Monday, August 10, 2015

Fix for Stagefright in Cyanogenmod 9.1 for Xperia Ray

Having recently gone from the stock Sony ROM to CM 9.1 I found the Stagefright stuff a good excuse to start hacking Cyanogenmod.
Long story short - I've backported the fixes for the Stagefright vulnerabilities to the cm9.1 branch and built a private ROM for my Ray out of that.

It works acceptably well on my device, and while I'm quite sure the CM9.1 libstagefright code contains many horrors that might have been fixed along the long way from Android 4.0.4, at least now I should be relatively safe should a massive exploit be unleashed.
I'll try to push the changes upstream. In the meantime, here's the ROM (sha1sum: 54ae08ffb080767336faa430d7ad0a14558d6ad5).

Wednesday, August 5, 2015

More breakage:
hajma@c:~/android/system-ics$ brunch urushi
host C++: libdvm <= dalvik/vm/native/dalvik_system_Zygote.cpp
host C++: libdvm <= dalvik/vm/native/java_lang_Class.cpp
host C++: libdvm <= dalvik/vm/native/java_lang_Double.cpp
host C++: libdvm <= dalvik/vm/native/java_lang_Float.cpp
dalvik/vm/native/dalvik_system_Zygote.cpp: In function ‘int setrlimitsFromArray(ArrayObject*)’:
dalvik/vm/native/dalvik_system_Zygote.cpp:199:19: error: aggregate ‘setrlimitsFromArray(ArrayObject*)::rlimit rlim’ has incomplete type and cannot be defined
     struct rlimit rlim;
                   ^
dalvik/vm/native/dalvik_system_Zygote.cpp:222:43: error: ‘setrlimit’ was not declared in this scope
         err = setrlimit(contents[0], &rlim);
                                           ^
build/core/binary.mk:347: recipe for target 'out/host/linux-x86/obj/SHARED_LIBRARIES/libdvm_intermediates/native/dalvik_system_Zygote.o' failed
make: *** [out/host/linux-x86/obj/SHARED_LIBRARIES/libdvm_intermediates/native/dalvik_system_Zygote.o] Error 1
make: *** Waiting for unfinished jobs....
hajma@c:~/android/system-ics$
and a fix:
diff --git a/vm/native/dalvik_system_Zygote.cpp b/vm/native/dalvik_system_Zygote.cpp
index 8224656..648bd58 100644
--- a/vm/native/dalvik_system_Zygote.cpp
+++ b/vm/native/dalvik_system_Zygote.cpp
@@ -21,7 +21,7 @@
 #include "native/InternalNativePriv.h"
 
 #include 
-#if (__GNUC__ == 4 && __GNUC_MINOR__ == 7)
+#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)
 #include 
 #endif
 #include 
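Review bot: the widened guard `#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)` still excludes GCC 5 and later (where `__GNUC__` is 5), so the same "incomplete type" / "setrlimit was not declared" errors come back on the next compiler bump. The guarded `#include` (its target is blank in the hunk as extracted) is what supplies `struct rlimit` and `setrlimit`, and including that header unconditionally costs nothing, so drop the `#if`/`#endif` pair, or at least use `#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)`.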

Tuesday, August 4, 2015

My next breakage is due to Debian Jessie having a fresher and pickier version of make:

hajma@chrastavec:~/android/system-ics$ brunch urushi
including vendor/cm/vendorsetup.sh
Looking for dependencies

============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=4.0.4
TARGET_PRODUCT=cm_urushi
TARGET_BUILD_VARIANT=userdebug
TARGET_BUILD_TYPE=release
TARGET_BUILD_APPS=
TARGET_ARCH=arm
TARGET_ARCH_VARIANT=armv7-a-neon
HOST_ARCH=x86
HOST_OS=linux
HOST_BUILD_TYPE=release
BUILD_ID=IMM76L
============================================

build/core/main.mk:43: ********************************************************************************
build/core/main.mk:44: *  You are using version 4.0 of make.
build/core/main.mk:45: *  Android can only be built by versions 3.81 and 3.82.
build/core/main.mk:46: *  see http://source.android.com/source/download.html
build/core/main.mk:47: ********************************************************************************
============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=4.0.4
TARGET_PRODUCT=cm_urushi
TARGET_BUILD_VARIANT=userdebug
TARGET_BUILD_TYPE=release
TARGET_BUILD_APPS=
TARGET_ARCH=arm
TARGET_ARCH_VARIANT=armv7-a-neon
HOST_ARCH=x86
HOST_OS=linux
HOST_BUILD_TYPE=release
BUILD_ID=IMM76L
============================================
Checking build tools versions...
build/core/prebuilt.mk:143: *** recipe commences before first target.  Stop. 

Fortunately, the Firefox OS folks hit it too and have a patch.
The next step is to get the closed binaries. The script device/semc/urushi/extract-files.sh does that by downloading them from the phone via adb. I no longer have the Sony firmware on my phone, so there's no need to connect the phone when the Cyanogenmod zip I used to flash it has the same contents, right? The patch below changes the source to the zip:
hajma@c:~/android/system-ics/device/semc/urushi$ git diff ./extract-files.sh 
diff --git a/extract-files.sh b/extract-files.sh
index f3aaa2c..192ea96 100755
--- a/extract-files.sh
+++ b/extract-files.sh
@@ -5,10 +5,11 @@ DEVICE=urushi
 
 BASE=../../../vendor/$VENDOR/$DEVICE/proprietary
 
-while getopts ":nh" options
+while getopts ":nzh" options
 do
   case $options in
     n ) NC=1 ;;
+    z ) FROMZIP=1;;
     h ) echo "Usage: `basename $0` [OPTIONS] "
         echo "  -n  No clenup"
         echo "  -h  Show this help"
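Review bot: the new `-z` option is undocumented in the usage text directly below it (`echo "  -n  No clenup"`, `echo "  -h  Show this help"`) and takes no argument, although the second hunk expects the zip path to be in `$2`. Declare it as `z:` in the getopts string, set `FROMZIP=$OPTARG` so the zip path is bound to the option that needs it, add a `-z ZIP  Extract from a CM zip instead of adb` line to the usage, and fix "clenup" while there.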
@@ -27,7 +28,11 @@ for FILE in `cat proprietary-files.txt | grep -v ^# | grep -v ^$`; do
     if [ ! -d $BASE/$DIR ]; then
         mkdir -p $BASE/$DIR
     fi
-    adb pull /system/$FILE $BASE/$FILE
+    if [ "$FROMZIP" = "1" ]; then
+        unzip $2 system/$FILE -d $BASE
+    else
+        adb pull /system/$FILE $BASE/$FILE
+    fi
 done
 
 ./setup-makefiles.sh
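Review bot: `unzip $2 system/$FILE -d $BASE` does not produce the same layout as `adb pull /system/$FILE $BASE/$FILE`: unzip keeps the member's path, so the blob lands in `$BASE/system/$FILE` instead of `$BASE/$FILE`, and `./setup-makefiles.sh` then generates rules for files that are not where it expects. Use `unzip -j "$2" "system/$FILE" -d "$BASE/$DIR"` (which is what the later libjackpal workaround on this page does) or `unzip -p "$2" "system/$FILE" > "$BASE/$FILE"`. `$2` is also only the zip path when `-z` happens to be the first argument; take it from getopts or after `shift $((OPTIND-1))`. Both branches ignore failures, so a missing member or a stale zip silently yields an incomplete vendor tree; check the exit status and stop before `./setup-makefiles.sh`.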
... and more breakage:
hajma@c:~/android/system-ics$ brunch urushi
...
make: *** No rule to make target 'vendor/cm/proprietary/lib/armeabi/libjackpal-androidterm4.so', needed by 'out/target/product/urushi/system/lib/libjackpal-androidterm4.so'.  Stop.
make: *** Waiting for unfinished jobs....
target thumb C: calibrator <= hardware/ti/wlan/mac80211/ti-utils/ini.c
hajma@c:~/android/system-ics$ 
The file was supposed to be delivered with get-prebuilts:
hajma@c:~/android/system-ics/vendor/cm$ ./get-prebuilts 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3347k  100 3347k    0     0   175k      0  0:00:19  0:00:19 --:--:--  205k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   178  100   178    0     0    296      0 --:--:-- --:--:-- --:--:--   295
100  551k  100  551k    0     0   373k      0  0:00:01  0:00:01 --:--:-- 1375k
Archive:  ./proprietary/Term.apk
caution: filename not matched:  lib/armeabi/libjackpal-androidterm4.so
but the Term.apk now has a newer version:
hajma@c:~/android/system-ics/vendor/cm$ unzip -l proprietary/Term.apk |grep libjackpal-androidterm
    13532  2015-04-15 08:09   lib/armeabi/libjackpal-androidterm5.so
     5648  2015-04-15 08:09   lib/mips/libjackpal-androidterm5.so
     5240  2015-04-15 08:09   lib/x86/libjackpal-androidterm5.so
I'll have a look at updating the terminal later; for now I'll use the one from the zip:
hajma@c:~/android/system-ics/vendor/cm$ mkdir -p proprietary/lib/armeabi/
hajma@c:~/android/system-ics/vendor/cm$ unzip -j ~/Downloads/cm-9.1.0-urushi.zip -d proprietary/lib/armeabi system/lib/libjackpal-androidterm4.so
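Both the extract-files.sh change above and the libjackpal workaround pull blobs out of the flashed zip by hand, and each `unzip` call lands the file in a different place. The following is an added example (not the project's extract-files.sh or any CM code) of doing the same job in one place: it reads a proprietary-files.txt (assumed, as the script's `grep -v ^# | grep -v ^$` filter implies, to be one `/system`-relative path per line with `#` comments), verifies the zip's sha1sum before using it, copies `system/<entry>` from the zip to `<base>/<entry>` exactly as the script's `adb pull /system/$FILE $BASE/$FILE` would, reports entries the zip does not contain instead of skipping them silently, and refuses list entries that would escape the destination tree. The zip and listing built in `demo()` are constructed sample data, not a real CM build.

```python
"""Pull the proprietary blobs listed in a proprietary-files.txt out of a ROM zip.

Added example, not the project's extract-files.sh. Assumes the zip stores the
/system partition under system/ (as the CM zip does) and that the listing holds
one /system-relative path per line, with '#' comments and blank lines ignored.
"""
import hashlib
import io
import os
import posixpath
import tempfile
import zipfile


def parse_proprietary_list(text):
    """Same filter as the script's `grep -v ^# | grep -v ^$`: drop comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def safe_relpath(entry):
    """Normalise a list entry and reject anything that would leave the destination tree."""
    if entry.startswith("/") or "\\" in entry:
        raise ValueError("refusing unsafe entry: %r" % entry)
    norm = posixpath.normpath(entry)
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("refusing unsafe entry: %r" % entry)
    return norm


def extract_proprietary(zip_path, listing_text, base_dir, expected_sha1=None):
    """Copy system/<entry> from the zip to <base_dir>/<entry> for every listed entry.

    Returns (extracted, missing): entries written and entries the zip does not contain.
    """
    with open(zip_path, "rb") as fh:
        data = fh.read()
    if expected_sha1 is not None:
        actual = hashlib.sha1(data).hexdigest()
        if actual != expected_sha1.lower():
            raise ValueError("sha1 mismatch: got %s, expected %s" % (actual, expected_sha1))
    extracted, missing = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = set(zf.namelist())
        for entry in parse_proprietary_list(listing_text):
            rel = safe_relpath(entry)
            member = "system/" + rel          # /system lives under system/ inside the zip
            if member not in members:
                missing.append(rel)
                continue
            dest = os.path.join(base_dir, *rel.split("/"))   # $BASE/$FILE, no system/ prefix
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(member) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            extracted.append(rel)
    return extracted, missing


def demo():
    """Build a constructed ROM zip in a temp dir (sample data, not a real CM build) and extract from it."""
    listing = (
        "# constructed proprietary-files.txt\n"
        "lib/libjackpal-androidterm4.so\n"
        "\n"
        "lib/hw/sample-blob.so\n"
        "bin/not-in-this-zip\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = os.path.join(tmp, "cm-9.1.0-urushi.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("system/lib/libjackpal-androidterm4.so", b"\x7fELF sample 1")
            zf.writestr("system/lib/hw/sample-blob.so", b"\x7fELF sample 2")
            zf.writestr("META-INF/com/google/android/updater-script", b"# sample\n")
        with open(zip_path, "rb") as fh:
            sha1 = hashlib.sha1(fh.read()).hexdigest()
        base = os.path.join(tmp, "vendor", "semc", "urushi", "proprietary")
        extracted, missing = extract_proprietary(zip_path, listing, base, expected_sha1=sha1)
        layout = sorted(
            os.path.relpath(os.path.join(d, f), base).replace(os.sep, "/")
            for d, _, files in os.walk(base) for f in files
        )
    return extracted, missing, layout


if __name__ == "__main__":
    print(demo())
```

Passing the sha1sum published next to a ROM (as done for the Stagefright build above) as `expected_sha1` makes the extraction refuse a zip that is not the one that was flashed; the `missing` list is what the original loop throws away when `adb pull` or `unzip` fails on a single file.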
... and more breakage:
external/llvm/include/llvm/ADT/PointerUnion.h:64:39: error: comparison between ‘enum llvm::PointerLikeTypeTraits::’ and ‘enum llvm::PointerLikeTypeTraits::’ [-Werror=enum-compare]
       NumLowBitsAvailable = PT1BitsAv < PT2BitsAv ? PT1BitsAv : PT2BitsAv
While everybody on the Internet just removes -Wall from the makefile, it can be fixed more simply, as it has apparently been worked around before:
hajma@c:~/android/system-ics/external/llvm$ git diff include/llvm/ADT/PointerUnion.h 
diff --git a/include/llvm/ADT/PointerUnion.h b/include/llvm/ADT/PointerUnion.h
index 3e3f214..6450bdb 100644
--- a/include/llvm/ADT/PointerUnion.h
+++ b/include/llvm/ADT/PointerUnion.h
@@ -54,7 +54,7 @@ namespace llvm {
     static inline void *getAsVoidPointer(void *P) { return P; }
     static inline void *getFromVoidPointer(void *P) { return P; }
     enum {
-#if (__GNUC__ == 4 && __GNUC_MINOR__ == 7)
+#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)
       PT1BitsAv = static_cast< int >(PointerLikeTypeTraits<PT1>::NumLowBitsAvailable),
       PT2BitsAv = static_cast< int >(PointerLikeTypeTraits<PT2>::NumLowBitsAvailable),
 #else
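Review bot: same pattern as the dalvik guard: `__GNUC_MINOR__ >= 7` admits GCC 4.7 to 4.9 but not GCC 5 and later, where `__GNUC__` is 5 and the `#else` branch (presumably the uncast comparison that `-Werror=enum-compare` rejects in the error quoted above) is selected again. The guarded branch only wraps the two enumerators in `static_cast< int >`, which is valid on every compiler, so the version test can go and the cast kept unconditionally.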
... and more:
In file included from system/extras/ext4_utils/output_file.c:30:0:
/usr/include/zlib.h:34:19: fatal error: zconf.h: No such file or directory
 #include "zconf.h"
                   ^
compilation terminated.
The cause is ugly and the solution is uglier.
Getting closer...
Boot image: out/target/product/urushi/boot.img
error: unsupported page size 131072
device/semc/msm7x30-common/custombootimg.mk:5: recipe for target 'out/target/product/urushi/boot.img' failed
make: *** [out/target/product/urushi/boot.img] Error 255
Now this is caused by the second part of a changeset missing from the cm9.1 branch ... this changeset has to be applied.

aaaand here it is:
Package complete: /home/hajma/android/system-ics/out/target/product/urushi/cm-9-20150804-UNOFFICIAL-urushi.zip
41ef84db95dc7b24f78c8d0788fc1bcd  cm-9-20150804-UNOFFICIAL-urushi.zip
I don't dare to flash this yet though ;-)
While following Cyanogenmod's steps to build CM for my Ray, the repo sync command froze. 'ps -ef --forest', Linux's take on ptree, told me it was stuck doing 'git-remote-https github https://github.com/CyanogenMod/android_external_svox' and a quick Google search took me to http://forum.cyanogenmod.org/topic/103527-cannot-repo-source-code-as-android-external-svox-repository-meets-dmca-issue/
ugh...

So, here's the first workaround:

   <project path="external/srtp" name="platform/external/srtp" remote="aosp" revision="refs/tags/android-4.0.4_r2.1" />
   <project path="external/stlport" name="CyanogenMod/android_external_stlport" />
   <project path="external/strace" name="CyanogenMod/android_external_strace" />
-  <project path="external/svox" name="CyanogenMod/android_external_svox" />
+  <project path="external/svox" name="platform/external/svox" remote="aosp" revision="refs/tags/android-4.0.4_r2.1" />
   <project path="external/tagsoup" name="CyanogenMod/android_external_tagsoup" />
   <project path="external/tcpdump" name="CyanogenMod/android_external_tcpdump" />
   <project path="external/tinyalsa" name="platform/external/tinyalsa" remote="aosp" revision="refs/tags/android-4.0.4_r2.1" />
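Review bot: the replacement pins `external/svox` to the AOSP tag `android-4.0.4_r2.1`, consistent with the neighbouring `external/srtp` and `external/tinyalsa` entries, whereas the removed CyanogenMod project carried no revision and followed the manifest's default branch; any CM-specific changes in its svox fork are dropped by this swap, so confirm the build finds everything it used from there. The old checkout also has to be removed before the next sync, and since it is a directory, `rm` needs `-r`.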
and I also had to issue
rm -rf external/svox/   # it's a checkout directory, so plain rm refuses it
before running sync again

Friday, May 1, 2015

Heroes of Might and Magic II

The latest Humble Bundle comes with HOMM2 Gold in the pay-what-you-want tier. While it's for Windows only, the installer works in Wine flawlessly.
Once it started I noticed the game actually runs in DosBox, which sounds somewhat silly - running a game inside a DOS emulator which runs inside a Windows emulator :-)
The natural instinct led me to try to remove the unnecessary layers.
I used lnk-parser to find out what the HOMM2 Desktop link was actually doing:
$ lnk-parse-1.0/lnk-parse-1.0.pl  /home/hajma/.wine/dosdevices/c\:/users/Public/Desktop/Heroes\ of\ Might\ and\ Magic\ 2\ Gold.lnk 

Link File:  /home/hajma/.wine/dosdevices/c:/users/Public/Desktop/Heroes of Might and Magic 2 Gold.lnk
Link Flags:  HAS SHELLIDLIST | POINTS TO FILE/DIR | NO DESCRIPTION | NO RELATIVE PATH STRING | HAS WORKING DIRECTORY | HAS CMD LINE ARGS | HAS CUSTOM ICON |
File Attributes: 
Create Time: Mon Jan 01 1601 00:57:44
Last Accessed time: Mon Jan 01 1601 00:57:44
Last Modified Time: Mon Jan 01 1601 00:57:44
Target Length: 0
Icon Index: 0
ShowWnd: 1 SW_NORMAL
HotKey: 0
Target is on local volume
Volume Type: Fixed (Hard Disk)
Volume Serial: 00000000
Vol Label: 
Base Path: C:\Program Files\Ubisoft\Heroes of Might and Magic 2 Gold\dosbox.exe
(App Path:) Remaining Path: 
Working Dir: C:\Program Files\Ubisoft\Heroes of Might and Magic 2 Gold\
Command Line: -conf dosboxhomm2.conf -noconsole
Icon filename: C:\Program Files\Ubisoft\Heroes of Might and Magic 2 Gold\Icon.ico

but when I run
dosbox -conf ./dosboxhomm2.conf -noconsole
the game does not run as the full version, complaining about a missing CD in the drive.
Here's the necessary change to the config file:

$ diff -u dosboxhomm2.conf.orig dosboxhomm2.conf
--- dosboxhomm2.conf.orig 2015-05-01 00:38:24.937021111 +0200
+++ dosboxhomm2.conf 2015-05-01 01:05:30.530285702 +0200
@@ -193,8 +193,8 @@
 
 @ECHO OFF
 mount C "."
-imgmount d ".\homm2.inst" -t iso -fs iso
 c:
+imgmount d "./homm2.inst" -t iso -fs iso
 cls
 heroes2.exe
-exit
\ No newline at end of file
+exit
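Review bot: two changes are mixed into one hunk: the path separator fix, and a reordering of the `imgmount` line below `c:` that is not needed for the fix and makes the diff harder to read; keep the line where it was and change only the path. The separator is the real bug: imgmount's image argument is a host-side path, and on Linux `.\homm2.inst` is simply a file name containing a backslash, which is consistent with the missing-CD complaint, whereas `./homm2.inst` resolves. Note that `mount C "."` and `./homm2.inst` are both relative to the current directory, so this config only works when dosbox is started from the game directory (the lnk's Working Dir), which the `dosbox -conf ./dosboxhomm2.conf -noconsole` invocation above assumes.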

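The lnk-parser output above is what made the DOSBox indirection visible: the target is a harmless dosbox.exe and the interesting part is in the command-line arguments. The following is an added example (my code, not lnk-parser's and not part of the original post) of reading those fields directly from the Shell Link format: the 76-byte header, the optional LinkTargetIDList, the LocalBasePath from the LinkInfo block, and the StringData fields. `build_sample_lnk` constructs a sample .lnk with the same values the post's link showed (ANSI strings, a dummy item ID list); it is constructed test data, not the real file from the installer.

```python
"""Minimal Shell Link (.lnk) reader, added as an example (not lnk-parser's code).

Follows the MS-SHLLINK layout: 76-byte ShellLinkHeader, optional LinkTargetIDList,
optional LinkInfo (only the LocalBasePath is read here), then the StringData fields
(name, relative path, working dir, command-line arguments, icon location). In a
suspicious .lnk the arguments are the field to read: the target can be an ordinary
executable while the arguments carry the payload.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize, IconIndex,
# ShowCommand, HotKey, Reserved1..3
HEADER_FMT = "<I16sIIQQQIIIHHII"
# LinkFlags bits
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (a zero field shows up as 1601)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _string_data(buf, off, unicode_):
    """CountCharacters (uint16) followed by that many characters, no terminator."""
    count, = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode_:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252"), off + count


def parse_lnk(buf):
    if len(buf) < 0x4C:
        raise ValueError("too short for a Shell Link header")
    fields = struct.unpack_from(HEADER_FMT, buf, 0)
    header_size, clsid, flags, attrs, ctime, atime, wtime, size, icon_idx, show, hotkey = fields[:11]
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {
        "flags": flags, "file_attributes": attrs, "file_size": size, "icon_index": icon_idx,
        "show_command": SHOW_COMMANDS.get(show, hex(show)), "hotkey": hotkey,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
    }
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size, = struct.unpack_from("<H", buf, off)
        off += 2 + idlist_size            # skip the shell item IDs; the path comes from LinkInfo
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", buf, off)
        if li_flags & 0x01:               # VolumeIDAndLocalBasePath
            end = buf.index(b"\x00", off + base_off)
            info["local_base_path"] = buf[off + base_off:end].decode("cp1252")
        off += li_size
    unicode_ = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[key], off = _string_data(buf, off, unicode_)
    return info


def build_sample_lnk(base_path, working_dir, arguments, icon_location):
    """Constructed .lnk carrying the given fields (sample data, ANSI strings, dummy item ID list)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", 3) + b"\x00" + b"\x00\x00"   # one dummy ItemID + TerminalID
    idlist_blob = struct.pack("<H", len(idlist)) + idlist
    volume = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"    # VolumeID: size, DRIVE_FIXED, serial, empty label
    path = base_path.encode("cp1252") + b"\x00"
    vol_off = 28                                             # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume)
    suffix_off = base_off + len(path)
    li_size = suffix_off + 1                                 # + empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", li_size, 28, 0x01, vol_off, base_off, 0, suffix_off)
    link_info += volume + path + b"\x00"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("cp1252")
                       for s in (working_dir, arguments, icon_location))
    return header + idlist_blob + link_info + strings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(parse_lnk(fh.read()))
```

The reader only follows the LocalBasePath branch of LinkInfo and skips the item ID list; links whose target is stored solely as shell items (or via a network-relative link) therefore come back without `local_base_path`, which is itself a useful signal when triaging .lnk files.
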
Monday, April 27, 2015

Fixating testing to Jessie

So, Jessie is released, and I'd like to keep it on my laptop for some time.
It turns out it's rather trivial to do; just make sure all entries in one's sources.list point to jessie instead of testing:

--- /etc/apt/sources.list.bak    2015-04-27 22:23:17.664326851 +0200
+++ /etc/apt/sources.list    2015-04-27 22:27:33.559723639 +0200
@@ -1,10 +1,5 @@
-deb http://ftp.cz.debian.org/debian/ testing main  non-free
-deb-src http://ftp.cz.debian.org/debian/ testing main non-free
-
-deb http://security.debian.org/ testing/updates main non-free
-deb-src http://security.debian.org/ testing/updates main non-free
-
-# testing-updates, previously known as 'volatile'
-deb http://ftp.cz.debian.org/debian/ testing-updates main non-free
-deb-src http://ftp.cz.debian.org/debian/ testing-updates main non-free
+deb http://ftp.cz.debian.org/debian/ jessie main  non-free
+deb-src http://ftp.cz.debian.org/debian/ jessie main non-free

+deb http://security.debian.org/ jessie/updates main non-free
+deb-src http://security.debian.org/ jessie/updates main non-free
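Review bot: the `testing-updates` pair is deleted rather than renamed, so the stable point-release updates that the removed comment describes as "previously known as 'volatile'" are no longer tracked once the release is followed as `jessie`; add `deb http://ftp.cz.debian.org/debian/ jessie-updates main non-free` and its `deb-src` counterpart to keep them. The `jessie/updates` form on security.debian.org is the right one for the security suite.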

and run the usual

apt-get update

apt-get dist-upgrade