@rossja
Last active February 19, 2024 15:49

Tizen Hacking

Contents

  1. Device Info
  2. Modes HOWTO
    1. Recovery Mode
    2. Bootloader Mode
    3. Developer Mode
  3. Short Cut Keys
  4. Hidden Codes
  5. Useful Features
  6. Firmware Reversing
  7. Rooting
    1. Heimdall
    2. Odin
  8. File-System Analysis
  9. Logs
  10. Packet Capture
  11. Package Management
    1. pkginfo
    2. rpm
    3. pkgcmd

Device Info

Tested using the following devices:

  • Samsung Z1 (SM-Z130H)
    • firmware: Z130HDDU0CPL1
  • Samsung Z2 (SM-Z200F)
    • firmware: Z200FDDE0BPJ5
  • Samsung Z3 (SM-Z300H)
    • firmware: Z300HDDE0BOL1
  • Samsung Z4 (SM-Z400F)
    • firmware: Z400FDDU0BQG1

Back to contents

Modes HOWTO

To get the most out of the test device, you'll need to know how to enable or get to operating modes other than the normal run-time environment. This section of the guide provides information on how to boot the device to Recovery Mode, the Bootloader, and how to enable Developer Options on the device.

Recovery Mode

  1. Power off device
  2. Push & Hold Home, Volume Up, and press Power
  3. Once the Booting Recovery notification appears, let go of buttons to enter the recovery mode screen
  4. From here you can:
  • Enter Safe Mode
  • Perform a factory reset
  • Reboot the device

Back to contents

Bootloader Mode

  1. Power off device
  2. Push & Hold Home, Volume Down, and press Power
  3. You will see a Warning screen. Push the Volume Up button to continue
  4. Your device will now be in Odin Mode
  5. From here you can:
  • Use Odin to backup, restore, and flash over the bootloader, OS, and other areas of the device storage.

Back to contents

Developer Mode

  1. Open the Phone application
  2. Dial the number *#84936#
  3. A screen will open
  4. Toggle the Developer Option switch
  5. Go to System Settings and scroll to the bottom to open the Developer Options menu
  6. From here you can:
  • Enable USB Debugging
  • Enable CPU Usage screen overlay
  • View Crash traces
  • Obtain the device ID (DUID)

Back to contents

Short Cut Keys

  • Screenshot:
    • Home Keys + Power Key (Press Simultaneously)
  • Close All Open Applications:
    • Long Press Home Key
  • Launch Camera ( Quick Launch):
    • Press Home Key twice (can be setup in camera settings)
  • Boot Mode (Odin Mode):
    • Long press Power Key + Home Key + Volume Key (-)
  • Hard Reset (Factory Reset) and Safe Mode:
    • Long press Power Key + Home Key + Volume Key (+). This is the Recovery Mode combination; Factory Reset and Safe Mode are chosen from the recovery menu once it appears.

Back to contents

Hidden Codes

(Entered via the phone dialer app)

  • Developer Option: *#84936#
  • See Version Info: *#1234#
  • IMEI (MEID) and S/N (serial number): *#06#
  • MODEM Test Mode: #1111#
  • Check Battery Status: *#0228#
  • Service Mode: *#0011#
  • Touch Firmware Version: *#2663#
  • Check All Hardware (Sensor, speaker, Echo Test, Camera): *#0*#
  • USB Config: *#0808#
  • Check Speaker/Earpiece: *#0283#

Back to contents

Useful Features

  • Clean Storage Cache & RAM
    1. Go to Settings
    2. Select Storage and RAM
    3. Select Clear
  • Change Keyboard Style
    1. Go to Settings
    2. Select Style
    3. Go to Others
    4. Select desired Style
  • Move Apps to SD-Card
    1. Go to Settings
    2. Select Apps
    3. Select App Manager
    4. Select the app you want to move to SD Card
    5. Select Move to SD Card
  • Locate or Find / Ring your lost device
    1. Go to Settings
    2. Select Lock screen and Security
    3. Go to Find My Mobile
    4. Configure your settings.
    5. To find your phone or ring it, go to Samsung's Find My Mobile website.
  • Send SOS Messages to a Specific Contact (Help Mode)
    1. Press Power Key Quickly 3 times
      (configurable in Privacy & Security Settings)

Back to contents

Firmware Reversing

  1. Download the firmware image (for example: Z400FDDU0BQG1_Z400FODD0BQG1_INS.zip)
  2. Extract the .tar.md5 contained within the zip file: unzip Z400FDDU0BQG1_Z400FODD0BQG1_INS.zip
  3. Make a new directory to contain the files in the tarball: mkdir extracted and change into the new directory: cd extracted
  4. Untar the .tar.md5 file: tar xf ../Z400FDDU0BQG1_Z400FODD0BQG1_Z400FDDU0AQF2_HOME.tar.md5
  5. There are a number of files here; the disk partitions are the .img files. For example: rootfs.img
  6. Make a new directory to use as mountpoint root: mkdir mnt
  7. Mount the desired image using loop (this needs root): sudo mount -t ext4 -o loop rootfs.img mnt
    • On Mac OSX you may be able to use hdiutil, but you'll need ext4 support first:
      1. Install ext4fuse and dependencies:
        1. brew cask install osxfuse
        2. brew install ext4fuse
      2. Attach the file: hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount rootfs.img (this will print out a device, for example /dev/disk1)
      3. Mount the device from the prior step: hdiutil mount /dev/disk1

Back to contents

Rooting

Once you've mounted the rootfs.img as per above:

  1. Modify the image to include the su binary at /bin/su
    (You can use the su binary from a Z3 if you don't have one, or build your own from source; whichever you use must be built for the device's CPU architecture)

    • sudo mount -o loop rootfs.img ./mnt
    • sudo cp su ./mnt/bin
    • sudo chmod 4755 ./mnt/bin/su
    • sudo umount ./mnt

Flash the modified rootfs.img using Heimdall:

  1. Turn off phone
  2. Hold home and vol-down and press power
  3. Press vol-up to continue (if prompted)
  4. Flash the root image: heimdall flash --ROOTFS rootfs.img
  5. Wait for the phone to finish flashing and reboot

Repackage the modified rootfs.img into an Odin flashable tarball:

  1. From inside the directory that contains the .img files:
    1. Unmount and remove the mnt point you created: sudo umount ./mnt && rm -rf ./mnt (The tarball can only contain files; Odin will fail if there is a directory in it. Unmount first, otherwise rm -rf descends into the still-mounted image and deletes the root filesystem you just modified)
    2. Create a tarball of the filesystem: tar cf ../rootedFirmwareImage.tar *
  2. Change to the directory you created the tarball in: cd ..
  3. Calculate the MD5 of the tarball and append it to the end of the tar file: md5sum -t ./rootedFirmwareImage.tar >> ./rootedFirmwareImage.tar (note that it is md5sum, not tar -t, which would only list the archive contents; Odin reads the appended md5sum line when it verifies the file)
  4. Rename the tar file to tar.md5: mv ./rootedFirmwareImage.tar ./rootedFirmwareImage.tar.md5
  5. Flash the device using Odin:
    1. Turn off phone
    2. Hold home and vol-down and press power
    3. Press vol-up to continue (if prompted)
    4. Run Odin on a Windows PC
      • Select the AP button
      • Select the tar.md5 file
      • Select Start once Odin has successfully calculated the MD5
      • Exit when flashing has completed
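
The repackaging steps above (remove the mount point, tar the images, append the MD5 line, rename to .tar.md5) as an added shell example; this is my code, not code from the gist. It also checks a .tar.md5 the way Odin does, so a bad build, or a firmware download that was altered in transit, is caught before anything is flashed. It assumes GNU coreutils (md5sum, head -c, tr) and a tar that can write to stdout; the function names make_tar_md5 and verify_tar_md5 are mine.

```shell
#!/bin/sh
# Added example (not from the original gist): build an Odin-style .tar.md5
# from a directory of partition images, and check one before flashing.
# Assumes GNU coreutils (md5sum, head -c, tr) and a tar that writes to stdout.
set -eu

# make_tar_md5 <image-dir> <out.tar.md5>
# Archives the files in <image-dir> (top level only; Odin rejects a tarball
# that contains a directory), then appends the md5sum line of the tar, which
# is what Odin checks when it "calculates the MD5" before flashing.
make_tar_md5() {
    imgdir=$1
    out=$2
    case $out in
        *.tar.md5) ;;
        *) echo "make_tar_md5: output name must end in .tar.md5" >&2; return 1 ;;
    esac
    # A leftover mount point (./mnt from the loop mount) would land in the
    # archive; refuse instead of producing a file Odin will not flash.
    for entry in "$imgdir"/*; do
        if [ -d "$entry" ]; then
            echo "make_tar_md5: $entry is a directory; unmount and remove it first" >&2
            return 1
        fi
    done
    tarfile=${out%.md5}
    ( cd "$imgdir" && tar cf - -- * ) > "$tarfile"
    # The digest covers the tar as it is BEFORE the line is appended, and the
    # line names the .tar, exactly as `md5sum -t x.tar >> x.tar; mv x.tar x.tar.md5`.
    ( cd "$(dirname "$tarfile")" && md5sum "$(basename "$tarfile")" ) >> "$tarfile"
    mv "$tarfile" "$out"
}

# verify_tar_md5 <file.tar.md5>
# Recomputes the digest over everything except the trailing md5 line and
# compares it with the stored value. Returns 0 on match, 1 otherwise.
verify_tar_md5() {
    f=$1
    total=$(wc -c < "$f")
    # A tar ends in NUL padding, so drop NULs from the tail before reading the
    # last text line (the md5 line itself never contains a NUL).
    line=$(tail -c 512 "$f" | tr -d '\000' | tail -n 1)
    linelen=$(( ${#line} + 1 ))      # + the newline md5sum wrote
    expected=${line%% *}
    actual=$(head -c $(( total - linelen )) "$f" | md5sum)
    actual=${actual%% *}
    [ "$expected" = "$actual" ]
}
```

Run make_tar_md5 ./extracted ./rootedFirmwareImage.tar.md5 from the directory above the extracted images (after sudo umount ./mnt), then verify_tar_md5 ./rootedFirmwareImage.tar.md5 before handing the file to Odin. A stale mnt directory makes the build refuse rather than produce an archive Odin would reject at the AP step. If you only want to replace rootfs, heimdall flash --ROOTFS rootfs.img from the Heimdall section takes the raw image and needs no tarball at all.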

Accessing root

  1. You can run su from within a shell terminal on the device
  2. If you want to be root as soon as connecting to the shell, switch root mode on using sdb root on

Back to contents

File System Analysis

Because Tizen uses SMACK (a mandatory access control LSM), the Linux file-system permissions alone do not tell you which users/processes can access a given file: even if the DAC bits allow it, the access is denied unless a SMACK rule (or one of the kernel's built-in label exceptions) grants the process's label access to the file's label. As a result, when performing file-system analysis on Tizen devices, you need to examine both the normal Linux permissions (using ls -l, for example) and the SMACK labels on the file/directory.

To check the SMACK label on a file or directory, you can do either of:

ls -Z <file>
chsmack <file>

To check the SMACK label on a process, you can run

ps -Z

To see what your current SMACK label is, you can run:

id -Z

To change your current SMACK label (as root) you can run:

echo <new-label> > /proc/self/attr/current

Back to contents

Logs

Logs can be viewed using the dlogutil executable on the device, or using sdb dlog. Either accepts params to filter the logs you wish to see, similar to logcat for Android. You can use :I for info, :D for debug, etc. You can also specify an application filter. For example, to view the logs for MyApp with level debug or greater:

dlogutil example

$ sdb shell
sh-3.2$ dlogutil MyApp:D
arc = 2, optind = 1 ,Kb 0, rotate 4
D/MyApp( 3833): jsonutilities::getJsonObject
D/MyApp( 3833): jsonutilities::getJsonObject
D/MyApp( 3833): jsonutilities::getJsonObject

sdb dlog example

$ sdb dlog 'MyApp:D'
arc = 2, optind = 1 ,Kb 0, rotate 4
D/MyApp( 3833): jsonutilities::getJsonObject
D/MyApp( 3833): jsonutilities::getJsonObject
D/MyApp( 3833): jsonutilities::getJsonObject

To dump the logs to a file, pass -d (dump the current buffer and exit) together with -f and a file name on the device. Then you can extract the file using sdb pull.

Back to contents

Packet Capture

Once you've enabled developer mode, a settings option named Run DumpState will be available.

  1. Click Run DumpState.
  2. Click TCPdump : Click to START.
    • The pcap file name is presented in a pop-up window, but it flashes too fast to be useful. Files are stored in /opt/usr/data/network/tcpdump-<YYYY>.<MM>.<DD>-<HH>_<MM>_<SS>.pcap (for example, tcpdump-2017.08.11-23_19_06.pcap)
  3. To turn off tcp dump, go back into Run DumpState and select TCPdump : Click to STOP.
  4. Use sdb pull /opt/usr/data/network/<filename> to extract the file from the device
    • You may need to review the SMACK label on the file, and the label your sdb shell comes in under, and adjust one of them. For example, on the Z2 the SDB shell runs under label sdbd, but the TCPDump files need testuser access; as root you can relabel the file (chsmack -a <label> <file>) or switch your own label via /proc/self/attr/current, as described under File System Analysis, and then pull it.
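
Both of the points above, that the DAC bits do not answer "can this label read that file" (File System Analysis) and that an sdb shell under label sdbd may be unable to read a tcpdump file (Packet Capture), come down to the same SMACK decision. The following added example, mine and not from the gist, re-implements that decision in POSIX shell so you can ask it from inside sdb shell before a pull fails: it applies the kernel's built-in label rules (star, web, floor, hat, same label) and then looks the subject/object pair up in the loaded rule set. Assumptions: the rule set is read from /sys/fs/smackfs/load2 (older kernels mount smackfs at /smack; the path is a parameter), the function names smack_may and smack_can_i are mine, and the rule lines used when testing it are constructed.

```shell
#!/bin/sh
# Added example (not from the original gist): answer "can label S do <mode>
# to label O?" the way the SMACK LSM does, from inside sdb shell.
# Assumption: loaded rules are exposed at /sys/fs/smackfs/load2 (older
# kernels mount smackfs at /smack); pass the path as the 4th argument if
# yours differs.  Rule lines look like "subject object rwxatl".

# smack_may <subject-label> <object-label> <mode> [rules-file]
# <mode> is a string of SMACK access letters (r w x a t l).
# Returns 0 if the access would be permitted, 1 if it would be denied.
smack_may() {
    subj=$1 obj=$2 req=$3 rules=${4:-/sys/fs/smackfs/load2}

    # Built-in decisions, in the order the kernel applies them.
    [ "$subj" = '*' ] && return 1          # a "*" subject can access nothing
    [ "$subj" = '@' ] && return 0          # the web label is unrestricted...
    [ "$obj" = '@' ] && return 0           # ...in both directions
    [ "$obj" = '*' ] && return 0           # a "*" object is open to everyone
    [ "$subj" = "$obj" ] && return 0       # same label: always allowed

    # hat subject "^" and floor object "_" only cover read/execute, or a
    # bare lock request; any write-ish bit still needs a rule.
    case $req in
        [rx]|[rx][rx]|l)
            [ "$obj" = '_' ] && return 0
            [ "$subj" = '^' ] && return 0 ;;
    esac

    # Otherwise an explicit rule must grant every requested letter.
    allowed=$(awk -v s="$subj" -v o="$obj" '$1 == s && $2 == o { print $3 }' "$rules")
    [ -z "$allowed" ] && return 1
    while [ -n "$req" ]; do
        c=${req%"${req#?}"}               # first character of $req
        req=${req#?}
        case $allowed in
            *"$c"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# smack_can_i <file> <mode>
# Device-only wrapper: takes the shell's own label from
# /proc/self/attr/current and the file's access label from chsmack, whose
# output has the form: <path> access="<label>" [execute="..."] [...].
smack_can_i() {
    me=$(cat /proc/self/attr/current)
    label=$(chsmack "$1" | sed -n 's/.*access="\([^"]*\)".*/\1/p')
    smack_may "$me" "$label" "$2"
}
```

Inside sdb shell: smack_can_i /opt/usr/data/network/tcpdump-2017.08.11-23_19_06.pcap r. A non-zero result means the pull would be refused; either relabel the file as root (chsmack -a <your-label> <file>) or switch your own label through /proc/self/attr/current, then sdb pull it. smack_may also takes a rule file pulled from the device (the /etc/smack/accesses.d fragments use the same three-column format), so the same check can be run offline against a mounted rootfs.img.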

Back to contents

Tizen Package Management

There are several types of packages on Tizen:

  1. wgt - Tizen web applications
  2. tpk - Tizen native applications
  3. rpm - Linux native applications ported to Tizen

Likewise, there are several tools that you can use to manage packages on a Tizen device:

  1. pkginfo - lets you manage tpk and wgt packages
  2. rpm - lets you manage rpm packages
  3. pkgcmd - lets you manage any type of package

To use any of these, connect to the device using sdb shell

PKGINFO

  1. To get the list of all packages: pkginfo --listpkg
  2. To list all the apps: pkginfo --listapp
  3. To get information on a specific app: pkginfo --app <appId>, or on the package that provides it: pkginfo --pkg <packageId>

Examples:

Obtain a list of all Appids on the device

sh-3.2# pkginfo --listapp |grep Appid |sort -n
Appid: 57r43275q7.osp-connectivity-service
Appid: 9XMcawW2yL.MyGalaxy
Appid: EmbkcJFK7q.MMS
Appid: EmbkcJFK7q.MMSBootService
Appid: EmbkcJFK7q.MMSLauncher
Appid: EznIfUm2IW.ClubSamsung
Appid: FwqPsztuFz.ESPNCricInfo
Appid: Ynaz8RbwZd.NewsHunt
...
Appid: srfxzv8GKR.YouTube
Appid: ug-bluetooth-efl
Appid: ug-bluetooth-efl-single
Appid: ug-setting-find-my-mobile-efl
Appid: wallpaper-viewer-efl
Appid: wifi-efl-ug-lite
Appid: worldclock-efl

Get info about the ESPN CricInfo app

sh-3.2# pkginfo --app FwqPsztuFz.ESPNCricInfo
Locale is en_GB.UTF-8
---------   Info of Ui-Apps   ---------
Appid: FwqPsztuFz.ESPNCricInfo
Package: FwqPsztuFz
Exec: /opt/usr/apps/FwqPsztuFz/bin/FwqPsztuFz.ESPNCricInfo
Apptype: webapp
Appcomp: uiapp
Pkgtype: wgt
Icon: /opt/usr/apps/FwqPsztuFz/shared/res/FwqPsztuFz.ESPNCricInfo.png
Label: ESPN Cricinfo
Effectimage-Type: image
component: uiapp
Autorestart: 0
Onboot: 0
Enabled: 1
Preload: 1
Nodisplay: 0
System: 0
Support-Disable: 0
Installed-Time: 1502473099
BG-category value : enable
spend time for pkginfo is [16]ms

Get info on the package that provides the ESPN CricInfo app

sh-3.2# pkginfo --pkg FwqPsztuFz
Locale is en_GB.UTF-8
Get Pkg Info Called [FwqPsztuFz]
Type: wgt
Version: 1.0.2
Install Location: 1
Icon: /opt/usr/apps/FwqPsztuFz/shared/res/FwqPsztuFz.ESPNCricInfo.png
Label: ESPN Cricinfo
Description:
Author Name:
Author Email:
Author Href:
root_path : /opt/usr/apps/FwqPsztuFz
mainappid : FwqPsztuFz.ESPNCricInfo
Install time: 1502473099
Removable: 1
Preload: 1
Readonly: 0
update: 1
system: 0
Support-Disable: 0
spend time for pkginfo is [14]ms

RPM

Standard RPM techniques work here: rpm, rpmquery, etc. There's also a specific uninstall script on some devices at /usr/bin/uninstall_rpm_package.sh

PKGCMD

  1. List all packages on the device: pkgcmd -l
  2. See if apps associated with a given package are running: pkgcmd -C -n <packageId>
  3. Kill running apps associated with a given package: pkgcmd -k -n <packageId>
  4. Install a package: pkgcmd -i -t <type> -p <path-to-package>
  5. Uninstall a package: pkgcmd -u -n <packageId>
  6. Move a package: pkgcmd -m -T <type> -n <packageId>
    (valid move types are: '0' = move to internal, '1' = move to external)

Examples:

Obtain a list of all packages installed on a device

sh-3.2# pkgcmd -l
...
pkg_type [rpm]	pkgid [com.samsung.mdm-syspopup]	name [MDM System Popup]	version [1.0.2]
pkg_type [wgt]	pkgid [sEvhOLMlQ7]	name [Hungama]	version [0.0.15]
pkg_type [tpk]	pkgid [sjjevolsjk]	name [Native Privileged API Service]	version [1.0.0]
pkg_type [tpk]	pkgid [57r43275q7]	name [Native Network Service]	version [1.0.0]
pkg_type [wgt]	pkgid [srfxzv8GKR]	name [YouTube]	version [1.0.4]
...

See if the TizenStore app is running

sh-3.2# pkgcmd -C -n org.tizen.tizenstore
Pkgid: org.tizen.tizenstore is Running
spend time for pkgcmd is [292]ms

Back to contents

@dyno679

dyno679 commented Dec 23, 2018

How to root the Samsung Z2? Can I use a VPN on a Samsung Z2 mobile? Please help me.

@codemanfreecodes

Should I do "Flash the modified rootfs.img using Heimdall" and "Repackage the modified rootfs.img into an Odin flashable tarball"?
