Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Jonathan Wilson
Karma: 92
2011-06-25 03:30 UTC
Basically, due to a bug in libsms (closed source Nokia library that's part
of the telephony stack in Fremantle), Cell Broadcast SMS does not work on
the N900. Specifically it is a bug in the function sms_gsm_cb_routing_ntf.

It's clear at this point that Nokia will not release the source code to
libsms (or back-port the fix for this bug from Harmattan where it appears
to be fixed). Nor are they likely to release the information required to
allow replacement of libsms without a wholesale replacement of most of the
telephony stack (including the dialer, messaging app etc).
Given this, I have come up with a possible solution and would like advice
on the best way to package this solution.

Option 1:
Patch libsms (there are 3 bytes that need to be changed to fix the bug) and
distribute the patched .so file. (i.e. basically an updated libsms package)

Option 2:
Distribute a package that will patch (and un-patch on uninstall I would
guess) libsms with the 3 changed bytes to fix the bug.

Option 3:
Distribute a package that somehow loads something into the memory space of
the CSD daemon and applies the 3-byte patch to the in-memory image of libsms.

Option 4:
Create a clone of sms_gsm_cb_routing_ntf and use LD_PRELOAD or something
similar to cause libsms to use the clone and not the original in libsms

I don't know much about how ARM Linux works (or how Debian packaging works
or what the CSSU maintainers would find acceptable) so I don't know which
option is the best option. Hence I am asking the CSSU gurus to help me
figure out which option is the best option going forward as a way to
distribute this fix (which will then allow a user-space widget to be
produced that can talk to the IncomingCBS DBUS signal and do something with
the incoming Cell Broadcast SMS messages)

Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Andrew Flegg
Karma: 3343
2011-06-25 09:54 UTC
On Saturday, June 25, 2011, Jonathan Wilson <jfwfreo@tpgi.com.au> wrote:
>
> Given this, I have come up with a possible solution and would like
> advice on the best way to package this solution.

> Option 1:
> Patch libsms (there are 3 bytes that need to be changed to fix the bug) and
> distribute the patched .so file. (i.e. basically an updated libsms package)

Not an option - the licence of libsms would make this copyright
infringement (if it is closed source).

> Option 2:
> Distribute a package that will patch (and un-patch on uninstall I would guess)
> libsms with the 3 changed bytes to fix the bug.

Easiest option, and therefore the most reliable. The only caveat is
whether or not libsms varies between OS versions. As long as the
package for the installer depends on the right version of libsms, and
maybe the patcher does a checksum before modifying the file, I think
that'd work.

It can even be tested in Extras-devel outside of the CSSU, but like
the "modify the Conversations app's CSS to support portrait", it
should be depended on by the mp-fremantle-community-pr as a quick way
of bundling together the separate "hotfixes".

Cheers,

Andrew

--
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org/

Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Joerg Reisenweber
Karma: 1285
2011-06-25 20:33 UTC
Jon,
I have some binary patcher ready here, alas I can't reproduce your patch, as
the values of bytes to patch differ massively from your instruction

PR1.3 CSSU system:
IroN900:~# ls -l `find /usr -name '*libsms*'`
lrwxrwxrwx 1 root root 15 2010-06-23 06:08 /usr/lib/libsms.so.0 -> libsms.so.0.0.0
-rw-r--r-- 1 root root 79964 2009-12-15 14:41 /usr/lib/libsms.so.0.0.0
lrwxrwxrwx 1 root root 21 2010-06-23 06:07 /usr/lib/libsms-utils.so.0 -> libsms-utils.so.0.0.0
-rw-r--r-- 1 root root 42932 2009-12-16 11:31 /usr/lib/libsms-utils.so.0.0.0
-rw-r--r-- 1 root root 7836 2010-02-04 10:50 /usr/lib/rtcom-eventlogger/plugins/libsms.so

/j

Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Joerg Reisenweber
Karma: 1285
2011-06-25 20:44 UTC
I forgot:

IroN900:~# md5sum /usr/lib/libsms.so.0.0.0
6d9560f64f97dd18ccbd3119229717ae /usr/lib/libsms.so.0.0.0

Please tell which version (of combined fiasco image) you got installed, this
above should be International.

Also you maybe can give a context hexdump of byte DD78 -30bytes to +30bytes,
so I could find the code in case it has just moved a bit

Thanks
/j


Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Joerg Reisenweber
Karma: 1285
2011-06-26 04:56 UTC
#!/bin/sh

# Hi Jon

#attached find a little script to do the patching.

#I suggest to package this script together with whatever GUI(?) SMSCB app,
#and run it from postinst. Then up the pkg to extras-devel. If you prefer, I
#can do the packaging and upload to extras-devel repo.

#cheers
#jOERG





#----------- 8X -- (snip) ----------------------------

#!/bin/sh
# file: /usr/local/bin/patch-libsms
# perm: chmod +x /usr/local/bin/patch-libsms
#
# USAGE:
# ~# patch-libsms
# (needs root permissions)
#
# this script will patch the libsms.so library to fix a bug, so N900
# finally could receive cell broadcast SMS
# There'll be a backup of the original file so you can revert if the
# results are not satisfactory
#
# see http://lists.maemo.org/pipermail/maemo-developers/2011-June/028434.html
# All kudos to Jonathan Wilson for digging into this and finally find the patch
#
# Alas xargs -Ixx printf is *really* too slow, and -I not supported by busybox
# busybox awk doesn't support gsub function :-/
# so you have to install *something* anyway, either a binary to patch, or a
# interpreter like perl to run a proper script,
# or you get proper awk from gawk package in SDK repo:
# IroN900:~# apt-cache policy gawk
# gawk:
# Installed: 1:3.1.4-2osso.2
# Candidate: 1:3.1.4-2osso.2
# Version table:
# *** 1:3.1.4-2osso.2 0
# 500 http://repository.maemo.org fremantle/sdk/free Packages
# 100 /var/lib/dpkg/status
# IroN900:~# apt-get install gawk
#
# (C)Joerg Reisenweber, joerg add openmoko dodd org, GPLv2
# thanks to Paul ;-)


LOG=/home/user/MyDocs/.documents/$(basename $0).log
LIBSMS=/usr/lib/libsms.so.0.0.0
BACKUP=/home/user/$(basename $LIBSMS)
MD5ORIG=6d9560f64f97dd18ccbd3119229717ae
MD5PATCHED=fff53e239c8a46c97015a8ef78f9e7ad

#set -vx
# braces, not a subshell, so that "exit 5" really leaves the script
dd if=/dev/zero of=$LOG bs=2k count=1 2>/dev/null || { echo "Can not create logfile $LOG, exiting!"; exit 5; }
trap "cleanup" EXIT
cleanup(){
    trap - EXIT
    if [ -f $LOG ]
    then
        # exec
        echo -e "An Error occurred! Please keep the logfile $LOG, and provide it to developers for analyzing what happened\nThe logfile:" >&3
        cat $LOG >&3
    fi
    exit
}

# from here on stdout and stderr go to the logfile, fd 3 is the old stderr
exec 3>&2 1>$LOG 2>&1
set -e

echo "checking $LIBSMS for correct MD5 checksum, so we can apply patch..."
# md5sum -c wants two spaces between checksum and file name
echo "$MD5ORIG  $LIBSMS" | md5sum -c

echo "creating backup of $LIBSMS to $BACKUP..."
cp -va $LIBSMS $BACKUP

# change byte DD78 from 0xFF to 0x52, (changes a CMP R3, #0xFF
# instruction to a CMP R3, #0x52 instruction) then change DD7C from 0x00 to
# 0x52 and DD7F from 0x03 to 0xC3 (changes a MOVEQ R3, #0 instruction into a
# MOVGT R3, #0x52)
echo "patching $LIBSMS..."
# stdout is the logfile here, so the patched bytes are written to a temporary
# file and then copied over the library; od's last line holds only the end
# address and is skipped; LC_ALL=C makes printf "%c" emit single bytes
od -Ax -tx1 -w1 -v $LIBSMS | LC_ALL=C awk 'NF < 2 { next }
/00dd78 ff/ { $0 = "00dd78 52" }
/00dd7c 00/ { $0 = "00dd7c 52" }
/00dd7f 03/ { $0 = "00dd7f c3" }
{ gsub(/^.* /, "0x"); printf "%c", strtonum($0) }' > $LIBSMS.new
cp $LIBSMS.new $LIBSMS
rm $LIBSMS.new

echo "checking result for correctness..."
if ! echo "$MD5PATCHED  $LIBSMS" | md5sum -c
then
    echo "result incorrect! Restoring from backup $BACKUP..."
    cp -va $BACKUP $LIBSMS
    echo "removing backup..."
    rm $BACKUP
    echo "======== system info ==========="
    osso-product-info
    exit 5
fi

rm $LOG
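The checksum-before-modify approach suggested earlier in the thread, combined with the three byte changes from the script above, as an added Python 3 example that is not code from the thread or from anyone who posted in it. The function names `patch_image` and `patch_file` are hypothetical; the offsets, byte values and MD5 sums are the ones quoted in the script.

```python
import hashlib
import os
import shutil
import tempfile

# Values quoted in the thread's script: offset -> (expected original, patched).
PATCHES = {0xDD78: (0xFF, 0x52), 0xDD7C: (0x00, 0x52), 0xDD7F: (0x03, 0xC3)}
MD5_ORIG = "6d9560f64f97dd18ccbd3119229717ae"
MD5_PATCHED = "fff53e239c8a46c97015a8ef78f9e7ad"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def patch_image(data, patches=PATCHES, md5_orig=MD5_ORIG, md5_patched=MD5_PATCHED):
    """Return the patched image; raise ValueError if any check fails."""
    if md5_hex(data) == md5_patched:
        return bytes(data)                      # already patched: nothing to do
    if md5_hex(data) != md5_orig:
        raise ValueError("input is not the expected library version")
    out = bytearray(data)
    for off, (old, new) in sorted(patches.items()):
        if off >= len(out) or out[off] != old:  # per-byte check on top of the MD5
            raise ValueError("unexpected byte at offset 0x%X" % off)
        out[off] = new
    if md5_hex(out) != md5_patched:
        raise ValueError("patched image does not match expected checksum")
    return bytes(out)


def patch_file(path, backup, **expect):
    """Patch path in place; True if modified, False if it was already patched."""
    with open(path, "rb") as f:
        data = f.read()
    patched = patch_image(data, **expect)       # all checks happen before any write
    if patched == data:
        return False
    shutil.copy2(path, backup)                  # keep the original for un-patching
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(patched)
            f.flush()
            os.fsync(f.fileno())
        shutil.copymode(path, tmp)              # mkstemp creates the file as 0600
        os.replace(tmp, path)                   # atomic swap, never a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return True
```

Because every check runs before the first write and the swap is a rename, a mismatching libsms build is left untouched and a second run on an already patched file is a no-op.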

Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Joerg Reisenweber
Karma: 1285
2011-06-26 07:36 UTC
don't bother to try to get this version of patcher script running, it has
several flaws on stock maemo (busybox etc).

I may or may not ship a better version later.
sorry for the noise till then.

/j

Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Joerg Reisenweber
Karma: 1285
2011-06-26 09:31 UTC
meanwhile:

bash-3.2$ id
uid=29999(user) gid=29999(users)
bash-3.2$ dbus-monitor --system | grep -A 90 "member=IncomingCBS"
signal sender=:1.21 -> dest=(null destination) serial=344
path=/com/nokia/phone/SMS; interface=Phone.SMS; member=IncomingCBS
array [
byte 51
byte 27
byte 13
byte 135
byte 155
byte 213
byte 104
byte 184
byte 152
byte 76
byte 214
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 104
byte 52
byte 26
byte 141
byte 70
byte 163
byte 209
byte 0
]
uint32 0
uint32 221
byte 0
byte 17
byte 255
signal sender=:1.44 -> dest=(null destination) serial=80
path=/com/nokia/iphbd; interface=com.nokia.iphbd; member=wakeup2
^C
bash-3.2$



http://wiki.maemo.org/Phone_control#Send_SMS

jr@halley:~> python
Python 2.6.2 (r262:71600, Oct 24 2009, 03:16:31)
[GCC 4.4.1 [gcc-4_4-branch revision 150839]] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> def deoctify(arr):
...
...     referencebit = 1
...     doctect = []
...     bnext = 0x00
...
...     for i in arr:
...
...         bcurr = ((i & (0xff >> referencebit)) << referencebit) >> 1
...         bcurr = bcurr | bnext
...
...         if referencebit != 7:
...             doctect.append( bcurr )
...             bnext = (i & (0xff << (8 - referencebit)) ) >> 8 - referencebit
...             referencebit += 1
...         else:
...             doctect.append( bcurr )
...             bnext = (i & (0xff << (8 - referencebit)) ) >> 8 - referencebit
...             doctect.append( bnext )
...             bnext = 0x00
...             referencebit = 1
...
...     return ''.join([chr(i) for i in doctect])
...
>>> deoctify([ 51, 27, 13, 135, 155, 213, 104, 184, 152, 76, 214, 104, 52,
26, 141, 70, 163, 209, 104, 52, 26, 141, 70, 163, 209, 104, 52, 26, 141, 70,
163, 209, 104, 52, 26, 141, 70, 163, 209, 104, 52, 26, 141, 70, 163, 209, 104,
52, 26, 141, 70, 163, 209, 104, 52, 26, 141, 70, 163, 209, 104, 52, 26, 141,
70, 163, 209, 104, 52, 26, 141, 70, 163, 209, 104, 52, 26, 141, 70,
163, 209, 0])
'364883548122\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r'
>>>

this is a SMSCB sent on

channel 221 (2nd UINT in dbus log)

containing the Gauss-Wegener coords of the BTS

"364883548122"

see http://lists.openmoko.org/pipermail/openmoko-kernel/2008-June/002987.html
for some details and further links

This looks like a really great success for Jon :-) - congrats.

/j

Re: [CSSU] Advice wanted on the best way to package Cell Broadcast SMS bugfix for closed libsms library

Joerg Reisenweber
Karma: 1285
2011-06-26 12:21 UTC
bash-3.2$ python ./smscb.py
Sun Jun 26 13:33:02 2011 New cell broadcast message received from channel 221
Message: 364883548122
Sun Jun 26 13:35:18 2011 New cell broadcast message received from channel 221
Message: 364977548097
Sun Jun 26 13:36:03 2011 New cell broadcast message received from channel 221
Message: 364883548122
Sun Jun 26 13:37:17 2011 New cell broadcast message received from channel 221
Message: 364977548097
Sun Jun 26 13:38:04 2011 New cell broadcast message received from channel 221
Message: 364883548122
Sun Jun 26 13:39:47 2011 New cell broadcast message received from channel 221
Message: 364977548097
Sun Jun 26 13:40:32 2011 New cell broadcast message received from channel 221
Message: 364883548122

#ok, now moving device somewhere else
Sun Jun 26 13:43:03 2011 New cell broadcast message received from channel 221
Message: 364883548122
#doublette, shouldn't happen?
^CTraceback (most recent call last):
File "./smscb.py", line 101, in <module>
listen()
File "./smscb.py", line 69, in listen
gobject.MainLoop().run()
KeyboardInterrupt
bash-3.2$ python ./smscb.py
#added a typo fix
Sun Jun 26 13:53:47 2011 New cell broadcast message received from channel 221
Message: 364977548097

think we got it
jonwil said he wants to pick up on posting/publishing a proper c binary to
patch the 3 bytes in libsms.so. I give up on messing with crippled messybox,
rather adding bit of icing to the python code that created the above, and ship
that here

cheers
jOERG