Database Users

[Q] Self-inflicted WiFi configuration trouble

SOLVED: I restored the "WiFi Access Points" backup from Titanium and I'm back online. Is there any way to get details on what files that entails?
Original query:
I'm trying to connect to a corporate IEEE8021x network, and I hand-edited my /data/misc/wifi/wpa_supplicant.conf to add my corporate network.
This didn't work, the WiFi wouldn't even enable; the top item in the Wi-Fi Settings screen Says "Error". I deleted the entry I added, but the results are the same. I then deleted everything except the first two lines
ctrl_interface=tiwlan0
update_config=1
and it appears to try harder to enable it, and it shows on for about 15 seconds, but no access points show up, the GUI asks if I want to forceclose Settings, and then it turns off.
wpa_supplicant.conf had those two lines in it, and the usual list of access points I've seen, nothing else.
Is there some other WiFi config file I need to clear out, or GUI access to this stuff? I just want to get open-access APs working again for now.
dmesg reports:
TIWLAN: driver init
TI WiLink 1271 SDIO: Driver loaded
evt_wifi_power: 0
evt_wifi_set_carddetect: 0
mmc2: card_present 0
kxtf9 1-000f: IRQ TAP2 [2]
kxtf9 1-000f: IRQ TAP2 [4]
wlanDrvIf_Stop
kxtf9 1-000f: IRQ TAP2 [1]
kxtf9 1-000f: IRQ TAP2 [8]
tiwlan: 20 sec os_SignalObjectWait timeout
evt_wifi_set_carddetect: 0
evt_wifi_reset: 1
evt_wifi_power: 0
and the driver unloads
Thanks!

[REF][INFO][R&D] "Secret Codes" and other hidden features

"Secret Codes" and Hidden Features
Hacking for "Secret Codes" and other hidden phone features.
Skill Level: Easy
Posting
==================================================
Do NOT post general questions/requests on how to do
this or that, they will not be answered, simply
because we don't know yet. Rather try to find out
by yourself and share your results.
==================================================
Purpose
To find all "Secret Codes", special properties and other hidden phone features
and settings, used in the GT-I9300. The secret codes are not so secret, but
are often used to activate and manipulate many settings, such as debug modes,
network connections, factory test modes etc. It is an unfortunate choice of
words but we will stick to this definition nonetheless for simplicity, since
it is also used in the source code by Samsung and AOS. Do not confuse secret
codes with VSC (Vertical Service Codes), USSD (Unstructured Supplementary
Service Data) or other MMI (Man Machine Interface) codes.
Although there are many "standard" codes common to many Samsung phones, they
do vary to some extent. This is because their functionality often depend on
the particular hardware, in particular the baseband processor (aka radio, DSP,
BP or CP) and the multiplexer chips that switches the various internal USB
paths, for example between MHL, BP and AP.
This is an informative reference thread on these features. If you have
relevant additional information you'd like to share, please post it here.
Background
From the Samsung Galaxy S2 experience we have gained the following
understanding when it come to the Factory/Service Mode menus and the
PhoneUtils applications. We are still to work out if this is still true for
the SGS3.
But first it is worth to note, that due to the more complicated, but better
organized phone applications in ICS, the way to enter secret codes have
changed from GB versions. Now all secret codes have to be prefixed with
"*#*#", followed by <code> and post fixed with "#*#*". [Note-1] However,
according to the GT-I9300 Service Manual, there are two codes that should work
without post- and pre-fixes. They are *#1234# (version) and *2767*3855#
(Factory reset! It will wipe your phone instantly, NO warnings, no going back,
no way to cancel.) [Note-2]
==================================================
Newbie Practice Box
Go to your phone dialer and "dial" the following string:
*#*#197328640#*#*
This will trigger the Service Menu.
==================================================​This same effect can be accomplished directly on the command line, with a
direct URI broadcast call to the application receiver via:
Code:
[SIZE=2]am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://1111[/SIZE]
Second, it is essential to know that the actual program code (read
assembly/machine code) for the Engineering / Service Mode menu, is actually
located in the baseband processor firmware. What you actually see when you
enter this menu, is just a java based wrapper application, that make direct
function calls through various entry points, in the baseband kernel/firmware.
What does it mean? When you enter a specific "secret code", the wrapper
application (e.g. ServiceMenu.App) deciphers the code to a particular menu
entry in the baseband processor, where it is executed and whose result is
output to the wrapper application.
Third. Apart from hardware differences, because of the baseband firmware
dependance, the set of working secret codes will differ somewhat from your
location, depending on:
Your Modem firmware
Your AOS version (ICS 4.0.1, 4.0.4 etc.)
Your CSC version (Regional codes)
Special Notes
[Note-1] This can be seen in the handleSecretCode() function in the SpecialCh****quenceMgr.java code.
[Note-2] These need testing and confirmation since they clearly contradict [Note-1].
[Note-3] Apparently the Samsung Galaxy S3 will come in at least two versions:
The GT-I9300 (FCC-ID: A3LGTI9300 )
The SCH-I939 (FCC-ID: A3LSCHI939 ) [Possibly the LTE version]
References
[1] "[GUIDE] Noobs guide to extract Galaxy S3 stock firmware(.img)"
[2] "[All Stock Firmwares] I9300XXALE8 (4.0.4) - Kenya (OJV) [19-05-12]"
[3] "[HOW TO][Windows]Extract Deodex Sign and Zipalign an official ROM"
[4] "[GUIDE] dsixda's Android Kitchen - Now with SGS2 support (Windows/Linux/Mac)"
[5] "[REF] Unpacking and repacking stock rom .img files"
[6] "[Tool] Yaffey - Utility for reading, editing and writing YAFFS2 images" (code is here)
[7] "[TOOL] Auto Bloat Remover Tool For GS III!"
[8] "[GUIDE][TOOL] Guide To Create You're Own De-Bloat Tool/APK Installer/For Any Device"
Keywords: Secret, Codes, Hidden, Service, Factory, UART​

HOW TO (find new stuff)
So how do you find new codes?
Well Google it! Then consider getting the following tools:
Get jd-gui (Often crashes)
Get jad (doesn't crash, but is cmdline based)
Get sgs2toext4 (and here)
Get Disk Internals Linux Reader
Get a disk image with deodexed Apps (see below)
Then what to do?
The brief version. (For full version, see "References" in OP above.)
Download all the tools shown above.
Download the deodexed firmware images (see post#3)
(If in Windows) Double click the sgs2toext4.
Drag and drop the system.img file to the sgs2toext4 "drop window".
You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
Save entire filesystem (from 5) in a new folder. Close.
Go to the folder containing the *.apk(s) of interest.
Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
Code:
./path/to/dex2jar.bat Samsungservice.apk
This produces a new file: Samsungservice_dex2jar.jar
Extract (7zip) this file in a new folder.
Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
Code:
jad -o -r -sjava -dsrc Phone*.class
Go to the source directory (../src) you just created.
Enjoy your *.java files!
Alternatively you can deodex on your own...but don't ask me how to do it.
A few other Tools
http://www.sable.mcgill.ca/soot/
http://jdec.sourceforge.net/
http://stackoverflow.com/questions/647116/how-to-decompile-a-whole-jar-file
http://askubuntu.com/questions/129305/how-can-i-open-binary-image-files-img​

The Secret Codes
The information for this post was obtained by decompiling the
deodexed system image of the firmware shown below.
I9300XXALE8
Base Firmware: I9300XXALE8 (4.0.4)
Modem: XXLE8
CSC: OJVALE7
The latest GT-I9300 Stock Firmwares can be found here.
Here are the codes as found in:
serviceModeApp.apk: ServiceModeApp.class
Code:
[SIZE=2]
Code Description JavaCall
----------------------------------------------------------------------------------------------------------------------
197328640 || 2684 Start Service Mode / Enter SM Main Menu SendData('\001', '\001', '\000', '\000', '\000');
1111 FTA SW Version SendData('\001', '\001', '\u1002', '\000', '\000');[/SIZE] [SIZE=2]
2222 FTA HW Version SendData('\001', '\001', '\u1003', '\000', '\000');
8888 SendData('\001', '\001', '\u1003', '\000', '\000');
2886 SendData('\001', '\001', ' ', '\000', '\000');
6984125* SendData('\001', '\001', ' ', '\000', '\000');
2767*2878 ? Factory reset (complete erase & format) SendData('\001', '\001', '!', '\000', '\000');
0228 ADC Reading SendData('\001', '\001', '\005', '\000', '\000');[/SIZE] [SIZE=2]
0599 SendData('\001', '\001', '\024', '\000', '\000');
1575 SendData('\001', '\001', '\025', '\000', '\000');
2263 RF Band Selection SendData('\001', '\001', '\026', '\000', '\000');
2580 SendData('\001', '\001', '\007', '\000', '\000');
301279 || 279301 SendData('\001', '\001', '\024', '\000', '\000');
32489 Ciphering Info SendData('\001', '\001', '\006', '\000', '\000');
4238378 SendData('\001', '\001', '\027', '\000', '\000');
4387264636 SendData('\001', '\001', '\037', '\000', '\000');
7284 PhoneUtil: USB/UART I2C Mode Control SendData('\001', '\001', '\023', '\000', '\000');
738767633 SendData('\001', '\001', '\034', '\000', '\000');
73876766 SendData('\001', '\001', '\033', '\000', '\000');
7387677763 SendData('\001', '\001', '\036', '\000', '\000');
7387678378 SendData('\001', '\001', '\035', '\000', '\000');
9090 Diagnostic Configuration SendData('\001', '\001', '\023', '\000', '\000');
0011 SendData('\001', '\004', '\000', '\000', '\000');[/SIZE] [SIZE=2]
123456 SendData('\001', '\004', '\001', '\000', '\000');
<na> End Service Mode 1 () SendData('\002', '\004', '\000', '\000', '\000');
<na> End Service Mode 2 () SendData('\002', '\001', '\000', '\000', '\000');
[/SIZE]
NOTE: In the table above, I have replaced printed UTF-8 (U+NNNN) characters with '\uNNNN'.
As you can see in the table above, most of the hidden codes are just shortcuts
into various sub-menus (third parameter) of Service Mode application. However,
this does not exclude the use of other hidden codes, that can be used or detected
in other applications.
From a different file we have a some additional codes.
(Not including already covered or overlapping codes.)
serviceModeApp.apk: SecKeystringBroadcastReceiver.class
Code:
[SIZE=2]0000
147852 TestApnSettings: putExtra("testBed", "Suwon");[/SIZE] [SIZE=2]
1478963 TestApnSettings: putExtra("testBed", "Open_market");
22558463 Reset Total Call Time
232331
232332
232337
3214789650
369852 TestApnSettings: putExtra("testBed", "Gumi");
3698741 TestApnSettings: putExtra("testBed", "Delete_DB");
-------------------------------------------------------------------------------
03 NAND Flash S/N (NandFlashHeaderRead)
745 RIL Dump Menu
746 Debug Dump Menu
0228 Battery Status
1111 IF SalesCode="CTC" THEN: TerminalMode
2222 IF SalesCode="CTC" THEN: TerminalMode
2263
8888
9900 || 0514 System Dump
279301
301279
3214789 GCF Mode Settings
5337632 NFC Test
22553767 Call Drop Log View
6335623
TESTMODE
[/SIZE]
These may not always work, since some of them depend on certain "Sales Codes"
or factory IMSI numbers, through statements like:
Code:
if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))
But these were only codes found in two files.
So there are probably many more codes to be found!
Other Stuff
Here are some unknown functions from: TerminalMode.class
Code:
[SIZE=2]DEBUG_SCR SendData('\001', '\004', '\000', 0, '\000');
EI_DEBUG_SCR SendData('\001', '\006', '\000', 0, '\000');
DATA_ADV SendData('\001', '\003', '\003', 0, '\000');
NAMBASIC SendData('\001', '\003', '\001', 0, '\000');
TESTMODE SendData('\001', '\001', '\000', 0, '\000');
NAMSIMPLE SendData('\001', '\003', '\002', 0, '\000');
TEST_CALL SendData('\004', '\007', c, 0, '\000');
[/SIZE]
Here is a list of all the OEM Commands used in the Service Mode App.
Code:
[SIZE=2]-------------------------------------------------------------------------------
private class OemCommands (ServiceModeApp) value hex
-------------------------------------------------------------------------------
char OEM_SERVM_FUNCTAG = '\001';
OEM_SM_ACTION = '\000'; 00
OEM_SM_DUMMY = '\000'; 00
OEM_SM_END_MODE_MESSAGE = '\002'; 02
OEM_SM_ENTER_MODE_MESSAGE = '\001'; 01
OEM_SM_GET_DISPLAY_DATA_MESSAGE = '\004'; 04
OEM_SM_PROCESS_KEY_MESSAGE = '\003'; 03
OEM_SM_QUERY = '\001'; 01
OEM_SM_TYPE_MONITOR = '\004'; 04
OEM_SM_TYPE_MONITOR_SKT = '\001'; 01
OEM_SM_TYPE_NAM_EDIT = '\003'; 03
OEM_SM_TYPE_PHONE_TEST = '\005'; 05
OEM_SM_TYPE_SUB_ALL_VERSION_ENTER = '\004'; 04
OEM_SM_TYPE_SUB_BAND_SEL_ENTER = '\026'; 16
OEM_SM_TYPE_SUB_BATTERY_INFO_ENTER = '\005'; 05
OEM_SM_TYPE_SUB_BLUETOOTH_TEST_ENTER = '\t'; 09
OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER = '\006'; 06
OEM_SM_TYPE_SUB_ENTER = '\000'; 00
OEM_SM_TYPE_SUB_FACTORY_PRECONFIG_ENTER = '\016'; 0e
OEM_SM_TYPE_SUB_FACTORY_RESET_ENTER = '\r'; od
OEM_SM_TYPE_SUB_FACTORY_VF_TEST_ENTER = '\031'; 19
OEM_SM_TYPE_SUB_FTA_HW_VERSION_ENTER = '\003'; 03
OEM_SM_TYPE_SUB_FTA_SW_VERSION_ENTER = '\002'; 02
OEM_SM_TYPE_SUB_GCF_TESTMODE_ENTER = '\027'; 17
OEM_SM_TYPE_SUB_GET_SELLOUT_SMS_INFO_ENTER = '\037'; 1f
OEM_SM_TYPE_SUB_GPSONE_SS_TEST_ENTER = '\025'; 15
OEM_SM_TYPE_SUB_GSM_FACTORY_AUDIO_LB_ENTER = '\030'; 18
OEM_SM_TYPE_SUB_IMEI_READ_ENTER = '\b'; 08
OEM_SM_TYPE_SUB_INTEGRITY_PROTECTION_ENTER = '\007'; 07
OEM_SM_TYPE_SUB_MELODY_TEST_ENTER = '\013'; 0b
OEM_SM_TYPE_SUB_MP3_TEST_ENTER = '\f'; oc
OEM_SM_TYPE_SUB_RRC_VERSION_ENTER = '\024'; 14
OEM_SM_TYPE_SUB_RSC_FILE_VERSION_ENTER = '\021'; 11
OEM_SM_TYPE_SUB_SELLOUT_SMS_DISABLE_ENTER = '\034'; 1c
OEM_SM_TYPE_SUB_SELLOUT_SMS_ENABLE_ENTER = '\033'; 1b
OEM_SM_TYPE_SUB_SELLOUT_SMS_PRODUCT_MODE_ON = '\036'; 1e
OEM_SM_TYPE_SUB_SELLOUT_SMS_TEST_MODE_ON = '\035'; 1d
OEM_SM_TYPE_SUB_SW_VERSION_ENTER = '\001'; 01
OEM_SM_TYPE_SUB_TFS4_EXPLORE_ENTER = '\017'; 0f
OEM_SM_TYPE_SUB_TOTAL_CALL_TIME_INFO_ENTER = '\032'; 1a
OEM_SM_TYPE_SUB_TST_AUTO_ANSWER_ENTER = ' '; 20
OEM_SM_TYPE_SUB_TST_FTA_HW_VERSION_ENTER = ----> # UTF-8: U+1003: e1 80 83 MYANMAR LETTER GHA
OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER = ----> # UTF-8: U+1002: e1 80 82 MYANMAR LETTER GA
OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER = '!'; 21
OEM_SM_TYPE_SUB_USB_DRIVER_ENTER = '\022'; 12
OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER = '\023'; 13
OEM_SM_TYPE_SUB_VIBRATOR_TEST_ENTER = '\n'; 0a
OEM_SM_TYPE_TEST_AUTO = '\002'; 02
OEM_SM_TYPE_TEST_MANUAL = '\001'; 01
-------------------------------------------------------------------------------
private class OemCommands (TerminalMode)
-------------------------------------------------------------------------------
OEM_HIDDEN_FUNCTAG = 'Q';
OEM_HM_END_TEST_CALL_MESSAGE = '\t';
OEM_HM_TEST_CALL_MESSAGE = '\004';
OEM_HM_TYPE_TEST_CALL = '\007';
OEM_SERVM_FUNCTAG = '\001';
-------------------------------------------------------------------------------
private class OemCommands (SysDump:)
-------------------------------------------------------------------------------
OEM_DBG_STATE_GET = 6;
OEM_DEL_RIL_LOG = 13;
OEM_DPRAM_DUMP = 14;
OEM_DUMPSTATE = 3;
OEM_DUMPSTATE_ALL = 20;
OEM_ENABLE_LOG = 7;
OEM_GCF_MODE_GET = 15;
OEM_GCF_MODE_SET = 16;
OEM_IPC_DUMP_BIN = 9;
OEM_IPC_DUMP_LOG = 8;
OEM_KERNEL_LOG = 4;
OEM_LOGCAT_CLEAR = 5;
OEM_LOGCAT_MAIN = 1;
OEM_LOGCAT_RADIO = 2;
OEM_MODEM_FORCE_CRASH_EXIT = 23;
OEM_MODEM_LOG = 18;
OEM_NV_DATA_BACKUP = 17;
OEM_OEM_DUMPSTATE_MODEM_LOG_AUTO_START = 19;
OEM_RAMDUMP_MODE = 10;
OEM_RAMDUMP_STATE_GET = 11;
OEM_START_RIL_LOG = 12;
OEM_SYSDUMP_FUNCTAG = 7;
OEM_TCPDUMP_START = 21;
OEM_TCPDUMP_STOP = 22;
-------------------------------------------------------------------------------
[/SIZE]
Enjoy!​

Special Properties
Next we'll have a look at some interesting (or not?) system "properties".
For now, I'll just list some of those I found more interesting and potentially useful.
Code:
[SIZE=2]Property Setting/String Source Description[/SIZE]
[SIZE=2]----------------------------------------------------------------------------------------------------------------------[/SIZE]
[SIZE=2]dev.silentlog.on On SysDump: [/SIZE]
[SIZE=2]gsm.operator.numeric 45001 Sec_Ril_Dump: [RIL::FD] Samsung Testbed[/SIZE]
[SIZE=2]gsm.default.sidmode ? UART[/SIZE]
[SIZE=2]net.tcpdumping On SysDump: ?[/SIZE]
[SIZE=2]nfc.trace.mode On Enable NFC Trace Mode [/SIZE]
[SIZE=2]ril.FTM_MODE ? "FTM_MODE_KEY"[/SIZE]
[SIZE=2]ril.FS true PhoneUtils: updateRAFT() Activates RAFT (???) updates[/SIZE]
[SIZE=2]ril.OTPAuth SysDump: OTP Authentication [/SIZE]
[SIZE=2]ril.cdma.inecmmode true Is phone in ECM mode?[/SIZE]
[SIZE=2]ril.unique_number The RIL Unique Number (UN)[/SIZE]
[SIZE=2]ril.sms.gcf-mode On ? SMS "GCF" mode[/SIZE]
[SIZE=2]persist.log.seclevel On Switchable Log level?[/SIZE]
[SIZE=2]persist.sys.country [/SIZE]
[SIZE=2]ro.build.type eng SysDump: [/SIZE]
[SIZE=2]ro.debuggable On Enable Debug / DBG_ENG / Engineering Mode??[/SIZE]
[SIZE=2]----------------------------------------------------------------------------------------------------------------------[/SIZE]
[SIZE=2]Country/Region Specific[/SIZE]
[SIZE=2]----------------------------------------------------------------------------------------------------------------------[/SIZE]
[SIZE=2]ro.board.platform [/SIZE]
[SIZE=2]ro.build.characteristics [/SIZE]
[SIZE=2]ro.csc.sales_code SKT | KIT | LGT PhoneFeature: makeFeatureForKor() [/SIZE]
[SIZE=2]ro.product.name espressorf | espresso10rf PhoneFeature: checkDBGLevel() [/SIZE]
[SIZE=2] aegis2vzw PhoneFeature: makeFeatureForKor() [/SIZE]
[SIZE=2] jaguars | jaguark | jaguarl [/SIZE]
A particularly fun string is the following, found in the featureForKor() function:
Code:
[SIZE=2]mFeatureList.put("emergency_for_cyber_terror", boolean2);[/SIZE]
I'd really like to know what this does!
Special Files
As we know from other Samsung Galaxy class phones, there are a number
of files that can be created or modified in order to activate certain
functions. Here we list those found to date. Please post if you know
of other ones!
Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
activates certain test features. A sim with this IMSI is also known as
a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
"00101" it is a "Test SIM".
[See: ServiceModeApp.apkhoneUtils.java:isFactoryMode() or
FactoryTest.apk:ModuleCommon.java:isFactorySim()]
Code:
[SIZE=2]File FileContent Description[/SIZE]
[SIZE=2]-------------------------------------------------------------------------------[/SIZE]
[SIZE=2]/efs/FactoryApp/factorymode ON Enable Factory Mode[/SIZE]
[SIZE=2]/efs/FactoryApp/keystr ON Blocked (hidden code?) Key String(s)[/SIZE]
[SIZE=2]/efs/imei/mps_code.dat ? ?[/SIZE]
[SIZE=2]/efs/root/ERR ? Error Log[/SIZE]
[SIZE=2]/data/.psm.info ? WiFi Power Save Mode [/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]Various Log Files:[/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]/data/log/CallDropInfoLog.txt ? Dropped Calls Log[/SIZE]
[SIZE=2]/data/log/lucky_ril.log ? ?[/SIZE]
[SIZE=2]/data/log/dumpState_*.log ? ? System Dump Log[/SIZE]
[SIZE=2]/data/log/main_*.log ? ? [/SIZE]
[SIZE=2]/data/anr/traces.txt ? ? [/SIZE]
[SIZE=2]/data/log/err ? ? Error Log[/SIZE]
[SIZE=2]/data/log/err/AENEAS_TRACE_###.bin RF Aeneas Trace Log[/SIZE]
[SIZE=2]/data/log/err/MA_TRACE_###.bin RF MA Trace Log[/SIZE]
[SIZE=2]/mnt/sdcard/log ? ?[/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]System Files [/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]/sys/class/sec/switch/adc [/SIZE]
(Note: Some of these paths need to be verified, as they may be relative...)
Finally, we have two NVpasswords, that is used for uploading or dumping NVram, AFAIK. They are:
873283
3352225
and they can be found in Sec_Ril_Dump.class.
DISCALIMER:
As I do not have access to a GT-I9300, I have not been able to verify
any of the information in this thread! I apologize if there is any erroneous
information here. Please let me know and post new information here as
it become available. Also make sure you make a complete backup, before
attempting any of the codes or other trickery above! ​

Great post Buddy. But..........
But I didn't Understand Anything, lol better to say Nothing......... Too complicate for my simple mind.

This is some list! Great job!

Very good info there .. how about programming the sim with that IMSI will it have any effect.
Sent from my GT-I9300

tids2k said:
Very good info there .. how about programming the sim with that IMSI will it have any effect.
Click to expand...
Click to collapse
It certainly will, but you will have to find a SIM that is programmable!
You can buy programmable SIM cards from the Sysmocom website, but you need the tools to do so. Sysmocom is ran by some of the GSM security researchers and open source baseband developers...
Here is tutorial on how to clone a SIM card. However, this may be highly illegal in some countries, even for your own! Check your local laws.
(In addition it is a border-line topic on what we are allowed to post here on XDA.)
But Apple proposed, (and here) already some years ago, to have programmable SIM cards built into their devices. This would make perfect sense, since the whole idea about using SIM cards have been neglected and forgotten in the first place. (The original idea, was that it should be extremely easy to switch SIM cards, so that you could easily just borrow someone else's phone, put you card in and make a phone call. Even on designated SIM-holder enabled pay-phones! This has become forgotten and circumvented and damn hard to do with embedded sim cards deep inside your phone.) In addition most cellular providers have lobbied against it...

Definately would look at it. Here is the link for the time being ...
http://www.jaycar.com.au/productView.asp?ID=KC5361
I remember when Dejan found the binary hack way back in 2006 for BB5 Nokia phones, he posted files on his website on how to clone a simcard. But those times only 16bit chips were used.
Here is the scheme tics for the reader if any one interested.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
via Flying Daggers

tids2k said:
how about programming the sim with that IMSI will it have any effect.
Click to expand...
Click to collapse
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.

Does it look like there are any menus where you can disable Fast Dormancy? *#9900# does not allow you to do this on the S3

Code:
Samsung Galaxy S3 .. Secret Codes found by tids2k
Thanks to E:V:A for his information and knowledge
HOW TO RUN THESE COMMANDS :
Connect your phone into debug mode .. Settings -> USB Debugging [] Enable it.
Then in MS-DOS C:\ type
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://****
where **** is the secret code :-) So let us begin
Secret Codes **** Function
2684 or 197328640 DEBUG MENU
0000 CSC SPECIFIC
827828868378 CSC SPECIFIC
2684 SERVICE MODE ( WATCHDOG/DUMPS/LOGS OPTIONS)
0011 CONNECTION STATUS
123456 CONNECTION STATUS
22558463 RESETS TOTAL TALK TIME
32489 CIPHERING INFO
2580 NON-SUPPORT
232337 BLUETOOTH ADAPTER ADDRESS
232331 BLUETOOTH RF TEST
232332 ??
9090 DIAG CONFIG (MODEM)
73876766 SELLOUT SMS ENABBLE
738767633 SELLOUT SMS DISABLE
7387678378 SELLOUT SELF SET TEST MODE
7387677763 SELLOUT SMS SET PRODUCT MODE
4238378 GCF SETTINGS
4387264636 SELLOUT SMS MAIN
1575 GPS SETTINGS
6984125 ????
2886 ??
2767*2878 ??
745 RIL COMMANDS ( NICE ONE )
746 ANOTHER DUMP TOOL ( NICE ONE )
9900 or 0514 SYSDUMP
1111 FTA SW VERSION
2222 or 8888 FTA HW VERSION
301279 or 279301 RRC ( HSPA ) CONTROL
2263 BAND SELECTION
5337632 SOME KIND OF SOUND
0228 BATTERY STATUS
03 NAND FLASH UNIQUE NO.
3214789 GCF MODE ENABLE/DISABLE
6335623 WIFI HIDDEN MENU
NOW FACTORY SETTINGS
06 IMEI
0589 LIGHT SENSOR TEST
80 TOUCH NOISE TEST
251 WAKELOCK ON
250 WAKELOCK OFF
350 REBOOT
5238973 LCD TYPE
4327 HDCP INFO
22235 ACCELEROMETER SENSOR INFO
0782 RCT CLOCK
86824 TOUCH KEY SENSTIVITY
0842 VIBRATION TEST
0673 SPEAKER/HEADPHONE/HEADSET TEST
0289 MELODY TEST
2663 TOUCH FIRMWARE UPDATE
2664 POINTER LOCATION
0588 PROXIMITY TEST
3264 RAM CHECK
7780 MASTER RESET
7769 PROXIMITY SENSOR TEST
87976633 FACTORY RESET
9999*3288 QWERTY COUNTER
767*2878 QWERTY COUNTER RESET
0283 LOOPBACK TEST
7328735824 LOT ID

three new tablets in work ... lol
if ((str1.startsWith("GT-P31")) || (str1.startsWith("GT-P51")) || (str1.startsWith("SCH-i705")));

tids2k said:
Code:
Samsung Galaxy S3 .. Secret Codes found by tids2k
Thanks to E:V:A for his information and knowledge
HOW TO RUN THESE COMMANDS :
Connect your phone into debug mode .. Settings -> USB Debugging [] Enable it.
Then in MS-DOS C:\ type
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://****
where **** is the secret code :-) So let us begin
Secret Codes **** Function
2684 or 197328640 DEBUG MENU
0000 CSC SPECIFIC
827828868378 CSC SPECIFIC
2684 SERVICE MODE ( WATCHDOG/DUMPS/LOGS OPTIONS)
0011 CONNECTION STATUS
123456 CONNECTION STATUS
22558463 RESETS TOTAL TALK TIME
32489 CIPHERING INFO
2580 NON-SUPPORT
232337 BLUETOOTH ADAPTER ADDRESS
232331 BLUETOOTH RF TEST
232332 ??
9090 DIAG CONFIG (MODEM)
73876766 SELLOUT SMS ENABBLE
738767633 SELLOUT SMS DISABLE
7387678378 SELLOUT SELF SET TEST MODE
7387677763 SELLOUT SMS SET PRODUCT MODE
4238378 GCF SETTINGS
4387264636 SELLOUT SMS MAIN
1575 GPS SETTINGS
6984125 ????
2886 ??
2767*2878 ??
745 RIL COMMANDS ( NICE ONE )
746 ANOTHER DUMP TOOL ( NICE ONE )
9900 or 0514 SYSDUMP
1111 FTA SW VERSION
2222 or 8888 FTA HW VERSION
301279 or 279301 RRC ( HSPA ) CONTROL
2263 BAND SELECTION
5337632 SOME KIND OF SOUND
0228 BATTERY STATUS
03 NAND FLASH UNIQUE NO.
3214789 GCF MODE ENABLE/DISABLE
6335623 WIFI HIDDEN MENU
NOW FACTORY SETTINGS
06 IMEI
0589 LIGHT SENSOR TEST
80 TOUCH NOISE TEST
251 WAKELOCK ON
250 WAKELOCK OFF
350 REBOOT
5238973 LCD TYPE
4327 HDCP INFO
22235 ACCELEROMETER SENSOR INFO
0782 RCT CLOCK
86824 TOUCH KEY SENSTIVITY
0842 VIBRATION TEST
0673 SPEAKER/HEADPHONE/HEADSET TEST
0289 MELODY TEST
2663 TOUCH FIRMWARE UPDATE
2664 POINTER LOCATION
0588 PROXIMITY TEST
3264 RAM CHECK
7780 MASTER RESET
7769 PROXIMITY SENSOR TEST
87976633 FACTORY RESET
9999*3288 QWERTY COUNTER
767*2878 QWERTY COUNTER RESET
0283 LOOPBACK TEST
7328735824 LOT ID
Click to expand...
Click to collapse
Untested, here; nevertheless - thanks for this info guys!!
Sent from my GT-I9300 using xda premium

This should all work. Didnt had much time to look for other commands, will do in a day or so.
Sent from my GT-I9300 using XDA Premium HD app

Odia said:
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Click to expand...
Click to collapse
Thanks! Probably very useful, but
1) Is that temporary? (How to get back original after having use this code?)
2) Where is it located? (What App + class files?)

Odia said:
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Click to expand...
Click to collapse
doesnt work on sgs III

Hi all,
a couple of month ago I build an app with shortcuts for the "secret" dialer codes within the galaxy S2, because I could not remember them all ...This app is special tailored for the galaxy S2, but should work on all SAMSUNG devices with TOUCHWIZ ... Not all codes will work on all devices, but a lot these codes work on other samsung touchwiz devices.
I tested the App with my GS3 and a lot of these codes still working ....
You could also add your own codes and ussd codes to an app internal database ... and some users even uses this database as hidden phone book
Check it out: https://play.google.com/store/apps/details?id=com.widgapp.HiddenFeaturesFREE
(Important: These codes will NOT work on most custom roms, Nexus S, Galaxy Nexus, HTC, Sony, Motorolla etc. ...I´m a little bit annoyed by comments like: Not working on my HTC, Sony, Nexus S, Samsung XYZ with custom rom zyx .... ...without Touchwiz, there is no possibility to use touchwiz firmware functions!)

SAMSUNG GALAXY S3 CODES SECRETS
*#06# Show IMEI number
*#0*# LCD Test Menu
*#*#4636#*#* user statistics and Phone Info
*#0011# Displays status information for the GSM
*#1234# View SW Version PDA, CSC, MODEM
*#12580*369# SW & HW Info
*#197328640# Service Mode
*#0228# ADC Reading
*#32489# (Ciphering Info)
*#232337# Bluetooth Address
*#232331# Bluetooth Test Mode
*#232338# WLAN MAC Address
*#232339# WLAN Test Mode
*#0842# Vibra Motor Test Mode
*#0782# Real Time Clock Test
*#0673# Audio Test Mode
*#0*# General Test Mode
*#2263# RF Band Selection
*#9090# Diagnostic ConfiguratioN
*#7284# USB I2C Mode Control
*#872564# USB Logging Control
*#4238378# GCF Configuration
*#0283# Audio Loopback Control
*#1575# GPS Control Menu
*#3214789650# LBS Test Mode
*#745# RIL Dump Menu
*#746# Debug Dump Menu
*#9900# System Dump Mode
*#44336# Sofware Version Info
*#7780# Factory Reset
*2767*3855# Full Factory Reset
*#0289# Melody Test Mode
*#2663# TSP / TSK firmware update
*#03# NAND Flash S/N
*#0589# Light Sensor Test Mode
*#0588# Proximity Sensor Test Mode
*#273283*255*3282*# Data Create Menu
*#273283*255*663282*# Data Create SD Card
*#3282*727336*# Data Usage Status
*#7594# Remap Shutdown to End Call TSK
*#34971539# Camera Firmware Update
*#526# WLAN Engineering Mode
*#528# WLAN Engineering Mode
*#7412365# Camera Firmware Menu
*#07# Test History
*#3214789# GCF Mode Status
*#272886# Auto Answer Selection
*#8736364# OTA Update Menu
*#301279# HSDPA/HSUPA Control Menu
*#7353# Quick Test Menu
*2767*4387264636# Sellout SMS / PCODE view
*#7465625# View Phone Lock Status
*7465625*638*# Configure Network Lock MCC/MNC
#7465625*638*# Insert Network Lock Keycode
*7465625*782*# Configure Network Lock NSP
#7465625*782*# Insert Partitial Network Lock Keycode
*7465625*77*# Insert Network Lock Keycode SP
#7465625*77*# Insert Operator Lock Keycode
*7465625*27*# Insert Network Lock Keycode NSP/CP
#7465625*27*# Insert Content Provider Keycode
*#272*IMEI# then we will get buyer code (For samsung galaxy sIII csc code)
*#*#7780#*#* Factory data reset - Clears Google-account data, system and program settings and installed programs. system will not be deleted, and OEM programs, as well as My Documents (pictures, music, videos)

ascsa said:
I tested the App with my GS3 and a lot of these codes still working ....
Click to expand...
Click to collapse
Hi! Thanks for your effort, but your post risk confusing people and corrupting this thread, because the red application functions (as shown in your table) only show that your app is not able to use those codes, and not that they do not work with SGS3.
TO ALL:
DO not post new codes here, unless you have either:
a) personally tested the codes on a GT-I9300
b) found and documented references in the source code, that can be independently verified.
Thanks!

[REF|R&D|RF] RF/Radio properties of Samsung ServiceMode

RF/Radio properties of the ServiceMode Application
Thread Difficulty: HARD
Thread Noob Patience: LOW
Thread Topic
This thread is a Reference and Research & Development thread for
investigating and to better document the various radio related variables
as found and displayed by the ServiceMode application. Here we are
particularly concerned with those found in Samsung phones, but as
you will see, this is more modem (BP/CP) dependent than phone model
dependent. So much of this info should also apply to other devices
using the same modem.
Off Topic?
If you have questions that does not directly concern the main focus
of this thread, please ask in the general forum. If you ask support
questions here, they will be deleted without warning.
If you're just looking for info how to enter the Service Menu on a recent
Samsung, look in this thread:
[REF][ServiceMode] How to make your Samsung perform dog tricks
Background
Because the ServiceMode (SM) application is really running in the
Modem under its own RTOS, it is limited in the presentation. So what
you see running in the AOS ServiceMode application is really just a
Java wrapper to code that is running in the RTOS. This severely
limits the information presented, if accessible at all.
Most mobile device manufacturers doesn't want their users to have
access to the ServiceMode functions, for various and good reasons.
Perhaps the best reason is that you can easily hard-brick your
device and/or mess up all the internal radio related settings.
However, we are already used to this, so why not have a better look
at the mobile network parameters within our devices. These can be
extremely useful from identifying network problems to detect and
prevent illegal or clandestine mobile network monitoring.
So what are the limiting factors of the ServiceMode Application?
It is a Java wrapper application that is usually made by
the device manufacturer (Samsung, HTC, Nokia etc) that
need to be present and compatible with your AOS FW.
(API, RIL etc)
The actual code is running in Modem RTOS and usually queried
by ServiceMode.apk by the use of a RIL_REQUEST_OEM_HOOK_RAW request,
that allows requests to circumvent the normal RIL filter.
The parameters present depends on the Modem FW versions.
(You will find many misspellings and other FUBAR objects in
various modem SM presentations.)
The displayed RF related parameters depend on the Modem HW,
and are thus completely different in an Intel XMM modem, than
for an Qualcomm MSM type modem/processor SoC, and so on.
The displayed RF related parameters depend on the network
you are currently using and connected to.
But the mobile network interface is transparent from the AOS AP point
of view, so a large set of radio parameters must comply to the 3GPP
standards in order for your device to function properly. But only a
very small subset of these RF parameters are part of the non-internal AOS API.
We want more!
By carefully looking at all the details and information that is
presented by the SM application, we can find out many more and
useful network details, such as ciphering modes, network types,
bands, and technology used. But to do this we need to understand
the language used. Unfortunately, many times the language does
not reflect the current 3GPP standards, so we are left to guess,
until some anonymous modem RF-expert/developer come along and
correct us.
So if you happen to know anything specific, this is where you
can really help this thread...
ServiceMode Vocabulary
Here I try to resolve some of the more obscure sounding items,
as found in the SM of mainly two devices.
(a) Samsung Galaxy S2 (GT-I9100, XXKI1 with Intel XMM6260 modem)
(b) Samsung Galaxy S4-mini (GT-I9195, XXUBML4 with Qualcomm MSM8930AB SoC)
In post#2 you will find an almost complete menu structure for
the UMTS MENU items as found in (b). I have not posted the items
for the LTE or CDMA menus, since I don't have that network, which
means I don't know how they would look. So feel free to post your
own findings, if you use those.
Also, remember that the end-point/detailed view of the menu
items, depend on your current network. I.e. you will see
different items, when connected to GSM vs. WCDMA, and so on.
In post#3 I show the detailed explanations of the various
3GPP defined RR timers as shown under the NAS/MM items.
In post#4 I attempt to describe the specific end-point menu items:
Code:
[SIZE=2] [1] BASIC INFORMATION
[1] MM INFORMATION
[2] MM REJECT CAUSE
[3] GMM REJECT CAUSE
[3] AS INFORMATION
[4] NEIGHBOUR CELL
[/SIZE]
I still need help deciphering some of those values.
(What exactly do they represent and mean?)
​

The root MAIN MENU
Code:
MAIN MENU
[1] [B]UMTS[/B]
[2] CDMA
[3] LTE
[4] SIM- Not Used. ==> <E>
[5] DOCOMO DEBUG SCREEN
[6] run EFS SYNC()
[7] DEBUG SCREEN
The UMTS MENU tree
Here is an almost complete menu structure for the UMTS MENU items
found in a GT-I9195. I have not posted the items for the LTE or CDMA
menus, since I don't have that network, which means I don't know how
they would look. So please post your own findings, if you use those.
Code:
[SIZE=2][1] UMTS MAIN MENU
[1] DEBUG SCREEN
[2] VERSION INFORMATION
[3] UMTS RF NV
[4] GSM RF NV
[5] AUDIO
[6] COMMON
[7] LTE BAND CONFIG CHECK
------------------------------
[1] DEBUG SCREEN
[1] BASIC INFORMATION ==> <E> Code: 0011
[2] NAS INFORMATION
[3] AS INFORMATION
[4] NEIGHBOUR CELL
[5] GPRS INFORMATION
[6] SIM INFORMATION
[7] HANDOVER
[8] PHONE CONTROL
[9] ANTENNA/ADC
[1] // BASIC INFORMATION ==> <E>
RRC: IDLE, Band1
MCC-MNC:nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
[2] NAS INFORMATION
[1] MM INFORMATION
[2] MM REJECT CAUSE
[3] GMM REJECT CAUSE
[4] PS REJECT CAUSE
[5] RESET MM&GMM REJECT List
[6] EF_RAT INFORMATION
[7] SAT REFRESH INFO
[8] SMC RESULT INFO
[9] CALL END CAUSE
[1] // MM INFORMATION
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32: 10(S) 11(S) 12(A)
13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh
[2] // MM REJECT CAUSE
MM reject Information List
1. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
2. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
3. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
4. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
5. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
6. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
[3] // GMM REJECT CAUSE
GMM reject Information List
1. Time: 4M 9D 14h19m02s
Type: 4, Cause:7 nnn-01, UMTS
2. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
3. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
4. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
5. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
[4] // PS REJECT CAUSE
PDP and PDN recet List
- No Data
[5] // RESET MM&GMM REJECT List <== Immediately clears reject list!
[6] // EF_RAT INFORMATION
Boot-up EF_RAT
NONE(-1)
Refreshed EF_RAT
1.GSM_WCDMA(1), 000-000
2.GSM_WCDMA(1), 000-000
3.GSM_WCDMA(1), 000-000
4.GSM_WCDMA(1), 000-000
5.GSM_WCDMA(1), 000-000
[7] // SAT REFRESH INFO
<exactly the same as above>
[8] // SMC RESULT INFO --> <E>
RRC: IDLE, Band1
MCC-MNC: nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
[9] // CALL END CAUSE --> <E>
<exactly the same as above>
[3] // AS INFORMATION
RRC: IDLE, Band1
WCDMA: IDLE
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
VOC: FR FR FR, 0
L1: PCH_Sleep
CQI: 0, Sam: 0
[4] // NEIGHBOUR CELL
Aset: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 394 -60 -7 53 29 <== rapid changes
Sych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 403 -83 -51 31 -15
Sych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 403 -83 -51 31 -15
Sych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 403 -83 -51 31 -15
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 422 -121 -49 29 -1
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 262 -121 -49 0 0
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 102 -121 -49 0 0
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 450 -121 -49 0 0
[5] GPRS INFORMATION
FUNCTION:ds_gprs_information
[6] SIM INFORMATION
[1] General Info
[2] QMI UIM status
[3] CHECK NV
[1] // General Info
SIM Phase: 0
Card Capability: USIM
SIM voltage class: 1.8V SIM
None
None
Proactive command:
00 00 00 00 00 00 00 00 00 00 - ^^ (10 Hex)
[2] // QMI UIM status
CARD_STATE: Present
CARD_ERROR: Unknown
APP_TYPE: USIM
APP_STATE: Ready
PERSO_STATE: Ready
PERSO_FEATURE: Unsupported
PIN1_STATE: Enabled_Verified
pin1_num(3), puk1_num(10)
PIN2_STATE: Enabled_Not_Verified
pin2_num(3), puk2_num(10)
[3] // CHECK NV
CHECK NV
Band pref: Unexpected value
RTRE Configuration: SIM based
FTM Mode: Online Mode
ENS: Disabled
UIM CLASS: UMTS
[7] HANDOVER
[1] HANDOVER GtoG
[2] HANDOVER GtoW
[3] HANDOVER WtoG
[4] HANDOVER TEST
[8] PHONE CONTROL
[1] DRX CONTROL
[2] FAKE SECURITY CONTROL
[3] NAS CONTROL
[4] UE STATE CONTROL
[5] SIMULATION
[6] NETWORK LOCK
[7] NETWORK CONTROL
[1] // DRX CONTROL
DRX: Not Active
[1] DRX: ON
[2] DRX: OFF
[2] // FAKE SECURITY CONTROL
FAKE SECURITY: OFF
[1] FAKE SECURITY: ON
[2] FAKE SECURITY: OFF
[3] NAS CONTROL
[1] CIPHERING CONTROL
[2] INTEGRITY CONTROL
[3] SIM CLASS CONTROL
[4] REVISION CONTROL
[5] RRC(HSPA) CONTROL
[6] DUALMODE IMPROVEMENT CONTROL
[7] NAS AVOID SECURITY CONTROL
[1] // CIPHERING CONTROL
CIPHERING CONTROL: ON
[1] CIPHERING: ON
[2] CIPHERING: OFF
[2] // INTEGRITY CONTROL
INTEGRITY CONTROL: ON
[1] INTEGRITY: ON
[2] INTEGRITY: OFF
[3] // SIM CLASS CONTROL
UIM CLASS: UMTS
[1] UIM CLASS: UMTS
[2] UIM CLASS: GSM
[4] REVISION CONTROL
[1] DISPLAY REVISION
[2] CHENGE REVISION
[5] RRC(HSPA) CONTROL
[1] DISPLAY RRC REVISION
[2] CHANGE RRC REVISION
[6] // DUALMODE IMPROVEMENT CONTROL
DUALMODE IMPROVEMENT: NOT ACT
[1] DUALMODE IMPROVEMENT: ON
[2] DUALMODE IMPROVEMENT: OFF
[7] NAS AVOID SECURITY CONTROL
AVOID_SECURITY_CHECK: NOT ACT
[1] SECURITY_CHECK: ON
[2] SECURITY_CHECK: OFF
[4] UE STATE CONTROL
[1] CALL CONNECT STATE
[2] CHANGE RAT TO WCDMA
[3] CHANGE RAT TO GSM
[5] SIMULATION
[1] Modem Assert (Reset)
[2] SW WATCHDOG
[3] HW WATCHDOG
[4] CP Logging (Started)
[5] Realtime Log(OFF) - Don't! <== WTF?
[6] NETWORK LOCK
[1] PERSO SHA256 Info
SHA256_ENABLE_FLAG [1]
[7] NETWORK CONTROL
[1] GCF
[2] BAND SELECTION ==> Code: [B]2263[/B] "BAND"
[3] SERVICE DOMAIN
[4] AQUISITION ORDER
[5] PLMN(AUTO/MANUAL) SELECTIO
[6] FPLMN
[7] IMSI replacement
[1] GCF
[1] GSM/(E)GPRS/WCDMA REL8
[2] GSM/(E)GPRS/WCDMA REL7
[3] GSM/(E)GPRS/WCDMA REL6
[4] GSM/(E)GPRS/WCDMA REL5
[5] SETTING CANCELLATION
[2] BAND SELECTION
[1] Automatic
[2] WCDMA Band Preference
[3] GSM Band Preference
[4] LTE Band Preference
[3] // SERVICE DOMAIN
[1] CS + PS (*)
[2] CS ONLY
[3] PS ONLY
[4] // AQUISITION ORDER
[1] Automatic
[2] GSM_UMTS
[3] UMTS_GSM (*)
[4] No Change
[5] // PLMN(AUTO/MANUAL) SELECTIO
[1] AUTOMATIC (*)
[2] MANUAL
[6] FPLMN
[1] FPLMN READ
[2] FPLMN DELETE ALL
[3] FPLMN DELETE EXCL DOM
[7] // IMSI replacement
[1] Enable
[2] Disable (*)
[9] ANTENNA/ADC
ds_antenna_adc
------------------------------
[2] VERSION INFORMATION
[1] SW VERSION
[2] HW VERSION
[3] UMTS RF
[1] RF NV READ
[2] RF NV WRITE
[3] UMTS DIVERSITY CONTROL
[4] RF CALIBRATION CHECK
[4] GSM RF
[1] RF NV READ
[2] RF NV WRITE
[5] AUDIO ==> Locked! See Note (a)
...
[6] COMMON
[1] FTM
[2] DEBUG INFO
[3] RF SCANNING
[4] DIAG CONFIG
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
[1] FTM : OFF ==> Locked! See Note (b)
[1] NOT SUPPORT
[2] FTM : OFF
[2] DEBUG INFO
[1] MM REJECT CAUSE
[2] LOG DUMP
[3] UI DEBUG POPUP - N/S
[3] RF SCANNING
[1] SETTING
[2] START RF SCANNING
[3] RESULT TO PC
[4] RESULT TO SCREEN
[4] DIAG CONFIG
[1] USB ( )
[2] UART (*)
[3] DBG MSG ON (*)
[4] DBG MSG OFF ( )
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
co_gps_menu
[7] LTE BAND CONFIG CHECK --> <E>
[/SIZE]
(Where I have replaced my LAC/CID with "nnnnn" and "hhhhh", respectively)
Note that the end-point/detailed view of the menu items, depend on your
current network. I.e. you will see different items, when connected to GSM vs. WCDMA.
For example. Here is a picture comparing the BASIC INFORMATION view for LTE, CDMA and GSM/UMTS, respectively.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
(Picture stolen from THIS website. Sorry, there is no owner/contact info there to ask for permission.)
So what does all those numbers mean?
That's what we will try to figure out in the next posts and in this thread! But first I will show you
another menu view. The menu that concerns the MM (Mobile Management) MENU items.
To get to the picture below:
MAIN MENU > [1] UMTS MAIN MENU > [1] DEBUG SCREEN > [2] NAS INFORMATION > [1] MM INFORMATION
Which should result in:
Code:
[SIZE=2]mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
[B]TIMER_T32[/B]: [B]10[/B](S) [B]11[/B](S) [B]12[/B](A)
[B]13[/B](S) [B]20[/B](S) [B]30[/B](S) [B]40[/B](S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh[/SIZE]
< placeholder >
As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.

The Mobility Management (MM) Timers: MS-side
All the MM timers are defined and thorough;y explained in [1]. But here I
summarize the timers we have found in our SM as shown above. Where we
have the following timers clearly visible:
Code:
[SIZE=2]T3210
T3211
T3212
T3213
T3220
T3230
T3240
[/SIZE]
Here's a summary table also taken and edited from [1].
The very brief 3GPP summary for T3210/11/12/13 is:
< WIP placeholder>
The very brief 3GPP summary for T3220/30/40 is:
Code:
[SIZE=2][B]T3220[/B] Timer is used during the MM states of:
- IMSI Detach Initiated
Timer is started at IMSI Detach.
Timer is stopped when: release from RM-sublayer
At expiry it: "enter Null or Idle, ATTEMPTING TO UPDATE" ??
[B]T3230[/B] Timer is used during the MM states of:
- Wait For Outgoing MM Connection
- Wait For Additional Outgoing MM Connection
- Wait TO Re-establish MM connection
Timer is started in the mobile station when:
- the MS makes a Ciphering Mode (CM) service request
- the MS makes a Ciphering Mode (CM) re-establishment request
Timer is stopped when:
- the MS makes a CM setting
- the MS receives a CM Service Reject
- the MS receives a CM Service Accept
At expiry it provides a release indicator.
[B]T3240[/B] Timer is started in the mobile station when:
- the mobile station receives a LOCATION UPDATING ACCEPT message completing a location updating procedure in the cases specified in subclauses 4.4.4.6 and 4.4.4.8;
- the mobile station receives a LOCATION UPDATING REJECT message in the cases specified in subclause 4.4.4.7;
- the mobile station has sent a CM SERVICE ABORT message as specified in subclause 4.5.1.7;
- the mobile station has released or aborted all MM connections in the cases specified in 4.3.2.5, 4.3.5.2, 4.5.1.1, and 4.5.3.1;
- the mobile station receives the paging message from network and enter the MM state 9 (WAIT FOR NETWORK COMMAND).
Timer is stopped, reset, and started again at receipt of an MM message.
Timer is stopped and reset (but not started) at receipt of a CM message that initiates establishment of an CM connection (an appropriate SETUP, REGISTER, or CP-DATA message as defined in 3GPP TS 24.008, 3GPP TS 24.010 [21] or 3GPP TS 24.011 [22]).
If timer expires, the MS shall abort the RR connection and enter the MM state MM IDLE.
[/SIZE]
References:
[1] "Mobile Radio Interface Layer 3 specification, Core Network Protocols"
3GPP TS 24.008 V12.5.0 (2014-03): (678 pages)
[2]

The Variable Vocabulary
Here is a list of variable names, and their inferred meaning, as found in the SM shown above.
Code:
[SIZE=2]
RX : Receive/Down-Link Channel aka "DL CH"
TX : Transmit/Up-Link Channel aka "UL CH"
RI : [dBm] RSSI (Receive Signal Strength Indicator)
CID : Cell ID
PSC : Primary Synchronization Code
EcIo : [1] Ec/Io = RSCP / RSSI = Eb/No - Gp
RSCP : [dBm] Received Signal Code Power [2,3] RSCP = RSSI + Ec/No
SpeechVER : The Voice Codec in use [EFR/FR/HR/AMR]
L1 : [FACH,DCH,BCH,PCH_Sleep]
Drx cycle : Discontinuous Reception (DRX) Cycle
therm : Thermal Power (
LNA : Low Noise Amplifier ???
mm: Idle : Mobile Management connection status ??
lu: Upda :
SS: Avail : Subsystem System Simulator ?? Secondary Synchronization Signal ??
RAC : Routing Area Code
TIMER_T32: 10 (S) : Really refers to the T3210 timer, and where
GmmState: Registered(3) :
SubState: normal(0) :
PmmMode: IDLE(1) :
rej_cause:0 :
luAttCnt:0 : Location Update (IMSI Attach?)/(Attempts?) Count
TMSI: 9xxxxxxd : Temporary Mobile Subscriber Identity
AS INFORMATION: : Access Stratum
VOC :
CQI : Channel-Quality Indication
Sam :
"Specific Anthropomorphic Mannequin" ??
"Service Aware Manager" (Alcatel/Lucent) ??
[/SIZE]
As you can see there are many not yet clearly defined items.
To clarify these (and others) is the main purpose of this thread!
< more crazy dragons to be >

< more crazy dragons to be >

A very nice book chapter and collection of useful baseband info and document links.
Benoit Michau, 2014
"Analyse de sécurité des modems mobiles"
[French]
Click to expand...
Click to collapse

LNA
E:V:A said:
The Variable Vocabulary
Here is a list of variable names, and their inferred meaning, as found in the SM shown above.
Code:
[SIZE=2]
LNA : Low Noise Amplifier ???
Click to expand...
Click to collapse
LNA = Line Noise Attenuator/Attenuation

oddball3 said:
LNA = Line Noise Attenuator/Attenuation
Click to expand...
Click to collapse
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. Links to a reliable source, helps.

E:V:A said:
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. Links to a reliable source, helps.
Click to expand...
Click to collapse
Not spot on, but proof of concept:
http://www.w3eee.com/Noiz .html
I had the perfect site I wanted to post here for you, and just to prove what a crappy country this is, our power utility decided to cut supply to our area :-\ I reckon I was about two sentences away from perfection haha!! Was so disappointed it's taken me since then to work up the enthusiasm to try again!!
Edit: Good Reference source - http://ieeexplore.ieee.org/xpl/logi...re.ieee.org/xpls/abs_all.jsp?arnumber=6471543

Few from me
PSC : Primary Scrambling Code (not synchronization)
L1 : RRC State [FACH,DCH,BCH,PCH_Sleep]
GmmState: Registered(3) : GPRS Mobiity Management status
PmmMode: IDLE(1) : Packet Mobiity Management status

E:V:A said:
Code:
[SIZE=2]mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
[B]TIMER_T32[/B]: [B]10[/B](S) [B]11[/B](S) [B]12[/B](A)
[B]13[/B](S) [B]20[/B](S) [B]30[/B](S) [B]40[/B](S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh[/SIZE]
As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.
Click to expand...
Click to collapse
Interesting. But that way we can only know if a Timer is Stopped or Active.
How can we know the Value of these Timers?
Thanks.

vndnguyen said:
How can we know the Value of these Timers?
Click to expand...
Click to collapse
We can try to read its value from one of the SIM card EF files. I forgot which. We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports. Or we can leave phone still and read the start/stop flags when they change. Or you can call the technicians of the MNO and ask.

E:V:A said:
We can try to read its value from one of the SIM card EF files. I forgot which.
Click to expand...
Click to collapse
I can read the EF files on the SIM cards. But the problem is that we don't know which EF files store those timers?
We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports.
Click to expand...
Click to collapse
Can you give some detailed instruction about it? I have no idea on it.
Or we can leave phone still and read the start/stop flags when they change.
Click to expand...
Click to collapse
This is not a good way to read.
Or you can call the technicians of the MNO and ask.
Click to expand...
Click to collapse
Yes, I'm working at that MNO. But I still want to read those timers directly from the phone.

problem with gsm
hi gays.
i`ve a prblem with my phone.
in gsm(2g) don`t have signal but in 3g yes.
with this service menu... can i reparair?
please help me
hola chicos, tengo un problema: teniendo mi cel en gsm 2g no me toma señal, se queda sin servicio, pero al cambiar a 3g tengo altiro señal.
puedo con este menu repararlo y como? se agradece la ayuda

sirkuazar said:
hi gays.
i`ve a prblem with my phone.
in gsm(2g) don`t have signal but in 3g yes.
with this service menu... can i reparair?
please help me
hola chicos, tengo un problema: teniendo mi cel en gsm 2g no me toma señal, se queda sin servicio, pero al cambiar a 3g tengo altiro señal.
puedo con este menu repararlo y como? se agradece la ayuda
Click to expand...
Click to collapse
Gays? I'm not a gay LOL
You would rather check your sim card as well as the mobile service before playing around with your phone. You can put the sim card into another phone to see if it works, etc...

:laugh::laugh::laugh::laugh:
vndnguyen said:
Gays? I'm not a gay LOL
You would rather check your sim card as well as the mobile service before playing around with your phone. You can put the sim card into another phone to see if it works, etc...
Click to expand...
Click to collapse
HHHHHHHHH

[APP][INFO|SUPPORT] SSHelper (The free Android SSH Server Application)

SSHelper (The free Android SSH Server Application)
Date: 2014-06-02
Difficulty: Easy
This is the XDA SSHelper support thread for the only completely open
source, transparent, free and ad-less SSH daemon/server Application for
Android. Sure there are plenty other Android SSH server apps out there, but
you can try to find one that is both free, without any ads, where all
the sources are clearly available and documented, where their developer
can be reached and contacted, and that has its own website.
To make things even better, I decided to start this thread in honor of,
and with permission by the main developer and scientist, Paul Lutus.
He's been developing software for NASA since the 80's and wrote one of
the first word processors for Apple-I. You can read all about it on his
website.
Another important reason for this thread is that SSHelper was developed
under CyanogenMod which is an AOSP ROM. This may cause many unexpected
side effects since those devices behave very differently from stock
(out-of-the-box) firmwares. While AOSP ROM often adds many new features,
they also remove many other OEM features that are mostly unknown or not
understood by the ROM builders/developers. So basing your app
development on a custom ROM is really begging for support trouble. This
will become even more apparent with the recent moves by Godzilla to make
AOS SELinux Enforced by default.
If you just need an SSH server right away, you can download the APK
directly from his website HERE or indirectly from Google Play.
The minimum required AOS is Honeycomb 3.2 / API 13, and the
current version is: 6.3 (04.28.2014).
SSHelper Features
SSHelper is much more than just an SSH server, it also offers:
full Rsync support
full sshd_config file support
full shell profile support
HTTP server
SCP server
SFTP server
Detailed Debug info (via App and web server)
Detailed Logcat view
Terminal Shell with OTG keyboard
and a full Busybox implementation
The Support
However, as you can imagine, the more supported features, the more
potential for problems. As the developer is a wild-life adventurer he's
not constantly sitting in front of his computer waiting to solve other
peoples problems, but often extremely isolated in the Alaskan wilderness
or in a small boat in the middle of the pacific.
That's why we need this thread. Other users may be able to help you if
they have had similar or previous problems. And if those problems aren't
solvable here, hopefully Paul will be able to have an occasional look,
insight and update.
However, since this application is based on OpenSSL / OpenSSH and so on,
the best place to find solutions and ask general SSH related questions
is on any of the 5 StackExchange related Q&A sites:
http://stackoverflow.com/
http://android.stackexchange.com/
http://unix.stackexchange.com/
http://serverfault.com/
http://superuser.com/
You should also have a good read at the SSHelper main support site.
So before posting here, search there first!
Required Android Permissions
( in: ../SSHelper/AndroidManifest.xml )
Code:
[SIZE=2]android.permission.ACCESS_NETWORK_STATE[/SIZE]
[SIZE=2]android.permission.ACCESS_SUPERUSER[/SIZE]
[SIZE=2]android.permission.ACCESS_WIFI_STATE[/SIZE]
[SIZE=2]android.permission.BLUETOOTH[/SIZE]
[SIZE=2]android.permission.CHANGE_WIFI_MULTICAST_STATE[/SIZE]
[SIZE=2]android.permission.CHANGE_WIFI_STATE[/SIZE]
[SIZE=2]android.permission.INTERNET[/SIZE]
[SIZE=2]android.permission.RECEIVE_BOOT_COMPLETED[/SIZE]
[SIZE=2]android.permission.WRITE_EXTERNAL_STORAGE[/SIZE]
These will probably need to be updated in order to solve some issues
when used on devices running SEAndoid in Enforced mode.
Application File Locations
All the SSHelper related files are located in and below the base directory at:
/data/data/com.arachnoid.sshelper
Code:
[SIZE=2]bin Here are all the binary assets, such as busybox and sshd etc.[/SIZE]
[SIZE=2]cache [/SIZE]
[SIZE=2]databases [/SIZE]
[SIZE=2]dev [/SIZE]
[SIZE=2]etc [/SIZE]
[SIZE=2]files [/SIZE]
[SIZE=2]home Your home directory when using SSH[/SIZE]
[SIZE=2]lib Symlinked to: /data/app-lib/com.arachnoid.sshelper-1[/SIZE]
[SIZE=2]tmp [/SIZE]
[SIZE=2]var [/SIZE]
The APK Assets
Code:
[SIZE=2]busybox_gz[/SIZE]
[SIZE=2]rsync_gz[/SIZE]
[SIZE=2]scp_gz[/SIZE]
[SIZE=2]sftp_gz[/SIZE]
[SIZE=2]ssh_gz[/SIZE]
[SIZE=2]ssh_keygen_gz[/SIZE]
[SIZE=2]ssh_keyscan_gz[/SIZE]
[SIZE=2]sshd_gz[/SIZE]
[SIZE=2]favicon.ico[/SIZE]
[SIZE=2]profile[/SIZE]
[SIZE=2]server_page.html[/SIZE]
[SIZE=2]sshd_config[/SIZE]
Installed Binaries
From Busybox we have:
Code:
[SIZE=2]BusyBox v1.21.0 (2014-04-01 22:29:02 PDT) multi-call binary.[/SIZE]
[SIZE=2]BusyBox is copyrighted by many authors between 1998-2012.[/SIZE]
[SIZE=2]Licensed under GPLv2. See source distribution for detailed[/SIZE]
[SIZE=2]copyright notices.[/SIZE]
[SIZE=2]Usage: busybox [function [arguments]...][/SIZE]
[SIZE=2] or: busybox --list[-full][/SIZE]
[SIZE=2] or: busybox --install [-s] [DIR][/SIZE]
[SIZE=2] or: function [arguments]...[/SIZE]
[SIZE=2] BusyBox is a multi-call binary that combines many common Unix[/SIZE]
[SIZE=2] utilities into a single executable. Most people will create a[/SIZE]
[SIZE=2] link to busybox for each function they wish to use and BusyBox[/SIZE]
[SIZE=2] will act like whatever it was invoked as.[/SIZE]
[SIZE=2]Currently defined functions:[/SIZE]
[SIZE=2] [, [[, ar, arp, ash, awk, base64, basename, bbconfig, beep, blkid,[/SIZE]
[SIZE=2] blockdev, bootchartd, bunzip2, bzcat, bzip2, cal, cat, catv, chat,[/SIZE]
[SIZE=2] chattr, chgrp, chmod, chown, chpst, chroot, chrt, chvt, cksum, clear,[/SIZE]
[SIZE=2] cmp, comm, cp, cpio, crond, crontab, cttyhack, cut, dc, dd, deallocvt,[/SIZE]
[SIZE=2] depmod, devmem, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix,[/SIZE]
[SIZE=2] dpkg, dpkg-deb, du, dumpkmap, echo, ed, egrep, env, envdir, envuidgid,[/SIZE]
[SIZE=2] expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,[/SIZE]
[SIZE=2] fdisk, fgconsole, fgrep, find, findfs, flash_lock, flash_unlock,[/SIZE]
[SIZE=2] flashcp, flock, fold, free, freeramdisk, fsync, ftpd, ftpget, ftpput,[/SIZE]
[SIZE=2] fuser, getopt, grep, gunzip, gzip, halt, hd, hdparm, head, hexdump,[/SIZE]
[SIZE=2] hostname, httpd, hwclock, ifconfig, ifdown, ifup, init, inotifyd,[/SIZE]
[SIZE=2] insmod, install, iostat, ip, ipaddr, ipcalc, iplink, iproute, iprule,[/SIZE]
[SIZE=2] iptunnel, klogd, less, linuxrc, ln, loadkmap, losetup, lpd, lpq, lpr,[/SIZE]
[SIZE=2] ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,[/SIZE]
[SIZE=2] makedevs, makemime, man, md5sum, mdev, mesg, mkdir, mkfifo, mknod,[/SIZE]
[SIZE=2] mkswap, mktemp, modinfo, modprobe, more, mpstat, mv, nbd-client, nc,[/SIZE]
[SIZE=2] netstat, nice, nmeter, nohup, od, openvt, patch, pidof, ping,[/SIZE]
[SIZE=2] pipe_progress, pmap, popmaildir, poweroff, powertop, printenv, printf,[/SIZE]
[SIZE=2] ps, pscan, pstree, pwd, pwdx, raidautorun, rdev, readlink, readprofile,[/SIZE]
[SIZE=2] realpath, reboot, reformime, renice, reset, resize, rev, rm, rmdir,[/SIZE]
[SIZE=2] rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runsv, runsvdir, rx,[/SIZE]
[SIZE=2] script, scriptreplay, sed, sendmail, seq, setconsole, setkeycodes,[/SIZE]
[SIZE=2] setlogcons, setserial, setsid, setuidgid, sha1sum, sha256sum, sha3sum,[/SIZE]
[SIZE=2] sha512sum, showkey, sleep, smemcap, softlimit, sort, split,[/SIZE]
[SIZE=2] start-stop-daemon, strings, stty, sum, sv, svlogd, switch_root, sync,[/SIZE]
[SIZE=2] sysctl, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,[/SIZE]
[SIZE=2] tftpd, time, timeout, top, touch, tr, traceroute, true, ttysize,[/SIZE]
[SIZE=2] tunctl, tune2fs, udpsvd, uname, uncompress, unexpand, uniq, unix2dos,[/SIZE]
[SIZE=2] unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode,[/SIZE]
[SIZE=2] vconfig, vi, volname, watch, wc, wget, which, whoami, whois, xargs, xz,[/SIZE]
[SIZE=2] xzcat, yes, zcat[/SIZE]
In addition to that, in the $SSHELPER/bin we find:
Code:
[SIZE=2]rsync[/SIZE]
[SIZE=2]scp[/SIZE]
[SIZE=2]sftp[/SIZE]
[SIZE=2]ssh[/SIZE]
[SIZE=2]ssh-keygen[/SIZE]
[SIZE=2]ssh-keyscan[/SIZE]
[SIZE=2]sshelper_sshd[/SIZE]
References and Resources:
<WIP>
​

Some Application Options
When you start the application you will see a list of different
configuration settings. The detailed description of each one is found
HERE. The most important being:
Code:
SSH Server Port Number (Default: [B]2222[/B])
Server Password (Default: [B]admin[/B])
Some Environment Variables
When you use SSHelper to login via SSH, you end up in the temporary
mksh shell at the home location set by the environment variable $ENV
which is set to be:
/data/data/com.arachnoid.sshelper/home
This behavior is contrary to what is normally used on Linux machines
where you end up in the $HOME directory. A few other important shell
variables are:
Code:
[SIZE=2]ENV=/data/data/com.arachnoid.sshelper/home[/SIZE]
[SIZE=2] HOME=/[/SIZE]
[SIZE=2] LD_LIBRARY_PATH=/vendor/lib:/system/lib[/SIZE]
[SIZE=2] LOGNAME=u0_a202[/SIZE]
[SIZE=2] LOOP_MOUNTPOINT=/mnt/obb[/SIZE]
[SIZE=2] PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/data/data/com.arachnoid.sshelper/bin[/SIZE]
[SIZE=2] SHELL=/tmp-mksh/tmp-mksh[/SIZE]
[SIZE=2] SSHELPER=/data/data/com.arachnoid.sshelper[/SIZE]
[SIZE=2] USER=u0_a202[/SIZE]
And to get the whole set, use the command "set":
Code:
[SIZE=2]ANDROID_ASSETS=/system/app[/SIZE]
[SIZE=2] ANDROID_BOOTLOGO=1[/SIZE]
[SIZE=2] ANDROID_DATA=/data[/SIZE]
[SIZE=2] ANDROID_PROPERTY_WORKSPACE=8,66560[/SIZE]
[SIZE=2] ANDROID_ROOT=/system[/SIZE]
[SIZE=2] ANDROID_SOCKET_zygote=10[/SIZE]
[SIZE=2] ANDROID_STORAGE=/storage[/SIZE]
[SIZE=2] ASEC_MOUNTPOINT=/mnt/asec[/SIZE]
[SIZE=2] BOARD=MSM8960[/SIZE]
[SIZE=2] BOOTCLASSPATH=/system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/framework2.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/sec_edm.jar:/system/framework/seccamera.jar:/system/framework/scrollpause.jar:/system/framework/stayrotation.jar:/system/framework/smartfaceservice.jar:/system/framework/secocsp.jar:/system/framework/abt-persistence.jar:/system/framework/sc.jar[/SIZE]
[SIZE=2] COLUMNS=80[/SIZE]
[SIZE=2] EMULATED_STORAGE_SOURCE=/mnt/shell/emulated[/SIZE]
[SIZE=2] EMULATED_STORAGE_TARGET=/storage/emulated[/SIZE]
[SIZE=2] ENV=/data/data/com.arachnoid.sshelper/home[/SIZE]
[SIZE=2] EXTERNAL_STORAGE=/storage/emulated/legacy[/SIZE]
[SIZE=2] HOME=/[/SIZE]
[SIZE=2] IFS='[/SIZE]
[SIZE=2] '[/SIZE]
[SIZE=2] KSHEGID=0[/SIZE]
[SIZE=2] KSHGID=0[/SIZE]
[SIZE=2] KSHUID=0[/SIZE]
[SIZE=2] KSH_VERSION='@(#)MIRBSD KSH R40 2011/10/07'[/SIZE]
[SIZE=2] LD_LIBRARY_PATH=/vendor/lib:/system/lib[/SIZE]
[SIZE=2] LINES=24[/SIZE]
[SIZE=2] LOGNAME=u0_a202[/SIZE]
[SIZE=2] LOOP_MOUNTPOINT=/mnt/obb[/SIZE]
[SIZE=2] MAIL=/var/mail/u0_a202[/SIZE]
[SIZE=2] OPTIND=1[/SIZE]
[SIZE=2] PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/data/data/com.arachnoid.sshelper/bin[/SIZE]
[SIZE=2] PGRP=333[/SIZE]
[SIZE=2] PIPESTATUS[0]=0[/SIZE]
[SIZE=2] PIPESTATUS[1]=0[/SIZE]
[SIZE=2] PPID=21382[/SIZE]
[SIZE=2] PS1='[email protected]$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '[/SIZE]
[SIZE=2] PS2='> '[/SIZE]
[SIZE=2] PS3='#? '[/SIZE]
[SIZE=2] PS4='+ '[/SIZE]
[SIZE=2] PWD=/data/data/com.arachnoid.sshelper/home[/SIZE]
[SIZE=2] RANDOM=20853[/SIZE]
[SIZE=2] SECONDARY_STORAGE=/storage/extSdCard:/storage/UsbDriveA:/storage/UsbDriveB:/storage/UsbDriveC:/storage/UsbDriveD:/storage/UsbDriveE:/storage/UsbDriveF[/SIZE]
[SIZE=2] SECONDS=20[/SIZE]
[SIZE=2] SHELL=/tmp-mksh/tmp-mksh[/SIZE]
[SIZE=2] SSHELPER=/data/data/com.arachnoid.sshelper[/SIZE]
[SIZE=2] SSH_CLIENT='192.168.xx.xx 14115 2222'[/SIZE]
[SIZE=2] SSH_CONNECTION='192.168.xx.xx 14115 192.168.yy.yy 2222'[/SIZE]
[SIZE=2] TMOUT=0[/SIZE]
[SIZE=2] TZ=GMT-3[/SIZE]
[SIZE=2] USER=u0_a202[/SIZE]
[SIZE=2] USER_ID=0[/SIZE]
[SIZE=2] VIBE_PIPE_PATH=/dev/pipes[/SIZE]
[SIZE=2] _=set[/SIZE]
(These may vary somewhat, depending on your device.)
The default profile and sshd_config
profile:
Code:
[SIZE=2]# place user customizations here[/SIZE]
[SIZE=2] uname -s -r -m[/SIZE]
[SIZE=2] alias ls="$SSHELPER/bin/ls"[/SIZE]
[SIZE=2] export PS1='[email protected]$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '[/SIZE]
If you are rooted and already have Busybox installed, it is highly
recommended to edit this file.
sshd_config:
Code:
[SIZE=2]# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $[/SIZE]
[SIZE=2] # This is the sshd server system-wide configuration file. See[/SIZE]
[SIZE=2] # sshd_config(5) for more information.[/SIZE]
[SIZE=2] # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin[/SIZE]
[SIZE=2] # The strategy used for options in the default sshd_config shipped with[/SIZE]
[SIZE=2] # OpenSSH is to specify options with their default value where[/SIZE]
[SIZE=2] # possible, but leave them commented. Uncommented options override the[/SIZE]
[SIZE=2] # default value.[/SIZE]
[SIZE=2] #Port 22[/SIZE]
[SIZE=2] #AddressFamily any[/SIZE]
[SIZE=2] #ListenAddress 0.0.0.0[/SIZE]
[SIZE=2] #ListenAddress ::[/SIZE]
[SIZE=2] # The default requires explicit activation of protocol 1[/SIZE]
[SIZE=2] #Protocol 2[/SIZE]
[SIZE=2] # HostKey for protocol version 1[/SIZE]
[SIZE=2] #HostKey /etc/ssh/ssh_host_key[/SIZE]
[SIZE=2] # HostKeys for protocol version 2[/SIZE]
[SIZE=2] HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa[/SIZE]
[SIZE=2] HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa[/SIZE]
[SIZE=2] HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa[/SIZE]
[SIZE=2] # Lifetime and size of ephemeral version 1 server key[/SIZE]
[SIZE=2] #KeyRegenerationInterval 1h[/SIZE]
[SIZE=2] #ServerKeyBits 1024[/SIZE]
[SIZE=2] # Logging[/SIZE]
[SIZE=2] # obsoletes QuietMode and FascistLogging[/SIZE]
[SIZE=2] #SyslogFacility AUTH[/SIZE]
[SIZE=2] #LogLevel INFO[/SIZE]
[SIZE=2] # Authentication:[/SIZE]
[SIZE=2] #LoginGraceTime 2m[/SIZE]
[SIZE=2] #PermitRootLogin yes[/SIZE]
[SIZE=2] #StrictModes yes[/SIZE]
[SIZE=2] #MaxAuthTries 6[/SIZE]
[SIZE=2] #MaxSessions 10[/SIZE]
[SIZE=2] #RSAAuthentication yes[/SIZE]
[SIZE=2] #PubkeyAuthentication yes[/SIZE]
[SIZE=2] # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2[/SIZE]
[SIZE=2] # but this is overridden so installations will only check .ssh/authorized_keys[/SIZE]
[SIZE=2] # AuthorizedKeysFile (path)[/SIZE]
[SIZE=2] #AuthorizedPrincipalsFile none[/SIZE]
[SIZE=2] # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts[/SIZE]
[SIZE=2] #RhostsRSAAuthentication no[/SIZE]
[SIZE=2] # similar for protocol version 2[/SIZE]
[SIZE=2] # HostbasedAuthentication no[/SIZE]
[SIZE=2] # Change to yes if you don't trust ~/.ssh/known_hosts for[/SIZE]
[SIZE=2] # RhostsRSAAuthentication and HostbasedAuthentication[/SIZE]
[SIZE=2] # IgnoreUserKnownHosts no[/SIZE]
[SIZE=2] # Don't read the user's ~/.rhosts and ~/.shosts files[/SIZE]
[SIZE=2] #IgnoreRhosts yes[/SIZE]
[SIZE=2] # To disable tunneled clear text passwords, change to no here![/SIZE]
[SIZE=2] # PasswordAuthentication no[/SIZE]
[SIZE=2] # PermitEmptyPasswords yes[/SIZE]
[SIZE=2] # Change to no to disable s/key passwords[/SIZE]
[SIZE=2] #ChallengeResponseAuthentication yes[/SIZE]
[SIZE=2] # Kerberos options[/SIZE]
[SIZE=2] #KerberosAuthentication no[/SIZE]
[SIZE=2] #KerberosOrLocalPasswd yes[/SIZE]
[SIZE=2] #KerberosTicketCleanup yes[/SIZE]
[SIZE=2] #KerberosGetAFSToken no[/SIZE]
[SIZE=2] # GSSAPI options[/SIZE]
[SIZE=2] #GSSAPIAuthentication no[/SIZE]
[SIZE=2] #GSSAPICleanupCredentials yes[/SIZE]
[SIZE=2] # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication[/SIZE]
[SIZE=2] # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included[/SIZE]
[SIZE=2] # in this release. The use of 'gssapi' is deprecated due to the presence of[/SIZE]
[SIZE=2] # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.[/SIZE]
[SIZE=2] #GSSAPIEnableMITMAttack no[/SIZE]
[SIZE=2] # Set this to 'yes' to enable PAM authentication, account processing,[/SIZE]
[SIZE=2] # and session processing. If this is enabled, PAM authentication will[/SIZE]
[SIZE=2] # be allowed through the ChallengeResponseAuthentication and[/SIZE]
[SIZE=2] # PasswordAuthentication. Depending on your PAM configuration,[/SIZE]
[SIZE=2] # PAM authentication via ChallengeResponseAuthentication may bypass[/SIZE]
[SIZE=2] # the setting of "PermitRootLogin without-password".[/SIZE]
[SIZE=2] # If you just want the PAM account and session checks to run without[/SIZE]
[SIZE=2] # PAM authentication, then enable this but set PasswordAuthentication[/SIZE]
[SIZE=2] # and ChallengeResponseAuthentication to 'no'.[/SIZE]
[SIZE=2] # UsePAM no[/SIZE]
[SIZE=2] # AllowAgentForwarding yes # default[/SIZE]
[SIZE=2] # AllowTcpForwarding yes # default[/SIZE]
[SIZE=2] #GatewayPorts no[/SIZE]
[SIZE=2] #X11Forwarding yes[/SIZE]
[SIZE=2] #X11DisplayOffset 10[/SIZE]
[SIZE=2] #X11UseLocalhost yes[/SIZE]
[SIZE=2] #PrintMotd yes[/SIZE]
[SIZE=2] PrintLastLog no[/SIZE]
[SIZE=2] #TCPKeepAlive yes[/SIZE]
[SIZE=2] #UseLogin no[/SIZE]
[SIZE=2] UsePrivilegeSeparation no[/SIZE]
[SIZE=2] PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins[/SIZE]
[SIZE=2] Compression yes[/SIZE]
[SIZE=2] ClientAliveInterval 300 # 300 seconds of idle time[/SIZE]
[SIZE=2] ClientAliveCountMax 5 # after five queries, disconnect[/SIZE]
[SIZE=2] UseDNS no[/SIZE]
[SIZE=2] # PidFile[/SIZE]
[SIZE=2] #MaxStartups 10[/SIZE]
[SIZE=2] #PermitTunnel no[/SIZE]
[SIZE=2] #ChrootDirectory[/SIZE]
[SIZE=2] #VersionAddendum none[/SIZE]
[SIZE=2] # no default banner path[/SIZE]
[SIZE=2] #Banner none[/SIZE]
[SIZE=2] # override default of no subsystems[/SIZE]
[SIZE=2] Subsystem sftp internal-sftp[/SIZE]
[SIZE=2] # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).[/SIZE]
[SIZE=2] AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES[/SIZE]
[SIZE=2] AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT[/SIZE]
[SIZE=2] AcceptEnv LC_IDENTIFICATION LC_ALL[/SIZE]
[SIZE=2] # Example of overriding settings on a per-user basis[/SIZE]
[SIZE=2] #Match User anoncvs[/SIZE]
[SIZE=2] # X11Forwarding no[/SIZE]
[SIZE=2] # AllowTcpForwarding no[/SIZE]
[SIZE=2] # ForceCommand cvs server[/SIZE]
[SIZE=2] #Match LocalAddress 127.0.0.1[/SIZE]
[SIZE=2] # X11Forwarding yes[/SIZE]
[SIZE=2] # AllowTcpForwarding yes[/SIZE]
[SIZE=2] # AllowUsers sshelper[/SIZE]

Some SELinux / SEAndroid related issues
< WIP: may contain inaccuracies! >
So you're rooted and you hope to use SSH to get a root shell,
like in the good old days (yesterday), and now you've got trouble!
Thanks to Godzilla and Samsung, we now have to deal with something called
SEAndroid which stands for "Security Enchanced Linux (SEL) for Android".
This would not have been so bad, if it wasn't because these companies now
want to enable the very strict Enforcing mode, by default.
That means that nothing you're once used to, when you have root access,
works and behaves as expected. In fact SEL restricts root user, just like
any other, so you have to spend some weeks trying to understand how that
is dealt with and managed from a Super-User's perspective.
So trying to get a root shell from an SSH session, is now likely to fail
because:
You have a Samsung KNOX enabled device. Samsung KNOX is deeply intertwined with SEL.
==> Remove all KNOX garbage.
Your SEL policy is not allowing SSHelper to allocate a pseudo-terminal (/dev/ptmx ) beacuse the /dev/pts directory is mounted as RO as type /devpts.
==> remount /dev/pts to enable RW: mount -o remount,rw -t devpts /dev/pts
Your SEL policy is still not allowing you to su from outside SE context "init_shell".
==> Temporarily set SEL to Permissive mode with: su 0 setenforce 0
Your SEL policy is not allowing you to ... period.
==> Unless you have a locked bootloader, disable SEL by flashing an insecure kernel/ROM that either doesn't have SEL, or at least not in Enforcing mode.
su is not working because:
a) your AOS version is not handling SEL policies right.
b) your su version is not handling SEL contexts right.
You got fooled into buying a locked Verizon or ATT phone with locked boot loader, and no way of rooting, and no one can help you. You cannot do any development with such a phone.
==> Return phone and cancel your contract.
< TBA >
The mksh Shell
< WIP >
The MirBSD™ Korn Shell, is better known as mksh and is now the default
shell on Androids since JB 4.1, instead of ash. I don't know why this
change was made, but I suspect it has something to do with having much
better documentation, better linux community support and therefore more
features and better compatibility.
The current available mksh version is:
R49 (11 Jan 2014)
NOTE: This is the sources version and is not necessarily available as
an Android binary, unless you compile your own. (Please share it here!)
You can check your own Android mksh version with:
Code:
[SIZE=2][email protected]:home $ echo $KSH_VERSION[/SIZE]
[SIZE=2] @(#)MIRBSD KSH [B][COLOR=Red]R40[/COLOR] 2011/10/07[/B][/SIZE]
[SIZE=2] [/SIZE]
The complete online man pages for mksh is found HERE.
The mksh ChangeLog is HERE.
The latest mksh sources are available HERE.
The latest statically linked ARM Android binary can be downloaded HERE.​

< Here be more Dragons 3 >

The (app) Terminal
SSHelper contain it's own terminal that can be better used with an external keyboard. However, the code that runs this terminal, is hard-coded in the Java file: ShellTerminal.java as this:
Code:
[SIZE=2]String[] com = new String[] { app.binDir + "/ssh", "-q", "-t", "-t", "-o UserKnownHostsFile /dev/null", "-o StrictHostKeyChecking no", host, "-p", port };[/SIZE]
With the effect that the local loopback IP is set to 127.0.0.1 and port as chosen in the UI.
Code:
[SIZE=2]ssh -q -t -t -o UserKnownHostsFile /dev/null -o StrictHostKeyChecking no 127.0.0.1 -p <port>[/SIZE]
Unfortunately this command will fail if there is no controlling tty allocated, or if <port> is used by, or IP 127.0.0.1 is blocked by other applications, such as firewall or SEAndroid/KNOX permissions and settings.
The sshelper_sshd binary
The binary as compiled have the following options enabled:
Code:
[SIZE=2]OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]
[/SIZE]
However, the built-in app command line is:
Code:
[SIZE=2]sshelper_sshd -D -p <port> -h <key_file> -o PidFile <pid_file> -f <sshd_config_file> <debug_level> -e [UI_options] -o StrictModes <yes/no> -o Banner <banner_text_file>
[/SIZE]
where:
Code:
[SIZE=2]<debug_level> = -d, -dd, -ddd, -dddd
<banner_text_file> = banner1.txt (with password) or banner2.txt (no password)
if (prefix.disablePasswords) { app.addToList(coms, "-o PasswordAuthentication no"); }
if (prefix.allowForwarding) { app.addToList(coms, "-o PermitTunnel yes"); }
[/SIZE]
This way, if you need more special features, you can run the server from a local shell command line.
The full details which you can find HERE, but the most important shown below.
From the sshd manual pages:
Code:
[SIZE=2] -D When this option is specified, sshd will not detach and does not
become a daemon. This allows easy monitoring of sshd.
-d Debug mode. The server sends verbose debug output to standard
error, and does not put itself in the background. The server
also will not fork and will only process one connection. This
option is only intended for debugging for the server. Multiple
-d options increase the debugging level. Maximum is 3.
-e Write debug logs to standard error instead of the system log.
-f config_file
Specifies the name of the configuration file. The default is
/etc/ssh/sshd_config. sshd refuses to start if there is no
configuration file.
-h host_key_file
Specifies a file from which a host key is read. This option must
be given if sshd is not run as root (as the normal host key files
are normally not readable by anyone but root). The default is
/etc/ssh/ssh_host_key for protocol version 1, and
/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
protocol version 2. It is possible to have multiple host key
files for the different protocol versions and host key
algorithms.
-o option
Can be used to give options in the format used in the
configuration file. This is useful for specifying options for
which there is no separate command-line flag. For full details
of the options, and their values, see sshd_config(5).
-p port
Specifies the port on which the server listens for connections
(default 22). Multiple port options are permitted. Ports
specified in the configuration file with the Port option are
ignored when a command-line port is specified. Ports specified
using the ListenAddress option override command-line ports.
-q Quiet mode. Nothing is sent to the system log. Normally the
beginning, authentication, and termination of each connection is
logged.
-t Test mode. Only check the validity of the configuration file and
sanity of the keys. This is useful for updating sshd reliably as
configuration options may change.
[/SIZE]

So after having updated SuperSU from 1.94 to 2.00, I've suddenly got some different SELinux errors in the AVC log, but did not resolve the issue. This partially confirm that this is a combined App + SELinux issue, due to several factors:
1) App is not performing the SU operation according to current (latest AOSP) standards. For example, from THIS issue on Stackoverflow, apparently AOS >4.3 (or more likely those using SELinux 4.2.2) are no longer using setuid(), and if you still wanna use it, it is suggested to do a fork() before. In addition su has to be made in the right context.
2) According to THIS article, SU is no longer allowed to execute files on the /data partition, although there are some workarounds. Please read Chainfire's blog about how to SU, for latest developments, and workarounds.
3) The current SELinux policy is restricting the use of /dev/pts|ptm|pty and the mounted devpts FS. Most likely some of the policy/behavior is wrong.
Useful links:
http://su.chainfire.eu/
http://www.xda-developers.com/andro...ak-compatibility-with-many-current-root-apps/
http://www.xda-developers.com/andro...he-android-l-developer-preview-the-right-way/

Another possible reason for this issue, could be that since AOS 4.3 (and possibly some 4.2.2 in Enforcing) versions, the WRITE_EXTERNAL_STORAGE permissions in /system/etc/permissions/platform.xml have been changed to a much more restrictive setting, where Apps can ONLY write to their own directory. For a good description of the problem and solution:
[APP][4.4][ROOT] SDFix: Modify device permissions to allow apps to write to MicroSD
http://forum.xda-developers.com/showthread.php?t=2684188
https://plus.google.com/+TodLiebeck/posts/gjnmuaDM8sn
This need to be checked.
=========================== EDIT =====================
On 4.2.2 Enforcing, we have:
Code:
[SIZE=2]...
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
<group gid="sdcard_r" />
</permission>
<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
<group gid="sdcard_rw" />
<group gid="media_rw" />
</permission>
...[/SIZE]
This seem OK, but perhaps SSHelper also need to set its GID to "sdcard_rw"?
Because on KK 4.4.2b4 we have:
Code:
[SIZE=2] <permission name="android.permission.READ_EXTERNAL_STORAGE" >
<group gid="sdcard_r" />
[COLOR=Red][B]<group gid="media_rw" />[/B][/COLOR]
</permission>
<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
[COLOR=Red][B]<group gid="sdcard_r" />[/B][/COLOR]
<group gid="sdcard_rw" />
<group gid="media_rw" />
</permission>
<permission name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" >
<group gid="sdcard_r" />
<group gid="sdcard_rw" />
<group gid="sdcard_all" />
</permission>
<permission name="android.permission.WRITE_MEDIA_STORAGE" >
<group gid="media_rw" />
</permission>
[/SIZE]
Looking at the permissions in our AndroidManifest.xml file, and compare that to issue#315 in Android-Terminal-Emulator, it could that we also need to add the READ_EXTERNAL_STORAGE permission, which is not present in our manifest, and contrary to what Google said about WRITE_EXTERNAL_STORAGE as automatically including READ_ access.
To help troubleshoot permission problems when running on an AOS with enabled SELinux (>4.2.2), please provide the output of the following commands:
Code:
getprop |grep "ro.build.*"
getenforce
cat /data/misc/audit/audit.log

I have now found a work-around for the lost terminal job-control.
It's originally described in detail HERE.
---
EDIT: (Added 2014-11-23)
I've finally found a work-around for the crippled /dev/pts job-control and su combination. There are two small problems that combines to this issue.
1. The SELinux policy is screwed up by Samsung. And others?
2. The /dev/pts is mounted wrong by default.
The work-around:
Make sure you're device is already in Enforcing mode, so that you get the proper su prompt (#).
1. Open terminal session 1.
Code:
[SIZE=2]
## On Terminal 1
ssh -2 [email protected] -p 2222
$ su -c /system/bin/sh -i
# su 0 setenforce 0
# umount /dev/pts
# su -cn u:r:init:s0 -c "busybox mount -t devpts -o rw,seclabel,relatime,mode=620,gid=5 devpts /dev/pts"[/SIZE]
2. Now go to Terminal 2 and login:
Code:
[SIZE=2]## On terminal 2
ssh -2 [email protected] -p 2222
$
[/SIZE]
(You now have job-control but no su possibility.)
3. Now go back to Terminal 1 and enable Enforcing mode:
Code:
[SIZE=2]## On Terminal 1
# su 0 setenforce 1
[/SIZE]
4. Now go back to Terminal 2 and escalate to su:
Code:
[SIZE=2]## On terminal 2
$ su -c /system/bin/sh -i
# [/SIZE]
Unfortunately if you exit the su (#) shell, you'll have to repeat steps 2-4 of the procedure.

Any progress on a pty for lollipop users?
So now that Lollipop has landed, is there any progress on getting a pty for Lollipop users?
Ideally something that can work with something not too far from stock.

zelch said:
So now that Lollipop has landed, is there any progress on getting a pty for Lollipop users? Ideally something that can work with something not too far from stock.
Click to expand...
Click to collapse
Are you actually having any issues? Please post what. I've used this on a KK 4.4.4 MTK device, using SuperSU 2.16, and there are no problems with this on that device.

E:V:A said:
Are you actually having any issues? Please post what. I've used this on a KK 4.4.4 MTK device, using SuperSU 2.16, and there are no problems with this on that device.
Click to expand...
Click to collapse
In short, yes.
Currently on stack (unrooted) Lollipop on a Nexus 7 (2013), and while the ssh server works it can not allocate a pty, resulting in the shell not being all that usable.
While I expect that rooting will be a requirement to adjust things, I would rather avoid the option of completely disabiling selinux enforcement.
(Yes, it's a quick and easy way to solve the problem. But the selinux enforcement buys quite a lot in the way of security, so I'd rather limit things to say, a tweaked selinux policy.)

Okay noob question .... My rooted Nexus 5, with sshelper installed, changed listening port to 3333, set a new password
Logon from Windows server with putty gives ...
login as: admin
SSHelper Version 6.8 Copyright 2014, P. Lutus
[email protected]'s password:
Server refused to allocate pty
sh: /data/data/com.arachnoid.sshelper/home/.profile[2]: uname: not found
What cretinous thing have I omitted to notice?
Regards Marcus

I've been running your app for a few days with good results, thank you for that!
Would it be possible to implement a wifi lock only when there is a client connected? Wifi lock all the time is killing my battery and my standby wifi seems to be responsive enough to receive incoming connections (often after 2 or 3 attempts, but it still eventually works)

First of all let me clarify that I am not the developer and maintainer of this App. It is Paul Lutus, and you can message him on his website. I only started this thread to help him out and to help myself of having a place to post problems. I really like his app, but THESE are really annoying issues, and has proably nothing to do with his app but with the screwed up way that Google is changing device permissions.
The only solution I know about for problem devices is something like I re-posted in edited post #8:
http://forum.xda-developers.com/showpost.php?p=55779472&postcount=8
Good Luck.

Hi!
Is it possible to start sftp session as root user? If i try to reach /data for example i get permission denied error In terminal i must type su to gain root rights.
Thank you!

jumika said:
Hi!
Is it possible to start sftp session as root user? If i try to reach /data for example i get permission denied error In terminal i must type su to gain root rights.
Thank you!
Click to expand...
Click to collapse
I would like to know this as well.

Having a problem with SFTP ssh process almost immediately disconnecting. I get messages from my file manager (caja) such as "The connection is closed (the underlying SSH process exited)". This wasn't a problem until I did a factory reset on my OnePlus 5 and upgrade it to Oreo (8.1)
How can I keep the connection alive? I tried a keep alive ping on the PC side by editing SSH config files, but that was a bust.

How to run SSHelper from CLI/ADB - failed Phone's LCD/Screen
Hi everyone
Trying to start SSH helper on a phone with a defective screen
It is already installed, but not running... tried this:
Code:
[email protected]:/data/app # am start com.arachnoid.sshelper
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER]pkg=com.arachnoid.sshelper }
Error: Activity not started, unable to resolve Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=com.arachnoid.sshelper }
and many other creative combinations I somehow got from online searches:
Code:
# am start com.arachnoid.sshelper/android.intent.action.MAIN
it fails:
Code:
start com.arachnoid.sshelper/android.intent.action.MAIN <
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.L
AUNCHER] cmp=com.arachnoid.sshelper/android.intent.action.MAIN }
Error type 3
Error: Activity class {com.arachnoid.sshelper/android.intent.action.MAIN} does not exist.
This directory exists:
Code:
[email protected]:/data/app # ls -ld *arach*
drwxr-xr-x system system 2018-08-07 21:00 com.arachnoid.sshelper-2
maybe the "-2" needs to be accounted for somehow in the command to start?
pages like: http://learnandroid.blogspot.com/2008/01/run-android-application-from-command.html
says how to construct an "am start" command, but it requires info from the Manifest, except the file AndroidManifest.xml found in the ssh helper.apk seems binary
Until I get this working ADB is the only way to connect to the phone, it's rather limited in its abilities... like, no scp
Code:
C:\Android>adb shell
[email protected]:/ $ su
[email protected]:/ # scp
tmp-mksh: scp: not found
Any tips on how to start SSH Helper, maybe someone has the text Manifest xml file?
Stormy.

Terrible rsync transfer rates
I'm having trouble with transfer rates using rsync.
I use rsync to backup my phone to my computer but the transfer rates are always below 700kB/s which is unbearable.
My specs:
Phone: Samsung S9, rooted with custom rom.
Computer: MacOS 10.14.6
I had the same problem with SSHDroid but maybe some of you have an idea how to tackle this, or confirm the slow transfer speed.
By the way: When uploading music to my phone it is faster with 1.4MB/s (still not super great).

Running adb daemon as root

How does adb daemon can be run as root on custom ROM and not on stock ROM (throws message like "not possible on production devices"). Are there any specific settings that prevent this or /sbin/adbd executable itself is different?
(
on omniROM the build.prop are set properly as not to allow root by default:
[email protected]:/ $ getprop|grep secure
[ro.adb.secure]: [1]
[ro.secure]: [1]
[sys.settings_secure_version]: [1]
)

user vs. userdebug build might be one difference