
Comments (14)

amimo avatar amimo commented on May 16, 2024 1

@umarcor I split this single commit into smaller ones. You can see all the changes I made here: android-ndk-build.

from mambo.

Manouchehri avatar Manouchehri commented on May 16, 2024

I see @HuErr appears to have a working Android based off of #15. Would you mind sharing mambondk? =)

from mambo.

Manouchehri avatar Manouchehri commented on May 16, 2024

Was able to get a bit further with Termux by setting CFLAGS+=-mcpu=krait in the makefile.

from mambo.

whcjb avatar whcjb commented on May 16, 2024

Hi @Manouchehri, have you got the project to work on Android?

from mambo.

amimo avatar amimo commented on May 16, 2024

I am trying to build mambo with the Android NDK and am able to compile now: android-ndk-build

from mambo.

umarcor avatar umarcor commented on May 16, 2024

@amimo, it seems that you merged multiple non-related modifications in a single commit. Is there any other branch/repo where we can find the modifications in a series of atomic commits?

from mambo.

Manouchehri avatar Manouchehri commented on May 16, 2024

I’m not sure why I forgot to share this, but I sponsored @liamwhite to poke around with building Mambo for Android. https://gist.github.com/Manouchehri/7263b3231a755d8f34cf719006b2c393

from mambo.

liamwhite avatar liamwhite commented on May 16, 2024

Note that the mixtape link in this gist is dead. The package in question is, however, part of the gist. (You will need to clone it or download it directly.)

from mambo.

amimo avatar amimo commented on May 16, 2024

@Manouchehri @liamwhite Really nice patches. Can I port them to my ndk-build?
I also have a question about the disp_thread_data variable: it looks like a TLS variable. Is it still so after putting it in the data section?

from mambo.

Manouchehri avatar Manouchehri commented on May 16, 2024

Sure, feel free to use the patches.

from mambo.

lgeek avatar lgeek commented on May 16, 2024

@Manouchehri @liamwhite I only had a quick look at the patches, but I've noticed fix-sigaction.patch is going to break signal handling. The POSIX / libc struct sigaction is different from the kernel's, which is why MAMBO has a kernel_sigaction.h.

from mambo.
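
The layout difference lgeek describes, as an added example (not MAMBO's kernel_sigaction.h and not code from this thread). The struct ksigaction below is an assumed transcription of the kernel-side layout on x86-64 and AArch64 Linux; the program installs a handler through libc, reads it back with a raw rt_sigaction call, and compares the two layouts.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed kernel-side layout of struct sigaction for rt_sigaction(2) on
 * x86-64 and AArch64 Linux; written out for this example, not taken from
 * MAMBO's kernel_sigaction.h. */
struct ksigaction {
    void (*handler)(int);
    unsigned long flags;
    void (*restorer)(void);
    unsigned long mask;          /* kernel sigset_t: 64 signals, 8 bytes */
};

static void on_usr1(int sig) { (void)sig; }

/* Raw rt_sigaction query that bypasses the libc wrapper. */
static long raw_query(int sig, void *old, size_t sigsetsize) {
    return syscall(SYS_rt_sigaction, sig, NULL, old, sigsetsize);
}

/* Install via libc, read back via the kernel ABI: returns 1 if the kernel
 * reports the same handler and the SA_RESTART flag. */
int kernel_view_matches(void) {
    struct sigaction sa = {0};
    sa.sa_handler = on_usr1;
    sa.sa_flags = SA_RESTART;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return 0;

    struct ksigaction k = {0};
    if (raw_query(SIGUSR1, &k, sizeof k.mask) != 0) return 0;
    return k.handler == on_usr1 && (k.flags & SA_RESTART) != 0;
}

/* Returns 1 only if the libc struct could be passed to the raw syscall as is. */
int libc_layout_is_kernel_layout(void) {
    return sizeof(struct sigaction) == sizeof(struct ksigaction) &&
           offsetof(struct sigaction, sa_flags) == offsetof(struct ksigaction, flags) &&
           offsetof(struct sigaction, sa_mask) == offsetof(struct ksigaction, mask);
}

int main(void) {
    printf("kernel view matches libc install: %d\n", kernel_view_matches());
    printf("libc layout == kernel layout:     %d\n", libc_layout_is_kernel_layout());
    printf("sizeof libc=%zu kernel=%zu\n", sizeof(struct sigaction), sizeof(struct ksigaction));
    return 0;
}
```

Code that issues rt_sigaction itself, or interprets the struct pointers an application passes to that syscall, has to use the kernel layout; reading those bytes as the libc struct picks up sa_flags and sa_mask from the wrong offsets.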

umarcor avatar umarcor commented on May 16, 2024

I tried building https://gist.github.com/Manouchehri/7263b3231a755d8f34cf719006b2c393 on Termux v0.92 (Android v8.1.0). The build is successful, executing without args is correct, but trying to use it produces a segmentation fault:

$ ./dbm "$(which ls)"
Segmentation fault
$ cd test
$ ../dbm mmap_munmap
Segmentation fault
$ ../dbm mprotect_exec
Segmentation fault
$ ../dbm self_modifying
Segmentation fault

I tried three different commits: https://github.com/umarcor/mambo/commits/termux

All of them produce the same result: successful build but segfault.

Note that building other tests (hw_div, load_store and/or signals) fails because of unknown directive .func.

These are the binaries that correspond to the last commit: termux-bins.zip

from mambo.

WanghongLin avatar WanghongLin commented on May 16, 2024

Is there any further information since the latest comment was created?

Recently I tried to run mambo on Android. It built successfully with the latest master of this repository, but I got a SIGSEGV when running on a real device.

Below is the debug output from the adb shell console.

$ ./mambo /system/bin/toybox ls -al
INTERP field found

p_type: 0x6
p_offset: 0x40
p_vaddr: 0x40
p_paddr: 0x40
p_filesz: 0x230
p_memsz: 0x230
p_flags: 0x4
p_align: 0x8
Unhandled program header table entry type

p_type: 0x1
p_offset: 0x0
p_vaddr: 0x0
p_paddr: 0x0
p_filesz: 0x301b4
p_memsz: 0x301b4
p_flags: 0x4
p_align: 0x1000

p_type: 0x1
p_offset: 0x31000
p_vaddr: 0x31000
p_paddr: 0x31000
p_filesz: 0xb37d0
p_memsz: 0xb37d0
p_flags: 0x5
p_align: 0x1000
imap added: 76361be000 7636272000
imap 0x5859a7b0a8:
76361be000 - 7636272000

p_type: 0x1
p_offset: 0xe5000
p_vaddr: 0xe5000
p_paddr: 0xe5000
p_filesz: 0x6478
p_memsz: 0x6478
p_flags: 0x6
p_align: 0x1000

p_type: 0x1
p_offset: 0xeb480
p_vaddr: 0xec480
p_paddr: 0xec480
p_filesz: 0xcf8
p_memsz: 0xc938
p_flags: 0x6
p_align: 0x1000

p_type: 0x2
p_offset: 0xeac78
p_vaddr: 0xeac78
p_paddr: 0xeac78
p_filesz: 0x120
p_memsz: 0x120
p_flags: 0x6
p_align: 0x8
Unhandled program header table entry type

p_type: 0x6474e552
p_offset: 0xe5000
p_vaddr: 0xe5000
p_paddr: 0xe5000
p_filesz: 0x6478
p_memsz: 0x7000
p_flags: 0x4
p_align: 0x1
Unhandled program header table entry type

p_type: 0x6474e550
p_offset: 0x16ee0
p_vaddr: 0x16ee0
p_paddr: 0x16ee0
p_filesz: 0x4b8c
p_memsz: 0x4b8c
p_flags: 0x4
p_align: 0x4
Unhandled program header table entry type

p_type: 0x6474e551
p_offset: 0x0
p_vaddr: 0x0
p_paddr: 0x0
p_filesz: 0x0
p_memsz: 0x0
p_flags: 0x6
p_align: 0x0
Unhandled program header table entry type

p_type: 0x4
p_offset: 0x270
p_vaddr: 0x270
p_paddr: 0x270
p_filesz: 0x20
p_memsz: 0x20
p_flags: 0x4
p_align: 0x4
Unhandled program header table entry type

p_type: 0x6
p_offset: 0x40
p_vaddr: 0x40
p_paddr: 0x40
p_filesz: 0x2a0
p_memsz: 0x2a0
p_flags: 0x4
p_align: 0x8
Unhandled program header table entry type

p_type: 0x3
p_offset: 0x2e0
p_vaddr: 0x2e0
p_paddr: 0x2e0
p_filesz: 0x15
p_memsz: 0x15
p_flags: 0x4
p_align: 0x1
Unhandled program header table entry type

p_type: 0x1
p_offset: 0x0
p_vaddr: 0x0
p_paddr: 0x0
p_filesz: 0x2a004
p_memsz: 0x2a004
p_flags: 0x4
p_align: 0x1000

p_type: 0x1
p_offset: 0x2b000
p_vaddr: 0x2b000
p_paddr: 0x2b000
p_filesz: 0x42700
p_memsz: 0x42700
p_flags: 0x5
p_align: 0x1000
imap added: 76362b1000 76362f4000
imap 0x5859a7b0a8:
76361be000 - 7636272000
76362b1000 - 76362f4000

p_type: 0x1
p_offset: 0x6e000
p_vaddr: 0x6e000
p_paddr: 0x6e000
p_filesz: 0x3de0
p_memsz: 0x3de0
p_flags: 0x6
p_align: 0x1000

p_type: 0x1
p_offset: 0x71de0
p_vaddr: 0x72de0
p_paddr: 0x72de0
p_filesz: 0x2878
p_memsz: 0x6ae8
p_flags: 0x6
p_align: 0x1000

p_type: 0x7
p_offset: 0x6e000
p_vaddr: 0x6e000
p_paddr: 0x6e000
p_filesz: 0x0
p_memsz: 0x0
p_flags: 0x4
p_align: 0x40
Unhandled program header table entry type

p_type: 0x2
p_offset: 0x71060
p_vaddr: 0x71060
p_paddr: 0x71060
p_filesz: 0x240
p_memsz: 0x240
p_flags: 0x6
p_align: 0x8
Unhandled program header table entry type

p_type: 0x6474e552
p_offset: 0x6e000
p_vaddr: 0x6e000
p_paddr: 0x6e000
p_filesz: 0x3de0
p_memsz: 0x4000
p_flags: 0x4
p_align: 0x1
Unhandled program header table entry type

p_type: 0x6474e550
p_offset: 0x21aa4
p_vaddr: 0x21aa4
p_paddr: 0x21aa4
p_filesz: 0x17e4
p_memsz: 0x17e4
p_flags: 0x4
p_align: 0x4
Unhandled program header table entry type

p_type: 0x6474e551
p_offset: 0x0
p_vaddr: 0x0
p_paddr: 0x0
p_filesz: 0x0
p_memsz: 0x0
p_flags: 0x6
p_align: 0x0
Unhandled program header table entry type

p_type: 0x4
p_offset: 0x2f8
p_vaddr: 0x2f8
p_paddr: 0x2f8
p_filesz: 0x38
p_memsz: 0x38
p_flags: 0x4
p_align: 0x4
Unhandled program header table entry type
entry address: 0x76361d9ac0
Code cache: 0x7633ef7000
*thread_data in dispatcher at: 0x7633ef7268
Traces start at: 0x7634c64800
Syscall wrapper addr: 0x33ef71b4
scan(0x76361d9ac0)
A64 scan read_address: 0x76361d9ac0, w: : 0x7633ef7414, bb: 4
instruction enum: 36
instruction word: 0x910003e0
A64 scan read_address: 0x76361d9ac4, w: : 0x7633ef7418, bb: 4
instruction enum: 20
instruction word: 0x9400cc58
A64 branch target: 0x763620cc24
Address of first basic block is: 0x7633ef7400
Segmentation fault

And below is the crash information

2021-11-25 14:53:58.639 7258-7258/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-11-25 14:53:58.639 7258-7258/? A/DEBUG: Revision: '0'
2021-11-25 14:53:58.639 7258-7258/? A/DEBUG: ABI: 'arm64'
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: Timestamp: 2021-11-25 14:53:58+0800
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: pid: 7255, tid: 7255, name: mambo  >>> ./mambo <<<
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: uid: 2000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7633ef45e4
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x0  000000763620cc24  x1  0000000000000004  x2  0000007633d6f140  x3  0000007634ef7000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x4  0000000000000038  x5  8080808080808080  x6  fefefefefefefeff  x7  7f7f7f7f7f7f7f7f
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x8  0000007633d6f380  x9  0000007633ef45e4  x10 0000000000000010  x11 0000000000001c57
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x12 636f6c6220636973  x13 7830203a7369206b  x14 0000000000000010  x15 00e8000000000000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x16 0000005859a7ae38  x17 0000007633ef7268  x18 00000076b7c08000  x19 0000000020000000
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x20 0000000000000000  x21 0000000000000000  x22 0000007633d6f386  x23 0000007fd2744508
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x24 0000007633d6f370  x25 0000000000000042  x26 0000007fd27444f0  x27 0000005859a7647e
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     x28 0000007633d6f170  x29 0000007fd27441d0
2021-11-25 14:53:58.640 7258-7258/? A/DEBUG:     lr  0000007633ef710c  sp  0000007633d6ee90  pc  0000007633ef45e4  pst 0000000020001000
2021-11-25 14:53:58.653 7258-7258/? A/DEBUG: backtrace:
2021-11-25 14:53:58.653 7258-7258/? A/DEBUG:       #00 pc 00000000001845e4  <anonymous:7633d70000>

How can I fix this SIGSEGV to make it work on Android platform?

The attached file is the binary I compiled with cmake + clang for aarch64; it can run on Android devices with API >= 28.
mambo.zip

from mambo.

lgeek avatar lgeek commented on May 16, 2024

Hi @WanghongLin. Our position is the same as before: we don't officially support Android. But if you do a standard build of MAMBO on an Arm GNU/Linux system and copy the statically linked executable to an Android device, it should work. You don't need any of the patches from this issue.

Here's the current master branch HEAD running on my phone with the cachesim plugin enabled:

p:/data/local/tmp $ ./dbm /system/bin/toybox ls -al
total 1898
drwxrwx--x 2 shell shell    3488 2021-11-25 18:18 .
drwxr-x--x 4 root  root     3488 1970-01-02 07:00 ..
-rwxrwxrwx 1 shell shell 1935024 2021-11-25 18:18 dbm
We're done; exiting with status: 0

-- MAMBO cachesim 569b5f90-dirty --

Cache L1i: 49152 bytes, 64 byte lines, 3-way set-associative, LRU replacement policy

         2471364 references
         2471364 reads
               0 writes
            5156 misses total       (0.21% of references)
            5156 misses reads       (0.21% of references)
               0 misses writes      (0.00% of references)
               0 writebacks total   (0.00% of references)
               0 writebacks reads   (0.00% of references)
               0 writebacks writes  (0.00% of references)

Cache L1d: 32768 bytes, 64 byte lines, 2-way set-associative, LRU replacement policy

         1718398 references
         1225298 reads
          493100 writes
           44277 misses total       (2.58% of references)
           37377 misses reads       (2.18% of references)
            6900 misses writes      (0.40% of references)
           11255 writebacks total   (0.65% of references)
            7766 writebacks reads   (0.45% of references)
            3489 writebacks writes  (0.20% of references)

Cache L2: 1048576 bytes, 64 byte lines, 16-way set-associative, random replacement policy

           49433 references
           42533 reads
            6900 writes
           13445 misses total       (27.20% of references)
           10880 misses reads       (22.01% of references)
            2565 misses writes      (5.19% of references)
             910 writebacks total   (1.84% of references)
             752 writebacks reads   (1.52% of references)
             158 writebacks writes  (0.32% of references)

Note that the latest commit from the master branch is required because the Android libraries were trying to create an executable mapping without read permissions, which was previously making an assert fail.

from mambo.
