[Concept] Omitting bada API signature checking - "rooting" bada.


Rebellos

Senior Recognized Developer
I've got a concept of "rooting" the bada kernel.
This requires patching some apps and API libraries and in effect allows access to hundreds of low-level system functions.

Preamble:

Bada registers various API classes using the functions __SysRegisterClass(int unknown, int ClassID, ClassInfo* cInfo) and __SysRegisterClassV2(int ClassID, char* className, ClassInfoV2* cInfo, int unknown).
Sample ClassPointers in the ClassInfoV2 of class "SysBase" with ID 0x1000001 go like this:
Code:
LOAD:41348658                 ApiFunc <"SysDispatch", 1, SysDispatch+1>
LOAD:41348658                 ApiFunc <"__SysRegisterClassV2", 1, __SysRegisterClassV2+1>
LOAD:41348658                 ApiFunc <"SysUnregisterClassV2", 1, SysUnregisterClassV2+1>
LOAD:41348658                 ApiFunc <"SysGetInterfaceV2", 1, SysGetInterfaceV2+1>
LOAD:41348658                 ApiFunc <"__SysRegisterClass", 1, __SysRegisterClass+1>
LOAD:41348658                 ApiFunc <"SysUnregisterClass", 1, SysUnregisterClass+1>
LOAD:41348658                 ApiFunc <"SysGetInterface", 1, SysGetInterface+1>
LOAD:41348658                 ApiFunc <"SysSetLastError", 1, SysSetLastError+1>
LOAD:41348658                 ApiFunc <"SysGetLastError", 1, SysGetLastError+1>
LOAD:41348658                 ApiFunc <"_SysAssertBreakpoint", 1, _SysAssertBreakpoint+1>
LOAD:41348658                 ApiFunc <"_SysAssertReport", 1, _SysAssertReport+1>
LOAD:41348658                 ApiFunc <"_SysGetDllNameByDID", 1, _SysGetDllNameByDID+1>
LOAD:41348658                 ApiFunc <"_SysGetAppNameByDID", 1, _SysGetAppNameByDID+1>
LOAD:41348658                 ApiFunc <"_SysGetDidByDllName", 1, _SysGetDidByDllName+1>
LOAD:41348658                 ApiFunc <"_SysGetDidByAppName", 1, _SysGetDidByAppName+1>
LOAD:41348658                 ApiFunc <"SysGenerateUUID", 1, SysGenerateUUID+1>
LOAD:41348658                 ApiFunc <"SysGetFirmUpInfo", 1, SysGetFirmUpInfo+1>
LOAD:41348658                 ApiFunc <"SysGetLcdHeight", 1, SysGetLcdHeight+1>
LOAD:41348658                 ApiFunc <"SysGetLcdWidth", 1, SysGetLcdWidth+1>
LOAD:41348658                 ApiFunc <"SysGetLcdBitsPerPixel", 1, SysGetLcdBitsPerPixel+1>
LOAD:41348658                 ApiFunc <"SysGetDiagnoseInfo", 1, SysGetDiagnoseInfo+1>
LOAD:41348658                 ApiFunc <"SysIsLcdHorizontal", 1, SysIsLcdHorizontal+1>
LOAD:41348658                 ApiFunc <"SysGetUAString", 1, SysGetUAString+1>
LOAD:41348658                 ApiFunc <"SysSetUAString", 1, SysSetUAString+1>
LOAD:41348658                 ApiFunc <"SysGetRealTick", 1, SysGetRealTick+1>
LOAD:41348658                 ApiFunc <"_SysGetDebugLevel", 1, _SysGetDebugLevel+1>
LOAD:41348658                 ApiFunc <"_SysAppCoreDump", 1, _SysAppCoreDump+1>
LOAD:41348658                 ApiFunc <"SysGetModelName", 1, SysGetModelName+1>
LOAD:41348658                 ApiFunc <"SysDebugPrintf", 1, SysDebugPrintf+1>
LOAD:41348658                 ApiFunc <"SysRawDebugPrintf", 1, SysRawDebugPrintf+1>
LOAD:41348658                 ApiFunc <"SysTracePrintf", 1, SysTracePrintf+1>
LOAD:41348658                 ApiFunc <"_SysSaveAssertMsg", 1, _SysSaveAssertMsg+1>
LOAD:41348658                 ApiFunc <"SysRegisterRsrc", 1, SysRegisterRsrc+1>
LOAD:41348658                 ApiFunc <"SysUnRegisterRsrc", 1, SysUnRegisterRsrc+1>
LOAD:41348658                 ApiFunc <"SysRegisterRsrcEx", 1, SysRegisterRsrcEx+1>
LOAD:41348658                 ApiFunc <"SysUnRegisterRsrcUsingHdl", 1, SysUnRegisterRsrcUsingHdl+1>
LOAD:41348658                 ApiFunc <"SysUnRegisterRsrcExUsingHdl", 1, \
LOAD:41348658                          SysUnRegisterRsrcExUsingHdl+1>
LOAD:41348658                 ApiFunc <"SysUnRegisterRsrcEx", 1, SysUnRegisterRsrcEx+1>
LOAD:41348658                 ApiFunc <"SysRegisterRsrcApp", 1, SysRegisterRsrcApp+1>
LOAD:41348658                 ApiFunc <"SysSetLcdHorizontal", 1, SysSetLcdHorizontal+1>
LOAD:41348658                 ApiFunc <"SysIsFeatureEnabled", 1, SysIsFeatureEnabled+1>
LOAD:41348658                 ApiFunc <"SysGetOperatorSWVersion", 1, SysGetOperatorSWVersion+1>
LOAD:41348658                 ApiFunc <"SysGetSamsungSWVersion", 1, SysGetSamsungSWVersion+1>
LOAD:41348658                 ApiFunc <"SysGetHiddenSWVersion", 1, SysGetHiddenSWVersion+1>
LOAD:41348658                 ApiFunc <"SysInitRsrcType", 1, SysInitRsrcType+1>
LOAD:41348658                 ApiFunc <"SysDeInitRsrcTypeDbg", 1, SysDeInitRsrcTypeDbg+1>
LOAD:41348658                 ApiFunc <"SysRsrcTypeInUseDbg", 1, SysRsrcTypeInUseDbg+1>
LOAD:41348658                 ApiFunc <"SysTotalAllocCountRsrcTypeDbg", 1, \
LOAD:41348658                          SysTotalAllocCountRsrcTypeDbg+1>
LOAD:41348658                 ApiFunc <"SysCreateHandleDbg", 1, SysCreateHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysDeleteHandleDbg", 1, SysDeleteHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysDeleteHandleExDbg", 1, SysDeleteHandleExDbg+1>
LOAD:41348658                 ApiFunc <"SysRegisterHandleDbg", 1, SysRegisterHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetHandleByNameDbg", 1, SysGetHandleByNameDbg+1>
LOAD:41348658                 ApiFunc <"SysGetRsrcTypeHeadDbg", 1, SysGetRsrcTypeHeadDbg+1>
LOAD:41348658                 ApiFunc <"SysVerifyRegisteredHandleDbg", 1, \
LOAD:41348658                          SysVerifyRegisteredHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysVerifyUnRegisteredHandleDbg", 1, \
LOAD:41348658                          SysVerifyUnRegisteredHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetHandleNameDbg", 1, SysGetHandleNameDbg+1>
LOAD:41348658                 ApiFunc <"SysGetHandleOwnerTaskDbg", 1, SysGetHandleOwnerTaskDbg+1>
LOAD:41348658                 ApiFunc <"SysSetZombieHandleDbg", 1, SysSetZombieHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysVerifyZombieHandleDbg", 1, SysVerifyZombieHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetInternalHandleDbg", 1, SysGetInternalHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetHeadHandleDbg", 1, SysGetHeadHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetNextHandleDbg", 1, SysGetNextHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysVerifyInternalHandleDbg", 1, \
LOAD:41348658                          SysVerifyInternalHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetUnRegisteredHandleDbg", 1, \
LOAD:41348658                          SysGetUnRegisteredHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetHandleDbg", 1, SysGetHandleDbg+1>
LOAD:41348658                 ApiFunc <"SysGetHandleRefCountDbg", 1, SysGetHandleRefCountDbg+1>
LOAD:41348658                 ApiFunc <"SysSetSysHandleForDeleteDbg", 1, \
LOAD:41348658                          SysSetSysHandleForDeleteDbg+1>
LOAD:41348658                 ApiFunc <"_SysGetAppDebugLevel", 1, _SysGetAppDebugLevel+1>
LOAD:41348658                 ApiFunc <"_SysSetAppDebugLevel", 1, _SysSetAppDebugLevel+1>
LOAD:41348658                 ApiFunc <"SysSetModuleStatus", 1, SysSetModuleStatus+1>
LOAD:41348658                 ApiFunc <"SysGetModuleStatus", 1, SysGetModuleStatus+1>
LOAD:41348658                 ApiFunc <"SysGetSWVersion", 1, SysGetSWVersion+1>
LOAD:41348658                 ApiFunc <"SysSecureDebugPrintf", 1, SysSecureDebugPrintf+1>
LOAD:41348658                 ApiFunc <"SysGetSystemInfo", 1, SysGetSystemInfo+1>
LOAD:41348658                 ApiFunc <"SysSetSystemInfo", 1, SysSetSystemInfo+1>
LOAD:41348658                 ApiFunc <"SysGetBuildInfo", 1, SysGetBuildInfo+1>
LOAD:41348658                 ApiFunc <"SysSetDiagnoseInfo", 1, SysSetDiagnoseInfo+1>
LOAD:41348658                 ApiFunc <"SysGetVersion", 1, SysGetVersion+1>
LOAD:41348658                 ApiFunc <"SysGetModelPetName", 1, SysGetModelPetName+1>
LOAD:41348658                 ApiFunc <"SysSecBootUnlock", 1, sub_40060054>
And exactly this table of pointers can be obtained by calling a simple function:
SysGetInterfaceV2(0x1000001);
As you can see, the table is very easy to parse (already did it in IDA); it's an array of this structure:
Code:
struct ApiFunc
{
    char name[52];   /* exported function name, fixed 52-byte field */
    int  some_bool;  /* 1 for every entry in the listing above; purpose unknown */
    void *ptr;       /* entry point; Thumb functions show up as symbol+1 in IDA */
};

Some classes contain about 600 functions.
Parsing such an array allows calling any of these functions from any bada app; only the pointer to the SysGetInterfaceV2 function has to be known (it differs between bada builds).

General concept:
1) Patch the badakernel function called AppPkgSvcCheckSoIntegrity to always return true. This is easiest to do from FOTA level.
2) Patch some Bada OSP .so file to enter CPU supervisor mode, call SysGetInterfaceV2 and return the list of function pointers.
3) Use the exposed API functions in any bada application to get access straight to, for example, the LCD driver or the TFS4 FileManager.


Advantages:

Allows calling any low-level bada function using the modified API - infinite possibilities.

Disadvantages:

This turns off an important layer of bada security - potential risk of abuse by malware creators.


Any developer wants to continue it? I already spent too much time on analysing bada.

The concept above came from analysis of the Bada 2.0 apps_decompressed.
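Walking an ApiFunc table of the kind shown in the post above, as an added example that is not Rebellos's code: it parses a dumped table in the 60-byte layout he gives (char name[52], int, pointer; 32-bit little-endian ARM assumed) and decodes the Thumb interworking bit that IDA shows as "+1". The sample dump is constructed here, and its addresses are invented except 0x40060054, which the listing gives for SysSecBootUnlock.

```c
/* Added example (not code from the thread): walk a dumped bada ApiFunc table
 * using the layout Rebellos gives, 32-bit little-endian, no padding:
 *   char name[52]; int some_bool; void *ptr;   -> 60 bytes per entry */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define APIFUNC_NAME_LEN 52u
#define APIFUNC_SIZE     60u

typedef struct {
    char     name[APIFUNC_NAME_LEN + 1]; /* NUL-terminated copy of the name */
    uint32_t some_bool;
    uint32_t raw_ptr;  /* pointer exactly as stored in the table */
    uint32_t address;  /* raw_ptr with bit 0 cleared */
    int      thumb;    /* bit 0 set = Thumb entry point (the "+1" in the IDA listing) */
} ApiFuncHost;

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode entry `index` of a raw dump; returns 0, or -1 if it lies past the end. */
int apifunc_parse(const uint8_t *tbl, size_t len, size_t index, ApiFuncHost *out)
{
    if ((index + 1) * APIFUNC_SIZE > len) return -1;
    const uint8_t *e = tbl + index * APIFUNC_SIZE;
    memcpy(out->name, e, APIFUNC_NAME_LEN);   /* a name may use all 52 bytes */
    out->name[APIFUNC_NAME_LEN] = '\0';
    out->some_bool = rd_le32(e + APIFUNC_NAME_LEN);
    out->raw_ptr   = rd_le32(e + APIFUNC_NAME_LEN + 4);
    out->thumb     = (int)(out->raw_ptr & 1u);
    out->address   = out->raw_ptr & ~1u;
    return 0;
}

/* Linear search by exported name; returns the entry index or -1. */
int apifunc_find(const uint8_t *tbl, size_t len, const char *name, ApiFuncHost *out)
{
    for (size_t i = 0; apifunc_parse(tbl, len, i, out) == 0; i++)
        if (strcmp(out->name, name) == 0) return (int)i;
    return -1;
}

/* ---- constructed sample dump; addresses are made up except 0x40060054,
 * which the post shows for SysSecBootUnlock (no "+1": ARM-mode code) ---- */
static void put_entry(uint8_t *d, const char *name, uint32_t flag, uint32_t ptr)
{
    memset(d, 0, APIFUNC_SIZE);
    strncpy((char *)d, name, APIFUNC_NAME_LEN);
    for (int i = 0; i < 4; i++) {
        d[APIFUNC_NAME_LEN + i]     = (uint8_t)(flag >> 8 * i);
        d[APIFUNC_NAME_LEN + 4 + i] = (uint8_t)(ptr  >> 8 * i);
    }
}

#define SAMPLE_LEN (3u * APIFUNC_SIZE)
static void build_sample(uint8_t buf[SAMPLE_LEN])
{
    put_entry(buf,                    "SysDispatch",       1, 0x41300001u);
    put_entry(buf + APIFUNC_SIZE,     "SysGetInterfaceV2", 1, 0x41300101u);
    put_entry(buf + 2 * APIFUNC_SIZE, "SysSecBootUnlock",  1, 0x40060054u);
}

/* Wrappers over the sample dump: address (0 if absent) and mode (-1 if absent). */
uint32_t sample_address(const char *name)
{
    uint8_t buf[SAMPLE_LEN]; ApiFuncHost f; build_sample(buf);
    return apifunc_find(buf, SAMPLE_LEN, name, &f) < 0 ? 0u : f.address;
}
int sample_is_thumb(const char *name)
{
    uint8_t buf[SAMPLE_LEN]; ApiFuncHost f; build_sample(buf);
    return apifunc_find(buf, SAMPLE_LEN, name, &f) < 0 ? -1 : f.thumb;
}

int main(void)
{
    uint8_t buf[SAMPLE_LEN]; ApiFuncHost f; build_sample(buf);
    for (size_t i = 0; apifunc_parse(buf, SAMPLE_LEN, i, &f) == 0; i++)
        printf("%-20s flag=%u %s 0x%08x\n", f.name, f.some_bool,
               f.thumb ? "thumb" : "arm", f.address);
    return 0;
}
```

The parser reads the dump byte by byte instead of casting to the struct, so it gives the same result on a 64-bit host where `void *` would be 8 bytes.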
 

larioteo

Senior Member
You're for real the bada messiah. I love your work man.

I would like to, but I don't understand this; I hope someone can make a real root from it to make bada more open to us developers and to offer us more possibilities.

Thanks man.
 

lasentenza

Senior Member
Would be a great achievement!!
Thanks for sharing, I wish someone will continue your work ;)
 

mylove90

Senior Member
Hey Rebellos
Can you reverse engineer Broker.exe ???
I understood a huge thing today
The Broker.exe is not just an installer for the app...it has written in it what is developed by it
So every developer has a different Broker.exe
If you can remove the check of "if this app is developed using this Broker" then we get a complete jailbreak (not so complete due to the badaAIK one-app limitation, but an interesting thing though ;))
I hope you will look into it
I attached badaAIK with my Broker with a test app called FilGoal

Best Regards
 


Tigrouzen

Senior Member
mylove90 said:
> Hey Rebellos
> Can you reverse engineer Broker.exe ???
> I understood a huge thing today
> The Broker.exe is not just an installer for the app...it has written in it what is developed by it
> So every developer has a different Broker.exe
> If you can remove the check of "if this app is developed using this Broker" then we get a complete jailbreak (not so complete due to the badaAIK one-app limitation, but an interesting thing though ;))
> I hope you will look into it
> I attached badaAIK with my Broker with a test app called FilGoal
>
> Best Regards

Also mylove90, there are two different compressions for binary applications in Bada; some can be opened with a zip program like 7zip.

 

adfree

Senior Member
:confused:

Broker.exe contains a Filemanager like sTune to copy files to the handset...
Then sends a Command to the handset to install/activate the App... can be sniffed or taken from apps_c...

Also Broker can log... like WinComm

But I hope Broker is NOT for cracking...

Maybe what you mean is calling signed... So RSA 1024... PKI... Certificates...

Btw.
Again... JB6 is COMPLETELY unsecured...
http://xdaforums.com/showthread.php?t=912728

Find a way to flash this Bootloader, all Security is nuked. :)

Best Regards
 

mylove90

Senior Member
:eek:
I was just trying to push this thread and I jumped to this conclusion after a small trivial test
> Then sends a Command to the handset to install/activate the App... can be sniffed or taken from apps_c...
It would be good to know that command
> Maybe what you mean is calling signed... So RSA 1024... PKI... Certificates...
Is it possible to disable this from the installer itself and not the phone :confused:
> Btw.
> Again... JB6 is COMPLETELY unsecured...
> Find a way to flash this Bootloader, all Security is nuked. :)
Oh this is so hard for me :(

Best Regards
 

Rebellos

Senior Recognized Developer
mylove90 said:
> Hey Rebellos
> Can you reverse engineer Broker.exe ???
> I understood a huge thing today
> The Broker.exe is not just an installer for the app...it has written in it what is developed by it
> So every developer has a different Broker.exe
> If you can remove the check of "if this app is developed using this Broker" then we get a complete jailbreak (not so complete due to the badaAIK one-app limitation, but an interesting thing though ;))
> I hope you will look into it
> I attached badaAIK with my Broker with a test app called FilGoal
>
> Best Regards

Please bring me a few different Broker.exe binaries, for different developers, if that's possible.


The application install command is "AppPkgInstall"; its syntax is "AppPkgInstall <AppPath>" (AppPath usually starts with "/Mount/Mmc/Others/__@@bada_applications@@__"; you can find this directory on bada's SD card, I do believe).
Also in Broker I see commands like "GetAppInstallCondition", "TerminateProcessEx", "EnableDiagWrite", "UseDrmWrite <type>" (type = "flashapp" or "webapp").

Broker seems to look for USB devices named:
SAMSUNG Mobile Modem V2
SAMSUNG USB Mobile Modem
SAMSUNG Mobile USB Modem
SAMSUNG Mobile Modem Diagnostic Serial Port V2
SAMSUNG USB Mobile Logging
SAMSUNG Mobile USB Serial Port

List of models supported by Broker:
GT-S8500
GT-S7230E
GT-S8530
GT-S7250
GT-S8600
 

mylove90

Senior Member
Feb 27, 2011
1,081
749
33
Cairo
Sorry Rebellos
I did a hash check on Broker from larioteo and found out that both files are identical :eek:
Also I figured out that larioteo uses an old Broker file with Voluntas due to the old beta FW
My advice is to look in the dll files (FastTkFileLib.dll & argtable2.dll) because according to larioteo Broker is nothing without them

Best Regards

I attached Broker from SDK 1.2.1 because it is different
 


adfree

Senior Member
The reason for different Broker.exe and corresponding files... depends on SDK Version...
GT-S8500
GT-S7230E
GT-S8530
GT-S7250
GT-S8600

S8500 has been supported since the oldest SDK... but maybe for the others... little bada handsets etc. there are sometimes minor differences in the Transfer protocol...

Simplest example... sTune for bada 1.x and bada 2.x :)

Best Regards
 

Rebellos

Senior Recognized Developer
A question - do you need to be connected to the internet at any time during creating and testing an application? I mean - can you just develop an app from scratch using the bada SDK and run it on your device without a net connection?
 

mylove90

Senior Member
Tested working totally offline (Wave+PC)
Bada 1.2.1
Simulator : works fine
Target : got manifest check error

Bada 2.0.2
Emulator : App starts and closes after showing the splash screen
Target : App starts and closes after showing the splash screen

I thought that my app didn't work on Wave because it needed an internet connection but I was wrong...it also closed after connecting to the Wifi
I understand some stuff from this:
1. Emulator=Target in case of 2.0.2 (but a bit slower)
2. Simulator of 1.2.1 had no security at all because it uses x86 architecture (useless builds of the app that can't be used on a real device)
3. Manifest has a secret key that connects it to a server for the check before running on a real device

Best Regards
 


mylove90

Senior Member
hmmmmmmm
then why didn't the app work at all on the 2.0.w SDK !!!!
the app works under regular conditions but when I am offline it shows the splash screen then exits !!!!
there must be something that is done online
maybe in the compiler itself !!!
who knows?!

Best Regards
 

Qron

Senior Member
SASiO said that he will not release his app (at least not in the near future).
+ actually, there is no evidence that his app isn't just another fake.
 

Qron

Senior Member
I didn't say it's certainly fake...
We just already had Androbada (not talking about Badadroid), an N64 emulator and now this.
 

Rebellos

Senior Recognized Developer
I'd rather keep my distance from things posted on a forum owned by a thief and crook.

Back on topic - if I get it right - without an internet connection it isn't possible to run the application even on the emulator, and the same result is obtained on the device, while with an internet connection it does work.
Is an internet connection mandatory DURING starting the application on the device? Or only during loading it onto the device? Or did I get something wrong?

Asking mainly out of curiosity. Again I'm stating I'm not the one to implement that.
 
