2017/12/28

Run ARM executables on Linux x86 with Intel Houdini

This is only an experimental test. Please DO NOT abuse it. You take responsibility yourself if you use it for other purposes.

Intel Houdini ships on x86 Android devices so that they can run ARM code. It's awesome, so how about extending that possibility to Linux?

The Intel Houdini binaries are proprietary; you can only find them in the vendor binaries of a few x86 Android device models. Nexus Player (fugu) contains the latest version that I can currently find.
https://developers.google.com/android/drivers#fuguopr2.170623.027
SHA256: 114c20b8335f3c166c76d590c6d238153c463c2fa2dea3da56d1ce3ffd1ec6ed

Accept the license at your own risk. Extract it and you get Houdini and other unrelated binaries in vendor/intel/fugu/proprietary.
The file manifest is vendor/intel/fugu/proprietary/device-partial.mk. All you need to do is copy the listed files to your Linux host. However, the target paths are Android style, and this path layout is hard-coded in the Houdini binaries, so just take it easy: mkdir /system and try the script below (root needed).

import os
import shutil

# Run this where device-partial.mk and the proprietary/ tree sit side by side,
# since each source is resolved as proprietary/<file>. Every entry looks like
#   vendor/intel/fugu/proprietary/<file>:system/<path> \
# and the file is copied to /system/<path> on the host (root needed).
with open('device-partial.mk') as f:
    for line in f:
        # Drop the trailing backslash of the makefile continuation line
        line = line.strip().rstrip('\\').strip()
        if not line.startswith("vendor/intel/fugu/"):
            continue
        j = line.split(':')
        if len(j) < 2:
            continue
        src = j[0]
        src = src[src.find("proprietary/"):]   # path relative to this directory
        dst = os.path.dirname('/' + j[1])       # Android-style target directory
        if not os.path.exists(dst):
            os.makedirs(dst)
        shutil.copy(src, dst)
        print("src %s copied to dst %s" % (src, dst))

Houdini relies on the Linux kernel's binfmt_misc feature to hand ARM executables to the Houdini translator. You need to register the ARM executable magic with the translator /system/bin/houdini.

su
modprobe binfmt_misc
mount -t binfmt_misc none /proc/sys/fs/binfmt_misc
cd vendor/intel/fugu/proprietary
cat arm_dyn > /proc/sys/fs/binfmt_misc/register
cat arm_exe > /proc/sys/fs/binfmt_misc/register
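What those two register files do is describe a magic/mask pair at the start of the file and name the interpreter. As an added example (not from this post and not a copy of Intel's arm_exe/arm_dyn), the script below builds such registration strings for 32-bit ARM ELF files from the ELF32 header layout, and replicates the kernel's byte-wise match so you can check which registered entry a given binary would be handed to; the exact magic, mask and flags Intel uses are assumed, not taken from their files.

```python
import struct

# Added example: builds binfmt_misc registration strings for 32-bit ARM ELF
# files pointing at the Houdini translator and replicates the kernel's rule
# (((byte ^ magic) & mask) == 0 for every magic byte at the offset).
# Magic/mask/flags are assumed from the ELF32 layout, not Intel's real files.

INTERP = "/system/bin/houdini"
EM_ARM = 0x28            # e_machine for 32-bit ARM
ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable, PIE / shared object

def arm_elf_magic(e_type):
    # e_ident[0..6]: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT;
    # e_ident[7..15]: OS ABI, ABI version, padding (masked out below);
    # then e_type and e_machine as little-endian 16-bit values.
    magic = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", e_type, EM_ARM)
    mask = b"\xff" * 7 + b"\x00" * 9 + b"\xff" * 4
    return magic, mask

def register_line(name, e_type, flags="P"):
    # Format: :name:type:offset:magic:mask:interpreter:flags
    # (type M = magic match, empty offset = 0, P = preserve argv[0]; assumed flag)
    magic, mask = arm_elf_magic(e_type)
    esc = lambda bs: "".join("\\x%02x" % b for b in bs)
    return ":%s:M::%s:%s:%s:%s" % (name, esc(magic), esc(mask), INTERP, flags)

def matches(header, magic, mask, offset=0):
    seg = header[offset:offset + len(magic)]
    return len(seg) == len(magic) and all(
        ((s ^ g) & m) == 0 for s, g, m in zip(seg, magic, mask))

ENTRIES = [("arm_exe",) + arm_elf_magic(ET_EXEC),
           ("arm_dyn",) + arm_elf_magic(ET_DYN)]

def handler_for(header, entries=ENTRIES):
    # Name of the first registered entry whose magic matches, else None
    for name, magic, mask in entries:
        if matches(header, magic, mask):
            return name
    return None

def elf32_header(e_type, e_machine, osabi=0, elfclass=1):
    # Constructed minimal 52-byte ELF header used to exercise the matcher
    ident = b"\x7fELF" + bytes([elfclass, 1, 1, osabi]) + b"\x00" * 8
    return ident + struct.pack("<HH", e_type, e_machine) + b"\x00" * 32

if __name__ == "__main__":
    print(register_line("arm_exe", ET_EXEC))
    print(handler_for(elf32_header(ET_EXEC, EM_ARM)))  # arm_exe
    print(handler_for(elf32_header(ET_EXEC, 0x03)))    # None: x86 binary
```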

Next step: install the ARM runtime libraries on Linux. For Ubuntu 16.04:

# The default APT servers for Ubuntu x86 provide no ARM packages, so first restrict the existing entries to fetch only i386 and amd64 packages from the main server. Example: deb [arch=i386,amd64] http://archive.ubuntu.com/ubuntu/ xenial main restricted
# Then add APT servers that provide ARM packages.
deb [arch=armhf] http://ports.ubuntu.com/ubuntu-ports/ xenial main
deb [arch=armhf] http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main
deb [arch=armhf] http://ports.ubuntu.com/ubuntu-ports/ xenial-security main

dpkg --add-architecture armhf
apt update
apt install libc6:armhf

Now we need Houdini to use the Linux GNU dynamic linker instead of the Android linker, and to fix the permissions.

su
cp /lib/arm-linux-gnueabihf/ld-2.23.so /system/lib/arm/linker
chmod 755 /system/lib/arm/linker
chmod 755 /system/bin/houdini

Almost done. Let's try running OpenSSL as a benchmark. First, download an armhf openssl:

apt install libssl1.0.0:armhf
# DO NOT apt install openssl:armhf; it breaks many things.
# Extract openssl from http://ports.ubuntu.com/ubuntu-ports/pool/main/o/openssl/openssl_1.0.2g-1ubuntu4.10_armhf.deb

Here is the result:

# NATIVE
~/poc$ openssl speed -evp AES256
Doing aes-256-cbc for 3s on 16 size blocks: 90227643 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 24112794 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 6133873 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 1526964 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 192347 aes-256-cbc's in 3.00s
OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) 
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     481214.10k   514406.27k   523423.83k   521203.71k   525235.54k

# ARMHF
~/poc$ ./openssl speed -evp AES256
ERROR: ld.so: object '/system/lib/arm/libaeabi_map.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
Doing aes-256-cbc for 3s on 16 size blocks: 10090430 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 3350791 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 878897 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 176189 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 27901 aes-256-cbc's in 3.00s
OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr) 
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      53815.63k    71483.54k    74999.21k    60139.18k    76188.33k

Additionally, to fix the "'/system/lib/arm/libaeabi_map.so' from LD_PRELOAD" warning:
The cause is that Houdini sets LD_PRELOAD=/system/lib/arm/libaeabi_map.so. libaeabi_map.so is not necessary for us, as it is used for patching libc.so and libm.so on Android.
So overwriting the path with NUL bytes silences the warning.
su
sed -i 's/\/system\/lib\/arm\/libaeabi_map\.so/\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0/g' /system/bin/houdini
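The replacement in that sed command has to be exactly as long as the path (31 NUL bytes for the 31-character string), or the binary's offsets shift and it no longer runs. As an added example in Python, not the post's own method, the function below blanks only complete NUL-terminated occurrences of the string, refuses to change the file size and keeps a .bak copy before writing:

```python
import shutil

# Added example: same-length, in-place blanking of a C string in a binary.

def nul_out_string(data, needle):
    # Return (patched copy, hit count). Every occurrence of needle that is a
    # complete C string (followed by a NUL) is overwritten with NUL bytes of
    # the same length, so no offset in the file moves.
    if not needle or b"\x00" in needle:
        raise ValueError("needle must be a non-empty string without NUL")
    out = bytearray(data)
    hits = 0
    pos = out.find(needle)
    while pos != -1:
        end = pos + len(needle)
        # Skip partial matches such as "<needle>.1": only blank full strings
        if end < len(out) and out[end] == 0:
            out[pos:end] = b"\x00" * len(needle)
            hits += 1
        pos = out.find(needle, end)
    if hits == 0:
        raise ValueError("string not found as a complete C string")
    assert len(out) == len(data)   # size must not change
    return bytes(out), hits

def patch_file(path, needle):
    shutil.copy(path, path + ".bak")   # keep the original binary
    with open(path, "rb") as f:
        data = f.read()
    patched, hits = nul_out_string(data, needle)
    with open(path, "wb") as f:
        f.write(patched)
    return hits

if __name__ == "__main__":
    import sys
    # e.g. python3 nul_out.py /system/bin/houdini (run as root)
    print(patch_file(sys.argv[1], b"/system/lib/arm/libaeabi_map.so"))
```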

Bugs may exist, since these Houdini binaries were not intended for Linux.

2017/6/14

PoC of CVE-2017-0641 (VP9 decoder DoS)

I missed reporting this PoC....
Now it goes public:
https://github.com/V-E-O/PoC/tree/master/CVE-2017-0641

Patch: https://android.googlesource.com/platform/external/libvpx/+/698796fc930baecf5c3fdebef17e73d5d9a58bcb

06-14 18:28:57.741 11710 11710 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
06-14 18:28:57.741 11710 11710 F DEBUG   : Build fingerprint: 'google/angler/angler:7.0/NBD90X/3254009:user/release-keys'
06-14 18:28:57.741 11710 11710 F DEBUG   : Revision: '0'
06-14 18:28:57.741 11710 11710 F DEBUG   : ABI: 'arm'
06-14 18:28:57.742 11710 11710 F DEBUG   : pid: 10085, tid: 11705, name: gle.vp9.decoder  >>> media.codec <<<
06-14 18:28:57.742 11710 11710 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
06-14 18:28:57.742 11710 11710 F DEBUG   :     r0 00000000  r1 00000000  r2 0ad3c210  r3 00000000
06-14 18:28:57.742 11710 11710 F DEBUG   :     r4 f2672fa0  r5 0000e304  r6 0000c30d  r7 0000c30c
06-14 18:28:57.742 11710 11710 F DEBUG   :     r8 f2677404  r9 f1b039d4  sl f2672fa0  fp f2672fa0
06-14 18:28:57.742 11710 11710 F DEBUG   :     ip 00000000  sp f1b038d4  lr f3011ad4  pc f3f8a6e4  cpsr 200f0010
06-14 18:28:57.746 11710 11710 F DEBUG   :
06-14 18:28:57.746 11710 11710 F DEBUG   : backtrace:
06-14 18:28:57.746 11710 11710 F DEBUG   :     #00 pc 000176e4  /system/lib/libc.so (memset+48)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #01 pc 0001dad0  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #02 pc 00013b3c  /system/lib/libstagefright_soft_vpxdec.so (vp9_init_context_buffers+12)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #03 pc 00017ab0  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #04 pc 000178f0  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #05 pc 00014248  /system/lib/libstagefright_soft_vpxdec.so (vp9_decode_frame+1068)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #06 pc 0001e228  /system/lib/libstagefright_soft_vpxdec.so (vp9_receive_compressed_data+1104)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #07 pc 0000f604  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #08 pc 00010348  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #09 pc 0000f4c8  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #10 pc 0000e150  /system/lib/libstagefright_soft_vpxdec.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #11 pc 0000fbe4  /system/lib/libstagefright_soft_vpxdec.so (vpx_codec_decode+100)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #12 pc 0000c6eb  /system/lib/libstagefright_soft_vpxdec.so (_ZN7android7SoftVPX13onQueueFilledEj+298)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #13 pc 0002223d  /system/lib/libstagefright_omx.so (_ZN7android22SimpleSoftOMXComponent17onMessageReceivedERKNS_2spINS_8AMessageEEE+272)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #14 pc 0002325d  /system/lib/libstagefright_omx.so
06-14 18:28:57.746 11710 11710 F DEBUG   :     #15 pc 0000ea25  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+24)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #16 pc 00010bf5  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+60)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #17 pc 0000f58d  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+380)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #18 pc 0000e3c5  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+264)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #19 pc 00047003  /system/lib/libc.so (_ZL15__pthread_startPv+22)
06-14 18:28:57.746 11710 11710 F DEBUG   :     #20 pc 00019e1d  /system/lib/libc.so (__start_thread+6)

2017/4/20

PoC of CVE-2017-0474 (VP9 decoder DoS)

Google fixed it before I found the PoC.
Now it goes public:

04-20 22:31:17.998 13643 13740 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffec in tid 13740 (gle.vp9.decoder)
04-20 22:31:17.999   355   355 W         : debuggerd: handling request: pid=13643 uid=1046 gid=1006 tid=13740
04-20 22:31:18.061 13751 13751 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-20 22:31:18.062 13751 13751 F DEBUG   : Build fingerprint: 'google/angler/angler:7.0/NBD90X/3254009:user/release-keys'
04-20 22:31:18.062 13751 13751 F DEBUG   : Revision: '0'
04-20 22:31:18.062 13751 13751 F DEBUG   : ABI: 'arm'
04-20 22:31:18.063 13751 13751 F DEBUG   : pid: 13643, tid: 13740, name: gle.vp9.decoder  >>> media.codec <<<
04-20 22:31:18.063 13751 13751 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffec
04-20 22:31:18.063 13751 13751 F DEBUG   :     r0 0006dc72  r1 200f3e9e  r2 00000002  r3 00000000
04-20 22:31:18.063 13751 13751 F DEBUG   :     r4 f178a008  r5 00000000  r6 00000000  r7 00000000
04-20 22:31:18.063 13751 13751 F DEBUG   :     r8 f20da779  r9 f146c624  sl 00000000  fp f17fa9e8
04-20 22:31:18.063 13751 13751 F DEBUG   :     ip f146c580  sp f146c610  lr f20799f1  pc f20797d2  cpsr 80030030
04-20 22:31:18.064 13751 13751 F DEBUG   :
04-20 22:31:18.064 13751 13751 F DEBUG   : backtrace:
04-20 22:31:18.065 13751 13751 F DEBUG   :     #00 pc 000197d2  /system/lib/libc.so (_ZN11ScopedTraceC1EPKc+141)
04-20 22:31:18.065 13751 13751 F DEBUG   :     #01 pc fffffffd  <unknown>

2017/1/18

Enable BBR on Arch/Manjaro

BBR is a new congestion control algorithm developed at Google, which has been supported since Linux 4.9.

On Arch/Manjaro you may need to switch to the testing branch temporarily to install Linux kernel 4.9.
pacman-mirrors -g -b testing

Test whether BBR is included in your installed kernel (early Manjaro kernels were not configured with BBR):
modprobe tcp_bbr
lsmod | grep bbr

Modify /etc/sysctl.d/*.conf to set these values (remove any existing entries that set them to different values):
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Run sysctl -p or reboot, then check with sysctl net.ipv4.tcp_congestion_control.

Google Pixel modem.img mod for Chinese carriers

Carriers in China like China Telecom are stuck on the CSFB mode of 4G, not the globally popular VoLTE mode, so most cell phones not sold in China ...