maemo.org - Talk


qole 2012-02-05 05:27

Chroot Scripts for Harmattan Open Mode
 
I've been getting some requests to port my "Easy Debian" chroot scripts to the N9, and I've been reluctant to release anything because getting this to work depends upon flashing the Open Kernel (which means a fairly complicated flashing process and re-installing all of your apps), and, if you aren't one of the lucky few to have the N950, you'll need to install btinput and pair a Bluetooth hardware keyboard with your N9.

So I wouldn't call this "Easy Debian". My current lame little working name is "HarmChom", short for "Harmattan Chroot Open Mode".

I am linking to the tarball of my scripts. It is the beginnings of a .deb package, but I haven't figured out what I need to add to a .deb in Open Mode yet, and I wanted to get these scripts out there for you all to start using.

Basically just copy the files in the src/ directory into your phone's file system.

UPDATE: I recommend installing coderus' sudo instead of using my fake sudo below.
As root,
Code:

AEGIS_FIXED_ORIGIN=com.nokia.maemo dpkg -i sudo_1.6.8p12-4osso28\+0m6_armel.de
I have made a "fake sudo" which is just an alias for "ssh root@localhost", but for it to work properly in scripts (i.e. no passwords), you should set up ssh key authentication.

Here are the scripts: HarmChom.tgz

Make the /home/user/.chroot file point to the correct image file, then use "debian" as root to run chroot commands. You can also use qchroot, qmount, qumount, closechroot, etc. the same as on previous versions of my scripts.

On my phone, I am using a modified version of my standard Easy Debian image, which includes a new version of the script to get LXDE up and running.

Here is the new script, put it in the /usr/bin of your image:
xephwm

And because I'm still trying to figure out the problems of running as root from an icon (see the fake sudo above), this script (when placed in your image's /usr/bin dir) drops you to user and then runs xephwm:
suxephwm

With everything set up properly, using these scripts (and the .desktop file included), I was able to launch LXDE from an icon, then run OpenOffice Writer and write a 500 word essay on an airplane.

Anyway, try this stuff out, and post your comments here.

mankir 2012-02-08 14:49

Re: Chroot Scripts for Harmattan Open Mode
 
Thanks for your efforts, just for your interest: It is possible to run Firefox10 (and maybe even more apps) from oneiric on the n900 with nemo installed; I guess there are issues with dbus which cause some crashes. Maybe the buggy thumb was fixed in the Meego-Kernel, so I will make further investigations if it's possible to use up2date-debapps on the n900... Should be interesting for the nemo-team anyway!
Update: Audacity1.3.13-beta is able to record and play

qole 2012-02-12 00:15

Re: Chroot Scripts for Harmattan Open Mode
 
I posted a video demo, just so you see how fast the N9 / N950 can run Debian apps like OpenOffice.org. The N900 is a slug in comparison!

http://www.youtube.com/watch?v=OuSfZHU1brA

Sniper_swe 2012-02-12 00:28

Great video! More.....:)

www.rzr.online.fr 2012-02-12 01:05

Re: Chroot Scripts for Harmattan Open Mode
 
Yes, looks promising. What are the next steps? Chrooting the Plasma Active distro?

demolition 2012-02-12 01:43

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1163701)
I posted a video demo, just so you see how fast the N9 / N950 can run Debian apps like OpenOffice.org. The N900 is a slug in comparison!

That is AMAZING! Thanks for this work and for posting video. A desktop OS and desktop-grade software that runs at a really workable speed, in the pocket!

Does the screen sensitivity and absence of a stylus prove annoying?

Apart from to type with, are there any other reasons to have a hardware kb - for instance, does not having one prevent certain interactions with the OS? For very simple text entry in Harma-Deb is the vkb ok, or is it disabled?

qole 2012-02-12 03:56

Re: Chroot Scripts for Harmattan Open Mode
 
At this point I know of no way to trigger the VKB from within a Debian app. Maybe we can use one of the Debian VKBs. I wish someone would get Maliit working in ARM Debian or Ubuntu.

rcolistete 2012-02-12 12:29

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1163701)
I posted a video demo, just so you see how fast the N9 / N950 can run Debian apps like OpenOffice.org. The N900 is a slug in comparison!

http://www.youtube.com/watch?v=OuSfZHU1brA

Wow, OpenOffice 3 @ N9 is faster than @ my notebook !

ibrakalifa 2012-02-12 12:35

Re: Chroot Scripts for Harmattan Open Mode
 
cool, thx mr qole, and i like ur blog too, :)

qole 2012-03-07 00:54

Re: Chroot Scripts for Harmattan Open Mode
 
So, anyone going to try these scripts with Inception and see if you can mount on loop?

itsnotabigtruck 2012-03-07 03:50

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1175595)
So, anyone going to try these scripts with Inception and see if you can mount on loop?

It looks like HarmChOM ought to be doable with INCEPTION - if tweaked to be more Aegis-aware. For example, CAP::sys_admin can be requested in order to be able to mount things, and CAP::sys_chroot in order to chroot. For "traditional" root access, UID::root, GID::root, and CAP::* can be obtained.

The trick of using SSH as root in order to obtain a shell probably needs to go - replacing those files will cause a MALF and it isn't really necessary.

qole 2012-03-07 04:18

Re: Chroot Scripts for Harmattan Open Mode
 
So it sounds like the short answer is "no".

twoboxen 2012-03-07 04:27

Re: Chroot Scripts for Harmattan Open Mode
 
Correct, Inception + chroot does not currently work.

slaapliedje 2012-03-07 05:23

Re: Chroot Scripts for Harmattan Open Mode
 
For Virtual Keyboards, I had Cellwriter set up on my Fujitsu tablet. It has both a virtual keyboard and handwriting recognition, and works rather well. Gok is another one; though it doesn't exactly look pretty, it's functional.

Maliit does look pretty, and I wouldn't think it'd be too terribly difficult to port. I think Fedora already has it packaged. Can't recall which distribution I'd been using that had it on my tablet, but it was an earlier version and while it looked pretty, it was semi-broken.

I bought a sweet Mini Bluetooth keyboard though for this very purpose, it has a touch pad and directional pad as well as right / left mouse buttons. You can even rotate the touch pad and use it as it rests in your palm!

Hope this gets really easy to install soon, or I get some time to test it out, that's some serious awesomeness in speed!

I would think if the N900 had 1GB of RAM, it'd be similar; I think that's truly where the bottleneck is.

slaapliedje

itsnotabigtruck 2012-03-07 21:41

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1175644)
So it sounds like the short answer is "no".

It's no, but it can be turned into a yes.

mrsellout 2012-03-07 22:04

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by slaapliedje (Post 1175664)

I bought a sweet Mini Bluetooth keyboard though for this very purpose, it has a touch pad and directional pad as well as right / left mouse buttons. You can even rotate the touch pad and use it as it rests in your palm!

Which model/where did you order it from? I'm after one so any recommendations would be most welcome.

qole 2012-03-07 23:50

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by itsnotabigtruck (Post 1176165)
It's no, but it can be turned into a yes.

Since the primary problem is that Aegis blocks the running of all unsigned binaries, and the chroot is all unsigned binaries, you would have to disable Aegis entirely. At which point, it is the same as Open Mode.

itsnotabigtruck 2012-03-08 04:35

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1176221)
Since the primary problem is that Aegis blocks the running of all unsigned binaries, and the chroot is all unsigned binaries, you would have to disable Aegis entirely. At which point, it is the same as Open Mode.

Except that it doesn't - as long as relaxed mode is turned on (it is if developer mode is on), there's nothing stopping one from running unsigned binaries. I'd suggest making the install package for HarmChOM/etc. depend on aegis-dev-mode, which should make sure this is the case. Then, the binaries inside the chroot can simply inherit the Linux capabilities obtained by the launcher through Aegis.

qole 2012-03-08 05:00

Re: Chroot Scripts for Harmattan Open Mode
 
Please verify that what you write is true; twoboxen reports that he is experiencing the same problems with Inception that I experienced with javispedro's earlier Aegis hack, that is, all binaries within the chroot receive a "Permission Denied" error unless Aegis is completely disabled.

z720 2012-03-08 06:42

Re: Chroot Scripts for Harmattan Open Mode
 
I'm facing "chroot: can't execute '/bin/sh': Operation not permitted"
with same image I manage to chroot on android ICS.

Any help? :confused:


Full log ~

/ # sh /bin/debian
Chroot dir specified: /.debian
/home/user/MyDocs/bt5/bt5.img.ext4 specified in ~/.chroot
Mounting...
using image file: /home/user/MyDocs/bt5/bt5.img.ext4
fs type is ext4
Using ext4 file system
FATAL: Module ext4 not found.
mounting /home/user/MyDocs/bt5/bt5.img.ext4 on loop
.../home/user/MyDocs/bt5/bt5.img.ext4 mounted on loop0
.
..
...
....
/bin/qchroot: line 145: blkid: not found
/bin/qchroot: line 156: blkid: not found
Everything set up, running chroot...
chroot: can't execute '/bin/sh': Operation not permitted

itsnotabigtruck 2012-03-08 07:05

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by z720 (Post 1176340)
I'm facing "chroot: can't execute '/bin/sh': Operation not permitted"
with same image I manage to chroot on android ICS.

Any help? :confused:


Full log ~

[...]
chroot: can't execute '/bin/sh': Operation not permitted

Hmm...I just realized what the problem probably is.

Try opening a shell using the following (incredibly long) command, then launch the chroot:

opensh -c 'aegis-exec -c -a CAP::chown -a CAP::dac_override -a CAP::dac_read_search -a CAP::fowner -a CAP::fsetid -a CAP::kill -a CAP::setgid -a CAP::setuid -a CAP::setpcap -a CAP::linux_immutable -a CAP::net_bind_service -a CAP::net_broadcast -a CAP::net_admin -a CAP::net_raw -a CAP::ipc_lock -a CAP::ipc_owner -a CAP::sys_module -a CAP::sys_rawio -a CAP::sys_chroot -a CAP::sys_ptrace -a CAP::sys_pacct -a CAP::sys_admin -a CAP::sys_boot -a CAP::sys_nice -a CAP::sys_resource -a CAP::sys_time -a CAP::sys_tty_config -a CAP::mknod -a CAP::lease -a CAP::audit_write -a CAP::audit_control -a CAP::setfcap -a CAP::mac_override -a CAP::mac_admin sh'

z720 2012-03-08 07:28

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by itsnotabigtruck (Post 1176345)
Hmm...I just realized what the problem probably is.

Try opening a shell using the following (incredibly long) command, then launch the chroot:

opensh -c 'aegis-exec -c -a CAP::chown -a CAP::dac_override -a CAP::dac_read_search -a CAP::fowner -a CAP::fsetid -a CAP::kill -a CAP::setgid -a CAP::setuid -a CAP::setpcap -a CAP::linux_immutable -a CAP::net_bind_service -a CAP::net_broadcast -a CAP::net_admin -a CAP::net_raw -a CAP::ipc_lock -a CAP::ipc_owner -a CAP::sys_module -a CAP::sys_rawio -a CAP::sys_chroot -a CAP::sys_ptrace -a CAP::sys_pacct -a CAP::sys_admin -a CAP::sys_boot -a CAP::sys_nice -a CAP::sys_resource -a CAP::sys_time -a CAP::sys_tty_config -a CAP::mknod -a CAP::lease -a CAP::audit_write -a CAP::audit_control -a CAP::setfcap -a CAP::mac_override -a CAP::mac_admin sh'

Here is the error return

Chroot dir specified: /.debian
/home/user/MyDocs/bt5/bt5.img.ext4 specified in ~/.chroot
Mounting...
using image file: /home/user/MyDocs/bt5/bt5.img.ext4
fs type is ext4
Using ext4 file system
FATAL: Module ext4 not found.
mounting /home/user/MyDocs/bt5/bt5.img.ext4 on loop
.../home/user/MyDocs/bt5/bt5.img.ext4 mounted on loop0
.
..
...
....
/bin/qchroot: line 145: blkid: not found
/bin/qchroot: line 156: blkid: not found
Everything set up, running chroot...
chroot: can't execute '/bin/develsh': No such file or directory


Manually "chroot /.debian/ /bin/sh"
/ # chroot /.debian/ /bin/sh
chroot: can't execute '/bin/sh': Operation not permitted

itsnotabigtruck 2012-03-08 07:44

Re: Chroot Scripts for Harmattan Open Mode
 
OK, now do dmesg | tail -50 and post any Aegis error messages you see there.

z720 2012-03-08 07:47

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by itsnotabigtruck (Post 1176351)
OK, now do dmesg | tail -50 and post any Aegis error messages you see there.

here you are..

[15542.224365] credp: chroot: credential 0::21 not present in source SRC::9990006
[15542.224395] credp: chroot: credential 0::27 not present in source SRC::9990006
[15542.224456] credp: chroot: credential 0::32 not present in source SRC::9990006
[15542.224487] credp: chroot: credential 0::33 not present in source SRC::9990006
[15542.224517] Aegis: credp_kcheck failed 9990006 bash
[15542.224548] Aegis: bash verification failed (source origin check)
[15546.575714] credp: chroot: credential 0::1 not present in source SRC::9990006
[15546.575775] credp: chroot: credential 0::6 not present in source SRC::9990006
[15546.575805] credp: chroot: credential 0::7 not present in source SRC::9990006
[15546.575836] credp: chroot: credential 0::16 not present in source SRC::9990006
[15546.575866] credp: chroot: credential 0::17 not present in source SRC::9990006
[15546.575897] credp: chroot: credential 0::21 not present in source SRC::9990006
[15546.575927] credp: chroot: credential 0::27 not present in source SRC::9990006
[15546.575958] credp: chroot: credential 0::32 not present in source SRC::9990006
[15546.575988] credp: chroot: credential 0::33 not present in source SRC::9990006
[15546.576019] Aegis: credp_kcheck failed 9990006 bash
[15546.576049] Aegis: bash verification failed (source origin check)
[15553.154815] credp: chroot: credential 0::1 not present in source SRC::9990006
[15553.154876] credp: chroot: credential 0::6 not present in source SRC::9990006
[15553.154907] credp: chroot: credential 0::7 not present in source SRC::9990006
[15553.154937] credp: chroot: credential 0::16 not present in source SRC::9990006
[15553.154968] credp: chroot: credential 0::17 not present in source SRC::9990006
[15553.154998] credp: chroot: credential 0::21 not present in source SRC::9990006
[15553.155029] credp: chroot: credential 0::27 not present in source SRC::9990006
[15553.155059] credp: chroot: credential 0::32 not present in source SRC::9990006
[15553.155090] credp: chroot: credential 0::33 not present in source SRC::9990006
[15553.155120] Aegis: credp_kcheck failed 9990006 bash
[15553.155151] Aegis: bash verification failed (source origin check)
[15556.521179] credp: chroot: credential 0::1 not present in source SRC::9990006
[15556.521209] credp: chroot: credential 0::6 not present in source SRC::9990006
[15556.521240] credp: chroot: credential 0::7 not present in source SRC::9990006
[15556.521270] credp: chroot: credential 0::16 not present in source SRC::9990006
[15556.521331] credp: chroot: credential 0::17 not present in source SRC::9990006
[15556.521362] credp: chroot: credential 0::21 not present in source SRC::9990006
[15556.521392] credp: chroot: credential 0::27 not present in source SRC::9990006
[15556.521423] credp: chroot: credential 0::32 not present in source SRC::9990006
[15556.521453] credp: chroot: credential 0::33 not present in source SRC::9990006
[15556.521484] Aegis: credp_kcheck failed 9990006 bash
[15556.521514] Aegis: bash verification failed (source origin check)
[15558.726684] credp: chroot: credential 0::1 not present in source SRC::9990006
[15558.726745] credp: chroot: credential 0::6 not present in source SRC::9990006
[15558.726776] credp: chroot: credential 0::7 not present in source SRC::9990006
[15558.726806] credp: chroot: credential 0::16 not present in source SRC::9990006
[15558.726837] credp: chroot: credential 0::17 not present in source SRC::9990006
[15558.726867] credp: chroot: credential 0::21 not present in source SRC::9990006
[15558.726898] credp: chroot: credential 0::27 not present in source SRC::9990006
[15558.726928] credp: chroot: credential 0::32 not present in source SRC::9990006
[15558.726989] credp: chroot: credential 0::33 not present in source SRC::9990006
[15558.727020] Aegis: credp_kcheck failed 9990006 bash
[15558.727050] Aegis: bash verification failed (source origin check)

rainisto 2012-03-08 07:50

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1176221)
Since the primary problem is that Aegis blocks the running of all unsigned binaries, and the chroot is all unsigned binaries, you would have to disable Aegis entirely. At which point, it is the same as Open Mode.

Well that is not true, you don't have to disable aegis entirely by echo 0.

It's enough just to echo 0x25 > /sys/kernel/security/validator/enabled

And then all unsigned binaries run just fine (and it also removes source origin check errors that above post has). Of course you first need to insmod kernel module which removes the seal bit so you can write to that file.

z720 2012-03-08 08:17

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by rainisto (Post 1176357)
Well that is not true, you don't have to disable aegis entirely by echo 0.

It's enough just to echo 0x25 > /sys/kernel/security/validator/enabled

And then all unsigned binaries run just fine (and it also removes source origin check errors that above post has). Of course you first need to insmod kernel module which removes the seal bit so you can write to that file.

/bin # echo 0x25 > /sys/kernel/security/validator/enabled
sh: write error: Operation not permitted

#manually write to /sys/kernel/security/validator/enabled
/bin # cat /sys/kernel/security/validator/enabled
0x1e7

still seeing
/bin # debian
sh: debian: Operation not permitted

itsnotabigtruck 2012-03-08 08:18

Re: Chroot Scripts for Harmattan Open Mode
 
Looks like this is a bit trickier than I'd hoped.

Globally disabling origin checking (as above) ought to do the trick, but if full root access isn't needed inside the chroot, it should suffice to:

a) install the chroot scripts from a package, requesting the needed credentials to set up the bind mounts etc.
b) relinquish those credentials when it comes time to actually start the chroot

Something such as /usr/bin/aegis-exec -c -a CAP::sys_chroot /bin/chroot /path/to/jail /sbin/capsh --caps='' -- -c '/path/to/payload' ought to work (this requires libcap2-bin inside the jail)

Also, @z720 - rainisto's suggestion only works if Aegis is "unsealed", which isn't the case on a fully booted system. It should be possible to change this, but that requires a kernel module that no one has put together yet for current kernel versions.
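
The capability-dropping arrangement suggested above, written out at syscall level as an added example (not code from this thread or from HarmChom): one launcher does the job of the `chroot` plus `capsh --caps=''` pair, and also empties the bounding set and sets no_new_privs so that a payload started as uid 0 does not regain capabilities at exec. It assumes Linux 3.5 or later for `PR_SET_NO_NEW_PRIVS`; the function names and the `jailexec` name are made up for the example.

```c
/* Added example: chroot, then give up every capability before exec'ing
 * the payload. Build: cc -o jailexec jailexec.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* OR together the effective, permitted and inheritable bits of this thread.
 * Returns 0 when no capability is held, non-zero otherwise (or on error). */
unsigned long held_capability_bits(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    unsigned long bits = 0;

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return ~0UL;                 /* treat failure as "still privileged" */
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        bits |= data[i].effective | data[i].permitted | data[i].inheritable;
    return bits;
}

/* Drop everything, in an order that still works: the bounding set can only
 * be shrunk while CAP_SETPCAP is held, so it goes before the final capset. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    /* 1. exec can no longer add privilege (setuid bits, file capabilities). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) != 0)
        return -1;

    /* 2. Empty the bounding set. PR_CAPBSET_READ fails with EINVAL past the
     *    last capability the kernel knows, which ends the loop. EPERM means
     *    the caller had no CAP_SETPCAP to begin with; step 1 covers that. */
    for (int cap = 0;
         prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL) >= 0;
         cap++) {
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) != 0
            && errno != EPERM)
            return -1;
    }

    /* 3. Clear effective, permitted and inheritable. Lowering one's own
     *    sets needs no privilege, so this succeeds for any caller. */
    memset(data, 0, sizeof data);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;

    /* 4. Verify instead of trusting the return codes above. */
    return held_capability_bits() == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s /path/to/jail /path/to/payload [args...]\n",
                argv[0]);
        return 2;
    }
    /* chroot() needs CAP_SYS_CHROOT; chdir so the cwd is inside the jail. */
    if (chroot(argv[1]) != 0 || chdir("/") != 0) {
        perror("chroot");
        return 1;
    }
    if (drop_all_capabilities() != 0) {
        perror("drop_all_capabilities");
        return 1;
    }
    execv(argv[2], &argv[2]);        /* payload path is relative to the jail */
    perror("execv");
    return 127;
}
```

Unlike the `capsh` variant, nothing has to be installed inside the jail, because the capabilities are gone before the payload is exec'd.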

rainisto 2012-03-08 08:28

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by z720 (Post 1176369)
/bin # echo 0x25 > /sys/kernel/security/validator/enabled
sh: write error: Operation not permitted

You should read the whole post, I clearly said that you will get permission denied if you don't disable the seal bit which is protecting that file. If you don't know how to make (or where to get) such a kernel module, then you're out of luck.

And yes I have a working module which does that in PR1.2, and no, I will not post it on this forum.

javispedro 2012-03-08 10:14

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1176315)
Please verify that what you write is true; twoboxen reports that he is experiencing the same problems with Inception that I experienced with javispedro's earlier Aegis hack, that is, all binaries within the chroot receive a "Permission Denied" error unless Aegis is completely disabled.

This is because this is an Aegis crack and not open mode; like with the beta cracks, you will need to insmod unseal.ko .
And you will also need to still request permissions manually and so on for all packages.

Personally, I think this is the wrong approach to take (as explained in the original FMC aegis thread), exploring the real open mode is much more promising and future proof.

rainisto 2012-03-08 11:34

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by javispedro (Post 1176422)
This is because this is an Aegis crack and not open mode; like with the beta cracks, you will need to insmod unseal.ko .
And you will also need to still request permissions manually and so on for all packages.

Personally, I think this is the wrong approach to take (as explained in the original FMC aegis thread), exploring the real open mode is much more promising and future proof.

Well, if you boot to Open Mode with stock kernel, you still need to insmod module in order to make aegis less strict (I've written my module originally for open mode stock kernel). It's only when you boot to open mode with Aegis cracked kernel when things are easier.

Open mode is future proof, yes, most likely it will not get blocked. But Open Mode has a disadvantage in the fact that CAL nand area is always read-only. So unless you rewrite all the system modules that use CAL to not use it (and as most of the services using cal are not open sourced) then you will never have 100% matching functionality to Closed Mode phone while being Open Mode. You can get near 99.5% by rewriting most common usecases, like reimplementing devicelock, but I have not seen any open mode developers doing that kind of rewrites.

Using exploits in Closed Mode is wrong approach too, since it's quite likely that public exploits are going to be fixed if they pose a threat of being misused by malware.

In optimal perfect world there would either be
A) com.nokia.maemo signed imei based develsh package that you would buy from ovi store or something, and which needs some manual/visual confirmation (so malware cannot install it without user noticing) before it is installed. That way nobody would need to use any exploits in order to get full access to their hardware and software.
B) Or the other way around if open mode would not trigger CAL to read-only.
C) Closed mode would not have SEAL_BIT enabled (if you enable R&D mode with flasher) and develsh privileges would be able to edit the file.
D) bootloader is changed to trust even unsigned kernels

But we do not live in perfect world... and most likely A, B, C or D will never happen. But you can always hope for the miracle.

Disclaimer: this is only my personal opinion, like all my posts. IMHO Aegis is a good thing and it protects file integrity quite well, and it should not be disabled even on open mode, but in some occasions policies might need to be a bit less strict if you're a developer who is doing experimental stuff to their own device.

javispedro 2012-03-08 12:04

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by rainisto (Post 1176458)
Well, if you boot to Open Mode with stock kernel, you still need to insmod module in order to make aegis less strict (I've written my module originally for open mode stock kernel). It's only when you boot to open mode with Aegis cracked kernel when things are easier.

Good point indeed, I forgot that I do enable the fake seal bit patch. Other than that I never found any reason for the other changes -- dbus-server (imho one of the most annoying) stops doing credential checks just because of the openmode flag, and for the other few processes there's FIXED_ORIGIN. Just installing anything is usually enough for develsh to "Recover" the * token set.

Quote:

Originally Posted by rainisto (Post 1176458)
Open mode is future proof, yes, most likely it will not get blocked. But Open Mode has a disadvantage in the fact that CAL nand area is always read-only. So unless you rewrite all the system modules that use CAL to not use it (and as most of the services using cal are not open sourced) then you will never have 100% matching functionality to Closed Mode phone while being Open Mode.

One question: why do you mention CAL here? Is the libcal stuff stored in whatever BB5 uses as storage now? All of the kernel-addressable NAND is certainly fully writable in any mode (but in closed mode you need at least one of sys_module or a GRP I forgot about) and in fact one of the glaring points where a N9/50 can be relatively easily bricked.

I think that those apps just refuse to run when openmode is detected. For the simple checks, a simple workaround can be used; if they really use BB5 features it might actually be impossible, but the fact that it is impossible is exactly the reason why open mode will be allowed for the foreseeable future.

Fortunately, it seems that the number is much lower than I expected.

Quote:

Originally Posted by rainisto (Post 1176458)
But we do not live in perfect world... and most likely A, B, C or D will never happen. But you can always hope for the miracle.

Any of those solutions implies keeping the device in "closed mode", so it would defeat the DRM parts of Aegis, and I've already deduced that is not going to happen.
Yes, every Nokian has been very quick to say that Aegis is not for DRM, but I've seen plenty of indications that at least some people in there still think that is the case (e.g. drive, odnp stuff) because they are going way more than necessary for just say protecting your past gps fixes from prying eyes, and because of the reluctance of the remaining developers to share information.

I do have a few proposals too:
- Make dbus-server not automatically ignore credentials on unclean boots, but rather make it listen to a env var like the dpkg script does. Same for other apps. This way you can enable credential enforcing even in unclean boots if you wish.
- The other extreme: fix all the apps that are expecting armed aegis protected storage, so that they also work even if it is missing (even if it means storing data in $HOME).

The first might probably happen, the second will certainly not.

qole 2012-03-08 21:19

Re: Chroot Scripts for Harmattan Open Mode
 
Hi guys, this Aegis talk is fascinating stuff, but I think it is best posted in the Nokia & Aegis thread or even the Inception thread.

itsnotabigtruck 2012-03-09 04:55

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by qole (Post 1176756)
Hi guys, this Aegis talk is fascinating stuff, but I think it is best posted in the Nokia & Aegis thread or even the Inception thread.

Back to the chroot-related issue - did you try the capability dropping arrangement I mentioned earlier? That should get things operating in the normal (non-root) case.

slaapliedje 2012-03-09 05:11

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by mrsellout (Post 1176175)
Which model/where did you order it from? I'm after one so any recommendations would be most welcome.

http://www.amazon.com/gp/product/B00...00_i00_details

That's the one right there.

I believe there is a thread floating around here somewhere dealing with bluetooth keyboards that I posted that on.

slaapliedje

z720 2012-03-09 07:55

Re: Chroot Scripts for Harmattan Open Mode
 
hi guy, manage to chroot now.

1. using inception opensh to mount
2. exit to close mode
2. use javispedro's modhash.py to hash the image /bin/sh
3. chroot /img /bin/sh
4. done.

Thanks guy.!!

vzp916 2012-03-09 14:58

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by z720 (Post 1176932)
hi guy, manage to chroot now.

1. using inception opensh to mount
2. exit to close mode
2. use javispedro's modhash.py to hash the image /bin/sh
3. chroot /img /bin/sh
4. done.

Thanks guy.!!

Seems like a basic 4step process, but you lost me...how did you do it again?

ibrakalifa 2012-03-09 15:08

Re: Chroot Scripts for Harmattan Open Mode
 
its more fun to see how it will be work rather than some gays that wants whatsapp thing, go go go, nice work here, and surprisingly this thread get less attention than the 'wazzap', sigh

vzp916 2012-03-09 15:57

Re: Chroot Scripts for Harmattan Open Mode
 
.....so only gays want WhatsApp?

I just want a semi-noob step-by-step on how to get OpenOffice to work..

z720 2012-03-12 06:05

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by vzp916 (Post 1177062)
Seems like a basic 4step process, but you lost me...how did you do it again?

basically you need to have linux.img (it can be debian, ubuntu,bt5 & etc) google it.

copy the img to your home folder (/home/user/MyDocs/)
then download HarmChom.tgz from 1st page - Thanks to qole
extract it to your home folder, then you should see HarmChom folder.
Copy src/bin/* to /bin/, chmod +x after copied to /bin.
You might want to edit .chroot file as well (refer to page 1).

For close kernel :o need to edit below line.
Edit the /bin/debian, goto line 72 change it to "sh /bin/qchroot"
edit /bin/qchroot, goto line 37 add "sh" as well.

once done above follow the simple 4 steps previously.

You should be able to mount linux.img :cool:

javispedro 2012-03-12 10:31

Re: Chroot Scripts for Harmattan Open Mode
 
Quote:

Originally Posted by z720 (Post 1176932)
2. use javispedro's modhash.py to hash the image /bin/sh

You will still not be able to run anything other than sh (also, it's binhash the one you want to use, modhash is for kernel modules :) ).

For chroot you either need unseal.ko or a fully aegis-neutering openmode kernel.

