About VZW Remote Diagnostics/AetherPal


substanceD

Member
Aug 24, 2009
48
50
I've been doing some research into Verizon's new remote diagnostic app, so I'll share my findings here. The app in question is Aetherpal.apk, which is located in /system/app/ in the FP1 update for the Droid Charge. When the phone boots up, this app establishes a connection with AetherPal's server to establish a secure session, and though it's hard to tell exactly how this happens by reading the smali code, it appears to use a combination of AES (symmetric encryption) and cipher block chaining (each section of the message is passed through a block cipher) for encryption.

After establishing a session, the app idles until it receives either a special SMS message or a packet over HTTPS, which can instruct it to perform a variety of functions. I'm still investigating what these are, but some of the status codes are for starting streaming, pausing streaming, and initiating remote control. The application logs the actions taken in the course of the session, and there is some sort of a user interface that shows the user what the remote operator is currently doing with the phone in real time. The log is sent back to Verizon's AetherPal service running on AetherPal's servers, where presumably Verizon representatives can access it.

Here is a nice diagram that AetherPal has made concerning their service: http://aetherpal.com/architecture.html.

Well, that's it for now, but I'm going to continue investigating in more detail. In particular, I'm interested in how exactly the handshake happens during initialization, what information is logged (anything potentially sensitive?), and how much control remote operators have over the device. It would be good to confirm that some action is needed on the user's part to allow a remote operator to start controlling the device.
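The post above says the session "appears to use a combination of AES and cipher block chaining". The following is an added example (written for this thread, not code from the AetherPal app or from the original poster) showing what AES-CBC does and does not give you: with a fresh random IV, two encryptions of the same command look unrelated, but CBC alone does nothing to stop a ciphertext from being altered in transit, since flipping one bit of the IV flips the same bit of the first plaintext block and the decryptor cannot tell. That is the caveat worth keeping in mind when a vendor describes a "secure session" without mentioning a MAC or an AEAD mode. The key, the message, the IV-prefix layout and the PKCS#7 padding are all assumptions for the demo, not anything known about the real protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// pkcs7Pad pads msg to a whole number of 16-byte AES blocks (assumed scheme).
func pkcs7Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailers.
func pkcs7Unpad(msg []byte) ([]byte, error) {
	if len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad length %d", len(msg))
	}
	n := int(msg[len(msg)-1])
	if n == 0 || n > aes.BlockSize || n > len(msg) {
		return nil, fmt.Errorf("bad padding byte %d", n)
	}
	for _, b := range msg[len(msg)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("inconsistent padding")
		}
	}
	return msg[:len(msg)-n], nil
}

// EncryptCBC returns iv || ciphertext. Each plaintext block is XORed with the
// previous ciphertext block (the IV for the first one) before AES, which is
// the "chaining" in CBC; a random IV per message hides repeated prefixes.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCBC reverses EncryptCBC. It has no way to detect a modified
// ciphertext unless the padding happens to break: CBC gives confidentiality,
// not integrity.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext too short or unaligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// FlipBit returns a copy of data with one bit toggled. Toggling a bit in the
// IV (bytes 0..15) toggles the same bit of plaintext block 1 and nothing else,
// which is the CBC malleability property the demo illustrates.
func FlipBit(data []byte, byteIdx int, bit uint) []byte {
	out := append([]byte{}, data...)
	out[byteIdx] ^= byte(1) << bit
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 demo key
	msg := []byte("STATUS=0 STREAM=OFF")              // constructed command text
	ct, _ := EncryptCBC(key, msg)
	ct2, _ := EncryptCBC(key, msg)
	fmt.Printf("same message, same key, ciphertexts differ: %v\n", !bytes.Equal(ct, ct2))
	pt, err := DecryptCBC(key, FlipBit(ct, 7, 0)) // IV byte 7 -> plaintext byte 7
	fmt.Printf("original: %s\ntampered: %s (err=%v)\n", msg, pt, err)
}
```

Running it shows the two encryptions of the identical command differing, and the tampered ciphertext decrypting cleanly to a different status value. A session that wants to be called secure therefore needs an integrity check over the ciphertext (HMAC, or an AEAD mode such as AES-GCM) in addition to CBC encryption.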
 

44BSD

Member
Oct 13, 2012
7
0
I don't have anything with aetherpal anywhere. I also deleted all the remote diagnostic stuff with titanium. Wonder if that has anything to do with it.

More info on Aetherpal:

www.google.com/patents/US20120254762

www.w2bi.com

aetherpal.com

Strings from Aetherpal.apk :

Does verizon actually use this to help customers?
 

Attachments

  • Aetherpal.txt (173.5 KB)

Antoneus1231

Senior Member
May 27, 2012
189
71
Thanks for bringing this to our attention. I hope your findings can tell us if vzw can tell if we are rooted through this "feature". It could possibly void a bunch of warranties.

However, if a device is stolen then I can see some benefits to it.

. :: TSM Tweaked 3.2 . EXT4 . Lazarus 1225 . ADW EX . Vanilla Bean :: .
 

44BSD

Member
Oct 13, 2012
7
0

lines 3436-3437:

'VZW_DEVICE_NOT_ROOTED',
'VZW_DEVICE_ROOTED'
 

Antoneus1231

Senior Member
May 27, 2012
189
71
Oh shoot. That isn't good is it...

Is that something that is transferred as it establishes a connection as you described or just a command that is available?

Can this be resolved by hiding root w an app?

. :: TSM Tweaked 3.2 . EXT4 . Lazarus 1225 . ADW EX . Vanilla Bean :: .
 

shrike1978

Senior Member
Jun 28, 2011
3,577
3,077
Atlanta, GA
I have had the automated system ask me for permission to allow a technician to remotely connect to my phone when I've called in a few times and denied it, and they never said another word about it once they were on the phone. My assumption is that there are some pretty strict privacy policies in place for it after all the fallout from the keylogger that other providers had been using.

To put it all in perspective though, I sent a Rezound in for a warranty exchange that was S-OFF and running CM9 and they never said a word about it.
 

THEbigSWEEN

Senior Member
Mar 5, 2012
692
386

Was that a Verizon, manufacturer, or third party warranty? Because I've heard of people sending their phones in to Samsung and having it rooted with no issues but if it's a warranty or repair through Verizon then they will cry voided warranty. Big surprise there. Luckily I've yet to have to send a phone in :knock on wood: and I froze sysscope with TiBu on my Charge just in case.

Side note: warranty is one of those words that the more you say it, the more it doesn't sound right :silly:
 

shrike1978

Senior Member
Jun 28, 2011
3,577
3,077
Atlanta, GA
Straight through Verizon. I have the extra insurance, but I've never used it. I did replace my Charge twice and I've had to replace my Rezound three times. All of it from hardware issues, and most of it from poor QA on Verizon's CLNR program.
 

Ogretowman

New member
Dec 7, 2023
3
0
So the way I found Aetherpal (see my 07DEC2023 post / LG thinq8x) was that when you boot up the phone, for a fraction of a second on the home screen, this flashes: "Developer warning for package 'net.aetherpal.device' failed to post notification on channel 'null' see log for more details". It seems that it's concealing itself from being noticed; I just happened to have the option in Developer options for notifications on apps not leaving notifications. It really seems that the potential for serious mischief is obvious. All my accounts have been compromised and this is a serious headache. Any thoughts would be greatly appreciated.
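The warning quoted above is the kind of thing that is easier to catch in a logcat capture than on screen, since it only flashes for a moment. Below is an added example (not from the poster, not from AetherPal or LG) that scans logcat-style lines for that "Developer warning for package ... failed to post notification on channel ..." message and summarises which packages triggered it, how often, and when first seen. The log lines are constructed for the demo: only the quoted warning text matches the thread, and the timestamps, PIDs, tag names and the other package name are invented. The regex assumes the warning text appears in the log exactly as the toast shows it, which is an assumption to verify against a real capture.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLog is constructed for this example in logcat "threadtime" layout
// (date time PID TID level tag: message). Only the warning text itself
// mirrors what was reported in the thread.
var sampleLog = `
12-07 08:01:02.115  1234  1250 I ActivityManager: Start proc 4321:net.aetherpal.device/u0a77 for broadcast
12-07 08:01:02.990  1234  1270 W NotificationService: Developer warning for package "net.aetherpal.device" failed to post notification on channel "null" see log for more details
12-07 08:01:03.004  1234  1270 W NotificationService: Developer warning for package "net.aetherpal.device" failed to post notification on channel "null" see log for more details
12-07 08:01:05.300  1234  1270 W NotificationService: Developer warning for package "com.example.flashlight" failed to post notification on channel "null" see log for more details
12-07 08:01:06.000  5555  5555 D SomeApp: nothing interesting
`

// devWarning captures the package and channel from the developer warning text.
var devWarning = regexp.MustCompile(
	`Developer warning for package "([^"]+)" failed to post notification on channel "([^"]*)"`)

// Finding is one (package, channel) pair that produced the warning.
type Finding struct {
	Package   string
	Channel   string
	Count     int
	FirstSeen string // "MM-DD HH:MM:SS.mmm" from the first matching line
}

// ScanNotificationWarnings walks the log once, aggregates warnings per
// package/channel and returns them most-frequent first (ties by package name)
// so the output is deterministic for review or for a test.
func ScanNotificationWarnings(log string) []Finding {
	byKey := map[string]*Finding{}
	for _, line := range strings.Split(log, "\n") {
		m := devWarning.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		key := m[1] + "\x00" + m[2]
		f, ok := byKey[key]
		if !ok {
			ts := ""
			if fields := strings.Fields(line); len(fields) >= 2 {
				ts = fields[0] + " " + fields[1]
			}
			f = &Finding{Package: m[1], Channel: m[2], FirstSeen: ts}
			byKey[key] = f
		}
		f.Count++
	}
	out := make([]Finding, 0, len(byKey))
	for _, f := range byKey {
		out = append(out, *f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Count != out[j].Count {
			return out[i].Count > out[j].Count
		}
		return out[i].Package < out[j].Package
	})
	return out
}

func main() {
	for _, f := range ScanNotificationWarnings(sampleLog) {
		fmt.Printf("%-28s channel=%q count=%d first=%s\n", f.Package, f.Channel, f.Count, f.FirstSeen)
	}
}
```

To use it on a real device you would feed the output of `adb logcat -d` (or a saved bugreport) into ScanNotificationWarnings instead of sampleLog; a package that repeatedly tries to post on a null channel at boot, and that you did not install yourself, is a reasonable candidate for a closer look with `adb shell pm path <package>` and `adb shell dumpsys package <package>`.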
 
