- Device
- LG Stylo
Hi all, just joined the community; been checking out the site as I am aspiring to increase my programming/hacking knowledge, esp. when it comes to Android, so thought I'd join. Would do a regular intro, but I was reading another topic here and someone brought up a question I recently solved myself after some research, and as I will be trying to gain knowledge here as well, in the spirit of the old Scene mantra "no leeching!" I will also share knowledge whenever I can.
Bypassing PIE (position independent executable) check
I ran into this problem in the same way as the person in the link I put ^ there: trying to debug an app by getting a memory dump first. I'd never had the problem before, but this is my first attempt on Android L. After researching, I found an ideal solution supplied here (XDA), and, if you happen to have the same type of phone, you can stop reading this, as the zip file should work when flashed. It did nothing for me, and after reading the problems people were having after flashing (PSA: read the comments on files BEFORE putting them on your device; I got lucky and had no issue, but it could have been worse) I decided this wouldn't work for me. After reading more, though, I found what I really needed was in this code here (source: original tutorial linked):
Code:
3a06: f8c6 5098 str.w r5, [r6, #152] ; 0x98
3a0a: f8c6 4100 str.w r4, [r6, #256] ; 0x100
3a0e: 8a0a ldrh r2, [r1, #16]
3a10: 2a03 cmp r2, #3
3a12: d007 beq.n 3a24 // change to e007 (b.n)
3a14: 4992 ldr r1, [pc, #584] ; (3c60)
3a16: 2002 movs r0, #2
3a18: 4479 add r1, pc
So, I decided to dig into it myself and see if I could do anything.
What I used:
IDA Pro 32-bit (I used the paid version; it's not necessary here, the free version can do it as well)
Any good hex editor (my favourite is UltraEdit, but WinHex etc. don't matter)
A rooted phone: you need to replace a file under /system and change permissions
A file explorer WITH root access (ES File Explorer, Root Explorer)
Step 1:
Find the file named "linker" in your /system/bin directory. Copy it onto the computer you will be working on (and keep that copy untouched as your backup).
Step 2:
Fire up IDA Pro 32-bit. When you load the linker file for disassembly, leave the default settings IDA proposes for the ELF (it reads the processor type from the ELF header; the Android linker is 32-bit ARM, and the code of interest is Thumb-2, which is what the .W suffixes in the listing below mean). Let it do its thing.
Step 3: Go to View -> Open Subviews -> Strings. Look for the string that says
Code:
.rodata:0000B1F9 00000043 C error: only position independent executables (PIE) are supported.\n
The address the line sits at may differ in your build, but the text won't change (obviously the reason the flashed zip I tried failed is that my linker has the value to change at a different address, duh me). Double-click the line and IDA jumps to
Code:
.rodata:0000B1F9 aErrorOnlyPosit DCB "error: only position independent executables (PIE) are supported"
.rodata:0000B1F9 ; DATA XREF: __dl___linker_init+3D6o
.rodata:0000B1F9 ; .text:off_3BDCo
.rodata:0000B1F9 DCB ".",0xA,0
Again, the address will be specific to your file. Double-click the DATA XREF into __dl___linker_init to land in the code that prints the message, then scroll up 10-15 lines and you'll see this:
Code:
.text:0000387C loc_387C ; CODE XREF: __dl___linker_init+390j
.text:0000387C ; __dl___linker_init+3B6j
.text:0000387C LDR.W R1, [R4,#0x8C]
.text:00003880 MOVS R5, #0
.text:00003882 MOVS R6, #1
.text:00003884 STR.W R5, [R4,#0x98]
.text:00003888 STR.W R6, [R4,#0x100]
.text:0000388C LDRH R3, [R1,#0x10]
.text:0000388E CMP R3, #3
.text:00003890 BEQ loc_38A2
.text:00003892 ; ---------------------------------------------------------------------------
.text:00003892 LDR R1, =(aErrorOnlyPosit - 0x389A)
.text:00003894 MOVS R0, #2
.text:00003896 ADD R1, PC ; "error: only position independent execut"...
.text:00003898 BL __dl___libc_format_fd
.text:0000389C MOV R0, R6
.text:0000389E
.text:0000389E loc_389E ; CODE XREF: __dl___linker_init+604j
.text:0000389E BL __dl_exit
Any of that look familiar? The STR, CMP and BEQ lines match the XDA listing exactly (IDA shows immediates in hex, so #0x100 is the other disassembly's #256 and #0x10 its #16; only the register numbers differ between builds). What the check does: LDRH R3, [R1,#0x10] loads the 16-bit e_type field at offset 0x10 of the ELF header of the executable being started, CMP R3, #3 compares it with ET_DYN (3), the type a PIE is built as, and BEQ skips past the error path only when they match. Turning the BEQ into an unconditional B means the error path is never taken, whatever e_type says. So now we can do the exact same fix, manually! Before you close IDA, switch to the Hex View from the BEQ line to get the file offset you need. In my example this is 00003890; yours may differ, but the bytes on the line should read
Code:
07 D0 D2 49 02 20 79 44 02 F0 DE FC 30 46 FD F7
(07 D0 is the little-endian encoding of the 16-bit Thumb instruction D007, beq.n; the 07 is the branch distance and stays as it is.) That's it for IDA; exit (no need to save the database unless you want to).
Step 4:
Open your hex editor. Search for the data any way you want, either by the offset (my example 00003890) or, as I did, for the byte string "07 D0 D2 49" (put enough bytes in the search to hit a unique spot; don't just search for D0, even though that's the byte we're editing, or you may patch the wrong place). Once you're sure you're at the right spot, overwrite in place (don't insert; the file size must not change) so it reads
Code:
07 E0 D2 49 02 20 79 44 02 F0 DE FC 30 46 FD F7
Only the "D0" to "E0"? Yes, it's really that simple: D007 (beq.n) becomes E007 (b.n) and the branch distance is untouched.
Step 5:
On your phone, /system is normally mounted read-only, so remount it read-write (as root) before you start; if your file explorer can't do that, temporarily changing the permissions of /system/bin/linker from 755 (rwxr-xr-x) to 777 (rwxrwxrwx), and depending on your mounts the folder's permissions as well, is the workaround the original guide used. DON'T FORGET TO CHANGE PERMISSIONS BACK WHEN DONE!!!! Rename the linker file on the phone to linker1, linkerbak, or whatever, and keep it: every dynamically linked process on the device starts through this file, so if the copy you push is bad, nothing will start until the backup is put back. Then upload the edited linker file from your PC to /system/bin. Afterwards SET PERMISSIONS BACK on the file and folders: the new file must end up with the same owner and mode as the original (root:root, 755), and ideally the same SELinux label (compare ls -Z output against the backup), and remount /system read-only again.
You should now be able to use gdb, gdbserver, and older busybox builds that failed with the PIE error, i.e. executables linked without -pie (ELF type EXEC instead of DYN). Keep in mind what you've turned off: the linker's PIE requirement is what guarantees every executable on the device gets ASLR, so the patched linker will happily start any non-PIE binary; put the original back when you're done debugging.
Happy modding!
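As an added example that is not part of the original post (and not the linker's or AOSP's own code): a Python script that finds the same check by decoding the Thumb instructions rather than searching for fixed bytes, so it copes with the different register allocation (r2 in the XDA listing, R3 here) and the different offsets between builds, which is why the XDA zip did not fit this linker. It walks the executable sections of the ELF looking for LDRH Rt,[Rn,#0x10] / CMP Rt,#3 / BEQ, refuses to patch unless exactly one match is found, and rewrites the BEQ as an unconditional B with the same displacement, so the file size and every other byte stay unchanged. The SAMPLE bytes are constructed from the post's listing, not a real linker; the script name patch_pie.py and the usage line are assumptions.

```python
"""Find the bionic linker's PIE check (LDRH Rt,[Rn,#0x10]; CMP Rt,#3; BEQ)
by decoding Thumb instructions, then rewrite the BEQ as B in place.
Added example for this thread, not the post's or AOSP's code."""
import struct
import sys

ET_DYN = 3            # e_type of a PIE / shared object
E_TYPE_OFFSET = 0x10  # offset of e_type in Elf32_Ehdr
EM_ARM = 40
SHF_EXECINSTR = 0x4


def decode_ldrh_imm(hw):
    """Thumb LDRH Rt,[Rn,#imm5*2] (bits 15..11 = 10001) -> (rt, rn, imm)."""
    if hw >> 11 != 0b10001:
        return None
    return hw & 7, (hw >> 3) & 7, ((hw >> 6) & 0x1F) * 2


def decode_cmp_imm(hw):
    """Thumb CMP Rn,#imm8 (bits 15..11 = 00101) -> (rn, imm8)."""
    if hw >> 11 != 0b00101:
        return None
    return (hw >> 8) & 7, hw & 0xFF


def decode_bcond(hw):
    """Thumb B<cond> (bits 15..12 = 1101, cond < 0xE) -> (cond, imm8).
    imm8 is signed, in halfwords; cond 0 is EQ. cond 0xE/0xF are UDF/SVC."""
    cond = (hw >> 8) & 0xF
    if hw >> 12 != 0b1101 or cond >= 0xE:
        return None
    imm8 = hw & 0xFF
    return cond, (imm8 - 0x100 if imm8 & 0x80 else imm8)


def encode_b(imm):
    """Thumb unconditional B (bits 15..11 = 11100) with a signed imm11."""
    if not -1024 <= imm <= 1023:
        raise ValueError("offset %d does not fit a 16-bit B" % imm)
    return 0xE000 | (imm & 0x7FF)


def branch_target(addr, imm):
    """PC-relative target; in Thumb, PC reads as the instruction address + 4."""
    return addr + 4 + imm * 2


def exec_ranges(data):
    """(offset, size) of each executable section of a 32-bit LE ARM ELF;
    the whole file if the section table has been stripped."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    if struct.unpack_from("<H", data, 18)[0] != EM_ARM:
        raise ValueError("not an ARM ELF")
    e_shoff = struct.unpack_from("<I", data, 32)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 46)
    ranges = []
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        flags, _, off, size = struct.unpack_from("<IIII", data, sh + 8)
        if flags & SHF_EXECINSTR:
            ranges.append((off, size))
    return ranges or [(0, len(data))]


def find_pie_checks(data, ranges):
    """File offsets of every BEQ preceded by LDRH Rt,[Rn,#0x10]; CMP Rt,#3,
    i.e. every 'if (ehdr->e_type == ET_DYN) skip the error' sequence."""
    hits = []
    for lo, size in ranges:
        hi = min(lo + size, len(data))
        for off in range(lo, hi - 5, 2):  # Thumb halfwords are 2-aligned
            h0, h1, h2 = struct.unpack_from("<HHH", data, off)
            ldrh, cmp_, br = decode_ldrh_imm(h0), decode_cmp_imm(h1), decode_bcond(h2)
            if (ldrh and ldrh[2] == E_TYPE_OFFSET
                    and cmp_ == (ldrh[0], ET_DYN)
                    and br and br[0] == 0):
                hits.append(off + 4)
    return hits


def patch_beq_to_b(data, off):
    """Copy of data with the BEQ at `off` rewritten as B to the same target."""
    br = decode_bcond(struct.unpack_from("<H", data, off)[0])
    if br is None or br[0] != 0:
        raise ValueError("no BEQ at file offset 0x%x" % off)
    out = bytearray(data)
    struct.pack_into("<H", out, off, encode_b(br[1]))
    return bytes(out)


def patch_linker(data):
    """Patch exactly one PIE check; refuse to guess if there are 0 or more."""
    hits = find_pie_checks(data, exec_ranges(data))
    if len(hits) != 1:
        raise ValueError("expected one PIE check, found %d at %s"
                         % (len(hits), [hex(h) for h in hits]))
    return patch_beq_to_b(data, hits[0]), hits[0]


# Constructed sample, not a real linker: the post's listing from 0x3888 on
# (STR.W R6,[R4,#0x100]; LDRH R3,[R1,#0x10]; CMP R3,#3; then the 16 bytes
# shown in the hex view). The BEQ halfword therefore sits at offset 8.
SAMPLE = bytes.fromhex("c4f80061" "0b8a" "032b"
                       "07d0d24902207944" "02f0defc3046fdf7")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: patch_pie.py <linker> <linker.patched>")
    with open(sys.argv[1], "rb") as f:
        patched, off = patch_linker(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
    print("BEQ -> B at file offset 0x%x" % off)
```

Run it against the copy pulled from the phone, then diff the two files (for example with cmp -l) before pushing anything: exactly one byte should differ, D0 to E0 at the offset the script reports, and the sizes must be identical. If the script reports zero or several matches, your build's check looks different and you are back to reading the disassembly by hand as above.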