Recently when I was preparing some Android training material I found this little trick.

Android “init” can do a lot of things, including “on property change” trigger; one can image some applications use this to implement an ad-hoc IPC. One example is the system/libnetutil that monitors the “init.svc.dhcpcd” property to detect whether dhcpcd is running or not.

Android framework can execute some predefined command (service) via the “ctl.start” property, the most interesting part is you can supply dynamic arguments to the command just like you were calling a command from shell.

The format is

setprop ctl.start service:arg1 arg2 arg3..

It must be a oneshot service, for example you can define a dhcpcd service like:

service dhcpcd /system/bin/dhcpcd -B
    group dhcp wifi system
    disabled
    oneshot

And set the target interface dynamically:

setprop ctl.start dhcpcd:eth0

“init” will then execute “dhcpcd -B eth0″ with appropriate permissions.

今年 GoogleIO 時 Android team 不斷在推廣一個 Android UI Pattern，可以觀察到最早利用這個 Pattern 的應該是預設的 Facebook 程式，接下來發展的更為完備的是 Twitter 官方程式，處處可以見到該 Pattern 的影子。GoogleIO 前 Google 也推出一個程式叫作 IOSched 用來顯示議程相關資訊，同樣是使用該 Pattern 的實作。雖然 Twitter 承諾會釋出 source code，但是一直沒下文，因此想要使用這個 UI Pattern 的可以說完全沒有範例可以參考。

今年 COSCUP 就參考 IOSched，嘗試從頭打造一個類似的程式，順便練習一下怎麼使用這個 UI Pattern，結果寫好後才知道上官大神早有 HTML5 的版本，連 IOSched 不知道什麼時候也有 source code 了 (汗)

無論如何，總算是練習了一下 Android Programming，有參加 COSCUP 的人可以試用看看

Source code 在 http://github.com/kanru/Coscup2010

Today I read that someone demoed how to put rootkit into your phone during the Defcon. But there are no details, the keywords like kernel moudle, install apk, remote phone call, …, all reminds me the old phishing attack. Then I thought, can it be the trick used to root Droid X?

Actually this exploid works on almost every Android phone because it leverages a vulnerability in the framework. XDA developers also confirmed the success on various N1 model. But can it be used on real attack?

To demonstrate how dangerous the local exploit is, I wrote an Android application that inject the su program into your phone. With Superuser.apk you can gain root access whenever you run su from adb shell.

No additional permissions required! This works on my stock Nexus One and in theory any Android. Just one click I can root you phone (optionally take away your data simultaneously). Don’t trust me or any other similar programs floating around the market, or simply don’t install any program until your carrier fix this.

Download the apk here: http://0xlab.org/~kanru/RootDroid-release.apk

md5: 20894acd3be808c51ce32491872ba027
sha1: 889fc92692c0e58e83673dedbabbc66d5c6318b1

Gallery3D is the gallery application released with Éclair, contributed by Cooliris.

This application heavily uses OpenGL to render the scenes. It looks great on Nexus One. But 0xdroid does not yet support hardware accelerated 3D graphics and rely on libagl to rasterize the 3D graph.

Agl is the software OpenGL rendering engine used by android emulator. Gallery3D assumes there is hardware support and this caused a lot of trouble when one want to run it with agl. Even if the libagl implementation is correct and complete, Gallery3D may also assumes some implementation depended behavior. Not to mention the fundamental libagl implementations may have problems.

Anyway, we have some progress and I’d like to share the screenshots. Devkit8000 DVI output, 640×480 resolution, captured by DDMS.

I have a feeling there are more OpenGL tricks inside the source code then I’d expected.

在 Devkit8000 上把 HOME key 設定好後卻無法作用，仔細看了下處理 HOME key 的地方是 polices 下的 PhoneWindowManager.java，會去檢查這個 device 是否被 “Provision” 了。

這個 Provision 的動作其實就是 Device 第一次啟用時做初始設定，在 Google phone 上面就是 SetupWizard，在 emulator 裏面則有簡單的 Provision.apk，之前無法作用就是因為一直沒有把 Provision.apk 放進去…

Provision.apk 做了什麼事呢？其實很簡短：

public class DefaultActivity extends Activity {

    @Override
    protected void onCreate(Bundle icicle) {
        super.onCreate(icicle);

        // Add a persistent setting to allow other apps to know
        // the device has been provisioned.
        Settings.Secure.putInt(getContentResolver(),
                               Settings.Secure.DEVICE_PROVISIONED, 1);

        // remove this activity from the package manager.
        PackageManager pm = getPackageManager();
        ComponentName name = new ComponentName(this,
                                     DefaultActivity.class);
        pm.setComponentEnabledSetting(name,
                   PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 0);

        // terminate the activity.
        finish();
    }
}

因此若要提供一個類似 SetupWizard 的初始化介面在 Devit8000 上面，只要延伸這個 Provision.apk 做的事，提供 GUI 等等，最重要的就是設定這個 “Settings.Secure.DEVICE_PROVISIONED”

這是一個筆記。

Today we are celebrating the 0xLab’s one year old birthday! I’d like to write about the recently announced fourth 0xdroid release.

What’s new in this release? The biggest one is that it is based on Éclair code base! While Éclair uses a lot more 3D stuff for its UI, the performance drop between Donut and Éclair is huge. After lots of testing and hacking, we finally bought the Éclair performance back to its original level. For detailed benchmark results, checkout the wiki page Benchmarks.

Second is new hardware support. 0xdroid now officially supports Devkit8000, a BeagleBoard clone. Developers did many works to bring up the all functionality include LCD/DVI output, touchscreen calibration, USB, Ethernet, etc. Running Éclair on Devkit8000 looks great!

Oh, and the new installer! The new installer used in this release supports both BeagleBoard and Devkit8000, with different display resolution and hardware revision. It can do a lot more than previous installer can do, for example it can download images from network, install to SD/MMC card and indicate progress via graphic display or via blinking LEDs. All of this will fit into a 1MB binary!

Enjoy the release video on the youtube:

Want to contribute? Download it and try now!

上週末下班前，在桌上發現一個包裹，原來是渡海而來的兩隻 A1！這兩隻 A1 是 Broncho 的產品，詳細規格可以參考 Broncho 的網頁。

大伙興奮的開箱啦！

包裝和 Hero 的很像。3.2 寸 LCD, 480×320 的解析度，200 萬畫素的相機鏡頭，CPU 是 Marvell 300 (624 MHz)，記憶體是 256 + 128 MB，支援 WIFI, Bluetooth, FM, GPS。不是使用標準的 USB 接口，但同一個接口可以接 USB、耳機、變壓器。觸控螢幕使用起來的感覺像是電容式的，反應非常靈敏，輕輕的觸摸就有反應。

系統是 Android Cupcake，內建軟體有不少 Google App，最另人驚訝旳是上面有 Android Market 可以用，試著從 Market 上面下載了一些小遊戲下來玩，完全沒有問題，真是太牛了！另外一點就是有內建手寫輸入，速度不快但是準確度不錯。除此之外還有谷歌拼音可以用。

測試的途中無線網路與 GPS 不是很穩，除此之外以一隻中低價位的手機來說表現的相當不錯。