1. dukzcry's Avatar
    Here's my discoveries. I hope that someone will find them helpful. They all function without developer mode

    1) Tired of having your phone connected to a computer and running blackberry-connect just to ssh to it? Well, we can start an unprivileged ssh server right from the phone app (like Term48 terminal), here's how.
    Upload clitools to the phone and unpack it under documents folder. From terminal app set you environment by issuing . /accounts/1000/shared/documents/clitools/env.sh and start ssh daemon by /accounts/1000/shared/documents/clitools/bin/sshd -Dd. If keys are not set, you'll give instructions on how to set them. If everything works then just omit "-Dd" argument next time you want to start server.

    2) Need GCC and other bootstrap parts? Now self-hosting is possible! Build your posix programs right on the phone
    Most kudos for this work should go to Todd Mortimer for his playbook-dev-tools!
    You should unpack an archive and set the environment like described in 1) point. Next, you're good to go: gcc g++ binutils coreutils diffutils grep make patch gzip bzip2 bison gettext findutils groff man file tmux fakeroot are at your service.
    Attention if you need working gcc: copy target_10_3_1_995 directory from Momentics to the clitools dir on a phone. This is needed because BlackBerry strictly forbids us to distribute necessary headers and libraries
    3) Running binaries stored on sd card. Unfortunately, BB10 mounts cards formatted only to fat or exfat filesystems, which don't support posix permissions. Even though the files with .exe and some other extensions will get proper execution permissions representation, you still will not able to run them So we must unroll a solution like this. Here it is:
    Code:
    #!/bin/sh
    
    relapath=$1
    
    [ "$relapath" != "" ] || exit 1
    [ -f $relapath ] && [ -r $relapath ] || { $relapath; exit 1; }
    
    shmempath=/dev/shmem`fullpath $relapath`
    
    cp $relapath $shmempath
    chmod u+x $shmempath
    shift
    $shmempath "$@"
    res=$?
    rm $shmempath
    return $res
    Now you can easily run such binary by issuing ld.so /accounts/1000/removable/sdcard/binary. Don't forget to add the script to the $PATH.

    Tech info: If you're interested in doing the same in C, here's the code sample: https://groups.google.com/forum/mess...o/6JQtqmpHSsQJ You'll need to use exec*() with full path to the object, as BB10 doesn't have fexecve().

    4) Using an embedded web server. You may've seen the nginx server by the /bin/nginx path in the base of BlackBerry OS. Well, nothing prevents you from using it for an own tasks. Here's the simple config:
    Code:
    #daemon off;
    
    error_log /dev/null;
    
    events {
            worker_connections 10;
    }
    
    http {
            access_log /tmp/access.log;
    
            server {
                    listen 8080;
            }
    
            root /accounts/1000/removable/sdcard;
            autoindex on;
    }
    After you put it by /accounts/devuser/nginx/conf/nginx.conf you may start the server as following: nginx -p /accounts/devuser/nginx. Sure you'll need to create the folder hierarchy and fix permissions if nginx complains. That's all, you may visit your site at http://:8080
    Last edited by dukzcry; 11-16-15 at 01:18 AM.
    09-24-14 08:09 AM
  2. dukzcry's Avatar
    Ported fakeroot with some adjustments made. See examples section on what it does: fakeroot. You can emulate any given user by setting few environment variables (see clitools/env.sh in archive from opening post). It's especially useful to simulate a user, presenting in a passwd file, for example devuser, so the software looking for information like a name of the user or it's home directory will work. The current most useful usage scenario is a package manager utilization from the phone app, like terminal; or via aforementioned unprivileged ssh.
    And source code is here: https://github.com/repos-holder/bb10-fakeroot
    Last edited by dukzcry; 07-30-15 at 09:10 AM.
    09-28-14 11:43 AM
  3. gnasher666's Avatar
    I'm not a hacker or even close to being able to find out what you have but one question, any chance it runs the bash shell or could we get it on to see if the environment variable vulnerability is usable?

    Posted via CB10
    09-28-14 03:09 PM
  4. Richard Buckley's Avatar
    I'm not a hacker or even close to being able to find out what you have but one question, any chance it runs the bash shell or could we get it on to see if the environment variable vulnerability is usable?

    Posted via CB10
    You can't use the environment variable "vulnerability" directly. You have to exploit an application that allows an un-trusted source to set an environment variable, then sometime later execute bash.

    So, for example if you built an Apache web server and a "vulnerable" version of Bash, you, could stand up a vulnerable web server on a non - trusted port, 8080 for example. You would have to implement a CGI script that didn't use PHP, Pearl maybe. Someone exploiting the server could access the device as the developer. But the services on the device are not going to start using Bash just because it is there, so installing a "vulnerable" version of Bash wouldn't make the device vulnerable.

    Posted via CB10
    09-28-14 05:14 PM
  5. gariac's Avatar
    Any chance we can run mono on bb10?



    Posted via CB10
    09-28-14 09:10 PM
  6. dukzcry's Avatar
    I'm not a hacker or even close to being able to find out what you have but one question
    It's the hacks in it's traditional mean, more like tricks. The most important of them allows one to do ssh connection to her device all without need of having developer mode enabled, phone sticked to the computer via usb and running blackberry-connect utility.
    As for toolchain, for user it means that http://forums.crackberry.com/develop...-10-os-857820/ is now theoretically possible to use.

    As for your question, Richard made a great answer
    Any chance we can run mono on bb10?
    Looks like we can: burningsoda.com ? software
    Last edited by dukzcry; 07-30-15 at 09:56 AM.
    09-28-14 10:35 PM
  7. gg bb's Avatar
    I'm not a hacker or even close to being able to find out what you have but one question, any chance it runs the bash shell or could we get it on to see if the environment variable vulnerability is usable?

    Posted via CB10
    There's no bash or bsh on BB10 only ksh, the exploit cannot be used to root a phone or change Bb10 native code.

    OP,

    All very good stuff, Appreciated

    Posted via CB10
    Last edited by gg bb; 09-30-14 at 04:40 PM.
    09-30-14 04:30 PM
  8. vader42's Avatar
    Thanks! Installed the tools, and compiled the obligatory hello world (edited on my z10 with vi on bgshellplus). Worked a treat! Now I can have some fun. Thanks for your efforts, much appreciated
    10-02-14 10:45 PM
  9. xsacha's Avatar
    Just a note that I made an app about 2-3 years ago, PlaybookConnect, which technically should still work.
    It does everything described in OP automatically and then pops open the ssh window on your computer for you.
    10-05-14 11:21 PM
  10. dukzcry's Avatar
    Good to know. So, with your solution - pros: works over wifi without usb connection needed, gives a full user; cons: a platform-depended app which one needs to have running to keep connection, right?
    Anyway, i hope that other things i've posted, exactly toolchain, fakeroot and pkgsrc will have a value.

    upd: I've tried your program (latest version of dingleberry too). Unfortunately it doesn't connect to BB10 phone neither over wifi, nor via usb.
    Last edited by dukzcry; 02-09-15 at 08:53 AM.
    10-05-14 11:28 PM
  11. xsacha's Avatar
    I've tried your program. Unfortunately it doesn't connect to BB10 phone neither over wifi, nor via usb.
    You might want to try the latest version of Dingleberry, which had PlaybookConnect embedded in it.

    Yes, it is platform-dependent but it is available for any platform (much like bash).

    I removed the feature from Sachesi as it was not a popular option. However, all the code for opening the ssh connection is still inside Sachesi.
    10-09-14 06:06 AM
  12. djbclark's Avatar
    Xsacha, do you think you'll get around to doing this? No pressure but I was thinking of playing with shell scripts and ansible (the configuration management tool) to do at least the after-you-set-up-so-you-can-ssh config, but if you're going to update your software to just do it all soon I'd put my energies elsewhere.

    Posted via CB10
    12-03-14 03:28 PM
  13. djbclark's Avatar
    Yeah I've already set it up so it works once (and thanks for the directions! :-), it's not hard, but it is quite annoying, esp. when repeated across several devices / clean installs / etc.

    Also, I'm slower than you.

    And it's less that it would take me time (what I'm talking about will clearly take more of my time, although I'll probably have more fun during that time), and more that I think if it was super-trivial to do it might be more widely done, which might lead to more interest in the command line / terminal / QNX / POSIX / *NIX aspect of the nature of the BlackBerry 10 devices, esp. amongst GNU/Linux power users.
    12-03-14 03:54 PM
  14. djbclark's Avatar
    This is the "cheat sheet" I've been using. There are three things that have never worked for me:

    1. Running the sshd start script; I have to run sshd directly.
    2. Full terminal control - just text input a line at a time (e.g. less, vi aren't usable)
    3. Privilege separation - need to run with "-o UsePrivilegeSeparation=no"


    I thought those were just platform limitations having to do with number of / forked processes and permissions on terminal devices, but it looks like others have at least (1) working?

    Probably just doing one silly thing that causes all three symptoms...


    Code:
    Cut and paste this to text editor. Make sure all environment variables are
    set to legitimate values. Then cut and paste a line at a time.
    
    #### Local Machine - Terminal Window 1
    # Momentics IDE needs to be installed. Put your BlackBerry in dev mode.
    # Use Momentics to create and install debug token. Find location of
    # blackberry-connect file.
    BBCONNECT="/Applications/Momentics.app/host_10_3_1_12/darwin/x86/usr/bin/blackberry-connect"
    DEVIP="10.0.0.10"
    PASS="yourpass"
    SSHPUB="~/.ssh/id_rsa.pub"
    $BBCONNECT $DEVIP -password $PASS -sshPublicKey $SSHPUB
    
    #### Local Machine - Terminal Window 2
    SSHDIR="$HOME/.ssh" # Directory with id_rsa and id_rsa.pub you want to use
    BBHOST="10.0.0.10" # IP Address of your BlackBerry Device
    scp $SSHDIR/id_rsa devuser@$BBHOST:/accounts/devuser/.ssh/
    scp $SSHDIR/id_rsa.pub devuser@$BBHOST:/accounts/devuser/.ssh/
    # Download http://bit.do/bb10-fakeroot via GUI web browser
    # cd to the directory of the download
    scp bb10-fakeroot.tar.zip devuser@$BBHOST:/accounts/devuser
    ssh devuser@$BBHOST
    
    #### BlackBerry 10 Device (via ssh from Terminal Window 2)
    #### Set up file and directories for sshd
    BBGROUP="1000" # 1000 or 1000_shared
    chgrp $BBGROUP /accounts/devuser
    chmod +s,g+w /accounts/devuser
    umask 002
    # vi /accounts/devuser/.profile # ADD "umask 002" LINE TO ".profile"
    chgrp $BBGROUP /accounts/devuser/.ssh
    chmod +s,g+rxw /accounts/devuser/.ssh
    cp /accounts/devuser/.ssh/id_rsa.pub /accounts/devuser/.ssh/authorized_keys
    chmod 664 /accounts/devuser/.ssh/authorized_keys
    chmod 640 /accounts/devuser/.ssh/id_rsa
    chgrp $BBGROUP /accounts/devuser/.ssh/id_rsa*
    chmod g-w /accounts/devuser/.ssh # IMPORTANT - MUST HAPPEN BEFORE LOGOUT
    cd /accounts/devuser
    mkdir tools
    mv bb10-fakeroot.tar.zip tools
    cd tools
    unzip bb10-fakeroot.tar.zip
    tar xvf bb10-fakeroot.tar
    mv fakeroot/* .
    rm -R fakeroot
    cd /accounts/devuser
    cat tools/env-fakeroot.sh >> .profile
    
    #### BlackBerry 10 Device (from an app on device itself)
    cd $HOME
    ln -s /accounts/devuser/.profile . 
    /accounts/devuser/tools/bin/fakeroot
    /usr/sbin/sshd -f /dev/null -o Port=2022 -o HostKey=/accounts/devuser/.ssh/id_rsa -o PasswordAuthentication=no -o StrictModes=no -o UsePrivilegeSeparation=no -Dd
    12-10-14 01:48 PM
  15. dukzcry's Avatar
    2. These require TERM=ansi to be set. It's by default with stock .profile.

    P.S.: mkdir ~/bin; ln -s /path/to/util ~/bin; echo "export PATH=~/bin:$PATH" >> ~/.profile is a good way to reduce typing on a phone, so one can run apps like sshd without providing paths to them.
    Last edited by dukzcry; 04-22-15 at 02:51 AM.
    12-12-14 12:52 AM
  16. dukzcry's Avatar
    Updates on this project (if anyone still cares):
    1. compiler set is now bundled with all useful libraries you may need and rare "undefined reference to __sync*" errors when compiling huge c++ projects are fixed; toolchain repo got merged with main one https://github.com/mordak/playbook-dev-tools and here's where development happens. Thanks Todd aka mordak much for taking over this and polishing everything even more!
    2. we don't depend on the embedded sshd anymore and build a full openssh (both clients and servers) from playbook-dev-tools instead. The new ssh server setup is a semi-automatic process requiring just few steps to be done from you
    3. Mordak built an alpha package of tmux (gnu screen alternative) for us. Currently it's a bit tricky to use it on the phone (but good via ssh from computer!), since it's not always draws correctly on the display. Here's an explanation from developer:
    tmux needs $TERM to be screen (or some derivative of screen). The BB10 terminfo db (/usr/lib/terminfo) doesn’t include screen, so any curses based program will complain about unknown terminal type inside tmux. I’m looking into including a private terminfo or something that will set things up correctly.
    4. Developer mode is no more needed to setup any of the tools. And /accounts/devuser is not used by anything to make everyone's life easy.
    Last edited by dukzcry; 05-13-15 at 04:22 AM.
    BallRockReaper likes this.
    04-27-15 08:28 AM
  17. tollfeeder's Avatar
    Just wanted to say thank you for this. Keep up the good work! It's fun to have GCC on device albeit CONFIGURE being slooow.

    Via Pasta CB10
    04-27-15 08:32 AM
  18. dukzcry's Avatar
    albeit CONFIGURE being slooow.
    Yup, performance is not good. Looks like not something that's possible to overcome, unless someone jailbreak BB10
    04-28-15 02:06 AM
  19. LazyTabbyCat's Avatar
    Thanks a lot for great work. I'm not quite familiar with UNIX-like systems so my question can be looking ridiculous. OS creates an ext2 partition on sdcard, so it supports not only FAT. I've tried to mount non-FAT external hard disk drive via terminal emulator, but this needs superuser permissions. The only way I can see is using fakeroot because it looks impossible to get real root password. But there are some issues:
    1. The NDK doesn't work on my computer.
    2. Clitools link doesn't work now.
    What should I do?
    02-23-17 03:34 AM
  20. excelangue's Avatar
    Here is a prebuilt pbhome.zip: https://github.com/excelangue/nano-j...tag/v2.8.5-pre.

    And I've compiled a custom version of GNU nano for easier keyboard-based cursor movement:
    https://github.com/excelangue/nano-j.../v2.8.5-jump-1
    Last edited by excelangue; 07-18-17 at 12:14 PM. Reason: Update release
    tollfeeder and dpgo like this.
    07-03-17 06:34 PM
  21. berradicted_fr's Avatar
    Hi,

    I have successfully compiled perl-5.14.4, rsync-3.1.3, gnutls-3.3.29, automake-1.16, autoconf-2.69, bash-4.2.0, ftp, lua for 10.3.2 ..

    I see the directory /accounts/1000/shared/documents/clitools/packages that contains already some zip for make, patch, diffutils, coreutils, gzip, bzip2, bison, gettext, findutils, groff, man, file, openssh, gcc ..

    Did someone already setup a bb10 package repository that we would use to distribute binary packages for bb10 ?

    If not, are there anyone interested in this project ?

    Best Regards,

    Olivier K
    dpgo likes this.
    03-01-18 04:48 AM
  22. berradicted_fr's Avatar
    Just wanted to say thank you for this. Keep up the good work! It's fun to have GCC on device albeit CONFIGURE being slooow.

    Via Pasta CB10
    Sometimes ./configure is slow due to PATH .. maybe try to remove unused/too long path or re-order so that most frequently used tools come first ? also, I think original mksh from Term48 *might* be quite slow .. so would be intersting to compile, for example, bash, with gcc -O3 flag and maybe an alternate libc instead of glibc ???
    03-01-18 08:35 AM
  23. berradicted_fr's Avatar
    There's no bash or bsh on BB10 only ksh, the exploit cannot be used to root a phone or change Bb10 native code.

    OP,

    All very good stuff, Appreciated

    Posted via CB10
    Hi,

    I have compiled bash successfully, If you need I may send you the .zip file . It's been compiled with gcc-4.6.3 on 10.3.2 . I think this should work on 10.3.3 as well.
    03-01-18 02:51 PM
  24. berradicted_fr's Avatar
    Woow, thank you very much for the sdcard exec trick.. indeed my sdcard light speedy fast compared to passport SE onboard mem.. wondering if the mem might have some hardware issue..
    03-16-18 11:16 AM
  25. Rajusa24's Avatar
    Hi,

    I have successfully compiled perl-5.14.4, rsync-3.1.3, gnutls-3.3.29, automake-1.16, autoconf-2.69, bash-4.2.0, ftp, lua for 10.3.2 ..

    I see the directory /accounts/1000/shared/documents/clitools/packages that contains already some zip for make, patch, diffutils, coreutils, gzip, bzip2, bison, gettext, findutils, groff, man, file, openssh, gcc ..

    Did someone already setup a bb10 package repository that we would use to distribute binary packages for bb10 ?

    If not, are there anyone interested in this project ?

    Best Regards,

    Olivier K
    What is this actually for. What are the advantages of

    Posted via CB10
    03-28-18 05:25 AM
48 12

Similar Threads

  1. When is it 3.0 time for us on VZW?
    By kennyg17 in forum General Carrier Discussion
    Replies: 14
    Last Post: 10-17-14, 10:58 AM
  2. What processor does the BlackBerry Q5 have?
    By Martyn136 in forum BlackBerry Q5
    Replies: 1
    Last Post: 09-26-14, 07:12 AM
  3. Blackberry Live Event discussion
    By Joao Oliveira in forum General BlackBerry News, Discussion & Rumors
    Replies: 107
    Last Post: 09-25-14, 01:19 PM
  4. Lets wait for the FINAL details for BlackBerry passport
    By Jonard Bais in forum BlackBerry Passport
    Replies: 1
    Last Post: 09-24-14, 11:56 AM
LINK TO POST COPIED TO CLIPBOARD