
Droid Bionic wireless tether reverse engineering

vmspionage
#1
Junior Member - OP

This thread is intended to discuss technical details of the Droid Bionic's wireless tethering system. Please keep all posts on topic.

Here's what has been discovered so far:
  • The "Mobile Hotspot" lockout can be disabled by setting entitlement_check=0 in the settings storage database com.motorola.android.providers.settings. This is thoroughly discussed in other threads.
  • While tethering, your phone will disconnect and reconnect to the network using alternate credentials containing your IMSI. These credentials appear to originate from the SIM card. The previous RadioComm NAI method does not work with the new LTE chipset.
  • The web service used by the entitlement check appears hard-coded in VzwEntitlementService.odex. It is located at: https://quickaccess.verizonwireless....e/service?WSDL
  • The "Mobile Hotspot" icon isn't a stand-alone application, it's just a link to the settings page (Settings > Wireless & Networks > Tethering & Mobile Hotspot > Mobile Hotspot settings)

Please feel free to share your observations!
 
K.AuthoR
#2
Senior Member
Quote:
Originally Posted by vmspionage View Post
  • While tethering, your phone will disconnect and reconnect to the network using alternate credentials containing your IMSI. These credentials appear to originate from the SIM card. The previous RadioComm NAI method does not work with the new LTE chipset.
I'm curious, since this is the case, I would assume that using this they can actually verify who is paying for tethering and who isn't by comparing these connections to who is actually paying for the service. I know the phone hasn't been out long enough for this to be tested very much, but any off chance that someone's billing cycle has reset or can tell if they can track it or not?
 
vmspionage
(Last edited by vmspionage; 13th September 2011 at 09:32 PM.)
#3
Junior Member - OP
\system\etc\apns-conf.xml
Code:
    <!-- BEGIN Motorola, a13803, 07/10/2010, IKHALFMWK-87: Modify Apn database for VZW LTE support -->
    <!-- BEGIN Motorola, btm478, 12/02/2010, IKHALFMWK-117:Change Inactivity Timer to 24 hrs  -->
    <apn carrier="Verizon Internet"
        mcc="310"
        mnc="004"
        apn="VZWINTERNET"
        mmsc="http://mms.vtext.com/servlets/mms"
        type="default,mms,dun"
        inactivetimer="1440"
        enabled="true"
        iptype="IPv6v4"
        class="3"
    />
\system\etc\motorola\com.motorola.android.dm.service\databases\dmAccounts.xml
Code:
<list>
        <string>__overwrite_all__</string>
        <map>
                <string name='AccName'>VzWDMServer</string>
                <string name='UserName'>xxxxxxxxxxxx</string>
                <string name='ServerPW'>0000000000000000</string>
                <string name='AuthPref'>DIGEST</string>
                <string name='ClientNonce'>123abc</string>
                <string name='AddrType'>1</string>
                <string name='ServerID'>com.vzwdmserver</string>
                <string name='Addr'>https://4g.vzwdm.com/</string>
                <string name='ClientPW'>xxxxxxxxxxxx</string>
                <string name='ServerNonce'>abc123</string>
                <string name='ConRef'/>
                <string name='Name'>VzWDMServer</string>
                <string name='PortNbr'>443</string>
        </map>
</list>


---------- Post added at 08:13 PM ---------- Previous post was at 08:09 PM ----------

Quote:
Originally Posted by K.AuthoR View Post
I'm curious, since this is the case, I would assume that using this they can actually verify who is paying for tethering and who isn't by comparing these connections to who is actually paying for the service. I know the phone hasn't been out long enough for this to be tested very much, but any off chance that someone's billing cycle has reset or can tell if they can track it or not?
Yes. If you don't subscribe to tethering then you should never be using that authentication method and your usage for that account should be zero. It would be trivial for them to figure out who is tethering based on the usage logs and feature list alone.

In fact, I've seen evidence (but haven't verified) that if you subscribe to tethering those data bytes will show up as a separate "Tethering Usage" line item in the "My Verizon" app on the data details screen... it's just hidden for everyone else.
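Added example, not part of the original posts: the cross-check described in the reply above (usage under the tethering credential compared against each subscriber's feature list), run over constructed records. The CSV layout, the credential labels and the "tether" feature name are assumptions; the IMSIs are made up from the MCC/MNC shown in the APN entry.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: the record layout, credential labels and the
# "tether" feature name are assumptions, not a real carrier log format.
SESSIONS_CSV = """imsi,credential,bytes
310004000000001,default,52428800
310004000000001,tether,7340032
310004000000002,default,10485760
310004000000002,tether,0
310004000000003,tether,2097152
310004000000003,tether,1048576
310004000000004,tether,4096
"""

# Constructed feature list: IMSI -> set of subscribed features.
FEATURES = {
    "310004000000001": {"data", "tether"},
    "310004000000002": {"data"},
    "310004000000003": {"data"},
}

def tether_usage_by_imsi(sessions_csv):
    """Sum the bytes carried under the tethering credential, per IMSI."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(sessions_csv)):
        if row["credential"].strip().lower() == "tether":
            totals[row["imsi"].strip()] += int(row["bytes"])
    return dict(totals)

def find_unentitled_tethering(sessions_csv, features, min_bytes=1):
    """Return (imsi, bytes, reason) for tether usage without the feature."""
    findings = []
    for imsi, used in sorted(tether_usage_by_imsi(sessions_csv).items()):
        if used < min_bytes:
            continue  # zero-byte sessions are not usage
        subscribed = features.get(imsi)
        if subscribed is None:
            # Usage from an IMSI missing from the feature list is reported
            # separately rather than silently treated as unentitled.
            findings.append((imsi, used, "unknown-subscriber"))
        elif "tether" not in subscribed:
            findings.append((imsi, used, "no-tether-feature"))
    return findings

if __name__ == "__main__":
    for imsi, used, reason in find_unentitled_tethering(SESSIONS_CSV, FEATURES):
        print(f"{imsi}  {used:>10} bytes  {reason}")
```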
 
K.AuthoR
#4
Senior Member
Well **** me then, I did that hack and tethered for about 10 minutes between class today. If it shows up on my bill (probably will at this point) I can probably get them to drop it if I bitch enough since usually VZ is flexible if it's a one-time offense.
 
Mustang02
#5
Senior Member
Quote:
Originally Posted by K.AuthoR View Post
Well **** me then, I did that hack and tethered for about 10 minutes between class today. If it shows up on my bill (probably will at this point) I can probably get them to drop it if I bitch enough since usually VZ is flexible if it's a one-time offense.
You are going to bitch at them for you trying to illegally tether? Man up and just pay it.
 
K.AuthoR
#6
Senior Member
I'm probably provoking an already-beaten-to-death argument by saying this, but I believe that in my payment for data, I should be allowed to use it how I want. I seriously doubt they'll come after me for a couple of megabytes anyway, if it's not excessive then I'll just take it as a good omen and continue on with my lesson learned.

I'll stop derailing the thread now, but I'll still be interested to learn what's going on on the inside.
 
Mustang02
#7
Senior Member
Quote:
Originally Posted by K.AuthoR View Post
I'm probably provoking an already-beaten-to-death argument by saying this, but I believe that in my payment for data, I should be allowed to use it how I want. I seriously doubt they'll come after me for a couple of megabytes anyway, if it's not excessive then I'll just take it as a good omen and continue on with my lesson learned.

I'll stop derailing the thread now, but I'll still be interested to learn what's going on on the inside.
Tethering wasn't the point, bitching to have them remove the cost of you tethering was. I'm all for tethering but if I do it and get charged, I pay the piper. My mistake not theirs, unlike that stupid $1.99 mysterious data fee we used to get.
 
nemanracing
#8
Member
Quote:
Originally Posted by Mustang02 View Post
My mistake not theirs, unlike that stupid $1.99 mysterious data fee we used to get.
That was prob a bad rep adding ringback tone or the like.....
Moto Photon 4G/HTC Thunderbolt Das BAMF Forever 1.0.5
History:Fascinate,Moto Droid,XV6875 WM6.5,XV6850 WM6.5,Sprint 6850 WM6.5 on VZW,XV6850 WM6.1/Telus Radio,VZW Omnia,XV6900 WM6.1/GPS/RevA,XV6800 WM6.1/GPS/RevA,XV6700 WM6,Samsung i760,Moto Q9m,Moto Q,XV6700,VZW Treo 700WX,Treo 700W,Samsung i730,XV6600,Treo 650,Treo 600,Kyocera 7135
 
elislurry
#9
Senior Member
What do these posts have to do with the thread? Take your arguments to the general section.
No trees were destroyed in the sending of this message though a significant number of electrons were terribly inconvenienced.
================================================== ===

Verizon Galaxy S4 GPE
 
Brenardo
(Last edited by Brenardo; 14th September 2011 at 11:28 PM.)
#10
Senior Member
I am quite confused as to how tethering on the Thunderbolt is "undetectable" and the Bionic is easily traced.

I have been running DroidTheory's shiftAOSP under the presumption that tethering is untrackable. I assumed this because it was implied. Was I misinformed about tethering and what makes the Bionic different? Different chipset?

And just to be clear the wired tethering options available aren't as easily traceable or untraceable?
