Run shell command with root permissions from AOSP apk

[anymor1024]

Hello,

I would like to ask for help with get root access for AOSP apk broadcast receiver.

I need receive event for change date/time and I need run my shell command for write system time to hardware RTC.

I have chosen follow principe:
- I wrote Android myBR.apk in AOSP with broadcast receiver for TIME_SET, TIMEZONE_CHANGED
- From myBR.apk I run my shell command (rtcclock -w)
- "rtcclock -w" shell command which is write system time from Android to RTC via /dev/rtc0 -> ioctl( i2c )

My problem is:
==============
I need run shell command rtcclock from AOSP myBR.apk as root.
My all attempts were unsuccessful.
I would like to ask for help from some experts how can I resolve this problem.

Environment info (everything in Android shell terminal)
=======================================================
Android device is not rooted

Permissions for su shell command
$ ls -lZ /system/xbin/su
-rwsr-x--- root shell ubject_r:su_exec:s0 su

SELinux status
$ getenforce
Disabled

Super user information
$ su
# id
uid=0(root) gid=0(root) groups=1007(log)

Android version
$ cat /system/build.prop | grep "ro.build.version.release"
ro.build.version.release=5.1.1

Kernel version
$ cat /proc/version
Linux version 3.4.39 .....

Permissions for rtcclock shell command
$ ls -l /system/bin/rtcclock
-rwxr-xr-x root shell 13672 2017-10-18 09:53 rtcclock

Example for try write system time from Android to RTC as user = shell from
$ rtcclock -w
rtcclock: can't open '/dev/misc/rtc': No such file or directory

Example for try write system time from Android to RTC as user = system
$ su system
$ rtcclock -w
rtcclock: ioctl 0x4024700a failed: Permission denied

Example for try write system time from Android to RTC as user = root
$ su
# rtcclock -w
successfull

My source code:

MyBroadcastReceiver.java
========================
package com.example.mybr;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class MyBroadcastReceiver extends BroadcastReceiver {

private static final String TAG = "MyBroadcastReceiver";

public MyBroadcastReceiver() {
super();
Log.i( TAG, "MyBroadcastReceiver - created" );
}

@override
public void onReceive( Context context, Intent intent )
{
final String intentAction = intent.getAction();
boolean bResult = false;

if( intentAction.equals( Intent.ACTION_TIME_CHANGED ) ||
intentAction.equals( Intent.ACTION_TIMEZONE_CHANGED ) )
{
bResult = runCmd( "sh", "id" );
Log.i( TAG, "bResult = " + bResult );

bResult = runCmd( "su", "id" );
Log.i( TAG, "bResult = " + bResult );

bResult = runCmd( "su", "rtcclock -w" );
Log.i( TAG, "bResult = " + bResult );
}
}

public static boolean runCmd( String...commands )
{
boolean bResult = false;

try
{
Process prcs = Runtime.getRuntime().exec( commands[ 0 ] );
DataOutputStream cmdStream = new DataOutputStream( prcs.getOutputStream() );
DataInputStream resStream = new DataInputStream( prcs.getInputStream() );
DataInputStream errStream = new DataInputStream( prcs.getErrorStream() );

if( cmdStream != null && resStream != null && errStream != null )
{

for( int n = 1; n < commands.length; n++ )
{
Log.d( TAG, "cmd: " + commands[ n ] );
cmdStream.writeBytes( commands[ n ] + "\n" );
cmdStream.flush();

do
{
String outputResult = resStream.readLine();
Log.d( TAG, "cmd result: " + outputResult );
} while( resStream.available() > 0 );

while( errStream.available() > 0 )
{
String outputResult = errStream.readLine();
Log.d( TAG, "cmd error: " + outputResult );
}
}

bResult = true;

cmdStream.writeBytes( "exit\n" );
cmdStream.flush();
try
{
prcs.waitFor();
} catch( InterruptedException e )
{
Log.i( TAG, "!!! EXCEPTION_1 !!!" );
e.printStackTrace();
}
}
if( cmdStream != null )
{
cmdStream.close();
}
if( resStream != null )
{
resStream.close();
}
if( errStream != null )
{
errStream.close();
}
}
catch( IOException e )
{
Log.i( TAG, "!!! EXCEPTION_2 !!!" );
e.printStackTrace();
}

return( bResult );
}
}

AndroidManifest.xml
===================
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.mybr"
android:sharedUserId="android.uid.shell">

<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:supportsRtl="true">
<receiver
android:name=".MyBroadcastReceiver"
android:enabled="true"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.TIME_SET"/>
<action android:name="android.intent.action.TIMEZONE_CHANGED"/>
</intent-filter>
</receiver>
</application>
</manifest>

Android.mk
==========
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)

LOCAL_MODULE_TAGS := optional

# Only compile source java files in this apk.
LOCAL_SRC_FILES := $(call all-java-files-under, src)

LOCAL_PACKAGE_NAME := myBR
LOCAL_CERTIFICATE := platform
LOCAL_PRIVILEGED_MODULE := true

LOCAL_MODULE_PATH := $(TARGET_OUT)/priv-app

include $(BUILD_PACKAGE)

# Use the following include to make our test apk.
include $(call all-makefiles-under,$(LOCAL_PATH))

Listing from logcat (as you can see su always failed)
===================
10-28 14:08:28.821 455-455/system_process I/PackageManager: /system/priv-app/myBR changed; collecting certs
10-28 14:08:28.855 455-455/system_process I/art: DexFile_isDexOptNeeded file /system/priv-app/myBR/arm/myBR.odex needs to be relocated for /system/priv-app/myBR/myBR.apk
10-28 14:08:42.875 455-455/system_process I/art: DexFile_isDexOptNeeded file /system/priv-app/myBR/arm/myBR.odex needs to be relocated for /system/priv-app/myBR/myBR.apk
10-28 14:08:42.876 455-455/system_process I/PackageManager: Running patchoat on: com.example.mybr
10-28 14:08:42.878 631-631/? E/installd: Running /system/bin/patchoat isa=arm in-fd=5 (/system/priv-app/myBR/arm/myBR.odex) out-fd=6 (/data/dalvik-cache/arm/system@priv-app@myBR@myBR.apk@classes.dex)
10-03 14:11:47.001 455-501/system_process I/ActivityManager: Start proc 1795:com.example.mybr/2000 for broadcast com.example.mybr/.MyBroadcastReceiver
10-03 14:11:47.115 455-499/system_process W/InputMethodManagerService: Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@c92a0d7 attribute=null, token = android.os.BinderProxy@3515a383
10-03 14:11:47.181 1795-1795/com.example.mybr I/MyBroadcastReceiver: MyBroadcastReceiver - created
10-03 14:11:47.214 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd: id (added my note: runCmd( "sh", "id" )
10-03 14:11:47.268 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd result: uid=2000(shell) gid=2000(shell) groups=1015(sdcard_rw),1023(media_rw),1028(sdcard_r),3002(net_bt),3008(net_bt_stack),9997(everybody),42000(u0_a32000)
10-03 14:11:47.275 1795-1795/com.example.mybr I/MyBroadcastReceiver: bResult = true
10-03 14:11:47.297 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd: id (added my note: runCmd( "su", "id" )
10-03 14:11:47.306 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd result: null
10-03 14:11:47.309 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd error: su: permission denied (added mine detection: call function setgidI() return -1 from su.c)
10-03 14:11:47.310 1795-1795/com.example.mybr I/MyBroadcastReceiver: !!! EXCEPTION_2 !!!
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: java.io.IOException: write failed: EPIPE (Broken pipe)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at libcore.io.IoBridge.write(IoBridge.java:502)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at java.io.FileOutputStream.write(FileOutputStream.java:186)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at java.iutputStream.write(OutputStream.java:82)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at java.io.DataOutputStream.writeBytes(DataOutputStream.java:156)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at com.example.mybr.MyBroadcastReceiver.runCmd(MyBroadcastReceiver.java:77)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at com.example.mybr.MyBroadcastReceiver.onReceive(MyBroadcastReceiver.java:33)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread.handleReceiver(ActivityThread.java:2609)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread.access$1700(ActivityThread.java:151)
10-03 14:11:47.310 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1380)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at android.os.Handler.dispatchMessage(Handler.java:102)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at android.os.Looper.loop(Looper.java:135)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread.main(ActivityThread.java:5254)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at java.lang.reflect.Method.invoke(Native Method)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at java.lang.reflect.Method.invoke(Method.java:372)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: Caused by: android.system.ErrnoException: write failed: EPIPE (Broken pipe)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at libcore.io.Posix.writeBytes(Native Method)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at libcore.io.Posix.write(Posix.java:258)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at libcore.io.BlockGuardOs.write(BlockGuardOs.java:313)
10-03 14:11:47.311 1795-1795/com.example.mybr W/System.err: at libcore.io.IoBridge.write(IoBridge.java:497)
10-03 14:11:47.312 1795-1795/com.example.mybr W/System.err: ... 15 more
10-03 14:11:47.312 1795-1795/com.example.mybr I/MyBroadcastReceiver: bResult = true
10-03 14:11:47.337 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd: rtcclock -w (added my note: runCmd( "su", "rtcclock -w" )
10-03 14:11:47.340 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd result: null
10-03 14:11:47.342 1795-1795/com.example.mybr D/MyBroadcastReceiver: cmd error: su: permission denied (added mine detection: call function setgidI() return -1 from su.c)
10-03 14:11:47.342 1795-1795/com.example.mybr I/MyBroadcastReceiver: !!! EXCEPTION_2 !!!
10-03 14:11:47.342 1795-1795/com.example.mybr W/System.err: java.io.IOException: write failed: EPIPE (Broken pipe)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at libcore.io.IoBridge.write(IoBridge.java:502)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at java.io.FileOutputStream.write(FileOutputStream.java:186)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at java.iutputStream.write(OutputStream.java:82)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at java.io.DataOutputStream.writeBytes(DataOutputStream.java:156)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at com.example.mybr.MyBroadcastReceiver.runCmd(MyBroadcastReceiver.java:77)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at com.example.mybr.MyBroadcastReceiver.onReceive(MyBroadcastReceiver.java:36)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread.handleReceiver(ActivityThread.java:2609)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread.access$1700(ActivityThread.java:151)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1380)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at android.os.Handler.dispatchMessage(Handler.java:102)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at android.os.Looper.loop(Looper.java:135)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at android.app.ActivityThread.main(ActivityThread.java:5254)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at java.lang.reflect.Method.invoke(Native Method)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at java.lang.reflect.Method.invoke(Method.java:372)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
10-03 14:11:47.343 1795-1795/com.example.mybr W/System.err: Caused by: android.system.ErrnoException: write failed: EPIPE (Broken pipe)
10-03 14:11:47.344 1795-1795/com.example.mybr W/System.err: at libcore.io.Posix.writeBytes(Native Method)
10-03 14:11:47.344 1795-1795/com.example.mybr W/System.err: at libcore.io.Posix.write(Posix.java:258)
10-03 14:11:47.344 1795-1795/com.example.mybr W/System.err: at libcore.io.BlockGuardOs.write(BlockGuardOs.java:313)
10-03 14:11:47.344 1795-1795/com.example.mybr W/System.err: at libcore.io.IoBridge.write(IoBridge.java:497)
10-03 14:11:47.344 1795-1795/com.example.mybr W/System.err: ... 15 more
10-03 14:11:47.344 1795-1795/com.example.mybr I/MyBroadcastReceiver: bResult = true
10-03 14:11:47.354 1388-1388/com.android.deskclock V/AlarmClock: AlarmInitReceiver android.intent.action.TIME_SET
10-03 14:11:47.384 1388-1647/com.android.deskclock V/AlarmClock: AlarmInitReceiver finished
10-03 14:11:47.395 455-498/system_process I/ActivityManager: Killing 1368:com.android.music/u0a33 (adj 15): empty #17
10-03 14:11:47.408 455-455/system_process W/MediaSessionRecord: Removing dead callback in pushEvent.
android.os.DeadObjectException
at android.os.BinderProxy.transactNative(Native Method)
at android.os.BinderProxy.transact(Binder.java:496)
at android.media.session.ISessionControllerCallback$Stub$Proxy.onSessionDestroyed(ISessionControllerCallback.java:189)
at com.android.server.media.MediaSessionRecord.pushSessionDestroyed(MediaSessionRecord.java:667)
at com.android.server.media.MediaSessionRecord.access$3800(MediaSessionRecord.java:67)
at com.android.server.media.MediaSessionRecord$MessageHandler.handleMessage(MediaSessionRecord.java:1286)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:135)
at com.android.server.SystemServer.run(SystemServer.java:269)
at com.android.server.SystemServer.main(SystemServer.java:170)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)

Thank you very much for help.

 

[Rukbat]

If the phone isn't rooted, you can't run the shell command as root. First root the phone. There's no su in an unrooted phone, so su shell doesn't do anything. Rooting installs su where it needs to be (bin or xbin). (And also installs a SuperSU app to control which apps get to use su - by the user saying ok the first time an app tries to run it - so a virus can't run as superuser.)

 

[anymor1024]

Hello,
thanks for your reply, but as you can see my device contain su shell command even though it is not rooted.
As you can see too, that su command is works via shell.
Root device is not possible - it is no way for me.

 

[anymor1024]

Hello,
thanks for your reply, but as you can see my device contain su shell command even though it is not rooted.
As you can see too, that su command is works via shell.
Root device is not possible - it is no way for me.