An easy way to remove the noexec protection from partitions

General Forum for talking area for E series TVs.
Post Reply

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

An easy way to remove the noexec protection from partitions

Post by mamaich »

To make our life harder, Samsung decided to make all custom mounts as noexec. So you can't run a file from USB. Here is a code from their sources:

Code: Select all

#ifdef CONFIG_MOUNT_SECURITY
/* 
 * Devices in this list will not be applied "noexec" option.
 * All device will be applied "noexec" option to protect system security
 * except some devices for system
 * */
char *allowedDEV[] = {"bml", "stl", "mmcblk", "dev/root",
		"proc", "rootfs", "sysfs", "tmpfs", "none", 
		"END" };
#endif
....
#ifdef CONFIG_MOUNT_SECURITY
	/* Apply MNT_NOEXEC option except some devices for system */
	numOfDev = sizeof(allowedDEV)/sizeof(allowedDEV[0]);
	
	for( i = 0 ; i < numOfDev  ; i++) {
		if(strstr(dev_name, allowedDEV[i]) != NULL)
			break;
	}
	
	if( i == numOfDev ) {
		mnt_flags |= MNT_NOEXEC;
	}
#endif
Looking at this source code - it is easy to overcome this protection. The code does the following: it checks that the device path contains a given string somewhere inside its name. So you can create your own device with mknode that contains, say, "bml" in its name - and this device would be mounted as executable.

Here is a working example, tested on my UE32ES6727:

Code: Select all

mknod /tmp/loopnone b 7 9
losetup /tmp/loopnone /dtv/usb/sda1/t-mst10pdeuc.xfs
mount -o sync,exec /tmp/loopnone /mnt
This example uses the "none" allowed device substring.
Top
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:
Contact arris69

Re: An easy way to remove the noexec protection from partiti

Post by arris69 »

mamaich wrote:To make our life harder, Samsung decided to make all custom mounts as noexec. So you can't run a file from USB. Here is a code from their sources:
....
Here is a working example, tested on my UE32ES6727:

Code: Select all

mknod /tmp/loopnone b 7 9
losetup /tmp/loopnone /dtv/usb/sda1/t-mst10pdeuc.xfs
mount -o sync,exec /tmp/loopnone /mnt
This example uses the "none" allowed device substring.
nice :-)
Top
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: An easy way to remove the noexec protection from partiti

Post by E3V3A »

Is that a permanent fix or does it re-enable noexec, after reboot?
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Top
User avatar
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: An easy way to remove the noexec protection from partiti

Post by juusso »

as you see, the es series hack is not permanent, so all changes you ever make on tmpfs will be valid only until you reboot TV.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]
DO NOT EVER INSTALL FIRMWARE UPGRADE
Top

Post Reply

Return to “[E] General”