Hi Guys,
I am looking for methods to get root on my Linux smart TV. Anyone have any ideas?
I ran Metasploit against it and had no luck; it did find some open ports for UPnP and something called TwonkyMedia, but I was not able to get anywhere with that.
I have a Hisense LTDN50K220GWUS (Hisense 50H5GB) Smart TV that is running what appears to be a customized version of "Opera TV OS".
It's running "Linux-3.0.13" and uses U-Boot. I tried connecting a USB keyboard to the ports and pounding Escape and other buttons, but that didn't get me anywhere.
Using binwalk I was able to extract some info from a ROM firmware image:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
613 0x265 Unix path: /DTV/ROMCODE/NANDBOOT/V01.00
778954 0xBE2CA ELF, 32-bit LSB relocatable, ARM, version 1 (SYSV)
779300 0xBE424 Unix path: /home/gfkfcmo/CMO/MTK5651_US_II_WFD/vm_linux/chiling/uboot/drv_lib/mt5880/inc
1188782 0x1223AE UBI volume ID header, version: 1, type: 1, volume id: 0, size: 0
1190830 0x122BAE UBIFS superblock node, CRC: 0x50BF95C5, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 1016, max erase blocks: 3271, format version: 4, compression type: lzo
1321902 0x142BAE UBIFS master node, CRC: 0xCC5C7044, highest inode: 2313, commit number: 0
1452974 0x162BAE UBIFS master node, CRC: 0xC06C8559, highest inode: 2313, commit number: 0
2632671 0x282BDF XML document, version: "1.0"
2633575 0x282F67 XML document, version: "1.0"
2636223 0x2839BF XML document, version: "1.0"
2637455 0x283E8F XML document, version: "1.0"
{{{ TRUNCATED }}}
132181160 0x7E0ECA8 Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
132236386 0x7E1C462 Unix path: /i686/bin/../sysroot/usr/include
132240154 0x7E1D31A Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*=
132277477 0x7E264E5 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132295801 0x7E2AC79 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132320817 0x7E30E31 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132336687 0x7E34C2F Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132337438 0x7E34F1E Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132362676 0x7E3B1B4 Base64 standard index table
132404806 0x7E45646 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132432505 0x7E4C279 mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132462804 0x7E538D4 Base64 standard index table
132499502 0x7E5C82E Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132532241 0x7E64811 mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132547032 0x7E681D8 Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
133142037 0x7EF9615 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133142057 0x7EF9629 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133599305 0x7F69049 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134172625 0x7FF4FD1 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134360038 0x8022BE6 Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 7064247 bytes, 126 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:46:16
141462558 0x86E8C1E Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
168987734 0xA128C56 Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
196508814 0xBB67C8E uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
196508878 0xBB67CCE LZO compressed data
196508929 0xBB67D01 uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
197183535 0xBC0C82F SHA256 hash constants, little endian
198761115 0xBD8DA9B uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
198761179 0xBD8DADB LZO compressed data
198761230 0xBD8DB0E uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
199435836 0xBE3263C SHA256 hash constants, little endian
The firmware can be found here; it's a zipped *.pkg file: http://hisense-usa.com/support/firmware/50H5G_V00.01.130a.F0113_us.zip
If it helps, I also have the ports that Metasploit was able to find on it:
Code:
10.0.0.76 unknown 8060 tcp
10.0.0.76 upnp 9085 tcp TwonkyMedia UPnP UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1
10.0.0.76 13000 tcp
10.0.0.76 tcpwrapped 56789 tcp
10.0.0.76 tcpwrapped 56790 tcp
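The binwalk output above reports two uImage headers per slot, each with a header CRC, a data CRC, a load address of 0x7FC0, an entry point of 0x8000 and the name "Linux-3.0.13", and an "LZO compressed data" signature exactly 64 bytes after each header, i.e. at the start of the payload the header describes. The following is an added example (my code, not the poster's and not part of the firmware): it parses the 64-byte U-Boot legacy uImage header, verifies both CRCs the way U-Boot does, and scans a blob for headers the way binwalk does, discarding magic matches whose header CRC fails. The blob, payload bytes and offsets are constructed for the example.

```python
"""Parse and verify U-Boot legacy uImage headers (64 bytes, big-endian).

Added example, not code from the thread. Layout and code values follow U-Boot's
include/image.h; the header CRC is computed over the header with ih_hcrc zeroed.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import List

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64

# Small subset of the code tables from include/image.h
OS_NAMES = {5: "Linux"}
ARCH_NAMES = {2: "ARM"}
TYPE_NAMES = {2: "OS Kernel Image"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}


@dataclass
class UImage:
    offset: int
    name: str
    size: int
    load: int
    entry: int
    os: str
    arch: str
    type: str
    comp: str
    header_crc_ok: bool
    data_crc_ok: bool


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob: bytes, offset: int) -> UImage:
    """Parse the header at `offset` and check both CRCs against the bytes that follow it."""
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) != HEADER_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X} at 0x{offset:X}")
    header_crc_ok = crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc
    payload = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    data_crc_ok = len(payload) == size and crc32(payload) == dcrc
    return UImage(
        offset=offset,
        name=name.split(b"\0", 1)[0].decode("ascii", "replace"),
        size=size, load=load, entry=ep,
        os=OS_NAMES.get(os_, f"unknown({os_})"),
        arch=ARCH_NAMES.get(arch, f"unknown({arch})"),
        type=TYPE_NAMES.get(typ, f"unknown({typ})"),
        comp=COMP_NAMES.get(comp, f"unknown({comp})"),
        header_crc_ok=header_crc_ok,
        data_crc_ok=data_crc_ok,
    )


def find_uimages(blob: bytes) -> List[UImage]:
    """Scan for the magic like binwalk does, keeping only headers whose own CRC checks out;
    a magic match with a bad header CRC is almost always a false positive."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    found, pos = [], blob.find(magic)
    while pos != -1:
        try:
            img = parse_uimage(blob, pos)
            if img.header_crc_ok:
                found.append(img)
        except ValueError:
            pass
        pos = blob.find(magic, pos + 1)
    return found


def build_uimage(payload: bytes, name: str, load: int = 0x7FC0, entry: int = 0x8000) -> bytes:
    """Construct a valid uImage around `payload`; used only to make the sample input below."""
    hdr = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
                      crc32(payload), 5, 2, 2, 0, name.encode())
    return hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:] + payload


# Constructed sample: junk, a kernel wrapper whose payload starts with the LZO magic
# (as in the binwalk output), more junk, then a second image.
SAMPLE = (b"\xff" * 100
          + build_uimage(b"\x89LZO\x00\r\n\x1a\n" + b"kernel-bytes" * 20, "Linux-3.0.13")
          + b"\x00" * 37
          + build_uimage(b"second image", "Linux-3.0.13"))

if __name__ == "__main__":
    for img in find_uimages(SAMPLE):
        print(f"0x{img.offset:X}: {img.name!r} size={img.size} load=0x{img.load:X} "
              f"entry=0x{img.entry:X} {img.os}/{img.arch}/{img.type}/{img.comp} "
              f"hcrc_ok={img.header_crc_ok} dcrc_ok={img.data_crc_ok}")
```

The data CRC is the useful check when carving a kernel out of a larger image: if `data_crc_ok` is false for a header that binwalk reported, either the image was cut short or the payload region has been altered, and nothing downstream of that offset should be trusted.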
Hi,
@borillion_star, did you find a way to extract the .pkg file?
Yes I did; you can use binwalk, and it can extract the files from the pkg. Vache, if you need help let me know.
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
tommyk999 said:
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
@tommyk999 and @vache: the pkg files do not contain any files such as /etc/shadow or /etc/passwd that can be used to get the root account password.
I think the only way is to try and dump the TV firmware; there appears to be a serial or UART on the mainboard, but I have not had the chance to try that yet.
borillion_star said:
Yes I did; you can use binwalk, and it can extract the files from the pkg. Vache, if you need help let me know.
Yes, I was able to unpack the firmware using binwalk.
Still looking into the filesystem to find some backdoors.
App for rooting Hisense TV; it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Any update on progress? Would it be possible to connect a Raspberry Pi with already rooted firmware to go around the stock firmware? So you won't void the warranty, and when anything goes wrong you just disconnect the Raspberry Pi and go with stock.
Sent from my SM-N910F using Tapatalk
tommyk999 said:
App for rooting Hisense TV; it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Because I don't know where this came from, or what it will do to my computer if I try to run anything in it, or to my TV, I am going to take a look at it and figure it out.
Probably going to be a couple of days until I get to it.
As for the Raspberry Pi, yes, you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal of rooting the Linux running on the TV, though.
borillion_star said:
Because I don't know where this came from, or what it will do to my computer if I try to run anything in it, or to my TV, I am going to take a look at it and figure it out.
Probably going to be a couple of days until I get to it.
As for the Raspberry Pi, yes, you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal of rooting the Linux running on the TV, though.
That zip file actually contains a root for Hisense TVs running Android. You can tell because of adb.exe and the .apk file types. It doesn't apply here.
I did purchase a logic board for this TV, with the power board, off eBay. There is something on it that is marked as a UART with 3.3V.
I will power it up and see what I can read out while it's booting, and post when I am able.
I got some PDF file; it is in Chinese, for the LED65K720UC. It is getting interesting at the end; I think it describes how to get access to the system, with some description. Hope this would help you.
https://mega.nz/#!sggVSJaS
Found some info on the LED42K220, but I have to find a way to translate the PDF from Chinese to English.
https://drive.google.com/file/d/0B7GyFV1vAMbRUkt0LW9kRjUzQ1E/view?usp=docslist_api
Sent from my SM-N910F using Tapatalk
tommyk999 said:
App for rooting Hisense TV; it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Looks like it's for Android TV, while mine runs Opera TV.
I will keep looking; hope I find something with Opera.
Sent from my SM-N910F using Tapatalk
What type is the Chinese equivalent to the 50K220GWUS?
Sent from my SM-N910F using Tapatalk
Mouse/keyboard work in the browser, but there's nothing to do there.
I'm trying to repack the firmware after changing some interesting files, to check if we can do something interesting.
I first got the squashfs filesystem using the dd command, then tried to mount it, but no luck.
So I used unsquashfs to unpack it (like binwalk did).
Then I used mksquashfs to repack it and used dd to inject the file again into upgrade_loader.pkg.
Opera TV is new for me; I have to learn how it works before going further.
--------------------------------------------------------------------------------------------------------------------
Firmware analysis (from 40EC591)
Partitions:
3rdw (Apps ?) (ext4 - /dev/mmcblk0p12 - dev/mmcblk0p11)
3rdp (Apps ?) (squashfs - dev/mmcblk0p11)
uImage (kernel - /dev/mmcblk0p5)
rootfs.bin (squashfs - /dev/mmcblk0p7)
pq.bin (? - /dev/mmcblk0p16)
aq.bin (? - /dev/mmcblk0p17)
adsp.bin (? - /dev/mmcblk0p21)
facsetdata.bin (? - /dev/mmcblk0p25)
uboot.bin (bootloader - /dev/mmcblk0p1)
uenv.bin (? - /dev/mmcblk0p2)
logo.bin (? - /dev/mmcblk0p18)
default_db.bin (? - /dev/mmcblk0p23)
hdmi_2_0_hdcp.bin (? - /dev/mmcblk0p24)
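The post above describes the carve-and-repack loop by hand: locate the squashfs image, cut it out with dd, unsquashfs it, mksquashfs it again and dd it back. The following is an added example (my code, not Vache's and not part of the thread) that does the locating step programmatically: it scans a blob for squashfs 4.0 superblocks, validates the fields binwalk printed earlier in the thread (inode count, block size, compression, size, creation time), rejects chance "hsqs" matches, carves each image at its padded length and prints the equivalent dd command. The blob, offsets and superblock values are constructed for the example; the two creation times are set to match the binwalk lines above only to show how the field decodes.

```python
"""Locate squashfs 4.0 superblocks in a firmware blob and carve them at their exact length.

Added example, not code from the thread. The superblock layout is the 96-byte little-endian
structure from squashfs-tools (squashfs_fs.h); the blob, offsets and values below are constructed.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

SQUASHFS_MAGIC = 0x73717368          # the bytes "hsqs" read little-endian
SB_FMT = "<IIIIIHHHHHHQQQQQQQQ"
SB_LEN = struct.calcsize(SB_FMT)     # 96
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
PAD = 4096                           # mksquashfs pads the image to a 4 KiB boundary


@dataclass
class Superblock:
    offset: int
    inodes: int
    mkfs_time: int
    block_size: int
    compressor: str
    version: str
    bytes_used: int

    def carve_length(self) -> int:
        """bytes_used rounded up to the padding mksquashfs writes after the image."""
        return -(-self.bytes_used // PAD) * PAD

    def describe(self) -> str:
        created = datetime.fromtimestamp(self.mkfs_time, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        return (f"0x{self.offset:X}: squashfs {self.version}, compression: {self.compressor}, "
                f"size: {self.bytes_used} bytes, {self.inodes} inodes, "
                f"blocksize: {self.block_size} bytes, created: {created}")


def parse_superblock(blob: bytes, offset: int) -> Superblock:
    raw = blob[offset:offset + SB_LEN]
    if len(raw) != SB_LEN:
        raise ValueError("truncated")
    (magic, inodes, mtime, bsize, _frags, comp, blog, _flags, _ids, vmaj, vmin,
     _root, used, *_tables) = struct.unpack(SB_FMT, raw)
    # Sanity checks that separate a real superblock from a chance "hsqs" inside data:
    # version 4, a block size in range and consistent with block_log, and an image
    # that actually fits inside the blob.
    if magic != SQUASHFS_MAGIC or vmaj != 4:
        raise ValueError("not a squashfs 4 superblock")
    if bsize != 1 << blog or not 4096 <= bsize <= 1048576:
        raise ValueError("inconsistent block size")
    if used < SB_LEN or offset + used > len(blob):
        raise ValueError("image does not fit in blob")
    return Superblock(offset, inodes, mtime, bsize,
                      COMPRESSORS.get(comp, f"unknown({comp})"), f"{vmaj}.{vmin}", used)


def find_superblocks(blob: bytes) -> List[Superblock]:
    """Scan for every candidate magic and keep the ones that pass the sanity checks."""
    magic = struct.pack("<I", SQUASHFS_MAGIC)
    found, pos = [], blob.find(magic)
    while pos != -1:
        try:
            found.append(parse_superblock(blob, pos))
        except ValueError:
            pass
        pos = blob.find(magic, pos + 1)
    return found


def carve(blob: bytes, sb: Superblock) -> bytes:
    """The bytes unsquashfs needs: the superblock through the last padded block."""
    return blob[sb.offset:sb.offset + sb.carve_length()]


def dd_command(image_path: str, sb: Superblock) -> str:
    """Equivalent GNU dd invocation for the same carve (skip and count given in bytes)."""
    return (f"dd if={image_path} of=squashfs_{sb.offset:#x}.img bs=4M "
            f"iflag=skip_bytes,count_bytes skip={sb.offset} count={sb.carve_length()}")


def make_superblock(inodes: int, mtime: int, block_size: int, comp: int, bytes_used: int) -> bytes:
    """Constructed superblock for the sample blob (table offsets zero, so not mountable)."""
    return struct.pack(SB_FMT, SQUASHFS_MAGIC, inodes, mtime, block_size, 0, comp,
                       block_size.bit_length() - 1, 0, 1, 4, 0, 0, bytes_used, *([0] * 6))


# Constructed blob: junk, a 5000-byte image padded to 8 KiB, a decoy "hsqs" in ordinary
# data, then a second 300-byte image padded to 4 KiB.
SAMPLE = (b"\xff" * 1000
          + make_superblock(126, 1421142376, 131072, 1, 5000) + b"A" * (8192 - SB_LEN)
          + b"hsqs" + b"junk" * 30
          + make_superblock(1215, 1421142458, 131072, 1, 300) + b"B" * (4096 - SB_LEN))

if __name__ == "__main__":
    for sb in find_superblocks(SAMPLE):
        print(sb.describe())
        print("  ", dd_command("upgrade_loader.pkg", sb))
```

Carving at `bytes_used` rounded to the padding is also the number to keep when re-injecting: a repacked image whose `bytes_used` is larger than the original's carve length will overwrite whatever followed the original squashfs in the pkg, so compare the two sizes before the dd step.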
Hey Guys,
I've been doing some research and I've found quite a few interesting things with the modem for the OnePlus One. Firstly, I've found that NON-HLOS.bin is actually a FAT file system that can be mounted; inside I've found the following files.
==========================================
-rwxr-xr-x. 1 root root 500 Apr 2 2015 adsp.b00
-rwxr-xr-x. 1 root root 488 Apr 2 2015 adsp.b01
-rwxr-xr-x. 1 root root 1 Apr 2 2015 adsp.b02
-rwxr-xr-x. 1 root root 5097872 Apr 2 2015 adsp.b03
-rwxr-xr-x. 1 root root 1332541 Apr 2 2015 adsp.b04
-rwxr-xr-x. 1 root root 1099162 Apr 2 2015 adsp.b05
-rwxr-xr-x. 1 root root 680 Apr 2 2015 adsp.b06
-rwxr-xr-x. 1 root root 936550 Apr 2 2015 adsp.b07
-rwxr-xr-x. 1 root root 120 Apr 2 2015 adsp.b08
-rwxr-xr-x. 1 root root 698928 Apr 2 2015 adsp.b09
-rwxr-xr-x. 1 root root 201008 Apr 2 2015 adsp.b10
-rwxr-xr-x. 1 root root 11700 Apr 2 2015 adsp.b11
-rwxr-xr-x. 1 root root 6105 Apr 2 2015 adsp.b12
-rwxr-xr-x. 1 root root 988 Apr 2 2015 adsp.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 cmnlib.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 cmnlib.b01
-rwxr-xr-x. 1 root root 111720 Apr 2 2015 cmnlib.b02
-rwxr-xr-x. 1 root root 4416 Apr 2 2015 cmnlib.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 cmnlib.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 isdbtmm.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 isdbtmm.b01
-rwxr-xr-x. 1 root root 24692 Apr 2 2015 isdbtmm.b02
-rwxr-xr-x. 1 root root 104 Apr 2 2015 isdbtmm.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 isdbtmm.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 keymaste.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 keymaste.b01
-rwxr-xr-x. 1 root root 18324 Apr 2 2015 keymaste.b02
-rwxr-xr-x. 1 root root 208 Apr 2 2015 keymaste.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 keymaste.mdt
-rwxr-xr-x. 1 root root 295824 Apr 2 2015 mba.b00
-rwxr-xr-x. 1 root root 84 Apr 2 2015 mba.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 mc_v2.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 mc_v2.b01
-rwxr-xr-x. 1 root root 131072 Apr 2 2015 mc_v2.b02
-rwxr-xr-x. 1 root root 12 Apr 2 2015 mc_v2.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 mc_v2.mdt
-rwxr-xr-x. 1 root root 916 Apr 2 2015 modem.b00
-rwxr-xr-x. 1 root root 904 Apr 2 2015 modem.b01
-rwxr-xr-x. 1 root root 4052 Apr 2 2015 modem.b02
-rwxr-xr-x. 1 root root 81920 Apr 2 2015 modem.b03
-rwxr-xr-x. 1 root root 177176 Apr 2 2015 modem.b06
-rwxr-xr-x. 1 root root 49500 Apr 2 2015 modem.b08
-rwxr-xr-x. 1 root root 48420 Apr 2 2015 modem.b09
-rwxr-xr-x. 1 root root 103384 Apr 2 2015 modem.b11
-rwxr-xr-x. 1 root root 110820 Apr 2 2015 modem.b12
-rwxr-xr-x. 1 root root 1590612 Apr 2 2015 modem.b13
-rwxr-xr-x. 1 root root 20748656 Apr 2 2015 modem.b14
-rwxr-xr-x. 1 root root 663520 Apr 2 2015 modem.b15
-rwxr-xr-x. 1 root root 139264 Apr 2 2015 modem.b16
-rwxr-xr-x. 1 root root 5376 Apr 2 2015 modem.b17
-rwxr-xr-x. 1 root root 8055360 Apr 2 2015 modem.b18
-rwxr-xr-x. 1 root root 3457568 Apr 2 2015 modem.b19
-rwxr-xr-x. 1 root root 73968 Apr 2 2015 modem.b22
-rwxr-xr-x. 1 root root 417451 Apr 2 2015 modem.b23
-rwxr-xr-x. 1 root root 5911268 Apr 2 2015 modem.b24
-rwxr-xr-x. 1 root root 953536 Apr 2 2015 modem.b25
-rwxr-xr-x. 1 root root 1820 Apr 2 2015 modem.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 playread.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 playread.b01
-rwxr-xr-x. 1 root root 134244 Apr 2 2015 playread.b02
-rwxr-xr-x. 1 root root 608 Apr 2 2015 playread.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 playread.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 tqs.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 tqs.b01
-rwxr-xr-x. 1 root root 786132 Apr 2 2015 tqs.b02
-rwxr-xr-x. 1 root root 159744 Apr 2 2015 tqs.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 tqs.mdt
-rwxr-xr-x. 1 root root 372 Apr 2 2015 wcnss.b00
-rwxr-xr-x. 1 root root 360 Apr 2 2015 wcnss.b01
-rwxr-xr-x. 1 root root 12596 Apr 2 2015 wcnss.b02
-rwxr-xr-x. 1 root root 61440 Apr 2 2015 wcnss.b04
-rwxr-xr-x. 1 root root 3084380 Apr 2 2015 wcnss.b06
-rwxr-xr-x. 1 root root 56 Apr 2 2015 wcnss.b07
-rwxr-xr-x. 1 root root 786432 Apr 2 2015 wcnss.b08
-rwxr-xr-x. 1 root root 41468 Apr 2 2015 wcnss.b09
-rwxr-xr-x. 1 root root 732 Apr 2 2015 wcnss.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 widevine.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 widevine.b01
-rwxr-xr-x. 1 root root 156596 Apr 2 2015 widevine.b02
-rwxr-xr-x. 1 root root 908 Apr 2 2015 widevine.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 widevine.mdt
==========================================
Running file on all of these files I receive:
adsp.b00: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), dynamically linked, interpreter *empty*, stripped
adsp.b01: data
adsp.b02: very short file (no magic)
adsp.b03: data
adsp.b04: data
adsp.b05: data
adsp.b06: PDP-11 UNIX/RT ldp
adsp.b07: data
adsp.b08: data
adsp.b09: data
adsp.b10: data
adsp.b11: data
adsp.b12: data
adsp.mdt: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), dynamically linked, interpreter *empty*, stripped
cmnlib.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
cmnlib.b01: data
cmnlib.b02: GeoSwath RDF
cmnlib.b03: data
cmnlib.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
isdbtmm.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
isdbtmm.b01: data
isdbtmm.b02: data
isdbtmm.b03: data
isdbtmm.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
keymaste.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
keymaste.b01: data
keymaste.b02: data
keymaste.b03: data
keymaste.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
mba.b00: data
mba.mdt: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), statically linked, corrupted section header size
mc_v2.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
mc_v2.b01: data
mc_v2.b02: data
mc_v2.b03: ASCII text, with no line terminators
mc_v2.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
modem.b00: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), statically linked, stripped
modem.b01: data
modem.b02: data
modem.b03: data
modem.b06: data
modem.b08: data
modem.b09: data
modem.b11: data
modem.b12: data
modem.b13: data
modem.b14: data
modem.b15: data
modem.b16: data
modem.b17: data
modem.b18: data
modem.b19: data
modem.b22: MMDF mailbox
modem.b23: data
modem.b24: data
modem.b25: data
modem.mdt: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), statically linked, stripped
playread.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
playread.b01: data
playread.b02: data
playread.b03: data
playread.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
tqs.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
tqs.b01: data
tqs.b02: data
tqs.b03: data
tqs.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
wcnss.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
wcnss.b01: data
wcnss.b02: data
wcnss.b04: data
wcnss.b06: data
wcnss.b07: data
wcnss.b08: data
wcnss.b09: data
wcnss.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
widevine.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
widevine.b01: data
widevine.b02: data
widevine.b03: data
widevine.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
==========================================
Now, I've been trying to discover how Qualcomm enforces things like NV write protection, so as an example I've used the IMEI number, as it's write protected.
Putting the phone into Qualcomm's DIAG mode and launching RF NV Manager, when I try to edit the IMEI number and click "Write NV" I receive the following:
So from the above image I've found that the name of the IMEI property is NV_UE_IMEI_I.
Running strings over the mounted NON-HLOS directory came up with the following:
----------------
modem.b18: Read NV_UE_IMEI_I (%d) to NV failed.
modem.b18: Write NV_UE_IMEI_I[0] (%d) to NV failed.
==========================================
Hmm, okay, modem.b18 looks to have strings referencing such actions; looking at the header of this file I receive the following:
==========================================
00000000 24 00 00 00 00 00 00 00 41 4d 53 53 00 00 00 00 |$.......AMSS....|
==========================================
After some googling it looks like AMSS stands for Advanced Mobile Subscriber Software, according to: http://www.acronymfinder.com/Advanced-Mobile-Subscriber-Software-(Qualcomm)-(AMSS).html
So this "modem.b18" file looks to be pretty interesting in terms of NV protection, so I ran binwalk on the file and came up with the following:
==========================================
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
15276 0x3BAC Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/mproc/smd/src/smd_dsm_mem
32076 0x7D4C Unix path: /node/core/cpu/latency/usec
40808 0x9F68 CRC32 polynomial table, little endian
44904 0xAF68 CRC32 polynomial table, big endian
118861 0x1D04D Unix path: /nv/item_files/modem/nas/roaming_policy_back
121432 0x1DA58 Unix path: /nvm/alpha/item_file/time/%s
124252 0x1E55C gzip compressed data, NULL date (1970-01-01 00:00:00)
127283 0x1F133 POSIX tar archive, owner user name: "_size", owner group name: "c"
269101 0x41B2D Neighborly text, "NeighborBmsk | wfwTcCfgInfo.shadowCellInShoBmsk) == 0) failed"
539266 0x83A82 Neighborly text, "neighbor cell CGI request(SIB1 decode)). max_num_rb_ca0=%d max_num_rb_ca1=%d num_rb_ca1=%d "
552073 0x86C89 Unix path: /modem/fw/lte/meas_ttl_ftl/src/lte_LL1_meas_ttl_ftl_main.c %u
553105 0x87091 Unix path: /modem/fw/lte/meas_ttl_ftl/src/lte_LL1_meas_ttl_ftl_ncell.c %u
928051 0xE2933 Certificate in DER format (x509 v3), header length: 4, sequence length: 2360
928298 0xE2A2A Certificate in DER format (x509 v3), header length: 4, sequence length: 2410
928324 0xE2A44 Certificate in DER format (x509 v3), header length: 4, sequence length: 2465
928402 0xE2A92 Certificate in DER format (x509 v3), header length: 4, sequence length: 2516
1618849 0x18B3A1 Unix path: /nv/item_files/conf/mcpm.conf
1619065 0x18B479 Unix path: /nv/item_files/modem/utils/mcpm/mcpm_nv_pwrdbg_cfg
1619159 0x18B4D7 Unix path: /nv/item_files/modem/utils/mcpm/mcpm_nv_cfg_src
1624136 0x18C848 Unix path: /node/mcpm/vdd/mss
1642544 0x191030 Unix path: /nv/item_files/modem/utils/mcpm/ut_results.txt
1656085 0x194515 Unix path: /nv/item_files/CoreCpu/CoreAll/Startup/Algorithm.txt datalen %d
1660936 0x195808 Unix path: /nv/item_files/modem/utils/mcpm/mcpm_ut_efs_scenario.txt
1674069 0x198B55 Unix path: /nv/item_files/modem/utils/a2/a2_pc
1679019 0x199EAB Unix path: /nv/item_files/conf/lte_a2.conf
1682872 0x19ADB8 Unix path: /nv/item_files/modem/utils/a2/enable_zuc_debug
1684052 0x19B254 Unix path: /nv/item_files/modem/utils/cfm/cfm_cpu_monitor_cfg
2086962 0x1FD832 Unix path: /nv/item_files/modem/nas/csg_support_configuration
2103480 0x2018B8 CRC32 polynomial table, little endian
2136200 0x209888 Unix path: /nv/item_files/modem/mmode/sms_only
2139448 0x20A538 Unix path: /nv/item_files/modem/mmode/sms_only
2139484 0x20A55C Unix path: /nv/item_files/modem/mmode/ue_usage_setting
2139528 0x20A588 Unix path: /nv/item_files/modem/mmode/voice_domain_pref
2139573 0x20A5B5 Unix path: /nv/item_files/modem/mmode/sms_domain_pref
2139616 0x20A5E0 Unix path: /nv/item_files/modem/mmode/lte_disable_duration
2139664 0x20A610 Unix path: /nv/item_files/modem/mmode/n_min_MO_call_soft_retry
2139716 0x20A644 Unix path: /nv/item_files/modem/mmode/n_maxSIB8
2139753 0x20A669 Unix path: /nv/item_files/modem/mmode/sms_mandatory
2139794 0x20A692 Unix path: /nv/item_files/modem/mmode/lte_bandpref
2139834 0x20A6BA Unix path: /nv/item_files/modem/mmode/tds_bandpref
2139874 0x20A6E2 Unix path: /nv/item_files/modem/mmode/device_mode
2139913 0x20A709 Unix path: /nv/item_files/mcs/mtf/cp_mutex_tracking_enabled
2139962 0x20A73A Unix path: /nv/item_files/modem/mmode/sd/loc_base_bsr_mcc_list
2140014 0x20A76E Unix path: /nv/item_files/modem/mmode/supplement_service_domain_pref
2140072 0x20A7A8 Unix path: /nv/item_files/modem/mmode/sms_over_s102
2140113 0x20A7D1 Unix path: /nv/item_files/modem/mmode/operator_name
2140154 0x20A7FA Unix path: /nv/item_files/modem/mmode/qmss_enabled
2140194 0x20A822 Unix path: /nv/item_files/modem/mmode/sd/1xcsfb_ecbm_status
2140243 0x20A853 Unix path: /nv/item_files/modem/mmode/get_net_auto_mode
2140288 0x20A880 Unix path: /nv/item_files/modem/mmode/custom_emerg_info
2140333 0x20A8AD Unix path: /nv/item_files/modem/mmode/manufacturer_name
2140378 0x20A8DA Unix path: /nv/item_files/modem/mmode/manufacturer_code
2140423 0x20A907 Unix path: /nv/item_files/modem/mmode/device_model
2140463 0x20A92F Unix path: /nv/item_files/modem/mmode/sw_version
2140501 0x20A955 Unix path: /nv/item_files/modem/mmode/cu_imsi
2140536 0x20A978 Unix path: /nv/item_files/modem/mmode/cmcc_imsi
2140573 0x20A99D Unix path: /nv/item_files/modem/mmode/imsi_mcc
2140609 0x20A9C1 Unix path: /nv/item_files/modem/mmode/imsi_min1
2140646 0x20A9E6 Unix path: /nv/item_files/modem/mmode/imsi_min2
2140683 0x20AA0B Unix path: /nv/item_files/modem/mmode/imsi_11_12
2140721 0x20AA31 Unix path: /nv/item_files/modem/mmode/reg_status
2140759 0x20AA57 Unix path: /nv/item_files/modem/mmode/mid_call_srvcc_info
2140806 0x20AA86 Unix path: /nv/item_files/modem/mmode/lte_do_irat_duration
2140854 0x20AAB6 Unix path: /nv/item_files/modem/mmode/volte_sr_control
2140898 0x20AAE2 Unix path: /nv/item_files/modem/mmode/extend_lte_disable_duration
2140953 0x20AB19 Unix path: /nv/item_files/modem/mmode/sd/manual_search_in_wrlf
2141005 0x20AB4D Unix path: /nv/item_files/modem/mmode/sd/1xcsfb_call_end_opt
2141055 0x20AB7F Unix path: /nv/item_files/modem/mmode/sd/buffer_int_srv_lost
2141105 0x20ABB1 Unix path: /nv/item_files/modem/mmode/scan_scope_rule
2141205 0x20AC15 Unix path: /nv/item_files/modem/mmode
2162755 0x210043 Neighborly text, "neighboring_cell_infoterface"
2163056 0x210170 Unix path: /nv/item_files/modem/mmode/tui/csg_search_sel_config
2172948 0x212814 Unix path: /nv/item_files/modem/mmode/qmi/tib_timer
2280344 0x22CB98 Unix path: /nv/item_files/modem/mmode/sd
2280645 0x22CCC5 Unix path: /nv/item_files/modem/mmode/sd/sdssscr_timers
2296124 0x23093C Unix path: /nv/item_files/modem/nas/exclude_old_lai_type_field
2302296 0x232158 Unix path: /nvm/alpha/modem/nas/lte_nas_eps_loci_Subscription01
2304028 0x23281C Unix path: /nv/item_files/modem/nas/geran_cap
2304063 0x23283F Unix path: /nv/item_files/modem/nas/lte_nas_lsti_config
2304108 0x23286C Unix path: /nv/item_files/modem/nas/lte_nas_ue_sec_capability
2304159 0x23289F Unix path: /nv/item_files/modem/nas/lte_nas_temp_fplmn_backoff_time
2304216 0x2328D8 Unix path: /nv/item_files/modem/nas/drx_cn_coeff_s1
2304257 0x232901 Unix path: /nv/item_files/modem/nas/exclude_ptmsi_type_field
2304307 0x232933 Unix path: /nv/item_files/modem/nas/exclude_old_lai_type_field
2304359 0x232967 Unix path: /nv/item_files/modem/nas/nas_lai_change_force_lau_for_emergency
2304423 0x2329A7 Unix path: /nv/item_files/modem/nas/nas_srvcc_support
2304466 0x2329D2 Unix path: /nv/item_files/modem/nas/mobility_management_for_voims_feature
2304529 0x232A11 Unix path: /nv/item_files/modem/nas/nas_config_feature
2304573 0x232A3D Unix path: /nv/item_files/modem/nas/aggression_management
2304620 0x232A6C Unix path: /nv/item_files/modem/nas/csg_support_configuration
2304671 0x232A9F Unix path: /nv/item_files/modem/nas/nas_l2g_srvcc_support
2304718 0x232ACE Unix path: /nv/item_files/modem/nas/tighter_capability
2304762 0x232AFA Unix path: /nv/item_files/modem/nas/nas_nv_classmark_ie
2304807 0x232B27 Unix path: /nv/item_files/modem/nas/sglte_nas_nv_config
2304852 0x232B54 Unix path: /nv/item_files/modem/nas/mm_backoff_remaining_info
2304903 0x232B87 Unix path: /nv/item_files/modem/nas/mm_backoff_remaining_info_subscription01
2304969 0x232BC9 Unix path: /nv/item_files/modem/nas/gmm_drx_cn_coeff_s1
2305014 0x232BF6 Unix path: /nv/item_files/modem/nas/isr
2305043 0x232C13 Unix path: /nv/item_files/modem/nas/emm_combined_proc
2305086 0x232C3E Unix path: /nv/item_files/modem/nas/avoid_guti_nas_security_check
2305141 0x232C75 Unix path: /nv/item_files/modem/nas/is_accepted_on_lte
2305186 0x232CA2 Unix path: /nv/item_files/conf/nas_mm.conf
2318399 0x23603F Unix path: /nv/item_files/modem/nas/gmm_drx_cn_coeff_s1
2329012 0x2389B4 Unix path: /nvm/alpha/modem/nas/lte_nas_emm_eps_native_context_Subscription01
2368472 0x2423D8 Unix path: /nv/item_files/modem/data/3gpp/global_throttling
2371696 0x243070 Unix path: /nv/item_files/modem/nas/vpmln_Subscription01
2379116 0x244D6C Unix path: /nv/item_files/modem/nas/ignore_uplmn
2379154 0x244D92 Unix path: /nv/item_files/modem/nas/imsi_switch
2379191 0x244DB7 Unix path: /nv/item_files/modem/nas/ehplmn
2379223 0x244DD7 Unix path: /nv/item_files/modem/nas/ehplmn_Subscription01
2379270 0x244E06 Unix path: /nv/item_files/modem/nas/ehplmn_Subscription02
2379317 0x244E35 Unix path: /nv/item_files/modem/nas/efrplmnsi_select_rplmn_after_hplmn
2379377 0x244E71 Unix path: /nv/item_files/modem/nas/forced_irat
2379414 0x244E96 Unix path: /nv/item_files/modem/nas/tdscdma_op_plmn_list
2379460 0x244EC4 Unix path: /nv/item_files/modem/nas/max_validate_sim_counter
2379510 0x244EF6 Unix path: /nv/item_files/modem/nas/t3245_timer
2379547 0x244F1B Unix path: /nv/item_files/modem/nas/t3245_timer_test
2379589 0x244F45 Unix path: /nv/item_files/modem/nas/efnas_config
2379627 0x244F6B Unix path: /nv/item_files/modem/nas/lpm_power_off
2379666 0x244F92 Unix path: /nv/item_files/modem/nas/reg_nv_items
2379704 0x244FB8 Unix path: /nv/item_files/modem/nas/vplmn
2379735 0x244FD7 Unix path: /nv/item_files/modem/nas/vpmln_Subscription01
2379781 0x245005 Unix path: /nv/item_files/modem/nas/ota_plmn_list
2379820 0x24502C Unix path: /nv/item_files/modem/nas/ota_plmn_list_Subscription01
2379874 0x245062 Unix path: /nv/item_files/modem/nas/ota_plmn_list_Subscription02
2379928 0x245098 Unix path: /nv/item_files/modem/nas/max_validate_sim_counter_Subscription01
---------------- SNIP TOO LONG ----------------
If anyone's interested I'll update the whole output
Cheers Guys
Fascinating. Never thought of mounting it!
Real Data mining
Appreciate it
Hey Guys,
Little update.
The specific Hexagon Baseband version I have running in my OnePlus One is: QDSP6V5A however I can't load any of the files into IDA as the plugin only supports V4. Perhaps I could have the baseband load remote gdb and do some live debugging.
If anyone has successfully loaded these files into IDA please let me know, I'd love to start messing with flow control of NV (Full NV Write Permission)
Hey Guys,
Another little update, I've managed to combine all of the modem.b00-25 files into a single ELF file, that now successfully opens in IDA:
Graph view:
However when I get down to my string of interest IDA seems to get confused:
If anyone can shed some light on this that would be awesome!
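Reassembling the modem.b00-25 pieces into one ELF, as in the update above, needs only the program headers stored in modem.b00: each .bNN file is the file content of program header NN, so the headers say where every piece belongs. The following is an added Python example, not dylanger's own tooling; the split layout it assumes is described in its docstring and the test image it round-trips is constructed, not a real modem image.

```python
"""Rebuild a split Qualcomm firmware image (modem.b00, modem.b01, ...) into one ELF.

Layout assumed here: modem.b00 holds the ELF header plus program headers and
each modem.bNN holds the file contents of program header NN, so the headers
alone say where every piece belongs. The test data at the bottom is
constructed, not taken from a real modem image.
"""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# Elf32_Ehdr and Elf32_Phdr, little-endian (Hexagon images are ELF32 LSB).
EHDR_FMT = "<16sHHIIIIIHHHHHH"
PHDR_FMT = "<IIIIIIII"  # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align


def parse_phdrs(b00):
    """Return [(p_offset, p_filesz), ...] from the ELF32 header at the start of modem.b00."""
    if b00[:4] != ELF_MAGIC or b00[4] != 1:  # EI_CLASS 1 == ELFCLASS32
        raise ValueError("not an ELF32 image")
    f = struct.unpack_from(EHDR_FMT, b00, 0)
    e_phoff, e_phentsize, e_phnum = f[5], f[9], f[10]
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header size %d" % e_phentsize)
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, b00, e_phoff + i * e_phentsize)
        phdrs.append((p[1], p[4]))
    return phdrs


def rebuild_elf(directory, base="modem"):
    """Reassemble <base>.b00 .. <base>.bNN from `directory` and return the image as bytes."""
    with open(os.path.join(directory, base + ".b00"), "rb") as fh:
        b00 = fh.read()
    phdrs = parse_phdrs(b00)
    size = max([len(b00)] + [off + sz for off, sz in phdrs])
    image = bytearray(size)  # gaps between segments stay zero-filled, as in the flashed image
    image[:len(b00)] = b00
    for idx, (off, sz) in enumerate(phdrs):
        if sz == 0:
            continue  # nothing on disk for this segment (e.g. bss-only), so no .bNN to read
        path = os.path.join(directory, "%s.b%02d" % (base, idx))
        if not os.path.exists(path):
            raise FileNotFoundError("segment %d is missing: %s" % (idx, path))
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != sz:
            raise ValueError("%s is %d bytes but its program header says %d" % (path, len(data), sz))
        image[off:off + sz] = data
    return bytes(image)


def make_test_split(directory, segments):
    """Constructed test data: a tiny ELF32 with one PT_LOAD per entry in `segments`,
    written out as modem.b00.. files. Returns the complete image for comparison."""
    phnum = len(segments) + 1  # +1: the first program header covers the headers themselves
    ehsize, phentsize = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
    hdr_len = ehsize + phnum * phentsize
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)  # ELFCLASS32, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, 164, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 0, 0, 0)  # e_machine 164 == EM_HEXAGON
    layout, offset = [(0, hdr_len)], 0x1000
    for data in segments:
        layout.append((offset, len(data)))
        offset += (len(data) + 0xFFF) & ~0xFFF  # 4 KiB aligned segments like the real images
    phdrs = b"".join(struct.pack(PHDR_FMT, 1, off, off, off, sz, sz, 5, 0x1000)
                     for off, sz in layout)
    image = bytearray(max(off + sz for off, sz in layout))
    image[:hdr_len] = ehdr + phdrs
    for (off, sz), data in zip(layout[1:], segments):
        image[off:off + sz] = data
    for idx, (off, sz) in enumerate(layout):
        with open(os.path.join(directory, "modem.b%02d" % idx), "wb") as fh:
            fh.write(image[off:off + sz])
    return bytes(image)


def selftest():
    """Round-trip the constructed image, then confirm a missing segment file is reported."""
    with tempfile.TemporaryDirectory() as d:
        original = make_test_split(d, [b"hash-table-segment", b"A" * 5000, b"", b"code" * 100])
        if rebuild_elf(d) != original:
            return False
        os.remove(os.path.join(d, "modem.b02"))
        try:
            rebuild_elf(d)
        except FileNotFoundError:
            return True
        return False


if __name__ == "__main__":
    print("round trip ok" if selftest() else "round trip FAILED")
```

The size check against each program header is what catches a truncated or mis-numbered .bNN file before the result is ever opened in a disassembler.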
Very interesting! This may give us an open baseband implementation for android in the future.
Any news?
Rbn3D said:
Very interesting! This may give us an open baseband implementation for android in the future.
Any news?
Hey Rbn3D,
Indeed it may, however it looks like the only real way to map something like OsmocomBB to the QDSP6v* would rely on a Qualcomm leak containing everything about the QDSP6. I think the time and resources to reverse engineer something like this would be too much. But leaked documentation could make it possible.
I think it's pretty crazy this hasn't been done yet. The baseband does so much and we know next to nothing about it, if I were the NSA this is where I'd hide my back door.
The other main hurdle is the fact that the bootloader checks the modem partition. If you change one bit, the phone will fail to boot, I think the verification is done in TrustZone/TZ on the SoC.
From an anti-theft standpoint this would be awesome, you could potentially SIM lock your specific SIM. And network locked phones would be a thing of the past.
Unsupported LTE/3G bands would also become accessible/modifiable, perhaps even TX/RX power, then again this is probably why they have this locked down.
If any vendors are watching, make everything open source! I'd buy a phone with open source baseband and bootloader in a heartbeat.
I did a google search for the documentation you were looking for regarding QDSP6 and came across this page: http://forum.gsmhosting.com/vbb/f83/qdsp6-qualcomm-hexxagon-few-questions-datasheet-needed-1820478/
It has a link to download a pdf, but I don't know if that's what you're looking for.
chikin said:
I did a google search for the documentation you were looking for regarding QDSP6 and came across this page: http://forum.gsmhosting.com/vbb/f83/qdsp6-qualcomm-hexxagon-few-questions-datasheet-needed-1820478/
It has a link to download a pdf, but I don't know if that's what you're looking for.
Yeah, something like this, however we still have that first hurdle: even if we begin trying to implement OsmocomBB we'd need a way for the device to load the modified baseband firmware without signature verification. If you find out how to do that we could begin testing.
You would also have network unlocked basically all phones that use Qualcomm, as it's my understanding that all network lock implementations are at the baseband. If someone can figure out how to bypass signature verification we could begin patching the baseband; as I said before, verification is performed in TrustZone. There are exploits available for TZ but I'm not sure how you'd use one to skip modem verification.
Hi,
It's easy to disable this verification by RAM-patching the modem radio. To be able to do this you need to find some exploit within the TrustZone. Once that is found you can patch the modem radio in RAM and this way enable writing of restricted NV fields. Also it is very possible that the modem radio is mapped at a different address than the one from the ELF, and in order to have some success I suggest you look at some ARM-based ELF for the needed radio procs to be patched, since the code is the same but a different compiler is used. Anyway good luck. It won't be easy
P.S: Public TrustZone exploits are available to the public (ex. integer overflow bug, tzbsp_es_is_available bug, tzbsp_oem_svc bugs)
P.S1: What you discovered has been known for years to some of us
For experiment's sake, and to possibly get us further: would it be possible to flash the non-hlos.bin onto another similar phone? I'm not sure how much device-specific code the non-hlos contains, but I was thinking about grabbing 2 phones, one with band 20 and one without band 20, both with the same AMP and RF chip (or very similar), and then exchanging files between them to see if it will teach us anything.
Any comments/thoughts?
For reference's sake I've collected info about a few devices
oppo find 7
AMP sky77629-21
RF Not sure
lenovo zuk z1
AMP sky77633-11
RF WTR1625L
mi4
AMP AVAGO ACPM-7600
RF WTR1625L
redmi 3
AMP sky77643
AMP sky77916
RF WTR4905
xperia z3
AMP sky77629-13
AMP sky77753
RF WTR1625L
1+1
AMP sky77629-21
RF WTR1625L
mi5
AMP sky77646
RF WTR3925
There was a comment from one of the bods at OnePlus that the original modems were Oppo modems.
If that is true then in theory a Find 7 modem could work
But I suspect it would be likely to cause serious issues
QCOM modem leaked sources.
Type in google/bing: "AU_LINUX_ANDROID_LNX.LA.3.5.3.4.04.04.02.113.008_msm8610_LNX.LA.3.5.3.4__release_AU"
Hi,
I own a ZUK Z1 and found the information, that Moto X 2nd Gen (CN version aka xt1085 with LTE B20) has the same AMP/RF combination. Unfortunately xt1085 is a single SIM device, so I worry if the 2nd SIM on my Z1 will work after flashing.
Anyone out there owning an xt1085 and willing to dump the necessary files?
Hi guys,
I am interested in this. I was thinking that at least for Xiaomi, non-hlos.bin is not the only thing to care about. See this post about qcn
https://xiaomi.eu/community/threads/solve-problem-with-4g-lte-sim1-redmi-phones.33900/
Any thoughts?
pakidermo5000 said:
Hi guys,
I am interested in this. I was thinking that at least for Xiaomi, non-hlos.bin is not the only thing to care about. See this post about qcn
https://xiaomi.eu/community/threads/solve-problem-with-4g-lte-sim1-redmi-phones.33900/
Any thoughts?
I'll have a look at it in more depth later on. But he appears to be pushing a hacked modem?
fards said:
I'll have a look at it in more depth later on. But he appears to be pushing a hacked modem?
Yes, it seems that it is the other way round from what we are looking at here. Basically the shop sent the phone with a hacked qcn file that disabled the connections to LTE bands. And they looked for the right qcn file to flash so as to have LTE.
My point was that, maybe it is not enough to modify the nvram values, maybe it is also needed to modify the qcn file so as to enable some of the bands?
And, second point. If the shop could hack the qcn, it means it is possible without having the source code, right?
pakidermo5000 said:
Yes, it seems that it is the other way round from what we are looking at here. Basically the shop sent the phone with a hacked qcn file that disabled the connections to LTE bands. And they looked for the right qcn file to flash so as to have LTE.
My point was that, maybe it is not enough to modify the nvram values, maybe it is also needed to modify the qcn file so as to enable some of the bands?
And, second point. If the shop could hack the qcn, it means it is possible without having the source code, right?
Ah, I read it as the shop had flashed a restricted one from off a Chinese phone.
Will look later on when not rushing about
An interesting development on the B20 front, it appears that there is an official release of a Mi5 and other models with B20 active, in Poland. Hopefully this will provide some leads on the .qcn file front to getting additional bands enabled.
See XDA Developers thread titled [Work in Progress] Trying to Unlock Bands (Including B20) post #357 (http://forum.xda-developers.com/showpost.php?p=68828828&postcount=357)
Cheers,
GM
(dylanger) said:
Hey Guys,
Another little update, I've managed to combine all of the modem.b00-25 files into a single ELF file, that now successfully opens in IDA:
What did you use to do that? I found this thread while stumbling around trying to find a way to port Keymaster firmware to a similar device without one.
http://forum.xda-developers.com/lg-g2/orig-development/porting-keymaster-firmware-t3473350
I am currently trying to port Plasma Mobile to the 6P. I have gotten through all of the configuration, minus setting the LD_LIBRARY_PATH (causes bootloop, manually export before running lxc-start) and the screen brightness control (Nexus 5/X are LCD). I am currently stuck trying to get lxc to launch the system. It throws the following error:
Code:
1|angler:/ # lxc-start -n system -F
The configuration file contains legacy configuration keys.
Please update your configuration file!
lxc-start: system: namespace.c: lxc_clone: 67 Failed to clone (0x2c020000): Invalid argument.
lxc-start: system: start.c: lxc_spawn: 1253 Invalid argument - Failed to clone a new set of namespaces.
lxc-start: system: start.c: __lxc_start: 1459 Failed to spawn container "system".
lxc-start: system: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: system: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.
I'm not too sure as to what is going on with the error, as I have never used lxc before.
Attempting to set the logfile throws the following, even after remounting to rw:
Code:
angler:/ # lxc-start -n system -F -o log
lxc-start: system: log.c: log_open: 383 failed to open log file "log" : Read-only file system
Extra info:
LineageOS 14.1 latest nightly
pm-rootfs-20170210-152001 for the rootfs
Latest lxc-android
Any help is appreciated, as I am kinda stuck right now.
Native ARM/static Linux binaries
(for all ARMv7+ compatible platforms)
Open-source Linux binaries that are either not available on Android (e.g. in Termux)
or make sense to be statically compiled (e.g. to run in TWRP/recovery for data recovery).
These are root tools and might damage your device severely. Use at your own risk. I take no responsibility whatsoever. If in doubt don't use them.
Minimum CPU: ARMv7/vfpv3-d16. Compiled against musl-libc/Android Kernel 3.4. Binaries are static, bionic/libc independent and should run on Android, TWRP, emulator or any other compatible ARM device. Musl is patched (info)(info2)(patch file: patch -p0 -u -b -i musl-android-smp.patch) to iterate CPU cores by /proc/stat instead of _SC_NPROCESSORS_CONF/sched_getaffinity to prevent false detection due to ARM cpu core powersaving (permanently turning cores on/off). This should report CPU cores more reliably to multithreading apps.
Example instructions how to build EncFS can be found here.
Some Cryptsetup compile recipes are here.
Changelog:
20190923 - f2fs-tools added
20190915 - dislocker, ntfs-3g, mount.exfat-fuse added
20190910 - VeraCrypt v1.24-b5 added
20191215 - musl smp patch added
20191224 - hstr v2.2.0 updated
20191225 - Testdisk, PhotoRec v7.2-wip-dec2019 updated
20200103 - tar v1.32 updated (with selinux, acl, xattr support)
20200513 - Cryptsetup v2.3.2 added
20200518 - fscrypt 0.2.7, strace56(aarch64) added
20200525 - p7zip v17.01 added
20200603 - parted v3.3 added
20200606 - fxz v1.1.0alpha added
20201212 - ddrescue v1.25 added
20201212 - Cryptsetup v2.3.4 updated
20210113 - f2fs-tools updated to v1.14.0
20210125 - Several tools compiled by @Borovets. See 'Misc' tools.
20210413 - Cryptsetup v2.3.5 updated
20210916 - Cryptsetup v2.4.1 updated. Thx to @misterhsp.
20211108 - rsync v3.2.3 updated
20211118 - Cryptsetup v2.4.2 updated. Thx to @misterhsp.
20220103 - mmc-utils added
20220106 - More tools from @Borovets. See spoiler.
Spoiler
bash-5.1.16-[1]-[2022.01.05].tar.gz
openssl3-3.0.1-[2021.12.14]-static.tar.gz
tree-2.0.0-[2021.12.23]-static.tar.gz
e2fsprogs-1.46.5-[2021.12.31]-static.tar.gz
openssl-1.1.1-m-[2021.12.15]-static.tar.gz
libsqlite-3.37.1-[2021.12.30]-static.tar.gz
ldns-host-1.7.1-[2021.12.30]-static.tar.gz
bootimg-info-2.0-[2021.12.18]-static.tar.gz
bc-5.2.1-[2021.12.29]-static.tar.gz
openssl3-tool-3.0.1-[2021.12.14]-static.tar.gz
openssl-tool-1.1.1-m-[2021.12.15]-static.tar.gz
sqlite-3.37.1-[2021.12.30]-static.tar.gz
stunnel-5.61-[2021.12.17]-static.tar.gz
toybox-0.8.6-borovets-295-applets-[2021.12.30]-static.tar.gz
unrar-6.10-beta-3-[2021.12.11]-static.tar.gz
zstd-1.5.1-[2021.12.22]-static.tar.gz
20220107 - parted v3.4 updated
20220113 - cryptsetup v2.4.3 updated. Thx to @misterhsp.
20220114 - gptfdisk v1.0.8 added
20220212 - tar v1.34 updated
20220622 - gptfdisk v1.0.9 (armv7) added
20220724 - dialog v1.3 added
20220728 - f2fs tools v1.15.0 updated
20220730 - cryptsetup v2.5.0 updated. Thx to @misterhsp.
20220806 - 7z-zstd v22.01 added. Thx to @xenosaur
20220910 - rsync v3.2.6 updated
20220913 - htop v3.2.1 added
20220913 - gocryptfs v2.3 updated. Thx to @misterhsp
20220922 - veracrypt v1.25.9 updated
20220924 - fdisk v2.38.1 and file v5.43 added
20221129 - cryptsetup v2.6.0 updated. Thx to @misterhsp
20221213 - f2fs tools v1.15.0 fixed (uuid.h missing)
20230215 - cryptsetup v2.6.1 updated. Thx to @misterhsp
20230307 - gocryptfs v2.3.1. Thx to @misterhsp
Data recovery tools:
- PhotoRec 7.2 - PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
- Testdisk 7.2 - Recover lost partitions and partition tables. For external sdcards. Never use it on internal mmc unless you know what you're doing.
- ext4magic 0.3.2 (with supplementary gnu date binary that can handle relative time like 'date -d "-20minutes" +%s')
- fidentity - A little utility sharing PhotoRec signature database. It identifies the type of data contained in a file and reports the extension as seen by PhotoRec.
- debugfs - Might be helpful on ext2 systems or other stuff.
- strace 4.20 - For debugging. Mainly to catch syslog messages (as Android has no traditional /dev/log buffer).
- strace 5.6 - For aarch64.
- ddrescue v1.25 - Data recovery tool for block devices with errors.
Compression tools:
- p7zip v17.01 (fork) - (Download) A new p7zip fork with additional codecs and improvements
- pixz - Parallel, indexed xz compressor
- xz - Multicore aware version of xz/lzma (use --threads=0)
- tar v1.32 - Tar provides the ability to create tar archives, as well as various other kinds of manipulation. Download below. More builds from @mirfatif here.
- fxz - (Download) FXZ Utils is a fork of XZ Utils. It adds a multi-threaded radix match finder and optimized encoder.
Misc:
- hexcurse v1.60.0 - Hexcurse is a curses-based hex editing utility that can open, edit, and save files, editing both the hexadecimal and decimal values. The 'ncurses' UI layout depends on the TERM env variable. Change it temporarily with e.g. 'TERM=xterm-256color hexcurse <file>'. See /system/etc/terminfo for possible terminals (xterm-256color, linux..).
- nethogs v0.8.5 - ncurse/nettop-like per-app separated speedmeter and traffic counter supporting high refresh rate. Try 'nethogs -d0' (speedmeter) or 'nethogs -v1' (traffic counter).
- rsync v3.2.3 - rsync is an open source utility that provides fast incremental file transfer. (--with-rsyncd-conf=/data/etc/rsyncd.conf)
- smbnetfs v0.6.1 - SMBNetFS is a Linux/FreeBSD filesystem that allows you to use a Samba/Microsoft network in the same manner as the network neighborhood in Microsoft Windows. More info see below.
- progress v0.14 - Linux tool to show progress for cp, mv, dd, ... (formerly known as cv). Download here.
- archivemount (20180801) - A fuse filesystem for mounting archives in formats supported by libarchive. Download here.
- squashfuse v0.1.103 - FUSE filesystem to mount squashfs archives Download here.
- FuseISO - FuseISO is a FUSE module to mount ISO filesystem images (.iso, .nrg, .bin, .mdf and .img files). It currently supports plain ISO9660 Level 1 and 2, Rock Ridge, Joliet, and zisofs. Download here.
- HSTR v2.2.0 - HSTR (HiSToRy) is a command line utility that brings improved Bash/zsh command completion from the history. It aims to make completion easier and more efficient than Ctrl-r. (If history is empty try setting HISTFILE in /system/etc/bash/bashrc e.g. export HISTFILE=/data/.bash_history).
- GNU screen, tmux - Thanks to @mirfatif.
- dislocker, ntfs-3g, mount.exfat-fuse - Thanks to @mirfatif.
- f2fs-tools - Thanks to @mirfatif. Update: v1.14.0 here.
- parted v3.3 - GNU Parted (the name being the conjunction of the two words PARTition and EDitor) is a free partition editor, used for creating and deleting partitions. Note: It might be useful to partition external sdcards (e.g. to limit adoptable storage). I do not recommend to use it on internal memory. It might brick your phone.
- Several tools compiled by @Borovets
Spoiler: Borovets tools
Borovets tools 2021.01.25
arptables-0.0.5-[2021.01.17]-static.zip
autoflushtest-1.0-[2021.01.14]-static.zip
btrfs-compsize-1.3-[build-2]-[2020.12.27].zip
btyacc-3.0-[2021.01.18]-static.zip
c-blosc-1.21.1-development-[2020.12.22].zip
c-blosc2-2.0.0-beta-6-development-[2020.04.21].zip
cabextract-1.9.1-[2021.01.08]-static.zip
compsize-1.3-[2021.01.07]-static.zip
convert-color-space-0.1-[2021.01.18]-static.zip
cpustat-0.02.13-[2021.01.13]-static.zip
doxygen-1.9.2-[2021.01.17]-static.zip
ed-1.17-[2021.01.11]-static.zip
hello-2.10-[2021.01.08]-static.zip
htop-3.0.5-[2021.01.13]-static.zip
ipcalc-ng-1.0.0-[2020.12.28]-static.zip
iw-5.9-[2021.01.08]-static.zip
libsqlite-3.34.1-[2021.01.20].zip
libtar-1.2.20-[2021.01.16]-static.zip
m5-1.0-[2020.12.31]-static.zip
sqlite-3.34.1-[2021.01.20]-static.zip
Borovets tools 2021.01.27
lcab-1.0-beta-12-[2021.01.17].zip
memdump-1.01-[2021.01.25].zip
memdumper-0.4-[2021.01.25].zip
memtester-4.5.0-[2021.01.09].zip
tcpdump-4.99.0-[libcap-1.9.1]-[2021.01.05].zip
wget2-1.99.2-[2020.12.12].zip
wolfssl-4.5.0-[2020.12.12].zip
xfsprogs-5.10.0-[2021.01.01].zip
Crypttools:
(These crypttools are mostly frontend tools for the main backend that resides in the kernel. If your kernel hasn't been configured accordingly at compile time you might not be able to use all features.)
- Cryptsetup v2.3.5 - (Download) Cryptsetup is a utility used to conveniently set up disk encryption based on the dm-crypt kernel module. This includes plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt (including the VeraCrypt extension) formats.
- eCryptfs-utils v111 - Frontend tools for the enterprise cryptographic filesystem for Linux. That's what Android/Google use for encryption. It's file-based (no container) and mounting can be automated by a Termux widget. Needs shared libraries but is still portable. See notes below.
- EncFS v1.9.5 - EncFS provides an encrypted filesystem in user-space, using the FUSE library for the filesystem interface.
- gocryptfs - An encrypted overlay filesystem written in Go. Download here. Thanks to @mirfatif.
- VeraCrypt - VeraCrypt is a free open source disk encryption software. Download here. Thanks to @mirfatif.
- fscrypt 0.2.7 - (Download) fscrypt is a high-level tool for the management of Linux filesystem encryption. Needs at least kernel 4.1.
Crypttools info:
Cryptsetup:
General Notes:
- Features like TrueCrypt, VeraCrypt and LUKS2 need 'userspace crypto api' enabled in kernel. Most Android kernels are probably not configured for that and you have to recompile your kernel or contact your kernel maintainer. For kernel 3.4 you need this:
Code:
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
- If 'cryptsetup benchmark' is incomplete and says 'userspace crypto api not available' you might be affected. You can still use LUKS1 though. A full benchmark looks like this:
Code:
# cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 249186 iterations per second for 256-bit key
PBKDF2-sha256 327680 iterations per second for 256-bit key
PBKDF2-sha512 58829 iterations per second for 256-bit key
PBKDF2-ripemd160 227555 iterations per second for 256-bit key
PBKDF2-whirlpool 33539 iterations per second for 256-bit key
argon2i 4 iterations, 208288 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id 4 iterations, 207817 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 77.8 MiB/s 88.4 MiB/s
serpent-cbc 128b N/A N/A
twofish-cbc 128b 58.5 MiB/s 61.9 MiB/s
aes-cbc 256b 61.5 MiB/s 68.4 MiB/s
serpent-cbc 256b N/A N/A
twofish-cbc 256b 58.5 MiB/s 61.8 MiB/s
aes-xts 256b 95.1 MiB/s 86.9 MiB/s
serpent-xts 256b N/A N/A
twofish-xts 256b 60.0 MiB/s 61.8 MiB/s
aes-xts 512b 74.1 MiB/s 67.2 MiB/s
serpent-xts 512b N/A N/A
twofish-xts 512b 60.3 MiB/s 62.0 MiB/s
LUKS:
Code:
# 10MB test image (luks.img)
dd if=/dev/zero of=luks.img bs=1M count=10
cryptsetup luksFormat luks.img
cryptsetup open luks.img myluks
mke2fs -t ext4 /dev/mapper/myluks
mkdir luks
mount /dev/mapper/myluks luks
# luks folder is ready here
umount luks
cryptsetup close myluks
- If the standard luksFormat cipher (aes-xts-plain64) doesn't work (not supported by your kernel) you can try one of the more compatible ciphers. luksFormat takes only the image (a second argument would be read as a key file); the mapping name is given to 'cryptsetup open' afterwards:
Code:
cryptsetup luksFormat -c aes-cbc-essiv:sha256 luks.img
cryptsetup luksFormat -c aes-plain luks.img
- For LUKS2 (experimental) use:
Code:
cryptsetup luksFormat --type luks2 luks.img
- Use "cryptsetup -v --debug" for more verbose output (debugging) in case of errors.
Veracrypt:
Code:
cryptsetup open --type tcrypt --veracrypt veracrypt.tc myvera
cryptsetup status myvera
mkdir /data/myvera
mount /dev/mapper/myvera /data/myvera
umount /data/myvera
cryptsetup close myvera
- Use container from desktop system (created with real Veracrypt)
- "veracrypt.tc" is the veracrypt container name
- "myvera" is an arbitrary name (handle)
- Use "cryptsetup -v --debug" for more verbose output (debugging) in case of errors.
eCryptfs-utils:
General Notes:
These tools are not built statically as they explicitly rely on 'dlopen' (plugin system). Instead they are compiled with relative rpaths (./libs). That means dependencies (libraries in subfolders) must be present in the binaries folder and you have to be in the binaries folder itself (with 'cd') before invoking any binary. By this the binaries are still portable (system independent) as long as the subfolders are present. I've put the files into a tar.gz archive so permissions should be set +x already. Extract the archive into /data/local/bin for 'Example' below.
Code:
mkdir -p /data/local/bin
cd /data/local/bin
tar xf crypttools.armv7.20180204.tar.gz
cd ecryptfs
./ecryptfs-stat --help
More info: ArchLinux Wiki
Example:
Tested on /sdcard based on FUSE filesystem. sdcardfs untested. Might need selinux permissive.
We create a folder /sdcard/pics that can be enabled (files present) or disabled (no files present) by a click on a widget button (Termux script) and entering our password. The encryption is done on a per-file basis. The actual files are stored encrypted in /sdcard/efs/pics.
- You might need SuperSU or Magisk Superuser for 'su -mm'. That makes sure that all apps can see the mounted folder (mount namespace separation).
- Busybox needed
- Install Termux and Termux:Widget from F-Droid or Playstore
- Start it and enter:
Code:
pkg upgrade
pkg install tsu
exit
- Create script /data/data/com.termux/files/home/.shortcuts/efs-pics.sh and make sure permissions (700) and owner (take from parent folder) are correct.
Code:
#!/system/xbin/bash
su -mm -c "/system/xbin/bash -c /data/local/scripts/$(basename "$0")"
- Create script /data/local/scripts/efs-pics.sh (770/root):
Code:
#!/system/xbin/bash
set -e
PATH=$PATH:/data/data/com.termux/files/usr/bin
# Necessary because rpaths are relative
cd /data/local/bin/ecryptfs
# /data/myefskey contains the salted key.
# Don't forget to make a backup.
# Without it encrypted data is lost.
function enter_passphrase {
# -s keeps the passphrase off the terminal
read -s -p "Enter passphrase: " passphrase
# The tool prints the key signature in [brackets]; a wrong passphrase makes it fail
sig=$(printf "%s" "$passphrase" | ./ecryptfs-insert-wrapped-passphrase-into-keyring /data/myefskey -) || { echo "$(basename "$0") could not unwrap key :("; exit 1; }
sig=$(echo "$sig" | cut -d "[" -f2 | cut -d "]" -f1)
}
CPATH1="/data/media/0/efs/pics"
CPATH2="/data/media/0/pics"
if ! mountpoint -q "${CPATH2}"; then
enter_passphrase
echo ""
# A "(...; exit)" subshell would not stop the script on failure; a brace group with exit 1 does
mount -t ecryptfs -o ecryptfs_sig=$sig,ecryptfs_fnek_sig=$sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 "${CPATH1}" "${CPATH2}" || { echo "$(basename "$0") mount failed!"; exit 1; }
./keyctl clear @u
echo "$(basename "$0") mount successful! :)"
else
umount "${CPATH2}" || { echo "$(basename "$0") umount error $? :("; exit 1; }
echo "$(basename "$0") umount successful :)"
fi
# uncomment to force-close Termux window
# killall com.termux
- If your ROM uses encryption already (/data/data) beware the './keyctl clear @u' command. It might flush *all* keys in the kernel including the Android encryption one (I'm not sure). This might lead to unpredictable behavior. Either comment it out (then your once-injected key remains in the kernel keystore and someone could simply remount your folder without the passphrase) or make yourself familiar with the keyctl command and handle it yourself. My phone is not encrypted so I cannot help here.
- Create a random keyfile (/data/myefskey) and wrap it with a passphrase. This might need 1-2 minutes depending on your device's entropy pool (/dev/random). Back up this key (/data/myefskey). Without it your encrypted data is lost. And don't forget the trailing '-' (minus) at the end of the line, it's important.
Code:
cd /data/local/bin/ecryptfs
read -p "Enter passphrase: " passphrase; printf "%s\n%s" $(busybox od -x -N 100 --width=30 /dev/random | head -n 1 | busybox sed "s/^0000000//" | busybox sed "s/[[:space:]]*//g") "${passphrase}" | ./ecryptfs-wrap-passphrase /data/myefskey -
- Create folders:
Code:
mkdir -p /sdcard/efs/pics /sdcard/pics
- Create Widget (Termux) and select 'efs-pics.sh'.
- Start it and enter your passphrase (you used above). If everything goes well (it will tell you) you can place files into /sdcard/pics and scrambled files should come up in /sdcard/efs/pics. Never write into /sdcard/efs/pics directly.
- Activate widget again. /sdcard/pics should get emptied.
- Optional: You can set /data/media/0/efs/pics to 700/root so no one can access/see the encrypted data.
SMBNetFS info:
Note: The library paths are relative. You need to be in the folder (with 'cd') to spawn the executable (./smbnetfs). You can extract the archive wherever you want though as far as the file/folder structure remains intact.
Example:
Code:
mount -o remount,rw /
mkdir -p /data/local/bin /mnt/cifs
mount -o remount,ro /
tar xf smbnetfs.tar.gz -C /data/local/bin
cd /data/local/bin/smbnetfs
export HOME=/data/local/bin/smbnetfs/home
# enter your smb credentials into smbnetfs/home/.smb/smbnetfs.auth (eg. auth "192.168.1.2" "${user}" "${pass}")
./smbnetfs /mnt/cifs
cd /mnt/cifs/192.168.1.2/${share}
I think it usually should list the samba environment in /mnt/cifs but I'm not sure which prerequisites are necessary for that (edit: maybe it needs real workgroup/hostname instead of IPs). If nothing comes up this should work:
The folder 192.168.1.2/${share} is unreachable by Android's folder picker (unless you can enter the path manually). So either pre-create the folder structure beforehand (mkdir -p /mnt/cifs/192.168.1.2/${share}), add/register the folder to your app by folder picker (eg. MXPlayer) and then overmount that with the actual ${share}. Or bindmount the folder:
Code:
mount --bind /mnt/cifs/192.168.1.2/${share} /mnt/cifs2
Edit: Another option is to let smbnetfs create a static link (actually a symbolic link) to the share in the mountpoint root (/mnt/cifs). It's not as robust as the bindmount though. MXPlayer doesn't find any files (even though the folder picker shows the folders properly).
Code:
echo "link myfiles 192.168.1.2/${share}" > /data/local/bin/smbnetfs/home/.smb/smbnetfs.host
chmod 700 /data/local/bin/smbnetfs/home/.smb/smbnetfs.host
I've noticed that MXPlayer shows the samba folders just for a glimpse of a second. But if you enter one of the local folders and then go back all samba folders are there. Not sure why this is happening or maybe it's just my system.
Edit2: Not yet tested but.. check the permissions. It's possible that SMBNetFS mounts with 755 or something. That's inaccessible for Android apps. Try this:
Code:
./smbnetfs -o umask=000,noatime,noexec,nodev,nosuid /mnt/cifs
Samba 4.8.3 configuration:
Code:
_idmap_modules=idmap_rid,idmap_hash,idmap_tdb2
_pdb_modules=pdb_tdbsam,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
_auth_modules=auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
waf configure --prefix=/tmp/myout \
-C \
--sysconfdir=./conf/etc/samba \
--with-configdir=./conf/etc/samba \
--localstatedir=./conf/var \
--libexecdir=./conf/usr/lib \
--enable-fhs \
--with-lockdir=./conf/var/cache/samba \
--with-piddir=./conf/run/samba \
--with-logfilebase=./conf/var/log/samba \
--without-pam \
--without-systemd \
--without-ads \
--with-shared-modules=$_idmap_modules,$_pdb_modules,$_auth_modules \
--disable-cups \
--without-gettext \
--bundled-libraries=NONE,com_err,ldb,uid_wrapper,resolv_wrapper,socket_wrapper,nss_wrapper,ntdb,roken,wind,hx509,asn1,heimbase,hcrypto,krb5,gssapi,heimntlm,hdb,kdc,cmocka,talloc,tdb,pytdb,ldb,pyldb,tevent,pytevent \
--disable-rpath-install \
--disable-python --without-ad-dc --without-acl-support --without-ldap \
--hostcc=/usr/bin/gcc \
--cross-compile --cross-execute='qemu-arm -L /media/devpart/qemu/root'
waf build -j4
waf install
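Back to the keyfile step of the eCryptfs quickstart above. The following helper is added here as an example; it is not DualJoe's script and not part of ecryptfs-utils. It assumes a POSIX shell with od, tr, cp and cmp (busybox provides them on the phone) and only calls ecryptfs-wrap-passphrase if it is on the PATH. It reads /dev/urandom instead of /dev/random so the command does not block while the entropy pool fills, creates the wrapped file with mode 600 from the start, and verifies the backup copy byte for byte, since the data is lost without it:

```shell
#!/bin/sh
# Added example: create and back up the wrapped eCryptfs key file.
# Not part of the quickstart; assumes busybox/coreutils od, tr, cp and cmp.
set -u

# gen_hex_key NBYTES
# Print NBYTES random bytes as lowercase hex without any whitespace.
# /dev/urandom does not block while the kernel gathers entropy, which is
# what causes the 1-2 minute wait with /dev/random in the quickstart.
gen_hex_key() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# wrap_key KEYFILE PASSPHRASE [NBYTES]
# Same pipeline as the quickstart: the random key and the passphrase are
# written to stdin of ecryptfs-wrap-passphrase, whose trailing '-' tells it
# to read both from there, so neither value shows up in process listings.
# NBYTES defaults to 30, the 60 hex characters the quickstart's od line
# yields (ecryptfs-utils caps passphrases at 64 characters,
# ECRYPTFS_MAX_PASSWORD_LENGTH).
wrap_key() {
    keyfile=$1 passphrase=$2 nbytes=${3:-30}
    if ! command -v ecryptfs-wrap-passphrase >/dev/null 2>&1; then
        echo "ecryptfs-wrap-passphrase not found (install ecryptfs-utils)" >&2
        return 2
    fi
    ( umask 077   # the wrapped file is created 0600 from the start
      printf '%s\n%s' "$(gen_hex_key "$nbytes")" "$passphrase" |
          ecryptfs-wrap-passphrase "$keyfile" - )
}

# backup_keyfile SRC DST
# Copy the wrapped key file and compare the copy byte for byte; without
# this file the encrypted data is lost, as the quickstart warns.
backup_keyfile() {
    src=$1 dst=$2
    [ -f "$src" ] || { echo "no such key file: $src" >&2; return 1; }
    cp "$src" "$dst" && chmod 600 "$dst" && cmp -s "$src" "$dst"
}

# Usage on the phone (as root), mirroring the quickstart:
#   read -p "Enter passphrase: " passphrase
#   wrap_key /data/myefskey "$passphrase" && backup_keyfile /data/myefskey /sdcard/myefskey.bak
```

The wrapped file is itself protected by the passphrase, so a copy on /sdcard or a PC is only as safe as that passphrase; the unwrapped key never touches disk.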
Compression tools added.
Next are crypttools (ecryptfs-utils, cryptsetup).
DualJoe said:
Compression tools added.
Next are crypttools (ecryptfs-utils, cryptsetup).
Please add ecryptfs-simple
xyne.archlinux.ca/projects/ecryptfs-simple
Thanks.
Ecryptfs-simple is not POSIX compliant. It relies on an argv interface (to parse command-line parameters) that is a GNU extension that musl doesn't support.
The original eCryptFS is simple enough anyway (and it's the upstream project). I will provide a quickstart example and a one button GUI controlled solution (Termux widget) to handle it.
Please add gifsicle,
http://github.com/kohler/gifsicle
Thanks.
I only have gifsicle. The other ones are too complex for my setup atm.
DualJoe said:
I only have gifsicle. The other ones are too complex for my setup atm.
Thank you very much.
Please help me again to build giflossy (fork of gifsicle).
I really need it to compress (--lossy=N) the Gif file to be smaller.
https://github.com/kornelski/giflossy
Thanks.
Do you use them directly on your phone for web postings or something? What's your use case to not prefer a desktop system for this?
DualJoe said:
Do you use them directly on your phone for web postings or something? What's your use case to not prefer a desktop system for this?
I use it directly on the phone, for learning purposes.
Using it on the phone is so handy that it can be easily used anywhere.
Thanks.
Please help me again to build lbzip2
http://lbzip2.org/
Thanks.
Here it is.
DualJoe said:
Compression tools added.
Next are crypttools (ecryptfs-utils, cryptsetup).
When will Crypttools be released?
I've waited for the major update of cryptsetup. It's out now indeed. I should get it up this week.
Crypttools and quickstart tutorials added.
Mountpoint is not writable (eCryptfs)
DualJoe said:
Crypttools and quickstart tutorials added.
Can't write to mountpoint.
# touch /sdcard/pics/test
touch: /sdcard/pics/test: Permission denied
# cp file /sdcard/pics
cp: can't create '/sdcard/pics/file': Permission denied
buengeut said:
touch: /sdcard/pics/test: Permission denied
What are your permissions?
Code:
# stat /data/media/0/pics
Access: (775/drwxrwxr-x) Uid: (1023/media_rw) Gid: (1023/media_rw)
# stat /data/media/0/efs
Access: (775/drwxrwxr-x) Uid: (1023/media_rw) Gid: (1023/media_rw)
# stat /data/media/0/efs/pics
Access: (775/drwxrwxr-x) Uid: (1023/media_rw) Gid: (1023/media_rw)
What does your mount look like?
Code:
# mount |grep pics
/data/media/0/efs/pics on /data/media/0/pics type ecryptfs (rw,relatime,ecryptfs_fnek_sig=56b1f3c519fb3412,ecryptfs_sig=56b1f3c519fb3412,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
Is /sdcard linked?
Code:
# ls -l /sdcard
lrwxrwxrwx 1 root root 21 May 10 1973 /sdcard -> /storage/self/primary
What Android version and kernel do you have?
DualJoe said:
What are your permissions?
Code:
# stat /data/media/0/pics
Access: (775/drwxrwxr-x) Uid: (1023/media_rw) Gid: (1023/media_rw)
# stat /data/media/0/efs
Access: (775/drwxrwxr-x) Uid: (1023/media_rw) Gid: (1023/media_rw)
# stat /data/media/0/efs/pics
Access: (775/drwxrwxr-x) Uid: (1023/media_rw) Gid: (1023/media_rw)
What does your mount look like?
Code:
# mount |grep pics
/data/media/0/efs/pics on /data/media/0/pics type ecryptfs (rw,relatime,ecryptfs_fnek_sig=56b1f3c519fb3412,ecryptfs_sig=56b1f3c519fb3412,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
Is /sdcard linked?
Code:
# ls -l /sdcard
lrwxrwxrwx 1 root root 21 May 10 1973 /sdcard -> /storage/self/primary
What Android version and kernel do you have?
Android 6.0 kernel 3.18.14
/sdcard is a symlink to /mnt/sdcard, I changed /sdcard to /mnt/sdcard
Code:
# mount -t ecryptfs
/mnt/sdcard/efs/pics on /mnt/sdcard/pics type ecryptfs (rw,relatime,ecryptfs_fnek_sig=1b77138d91206e66,ecryptfs_sig=1b77138d91206e66,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
Code:
# stat /mnt/sdcard/pics
Access: (775/drwxrwxr-x) Uid: (1000/ system) Gid: (1015/sdcard_rw)
# stat /mnt/sdcard/efs
Access: (775/drwxrwxr-x) Uid: (1000/ system) Gid: (1015/sdcard_rw)
# stat /mnt/sdcard/efs/pics
Access: (775/drwxrwxr-x) Uid: (1000/ system) Gid: (1015/sdcard_rw)
Code:
# touch /mnt/sdcard/pics/test
touch: /mnt/sdcard/pics/test: Permission denied
What about the permissions of /data/media/0 folders? That's the most important part.
If your sdcard is not at /data/media/0 you probably don't have a multiuser environment (older phone?) and /mnt/sdcard is probably a real partition. This is the early KitKat partition layout (/sdcard and /data have separate partitions). On later systems both are on the /data partition and /sdcard is abstracted by a FUSE file system that would automatically set the proper permissions whenever you write something to it (even as root).
In case you are on an old layout you would need to set proper permissions to /sdcard/pics and /sdcard/efs yourself. Just take a look at the other folders with 'ls -l /mnt/sdcard' and set accordingly. You would also need to change /data/media/0 to /mnt/sdcard in the script.
What do you get with this?
Code:
# mount |grep sdcard
# mount |grep storage
What phone is it? Kernel 3.18 doesn't sound all too old.
Edit: Another theory is your internal sdcard is sdcardfs or something. If so, it might break "stacking" folders (mount over). Try to use /data/pics and /data/efs/pics as a test.
It works in Permissive mode (setenforce 0)
I need Busybox with SELinux enabled and use it to set it to Permissive mode
Code:
# busybox getenforce
Enforcing
# busybox setenforce 0
# busybox getenforce
Permissive
And then execute the efs-pics.sh and test it
Code:
# cp file /mnt/sdcard/pics ; echo $?
0
# ls /mnt/sdcard/pics
file
Horreee.... it Works.
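The checks DualJoe asked for in this exchange (folder permissions, the ecryptfs mount line, and the SELinux mode that turned out to be the cause), gathered into one script. This is an added example, not code from the quickstart or from either poster; it assumes a shell with `stat -c` (coreutils, busybox or toybox), `mount`, sed and awk, and reads the SELinux state from selinuxfs directly so it does not depend on a busybox build that includes getenforce. The sample mount line is copied from DualJoe's `mount |grep pics` output above and is only used for the self-check:

```shell
#!/bin/sh
# Added example: the checks asked for in this thread (folder permissions,
# ecryptfs mount options, SELinux mode) as shell functions. Not part of the
# quickstart; assumes `stat -c` (coreutils, busybox or toybox) and `mount`.
set -u

# Mount line copied from DualJoe's `mount |grep pics` output above, used as
# sample input for ecryptfs_opt.
SAMPLE_MOUNT='/data/media/0/efs/pics on /data/media/0/pics type ecryptfs (rw,relatime,ecryptfs_fnek_sig=56b1f3c519fb3412,ecryptfs_sig=56b1f3c519fb3412,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)'

# ecryptfs_opt MOUNTLINE NAME
# Print the value of option NAME from one `mount` line (empty if absent).
ecryptfs_opt() {
    printf '%s\n' "$1" | sed -n "s/.*[(,]$2=\([^,)]*\).*/\1/p"
}

# mount_line_for DIR
# The `mount` line whose mountpoint is exactly DIR; empty if nothing is
# mounted there (a missing mount is the first thing to rule out).
mount_line_for() {
    mount 2>/dev/null | awk -v d="$1" '$3 == d { print; exit }'
}

# dir_perms DIR -> "MODE OWNER:GROUP", e.g. "775 media_rw:media_rw"
dir_perms() {
    stat -c '%a %U:%G' "$1"
}

# selinux_mode -> Enforcing | Permissive | unknown | unavailable
# Reads the selinuxfs interface directly, so it works even when the
# installed busybox was built without getenforce/setenforce.
selinux_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            1) echo Enforcing ;;
            0) echo Permissive ;;
            *) echo unknown ;;
        esac
        return
    done
    echo unavailable
}

# diag LOWER UPPER
# LOWER is the folder holding the scrambled files (/data/media/0/efs/pics),
# UPPER the mountpoint where the plaintext appears (/data/media/0/pics).
diag() {
    lower=$1 upper=$2
    for d in "$lower" "$upper"; do
        if [ -d "$d" ]; then
            printf '%-24s %s\n' "$d" "$(dir_perms "$d")"
        else
            printf '%-24s missing\n' "$d"
        fi
    done
    line=$(mount_line_for "$upper")
    if [ -n "$line" ]; then
        printf 'ecryptfs on %s: cipher=%s key_bytes=%s\n' "$upper" \
            "$(ecryptfs_opt "$line" ecryptfs_cipher)" \
            "$(ecryptfs_opt "$line" ecryptfs_key_bytes)"
    else
        printf 'nothing mounted on %s\n' "$upper"
    fi
    # An Enforcing kernel can deny the write even when mode and owner look
    # right, which is what buengeut hit; the denial is logged as an
    # "avc: denied" line in dmesg/logcat.
    printf 'selinux: %s\n' "$(selinux_mode)"
}

# Usage (as root): diag /data/media/0/efs/pics /data/media/0/pics
```

Switching to Permissive makes the write succeed, but it also stops every other SELinux denial on the phone; the avc line names the source and target contexts, which is the information needed to narrow a policy change to the ecryptfs mountpoint instead.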
Hello guys, I have an HP laptop with 16 GB of RAM and enough HDD space. I am also running Xubuntu 16.04, where I was previously able to compile custom ROMs. However, recently my hard drive crashed and I had to recover using EaseUS. Then I formatted it to exFAT. Xubuntu as such is giving me write operations on exFAT devices. My problem is now that whenever I am using repo sync on a custom ROM source it gives an error like
Code:
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$ repo init -u https://github.com/PixelExperience/manifest -b oreo-mr1
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
remote: Finding sources: 100% (5/5)
remote: Total 5 (delta 0), reused 5 (delta 0)
Unpacking objects: 100% (5/5), done.
From https://gerrit.googlesource.com/git-repo
cf7c083..0f2e45a master -> origin/master
Get https://github.com/PixelExperience/manifest
Traceback (most recent call last):
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 399, in Execute
self._SyncManifest(opt)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 171, in _SyncManifest
m._InitGitDir(mirror_git=mirrored_manifest_git)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2292, in _InitGitDir
self._UpdateHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2312, in _UpdateHooks
self._InitHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2341, in _InitHooks
os.symlink(os.path.relpath(stock_hook, os.path.dirname(dst)), dst)
OSError: [Errno 38] Function not implemented
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$
Any help would be recommended and appreciated.
Ayan Uchiha Choudhury said:
Code:
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$ repo init -u https://github.com/PixelExperience/manifest -b oreo-mr1
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
remote: Finding sources: 100% (5/5)
remote: Total 5 (delta 0), reused 5 (delta 0)
Unpacking objects: 100% (5/5), done.
From https://gerrit.googlesource.com/git-repo
cf7c083..0f2e45a master -> origin/master
Get https://github.com/PixelExperience/manifest
Traceback (most recent call last):
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 399, in Execute
self._SyncManifest(opt)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 171, in _SyncManifest
m._InitGitDir(mirror_git=mirrored_manifest_git)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2292, in _InitGitDir
self._UpdateHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2312, in _UpdateHooks
self._InitHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2341, in _InitHooks
os.symlink(os.path.relpath(stock_hook, os.path.dirname(dst)), dst)
OSError: [Errno 38] Function not implemented
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$
Any help would be recommended and appreciated.
Wrong place to ask but yeah, have you installed the latest version of repo and python2?
Or before that try `rm -rf .repo` and then init again.
Android Building queries can be discussed here:
https://forum.xda-developers.com/chef-central/android/guide-android-rom-development-t2814763
Yes yes I did both. I also created a new directory and tried repo init. But still
emmm....
Ayan Uchiha Choudhury said:
Yes yes I did both. I also created a new directory and tried repo init. But still
Have you found any solution?
SchafferWang said:
Have you found any solution?
exFAT was the problem. Formatted to NTFS to fix it.
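A probe for the failure Ayan hit, added here as an example; it is not from the thread and not part of repo or git. The traceback above ends in `os.symlink` raising errno 38 (ENOSYS, "Function not implemented"), which is what the Linux exFAT driver returns because the filesystem has no symlinks. The script assumes a POSIX shell with mktemp, ln, touch and ls, and tests the directory as actually mounted rather than inferring anything from the filesystem name; it also checks case sensitivity, which the Android source tree requires:

```shell
#!/bin/sh
# Added example: probe a build directory's filesystem for what `repo` and an
# Android source tree need. Not from the thread; uses only mktemp, ln, touch
# and ls. exFAT fails the symlink probe with ENOSYS (errno 38), the
# "Function not implemented" in the traceback above; ext4 passes both.
set -u

# fs_supports_symlinks DIR -> 0 if a symlink can be created inside DIR
fs_supports_symlinks() {
    probe=$(mktemp -d "$1/.fsprobe.XXXXXX") || return 1
    ok=1
    if ln -s target "$probe/link" 2>/dev/null && [ -L "$probe/link" ]; then
        ok=0
    fi
    rm -rf "$probe"
    return $ok
}

# fs_is_case_sensitive DIR -> 0 if "a" and "A" are distinct files in DIR.
# AOSP requires a case-sensitive filesystem. exFAT and NTFS are
# case-insensitive on Windows; what you get on Linux depends on the driver
# and its mount options, so probe the actual mount instead of trusting the
# filesystem type.
fs_is_case_sensitive() {
    probe=$(mktemp -d "$1/.fsprobe.XXXXXX") || return 1
    ok=1
    touch "$probe/a" && touch "$probe/A" &&
        [ "$(ls -A "$probe" | wc -l)" -eq 2 ] && ok=0
    rm -rf "$probe"
    return $ok
}

# fs_check DIR
# Run both probes, print one line each, and exit non-zero if any fails.
fs_check() {
    rc=0
    if fs_supports_symlinks "$1"; then
        echo "symlinks: ok"
    else
        echo "symlinks: NOT supported (repo init fails as in the traceback)"
        rc=1
    fi
    if fs_is_case_sensitive "$1"; then
        echo "case sensitivity: ok"
    else
        echo "case sensitivity: NOT case sensitive (the Android tree needs it)"
        rc=1
    fi
    return $rc
}

# Usage: fs_check /media/ayan/Ayan/Mobile/mo/pixel
```

Run it against the directory before `repo init`; a failed probe means the fix is the filesystem (reformatting, as Ayan did, or building on a native Linux filesystem), not the repo or python version.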