Post Reply

Carrier IQ Profile collection for EFF

OP TrevE

21st December 2011, 10:52 PM   |  #1  
OP Retired Recognized Developer
Thanks Meter: 3,657
 
2,031 posts
Join Date:Joined: Apr 2007
Donate to Me
Hey guys, an EFF volunteer - Jered Wierzbicki - has created an application called IQIQ to decode Carrier IQ profiles back to XML. Their public git repo is in the above linked article. In a nutshell, Profiles contain what data is sent back at what interval and to where.

We are now able to see sets of metrics called from phones. The problem is right now we only have default profiles. The EFF is looking to collect as many profiles from as many different devices as possible trying to find real metrics.


Github Proof of concept code for a "profile scraper": https://github.com/TrevE/IQTool
(right now it scans, but only works for automatic sending of archive.img from tmobile, but it should be for root or non root)
If you can contribute go for it! It would help to have a "one click profile sender" out there for everyone.




Possible Methods

FINDING .PRO FILES
We are not too sure yet where updated profiles get stored, so for the time being root users can run the following to search out all .pro files on your disk.

Code:
adb shell busybox find / -iname "*.pro"
It will likely be some sort of IQProfile.pro, CIQProfile.pro, defaultprofile.pro. Once you locate it just:

Code:
adb pull /full/path/to/profile.pro .
Other strategies, such as grepping for a characteristic string like " CONSTANT " across the whole filesystem, might also turn out to be useful. Use this thread to experiment with and improve such techniques!


Waiters suggests a command reference:
Quote:
Originally Posted by waiters

maybe something like this (which could take hours to run...)

Code:
grep -r "CONSTANT PROPID" /





Getting archive.img from non-embedded CIQ
We don't yet know if all profiles will be .pro files, or if they'll sometimes be embedded inside of other things. If you are on tmobile the profile information is potentially contained in an archive.img file. The file could be world readable, so you might not even need to be rooted.


WARNING ABOUT ARCHIVE.IMG FORMATS:
Please be warned that sensitive data could be in this archive.img file such as URLs, IMEI, SMS metadata, etc.. EFF will always do its best to keep archive.img files confidential, but please DO NOT send them if there may be any private information on the handset you are working with

Example of where Tmobiles CIQ archive is:
Code:
adb pull /data/data/com.carrieriq.tmobile/app_iq_archive/archive.img .



KNOWN STOCK MD5SUMS
Were really trying to find some new profiles containing the pushed metrics, so to check if you are looking at a "stock" profile or not (this only applies to if you find a .pro file)

Code:
adb shell busybox md5sum /path/to/profile.pro
If it matches one of these md5sums (number on the left) it is likely a known "stock" profile.
Code:
e37a4a8e3ea6d6aa4b7423a462541fa9  att-galaxy-s2-defaultProfile.pro
2618eaa2e3310ec36e1b86f8b643c5fa  htc-amaze-tmob-defaultProfile.pro
a6886135d2d1ea423d4edde389fe1794  htc-evo-sprint-iqprofile.pro
2618eaa2e3310ec36e1b86f8b643c5fa  tmob-defaultProfile.pro

SUBMITTING PROFILES

If you would like to submit your profile or archive.img to EFF so CarrierIQ metrics on what operator can be better understood, please send that data off to iqiq@eff.org . It would be very helpful to them to include phone model and network it was pulled from as well.
Thanks for all your help guys!
Last edited by TrevE; 23rd December 2011 at 02:07 AM.
The Following 9 Users Say Thank You to TrevE For This Useful Post: [ View ]
21st December 2011, 11:16 PM   |  #2  
azrienoch's Avatar
Senior Member
Flag New Orleans, LA
Thanks Meter: 113
 
126 posts
Join Date:Joined: Aug 2010
Donate to Me
Portal article coming up. Thanks TrevE, and Jered and the EFF. We really appreciate everything you do.
The Following 2 Users Say Thank You to azrienoch For This Useful Post: [ View ]
22nd December 2011, 01:04 AM   |  #3  
tommytomatoe's Avatar
Recognized Developer
Flag Knoxville USA
Thanks Meter: 6,821
 
6,256 posts
Join Date:Joined: Dec 2010
Donate to Me
More
Woot woot! Keep up the good work Treve!
22nd December 2011, 01:16 AM   |  #4  
guitardoc64's Avatar
Senior Member
Flag Lake Charles,LA
Thanks Meter: 348
 
1,633 posts
Join Date:Joined: Sep 2007
Donate to Me
More
Thanks again TrevE!! I have some friends with OG EVOS that are stock that can help and a buddy on ATT with an Atrix. I'll get them involved if possible. It's great to see them collecting evidence.
22nd December 2011, 01:37 AM   |  #5  
Any other names?
Code:
adam@Adam-Desktop:~/IQIQ$ adb shell
/ # busybox find / -iname "*.pro"
/data/data/pl.aygorund.littlepiano.pro
/ #
I'm sure "little piano" which was free on amazon 2 days ago is not Carrier IQ related.
Note:This is an AT&T Infuse 4G with a 4 month old custom kernel.
Last edited by AdamOutler; 22nd December 2011 at 01:39 AM.
22nd December 2011, 01:49 AM   |  #6  
Senior Member
Thanks Meter: 196
 
925 posts
Join Date:Joined: Nov 2011
maybe something like this (which could take hours to run...)

Code:
grep -r "CONSTANT PROPID" /
The Following 2 Users Say Thank You to waiters For This Useful Post: [ View ]
22nd December 2011, 05:39 AM   |  #7  
Orical's Avatar
Senior Member
Flag Boston
Thanks Meter: 728
 
2,166 posts
Join Date:Joined: May 2011
Donate to Me
More
I'm just glad it's out in the open, there's enough crap in the world to have to worry about, if your banking from your phone (no chance I would have in the first place but) there's a real threat and a legit reason to go in personally to change all of your accounts and who in the world has had all pass access to look at it for how long.

Thanks for the post man, this is that great eye opener that needed to happen I just hope nothing happens to anyone because of Carrier IQ. It's good to see there are others that are taking this seriously.
22nd December 2011, 02:25 PM   |  #8  
Senior Member
Thanks Meter: 19
 
114 posts
Join Date:Joined: Dec 2011
Will root explorer find this for us?
22nd December 2011, 03:39 PM   |  #9  
sgt. slaughter's Avatar
Retired Forum Moderator
Flag Raleigh
Thanks Meter: 2,921
 
5,635 posts
Join Date:Joined: Jun 2010
More
tried this on my sprint evo3d and got a odd response...

when I go into adb shell and type: busybox find / -iname "*.pro"
I get the following:
/system/etc/iqprofile.pro
find: /data/DxDrm/fuse: Permission denied

Thought this was odd since im fully rooted s-off here and would be denied access to something, no? The first few times I did it straight from the comand line and that resulted in only outputting the "...permission denied" line shown above. When I did "adb shell" first by itself and then did the second part of the command it gave me the iqprofile.pro....

any thoughts?
22nd December 2011, 04:25 PM   |  #10  
Member
Flag Manchester
Thanks Meter: 9
 
78 posts
Join Date:Joined: Jan 2010
More
Quote:
Originally Posted by sgt. slaughter

tried this on my sprint evo3d and got a odd response...

when I go into adb shell and type: busybox find / -iname "*.pro"
I get the following:
/system/etc/iqprofile.pro
find: /data/DxDrm/fuse: Permission denied

Thought this was odd since im fully rooted s-off here and would be denied access to something, no? The first few times I did it straight from the comand line and that resulted in only outputting the "...permission denied" line shown above. When I did "adb shell" first by itself and then did the second part of the command it gave me the iqprofile.pro....

any thoughts?

I had to go into a shell, do the su command to gain root, and THEN do the search.

Post Reply Subscribe to Thread

Tags
carrier iq profiles, eff, iqiq
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Top Threads in Android General by ThreadRank