After tool-based rooting failed on the first try, the next (and successful) attempt used dirtycow directly, as done for the Lenovo B8000, with minimal changes since the Toshiba did not have SELinux set to enforcing.
```
root@tostab12BA:/data/local/tmp # ls -la
-rwxr-xr-x shell    shell       21728 2021-03-17 21:37 debuggerd.orig
-rwxrwxrwx shell    shell       17880 2021-01-21 00:28 dirtycow
-rwxr-xr-x shell    shell       71304 2021-03-17 21:37 netd.orig
-rwxrwxrwx shell    shell         122 2021-03-17 21:44 root.sh
-rwxrwxrwx shell    shell         295 2021-03-17 21:49 start-su.sh
-rwxrwxrwx shell    shell       13940 2021-01-21 22:53 su
root@tostab12BA:/data/local/tmp # cat root.sh
#!/system/bin/sh
cd /data/local/tmp
./dirtycow start-su.sh /system/bin/debuggerd
./dirtycow start-su.sh /system/bin/netd
root@tostab12BA:/data/local/tmp # cat start-su.sh
#!/system/bin/sh
if ! /data/local/tmp/su -c id; then
    mount -o remount,suid /data
    /data/local/tmp/su --daemon
fi
# repair daemons
/data/local/tmp/dirtycow /data/local/tmp/debuggerd.orig /system/bin/debuggerd
/data/local/tmp/dirtycow /data/local/tmp/netd.orig /system/bin/netd
exec "$0" "$@"
```
A Debian jessie root filesystem was copied over from elsewhere:
```
lifetab / % tar -czvf /sdcard/root.tgz --exclude '/run/*' --exclude '/proc/*' --exclude '/sys/*' --exclude '/sdcard/*' --exclude '/dev/pts/*' /
```
As the Android shell did not provide a busybox, I had to push a static ARMv7 binary, and start.sh had to be modified again, similar to how it is set up on the B8000:
```
setprop ctl.stop media
setprop ctl.stop zygote
sleep 1
setprop ctl.stop bootanim
sleep 1
setprop ctl.stop bootanim
mount -o remount,rw /system
mount -t proc proc /data/debian-jessie/proc
mount -t sysfs sysfs /data/debian-jessie/sys
mount -t devpts devpts /data/debian-jessie/dev/pts
mount -o bind /storage/emulated/legacy /data/debian-jessie/sdcard
mount -o remount,rw,suid,dev /data
```
During the "normal" setup process, however, I was not able to remount /system read-write:
```
root@tostab12BA:/data/debian-jessie # mount -o remount,rw /system
mount: Operation not permitted
```
So the libc had better live under /data instead of /system (for now at least). Quickly adb pulling /data/debian-jessie/usr/sbin/chroot.android and editing the dynamic linker path from /system/ld-linux-armhf.so.3 to /data/ld-linux-armhf.so.3 did the trick.
However:

```
root@tostab12BA:/data/debian-jessie # ./enter.sh
/data/debian-jessie/usr/sbin/chroot.android: cannot change root directory to /data/debian-jessie: Operation not permitted
125|root@tostab12BA:/data/debian-jessie # cat /proc/$$/status
...
CapPrm: ffffffffffffffff
CapEff: ffffffffffffffff
CapBnd: ffffffffffffffff
Cpus_allowed: f
Cpus_allowed_list: 0-3
voluntary_ctxt_switches: 1137
nonvoluntary_ctxt_switches: 223
root@tostab12BA:/data/debian-jessie # getenforce
Permissive
```
What kind of new permission system is this now?
So the internet says Toshiba has built a kernel module, sealime.ko, to "protect" its tablets, but it's easy enough to work around that using a loopback device.
The really brazen way of accessing the system partition did not work:

```
root@tostab12BA:/data/local/tmp # ./busybox losetup /dev/loop0 /dev/block/mmcblk0p4
```
... so it seems one really needs to use an offset into mmcblk0. The correct values (in 512-byte sectors) are here:

```
root@tostab12BA:/data/local/tmp # cat /sys/block/mmcblk0/mmcblk0p4/start
65536
root@tostab12BA:/data/local/tmp # cat /sys/block/mmcblk0/mmcblk0p4/size
3145728
```
Unfortunately, the loopback-device hack seems to have been made impossible by later updates:
```
root@tostab12BA:/data/local/tmp # ./busybox losetup -o $((65536 * 512)) -r /dev/loop0 /dev/block/mmcblk0
losetup: /dev/block/mmcblk0: Operation not permitted
root@tostab12BA:/data/local/tmp # dd if=/dev/block/mmcblk0 bs=512 count=1
/dev/block/mmcblk0: cannot open for read: Operation not permitted
```
So, Toshiba has pushed a security update and closed the above loophole. Challenge accepted.
Given that DirtyCow modifies page-cache pages directly, it could replace whatever that module contains in place, and everything should keep working (with near-zero risk of bricking).

Unfortunately, /modules/sealime.ko cannot be open(2)ed (sealime.ko itself blocks that), so it's hard to point dirtycow at it.
Surely there is a way to evade this sealime thing... Look at this:
```
root@tostab12BA:/system/lib/modules # lsmod
inv_mpu 42968 0 - Live 0x00000000
bcmdhd 497053 0 - Live 0x00000000
sealime 39996 1 - Live 0x00000000 (PO)
root@tostab12BA:/system/lib/modules # insmod gps_drv.ko
root@tostab12BA:/system/lib/modules # lsmod
gps_drv 5412 0 - Live 0x00000000
inv_mpu 42968 0 - Live 0x00000000
bcmdhd 497053 0 - Live 0x00000000
sealime 39996 1 - Live 0x00000000 (PO)
root@tostab12BA:/system/lib/modules # rmmod gps_drv
root@tostab12BA:/data/local/tmp # ./dirtycow start-su.sh /system/lib/modules/gps_drv.ko
warning: new file size (295) and destination file size (154278) differ
[*] size 154278
[*] mmap 0xb6f07000
[*] currently 0xb6f07000=464c457f
[*] using /proc/self/mem method
[*] madvise = 0xb6f07000 154278
[*] madvise = 0 64347
[*] /proc/self/mem 48597570 315
[*] exploited 0 0xb6f07000=732f2123
root@tostab12BA:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Exec format error)
```
So, let's build a module. /proc/version says:

```
Linux version 3.4.57-gc710e6f (android-toshiba@tesibuild7) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Mon Dec 2 17:16:19 IST 2013
```

so let's keep a Raspberry Pi busy with an ARM build.
```
root@raspberrypi:~/linux# make tegra-defconfig
root@raspberrypi:~/linux# make -j8 bzImage
```

```
include/linux/compiler-gcc.h:100:1: fatal error: linux/compiler-gcc8.h: No such file or directory
 #include gcc_header(__GNUC__)
```
Wonderful. Luckily gcc-4.9 is still available in Raspbian.

```
perl: warning: Falling back to a fallback locale ("en_GB.UTF-8").
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) at kernel/timeconst.pl line 373.
```
Yeah, maybe let's.
With a quick copy of the example module code from the kernel documentation, we now have:
```
root@tostab12BA:/data/local/tmp # insmod glomus.ko
insmod: can't open 'glomus.ko'
```

(Glomus being a genus of fungus which helps plants take root, as shown experimentally for Sea Lyme in https://doi.org/10.1007/BF02803153.)
Nice extra protection you have there; it would be a shame if a kernel bug existed that replaced file contents in the page cache...

```
root@tostab12BA:/data/local/tmp # ./dirtycow glomus.ko /system/lib/modules/gps_drv.ko
root@tostab12BA:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Exec format error)
```
Hrm... according to the internet, this is due to incorrect version information in the module. Indeed, dmesg shows:

```
<3>[ 5491.018487] glomus: version magic '3.4.0-dirty SMP preempt mod_unload ARMv7 p2v8 ' should be '3.4.57-gc710e6f SMP preempt mod_unload ARMv7 p2v8 '
```
Ok, I guess...
```
laptop % cat Makefile
KDIR = ../linux

kbuild:
	echo '#define UTS_RELEASE "3.4.57-gc710e6f"' > $(KDIR)/include/generated/utsrelease.h
	make -C $(KDIR) M=`pwd`

clean:
	make -C $(KDIR) M=`pwd` clean
```
With these modifications, the kernel accepts the module and the device crashes. Hrm. Maybe dirtycow-ing only half of a kernel module was a bad idea?
Maybe, if we dirtycow the entire module (to get a clean state):
```
root@laptop:/tmp# dd if=glomus.ko of=gps_drv.ko conv=notrunc
47+1 records in
47+1 records out
```
Nope, still crash.
So, maybe some other avenue:
```
root@tostab12BA:/ # cat /init.rc
...
on post-fs
    insmod /modules/sealime.ko
    copy /data/data/com.toshiba.drm.wdapp2/files/conf/dmbeini.so /proc/seandroid/sec_setting
```
However, creation of that file is blocked.
Back to un-sealiming again...
```
root@tostab12BA:/ # echo 0 > /proc/sys/kernel/kptr_restrict
root@tostab12BA:/ # cat /proc/kallsyms
...
bf0061c0 t cleanup_module [sealime]
...
c0bc6d28 t register_sealime [sealime]
...
```
Ok, that's something. What would be a good way to get kernel execution, hrm...
```
objdump -x gps_drv.ko

gps_drv.ko:     file format elf32-little
gps_drv.ko
architecture: UNKNOWN!, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0x00000000

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00000a6c  00000000  00000000  00000034  2**2
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
  1 .init.text    000000fc  00000000  00000000  00000aa0  2**2
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
```
and with 0xaa0 == 2720, we can just "improve" the existing gps_drv.ko:
```
#!/bin/sh
cp gps_drv.ko glomus.ko
# Overwrite the first two instructions of .init.text (file offset 0xaa0 = 2720) with
#   movw r0, #1   (e3000001)
#   bx   lr       (e12fff1e)
# printf instead of "echo -ne", so the escapes also work when /bin/sh is dash.
printf '\001\000\000\343\036\377\057\341' | dd bs=1 seek=2720 of=glomus.ko conv=notrunc
```

Using the result:
```
root@tostab12BA:/data/local/tmp # ./dirtycow glomus.ko /system/lib/modules/gps_drv.ko
root@tostab12BA:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
root@tostab12BA:/data/local/tmp # dmesg
...
<4>[ 1164.230458] sys_init_module: 'gps_drv'->init suspiciously returned 1, it should follow 0/-E convention
<4>[ 1164.230481] sys_init_module: loading module anyway...
<4>[ 1164.231313] [<c001580c>] (unwind_backtrace+0x0/0x140) from [<c00ba450>] (sys_init_module+0x1a0/0x1bc)
<4>[ 1164.231806] [<c00ba450>] (sys_init_module+0x1a0/0x1bc) from [<c000e800>] (ret_fast_syscall+0x0/0x30)
```

Glorious success, aka kernel-level execution. And with some bits of ARMv7 fiddling, it became possible to dump the code of register_sealime (thank you, print_hex_dump from lib/hexdump.c):
```
.../toshiba-excite-pro % arm-none-eabi-objdump -D -b binary -m armv7 register_sealime

register_sealime:     file format binary

Disassembly of section .data:

00000000 <.data>:
   0:	e92d4000 	stmfd	sp!, {lr}
   4:	e8bd4000 	ldmfd	sp!, {lr}
   8:	e3063d28 	movw	r3, #27944	; 0x6d28
   c:	e34c30bc 	movt	r3, #49340	; 0xc0bc
  10:	e5830000 	str	r0, [r3]
  14:	e3a00000 	mov	r0, #0
  18:	e12fff1e 	bx	lr
```

So this is obviously storing a callback into a pointer variable; let's undo that (and also a second one, from register_extra_hook):
```
laptop % cat glomus.as
.macro mov32, reg, val
    movw \reg, #:lower16:\val
    movt \reg, #:upper16:\val
.endm

init_module:
    push {lr}
    mov r0, #0
    mov32 r1, 0xc0bc6d28
    str r0, [r1]
    str r0, [r1, #4]
    mov r0, #-43
    pop {pc}
```

```
laptop % as -o glomus.bin glomus.as
laptop % cp gps_drv.ko glomus.ko
laptop % dd bs=1 count=128 skip=52 seek=2720 if=glomus.bin of=glomus.ko conv=notrunc
# kill some unhelpful relocations into our wonderful code
laptop % dd bs=1 count=1 skip=0 seek=115148 if=/dev/zero of=glomus.ko conv=notrunc
laptop % adb push glomus.ko /data/local/tmp/glomus.ko
laptop % adb shell
shell@tostab12BA:/data/local/tmp # /data/local/tmp/root.sh
shell@tostab12BA:/data/local/tmp # /data/local/tmp/su
root@tostab12BA:/data/local/tmp # ./dirtycow glomus.ko /system/lib/gps_drv.ko
root@tostab12BA:/data/local/tmp # insmod /system/lib/gps_drv.ko
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)
root@tostab12BA:/data/local/tmp # ./dirtycow gps_drv.ko /system/lib/gps_drv.ko
root@tostab12BA:/data/local/tmp # mount -o remount,rw /system; mount
...
/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 rw,seclabel,relatime,data=ordered 0 0
...
```
Identifier removed, indeed. :P
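As an added example (not from the original post), the following Python reproduces the part of the objdump -x section table that matters for the `seek=2720` used in the dd invocations above: it reads the ELF32 section headers and reports which section a given file offset falls into. The sample object it builds is constructed, with the same .text and .init.text file offsets that objdump reported for gps_drv.ko.

```python
"""List section file offsets of an ELF32 little-endian object, as objdump -x does.
Added example, not from the original post; the sample object below is constructed."""
import struct

EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, 52 bytes
SHDR = "<IIIIIIIIII"         # Elf32_Shdr, 40 bytes
SHT_PROGBITS, SHT_STRTAB = 1, 3

def sections(data):
    """Return {name: (file offset, size)} for every section header in data."""
    (ident, _type, _machine, _version, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not an ELF32 little-endian file")
    if shoff == 0 or shentsize < struct.calcsize(SHDR) or shstrndx >= shnum:
        raise ValueError("section header table missing or malformed")
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    out = {}
    for sh_name, _typ, _flg, _addr, sh_offset, sh_size, *_rest in shdrs:
        out[strtab[sh_name:strtab.index(b"\0", sh_name)].decode()] = (sh_offset, sh_size)
    return out

def section_for_offset(data, file_offset):
    """Name of the section whose file bytes contain file_offset, or None."""
    for name, (off, size) in sections(data).items():
        if name and off <= file_offset < off + size:
            return name
    return None

def build_sample_object():
    """Constructed ELF32 ARM relocatable whose .text and .init.text sit at the
    same file offsets objdump reported for gps_drv.ko above (0x34 and 0xaa0)."""
    shstrtab = b"\0.text\0.init.text\0.shstrtab\0"   # names at 1, 7 and 18
    text_off, text_size = 0x34, 0xa6c
    init_off, init_size = 0xaa0, 0xfc
    str_off = init_off + init_size
    shoff = str_off + len(shstrtab)
    shoff += (-shoff) % 4                            # word-align the header table
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9       # ELFCLASS32, little-endian, v1
    ehdr = struct.pack(EHDR, ident, 1, 40, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 4, 3)
    def shdr(name, typ, off, size):
        return struct.pack(SHDR, name, typ, 0, 0, off, size, 0, 0, 4, 0)
    table = (shdr(0, 0, 0, 0) + shdr(1, SHT_PROGBITS, text_off, text_size)
             + shdr(7, SHT_PROGBITS, init_off, init_size)
             + shdr(18, SHT_STRTAB, str_off, len(shstrtab)))
    body = bytearray(shoff + len(table))            # section bodies stay zero-filled
    body[:52] = ehdr
    body[str_off:str_off + len(shstrtab)] = shstrtab
    body[shoff:shoff + len(table)] = table
    return bytes(body)
```

Run `sections(open("gps_drv.ko", "rb").read())` on the real module to get the same offsets objdump printed, and `section_for_offset(..., 2720)` to confirm a patch offset lands where you think it does.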
Onwards to Xorg.
```
(II) FBDEV(0): checking modes against monitor...
(--) FBDEV(0): Virtual size is 2560x1600 (pitch 2560)
(**) FBDEV(0): Built-in mode "current": 259.7 MHz, 95.5 kHz, 58.0 Hz
(II) FBDEV(0): Modeline "current"x0.0  259.67  2560 2608 2640 2720  1600 1603 1609 1646 +hsync +vsync -csync (95.5 kHz b)
(==) FBDEV(0): DPI set to (96, 96)
(II) Loading /usr/lib/xorg/modules/libfb.so
(II) Module fb: vendor="X.Org Foundation"
	compiled for 1.16.4, module version = 1.0.0
(**) FBDEV(0): using shadow framebuffer
(II) Loading /usr/lib/xorg/modules/libshadow.so
(II) Module shadow: vendor="X.Org Foundation"
	compiled for 1.16.4, module version = 1.1.0
fbdev: PreInit done
(==) Depth 24 pixmap format is 32 bpp
fbdev: FBDevScreenInit 0
(EE) FBDEV(0): FBIOPUT_VSCREENINFO: Invalid argument
(EE) FBDEV(0): mode initialization failed
(EE)
Fatal server error:
(EE) AddScreen/ScreenInit failed for driver 0
```
```
excite pro /root % gdb Xorg
(gdb) break ioctl
Function "ioctl" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (ioctl) pending.
(gdb) run -sharevts -noreset -retro -verbose -fbbpp 32 -nocursor vt1
Breakpoint 1, ioctl () at ../sysdeps/unix/syscall-template.S:82
82	../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) display /x $r1
1: /x $r1 = 0x5603
(gdb) cont
Continuing.
...
[tcsetpgrp failed in terminal_inferior: Inappropriate ioctl for device]
Breakpoint 1, ioctl () at ../sysdeps/unix/syscall-template.S:82
82	in ../sysdeps/unix/syscall-template.S
1: /x $r1 = 0x4600
(gdb) print /x $r2
$10 = 0x2a199f48
(gdb) x /60lx 0x2a199f48
...
(gdb) step
[tcsetpgrp failed in terminal_inferior: Inappropriate ioctl for device]
0xb66c9932 in fbdevHWInit () from /usr/lib/xorg/modules/libfbdevhw.so
1: /x $r1 = 0x4600
(gdb) x /60lx 0x2a199f48
0x2a199f48:	0x00000a00	0x00000640	0x00000a00	0x00000c80
0x2a199f58:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a199f68:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a199f78:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a199f88:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a199f98:	0x00000000	0x00000000	0x00000087	0x000000d8
0x2a199fa8:	0x00000000	0x00000f0b	0x00000050	0x00000030
0x2a199fb8:	0x00000025	0x00000003	0x00000020	0x00000006
0x2a199fc8:	0x00000003	0x00000000	0x00000000	0x00000000
0x2a199fd8:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a199fe8:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a199ff8:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a19a008:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a19a018:	0x00000000	0x00000000	0x00000000	0x00000000
0x2a19a028:	0x00000000	0x00000000	0x00000000	0x00000000
...
```

```
Breakpoint 1, ioctl () at ../sysdeps/unix/syscall-template.S:82
82	in ../sysdeps/unix/syscall-template.S
1: /x $r1 = 0x4601
(gdb) x /60lx $r1
0x4601:	Cannot access memory at address 0x4601
(gdb) x /60lx $r2
0xbefff57c:	0x00000a00	0x00000640	0x00000a00	0x00000640
0xbefff58c:	0x00000000	0x00000000	0x00000020	0x00000000
0xbefff59c:	0x00000000	0x00000008	0x00000000	0x00000000
0xbefff5ac:	0x00000008	0x00000000	0x00000000	0x00000008
0xbefff5bc:	0x00000000	0x00000000	0x00000000	0x00000000
0xbefff5cc:	0x00000000	0x00000000	0x00000087	0x000000d8
0xbefff5dc:	0x00000000	0x00000f0b	0x00000050	0x00000030
0xbefff5ec:	0x00000025	0x00000003	0x00000020	0x00000006
0xbefff5fc:	0x00000003	0x00000000	0x00000000	0x00000000
0xbefff60c:	0x00000000	0x00000000	0x00000000	0x00000000
```
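To see which struct fb_var_screeninfo fields actually differ between the kernel's FBIOGET_VSCREENINFO reply and Xorg's FBIOPUT_VSCREENINFO request, here is an added Python example (not from the original post) that parses the two gdb dumps above, using the field order from <linux/fb.h>, and reports each differing field together with its byte offset into the struct.

```python
"""Decode gdb 'x /Nlx' dumps of struct fb_var_screeninfo and diff two of them.
Added example, not from the original post; field order follows <linux/fb.h>."""
import re
import struct

# Declaration order of the leading u32 fields; field i lives at byte offset 4*i.
FIELDS = (
    "xres yres xres_virtual yres_virtual xoffset yoffset bits_per_pixel grayscale "
    "red_offset red_length red_msb_right green_offset green_length green_msb_right "
    "blue_offset blue_length blue_msb_right transp_offset transp_length "
    "transp_msb_right nonstd activate height width accel_flags pixclock left_margin "
    "right_margin upper_margin lower_margin hsync_len vsync_len sync vmode rotate"
).split()

# The two dumps from the gdb session above (FBIOGET reply, then the FBIOPUT request).
GET_DUMP = """
0x2a199f48: 0x00000a00 0x00000640 0x00000a00 0x00000c80
0x2a199f58: 0x00000000 0x00000000 0x00000000 0x00000000
0x2a199f68: 0x00000000 0x00000000 0x00000000 0x00000000
0x2a199f78: 0x00000000 0x00000000 0x00000000 0x00000000
0x2a199f88: 0x00000000 0x00000000 0x00000000 0x00000000
0x2a199f98: 0x00000000 0x00000000 0x00000087 0x000000d8
0x2a199fa8: 0x00000000 0x00000f0b 0x00000050 0x00000030
0x2a199fb8: 0x00000025 0x00000003 0x00000020 0x00000006
0x2a199fc8: 0x00000003 0x00000000 0x00000000 0x00000000
"""
PUT_DUMP = """
0xbefff57c: 0x00000a00 0x00000640 0x00000a00 0x00000640
0xbefff58c: 0x00000000 0x00000000 0x00000020 0x00000000
0xbefff59c: 0x00000000 0x00000008 0x00000000 0x00000000
0xbefff5ac: 0x00000008 0x00000000 0x00000000 0x00000008
0xbefff5bc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbefff5cc: 0x00000000 0x00000000 0x00000087 0x000000d8
0xbefff5dc: 0x00000000 0x00000f0b 0x00000050 0x00000030
0xbefff5ec: 0x00000025 0x00000003 0x00000020 0x00000006
0xbefff5fc: 0x00000003 0x00000000 0x00000000 0x00000000
"""
LINE_RE = re.compile(r"^0x[0-9a-f]+:((?:\s+0x[0-9a-f]{8})+)$")

def parse_dump(text):
    """Turn gdb 'x /Nlx' output into the raw little-endian bytes it describes."""
    words = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("not a gdb word dump line: %r" % line)
        words.extend(int(w, 16) for w in m.group(1).split())
    return struct.pack("<%dI" % len(words), *words)

def decode_var_screeninfo(raw):
    """Map the leading words of the struct to their field names."""
    if len(raw) < 4 * len(FIELDS):
        raise ValueError("dump too short: %d bytes" % len(raw))
    return dict(zip(FIELDS, struct.unpack_from("<%dI" % len(FIELDS), raw)))

def diff_screeninfo(a, b):
    """Return {field: (byte offset, a value, b value)} for fields that differ."""
    return {f: (4 * i, a[f], b[f]) for i, f in enumerate(FIELDS) if a[f] != b[f]}

if __name__ == "__main__":
    got = decode_var_screeninfo(parse_dump(GET_DUMP))
    want = decode_var_screeninfo(parse_dump(PUT_DUMP))
    for field, (off, old, new) in diff_screeninfo(got, want).items():
        print("+%-3d %-15s kernel=%-5d Xorg=%d" % (off, field, old, new))
```

The offsets it prints (+12, +24, +36, +48, +60) are exactly the words the gdb `set` commands further down poke at.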
So FBIOPUT_VSCREENINFO tries to change the virtual y resolution from 3200 to 1600. Let's try not to:

```
(gdb) set *(unsigned long int)(0xbefff57c + 12) = 0xC80
(gdb) x /60lx $r2
0xbefff57c:	0x00000a00	0x00000640	0x00000a00	0x00000c80
...
```
Not yet... Ok, kill all the differences:
```
Breakpoint 1, ioctl () at ../sysdeps/unix/syscall-template.S:82
82	in ../sysdeps/unix/syscall-template.S
1: /x $r1 = 0x4601
(gdb) x /20lx $r2
0xbefff57c:	0x00000a00	0x00000640	0x00000a00	0x00000640
0xbefff58c:	0x00000000	0x00000000	0x00000020	0x00000000
0xbefff59c:	0x00000000	0x00000008	0x00000000	0x00000000
0xbefff5ac:	0x00000008	0x00000000	0x00000000	0x00000008
0xbefff5bc:	0x00000000	0x00000000	0x00000000	0x00000000
(gdb) set *(unsigned long int)($r2 + 12) = 0xC80
(gdb) set *(unsigned long int)($r2 + 24) = 0
(gdb) set *(unsigned long int)($r2 + 36) = 0
(gdb) set *(unsigned long int)($r2 + 48) = 0
(gdb) set *(unsigned long int)($r2 + 60) = 0
(gdb) x /20lx $r2
0xbefff57c:	0x00000a00	0x00000640	0x00000a00	0x00000c80
0xbefff58c:	0x00000000	0x00000000	0x00000000	0x00000000
0xbefff59c:	0x00000000	0x00000000	0x00000000	0x00000000
0xbefff5ac:	0x00000000	0x00000000	0x00000000	0x00000000
0xbefff5bc:	0x00000000	0x00000000	0x00000000	0x00000000
```
No...
```
(gdb) set *(unsigned long int)($r2 + 12) = 0xC80
(gdb) set *(unsigned long int)($r2 + 16) = 16
(gdb) set *(unsigned long int)($r2 + 28) = 8
(gdb) set *(unsigned long int)($r2 + 40) = 0
(gdb) set *(unsigned long int)($r2 + 60) = 0
(gdb) x /20lx $r2
```
Still no... :(
https://en.wikipedia.org/wiki/Nouveau_%28software%29:
> nouveau is a free and open-source graphics device driver for
> Nvidia video cards and the Tegra family of SoCs written by independent
> software engineers, with minor help from Nvidia employees.
... but did not work for me :/
Some research points here: https://android.googlesource.com/kernel/tegra/+/refs/heads/android-tegra-molly-3.4-l-preview/drivers/video/tegra/fb.c, as that is the code I'm trying to talk to on the other side of /dev/fb0.

But ultimately, after some testing with hand-crafted ioctls, the working solution was to ensure DRM never gets activated and the framebuffer device is left undisturbed from boot:
```
root@tostab12BA:/system/bin # mount -o remount,rw /system
root@tostab12BA:/system/bin # mv drmserver drmserver.off
root@tostab12BA:/system/bin # mv bootanimation bootanim.off
root@tostab12BA:/system/bin # mv surfaceflinger surfaceflinger.off
```
(This being necessary, as /init.rc is loaded from an allegedly signed boot partition.)
And of course a complete faking of all ioctl(2) framebuffer activity:
```
excite pro /root % cat xorg-ioctls.c
// gcc -fPIC -shared -o xorg-ioctls.so xorg-ioctls.c -ldl
#define _GNU_SOURCE
#include <dlfcn.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stddef.h>
#include <linux/fb.h>

static int (*ioctl_orig)(int, unsigned long, ...) = NULL;

// Interposed via LD_PRELOAD. Note that the request number is matched for every
// fd, not just /dev/fb0; this is fine for Xorg, which is the only client here.
int ioctl(int fd, unsigned long request, void *a, void *b, void *c, void *d, void *e)
{
	if (request == FBIOPUT_VSCREENINFO) {
		// Pretend stuff happened successfully.
		return 0;
	} else if (request == FBIOGET_VSCREENINFO) {
		// Fake response from kernel (values from the gdb dump above).
		struct fb_var_screeninfo *info = a;
		info->xres = 2560;
		info->yres = 1600;
		info->xres_virtual = 2560;
		info->yres_virtual = 3200;
		info->xoffset = 0;
		info->yoffset = 0;
		info->bits_per_pixel = 32;
		info->grayscale = 0;
		info->red.length = 8;
		info->red.offset = 0;
		info->green.length = 8;
		info->green.offset = 8;
		info->blue.length = 8;
		info->blue.offset = 16;
		info->pixclock = 3851;
		info->hsync_len = 32;
		info->vsync_len = 6;
		info->vmode = 0;  // No interlacing
		info->rotate = 0; // No rotation
		return 0;
	}
	if (!ioctl_orig) {
		// Everything else goes to the real libc ioctl.
		ioctl_orig = dlsym(RTLD_NEXT, "ioctl");
	}
	return ioctl_orig(fd, request, a, b, c, d, e);
}
excite pro /root % cat X.sh
#!/bin/sh
LD_PRELOAD=/root/xorg-ioctls.so Xorg -sharevts -noreset -retro -verbose -fbbpp 32 vt1
```
Touchscreen events are available at /dev/input/event1, and the final xorg.conf becomes:

```
excite pro /root % cat /etc/X11/xorg.conf
Section "ServerLayout"
    Identifier     "Layout0"
    Screen         "Screen0"
    InputDevice    "Mouse0" "CorePointer"
    InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "InputDevice"
    Identifier     "Keyboard0"
    Driver         "evdev"
    Option         "Device" "/dev/input/event1"
    Option         "Protocol" "usb"
EndSection

Section "InputDevice"
    Identifier     "Mouse0"
    Driver         "evdev"
    Option         "Device" "/dev/input/event3"
    Option         "IgnoreRelativeAxes" "true"
    Option         "IgnoreAbsoluteAxes" "false"
    Option         "InvertX" "true"
    Option         "InvertY" "true"
    Option         "Mode" "Absolute"
EndSection

Section "Device"
    Identifier     "Card0"
    Driver         "fbdev"
    Option         "fbdev" "/dev/fb0"
    Option         "debug" "true"
    # Option       "Rotate" "UD"
    VendorName     "Unknown"
    BoardName      "Unknown"
EndSection

Section "Screen"
    Identifier     "Screen0"
    Device         "Card0"
    Monitor        "Monitor0"
    DefaultDepth   32
    SubSection "Display"
        Depth      32
        Modes      "2560x1600"
    EndSubSection
EndSection

Section "Monitor"
    Identifier     "Monitor0"
    Mode "2560x1600"
        # D: 64.000 MHz, H: 44.444 kHz, V: 54.003 Hz
        DotClock   259.67
        HTimings   2560 2608 2640 2720
        VTimings   1600 1603 1609 1646
        Flags      "+HSync" "+VSync" "-CSync"
    EndMode
EndSection

Section "ServerFlags"
    Option         "AutoAddDevices" "false"
EndSection
```
Nota bene: there is also an open source tegra driver implementation, but I didn't check it yet (because I don't need acceleration on this device at the moment).
Unfortunately, WiFi setup is driven via the (now gone) Android userland, so some minimal extra effort needs to be spent to get internet going again:
```
root@tostab12BA:/data/local/tmp # ifconfig wlan0 up
error: SIOCSIFFLAGS (Operation not permitted)
root@tostab12BA:/data/local/tmp # dmesg
...
<6>[11322.690969] SDIO Vendor ID:02d0 and SDIO Device ID: 4335
<4>[11322.700644] F1 signature OK, socitype:0x1 chip:0x4335 rev:0x1 pkg:0x2
<4>[11322.702630] DHD: dongle ram size is set to 786432(orig 786432) at 0x180000
<4>[11322.704716] _dhdsdio_download_firmware: dongle image file download failed
<4>[11322.705303] dhd_dev_reset: dhd_bus_devreset: -35
<4>[11322.705756] dhd_open : wl_android_wifi_on failed (-35)
...
<4>[11638.286479] dhd_bus_start: dhdsdio_probe_download failed. firmware = /system/etc/firmware/fw_bcmdhd.bin nvram = /system/etc/nvram_4335.txt
```

```
root@tostab12BA:/system/etc/firmware # mount -o remount,rw /system
root@tostab12BA:/system/etc/firmware # ln -s /vendor/firmware/bcm4335/fw_bcmdhd.bin fw_bcmdhd.bin
root@tostab12BA:/system/etc/firmware # insmod /system/lib/modules/bcmdhd.ko
root@tostab12BA:/system/etc/firmware # cd /data/misc/wifi
root@tostab12BA:/data/misc/wifi # wpa_supplicant -B -iwlan0 -Dwext -c wpa_supplicant.conf
root@tostab12BA:/data/misc/wifi # dhcpcd wlan0
```
Combining everything into one root.sh:

```
root@tostab12BA:/data/local/tmp # cat root.sh
#!/system/bin/sh
cd /data/local/tmp
./dirtycow start-su.sh /system/bin/debuggerd
./dirtycow start-su.sh /system/bin/netd
sleep 45
./dirtycow glomus.ko /system/lib/modules/gps_drv.ko
echo 'insmod /system/lib/modules/gps_drv.ko; exit' | ./su
./dirtycow gps_drv.ko /system/lib/modules/gps_drv.ko
echo 'insmod /system/lib/modules/bcmdhd.ko' | ./su
( echo 'cd /data/misc/wifi; wpa_supplicant -B -Dwext -iwlan0 -c wpa_supplicant.conf' | ./su ) &
( echo 'dhcpcd wlan0' | ./su ) &
```
ALSA works out of the box. Integration into the multi-monitor setup was done as a test, but the touchscreen registers very wobbly lines from the stylus, so I think this tablet will end up as a monitor at the office.