Gorilla for Android

zdia edited this page Sep 17, 2011 · 19 revisions

in work …

Thanks to David Welton there is a way to port Tcl programs to the Android™ platform with Hecl. For further details to this script language for the Android platform see the site: http://www.hecl.org/

The following steps are planned:

  • implementing the Twofish and sha256 algorithm in pure Tcl and as a C extension
  • database access replacing Itcl calls by Hecl objects
  • coding a command-line interface
  • building a GUI with Android widgets

Installing the developing environment

The Android SDK

Download the SDK from http://dl.google.com/android/android-sdk_r12-linux_x86.tgz and follow the installation guide: http://developer.android.com/sdk/installing.html

The emulator

The emulator (http://developer.android.com/guide/developing/tools/emulator.html) is called by

emulator -avd <name-of-virtual-device>

to be found in .android/avd

Pressing F2 (the menu key) will unlock the system

Access the virtual SDcard

The SDcard is to be found here: ~/.android/avd/test.avd/sdcard.img

it can be mounted via mount -loop or via adb push

Install Hecl

For information see: http://www.hecl.org/
Download http://www.hecl.org/downloads/hecl-20100628.tgz and decompress it in a folder of your working directory, e.g. ~/hecl

Change to the Hecl folder and type:

ant android-install (or android-reinstall)

to build Hecl. If the emulator is running then Hecl will should be automatically installed. But I got a permission error. So install the file manually:

$ adb install Hecl-debug.apk 

For having a look into the Android machine use:

adb shell

You will find org.hecl.android-1.apk in the folder /data/app

Editing the main Hecl script

The package that gets sent to the emulator resides in
android/bin/Hecl.apk, and is basically a .zip file. This means that
it’s possible to modify the Hecl script contained therein and
repackage the .apk without recompiling anything:

  1. Go to the android directory.
    cd android/
  2. Replace the script.hcl file in Hecl.apk with our modifications.
    zip -r bin/Hecl.apk res/raw/script.hcl
  3. Send it to the emulator.
    /opt/android_sdk_linux_m3-rc22a/tools/adb install bin/Hecl.apk

With the Hecl script executed being res/raw/script.hcl.

Interactive access to a running Hecl server on Android

To test script
Start the Hecl-Server with the main menu and follow this guide:

Running Hecl server on port ${port}.
You can telnet to this port to interact with Hecl after running this command: adb forward tcp:7405
Since the interpreter that you are accessing is a sub-interpreter, to run commands in the main interpreter, which has access to the Android GUI thread, you have to pass them with the
maineval command, like this: maineval { … code … }

To stop the telnet connection type: adb kill-server

Working with Hecl’s commandline interpreter

ant packageCommandline
java -jar jars/j2se/Hecl.jar

System.out.println(“message”; will be sent to the console.

Adding a new Hecl command

see http://www.hecl.org/docs/creating_new_hecl_commands.html

in the main method of Hecl/commandline/Hecl.java a method
extend(interp) is called where the new command can be added:

We add our new command “hello”:

public static void extend(Interp ip) throws HeclException {
        ip.addCommand("hello", new HelloCmd());

The result is:

hecl> hello
Hello world - this is a new Hecl command

Implementation of password encryption with sha256

The use of the encryption instance for sha256 needs to catch the exception NoSuchAlgorithmException which is thrown per definition. Thus we need to import the two following packages:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

We take the string password passed from the console and use it in the new defined class Sha256Cmd (/hecl/core/org/hecl/Sha256cmd.java) with the following three lines:

MessageDigest md = MessageDigest.getInstance("SHA-256");
byte byteData[] = md.digest();

We add the the new command sha256 to the file …/commandline/Hecl.java:

public static void extend(Interp ip) throws HeclException {
			ip.addCommand("sha256", new Sha256Cmd());

The result is after converting the byte array to hex format:

hecl> sha256 123456
Hex format: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92

Adding cipher classes

Basic information: David Hook, Beginning Cryptography with Java, Indianopolis 2005

Preliminary steps:

  • Add provider BouncyCastle
  • Add Unrestricted Policy Files http://download.oracle.com/otn-pub/java/jce_policy/6/jce_policy-6.zip

We start a little test call in Java for the 8-byte Blowfish cipher in ECB mode with input 0×0000000000000000 and key 0×0000000000000000:

Cipher        cipher = Cipher.getInstance("Blowfish/ECB/NoPadding", "BC");

Then we have:

dia[src]$ javac chapter2/SimpleSymmetricExample.java 
dia[src]$ java chapter2.SimpleSymmetricExample

input text : 0000000000000000
cipher text: 4ef997456198dd78 bytes: 8
plain text : 0000000000000000 bytes: 8

According to http://www.schneier.com/code/vectors.txt the result should be:

cipher text: 4EF997456198DD78

Let’s make a Twofish test in ECB mode (see: Twofish ECB test vectors, from http://www.schneier.com/code/ecb_ival.txt

input text : 00000000000000000000000000000000
cipher text: 9f589f5cf6122c32b6bfec2f2ae8c35a bytes: 16
plain text : 00000000000000000000000000000000 bytes: 16

Equals to Bruce Schneier’s test result: 9F589F5CF6122C32B6BFEC2F2AE8C35A

File access

So we can prepare for reading a pwsafe3 database. How to get access to a file working with java -jar Hecl.jar?:


hecl> set fh [open test.txt w]
hecl> $fh write "noch eine zeile"
hecl> $fh flush
hecl> exit
dia[j2se]$ cat test.txt 
noch eine zeile


hecl> set fh [open test.txt r]
hecl> set text [$fh read 4]
hecl> $fh close 
hecl> puts $text

Summary of methods for the stream object:

$filehandler close, read ?byte(s)?, readln, write string, writeln, flush

Add new provider

BouncyCastle provides a Twofish engine

PWGorilla status

pwsafe3 files can be read by help of new commands:

  • sha256 message
  • sha256hmac message key
  • twofish::encrypt -ebc message key
  • twofish::encrypt -cbc message key initialization-vector

db::getFieldValue recordnumber fieldnumber works

Testing with the Android emulator

create api-8 avd
ant android-reinstall
adb install Hecl…
start Hecl server
$ adb forward tcp:7405 tcp:7405
$ telnet localhost 7405
Connected to localhost (
Escape character is ‘^]’.

> file.size /sdcard/jtcl.jar
> set fh [open /sdcard/jtcl.jar r]
> $fh read 4
> $fh readhex 4
> $fh close

Package files and own commands are successfully compiled

A first test fails. adb logcat shows in regard to BouncyCastle classes the following error type:

I/dalvikvm(  668): DexOpt: not resolving ambiguous class 'Lorg/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers;'
D/dalvikvm(  668): DexOpt: not verifying 'Lorg/bouncycastle/jce/provider/JCESecretKeyFactory$PBEWithMD5And128BitAESCBCOpenSSL;': multiple definitions
D/dalvikvm(  668): DexOpt: not rverifying 'Lorg/bouncycastle/jce/provider/JCESecretKeyFactory$PBEWithMD5And192BitAESCBCOpenSSL;': multiple definitions

Hints in different forums pointed to the fact that Android already has included a crippled BouncyCastle package which can’t be replaced by an updated and full BouncyCastle package, and so there would be always ambigousity for the Dalvik interpreter.

A solution in renaming the BouncyCastle package can be found here:

Spongy Castle aims to be a full replacement for the crippled versions of the Bouncy Castle cryptographic libraries which ship with Android. You can read more about the project here:


The downloaded scprov-jdk15- has to be put into the folder /platform-tools/lib where ant will find and compile it into the dex.classes file.

If we add some preprocessor commands to GorillaCmds.java then we will have the SpongyCastle package ready for the Android compile run.

//#if android
	import org.spongycastle.jce.provider.BouncyCastleProvider;
	import org.bouncycastle.jce.provider.BouncyCastleProvider;

Finally we get the desired result like before with the Hecl commandline interpreter from the Hecl server, too:

> source /sdcard/gorilla.hcl
hmac	146b1e408d6bf297422f28d65cf0a4fa3deceec3a774da9e1c653719c7f222c4
myhmac	146b1e408d6bf297422f28d65cf0a4fa3deceec3a774da9e1c653719c7f222c4
=== Step 4: Hmac authentification of all data fields proved
+++ File is read successfully

This was a proof of concept for granting access to a pwsafe database on Android. A Android Gui has to follow.

New page: Creating a PWGorilla GUI for Android with Hecl