Announcement

**eegorr** · 16 December 2012, 22:00

Originally posted by Finless View Post

Where did everyone go? I have some ideas if we can edit that script.

I see the script is in fact run from init.rc as root! At least it is in my init.rc file.
So we have an exploit I think. Please check your init.rc file and see if it is being called.

service pppd_gprs /system/etc/init-pppd.sh
user root
group radio net_admin cache inet misc
disabled
oneshot

If this script can be edited maybe we can add this to the beginning:
mount -o rw,remount /system
cp /sdcard/su /system/bin/
cp /sdcard/Superuser.apk /system/app
chmod 06755 /system/bin/su
chown root:root /system/bin/su

of course from my update.zip extract su and Superuser.apk from it and put them at root of internal sdcard.

Bob

Where is init.rc?

EDIT: Never mind, I found it!

**ozymandiaz** · 16 December 2012, 22:03

Use astro which is included in the stock rom, it starts you in the sdcard directory but hit the app's up arrow and go up to /system. Open the etc folder, find init-pppd.sh which has rw permission. Press and hold, click open as text and choose the text editor app to modify. Add the lines Bob suggested and save, it should automatically make a backup.

**eegorr** · 16 December 2012, 22:50

Originally posted by ozymandiaz View Post

Use astro which is included in the stock rom, it starts you in the sdcard directory but hit the app's up arrow and go up to /system. Open the etc folder, find init-pppd.sh which has rw permission. Press and hold, click open as text and choose the text editor app to modify. Add the lines Bob suggested and save, it should automatically make a backup.

Yeah, it let me save a comment into the file. Let me give the rest a try. I'm assuming I will need to reboot to get init.rc to execute and call init-pppd.sh, right?

**ozymandiaz** · 16 December 2012, 23:03

Hopefully that does it. Exciting loophole either way!

**eegorr** · 16 December 2012, 23:14

Originally posted by ozymandiaz View Post

Hopefully that does it. Exciting loophole either way!

Okay, I added the following lines to the init-pppd.sh file and saved it:
mount -o rw,remount /system
cp /sdcard/su /system/bin/
cp /sdcard/Superuser.apk /system/app/ (I added the trailing slash to be safe)
chmod 06755 /system/bin/su
chown root:root /system/bin/su

Rebooting now...

Looking via Astro, neither file has been copied! There is no evidence that the code I added was even executed.

I'm going to check my work and try again.

EDIT: Still no good. Here is init-pppd.sh, as modified:

#!/system/bin/sh
# An unforunate wrapper script
# so that the exit code of pppd may be retrieved

# root exploit
mount -o rw,remount /system
cp /sdcard/su /system/bin/
cp /sdcard/Superuser.apk /system/app/
chmod 06755 /system/bin/su
chown root:root /system/bin/su

# this is a workaround for issue #651747
#trap "/system/bin/sleep 1;exit 0" TERM

SCRIPT=`/system/bin/getprop ril.ppp.script`
USER=`/system/bin/getprop ril.ppp.user`
PWD=`/system/bin/getprop ril.ppp.pwd`
APNNAME=`/system/bin/getprop ril.ppp.apn_name`

CHATSCRIBE="/system/bin/chat ABORT '\nBUSY\r' ABORT '\nNO ANSWER\r' ABORT '\nRINGING\r' TIMEOUT 30 '' \rAT OK AT+CGDCONT=1,\"IP\",\"$APNNAME\" '' ATDT*99***1# CONNECT '' "

/system/bin/log -t pppd "init-pppd.sh SCRIPT=$SCRIPT"
/system/bin/log -t pppd "init-pppd.sh user=$USER"
/system/bin/log -t pppd "init-pppd.sh pwd=$PWD"
/system/bin/log -t pppd "init-pppd.sh apn_name=$APNNAME"

if busybox [ "$SCRIPT" = "mcli-cdma" ] ; then
CHATSCRIBE="/system/bin/chat -s -S TIMEOUT 25 ABORT 'BUSY' '' AT '' ATH0 '' ATDT#777 CONNECT"
elif busybox [ "$SCRIPT" = "mcli-tdscdma" ] ; then
CHATSCRIBE="/system/bin/chat TIMEOUT 25 '' AT+CGDCONT=1,\"IP\",\"$APNNAME\" '' ATDT*99***1# CONNECT "
SCRIPT=mcli-gsm
fi

/system/bin/log -t pppd "Starting pppd $CHATSCRIBE"

#/system/bin/pppd file /system/etc/ppp/peers/mcli
/system/bin/pppd call $SCRIPT user $USER password $PWD connect "$CHATSCRIBE"

/system/bin/log -t pppd "init-pppd.sh exited "

exit $PPPD_EXIT

**eegorr** · 16 December 2012, 23:44

Dump of init.rc

app_116@android:/ $ cat init.rc
on early-init
start ueventd
symlink /initlogo.rle.bak /initlogo.rle
write /sys/class/graphics/fb0/blank 1
write /sys/class/graphics/fb1/blank 1
insmod /boot/ump.ko ump_debug_level=2
insmod /boot/mali.ko mali_debug_level=2

# create mountpoints
mkdir /mnt 0775 root system

on init
sysclktz 0
loglevel 7

write /sys/class/graphics/fb0/blank 0
write /sys/class/graphics/fb1/blank 1

mkdir /system
mkdir /data 0771 system system
mkdir /cache 0770 system cache
mkdir /config 0500 root root

# Setup the global environment
export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
export LD_LIBRARY_PATH /vendor/lib:/system/lib
export ANDROID_BOOTLOGO 1
export ANDROID_ROOT /system
export ANDROID_ASSETS /system/app
export ANDROID_DATA /data
export EXTERNAL_STORAGE /mnt/sdcard
export EXTERNAL_STORAGE2 /mnt/sdcard/external_sdcard
export INTERNAL_STORAGE /mnt/sdcard
export ASEC_MOUNTPOINT /mnt/asec
export LOOP_MOUNTPOINT /mnt/obb
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/filterfw.jar

# Mount /system rw first to give the filesystem a chance to save a checkpoint

# Backward compatibility
symlink /system/etc /etc
symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
symlink /system/vendor /vendor

# Create mountpoints
mkdir /mnt/sdcard 0000 system system

# Create cgroup mount point for cpu accounting
mkdir /acct
mount cgroup none /acct cpuacct
mkdir /acct/uid

# Backwards Compat - XXX: Going away in G*
symlink /mnt/sdcard /sdcard

# Directory for putting things only root should see.
mkdir /mnt/secure 0700 root root

# Directory for staging bindmounts
mkdir /mnt/secure/staging 0700 root root

# Directory-target for where the secure container
# imagefile directory will be bind-mounted
mkdir /mnt/secure/asec 0700 root root

# Secure container public mount points.
mkdir /mnt/asec 0700 root system
mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

# Filesystem image public mount points.
mkdir /mnt/obb 0700 root system
mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

write /proc/sys/kernel/panic_on_oops 1
write /proc/sys/kernel/hung_task_timeout_secs 0
write /proc/cpu/alignment 4
write /proc/sys/kernel/sched_latency_ns 10000000
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
write /proc/sys/kernel/sched_compat_yield 1
write /proc/sys/kernel/sched_child_runs_first 0

# Create cgroup mount points for process groups
mkdir /dev/cpuctl
mount cgroup none /dev/cpuctl cpu
chown system system /dev/cpuctl
chown system system /dev/cpuctl/tasks
chmod 0666 /dev/cpuctl/tasks
write /dev/cpuctl/cpu.shares 1024

mkdir /dev/cpuctl/fg_boost
chown system system /dev/cpuctl/fg_boost/tasks
chmod 0666 /dev/cpuctl/fg_boost/tasks
write /dev/cpuctl/fg_boost/cpu.shares 1024

mkdir /dev/cpuctl/bg_non_interactive
chown system system /dev/cpuctl/bg_non_interactive/tasks
chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
# 5.0 %
write /dev/cpuctl/bg_non_interactive/cpu.shares 52

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
chmod 0644 /dev/xt_qtaguid

# Make /system/etc/firmware writable for easier upgrade/install
mkdir /system/etc/firmware
chmod 0666 /system/etc/firmware

on fs
ubiattach mtd@system
mount ubifs ubi0_0 /system
ubiattach mtd@userdata
mount ubifs ubi1_0 /data nosuid nodev
mount yaffs2 mtd@cache /cache nosuid nodev

on post-fs
# once everything is setup, no need to modify /
#mount rootfs rootfs / ro remount

# We chown/chmod /cache again so because mount is run as root + defaults
chown system cache /cache
chmod 0770 /cache

# For 3G Dongle
mount usbfs none /proc/bus/usb

# This may have been created by the recovery system with odd permissions
chown system cache /cache/recovery
chmod 0770 /cache/recovery

# Change permissions on vmallocinfo so we can grab it from bugreports
chown root log /proc/vmallocinfo
chmod 0440 /proc/vmallocinfo

# Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
chown root system /proc/kmsg
chmod 0440 /proc/kmsg
chown root system /proc/sysrq-trigger
chmod 0220 /proc/sysrq-trigger

# create the lost+found directories, so as to enforce our permissions
mkdir /cache/lost+found 0770 root root

on post-fs-data
# We chown/chmod /data again so because mount is run as root + defaults
chown system system /data
chmod 0771 /data

# Create dump dir and collect dumps.
# Do this before we mount cache so eventually we can use cache for
# storing dumps on platforms which do not have a dedicated dump partition.
mkdir /data/dontpanic 0750 root log

# Collect apanic data, free resources and re-arm trigger
copy /proc/apanic_console /data/dontpanic/apanic_console
chown root log /data/dontpanic/apanic_console
chmod 0640 /data/dontpanic/apanic_console

copy /proc/apanic_threads /data/dontpanic/apanic_threads
chown root log /data/dontpanic/apanic_threads
chmod 0640 /data/dontpanic/apanic_threads

write /proc/apanic_console 1

# Create basic filesystem structure
mkdir /data/misc 01771 system misc
mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth
mkdir /data/misc/bluetooth 0770 system system
mkdir /data/misc/keystore 0700 keystore keystore
mkdir /data/misc/keychain 0771 system system
mkdir /data/misc/vpn 0770 system vpn
mkdir /data/misc/systemkeys 0700 system system

# Give system access to wpa_supplicant.conf for backup and restore
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
chmod 0770 /data/misc/wifi
chmod 0660 /data/misc/wifi/wpa_supplicant.conf
chown wifi wifi /data/misc/wifi
chown wifi wifi /data/misc/wifi/sockets
chown wifi wifi /data/misc/wifi/wpa_supplicant.conf
mkdir /data/local 0751 root root
mkdir /data/local/tmp 0771 shell shell
mkdir /data/data 0771 system system
mkdir /data/app-private 0771 system system
mkdir /data/app 0771 system system
mkdir /data/property 0700 root root

# Create dalvik-cache and double-check the perms
mkdir /data/dalvik-cache 0771 system system

# create resource-cache and double-check the perms
mkdir /data/resource-cache 0771 system system
chown system system /data/resource-cache
chmod 0771 /data/resource-cache

# Create the lost+found directories, so as to enforce our permissions
mkdir /data/lost+found 0770 root root

# create directory for DRM plug-ins
mkdir /data/drm 0774 drm drm

# If there is no fs-post-data action in the init.<device>.rc file, you
# must uncomment this line, otherwise encrypted filesystems
# won't work.
# Set indication (checked by vold) that we have finished this action
#setprop vold.post_fs_data_done 1

chown system system /sys/class/android_usb/android0/f_mass_storage/lun0/file
chmod 0660 /sys/class/android_usb/android0/f_mass_storage/lun0/file
chown system system /sys/class/android_usb/android0/f_mass_storage/lun1/file
chmod 0660 /sys/class/android_usb/android0/f_mass_storage/lun1/file
chown system system /sys/class/android_usb/android0/f_rndis/ethaddr
chmod 0660 /sys/class/android_usb/android0/f_rndis/ethaddr

mkdir /dev/console

on boot
setprop wifi.interface wlan0
# Basic network init
ifup lo
hostname localhost
domainname localdomain

# Create dhcpcd dir
mkdir /data/misc/dhcp 0770 dhcp dhcp
chmod 0770 /data/misc/dhcp

# Set RLIMIT_NICE to allow priorities from 19 to -20
setrlimit 13 40 40

# Define for Alsa
#setprop alsa.mixer.playback.master Digital
setprop alsa.mixer.capture.master Digital
#setprop alsa.mixer.playback.headset Digital
setprop alsa.mixer.capture.headset Digital
#setprop alsa.mixer.playback.earpiece Digital
setprop alsa.mixer.capture.earpiece Digital
#setprop alsa.mixer.playback.speaker Digital

# Memory management. Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# paramters to match how it is managing things.
write /proc/sys/vm/overcommit_memory 1
write /proc/sys/vm/min_free_order_shift 4
chown root system /sys/module/lowmemorykiller/parameters/adj
chmod 0664 /sys/module/lowmemorykiller/parameters/adj
chown root system /sys/module/lowmemorykiller/parameters/minfree
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

# Set init and its forked children's oom_adj.
write /proc/1/oom_adj -16

# Tweak background writeout
write /proc/sys/vm/dirty_expire_centisecs 200
write /proc/sys/vm/dirty_background_ratio 5

# Permissions for System Server and daemons.
chown radio system /sys/android_power/state
chown radio system /sys/android_power/request_state
chown radio system /sys/android_power/acquire_full_wake_lock
chown radio system /sys/android_power/acquire_partial_wake_lock
chown radio system /sys/android_power/release_wake_lock
chown radio system /sys/power/state
chown radio system /sys/power/wake_lock
chown radio system /sys/power/wake_unlock
chmod 0660 /sys/power/state
chmod 0660 /sys/power/wake_lock
chmod 0660 /sys/power/wake_unlock
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/module/sco/parameters/disable_esco
chown system system /sys/kernel/ipv4/tcp_wmem_min
chown system system /sys/kernel/ipv4/tcp_wmem_def
chown system system /sys/kernel/ipv4/tcp_wmem_max
chown system system /sys/kernel/ipv4/tcp_rmem_min
chown system system /sys/kernel/ipv4/tcp_rmem_def
chown system system /sys/kernel/ipv4/tcp_rmem_max
chown root radio /proc/cmdline

chmod 0666 /dev/mxc622x
chmod 0666 /dev/mmc328x
chmod 0666 /dev/ecompass_ctrl

chown media system /sys/class/tsync/pts_video
chown media system /sys/class/tsync/pts_audio
chown media system /sys/class/tsync/pts_pcrscr
chown media system /sys/class/tsync/event
chown media system /sys/class/tsync/mode
chown media system /sys/class/tsync/enable
chown media system /sys/class/graphics/fb0/blank
chown media system /sys/class/graphics/fb1/blank
chown media system /sys/class/graphics/fb0/enable_key
chown media system /sys/class/graphics/fb0/enable_key_onhold
chmod 0664 /sys/class/tsync/pts_video
chmod 0664 /sys/class/tsync/pts_audio
chmod 0664 /sys/class/tsync/pts_pcrscr
chmod 0664 /sys/class/tsync/event
chmod 0664 /sys/class/tsync/mode
chmod 0664 /sys/class/tsync/enable
chmod 0664 /sys/class/graphics/fb0/blank
chmod 0664 /sys/class/graphics/fb1/blank
chmod 0664 /sys/class/graphics/fb0/enable_key
chmod 0664 /sys/class/graphics/fb0/enable_key_onhold

chown media system /sys/class/video/blackout_policy
chown media system /sys/class/video/screen_mode
chown media system /sys/class/video/axis
chown media system /sys/class/video/disable_video
chown media system /sys/class/video/zoom
chown media system /sys/class/ppmgr/angle
chown media system /sys/class/ppmgr/ppscaler
chown media system /sys/class/ppmgr/ppscaler_rect
chmod 0664 /sys/class/video/blackout_policy
chmod 0664 /sys/class/video/screen_mode
chmod 0664 /sys/class/video/axis
chmod 0664 /sys/class/video/disable_video
chmod 0664 /sys/class/video/zoom
chmod 0664 /sys/class/ppmgr/angle
chmod 0664 /sys/class/ppmgr/ppscaler
chmod 0664 /sys/class/ppmgr/ppscaler_rect

chmod 0666 /dev/amstream_sub_read

chown system system /sys/class/subtitle/enable
chown system system /sys/class/subtitle/total
chown system system /sys/class/subtitle/width
chown system system /sys/class/subtitle/height
chown system system /sys/class/subtitle/type
chown system system /sys/class/subtitle/curr
chown system system /sys/class/subtitle/size
chown system system /sys/class/subtitle/data
chown system system /sys/class/subtitle/startpts
chown system system /sys/class/subtitle/fps
chown system system /sys/class/subtitle/subtype
chown media system /sys/class/audiodsp/codec_fatal_err
chmod 0664 /sys/class/audiodsp/codec_fatal_err
chmod 0664 /sys/class/subtitle/enable
chmod 0664 /sys/class/subtitle/total
chmod 0664 /sys/class/subtitle/width
chmod 0664 /sys/class/subtitle/height
chmod 0664 /sys/class/subtitle/type
chmod 0664 /sys/class/subtitle/curr
chmod 0664 /sys/class/subtitle/size
chmod 0664 /sys/class/subtitle/data
chmod 0664 /sys/class/subtitle/startpts
chmod 0664 /sys/class/subtitle/fps
chmod 0664 /sys/class/subtitle/subtype

# chmod
# HDMI/LCD switch
chown system system /sys/class/display/mode
chown media system /sys/class/display/axis
chown system system /sys/class/graphics/fb0/scale
chown system system /sys/class/graphics/fb1/scale
chown system system /sys/class/graphics/fb0/scale_axis
chown system system /sys/class/graphics/fb1/scale_axis
chown system system /sys/class/amhdmitx/amhdmitx0/disp_mode
chmod 0664 /sys/class/display/mode
chmod 0664 /sys/class/display/axis
chmod 0664 /sys/class/graphics/fb0/scale
chmod 0664 /sys/class/graphics/fb1/scale
chmod 0664 /sys/class/amhdmitx/amhdmitx0/disp_mode

#
chown media system /sys/class/graphics/fb0/block_mode
chmod 0664 /sys/class/graphics/fb0/block_mode

# Dual display
chown system system /sys/class/display2/mode
chown system system /sys/class/display2/axis
chown system system /sys/class/video2/clone
chown system system /sys/class/vfm/map
chown system system /sys/module/amvideo2/parameters/clone_frame_scale_width
chown system system /sys/module/amvideo2/parameters/clone_frame_rate
chown system system /sys/module/amvideo2/parameters/throw_frame
chown system system /sys/class/video2/screen_mode
chown system system /sys/class/video2/zoom
chmod 0664 /sys/class/display2/mode
chmod 0664 /sys/class/display2/axis
chmod 0664 /sys/class/video2/clone
chmod 0664 /sys/class/vfm/map
chmod 0664 /sys/module/amvideo2/parameters/clone_frame_scale_width
chmod 0664 /sys/module/amvideo2/parameters/clone_frame_rate
chmod 0664 /sys/module/amvideo2/parameters/throw_frame
chmod 0664 /sys/class/video2/screen_mode
chmod 0664 /sys/class/video2/zoom

# Free scale
chown system system /sys/class/graphics/fb0/free_scale
chown system system /sys/class/graphics/fb0/scale_width
chown system system /sys/class/graphics/fb0/scale_height
chown system system /sys/class/graphics/fb1/free_scale
chown system system /sys/class/graphics/fb1/scale_width
chown system system /sys/class/graphics/fb1/scale_height
chown media system /sys/class/graphics/fb0/request2XScale
chmod 0664 /sys/class/graphics/fb0/free_scale
chmod 0664 /sys/class/graphics/fb0/scale_width
chmod 0664 /sys/class/graphics/fb0/scale_height
chmod 0664 /sys/class/graphics/fb1/free_scale
chmod 0664 /sys/class/graphics/fb1/scale_width
chmod 0664 /sys/class/graphics/fb1/scale_height
chmod 0664 /sys/class/graphics/fb0/request2XScale

# 3G dongle
chmod 0666 /dev/ttyS20
chmod 0777 /system/etc/init-pppd.sh

# Backlight control
chmod 0664 /sys/class/backlight/aml-bl/brightness
chown system system /sys/class/backlight/aml-bl/brightness

# CPU scaling
chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq
chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
chmod 664 /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq
chmod 664 /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

# GPS com and pesudo com ports
symlink /dev/ttyS1 /dev/ttyS10

# patch to disable suspend
# write /sys/power/wake_lock true

# Set CPU scaling policy to conservative
write /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor conservative
write /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq 250000
chown system system /sys/devices/system/cpu/cpu0/cpufreq/conservative/freq_step
chmod 664 /sys/devices/system/cpu/cpu0/cpufreq/conservative/freq_step
write /sys/devices/system/cpu/cpu0/cpufreq/conservative/freq_step 10

# G-Sensors
chmod 0666 /dev/mpu
chmod 0666 /dev/mpuirq
chmod 0666 /dev/timerirq

# Bluetooth
chmod 0777 /system/bin/hciattach_usi
chown system system /sys/class/rfkill/rfkill0/state
chmod 0664 /sys/class/rfkill/rfkill0/state
write /sys/class/rfkill/rfkill0/state 0

# Bluetooth MAC address programming
chown bluetooth bluetooth /sys/class/efuse/mac_bt
setprop ro.bt.bdaddr_path /sys/class/efuse/mac_bt
symlink /sys/class/efuse/mac_bt /system/etc/bt_addr.conf

#optimize system performance
chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource

# usbpm
chown system system /sys/devices/platform/usb_phy_control/index
chown system system /sys/devices/platform/usb_phy_control/por
chown system system /sys/devices/platform/usb_phy_control/otgdisable
chown system system /sys/devices/lm0/pullup

# Define TCP buffer sizes for various networks
# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144
setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680

# Set this property so surfaceflinger is not started by system_init
setprop system_init.startsurfaceflinger 0

class_start core
class_start main

on nonencrypted
class_start late_start

on charger
class_start charger

on property:vold.decrypt=trigger_reset_main
class_reset main

on property:vold.decrypt=trigger_load_persist_props
load_persist_props

on property:vold.decrypt=trigger_post_fs_data
trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framewor k
class_start main

on property:vold.decrypt=trigger_restart_framework
class_start main
class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
class_reset late_start
class_reset main

# Used to disable USB when switching states
on property:sys.usb.config=none
stop adbd
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/bDeviceClass 0
setprop sys.usb.state $sys.usb.config

# adb only USB configuration
# This should only be used during device bringup
# and as a fallback if the USB manager fails to set a standard configuration
on property:sys.usb.config=adb
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 18d1
write /sys/class/android_usb/android0/idProduct D002
write /sys/class/android_usb/android0/functions $sys.usb.config
write /sys/class/android_usb/android0/enable 1
start adbd
setprop sys.usb.state $sys.usb.config

on property:sys.usb.config=mass_storage
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 18d1
write /sys/class/android_usb/android0/idProduct 4e21
write /sys/class/android_usb/android0/functions $sys.usb.config
write /sys/class/android_usb/android0/enable 1
setprop sys.usb.state $sys.usb.config

on property:sys.usb.config=mass_storage,adb
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 18d1
write /sys/class/android_usb/android0/idProduct 4e22
write /sys/class/android_usb/android0/functions $sys.usb.config
write /sys/class/android_usb/android0/enable 1
start adbd
setprop sys.usb.state $sys.usb.config

# USB accessory configuration
on property:sys.usb.config=accessory
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 18d1
write /sys/class/android_usb/android0/idProduct 2d00
write /sys/class/android_usb/android0/functions $sys.usb.config
write /sys/class/android_usb/android0/enable 1
setprop sys.usb.state $sys.usb.config

# USB accessory configuration, with adb
on property:sys.usb.config=accessory,adb
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 18d1
write /sys/class/android_usb/android0/idProduct 2d01
write /sys/class/android_usb/android0/functions $sys.usb.config
write /sys/class/android_usb/android0/enable 1
start adbd
setprop sys.usb.state $sys.usb.config

# Used to set USB configuration at boot and to switch the configuration
# when changing the default configuration
on property

ersist.sys.usb.config=*
setprop sys.usb.config $persist.sys.usb.config

class_start default

#
# Daemon processes to be run by init.
#
service ueventd /sbin/ueventd
class core
critical

service console /system/bin/sh
class core
console
# disabled
#user shell
#group log

#on property:ro.debuggable=1
# start console

# Set screen size
service display /system/bin/logwrapper /system/bin/set_display_mode.sh panel
class core
oneshot

# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /sbin/adbd
class core
disabled

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
start adbd

CONTINUED IN NEXT POST

**eegorr** · 16 December 2012, 23:45

Dump of init.rc (continued)

# This property trigger has added to imitiate the previous behavior of "adb root".
# The adb gadget driver used to reset the USB bus when the adbd daemon exited,
# and the host side adb relied on this behavior to force it to reconnect with the
# new adbd instance after init relaunches it. So now we force the USB bus to reset
# here when adbd sets the service.adb.root property to 1. We also restart adbd here
# rather than waiting for init to notice its death and restarting it so the timing
# of USB resetting and adb restarting more closely matches the previous behavior.
on property:service.adb.root=1
write /sys/class/android_usb/android0/enable 0
restart adbd
write /sys/class/android_usb/android0/enable 1

service servicemanager /system/bin/servicemanager
class core
user system
group system
critical
onrestart restart zygote
onrestart restart media

service vold /system/bin/vold
class core
socket vold stream 0666 root mount
ioprio be 2

service netd /system/bin/netd
class main
socket netd stream 0660 root system
socket dnsproxyd stream 0660 root inet

service debuggerd /system/bin/debuggerd
class main

service ril-daemon /system/bin/rild -l /system/lib/libaml-ril.so
class main
socket rild stream 660 root radio
socket rild-debug stream 660 radio system
user root
group radio cache inet misc audio sdcard_rw log
disabled

service pppd_gprs /system/etc/init-pppd.sh
user root
group radio net_admin cache inet misc
disabled
oneshot

on property:hw.nophone=true
stop ril-daemon

on property:hw.nophone=false
start ril-daemon

service surfaceflinger /system/bin/surfaceflinger
class main
user system
group graphics
onrestart restart zygote

service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
class main
socket zygote stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart media
onrestart restart netd
dalvik_recache

service drm /system/bin/drmserver
class main
user drm
group system inet drmrpc

service media /system/bin/mediaserver
class main
user media
group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc
ioprio rt 4

service bootanim /system/bin/bootanimation
class main
user graphics
group graphics
disabled
oneshot

service dbus /system/bin/dbus-daemon --system --nofork
class main
socket dbus stream 660 bluetooth bluetooth
user bluetooth
group bluetooth net_bt_admin

#service bluetoothd /system/bin/bluetoothd -n
# class main
# socket bluetooth stream 660 bluetooth bluetooth
# socket dbus_bluetooth stream 660 bluetooth bluetooth
# # init.rc does not yet support applying capabilities, so run as root and
# # let bluetoothd drop uid to bluetooth with the right linux capabilities
# group bluetooth net_bt_admin misc
# disabled

#service hfag /system/bin/sdptool add --channel=10 HFAG
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot

#service hsag /system/bin/sdptool add --channel=11 HSAG
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot

#service opush /system/bin/sdptool add --channel=12 OPUSH
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot

#service pbap /system/bin/sdptool add --channel=19 PBAP
# user bluetooth
# group bluetooth net_bt_admin
# disabled
# oneshot

service installd /system/bin/installd
class main
socket installd stream 600 system system

service flash_recovery /system/etc/install-recovery.sh
class main
oneshot

service racoon /system/bin/racoon
class main
socket racoon stream 600 system system
# IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
group vpn net_admin inet
disabled
oneshot

service mtpd /system/bin/mtpd
class main
socket mtpd stream 600 system system
user vpn
group vpn net_admin inet net_raw
disabled
oneshot

service keystore /system/bin/keystore /data/misc/keystore
class main
user keystore
group keystore
socket keystore stream 666

service dumpstate /system/bin/dumpstate -s
class main
socket dumpstate stream 0660 shell log
disabled
oneshot

service wpa_supplicant /system/bin/wpa_supplicant -Dwext -iwlan0 -d -c /data/misc/wifi/wpa_supplicant.conf
class main
socket wpa_wlan0 dgram 0666 system wifi
group system wifi
disabled
oneshot

service hostapd /system/bin/hostapd_wps /data/misc/wifi/hostapd.conf
class main
disabled
oneshot

service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL
class main
group dhcp system
disabled
oneshot

service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKL
class main
group dhcp system
disabled
oneshot

service iprenew_wlan0 /system/bin/dhcpcd -n
class main
disabled
oneshot

service audio /system/bin/alsa_ctl restore
class core
group system audio
oneshot

service usbpm /system/bin/usbtestpm
user system
group system
disabled

service memsicd /system/bin/memsicd
class core
oneshot

#service hciattach /system/bin/logwrapper /system/bin/hciattach_usi \
# -n -s 115200 /dev/ttyS1 bcmbt 921600
# user root
# group bluetooth net_bt_admin
# disabled

# touch calebration
#service calibration /system/bin/calibration.sh
# oneshot
# console
# disabled

# remote
service remotecfg /system/bin/remotecfg /system/etc/remote.conf
class main
oneshot

# do wififix
service wififix /system/bin/wififix.sh
class main
group root root
oneshot
disabled

on property:dev.bootcomplete=1
chown media system /sys/class/vm/mirror
write /sys/class/vm/mirror 0
#start calibration
start usbpm
app_116@android:/ $

**eegorr** · 16 December 2012, 23:47

Dump of default.prop

app_116@android:/ $ cat default.prop
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
persist.sys.usb.config=mass_storage
ro.product.locale.language=en
ro.product.locale.region=US
persist.sys.timezone=America/New_York
app_116@android:/ $

**eegorr** · 16 December 2012, 23:54

There are two occurrences of init-pppd.sh in init.rc.

Here they are (apparently) purposely setting full rw rights for init-pppd.sh:

# 3G dongle
chmod 0666 /dev/ttyS20
chmod 0777 /system/etc/init-pppd.sh

and, here they are starting pppd using our modified init-pppd.sh:

service pppd_gprs /system/etc/init-pppd.sh
user root
group radio net_admin cache inet misc
disabled
oneshot

How do I check the log to see that init-ppd.sh executed?

**ozymandiaz** · 17 December 2012, 00:02

I'm on the road with limited data connection so I won't be able to check, looks like if this method doesn't work we could possibly still use busybox since there's busybox commands in both files...

**biffler** · 17 December 2012, 00:09

The init-pppd.sh is being setup as a service. To invoke
it, you actually has to start if from a shell, IE "start pppd_gprs".
(the name after service). That being said, I don't think "shell" has
the permissions to start that service. Although if you try, it doesn't error.

service pppd_gprs /system/etc/init-pppd.sh
user root
group radio net_admin cache inet misc
disabled
oneshot

**Finless** · 17 December 2012, 00:11

OK so init.rc is setting up a service that WHEN the service runs it should run that script.
It does not mean it i run on startup.

I go not know what this service is
pppd_gprs

I have to leave for a bit but somone look it up and see how to start it.

Also lets try something simple.
In the script try something that does not require root.
see if you can copy a file from internal sdcard to somewhere like /data/local which should be writable.

By the way. something else I just thought of that might be a problem. SDcard may not be mounted when init.rc runs or when that script runs! This very well maybe why it is not working!

So try another route. put su and superuser.apk in /data/local/ which you should be able to write to without root access. Then mod the script to copy from there instead of sdcard.

Bob

**eegorr** · 17 December 2012, 00:27

Originally posted by Finless View Post

OK so init.rc is setting up a service that WHEN the service runs it should run that script.
It does not mean it i run on startup.

I go not know what this service is
pppd_gprs

I have to leave for a bit but somone look it up and see how to start it.

Also lets try something simple.
In the script try something that does not require root.
see if you can copy a file from internal sdcard to somewhere like /data/local which should be writable.

By the way. something else I just thought of that might be a problem. SDcard may not be mounted when init.rc runs or when that script runs! This very well maybe why it is not working!

So try another route. put su and superuser.apk in /data/local/ which you should be able to write to without root access. Then mod the script to copy from there instead of sdcard.

Bob

/data/local is not writeable. I'll keep looking around for some other place to put it them.

Can we mount sdcard from the init-pppd.sh script, even if only temporarily?

Also, how can I view the log to see if the script is even running?

EDIT: I didn't do a lot of reading about it, but pppd_gprs has something to do with ppp over 3G (phone data). That is probably why the comment for the first occurrence says "3G dongle".

**biffler** · 17 December 2012, 00:43

if you look in the script, you see things like:
/system/bin/log -t pppd "init-pppd.sh SCRIPT=$SCRIPT"

that should log a pppd entry. I don't see anything.

if you "cd /sdcard"
then "logcat -d > logfile.txt"

You can view that file. To prove that is the log, you could also
do :

/system/bin/log -t freaktab "this is a test"

Then logcat -d should show it.

**Finless** · 17 December 2012, 01:07

You can also just do a logcat command from ADB or a terminal window to dump the log and see that it is working.

Bob

Announcement

Announcement

Nexbook AMlogic root WORK!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

What's Going On