├── .gitignore ├── README.md ├── build-all.bash ├── build-one.bash ├── files ├── shim.make └── wireguard.xml ├── kernels ├── bonito │ ├── do.bash │ ├── manifest.xml │ └── version-hashes.txt ├── coral │ ├── do.bash │ ├── manifest.xml │ └── version-hashes.txt ├── crosshatch │ ├── do.bash │ ├── manifest.xml │ └── version-hashes.txt ├── marlin │ ├── do.bash │ ├── manifest.xml │ ├── tvec_base_deferrable-hack.patch │ └── version-hashes.txt ├── ocn │ ├── do.bash │ ├── manifest.xml │ └── version-hashes.txt └── wahoo │ ├── do.bash │ ├── manifest.xml │ └── version-hashes.txt └── util ├── extract-version-hash-from-factory.bash ├── server.conf └── sign-and-upload.bash /.gitignore: -------------------------------------------------------------------------------- 1 | out/ 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Android WireGuard Module Builder 2 | 3 | This builds [WireGuard](https://www.wireguard.com/) modules for various Android kernels. 4 | 5 | ### Adding your phone's kernel 6 | 7 | 1. Create a directory in `kernels/` if it doesn't already exist. 8 | 9 | 2. Add a corresponding `manifest.xml`, with versions based on stable non-moving tags and refs. 10 | 11 | 3. Add a `do.bash` with minimal commands for conducting the build. 12 | 13 | 4. Add a `version-hashes.txt` containing the output of `printf '%s|%s\n' "$(sha256sum < /proc/version | cut -d ' ' -f 1)" "$(cat /proc/version)"` from your phone. 14 | 15 | Note that if a kernel directory already exists that is compatible (i.e. the module loads and works) with your phone's kernel, simply skip to step 4 and append the line. 
16 | 17 | ### Building 18 | 19 | Build all kernels: 20 | 21 | ``` 22 | $ ./build-all.bash 23 | ``` 24 | 25 | Build just one: 26 | 27 | ``` 28 | $ ./build-one.bash crosshatch 29 | ``` 30 | 31 | ### Downloading 32 | 33 | These are built, signed, and uploaded to [the WireGuard download server](https://download.wireguard.com/android-module/). They can automatically be used by the [WireGuard app](https://play.google.com/store/apps/details?id=com.wireguard.android): 34 | 35 | ![WireGuard app downloading and inserting kernel module](https://data.zx2c4.com/wireguard-android-download-kernel-module.gif) 36 | -------------------------------------------------------------------------------- /build-all.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | BASE="$(readlink -f "$(dirname "$(readlink -f "$0")")")" 5 | for i in "$BASE"/kernels/*; do 6 | KERNEL="${i##*/}" 7 | [[ -d "$BASE/kernels/$KERNEL" ]] || continue 8 | "$BASE/build-one.bash" "$KERNEL" 9 | done 10 | -------------------------------------------------------------------------------- /build-one.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | [[ $# -eq 1 ]] || { echo "Usage: $0 KERNEL_NAME" >&2; exit 1; } 5 | BASE="$(readlink -f "$(dirname "$(readlink -f "$0")")")" 6 | KERNEL_DIR="$BASE/kernels/$1" 7 | [[ -d $KERNEL_DIR ]] || { echo "Error: '$0' does not exist" >&2; exit 1; } 8 | 9 | # Step 1) Account for already built modules by hard linking new hashes to the old names. 
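# Look for a module that an earlier run already produced for any of the
# /proc/version hashes listed for this kernel.
first=""
while IFS='|' read -r hash _; do
  if [[ -f "$BASE/out/wireguard-$hash.ko" ]]; then
    first="$hash"
    break
  fi
done < "$KERNEL_DIR/version-hashes.txt"

# If one exists, hard link every missing hash to it and stop: nothing is
# rebuilt. Nothing here checks that the existing file was built from the
# current manifest.xml, so a stale out/ directory is reused as-is; remove the
# old wireguard-*.ko files first when a rebuild is intended.
if [[ -n "$first" ]]; then
  while IFS='|' read -r hash _; do
    [[ -f "$BASE/out/wireguard-$hash.ko" ]] \
      || ln "$BASE/out/wireguard-$first.ko" "$BASE/out/wireguard-$hash.ko"
  done < "$KERNEL_DIR/version-hashes.txt"
  exit 0
fi

# Step 2) Make working directory.
# mktemp gives an unpredictable, private directory; the trap removes it on
# every exit path, including interruption.
D="$(mktemp -d)"
trap 'rm -rf "$D"' INT TERM EXIT
cd "$D"

# Step 3) Initialize repo with manifests and fetch repositories.
# repo wants its manifest in a git repository, so a throwaway one is created
# around this kernel's manifest.xml. What gets built is whatever that manifest
# and files/wireguard.xml resolve to at sync time; the README asks for stable
# non-moving tags and refs for that reason.
mkdir -p manifest
cd manifest
git init --initial-branch=master
git config user.email "$(id -un)@$(hostname)"
git config user.name "$(id -un)"
cp "$KERNEL_DIR/manifest.xml" default.xml
git add default.xml
git commit -m "Initial commit"
cd ..
repo init -u ./manifest
mkdir -p .repo/local_manifests
cp "$BASE/files/wireguard.xml" .repo/local_manifests/
repo sync

# Step 4) Inject shim module and launch build.
mkdir -p wireguard
cp "$BASE/files/shim.make" wireguard/Makefile

# do.bash reports the path of the built module on fd 7. fd 9 keeps a copy of
# our stdout so the build log still reaches it, while fd 7 is pointed at the
# process substitution that `read` consumes.
exec 9>&1
read -r output < <("$BASH" "$KERNEL_DIR/do.bash" 7>&1 >&9)
# Close the saved descriptor. The previous `exec 9>-` did not close anything:
# it opened a file literally named "-" in the working directory on fd 9.
exec 9>&-

# Stop with a diagnostic instead of a silent `set -e` exit when the reported
# path is not a regular file.
[[ -f "$output" ]] || { echo "Error: build did not produce a module at '$output'" >&2; exit 1; }

# Step 5) Copy first module out and hard link the rest.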
53 | mkdir -p "$BASE/out" 54 | first="" 55 | while IFS='|' read -r hash vers; do 56 | if [[ -z $first ]]; then 57 | cp "$output" "$BASE/out/wireguard-$hash.ko" 58 | first="$hash" 59 | else 60 | ln "$BASE/out/wireguard-$first.ko" "$BASE/out/wireguard-$hash.ko" 61 | fi 62 | done < "$KERNEL_DIR/version-hashes.txt" 63 | -------------------------------------------------------------------------------- /files/shim.make: -------------------------------------------------------------------------------- 1 | modules: 2 | @$(MAKE) -C $(KERNEL_SRC) M=$$(readlink -f ../wireguard-linux-compat/src) modules 3 | 4 | modules_install: 5 | @$(MAKE) -C $(KERNEL_SRC) M=$$(readlink -f ../wireguard-linux-compat/src) modules_install 6 | 7 | .PHONY: modules modules_install 8 | -------------------------------------------------------------------------------- /files/wireguard.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /kernels/bonito/do.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | echo 'EXT_MODULES="${EXT_MODULES} wireguard"' >> private/msm-google/build.config.common 4 | echo 'ccflags-y += -Wno-unused-variable' >> wireguard-linux-compat/src/Kbuild 5 | ./build/build.sh 6 | readlink -f out/android-msm-pixel-4.9/dist/wireguard.ko >&7 7 | -------------------------------------------------------------------------------- /kernels/bonito/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /kernels/bonito/version-hashes.txt: -------------------------------------------------------------------------------- 1 | 92dc78e0f08c63fc87ae5160d7de8c3244998f9e4eaa5151ec0655be4cdf0af4|Linux 
version 4.9.237-g4291d86870f1-ab7185835 (android-build@abfarm625) (Android (6443078 based on r383902) clang version 11.0.1 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #0 SMP PREEMPT Fri Mar 5 04:23:37 UTC 2021 2 | -------------------------------------------------------------------------------- /kernels/coral/do.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | BASE="$(readlink -f "$(dirname "$(readlink -f "$0")")")" 4 | echo 'EXT_MODULES="${EXT_MODULES} wireguard"' >> private/msm-google/build.config.common 5 | echo 'ccflags-y += -Wno-unused-variable' >> wireguard-linux-compat/src/Kbuild 6 | ./build/build.sh 7 | ./prebuilts-master/clang/host/linux-x86/clang-r353983c/bin/llvm-strip -strip-debug out/android-msm-floral-4.14/dist/wireguard.ko 8 | readlink -f out/android-msm-floral-4.14/dist/wireguard.ko >&7 9 | -------------------------------------------------------------------------------- /kernels/coral/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /kernels/coral/version-hashes.txt: -------------------------------------------------------------------------------- 1 | b56c2622397d84196c8781ba12601c7091e665ad63327d1a47bd18c8c94f555e|Linux version 4.14.199-gaf03eef7d4c3-ab7185840 (android-build@abfarm-east4-103) (Android (6443078 based on r383902) clang version 11.0.1 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #1 SMP PREEMPT Fri Mar 5 04:26:05 UTC 2021 2 | -------------------------------------------------------------------------------- /kernels/crosshatch/do.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set 
-ex 3 | echo 'EXT_MODULES="${EXT_MODULES} wireguard"' >> private/msm-google/build.config.common 4 | echo 'ccflags-y += -Wno-unused-variable' >> wireguard-linux-compat/src/Kbuild 5 | ./build/build.sh 6 | readlink -f out/android-msm-pixel-4.9/dist/wireguard.ko >&7 7 | -------------------------------------------------------------------------------- /kernels/crosshatch/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /kernels/crosshatch/version-hashes.txt: -------------------------------------------------------------------------------- 1 | 5f1fd410564159af1b5c546943bbaa7072a99c59ab048e9f123cd76bc746c849|Linux version 4.9.237-g4291d86870f1-ab7185835 (android-build@abfarm-east4-050) (Android (6443078 based on r383902) clang version 11.0.1 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #0 SMP PREEMPT Fri Mar 5 04:23:11 UTC 2021 2 | -------------------------------------------------------------------------------- /kernels/marlin/do.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | BASE="$(readlink -f "$(dirname "$(readlink -f "$0")")")" 4 | patch -d wireguard-linux-compat -p1 < "$BASE/tvec_base_deferrable-hack.patch" 5 | echo 'EXT_MODULES="${EXT_MODULES} wireguard"' >> private/msm-google/build.config 6 | ./build/build.sh 7 | readlink -f out/android-msm-marlin-3.18/dist/wireguard.ko >&7 8 | -------------------------------------------------------------------------------- /kernels/marlin/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- 
/kernels/marlin/tvec_base_deferrable-hack.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/ratelimiter.c b/src/ratelimiter.c 2 | index e33ec72a..5062e329 100644 3 | --- a/src/ratelimiter.c 4 | +++ b/src/ratelimiter.c 5 | @@ -19,6 +19,7 @@ 6 | #include 7 | #include 8 | #include 9 | +#include 10 | #include 11 | 12 | static struct kmem_cache *entry_cache; 13 | @@ -29,6 +30,7 @@ static u64 init_refcnt; /* Protected by init_lock, hence not atomic. */ 14 | static atomic_t total_entries = ATOMIC_INIT(0); 15 | static unsigned int max_entries, table_size; 16 | static void wg_ratelimiter_gc_entries(struct work_struct *); 17 | +struct tvec_base { char herp_derp; } tvec_base_deferrable; 18 | static DECLARE_DEFERRABLE_WORK(gc_work, wg_ratelimiter_gc_entries); 19 | static struct hlist_head *table_v4; 20 | #if IS_ENABLED(CONFIG_IPV6) 21 | 
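Review bot: The `tvec_base_deferrable` definition added ahead of `DECLARE_DEFERRABLE_WORK` is a non-static global with a placeholder member and no comment, so nothing in the file says why it exists or that it must never be used as a real timer base. A comment such as `/* Placeholder so DECLARE_DEFERRABLE_WORK resolves in a module; the real base is copied in by wg_ratelimiter_init(). */` would record that, assuming that is the intent. In the `wg_ratelimiter_init` hunk that follows, the base copy runs before `mutex_lock(&init_lock)` and on every call rather than only when `++init_refcnt` reaches 1, so a later call can rewrite `gc_work.timer.base` while the work may already be queued; moving the `setup_deferrable_timer_on_stack` call and the assignment below the `goto out` check would confine them to first initialisation. That hunk also sets up `dummy_timer` on the stack without a matching `destroy_timer_on_stack(&dummy_timer);`, which matters on kernels built with timer debug objects.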
@@ -169,6 +171,10 @@ err_oom: 22 | 23 | int wg_ratelimiter_init(void) 24 | { 25 | + struct timer_list dummy_timer; 26 | + setup_deferrable_timer_on_stack(&dummy_timer, NULL, 0); 27 | + gc_work.timer.base = dummy_timer.base; 28 | + 29 | mutex_lock(&init_lock); 30 | if (++init_refcnt != 1) 31 | goto out; 32 | -------------------------------------------------------------------------------- /kernels/marlin/version-hashes.txt: -------------------------------------------------------------------------------- 1 | 65de97cf5e79e3657d63ee4e6aad222d9e32b35876e19b7818599d3aaa428899|Linux version 3.18.137-g72a7a64494e (android-build@wphn3.hot.corp.google.com) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Sep 27 18:40:34 UTC 2019 2 | -------------------------------------------------------------------------------- /kernels/ocn/do.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | cd kernel 5 | ln -s ../../wireguard-linux-compat/src net/wireguard 6 | 7 | # Inject the kernel module. 
Reference: https://git.zx2c4.com/android_kernel_wireguard/tree/patch-kernel.sh 8 | [[ $(< net/Makefile) == *wireguard* ]] || sed -i "/^obj-\\\$(CONFIG_NETFILTER).*+=/a obj-\$(CONFIG_WIREGUARD) += wireguard/" net/Makefile 9 | [[ $(< net/Kconfig) == *wireguard* ]] || sed -i "/^if INET\$/a source \"net/wireguard/Kconfig\"" net/Kconfig 10 | 11 | # Based on Readme.txt in ocndtwl-4.4.153-perf-g0041d80.tar.gz, which is in turn downloaded from htcdev.com 12 | mkdir out 13 | make ARCH=arm64 CROSS_COMPILE="$PWD/../aarch64-linux-android-4.9/bin/aarch64-linux-android-" O=out htcperf_defconfig 14 | make ARCH=arm64 CROSS_COMPILE="$PWD/../aarch64-linux-android-4.9/bin/aarch64-linux-android-" O=out -j$(nproc) 15 | 16 | ../aarch64-linux-android-4.9/bin/aarch64-linux-android-strip --strip-debug out/net/wireguard/wireguard.ko 17 | readlink -f out/net/wireguard/wireguard.ko >&7 18 | -------------------------------------------------------------------------------- /kernels/ocn/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /kernels/ocn/version-hashes.txt: -------------------------------------------------------------------------------- 1 | 80ee34126cd97c9a15bc3b970a6f38ce30852d0b8547dbcc43eee22956aa1934|Linux version 4.4.153-perf-g66b46bd (and@AABM) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Nov 7 21:09:01 CST 2019 2 | -------------------------------------------------------------------------------- /kernels/wahoo/do.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | echo 'EXT_MODULES="${EXT_MODULES} wireguard"' >> private/msm-google/build.config 4 | ./build/build.sh 5 | readlink -f out/android-msm-wahoo-4.4/dist/wireguard.ko >&7 6 | -------------------------------------------------------------------------------- 
/kernels/wahoo/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /kernels/wahoo/version-hashes.txt: -------------------------------------------------------------------------------- 1 | 1135b316f87e3952cf52f646c442992029a643f09489e164f0b756296c14e36e|Linux version 4.4.223-g52750b8f2138-ab6846512 (android-build@abfarm-us-west1-c-0099) (Android (6443078 based on r383902) clang version 11.0.1 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)) #1 SMP PREEMPT Fri Sep 18 09:49:34 UTC 2020 2 | -------------------------------------------------------------------------------- /util/extract-version-hash-from-factory.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | URL="$1" 5 | # Expecting URL like https://dl.google.com/dl/android/aosp/crosshatch-qp1a.191005.007-factory-2989a08d.zip 6 | [[ -n $URL ]] || { echo "Usage: $0 URL" >&2; exit 1; } 7 | 8 | D="$(mktemp -d)" 9 | trap 'rm -rf "$D"' INT TERM EXIT 10 | cd "$D" 11 | 12 | curl -#o out.zip "$URL" 13 | bsdtar --strip-components 1 -xvf out.zip 14 | bsdtar -xvf image-*.zip boot.img 15 | abootimg -x boot.img 16 | unlz4 zImage Image 17 | version="$(strings Image | grep '^Linux version [^%]' | head -n 1)" 18 | [[ -n $version ]] || { echo "ERROR: no proper version in image" >&2; exit 1; } 19 | printf '\n==========================================\n\n%s|%s\n' "$(echo "$version" | sha256sum | cut -d ' ' -f 1)" "$version" 20 | -------------------------------------------------------------------------------- /util/server.conf: -------------------------------------------------------------------------------- 1 | WEB_SERVER=metheny.zx2c4.com 2 | SERVER_PATH=/var/www/htdocs/download.wireguard.com/android-module/ 3 | 
SIGNING_KEY="$HOME/Projects/yubihsm/keys/wireguard-android-module.sec" 4 | -------------------------------------------------------------------------------- /util/sign-and-upload.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | BASE="$(readlink -f "$(dirname "$(readlink -f "$0")")")" 5 | source "$BASE/server.conf" 6 | SSH_OPTS=( -q -o ControlMaster=auto -o ControlPath=../.ssh-deployment.sock ) 7 | 8 | cd "$BASE/../out" 9 | sha256sum *.ko > modules.txt 10 | signify -S -e -s "$SIGNING_KEY" -m modules.txt 11 | rm modules.txt 12 | 13 | ssh "${SSH_OPTS[@]}" -Nf "$WEB_SERVER" 14 | ssh -t "${SSH_OPTS[@]}" $WEB_SERVER "sudo -u nginx -v" 15 | rsync -aizm --delete --rsh="ssh ${SSH_OPTS[*]}" --rsync-path="sudo -n -u nginx rsync" ./ "$WEB_SERVER:$SERVER_PATH" 16 | ssh -t "${SSH_OPTS[@]}" "$WEB_SERVER" "sudo chown -R nginx:nginx '$SERVER_PATH'" 17 | ssh -t "${SSH_OPTS[@]}" "$WEB_SERVER" "sudo find '$SERVER_PATH' -type f -exec chmod 640 {} \;; sudo find '$SERVER_PATH' -type d -exec chmod 750 {} \;;" 18 | ssh -O exit "${SSH_OPTS[@]}" "$WEB_SERVER" 19 | 20 | --------------------------------------------------------------------------------