Skip to content

Instantly share code, notes, and snippets.

@daveloyall

daveloyall/README.md

Last active May 15, 2020 01:17
Show Gist options
  • Save daveloyall/2910460bdf997685825b2ed071e5c80c to your computer and use it in GitHub Desktop.
Save daveloyall/2910460bdf997685825b2ed071e5c80c to your computer and use it in GitHub Desktop.
Download ZIP
my weaksauce audit of Magisk, step one
Raw
README.md

update: topjohnwu is legit

Old content follows for no reason:

I am thinking about using https://github.com/topjohnwu/Magisk/, but is it safe?

What kind of safe are we talking about here?

Well, the android rooting community is young by my standards and they do things I would never do, like share random binaries with each other and use megasharelol.tldidonotrecognize to store files. Gross. So, I'm inclined to be a bit paranoid.

There are real dangers out there. People use their phones for everything from banking to storing bitcoin to taking pictures.

Look at these submodules.

What are they, where do they come from?

[submodule "selinux"]
	path = native/jni/external/selinux
	url = https://github.com/topjohnwu/selinux.git
[submodule "busybox"]
	path = native/jni/external/busybox
	url = https://github.com/topjohnwu/ndk-busybox.git
[submodule "dtc"]
	path = native/jni/external/dtc
	url = https://github.com/dgibson/dtc
[submodule "lz4"]
	path = native/jni/external/lz4
	url = https://github.com/lz4/lz4.git
[submodule "bzip2"]
	path = native/jni/external/bzip2
	url = https://github.com/nemequ/bzip2.git
[submodule "xz"]
	path = native/jni/external/xz
	url = https://github.com/xz-mirror/xz.git
[submodule "nanopb"]
	path = native/jni/external/nanopb
	url = https://github.com/nanopb/nanopb.git
[submodule "mincrypt"]
	path = native/jni/external/mincrypt
	url = https://github.com/topjohnwu/mincrypt.git
[submodule "pcre"]
	path = native/jni/external/pcre
	url = https://android.googlesource.com/platform/external/pcre
[submodule "termux-elf-cleaner"]
	path = tools/termux-elf-cleaner
	url = https://github.com/termux/termux-elf-cleaner.git

Look at these files

Some of them are from the submodules.

key data

I don't think I want to use keys known to somebody who isn't me. How are these used? Maybe they will be regenerated during build and these are just accidentally committed artifacts?

./signing/src/main/resources/keys/testkey.pk8: data
./signing/src/main/resources/keys/verity.pk8: data
./tools/kernel.keyblock: data
./tools/kernel_data_key.vbprivk: data
./signing/src/main/resources/keys/testkey.x509.pem: PEM certificate
./signing/src/main/resources/keys/verity.x509.pem: PEM certificate

bins

I don't want to incorporate bins of unknown origin into my phone. Again, maybe these are wiped out and rebuilt during a build, maybe they are simply missing some .gitignore entries...

./tools/ndk-bins/arm/libc.a: current ar archive
./tools/ndk-bins/arm/libm.a: current ar archive
./tools/ndk-bins/arm/libm_hard.a: current ar archive
./tools/ndk-bins/arm/libstdc++.a: current ar archive
./tools/ndk-bins/i686/libc.a: current ar archive
./tools/ndk-bins/i686/libm.a: current ar archive
./tools/ndk-bins/i686/libstdc++.a: current ar archive
./tools/ndk-bins/i686/libz.a: current ar archive
./native/jni/external/xz/tests/compress_prepared_bcj_sparc: ELF 32-bit MSB relocatable, SPARC, version 1 (SYSV), not stripped
./native/jni/external/xz/tests/compress_prepared_bcj_x86: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped
./tools/futility: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, BuildID[md5/uuid]=2a634a4b19ea852faf70891a42a7cb4b, stripped
./tools/ndk-bins/arm/crtbegin_dynamic.o: ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), not stripped
./tools/ndk-bins/arm/crtbegin_so.o: ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), not stripped
./tools/ndk-bins/arm/crtbegin_static.o: ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), not stripped
./tools/ndk-bins/arm/crtend_android.o: ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), not stripped
./tools/ndk-bins/arm/crtend_so.o: ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), not stripped
./tools/ndk-bins/i686/crtbegin_dynamic.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped
./tools/ndk-bins/i686/crtbegin_so.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped
./tools/ndk-bins/i686/crtbegin_static.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped
./tools/ndk-bins/i686/crtend_android.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped
./tools/ndk-bins/i686/crtend_so.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped

Big blobs of Binary

Ok, obviously these are just images, right? But... I was taught to "Think like the wolf". If I wanted to sneak a pub key or some executable into a build environment, I'd consider putting it in an image. Either just by renaming my content to .png or by some other method... We can see here that the first method wasn't used on these files, because file(1) identifies them as PNGs and that one JPEG.

./app/src/main/res/drawable-hdpi/ic_launcher.png: PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-hdpi/ic_magisk_outline.png: PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-mdpi/ic_launcher.png: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-mdpi/ic_magisk_outline.png: PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-nodpi/logo.png: PNG image data, 512 x 512, 8-bit colormap, non-interlaced
./app/src/main/res/drawable-xhdpi/ic_launcher.png: PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-xhdpi/ic_magisk_outline.png: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-xxhdpi/ic_launcher.png: PNG image data, 144 x 144, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-xxhdpi/ic_magisk_outline.png: PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-xxxhdpi/ic_launcher.png: PNG image data, 192 x 192, 8-bit/color RGBA, non-interlaced
./app/src/main/res/drawable-xxxhdpi/ic_magisk_outline.png: PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced
./docs/images/disable_auto_ota.png: PNG image data, 1440 x 2560, 8-bit colormap, non-interlaced
./docs/images/install_inactive_slot.png: PNG image data, 1440 x 2560, 8-bit colormap, non-interlaced
./docs/images/logo.png: PNG image data, 1500 x 599, 8-bit/color RGBA, non-interlaced
./docs/images/manager_reboot.png: PNG image data, 1440 x 2560, 8-bit colormap, non-interlaced
./docs/images/ota_done.png: PNG image data, 1440 x 2560, 8-bit colormap, non-interlaced
./docs/images/restore_img.png: PNG image data, 1440 x 1159, 8-bit colormap, non-interlaced
./native/jni/external/nanopb/docs/logo/logo.png: PNG image data, 192 x 192, 8-bit/color RGBA, non-interlaced
./native/jni/external/nanopb/docs/logo/logo16px.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
./native/jni/external/nanopb/docs/logo/logo48px.png: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/gui/sepolicy_16.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/gui/sepolicy_22.png: PNG image data, 22 x 22, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/gui/sepolicy_256.png: PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/gui/sepolicy_32.png: PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/gui/sepolicy_48.png: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/gui/system-config-selinux.png: PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/booleans.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/booleans_more.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/booleans_more_show.png: PNG image data, 510 x 362, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/booleans_toggled.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/file_equiv.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/files_apps.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/files_exec.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/files_write.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/lockdown.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/lockdown_permissive.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/lockdown_ptrace.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/lockdown_unconfined.png: PNG image data, 510 x 410, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/login.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/login_default.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/ports_inbound.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/ports_outbound.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/start.png: PNG image data, 510 x 410, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/system.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/system_boot_mode.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/system_current_mode.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/system_export.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/system_policy_type.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/system_relabel.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/transition_file.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/transition_from.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/transition_from_boolean.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/transition_from_boolean_1.png: PNG image data, 510 x 368, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/transition_from_boolean_2.png: PNG image data, 510 x 368, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/transition_to.png: PNG image data, 510 x 362, 8-bit/color RGBA, non-interlaced
./native/jni/external/selinux/python/sepolicy/sepolicy/help/users.png: PNG image data, 510 x 410, 8-bit/color RGB, non-interlaced
./native/jni/external/selinux/secilc/docs/cil_design.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1224x726, components 3

archives

These could contain anything!

./native/jni/external/busybox/testsuite/awk_t1.tar.bz2: bzip2 compressed data, block size = 900k
./native/jni/external/busybox/testsuite/bz2_issue_11.bz2: bzip2 compressed data, block size = 100k
./native/jni/external/busybox/testsuite/bz2_issue_12.bz2: bzip2 compressed data, block size = 100k
./native/jni/external/busybox/testsuite/tar.utf8.tar.bz2: bzip2 compressed data, block size = 900k
./native/jni/external/bzip2/sample1.bz2: bzip2 compressed data, block size = 100k
./native/jni/external/bzip2/sample2.bz2: bzip2 compressed data, block size = 200k
./native/jni/external/bzip2/sample3.bz2: bzip2 compressed data, block size = 300k

no idea

Are these "par archive data" or are they misidentified by file(1)?

./native/jni/external/busybox/shell/ash_test/ash-misc/empty_for2.right: Par archive data
./native/jni/external/busybox/shell/hush_test/hush-misc/empty_for2.right: Par archive data

A #$%^ing jar file.

./gradle/wrapper/gradle-wrapper.jar

Fonts! Big binary blobs.

./app/src/main/res/font/exo_bold.ttf: TrueType Font data, 14 tables, 1st "GDEF", 13 names, Microsoft, language 0x409, Copyright 2017 The Exo Project Authors (https://github.com/NDISCOVER/Exo-1.0)ExoBold1.500;TINY;
./app/src/main/res/font/exo_bold_italic.ttf: TrueType Font data, 14 tables, 1st "GDEF", 13 names, Microsoft, language 0x409, Copyright 2017 The Exo Project Authors (https://github.com/NDISCOVER/Exo-1.0)ExoBold Italic1.50
./app/src/main/res/font/exo_regular.ttf: TrueType Font data, 14 tables, 1st "GDEF", 13 names, Microsoft, language 0x409, Copyright 2017 The Exo Project Authors (https://github.com/NDISCOVER/Exo-1.0)ExoRegular1.500;TI
./app/src/main/res/font/exo_regular_italic.ttf: TrueType Font data, 14 tables, 1st "GDEF", 13 names, Microsoft, language 0x409, Copyright 2017 The Exo Project Authors (https://github.com/NDISCOVER/Exo-1.0)ExoItalic1.500;TIN

Other formats

I don't know what is inside these without looking.

./native/jni/external/bzip2/sample1.ref: TeX DVI file (TeX output 1995.07.01:1517\213)
./native/jni/external/bzip2/sample2.ref: TeX DVI file (TeX output 1995.10.19:1430\213)
./native/jni/external/pcre/dist2/testdata/grepinput8: SoftQuad troff Context intermediate
./native/jni/external/bzip2/manual.ps
./native/jni/external/bzip2/manual.pdf: PDF document, version 1.4
./native/jni/external/dtc/Documentation/dtc-paper.tex: LaTeX 2e document, ASCII text

No, thank you!

./tools/elf-cleaner.exe: PE32+ executable (console) x86-64, for MS Windows
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment