Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rooting Your Device

Mingshen Sun
October 19, 2015

Rooting Your Device

About rooting on Android.

Mingshen Sun

October 19, 2015
Tweet

More Decks by Mingshen Sun

Other Decks in Research

Transcript

  1. ANSR Lab Group Study
    Roo ng Your Device
    Bob Mingshen Sun
    September 14, 2015

    View full-size slide

  2. Outline
    1 What?
    2 Why?
    3 How?
    4 HOW???!!!
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 4 / 54

    View full-size slide

  3. What?
    rooting
    the process of gaining super user privileges on an Anroid device
    super user account is called root
    has rights and permissions over all files and programs on a
    UNIX-based system
    full control over the operating system
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 5 / 54

    View full-size slide

  4. Why?
    access or alter system files to change a hard-coded
    configuration or behavior
    modify the look and feel with custom themes or boot
    animations
    uninstall pre-installed applications, system backups and
    restores
    root apps: iptables-based firewalls, ad-blockers, overclocking
    audit the security of an Android device without being confined
    by UNIX permissions
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 6 / 54

    View full-size slide

  5. Why? — Examples
    Advanced Power Menu+ (APM+)
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 7 / 54

    View full-size slide

  6. Why? — Examples
    Fake address of Wechat’s “Moments”.
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 8 / 54

    View full-size slide

  7. Why? — Examples
    Xblast
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 9 / 54

    View full-size slide

  8. Why? — Examples
    Xblast
    You can choose your favorite color for your Clock with out
    modifying APK files
    You can add custom text along with the clock, which will be
    displayed in status bar and notification bar
    You can add color to Date field in notification bar...
    You can choose your favorite font for clock & Date field in
    status bar & notification bar...
    You can add your favorite fonts into your /sdcard/fonts/ folder,
    it will be listed in the app
    You can add bar code fonts for clock & Date field in status bar
    & notification bar..
    You can add shadow and color for clock and custom text as you
    like
    You can choose any color for status bar...
    You can make full transparent for notification
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 10 / 54

    View full-size slide

  9. Why? — Examples
    iPhone Jailbreak
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 11 / 54

    View full-size slide

  10. Why not?
    compromise the security protection
    all user data is exposed to applications that have been granted
    proot premissions
    extract all data from the device
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 12 / 54

    View full-size slide

  11. How?
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 13 / 54

    View full-size slide

  12. How?
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 14 / 54

    View full-size slide

  13. HOW???!!! — SU
    https://github.com/ChainsDD/su-binary/blob/master/su.c
    static void allow(const struct su_context *ctx)
    {
    // ...
    if (seteuid(0)) {
    PLOGE("seteuid (root)");
    exit(EXIT_FAILURE);
    }
    populate_environment(ctx);
    if (setresgid(ctx->to.uid, ctx->to.uid, ctx->to.uid)) {
    PLOGE("setresgid (%u)", ctx->to.uid);
    exit(EXIT_FAILURE);
    }
    if (setresuid(ctx->to.uid, ctx->to.uid, ctx->to.uid)) {
    PLOGE("setresuid (%u)", ctx->to.uid);
    exit(EXIT_FAILURE);
    }
    // ...
    execv(ctx->to.shell, ctx->to.argv + argc);
    }
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 15 / 54

    View full-size slide

  14. HOW???!!! — Objec ve
    Copy su binary into /system/bin or
    /system/xbin directory.
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 16 / 54

    View full-size slide

  15. Understanding the Par on Layout
    boot loader: boot loader program, initialize the hardware,
    boot the kernel
    splash: first splash screen
    boot: boot image, Linux kernel (zImage) system the root file
    system ram disk (initrd)
    recovery: minimal Android boot image
    system: /system, framework, libraries, binaries, pre-installed
    applications
    userdata: /data, app data, pictures, videos
    cache
    radio
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 17 / 54

    View full-size slide

  16. Understanding the Boot Process
    boot loader
    manufacturer’s proprietary code
    takes care of low-level hardware initialization (clocks, RAM,
    media)
    provides support for loading recovery images
    putting the phone into download mode
    Android kernel
    memory, I/O, memory protections, interrupt handlers, the CPU
    scheduler, device drivers, and finally mounts the root file
    system and starts the first user-space process init
    init.rc
    start some core Android services such as rild for telephony
    and mtpd for VPN access
    Zygote, Dalvik VM and System Server
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 18 / 54

    View full-size slide

  17. Accessing Download Mode
    download mode enables the user to update the persistent
    storage at a low level
    flashing process
    via fastboot protocol, a proprietary protocol, or both
    these protocols facilitate executing various tasks including
    fashing NAND partitions, rebooting the device, downloading
    and executing an alternate kernel image, etc
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 19 / 54

    View full-size slide

  18. Locked and Unlocked Boot Loaders
    locked boot loaders
    prevent the end user from performing modifications to the
    device’s firmware
    unlocked boot loaders
    custom kernel, recovery image, or operating system image
    official mechanism in place that enables owners to unlock
    fastboot oem unlock
    HTC
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 20 / 54

    View full-size slide

  19. Locked and Unlocked Boot Loaders
    security implications
    all data on a device can be recovered by an attacker
    uploading a custom Android boot image or flashing a custom
    recovery image
    Google accounts, documents, contacts, passwords
    factory data reset
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 21 / 54

    View full-size slide

  20. Stock and Custom Recovery Images
    recovery system allows software updates to replace the
    entirety of the system software preinstalled on the device
    without wiping user data
    used to apply updates downloaded manually or Over-the-Air
    (OTA)
    ClockworkMode recovery or TeamWin Recovery Project (TWRP)
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 22 / 54

    View full-size slide

  21. Roo ng with an Unlocked Boot Loader
    1 unlock boot loader
    2 use fastboot to flash customized recovery
    3 use coustomized recovery to patch an su into /system/bin
    directory
    Chainfire SuperSU recovery
    provides a graphical prompt each time an application requests
    root access
    manage which applications or users should be granted root
    access automatically
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 23 / 54

    View full-size slide

  22. Chainfire SuperSU
    cat META-INF/com/google/android/update-binary
    ui_print "- Mounting /system, /data and rootfs"
    mount /system
    mount /data
    mount -o rw,remount /system # <<-----------------
    mount -o rw,remount /system /system
    mount -o rw,remount /
    mount -o rw,remount / /
    ui_print "- Placing files"
    mkdir /system/bin/.ext
    set_perm 0 0 0777 /system/bin/.ext
    cp_perm 0 0 $SUMOD $BIN/su /system/bin/.ext/.su
    cp_perm 0 0 $SUMOD $BIN/su /system/xbin/su # <<-----------------
    cp_perm 0 0 0755 $BIN/su /system/xbin/daemonsu
    if ($SUGOTE); then
    cp_perm 0 0 0755 $BIN/su /system/xbin/sugote u:object_r:zygote_exec:s0
    cp_perm 0 0 0755 $MKSH /system/xbin/sugote-mksh
    fi
    if ($SUPOLICY); then
    cp_perm 0 0 0755 $BIN/supolicy /system/xbin/supolicy
    cp_perm 0 0 0644 $BIN/libsupol.so $SYSTEMLIB/libsupol.so
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 24 / 54

    View full-size slide

  23. Roo ng with a Locked Boot Loader
    Gaining root on a booted system
    soft root
    get a root shell through an unpatched security flaw
    vulnerability in the Android kernel
    vulnerability of a process running as root
    vulnerable program with the set-uid
    a symbolic link attack against a file permission bug
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 25 / 54

    View full-size slide

  24. A acks
    Kernel: Wunderbar/asroot
    Recovery: Volez
    Udev: Exploid
    Adbd: RageAgainstTheCage
    Zygote: Zimperlinch and Zysploit
    Ashmem: KillingInTheNameOf and psneuter
    Vold: GingerBreak
    PowerVR: levitator
    Libsysutils: zergRush
    Kernel: mempodroid
    File Permission and Symbolic Link-related attack
    Adb restore race condition
    Exynos4: exxynos-abuse
    Diag: lit/diaggetroot
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 26 / 54

    View full-size slide

  25. BOB WARNING
    Pay attention. The following content may contain a lot of vulnerable
    C/C++ code. You may write these vulnerable code in the future. The
    vulernabilities may cause a considerable damage, even affact the
    national security.

    View full-size slide

  26. Kernel
    int socket(int domain, int type, int protocol);
    The domain argument specifies a communication domain; this selects
    the protocol family which will be used for communication. These
    families are defined in . The currently understood
    formats include:
    Name Purpose Man page
    AF_UNIX, AF_LOCAL Local communication unix(7)
    AF_INET IPv4 Internet protocols ip(7)
    AF_INET6 IPv6 Internet protocols ipv6(7)
    AF_IPX IPX - Novell protocols
    AF_NETLINK Kernel user interface device netlink(7)
    AF_X25 ITU-T X.25 / ISO-8208 protocol x25(7)
    AF_AX25 Amateur radio AX.25 protocol
    AF_ATMPVC Access to raw ATM PVCs
    AF_APPLETALK AppleTalk ddp(7)
    AF_PACKET Low level packet interface packet(7)
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 28 / 54

    View full-size slide

  27. Kernel
    65 struct socket
    66 {
    67 socket_state state;
    68
    69 unsigned long flags;
    70 struct proto_ops *ops;
    71 struct inode *inode;
    72 struct fasync_struct *fasync_list; /* Asynchronous wake u
    73 struct file *file; /* File back pointer f
    74 struct sock *sk;
    75 wait_queue_head_t wait;
    76
    77 short type;
    78 unsigned char passcred;
    79 };
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 29 / 54

    View full-size slide

  28. Kernel
    87 struct proto_ops {
    88 int family;
    89
    90 int (*release) (struct socket *sock);
    91 int (*bind) (struct socket *sock, struct sockaddr *umyaddr,
    92 int sockaddr_len);
    93 int (*connect) (struct socket *sock, struct sockaddr *uservaddr,
    94 int sockaddr_len, int flags);
    95 int (*socketpair) (struct socket *sock1, struct socket *sock2);
    96 int (*accept) (struct socket *sock, struct socket *newsock,
    97 int flags);
    98 int (*getname) (struct socket *sock, struct sockaddr *uaddr,
    99 int *usockaddr_len, int peer);
    100 unsigned int (*poll) (struct file *file, struct socket *sock, struct poll_table_struct *wait
    101 int (*ioctl) (struct socket *sock, unsigned int cmd,
    102 unsigned long arg);
    103 int (*listen) (struct socket *sock, int len);
    104 int (*shutdown) (struct socket *sock, int flags);
    105 int (*setsockopt) (struct socket *sock, int level, int optname,
    106 char *optval, int optlen);
    107 int (*getsockopt) (struct socket *sock, int level, int optname,
    108 char *optval, int *optlen);
    109 int (*sendmsg) (struct socket *sock, struct msghdr *m, int total_len, struct scm_cooki
    110 int (*recvmsg) (struct socket *sock, struct msghdr *m, int total_len, int flags, struc
    111 int (*mmap) (struct file *file, struct socket *sock, struct vm_area_struct * vma);
    112 ssize_t (*sendpage) (struct socket *sock, struct page *page, int offset, size_t size, int f
    113 };
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 30 / 54

    View full-size slide

  29. Kernel
    sendfile - transfer data between file descriptors
    ssize_t sendfile(int out_fd, int in_fd, off_t *offset, size_t count);
    sendfile() copies data between one file descriptor and another.
    Because this copying is done within the kernel, sendfile() is
    more efficient than the combination of read(2) and write(2),
    which would require transferring data to and from user space
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 31 / 54

    View full-size slide

  30. Kernel
    What goes wrong? Linux NULL pointer dereference due to
    incorrect proto_ops initializations
    static ssize_t sock_sendpage(struct file *file, struct page *page,
    int offset, size_t size, loff_t *ppos, int more)
    {
    struct socket *sock;
    int flags;
    sock = file->private_data;
    flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT;
    if (more)
    flags |= MSG_MORE;
    return sock->ops->sendpage(sock, page, offset, size, flags);
    }
    Could sock->ops->sendpage be NULL?
    Yes. PF__PPPOX, PF__BLUETOOH donot impliment sendpage
    function for their sockets.
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 32 / 54

    View full-size slide

  31. Exploit
    /* ... */
    int fdin = mkstemp(template);
    int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);
    unlink(template);
    ftruncate(fdin, PAGE_SIZE);
    sendfile(fdout, fdin, NULL, PAGE_SIZE);
    /* ... */
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 33 / 54

    View full-size slide

  32. Adbd: RageAgainstTheCage
    take advantage of RLMIT_NPROC max
    a value that defines how many processes a give UID can have
    running
    adb deamon <-> adb server
    /* run under root privileges */
    /* don't listen on a port (default 5037) if running in secure mode */
    /* don't run as root if we are running in secure mode */
    if (secure) {
    ...
    /* then switch user and group to "shell" */
    setuid(AID_SHELL);
    setgid(AID_SHELL);
    ...
    }
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 34 / 54

    View full-size slide

  33. Patch and adb.c

    View full-size slide

  34. Adbd: exploit
    the exploit has to be run throught the ADB shell (under shell
    UID)
    fork processs until the fork call fails (exceed RLIMIT_NPROC)
    kill adbd (restart as root again)
    adbd cannot drop privileges to shell because the process limit
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 36 / 54

    View full-size slide

  35. Vold: GingerBreak
    vold: volume manger daemon
    accept message that are received from a PF_NETLINK socket
    execute aritrary code with root privileges
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 37 / 54

    View full-size slide

  36. void DirectVolume::handlePartitionAdded(const char *devpath,
    NetlinkEvent *evt) {
    int major = atoi(evt->findParam("MAJOR"));
    int minor = atoi(evt->findParam("MINOR"));
    int part_num;
    const char *tmp = evt->findParam("PARTN");
    if (tmp) {
    part_num = atoi(tmp);
    } else {
    SLOGW("Kernel block uevent missing 'PARTN'");
    part_num = 1;
    }
    if (part_num > mDiskNumParts) {
    mDiskNumParts = part_num;
    }
    if (major != mDiskMajor) {
    SLOGE("Partition '%s' has a different major than its disk!", devpa
    return;
    }
    mPartMinors[part_num -1] = minor; // <<----------
    // ...
    }

    View full-size slide

  37. GingerBreak: Exploit
    exploit work across builds without add
    shows how a negative index can be use
    .text
    low
    high
    GOT
    .data −n
    heap
    Figure 8-7: Negative GOT index from the heap
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 39 / 54

    View full-size slide

  38. GingerBreak: Exploit
    overwrite the GOT entry of the strcmp function with the
    address of the system function in libc
    ASLR
    send a NETLINK request
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 40 / 54

    View full-size slide

  39. GingerBreak: Patch
    278 Chapter 8 ■
    Exploiting User Space Software
    proper check for negative indexes. The following output from gi t diff shows
    the relevant change.
    Patch for the Missing Bounds Check in handlePartitionAdded with f3d3ce5
    --- a/DirectVolume.cpp
    +++ b/DirectVolume.cpp
    @@ -186,6 +186,11 @@ void DirectVolume: :handlePart i t ionAdded
    (const char *devpath, Net l inkEvent *evt)
    part_num = 1;
    }
    ↓ The missing bounds checks are added here.
    + if (part_num > MAX_PARTITIONS | | part_num < 1) {
    + SLOGW("Inval id ' PARTN ' value");
    + part_num = 1;
    + }
    +
    if (part_num > mDiskNumParts) {
    mDiskNumParts = part_num;
    }
    This is a classic instance of a write-four primitive. This primitive describes
    the situation where an attacker-controlled 32-bit value is written to an attacker-
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 41 / 54

    View full-size slide

  40. Exynos4: exynos-abuse
    /dev/mem is a character device file that is an image of the main
    memory of the computer. It may be used, for example, to
    examine (and even patch) the system.
    /dev/exynos-mem
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 42 / 54

    View full-size slide

  41. Linux Kernel and Device Driver
    features implemented as modules
    Process
    management
    Memory
    management
    Filesystems Device
    control
    Networking
    Arch-
    dependent
    code
    Memory
    manager
    Character
    devices
    Network
    subsystem
    CPU Memory
    Concurrency,
    multitasking
    Virtual
    memory
    Files and dirs:
    the VFS
    Kernel
    subsystems
    Features
    implemented
    Software
    support
    Hardware
    IF drivers
    Block devices
    File system
    types
    Ttys &
    device access Connectivity
    Disks & CDs Consoles,
    etc.
    Network
    interfaces
    The System Call Interface
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 43 / 54

    View full-size slide

  42. Linux Kernel and Device Driver
    static const struct memdev {
    const char *name;
    mode_t mode;
    const struct file_operations *fops;
    struct backing_dev_info *dev_info;
    } devlist[] = {
    #ifdef CONFIG_DEVMEM
    [1] = { "mem", 0, &mem_fops, &directly_mappable_cdev_bdi },
    #endif
    #ifdef CONFIG_DEVKMEM
    [2] = { "kmem", 0, &kmem_fops, &directly_mappable_cdev_bdi },
    #endif
    [3] = { "null", 0666, &null_fops, NULL },
    #ifdef CONFIG_DEVPORT
    [4] = { "port", 0, &port_fops, NULL },
    #endif
    [5] = { "zero", 0666, &zero_fops, &zero_bdi },
    [7] = { "full", 0666, &full_fops, NULL },
    [8] = { "random", 0666, &random_fops, NULL },
    [9] = { "urandom", 0666, &urandom_fops, NULL },
    [11] = { "kmsg", 0, &kmsg_fops, NULL },
    #ifdef CONFIG_CRASH_DUMP
    [12] = { "oldmem", 0, &oldmem_fops, NULL },
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 44 / 54

    View full-size slide

  43. Exynos4: exynos-abuse
    What goes wrong?
    #ifdef CONFIG_EXYNOS_MEM
    [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH
    | S_IWOTH, &exynos_mem_fops},
    #endif
    rw-rw-r-- for /dev/exynos-mem
    /system/lib/hw/camera.smdk4x12.so
    /system/lib/hw/gralloc.smdk4x12.so
    /system/lib/libhdmi.so
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 45 / 54

    View full-size slide

  44. Exynos4: exynos-abuse
    static const struct file_operations exynos_mem_fops = {
    .open = exynos_mem_open,
    .release = exynos_mem_release,
    .unlocked_ioctl = exynos_mem_ioctl,
    .mmap = exynos_mem_mmap,
    }
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 46 / 54

    View full-size slide

  45. Exynos4: exynos-abuse
    map kernel memory and changes the format string for the
    function handling /proc/kallsyms
    parse /proc/kallsyms to find the address of the function to
    remove permission check and executes the setresuid system
    call in user space
    reverse the changes it made to kernel memory and execute a
    root shell
    a simple patch could be to set permissions to 0660 or 0600
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 47 / 54

    View full-size slide

  46. KeyStore Stack Buffer Overflow
    Figure 1: The KeyStore Service
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 48 / 54

    View full-size slide

  47. static ResponseCode get_key_for_name(KeyStore* keyStore, Blob* keyBlob,
    const Value* keyName,
    const uid_t uid, const BlobType type) {
    char filename[NAME_MAX];
    encode_key_for_uid(filename, uid, keyName);
    ...
    static int encode_key_for_uid(char* out, uid_t uid, const Value* key) {
    int n = snprintf(out, NAME_MAX, "%u_", uid);
    out += n;
    return n + encode_key(out, key);
    }
    static int encode_key(char* out, const Value* key) {
    const uint8_t* in = key->value;
    int length = key->length;
    for (int i = length; i > 0; --i, ++in, ++out) {
    if (*in >= '0' && *in <= '~') {
    *out = *in;
    } else {
    *out = '+' + (*in >> 6);
    *++out = '0' + (*in & 0x3F);
    ++length;
    }
    }
    *out = '\0';

    View full-size slide

  48. KeyStore Exploit
    1 Class keystore = Class.forName (" android.security.KeyStore ");
    2 Method mGetInstance = keystore.getMethod (" getInstance ");
    3 Method mGet = keystore.getMethod ("get", String.class );
    4 Object instance = mGetInstance.invoke(null );inf
    5 mGet.invoke(instance ,
    6 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "+
    7 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "+
    8 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "+
    9 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "+
    10 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "+
    11 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "+
    12 " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ");
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 50 / 54

    View full-size slide

  49. Summary
    sources
    Linux kernel
    Android userspace
    Linux device driver written by SoC venders
    method
    buffer overflow
    integer overflow
    use-after-free vulnerability
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 51 / 54

    View full-size slide

  50. Vulnerability
    Proportion of devices running vulnerable versions of Android
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 52 / 54

    View full-size slide

  51. Adver sing
    Emacs and Spacemacs
    writing code
    version control
    editing LaTeX files
    organizing your life
    managing email
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 53 / 54

    View full-size slide

  52. References
    Android Hacker’s Handbook
    Android Security Internals
    Linux Device Drivers, Third Edition:
    https://lwn.net/Kernel/LDD3/
    Bob Mingshen Sun ANSR Lab Group Study September 14, 2015 54 / 54

    View full-size slide