On 08/25/2017 10:07 AM, Alex wrote:
Following up on my previous post on setting up Android 6.0 as a Qubes
HVM for app debugging purposes, I'm fixing some of the things that were
left unsolved, namely:
  * screen goes to unrecoverable standby after a short time
  * fix vga settings in grub config
  * enable adb via tcp
  * allow VNC connections

First, we fix the screen timeout. That's relatively easy:
  * Open Settings
  * Go to "About Tablet"
  * Tap the build number 8 times (until you're a developer)
  * Go back to settings
  * Go to newly added "Developer Options"
  * Enable "Stay awake"

Then we need to set up a TCP connection to our work appvm (or the one in
which Android Studio is installed and will be used). These steps are
adapted from qubes-os.org/doc/firewall.
  * Gather IP addresses (qubes ones) for work and android-6
  * Open a shell in sys-firewall
[sys-fw]$ sudo iptables -I FORWARD 2 -s <workIP> -d <andIP> -j ACCEPT
[sys-fw]$ sudo iptables -I FORWARD 2 -s <andIP> -d <workIP> -j ACCEPT
  * Open a shell in work appVM
[work]$ sudo iptables -I INPUT -s <andIP> -j ACCEPT
  * Firewall in Android-x86 already allows connections, so test:
[work]$ ping <andIP>
[android-terminal-emulator]$ ping <workIP>
  * You should be able to ping. If this is the case, follow the instructions in
qubes-os.org/doc/firewall to ensure persistence of these settings in
both the work appVM and sys-firewall.

Now we can configure the ADB TCP port for remote debugging:
  * inside Android open the terminal emulator again if closed
[android-terminal-emulator]$ su
[android-terminal-emulator]# setprop service.adb.tcp.port 5555
[android-terminal-emulator]# stop adbd
[android-terminal-emulator]# start adbd
  * check from work appVM (Android studio and the tools should have
already been installed, so that you have "adb" available)
[work]$ adb connect <andIP>:5555
  * Should say "connected to 10.137.xx.yy:5555"
If this is the case, you now have a friendlier connection for your system!

Now our Android HVM will have to be booted from the dom0 command line, but
we can make it easier by persisting the vga= config in grub. To do that,
we must restart Android and:
  * from the GRUB menu select the second line (Debug Mode)
  * boot will stop at a temporary root MirBSD Korn shell
  * give it a couple of Enter keys to clear logs out of the way
  * now type:
[android]# mount -o rw,remount /mnt
[android]# cd /mnt/grub
[android]# vi menu.lst
  * edit the file so as to append the VGA parameter
     * press "i", move the cursor, add text
  * save and quit
     * press Esc, then type ":wq"
  * exit the shell TWICE and android will try to complete its boot
     * but because we did not set the "vga" parameter in the debug line,
it will most likely fail
     * kill the VM from VM Manager

Now we can start the android vm with a relatively easy dom0 command; it
will automatically and quickly boot to a relatively usable android
(sometimes some google background service will crash) with no problems
with screen timeouts. The only problem remaining is the mouse, which can
be worked around with a VNC connection.

Problem is, our Android is x86 and most VNC servers out there are for
ARM devices. There is an x86 build of android-vnc-server at
http://xmodulo.com/how-to-run-vnc-server-on-android-x86.html but it does
not have PIE enabled (some exploit protection), so Marshmallow will refuse to
load it.

Now you have TWO paths available:
one is
  * download the android-vnc-server project
  * update it and compile it for x86 with PIE
  * load it into our HVM and use it to connect

the other is
  * patch the /system/bin/linker executable in Marshmallow to avoid PIE check
  * load the already compiled assembly found at previous link
  * use it to connect

I went through the second path, since I'm more of a reverse engineer
than a library archaeologist, and really don't like the idea of trying
to compile things from the past with obscure (to me) options.

I found a nice explanation at
https://forum.xda-developers.com/google-nexus-5/development/fix-bypassing-pie-security-check-t2797731/page13#127
about a guy that did exactly this patch for Android 5.1. Following his
steps I disassembled /system/bin/linker from our Marshmallow HVM and
found that the 4 bytes to patch for the check are at 0xD25A (file
offset): they start with 0x0F 0x85. Patch the 4 bytes with four NOPs
(0x90), save, and replace the linker with your patched version.
  * put the new linker in /storage/emulated/0/linker_new
  * restart the Android HVM in Debug mode again
  * once there the layout of the FS is completely different
     * find linker_new inside /mnt/android-6.0-r1/data/media/0/
     * copy it over to /android/system/bin
     * chmod it to 755
  * exit TWICE from the MirBSD shell and kill HVM
  * start android normally (via the qvm-start custom command, as usual)
  * push droidvnc_x86 you downloaded from the link above into the VM
[work]$ adb push droidvnc_x86 /storage/emulated/0/
[work]$ adb shell
[adb]$ su
[adb]# mv /storage/emulated/0/droidvnc_x86 /system/bin/
[adb]# chmod 755 /system/bin/droidvnc_x86
[adb]# droidvnc_x86
  * if everything is ok, you will see the messages
Initializing VNC server:
        width:  1024
        height: 768
        bpp:    32
        port:   5901
Initializing server...
25/08/2017 11:35:27 Listening for VNC connections on TCP port 5901
25/08/2017 11:35:27 Listening for HTTP connections on TCP port 5801
25/08/2017 11:35:27   URL http://localhost:5801

Now you can connect via any VNC client (say, remmina?), tweak the
connection quality settings, and use your Android HVM to debug apps!

Some more issues you may find:
  * Network is connected via cable, and Android knows it, not via WiFi
adapters. Apps may get this situation wrong.
  * Obviously you cannot multitouch via VNC. You could not via the
normal HVM screen either.
  * Applications may sporadically crash, and this is an x86 machine: many
native apps are compiled for ARM devices only, with all due consequences.
  * You will have to start the VM via the dom0 shell command, until I get
to understand how to avoid having the XML overwritten by VM Manager when
starting from there.

Hope somebody finds this useful

NICE!

Thank You!
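The two reasons the post gives for a binary being rejected on the x86 Marshmallow HVM (wrong architecture, and not being PIE) are both visible in the ELF header, so they can be checked before pushing anything to the VM instead of patching the linker's check away. The following is an added example, not code from the post or from the android-vnc-server project; it parses the ELF identification and header fields and uses constructed (not real) headers for its sample input.

```python
import struct
from typing import Tuple

# Constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                       # e_type: fixed-address vs PIE/shared
EM_386, EM_ARM, EM_X86_64 = 3, 40, 62        # e_machine values
MACHINE_NAMES = {EM_386: "x86", EM_ARM: "ARM", EM_X86_64: "x86_64"}


def inspect_elf(data: bytes) -> dict:
    """Read the header fields that decide whether the Android 6.0 linker
    will accept an executable: e_machine (architecture) and e_type (PIE)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]                       # 1 = 32-bit, 2 = 64-bit
    ei_data = data[5]                        # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "machine": MACHINE_NAMES.get(e_machine, hex(e_machine)),
        "pie": e_type == ET_DYN,             # Android 5.0+ requires ET_DYN executables
    }


def marshmallow_will_load(data: bytes) -> Tuple[bool, str]:
    """Apply the two rejection reasons from the post to one binary."""
    info = inspect_elf(data)
    if info["machine"] not in ("x86", "x86_64"):
        return False, f"built for {info['machine']}, not x86"
    if not info["pie"]:
        return False, "not PIE (ET_EXEC); linker will refuse it"
    return True, f"{info['bits']}-bit x86 PIE executable"


def make_header(ei_class: int, e_type: int, e_machine: int) -> bytes:
    """Constructed minimal ELF header for testing; no real program body."""
    e_ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    hdr = e_ident + struct.pack("<HH", e_type, e_machine)
    return hdr.ljust(52 if ei_class == 1 else 64, b"\x00")


if __name__ == "__main__":
    for label, hdr in [("arm exec", make_header(1, ET_EXEC, EM_ARM)),
                       ("x86 exec", make_header(1, ET_EXEC, EM_386)),
                       ("x86 pie", make_header(1, ET_DYN, EM_386))]:
        print(label, marshmallow_will_load(hdr))
```

For a real file, pass `open(path, "rb").read(64)` to `marshmallow_will_load`; the same check is what the linker's patched jump at the post's 0xD25A offset would otherwise enforce, so keeping it on the build side avoids weakening the VM's linker at all.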
