Android

Thursday, September 21. 2017

Adding a custom CA to your android phone

Another simple post this time. I updated my phone again with LineageOS (I was waiting if any release other than nightly was to be available, but the blueborne exploit convinced me to move now) and, again, I spent some time trying to install a custom certificate in the phone. The procedure is explained in this article in detail and it works like a charm for me.

To install your CA certificate you need to obtain a hash of the certificate because android expects the file to be called using this hash (this point was crucial and I had no idea about it before). So first you obtain your PEM and get the hash with the following command:
```
openssl x509 -inform PEM -subject_hash_old -in calocal.crt | head -1
xxxxxxxx
```
Once you have the certificate and the hash you just need to install it with the following name /system/etc/security/cacerts/xxxxxxxx.0 and the same permissions than the other CAs. Remember that the /system file system is read-only by default and you need su to do the complete process. So you have to go to Settings → Developer Options → Root Access and include ADB to it.
```
$ adb shell
 daemon not running. starting it now on port 5037 
 daemon started successfully 
$ su
# mount -o remount,rw /system
# cp /sdcard/Downloads/calocal.crt /system/etc/security/cacerts/xxxxxxxx.0
# chmod 644 /system/etc/security/cacerts/xxxxxxxx.0
# mount -o remount,ro /system
```
And reboot your phone. You can check that your local CA now should be listed in Settings → Security → Trusted Credentials in the System tab.

Following the procedure all my synchronizations started to work again against my personal nextcloud and runalyze servers. It's incredible that such an old phone is still maintained by lineage and now running android 7.1.2 with the September security patches from google. I have to say that my requirements for the phone are very slight.

Good job lineage team!

Posted by rickyepoderi in Android, Me at 18:32 | Comments (0)

Sunday, September 11. 2016

OpenWeatherMapProvider for cyanogenmod 13

Today a very quick entry is presented. I have just upgraded my old Moto G (1st generation) to the quite recent cyanogenmod 13 version (based on Android 6.0.1). (As a personal comment I want to say that projects like this give a much better support than any vendor, hardware or telco. And I think exactly the same for any other hardware device, I mean, OpenWRT for routers, Debian or any other linux distro for PCs, and so on. I consider preferable to choose a device due to the correct support of cyanogenmod -or any of the commented projects- than due to pure technical specs.) My phone is now at marshmallow level and I see no drawbacks for the moment.

The only little snag is that I usually configure the weather forecast in the clock widget and it seems that the new version has changed how the weather widget works. Now the weather information is retrieved from plug&play providers that can use different on-line services (Yahoo!, OpenWeatherMap,...). But, by default, there is no provider installed in cyanogenmod 13, the list is empty. Two providers can be installed using Google Play (Yahoo! and one provided by the cyanogenmod itself, although the latter is not available in Spain). Nevertheless this is meaningless, I do not have or use Google Play, and, besides, I always configure OpenWeatherMap in my desktop and laptop, so I prefer that provider. Browsing some time, I finally found a github project in the cyanogenmod repository which seemed promising. The code was almost complete and functional (at least for me), so I decided to try. And it surprisingly works.

Today's entry is just the summary of the steps to compile the project (just in case I see newer commits).

Clone the repo locally and jump into it.


git clone https://github.com/CyanogenMod/android_packages_apps_OpenWeatherMapProvider.git
cd android_packages_apps_OpenWeatherMapProvider

Prepare the environment.

First an environmental variable is used to specify where the android SDK is installed in my laptop.
```
export ANDROID_HOME=/home/ricky/android-sdk-linux
```
Then I needed to update the SDK to install build-tools 23.0.2 (the project is configured to use that version). Execute android update and select that bundle to be installed.
```
${ANDROID_HOME}/tools/android update sdk 
```
Finally I had some problems with two libraries (Invalid package reference in library XXXX) and I needed to explicitly ignore the problem (I saw the solution in other project).
```
diff --git a/app/build.gradle b/app/build.gradle
index 73b7b87..31ea494 100644
--- a/app/build.gradle
+++ b/app/build.gradle
@@ -21,6 +21,10 @@ android {
         exclude 'META-INF/LICENSE.txt'
         exclude 'META-INF/NOTICE.txt'
     }
+
+    lintOptions {
+      ignore 'InvalidPackage'
+    }
 }
```
Compile your own gradle for the project and build it.
```
./gradlew
./gradlew build
```
Finally an APK file is generated in app/build/outputs/apk/app-debug.apk you can install into your phone.

That's all. Now I have a OpenWeatherMap provider in my new and bright cyanogenmod 13 and the widget seems perfectly OK. The provider is easy to configure (you just need the OpenWeatherMap key) and then the weather widget works exactly like in the previous versions (same options). Finally my phone is feature complete with the new cyanogenmod.

Regards!

Posted by rickyepoderi in Android at 17:29 | Comments (3)

Friday, August 22. 2014

Cyanogenmod and Owncloud

Another personal entry this time. I have re-newed my old Samsung Galaxy Y Duos and, after a long period of doubts, I decided to buy a Moto G dual SIM (XT1033). It is (I think) the only dual SIM device that is supported by cyanogenmod. I really did not want to carry two phones again, and having a more friendly and trustworthy android was also a must. So this entry has two sections, the first one describes the installation of cyanogenmod in my new device (basically following the cyanogenmod installation instructions), and the second part is the installation of owncloud in my PC server in order to sync contacts, calendar and files against my own server.

Cyanogenmod installation on XT1033

As I commented the installation is easy and I just followed the steps provided by the cyanogenmod procedure. I am going to add some little details of my particular environment (debian laptop, so on and so forth). During this process the device should be connected to the PC using the USB cable.

The installation needs the android tools in order to flash the device. So installing some packages is necessary.
```
# apt-get install android-tools-adb android-tools-fastboot
```
USB debugging should be activated in order accept tools commands. First you have to activate developer options, Settings → About Phone, Click several times in Build Number until a popup appears explaining you are now a developer. Then go to the new Developer Options menu and check USB Debugging on. Please see this video for a detailed explanation of the process.

This step should be repeated if the USB debugging comes disabled back again.

When USB debugging is activated, reboot the device to bootloader (in my laptop I had to be root).

# adb reboot bootloader

And now the device should appear under the fastboot.

# fastboot devices
XXXXXXXXXX	fastboot

The XT1033 needs to be unlocked in order to install another Operating System. In this point the unlock data is requested to the phone.

# fastboot oem get_unlock_data
...
(bootloader) XXXXXXXXXXXXXXXX#XXXXXXXXXXXXXX
(bootloader) XXXXXXXXXXXXXXXXXXXXXXXXXX#XXXX
(bootloader) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(bootloader) XXXXX#XXXXXXXXXXXXXXXXXXXXXXXXX
(bootloader) XXXXXXX
OKAY [  0.158s]
finished. total time: 0.158s

With the unlock data obtained we need to access to the motorola site and request the unlock key for the device. You have to follow the instructions displayed in the page step by step (the information provided by the previous command should be submitted). Finally a key (a string of numbers and characters) is obtained and the device can be finally unlocked with it.
```
# fastboot oem unlock XXXXXXXXXXXXXXXXXXXX
...
(bootloader) Unlock code = XXXXXXXXXXXXXXXXXXXX

(bootloader) Unlock completed! Wait to reboot

FAILED (status read failed (No such device))
finished. total time: 28.321s
```
Although the previous command said that it failed, the device booted again and was ready to the installation of the recovery.

Please take in mind that you are unlocking the device. When you do that the startup process show a beautiful warning boot screen noticing this new situation (I suppose the unlocked logo can be changed but I have no problem with it). There are some penalties unlocking your device, among them, your device will not be covered by the motorola warranty anymore (read this entry for a more detailed explanation). But, for me, cyanogenmod is worth the risk.
Download the recovery image for falcon (Moto G codename in cyanogenmod). It seems the last one right now is 6.0.4.7.
```
# wget http://loki.rombitch.com/Devs/Dhacker29/MotoG/CWM-swipe-6.0.4.7-falcon.img
```
And again, going to bootloader, flash the recovery image.
```
# adb reboot bootloader
# fastboot devices
XXXXXXXXXX	fastboot
# fastboot flash recovery CWM-swipe-6.0.4.7-falcon.img
target reported max download size of 536870912 bytes
sending 'recovery' (9954 KB)...
OKAY [  0.336s]
writing 'recovery'...
OKAY [  0.394s]
finished. total time: 0.730s
```
The phone reboots again and now the recovery menu should be started (hold Volume Down & Power simultaneously at startup). In this menu you move up and down using volume up and down buttons, and power button selects the option.
At this point download the image of cyanogenmod for falcon. I finally decided to install last snapshop M6 (it seems that this device has some problems with audio and data right now and has lost the track of the last stable releases, currently cyanogenmod is at M9 snapshot release).
```
# wget http://download.cyanogenmod.org/get/jenkins/67673/cm-11-20140504-SNAPSHOT-M6-falcon.zip
```
Backup your current stock ROM. In the recovery menu select backup and restore and there backup to /sdcard. It generates a backup with the current date and time (format YYYY-MM-DD.hh.mm.ss).
Then go back and select wipe data/factory reset.
I decided to use the sideload option for the flashing. Select Install zip → Install zip from sideload... The device waits for the zip file to be sent. Execute the following adb command to send the cyanogenmod ROM to the device.
```
# adb sideload cm-11-20140504-SNAPSHOT-M6-falcon.zip
sending: 'cm-11-20140504-SNAPSHOT-M6-falcon.zip'  100% 
```
When the progress bar finishes you can go back and select reboot system now. Finally cyanogenmod 11M6 was installed in my device.

Synchronizing your phone with owncloud

The second part of the entry is about owncloud. This software is a PHP application that handles calDAV (protocol to manage calendar events over HTTP), cardDAV (contacts) and general webDAV (common files) in order to synchronize device data against your own server. I had read a nice entry about this application long time ago and I decided it was the perfect time to start using my own server to store contacts, calendar events, photos,... If you do not know me, until now I simply do not synchronize anything (I just backup things manually from time to time). So this second part of the entry explains how owncloud was configured in my desktop PC (obviously a debian testing box) and which applications were installed in the device to synch my data. For the server part I followed the procedure explained in the sharadchhetri.com blog, although I did a more specific setup.

First it is important that your desktop has a fixed IP address (do not use DHCP). This way the software will be always available in the same IP and your device will contact to the owncloud server with no issues. In my case this step was already done (my server IP is 192.168.1.2 and is named venom.local).
Now the required software is installed (owncloud is a free software so it is available in the debian repositories).
```
# apt-get install owncloud mysql-server
```
Owncloud needs a database (I decided to continue using MySQL) and requires a lot of depending software (PHP, Apache,...) which is installed as dependencies.

Now the database and the user for the application are created.

$ mysql -u root -p
...
mysql> create database owncloud;
mysql> create user 'ownclouduser'@'localhost' IDENTIFIED BY 'XXXXXXXX';
mysql> grant all on owncloud.* to 'ownclouduser'@'localhost';

Add your local IP and hostname to the trusted domains configuration (file /etc/owncloud/config.php). In my case the trusted_domain section was like this.
```
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.169.1.2'
    2 => 'venom.local',
  ),
```
With this modifications the owncloud server is ready to roll. Restart your apache server.
```
# /etc/init.d/apache2 restart
```

Now it is time to Access to your owncloud server (URL http://localhost/owncloud/) and configure it. The information needed by the software is almost nothing: administrator account, file system to store files (change it if needed) and the database access information. The following image is the information I entered.
I decided to use owncloud using HTTPS (you will not believe how difficult is this simple task, but not because of the server but because of the android device). After some different tries I finally created a CA certificate and another certificate for the web server (signed by the CA). All the files are going to reside in the /etc/ssl directory of my desktop machine.

Prepare the environment for the CA:
```
# cd /etc/ssl
# mkdir -p demoCA/newcerts
# touch demoCA/index.txt
# echo 01 > demoCA/crlnumber
# echo 01 > demoCA/serial
```
Create the real certificate for the CA:
```
# openssl req -subj "/C=ES/ST=Madrid/O=Home/CN=ca.local" -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem
# openssl ca -out cacert.pem -days 10000 -keyfile private/cakey.pem -selfsign -extensions v3_ca -infiles careq.pem
# openssl x509 -in cacert.pem -outform DER -out cacert.der
# openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey private/cakey.pem
```
With the created CA the certificate for my host was generated:
```
# openssl genrsa -out private/venom.local.pem 2048
# openssl req -subj "/C=ES/ST=Madrid/O=Home/CN=venom.local" -key private/venom.local.pem -new -out venom.local.req
# openssl ca -in venom.local.req -days 9999 -extensions usr_cert -cert cacert.pem -keyfile private/cakey.pem -out venom.local.pem
```
After that, the HTTPS virtual host should be added in the apache server (a default-ssl is ready to be enabled by default in debian).
```
# a2enmod ssl
# a2ensite default-ssl
```
Finally modify the site configuration to properly link to the created key and certificate pair (modify the following properties in the ssl virtual-host file /etc/apache2/sites-enabled/default-ssl.conf).
```
SSLCertificateFile      /etc/ssl/venom.local.pem
SSLCertificateKeyFile   /etc/ssl/private/venom.local.pem
SSLCertificateChainFile /etc/ssl/cacert.pem
```
Restart again the web server and check with a browser that owncloud is working with the new HTTPS port and certificate (now access the URL https://localhost/owncloud/, the typical warning message about a non-trusted certificate should be displayed).
Once the software is running the well-known address should be defined. These URLs are just redirections to the proper URL where calDAV and cardDAV protocols are available. In the case of apache just enable the mod_alias module (if it was not enabled before).
```
# a2enmod alias
```
And create to permanent redirections, from the well known address to the correct owncloud ones (you have to define these two lines inside the ssl virtual-host configuration too, /etc/apache2/sites-enabled/default-ssl.conf).
```
Redirect permanent /.well-known/caldav  https://venom.local/owncloud/remote.php/caldav/
Redirect permanent /.well-known/carddav  https://venom.local/owncloud/remote.php/carddav/
```
Check with any browser that, if you access to any of the well-known address, the browser is redirected to the owncloud services for calDAV and cardDAV respectively.
Finally I installed an extra application to owncloud (a notes application that will be used to synchronize my notes) which does not come with the default debian package. The installation is very easy.
```
# git clone https://github.com/owncloud/notes.git
# cp -r notes /usr/share/owncloud/apps/
```
After restarting the server a new notes application is displayed in the left menu.
Now everything is working in the server side (it would have been better to use any other non-admin user, but it is late for that) and you just need to install some applications in your device. All of them are open source and available through FDroid. In my case I decided to use the following apps:
- DAVdroid: An application which provides a synch account for calendar and contacts. It is just managed as any other account in your device. For configuring it, the well-known address are needed.
- MyOwnNotes: A little notes application which also synchronizes them to the extension installed previously in the owncloud server.
- owncloud: The application provided by the server company which let you upload and download files into the server (dropbox style). The application does not synch anything for the moment (it seems that FolderSync application does it, but it is not open source, so it is not in FDroid, so it is not an option for me), but owncloud guys are working in this feature, let's see what happens.
The configuration of the different applications works smoothly but only if you have done two little things previously (I spent a whole morning with these two little issues): the web server hostname (venom.local in my case) must be resolved by the device and the certificate CA should be a trusted one. I am going to try to explain how I did it, but I spent so much time and did so many things that I am not completely sure if the following steps are complete (I must say that android is very, very annoying, this tasks are absolutely simple for any other Operating System).

The first thing is just adding the fixed IP of my PC inside the hosts file (any *nix system uses a hosts file). The problem seems to be that the /system/etc/hosts file is mounted in a read-only file system. after reading this thread the solution was clear. Using the Terminal Emulator application I executed the following (when doing the su command the terminal requests access to root, so you need a rooted device).
```
$ su
# mount -o rw,remount /system
```
And now using the File Manager application the damned line is added to the /system/etc/hosts file (rebooting the device the FS is read-only again).
```
127.0.0.1 localhost
192.168.1.2 venom.local venom
```
The certificate issue, once you know how to do it, is also an easy task. You can follow one of the several pages that explain the installation of a custom CA certificate in the device (for example this one explained by people of MyOwnNotes). The CA ceriticate in DER mode is needed (cacert.der file created before), please, if you follow the previous procedure, download the CA certificate, not the certificate of the server. Once the process is done, you can check if the CA cert is correctly installed just accessing to your server (the device browser should not show the typical security warning). It worked for me but it has two annoying side-effects: first, in order to import a custom cert you need to establish a screen lock method (password, pattern, pin or whatever, which I do not use); second, a horrible warning is permanently displayed in the phone (your network could be monitored or something similar). Finally I discovered in a forum entry that you can move the imported cert from the user directory to the system default one (it is good to be rooted). So the file under /data/misc/keychain/cacerts-added/ was moved to /system/etc/security/cacerts/ and then the user certificate store cleared (this way the annoying warning disappears too).

With both steps completed all the commented applications were configured smoothly against the owncloud server.

This time the entry is again for my own use. I wanted to respect my privacy (avoiding internet repositories) but not to continue living in the Pleistocene epoch (as I commented, I did not use those features before). So after reading the bytopia post about owncloud I decided that this software could be a perfect local repository for me. The time came when I re-newed my phone device to a new one, that is why this entry has two parts: cyanogenmod installation on Moto G XT1033 and owncloud configuration. Awfully owncloud configuration with a non rooted device is much more difficult and I am not sure if it would be possible without important drawbacks. Using a dynamic dns and maintaining your server constantly running the device could contact and synchronize against your server anytime and anywhere (but I do not recommend it, please do not waste resources uselessly). Obviously a hosted machine, if you have one, is even a better approach. So the summary is that now I have a dual sim phone with cyanogenmod 11 (no google apps, no accounts, no nothing), and my calendar, contacts, notes and files can be synchronized against my own desktop machine as soon as I arrive home and switch it on. Absolutely perfect!

Regards!

Posted by rickyepoderi in Android, Me at 22:43 | Comments (3)

(Page 1 of 1, totaling 3 entries)