Bypassing PIE check (enables gdb) for Android 5.0+

s810car

Active Member
Dec 9, 2016
199
DISCLAIMER: This mod should be done by experienced modders only, with a solid understanding of the Android file system and IDA. Done incorrectly, this has a HUGE potential to brick your device! Consider yourself warned...

Bypassing PIE (position independent executable) check
Ever run into this message?
Code:
error: only position independent executables (PIE) are supported
I ran into this problem trying to debug an app by getting a memory dump first. I had never had the problem before, but this was my first attempt on Android L. After researching, I found an ideal solution supplied here (XDA), and, if you happen to have the same type of phone, you can stop reading this, as the zip file should work when flashed. It did nothing for me, and after reading the problems people were having after flashing (PSA: read the comments on files BEFORE putting them on your device; I got lucky and had no issue, but it could have been worse) I decided this wouldn't work for me. After reading more, though, I found that what I really needed was in this code here (source: original tutorial linked):
Code:
    3a06:       f8c6 5098       str.w   r5, [r6, #152]  ; 0x98
    3a0a:       f8c6 4100       str.w   r4, [r6, #256]  ; 0x100
    3a0e:       8a0a            ldrh    r2, [r1, #16]
    3a10:       2a03            cmp     r2, #3
    3a12:       d007            beq.n   3a24            // change to e007 (b.n)
    3a14:       4992            ldr     r1, [pc, #584]  ; (3c60)
    3a16:       2002            movs    r0, #2
    3a18:       4479            add     r1, pc
Specifically, 3a12: d007 beq.n 3a24 // change to e007 (b.n)
So, I decided to dig into it myself and see if I could do anything.

What I used:
IDA Pro 32 bit (I used the paid version; it's not necessary here, the free version can do it as well)
Any good hex editor (my favourite is UltraEdit, but WinHex, etc. don't matter)
A rooted phone; you need to move files and change permissions
A file explorer WITH root access (ES File Explorer, Root Explorer)

Step 1:
Find the file named "linker" in your ./system/bin directory. Copy it onto the computer you will be working on.

Step 2:
Fire up IDA Pro 32 bit. When you load the linker file for disassembly, leave the default settings (ELF file, metapc engine). Let it do its thing.

Step 3:
Go to View -> Open Subviews -> Strings. Look for the string that says
Code:
.rodata:0000B1F9 00000043 C error: only position independent executables (PIE) are supported.\n
The address the line is on may be different, but the text won't change (dumb fact: obviously the reason the flashed zip I tried failed is that my linker has a different address to change the value at, duh me lol). Double-click the line and it'll go to
Code:
.rodata:0000B1F9 aErrorOnlyPosit DCB "error: only position independent executables (PIE) are supported"
.rodata:0000B1F9                                         ; DATA XREF: __dl___linker_init+3D6o
.rodata:0000B1F9                                         ; .text:off_3BDCo
.rodata:0000B1F9                 DCB ".",0xA,0
Again, the address will be specific to your file. Double-click the XREF to go to the actual subroutine, scroll up about 10-15 lines, and you'll see this:
Code:
.text:0000387C loc_387C                                ; CODE XREF: __dl___linker_init+390j
.text:0000387C                                         ; __dl___linker_init+3B6j
.text:0000387C                 LDR.W           R1, [R4,#0x8C]
.text:00003880                 MOVS            R5, #0
.text:00003882                 MOVS            R6, #1
.text:00003884                 STR.W           R5, [R4,#0x98]
.text:00003888                 STR.W           R6, [R4,#0x100]
.text:0000388C                 LDRH            R3, [R1,#0x10]
.text:0000388E                 CMP             R3, #3
.text:00003890                 BEQ               loc_38A2
.text:00003892 ; ---------------------------------------------------------------------------
.text:00003892                 LDR             R1, =(aErrorOnlyPosit - 0x389A)
.text:00003894                 MOVS            R0, #2
.text:00003896                 ADD             R1, PC  ; "error: only position independent execut"...
.text:00003898                 BL              __dl___libc_format_fd
.text:0000389C                 MOV             R0, R6
.text:0000389E
.text:0000389E loc_389E                                ; CODE XREF: __dl___linker_init+604j
.text:0000389E                 BL              __dl_exit
Any of that look familiar? Well, if you recall the code from XDA, the STR, CMP, and BEQ lines match exactly (if you didn't know, #0x100 is hex for 256, the #256 in the other disassembly; same with #0x10 = #16). So now we can do the exact same fix, manually! Before you shut down IDA, go to the hex view screen from here to get the address needed. In my example this is 00003890; yours may be different, but the values on the line should read
Code:
07 D0 D2 49 02 20 79 44 02 F0 DE FC 30 46 FD F7
That's it for IDA; exit (no need to save the database unless you want to).

Step 4:
Open your hex editor. Search for the data any way you want, either by the address (in my example 00003890) or, as I did, by searching for the values "07 D0 D2 49" to find the spot (put enough hex values in your search to find the unique spot; don't just search for D0, even though that's what we're editing, or you may edit the wrong address). Once you're sure you're at the right spot, simply change it to read
Code:
07 E0 D2 49 02 20 79 44 02 F0 DE FC 30 46 FD F7
Only the "D0" to "E0"? Yes it's really that simple ;)

Step 5:
On your phone, temporarily change the permissions of your ./system/bin/linker file from 755 (rwxr-xr-x) to 777 (rwxrwxrwx); depending on your mounts you may (SHOULD HAVE TO) change the folder's permissions as well. DON'T FORGET TO CHANGE PERMISSIONS BACK WHEN DONE!!!! Rename the linker file on the phone to linker1, linkerbak, or whatever. Then upload the edited linker file from your PC back to your phone. Afterwards, SET PERMISSIONS BACK on the file and folders.

You should now be able to use gdb, gdbserver, and any old busybox executables that give you the PIE error.
Happy modding!
 
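The following is an added example, not code from the post above or from any linker build. It does with a script what Steps 3 and 4 do by hand in IDA and a hex editor: it locates the PIE check in a 32-bit ARM (Thumb) linker image by the five-instruction byte pattern that both disassemblies in the post share (cmp rN, #3 / beq.n / ldr r1, [pc, #..] / movs r0, #2 / add r1, pc), then applies either the post's own patch (beq.n to b.n) or the alternative iAlex suggests later in this thread (cmp rN, #3 to cmp rN, rN). The Thumb encodings are standard ARMv7 T1/T2 encodings; the only bytes taken from the post are the 16-byte dump at 0x3890, and the 03 2B in front of them is my own encoding of the CMP R3, #3 that IDA shows at 0x388E. The function names and the padding in the constructed SAMPLE image are assumptions for the example. Note the caveat in beq_to_b: "just change D0 to E0" only holds for forward branches, because the 8-bit offset has to be sign-extended into the 11-bit field of b.n.

```python
"""Locate and patch the PIE check in a 32-bit ARM/Thumb Android 'linker'.

Added example for this thread (not the post's own code). Assumed names:
find_pie_check, beq_to_b, cmp_always_equal, SAMPLE.

Byte pattern searched for (from the two disassemblies in the thread):
    cmp   rN, #3         ; 03 2N   T1: 0x2800 | Rn<<8 | imm8
    beq.n <target>       ; XX D0   T1: 0xD000 | cond<<8 | imm8  (cond 0 = EQ)
    ldr   r1, [pc, #..]  ; XX 49   T1: 0x4900 | imm8
    movs  r0, #2         ; 02 20
    add   r1, pc         ; 79 44
"""
import re
import struct

_PIE_CHECK = re.compile(
    rb"\x03[\x28-\x2f]"    # cmp rN, #3   (N = 0..7)
    rb"[\x00-\xff]\xd0"    # beq.n imm8
    rb"[\x00-\xff]\x49"    # ldr r1, [pc, #imm8*4]
    rb"\x02\x20"           # movs r0, #2
    rb"\x79\x44",          # add r1, pc
    re.DOTALL,
)


def find_pie_check(image: bytes) -> int:
    """Return the file offset of the beq.n in the PIE check, or -1.

    Refuses to guess if the pattern is absent or occurs more than once:
    patching the wrong branch in linker bricks the device.
    """
    hits = [m.start() + 2 for m in _PIE_CHECK.finditer(image)]
    return hits[0] if len(hits) == 1 else -1


def _rd16(image: bytes, off: int) -> int:
    return struct.unpack_from("<H", image, off)[0]


def beq_to_b(image: bytes, off: int) -> bytes:
    """Patch 1 (the post's fix): beq.n -> b.n with the same target.

    T1 B<c>: 1101 cccc iiiiiiii    imm8  (signed, in halfwords)
    T2 B:    11100 iiiiiiiiiii     imm11 (signed, in halfwords)
    The offset is sign-extended from 8 to 11 bits, so 'D0 -> E0' is only
    the whole story for forward branches (imm8 < 0x80); a backward beq.n
    also changes the low byte.
    """
    hw = _rd16(image, off)
    if hw & 0xFF00 != 0xD000:                 # 0xD0xx is beq.n
        raise ValueError(f"not a beq.n at 0x{off:x}: 0x{hw:04x}")
    imm8 = hw & 0xFF
    signed = imm8 - 0x100 if imm8 & 0x80 else imm8
    out = bytearray(image)
    struct.pack_into("<H", out, off, 0xE000 | (signed & 0x7FF))
    return bytes(out)


def cmp_always_equal(image: bytes, off: int) -> bytes:
    """Patch 2 (iAlex's alternative): cmp rN, #3 -> cmp rN, rN.

    Comparing a register with itself always sets Z, so the untouched
    beq.n that follows is always taken.
    T1 CMP (imm): 00101 nnn iiiiiiii  -> 0x2800 | Rn<<8 | imm8
    T1 CMP (reg): 0100001010 mmm nnn  -> 0x4280 | Rm<<3 | Rn
    """
    hw = _rd16(image, off)
    if hw & 0xF800 != 0x2800:
        raise ValueError(f"not a cmp rN,#imm at 0x{off:x}: 0x{hw:04x}")
    rn = (hw >> 8) & 7
    out = bytearray(image)
    struct.pack_into("<H", out, off, 0x4280 | (rn << 3) | rn)
    return bytes(out)


# Constructed sample image: 4 bytes of padding (assumption, so offsets are
# non-zero), my encoding of 'cmp r3, #3' (03 2B), then the 16 bytes the
# post shows at 0x3890.
SAMPLE = bytes(4) + bytes.fromhex("03 2b") + bytes.fromhex(
    "07 d0 d2 49 02 20 79 44 02 f0 de fc 30 46 fd f7")

if __name__ == "__main__":
    off = find_pie_check(SAMPLE)
    p1 = beq_to_b(SAMPLE, off)
    p2 = cmp_always_equal(SAMPLE, off - 2)
    print(f"beq.n at 0x{off:x}: {SAMPLE[off:off+2].hex()} -> {p1[off:off+2].hex()}")
    print(f"cmp   at 0x{off-2:x}: {SAMPLE[off-2:off].hex()} -> {p2[off-2:off].hex()}")
```

On a real image you would read ./system/bin/linker into `image`, call `find_pie_check`, confirm the offset against what IDA showed you, and write back the result of one patch (not both). The finder deliberately returns -1 on zero or multiple hits rather than picking one, and each patch checks the existing opcode before rewriting it, which is the check you want before replacing the file every process on the device is loaded through. A 64-bit linker64 is AArch64 and uses different encodings; this script does not handle it.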

BTG

busy n will update mods with most "likes" first
Staff member
Exclusive Modding Team
Apr 26, 2016
5,732
Just a bit of warning: those who have never tampered with their device should plan carefully before you brick your phone; linker is the core of your device :D :D

very nice tut btw
 

s810car
Just a bit of warning: those who have never tampered with their device should plan carefully before you brick your phone; linker is the core of your device :D :D

very nice tut btw
Thanks, I forgot my disclaimer. Even though this mod hasn't messed anyone up that I'm aware of, provided they did it manually (not flashed), I believe now that more Android phones are being developed prepared for 64-bit applications, more memory addresses = more opportunities for a conflict occurring that a PIE check could have avoided, and the results of that could be devastating to the phone. Just speculation, but better safe than sorry, and as with any system-editing mod, do a nandroid backup!!
 

icry4u

Busy....
Staff member
Exclusive Modding Team
Nov 4, 2015
2,232
Just a bit of warning: those who have never tampered with their device should plan carefully before you brick your phone; linker is the core of your device :D :D

very nice tut btw
bricked mine like 4 to 6 times lol

Nice detailed tutorial bro
 

s810car

bricked mine like 4 to 6 times lol

Nice detailed tutorial bro
Fortunately I've only bricked mine once, my own fault, so in general a good track record. I even learned something that day: hey, flashing a system mount with a root script in fastboot does no good without the root script having a system.img of some type, since it wipes out the mount first :D whoops
 

icry4u

Lol... my fault was I didn't set permissions.
 

UngahUsak

New User
Apr 5, 2017
3
Please help patch my linker... here I upload my linker... using LineageOS 14.1 on Zenfone 5 T00F... thank you... :hearteyes:
 


s810car

Should've moved to use termux. It's more suitable for 5.0+
You know, I asked this somewhere else. From what I understand, the method with termux uses an updated gdb with the proper PIE setup, which is why it works without patching linker. My question is, why do you need termux then? The corrected gdb by itself should solve the issue, so that part seems odd to me.
 

s810car

Please help patch my linker...here I upload my linker...using lineageOS 14.1 on zenfone 5 t00f...thank you...:hearteyes:
I gotta go to work shortly, but I'll check this out after work. Why did you post two files, though? I assume a mistake, since they're the same size, but I need to be sure.
 

pancakeatomuch

New User
Dec 24, 2016
34
You know, I asked this somewhere else. From what I understand, the method with termux uses an updated gdb with the proper PIE setup, which is why it works without patching linker. My question is, why do you need termux then? The corrected gdb by itself should solve the issue, so that part seems odd to me.
I don't know what you mean. But termux has a package manager system, which Android doesn't have out of the box. There's no downside even if you have it installed anyway. It has many packages to play with, so... termux-packages/packages at master · termux/termux-packages · GitHub
 

s810car

Yeah, I get that, and it does seem like an awesome terminal, but it has nothing to do with gdb, just like the current gdb has nothing to do with the terminal you would have chosen before.
The whole reason this issue occurs is because gdb wasn't properly compiled to be a position independent executable (PIE). As such, another similarly misconfigured script/program could conceivably attempt to load into the same memory blocks the gdb server process resides in, causing unknown and possibly damaging files/corrupting disk sectors, etc. One of linker's many purposes is to be a fail-safe against that, and for better security and OS stability Google opted to start requiring PIE compliance from programs; linker enforces that.
The tutorial that describes using termux also mentions it uses an updated gdb (which I believe has been built properly now). So, my issue was, why the changed tutorial at all, instead of just recommending the updated gdb?
tl;dr I think termux is awesome, but until I understand otherwise, I don't think that tutorial is needed or that termux is required; just the new gdb suffices, imo.
 

s810car

Please help patch my linker... here I upload my linker... using LineageOS 14.1 on Zenfone 5 T00F... thank you... :hearteyes:
Yours is QUITE a bit more complex; it looks like the Cyanogen guys put a lot more into it over AOSP. I'll try to look at it a few more ways, but I believe the error is grouped into an enumeration and iterated through, which will be hard to fix unless I can find the correct case (and conveniently, the string is visible but is one of the few messages it won't allow me to xref in either direction).
 

pancakeatomuch

Nope, I know the whole reason, what PIE is, etc., but the reason isn't related to it. 5.0+ should just use gdb from termux, and older Android could use gdb from Dan's. I've tried some hacky build to support 4.x and it really sucks. Why bother forcing termux to be usable on <5.0? That's the reason. You can see the gdb installation on termux tutorial by iAndroHacker in his blog.
 

UngahUsak

Sorry... just one file... that same file I just accidentally uploaded twice... my mistake :disappointed:
I gotta go to work shortly, but I'll check this out after work. Why did you post two files, though? I assume a mistake, since they're the same size, but I need to be sure.
 

UngahUsak

Thank you... I'm waiting for the result...
Yours is QUITE a bit more complex; it looks like the Cyanogen guys put a lot more into it over AOSP. I'll try to look at it a few more ways, but I believe the error is grouped into an enumeration and iterated through, which will be hard to fix unless I can find the correct case (and conveniently, the string is visible but is one of the few messages it won't allow me to xref in either direction).
 

s810car

Nope, I know the whole reason, what PIE is, etc., but the reason isn't related to it. 5.0+ should just use gdb from termux, and older Android could use gdb from Dan's. I've tried some hacky build to support 4.x and it really sucks. Why bother forcing termux to be usable on <5.0? That's the reason. You can see the gdb installation on termux tutorial by iAndroHacker in his blog.
No no, that wasn't my point lol. gdb is a GNU/Linux system file that Android can use since it has a Linux("-like") kernel. It's not a termux file, and no way would a full terminal like termux be useful <5.0, I agree. I'm not trying to suggest putting termux on a lower OS, just the gdb/gdbserver files that are updated to properly pass linker's PIE check. You can use pretty much ANY terminal to run gdb, so there's no need for anything but that; that's what I'm saying.
So the conclusion is the same as I got before: no reason to do a different tutorial, since there's no need for termux (not debating how good a terminal it is, already agreed). The only thing needed is updated gdb/gdbserver files, and either tutorial would work then.
 

iAlex

Staff member
Exclusive Modding Team
Mar 11, 2016
5,760
@s810car

.text:0000388E CMP R3, #3

Make it CMP r3,r3, easy fix, but I still find the whole process for dumping the core pretty slow, and one more thing: if the device has linker64 you have to patch that one too.
 

s810car

@s810car

.text:0000388E CMP R3, #3

Make it CMP r3,r3, easy fix, but I still find the whole process for dumping the core pretty slow, and one more thing: if the device has linker64 you have to patch that one too.
Thanks, I'll have to look at it later. I was nearby that memory range, I'm sure, so unless I was totally out of it, it's weird to miss (totally out of it is quite possible anyway, been too many late coding nights :D). I wouldn't think it would have linker64, but then again the Cyanogen devs like going all out. It's not my phone anyway; the original requester would have to check.
Thanks again