Now that we've got a working kernel build system and have included the necessary NFC drivers, we need to verify that the chip is activating properly. dmesg isn't returning any indicators; however, I'm only able to capture it about 20s from the start of it logging. NFC could be working in kernelspace, or it could not. We'll see in time. I'll keep trying to get an earlier dmesg. A PINOUT BOARD WOULD BE VERY USEFUL FOR THIS. Please see the end of this post.
We've begun work on the system ROM. All the appropriate files have been located; we're just in the process of adding/modifying them. The system has been deodexed, and afaik will probably stay that way for the foreseeable future, until I can figure out how to odex it all again. If anyone knows how to do that, lemme know.
Our biggest obstacle for now is signature verification. When installing system apps, the system checks the certs of the APK files to make sure they're signed with the same keys the build was signed with. We haven't tried anything, but unless Quanta was REALLY dumb and signed their builds with public testkeys, we can't sign the files ourselves. This usually isn't an issue with Android ROMs, because Android is open-source and can be built by anyone... but Wear OS is closed-source. I've reached out to others asking how to get around this, and for now, I've found two solutions, and they're both bad.
1. Disable signature verification. This is a system-wide change and affects user apps as well. It's very insecure and very bad, but I don't think people sideload a bunch of apps to Wear OS anyways. What's the security issue? A developer can modify a regular package with malicious code and convince a user to install it as an update. If I'm right, we COULD release a zip that re-enables signature verification after first boot.
2. CVE-2017-13156 is a vulnerability that can bypass signature verification. Using a vuln like this is not much better than disabling signature verification, because... we really need to update our kernel anyways. It's from 2017. No bueno.
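As an added example (not code from this project), the Python check below looks at an APK from the defender's side of both options: it reports whether the file carries the APK Signing Block used by signature scheme v2 and later, which covers the whole file, and whether it begins with a DEX header, the file shape CVE-2017-13156 depends on. The function names and the sample archives are constructed for illustration, and no signature is actually verified.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                   # every DEX file starts with these bytes
EOCD_SIG = b"PK\x05\x06"               # ZIP end-of-central-directory record
SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of a v2/v3 APK Signing Block


def inspect_apk(data: bytes) -> dict:
    """Return signing-scheme and DEX-prefix indicators for raw APK bytes."""
    # The EOCD is the last record, followed only by a comment of <= 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no ZIP end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    if cd_offset + cd_size > eocd:
        raise ValueError("central directory overlaps EOCD")
    # A v2/v3 signing block, if present, ends right before the central directory.
    has_block = cd_offset >= 16 and data[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC
    dex_prefix = data.startswith(DEX_MAGIC)
    if dex_prefix:
        verdict = "reject: DEX header in front of ZIP data (CVE-2017-13156 shape)"
    elif has_block:
        verdict = "v2+ signing block present (signature not verified here)"
    else:
        verdict = "review: no v2+ block, only per-entry JAR (v1) signing can apply"
    return {"dex_prefix": dex_prefix, "has_signing_block": has_block, "verdict": verdict}


def build_sample(prefix: bytes = b"", signing_block: bool = False) -> bytes:
    """Constructed input: a one-entry ZIP, optionally prefixed or given an empty block."""
    buf = io.BytesIO(prefix)
    with zipfile.ZipFile(buf, "a") as z:  # "a" appends a ZIP after the prefix
        z.writestr("AndroidManifest.xml", b"constructed")
    data = buf.getvalue()
    if signing_block:
        eocd = data.rfind(EOCD_SIG)
        cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
        block = struct.pack("<QQ", 24, 24) + SIG_BLOCK_MAGIC  # block with no entries
        data = (data[:cd_offset] + block + data[cd_offset:eocd + 16]
                + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:])
    return data


if __name__ == "__main__":
    for blob in (build_sample(), build_sample(signing_block=True),
                 build_sample(prefix=DEX_MAGIC + b"035\x00")):
        print(inspect_apk(blob)["verdict"])
```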
--------------------------------------------------------------------------------------------------------------------------
End notes:
1. I STILL NEED A PINOUT BOARD. I am willing to pay $20CA for a board, plus a pinout cable. I am also selling a few pinout cables for $5CA each. Please contact me if you are willing to sell me your pinout board.
2. Join our Discord for more constant updates: https://discord.gg/8XyTeUC