
#ifihadglass I would jailbreak it and modify the software - taytus
https://twitter.com/saurik/status/327856986278477824
======
guard-of-terra
Why would I even need a device that is supposed to become part of my mind but
that I _don't_ have root on?

Come on.

UPD: I already have a mind that I don't have "root" on. It's kind of a black
box. And it is counterproductive.

~~~
alex_marchant
Someone start working on a psychotropic that takes back control from the
amygdala and call it "su".

~~~
njloof
... And gives it to what? My prefrontal cortex volunteers, but it's always so
pushy.

~~~
nooneelse
My Broca's and Wernicke's areas often go on and on about how good a job they
would do with sudo privileges. And they say their arguments are well formed.

------
jacquesm
It's quite depressing that such a peripheral would need to be jailbroken in
the first place.

Computers got to where they are because they were hackable, not because they
were locked up.

~~~
ChrisClark
There is no need to 'jailbreak' it. It's built with the same idea as the Nexus
phones. It isn't 'fastboot unlock' but Glass has a specific command in adb to
unlock, so you can root it. Takes less than a minute, no need for exploits.

Tim Bray says, "Yes, Glass is hackable. Duh."

~~~
saurik
Apparently the previous person to provide your overall commentary got
downvoted enough that you likely don't see my response anymore, so I will
respond more directly here (making this reply sadly somewhat repetitive: I'm
sorry).

First, it actually does have fastboot oem unlock, and no: there is no
"specific command in adb" to unlock it; the command you are seeing people post
reboots the device into the bootloader, which can then be used with fastboot
oem unlock.

However, that isn't helpful; in fact, I had to use an exploit (not one I came
up with: a known one that affects all Android 4.0/4.1 devices) to accomplish
this. (So, my device actually still has a locked bootloader ;P.)

In order to go from "unlocked bootloader" to "root" you need a new image to
flash. The most common way to get this is to dump the kernel from the device
(as you know that that works), but guess what: you can't, as that requires
root.

The alternatives are either to have a stock image from the manufacturer that
you can extract a working kernel from (something Google did not provide for
the Glass, at least yet) or to build your own from the Linux source code.

Building your own kernel is, of course, possible, however it is quite
irritating, and there is no guarantee the result will work as there might be
binary blobs in loadable modules that you need, or other irritating hardware
checks.

You also need a good feel for what hardware the device has for this to be an
option, and Google disabled access to /proc/config, which makes the process of
building a vaguely compatible kernel all the more like guess-and-check.

So no, it isn't at all clear to me that it is so obvious that you can go from
nothing to "modified software" on the Google Glass. I'd like to see Tim Bray
explain how _he'd_ easily go about hacking on the thing ;P.

This is _especially_ the case as the Glass Guide (the fancy term for the
Google Glass sales person) who gave me the glass (I chose the option to go to
Google HQ to pick it up in person) seriously told me that the debug mode
feature (which gives you adb shell) is something that he thought they removed
from the units they were distributing. (I guess I was the first person to find
it during the at-Google demo and then ask what it would let me do ;P.)

~~~
angusgr
_Google disabled access to /proc/config, which makes the process of building a
vaguely compatible kernel all the more like guess-and-check._

Is there really no .config in their GPL release? AFAIK compile-time config is
a GPLv2 requirement as part of the "scripts used to control compilation" (the
Gpl-Violations FAQ specifically mentions Linux .config files.) I'd hope there's
either a .config or a defconfig that applies to Glass as-shipped.

(NB: I don't mean to dispute your overall point by this, just wondering.)

~~~
edderly
I haven't looked but I think you'd find the config file to be in their kernel
source under arch/arm/configs/.

~~~
DannyBee
It's the default config for the notle board, so you want "make
notle_defconfig".

~~~
saurik
(For historical clarity, in the code that was released after these comments
were posted.)

------
aren55555
Google Glass runs Android 4.0.4, which is subject to the adb restore race
condition; com.google.glass.logging fits the needed configuration.

<https://twitter.com/saurik/status/327857009754001408>

~~~
ChrisClark
Or you can just use adb to unlock it. It's built right in. It's not 'fastboot
unlock' but it's an actual adb command on Glass, specifically to unlock it so
you can root it.

No need to try and find a back door. As Tim Bray put it, "Yes, Glass is
hackable. Duh."

------
kvnn
I believe that demand will exist for software that requires jail breaking, and
hardware that interfaces with Glass's standard inputs.

Think of high-income professionals who can make $xx,xxx more per year by
face-identifying people in the street and knowing their job and income. I don't
believe Google's API supports this, and there are bounds of examples I'm sure.

------
DanBC
Wait, isn't this a public declaration of breaking some law or other? A few
years ago I'd be impressed but not worried. Now? I'm impressed and worried.

~~~
wvenable
<Honestly curious> What US/California law is this breaking? </Honestly
curious>

~~~
axusgrad
The DMCA provisions for circumventing an access control measure. Cell phone
unlocking had an exemption before, but is restricted again.

~~~
wvenable
It isn't immediately obvious to me that DMCA applies to jailbreaking a device;
has it been confirmed to apply? I understand it applies to breaking access
control measures on copyrighted materials but it seems to be a stretch to
apply it to jailbreaking in general.

~~~
alexwright
Some of the code on the device is no doubt a copyrighted work, eg the main
Glass APK and such. You can't dump some parts of Android without being root,
and getting root would count as circumvention.

I'm sure they wouldn't pursue it... but it's shitty enough that they could.

~~~
Gormo
But the measures that jailbreaking circumvents aren't intended to function as
copy protection - they're doing something else entirely.

And even if those measures are protecting copyright in addition to locking
down the device, has any court ever ruled on whether circumventing those
measures without intending to breach copyright is a violation?

If a car manufacturer decided to lock the hoods of the cars they sell so that
only authorized mechanics could access the engine, could they use the DMCA to
outlaw users from circumventing the hood-locks on their own cars merely by
printing some copyrighted text on the inside of the hood, and call it a
copy-protection measure?

~~~
alexwright
There was the DeCSS case; other than Sony's autorun CDs, I think that would be
the most trivial "DRM", but it was still ruled a violation to circumvent.

Auto manufacturers, along with printer manufacturers, are already using IP in
the on board diagnostics and printer cartridges to claim copyright violations
when people adjust or replace parts "without authorisation."

~~~
Gormo
Because the CSS code _was_ there for the purpose of preventing unauthorized
duplication of content, not to restrict people's ability to control the
functioning of their DVD players.

Regarding printer cartridges, there have already been court rulings [1] that
have determined that "jailbreaking" them _isn't_ a violation of the DMCA,
making the distinction specifically on the basis of whether the element of
the product being protected is "creative" or "functional". So we already know
from case law that the DMCA doesn't actually prohibit people from
circumventing functional lock-outs.

[1]:
[http://en.wikipedia.org/wiki/Lexmark_Int%27l_v._Static_Contr...](http://en.wikipedia.org/wiki/Lexmark_Int%27l_v._Static_Control_Components)

------
anonfunction
Last night me and my buddy were talking about the future of personal
transportation and how when cars (or helicopters) start flying themselves
people will resort to jailbreaking them to take back control.

~~~
tbrownaw
...why? Having _control_ of the car requires _paying attention_ to the car and
surroundings. I'd rather be able to ignore all that and have more time for
reading (whether educational or entertainment) and such.

~~~
slg
Some people actually enjoy driving/flying.

That said, in order to get the true efficiency of computer controlled
vehicles, it really helps to have them all computer controlled.

~~~
moheeb
I don't believe that anyone truly enjoys driving. If that were the case I
could say "I need a ride to North Dakota" and someone would totally be like
"yeah I love driving, hop in!"

That never happens. People that love surfing will surf at every opportunity
you give them, people that love eating will eat nearly anything you put in
front of them. People that love driving.....well I need a ride to North
Dakota.

~~~
Zak
Some people enjoy driving _in certain situations_. Few people get much
enjoyment out of guiding a car down the interstate; it's boring, but breaking
concentration can be rapidly fatal. No, I won't drive you to North Dakota.

Many people enjoy driving a sports car down a mountain road with light/no
traffic though. If you wanted me to drive you from Flagstaff to Sedona[0] in a
Mazda Miata, I'd do it happily, over and over. I would rather do that myself
than let a computer do it, even if the computer can do it safer and faster.

[0]
[https://maps.google.com/maps?q=flagstaff+to+sedona&saddr...](https://maps.google.com/maps?q=flagstaff+to+sedona&saddr=flagstaff&daddr=sedona&hl=en&ll=34.998785,-111.694565&spn=0.284612,0.41851&sll=30.34499,-81.683107&sspn=1.199363,1.674042&geocode=FUghGQIdL4VY-SkxJi7a944thzEAs9vOoTwfjg%3BFewRFAIdoqlW-SkNsEL5MqEthzH9jmz6I8VIVQ&t=h&z=12)

------
chriscoyfish
#healreadyhasglass

~~~
agravier
They should start using #asihaveglass or #wellnowihaveglass

~~~
saurik
(;P I did feel that was somewhat awkward, but I felt I satisfied the grammar
with the rest of my post.)

------
smegel
I wonder if one day it will be mandatory to wear some descendant of this
device in order to receive government bulletins, and if the jailbreakers
become some underground citizens rebellion against the corporate borg in
Google, which ironically still goes by the now-sinister mantra "don't be
evil".

~~~
derefr
I'd be okay with this being mandatory in some sense to our future descendants,
after it becomes ubiquitous enough that it's only the lone straggler who
_doesn't_ have one.

Not for government bulletins, though--for instant-vote referendums :)

------
thurn
Accessing root on a device by using the built-in debug mode counts as
"jailbreaking" now?

~~~
danilocampos
Really, dude? You're going to sass _saurik_ on the subject of jailbreaking?
Know your history.

~~~
obituary_latte
HN: where _everyone_ is an expert. A vile, condescending, hate-filled expert.

~~~
gfodor
Yeah, like you know anything about HN.

~~~
vlaskovits
Genius level trolling.

------
tomphoolery
Sometimes, I love you saurik.

Just this time...try not to capitalize too much on the whole thing ;)

------
brian_cloutier
Jailbreaking isn't quite as fun when it's a matter of

> reboot-bootloader

> fastboot oem unlock

~~~
saurik
That lets you flash the device, it doesn't give you root. To get root from
that you need to make a bootable image, which requires a compatible kernel,
which you normally pull off the device _as root_. Thankfully, there is a race
condition in the backup/restore mechanism that lets you do a symlink traversal
to unlock root adb (by modifying /data/local.prop).

(To be clear, though, this was a known exploit: it is normally done to the
Android Settings application, which isn't present on the Glass, but it turns
out that the Glass Logging service also has the right prerequisites to pull
off the attack, so I adapted the restore payload. The tweet I posted right
after this one made it clear what exploit I was using against what installed
package.)

~~~
brian_cloutier
I stand corrected.

Thanks for the explanation. Your next tweet was too cryptic for me to
understand so I didn't realize you were explaining your jailbreak method.

If I'm understanding you right though, this technique sounds fairly universal.
Does it affect any android device with an unlockable bootloader? Just devices
running a newer version of the adb daemon?

~~~
saurik
This exploit seems to affect almost every device running Android 4+ (I am not
certain about lower ones: all of the comments I've seen about the exploit talk
about 4.0/4.1, but it might be because 2.3 already had a pretty universal
root: GingerBreak). The person who wrote the most common implementation is
B1nary (but I don't think he came up with the exploit either; it wasn't clear
if the people he credited as having helped him did either... so I just cited
the exploit itself as that seemed sufficient), which may help you find the XDA
developers thread (which, as is usual, doesn't explain the exploit, it just
provides a wad of shell scripts you can download from a few random filelockers
;P).

The exploit requires not just something in adb: it requires the device have
the package for the backup service (I guess some don't, so B1nary's
implementation tries to work around this as the most common alternative
actually had a similar bug) and that there be a system package installed that
1) is not marked allowBackup="false" and 2) is marked with
sharedUserId="android.uid.system". The normal Android Settings app has these
properties, as does the Glass Logging service. It is thereby a trivial thing
to mitigate, even without any extensive code changes: these packages don't
need to be backed up anyway (backing up Settings, for example, results in an
empty file... it has no data of its own, so it has no reason to avoid
allowBackup="false").

The way it then works is that the backup service, in order to extract files
with the right permissions, does a setuid to the owner of the package being
restored (in this case that is root, so it continues to be root). It then
extracts the restore image (which is a compressed tar file with a special
header) to the package's data directory, and as it does so it honors the
access flags of the files and directories. You then make a world-writable
directory with numerous very large files, which slows down the process. As it
extracts the files, you use adb shell access to add a symlink from a file in
that folder to /data/local.prop. You have that file in the backup contain a
/data/local.prop that forces adb to give you root access.

(Note: with those modifications, which typically include telling the system
you are running in the qemu debugger, Glass actually doesn't work correctly
due to an assumption it makes that Bluetooth will work, which the qemu
debugger I guess doesn't normally support. However, it is then easy to drop a
copy of su, mark it setuid, delete the local.prop, and reboot to a system that
is now pristine except for the one modification of setuid su.)

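The mitigation saurik describes above is a manifest-level check: a system package is exposed to the backup/restore race only when it both shares `android.uid.system` and leaves backup enabled (Android treats a missing `allowBackup` attribute as `true`). The following audit script is an added example, not code from the thread or from Google; it parses `AndroidManifest.xml` text with the standard library and reports which packages meet both preconditions so the `allowBackup="false"` fix can be applied. The three sample manifests are constructed for illustration (the `com.google.glass.logging` package name is taken from the thread; its manifest contents are not).

```python
"""Audit AndroidManifest.xml files for system-uid packages that still allow backup.

Added example (not from the thread). Flags the two preconditions described in the
discussion: sharedUserId="android.uid.system" combined with allowBackup not set
to "false". Remediation is to add android:allowBackup="false" to <application>.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml: str) -> dict:
    """Return the package's backup/uid posture and whether it is exposed."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    shared_user = _android_attr(root, "sharedUserId")
    allow_backup = _android_attr(root.find("application"), "allowBackup")

    runs_as_system = shared_user == "android.uid.system"
    # The platform default for allowBackup is "true" when the attribute is missing,
    # so only an explicit "false" closes the backup/restore path.
    backup_enabled = allow_backup is None or allow_backup.strip().lower() != "false"

    return {
        "package": package,
        "sharedUserId": shared_user,
        "allowBackup": allow_backup,
        "exposed": runs_as_system and backup_enabled,
    }


def exposed_packages(manifests) -> list:
    """Names of packages that meet both preconditions, in input order."""
    return [r["package"] for r in map(audit_manifest, manifests) if r["exposed"]]


# Constructed sample manifests (package names and attributes are illustrative).
SAMPLE_MANIFESTS = [
    # System uid, allowBackup absent -> defaults to true -> exposed.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.google.glass.logging"
            android:sharedUserId="android.uid.system">
          <application android:label="Logging"/>
       </manifest>""",
    # System uid, but backup explicitly disabled -> not exposed.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.example.settings"
            android:sharedUserId="android.uid.system">
          <application android:allowBackup="false"/>
       </manifest>""",
    # Ordinary app uid with backup enabled -> restore runs as that app, not root.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.example.notes">
          <application android:allowBackup="true"/>
       </manifest>""",
]

if __name__ == "__main__":
    for result in map(audit_manifest, SAMPLE_MANIFESTS):
        status = "EXPOSED" if result["exposed"] else "ok"
        print("%-28s sharedUserId=%-20s allowBackup=%-6s %s" % (
            result["package"], result["sharedUserId"],
            result["allowBackup"], status))
```

Run it against the manifests extracted from a firmware image's system APKs (for example with apktool) rather than the constructed samples; any package reported as EXPOSED is one where adding `android:allowBackup="false"` removes the precondition without touching the backup service itself, which is the low-cost fix the post describes.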
------
sturmeh
Except it's not called jailbreaking on an Android device.

------
dannowatts
saurik: doing god's work!

