Awesome Android eXtreme Hacking. Part III. What a Shell!



NOTE
This article has already been moved to our new blog. Please update any link to this post, as it will be removed in the future. The post is available at the link below:

http://papermint-designs.com/dmo-blog/2016-04-awesome-android-extreme-hacking--part-iii--what-a-shell

So, you have noticed that we are using the shell a lot. If you are used to working on a standard UNIX shell, you have also noticed that the Android command line is really limited. Well, somehow, that makes sense for a consumer electronics device like a phone. Most users won't ever notice. However, we, the chosen wannabes, really want a more powerful shell on our phone... Such a thing is possible and it is called Busybox.

Busybox (http://www.busybox.net/) is an open source project that provides a pretty decent set of standard command line tools targeting embedded systems. In other words, keeping them small and simple.

So... that is what we actually need. To get the thing on your phone you can just go to the Android Market and install it. The drawback of doing that is that... installing an application from the Android Market is not really awesome. Besides, you need a rooted device. So what we are going to do is build our own Busybox. We will soon see that doing this has some extra advantages.

Let's start. The first thing we need is a new toolchain. Apparently it is possible to recompile Busybox using the Android NDK. I quickly tried the obvious things and it just didn't work for me, so I decided to go for a different toolchain... after all, in a couple of issues of AAXH we will be using a different toolchain. Anyway, feel free to try it yourself, but it won't actually give you any advantage.

That said, let's get the latest Linaro toolchain. We are using the one optimized for Cortex A-X... which is pretty much a baseline for recent systems. Go to this page (https://www.linaro.org/downloads/) and scroll down. Yes, it is not straightforward to find what you need on that site.

You can try something more specific if you have some special HW, or fall back to a more generic toolchain. For the purpose of recompiling Busybox, it does not make much difference which toolchain you use.

As we did with the NDK thingy, just download the Linaro toolchain and unzip it somewhere. Then update your path to point to the bin directory within the toolchain package and you are done.

Good! Now we are midway through the process. It is time to download Busybox (http://www.busybox.net/). At the time of this writing we got version 1.23 from the official site. Download, uncompress and change to the newly created directory. Now it is time to configure Busybox. Just type

~aaxh $ make menuconfig

A nice configuration interface (similar to the one used by the Linux kernel) is presented to you, in order to tweak Busybox to the edge. OK, you may do that later. For starters, let's change the bare minimum. Go into Busybox Settings ► Build Options ► and check the first option (Build BusyBox as a static binary), then set your cross compiler prefix. For the current Linaro Cortex A-optimized toolchain, the prefix is:

arm-linux-gnueabihf-

In case you are using a different toolchain, check the right prefix for your tools and enter that. That's it. Select exit as many times as needed until you are asked if you want to save your new configuration. Say yes and you are done. Time to type...

make

And after a while you will get a nice static binary in the project top directory (that is, the directory where you currently are) :). Now you can go and test our new shell thingy.

NOTE: You can get a pre-compiled version of busybox on our TOOLS site (http://papermint-designs.com/tools/)

First let's move the binary onto our phone and, right after, let's log into the phone's shell.

~aaxh $ adb push busybox /data/local/tmp
~aaxh $ adb shell
phone:/ $ cd /data/local/tmp
Now we have to install busybox. For the time being we will install it under tmp, instead of doing a system wide installation. Basically, you need root access to do that... and we are not there yet.
phone:/data/local/tmp $ chmod 777 busybox
phone:/data/local/tmp $ mkdir bb
phone:/data/local/tmp $ ./busybox --install ./bb
phone:/data/local/tmp $ export PATH=/data/local/tmp/bb:$PATH
The first command might not be needed... but it won't hurt anyway. After running the commands above you will get a bunch of new tools as well as a nice colorized ls... just try ls to see what I mean. Now it is time for awesomeness.

Run a webserver to access your photos and movies

Yes! Busybox comes with a basic HTTP server. Actually it is not that basic: it can run CGIs. The main issue here is that we can only run scripts stored on tmp... so we have to do a bit of filesystem gymnastics. Usually photos and videos get stored at /sdcard/DCIM/Camera. We cannot run our CGI scripts there (because of the Android permissions; you need root access to change that), and CGI scripts have to be stored under the HTTP server home directory (the root directory for our HTML files). So we do something like this:
phone:/data/local/tmp $ mkdir cgi-bin
phone:/data/local/tmp $ ln -s /sdcard/DCIM/Camera ./share
phone:/data/local/tmp $ httpd -p 8800 -h ./    
phone:/data/local/tmp $ cd cgi-bin
phone:/data/local/tmp/cgi-bin $
Now we just write a simple CGI shell script to list the content of the directory as a set of HTML links. Something like this:
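#!/data/local/tmp/bb/sh
# CGI header: the content type, then the blank line that ends the headers
echo "Content-type: text/html"
echo ""
echo "<h1>Easy File Transfer</h1>"
echo ""
echo ""

BASE_DIR="/data/local/tmp"
SHARE_DIR="/share"
TARGET_FOLDER="$BASE_DIR$SHARE_DIR"

# Use a glob instead of parsing ls, so names with spaces stay in one piece
for f in "$TARGET_FOLDER"/*
do
	[ -e "$f" ] || continue   # empty directory: the pattern matched nothing
	i=${f##*/}                # file name without the directory part
	echo "<a href=\"$SHARE_DIR/$i\">$i</a> <br>"
done

echo ""
echo ""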
Let's call the script "files". Now we can just point our browser to the phone and download the files with a simple click:

http://phone_ip:8800/cgi-bin/files

Pretty awesome... uhm! What about downloading all the pictures at once to your PC?... No cables. No special SW. No problem.

wget -m http://phone_ip:8800/cgi-bin/files

That is pretty awesome... but what about sharing between phones with the people around you? Yes, wget is also part of Busybox. Unfortunately the -m option is not there... No problem, we can just write a small CGI that downloads the list from a server (which should be a script parameter) and then gets the images one by one using wget... OK, this one we leave up to you to have some fun.
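
One way to do the one-by-one download, as an added example that is not part of the original article. It is written as a plain script taking the peer address as an argument rather than as a CGI, and it assumes the listing format printed by the "files" script above; the function names and the sample listing are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): pull every file a peer
# publishes through the "files" CGI above, one wget call per file.
# Assumes the listing format that script prints: <a href="/share/NAME">.

# Constructed sample listing; the last three links are ones to refuse.
SAMPLE='<h1>Easy File Transfer</h1>
<a href="/share/IMG_0001.jpg">IMG_0001.jpg</a> <br>
<a href="/share/VID_0002.mp4">VID_0002.mp4</a> <br>
<a href="/share/../../data/local/tmp/bb/ls">x</a> <br>
<a href="/share/.profile">y</a> <br>
<a href="http://other.example/z.jpg">z</a> <br>'

# Read a listing on stdin, print the acceptable file names one per line.
# The peer controls this text, so only plain names directly under /share/
# pass: no "/", no leading ".", nothing outside [A-Za-z0-9._-].
list_names() {
    tr '>' '\n' |
    sed -n 's|.*<a href="/share/\([^"]*\)"$|\1|p' |
    grep -E '^[A-Za-z0-9_][A-Za-z0-9._-]*$' || true
}

# fetch_all PEER DEST, e.g. fetch_all 192.168.1.20:8800 /data/local/tmp/in
fetch_all() {
    peer=$1
    dest=$2
    mkdir -p "$dest" || return 1
    wget -q -O - "http://$peer/cgi-bin/files" | list_names |
    while read -r name; do
        # Never overwrite something that is already there.
        [ -e "$dest/$name" ] && continue
        wget -q -O "$dest/$name" "http://$peer/share/$name" ||
            echo "failed: $name" >&2
    done
}

if [ "$#" -eq 2 ]; then
    fetch_all "$1" "$2"
fi
```

Names with spaces or other characters outside the allowlist are skipped rather than fetched; loosen the grep pattern only if you also URL-encode the name before passing it to wget.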

CAUTION: You should not expose your files like this if you want to keep them private. In the real world you should enable some access control on the server. Just use this as a temporary emergency transfer fallback. Check the busybox documentation about httpd configuration to know what is possible without installing a different server. You have been warned.

Well, that's it for now. If you want to keep playing and keep doing awesome stuff, these are some programs that might be of interest:
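
A minimal access-control setup for the Busybox httpd, as an added example that is not part of the original article. It uses the A:/D: address rules and the /path:user:password line of Busybox's httpd.conf together with the -c and -r options, which must be enabled in your Busybox build; the function names, address prefix, user name and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). The address prefix, user
# and password passed in are placeholders to be chosen by the reader.

# write_httpd_conf FILE PREFIX USER PASS
# Writes a Busybox httpd.conf that
#   - accepts only clients whose address starts with PREFIX (A: rule),
#   - denies everybody else (D:*),
#   - asks for a login on every URL, including /share and /cgi-bin.
write_httpd_conf() {
    conf=$1 prefix=$2 user=$3 pass=$4
    # PREFIX is something like 192.168.1. or 10.0.0.0/25
    case $prefix in ''|*[!0-9./]*) return 1 ;; esac
    # A ':' in the user name would shift the fields of the auth line.
    case $user in ''|*:*) return 1 ;; esac
    [ -n "$pass" ] || return 1
    (
        umask 077    # the file holds a password: readable by owner only
        cat > "$conf" <<EOF
A:$prefix
D:*
/:$user:$pass
EOF
    )
}

# start_httpd FILE
# Same port and home directory as in the article, plus the config file.
# -r sets the realm text shown in the browser's login box.
start_httpd() {
    httpd -p 8800 -h /data/local/tmp -c "$1" -r "Easy File Transfer"
}

# On the phone:
#   write_httpd_conf /data/local/tmp/httpd.conf 192.168.1. USER PASSWORD &&
#   start_httpd /data/local/tmp/httpd.conf
#
# Basic auth over plain HTTP is not encrypted: this keeps casual clients on
# the same network out, it does not protect against someone sniffing traffic.
```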
  • ether-wake. Send a magic packet to wake up sleeping machines.
  • ftpd/ftpget/ftpput. FTP stuff (an alternative to HTTP to transfer files)
  • dd. Device Dump
  • nc. Netcat... hours of fun!
And many more. Some might require root in order to access some files, but most of the standard utilities should just work.

So this is it for now. Happy Hacking
Awesome Wells