Possible backdoor loader?

OP worldestroyer
26th October 2008, 04:34 PM   |  #1
OP Member, Boston
Thanks Meter: 5
60 posts
Joined: Oct 2008
Using Anycut, select Activity, and in there choose "Device info". This tells you all the build related info, and on the bottom there is a way to check for new builds depending on your "build type". Maybe if using the wifi IP settings forced it through a proxy, where we would sniff the request. Possibly see if there are builds (beta?) we could load, or redirect it to a custom build?
26th October 2008, 09:28 PM   |  #2
Senior Member, Marietta, GA
Thanks Meter: 115
512 posts
Joined: May 2007
Quote:
Originally Posted by worldestroyer

Using Anycut, select Activity, and in there choose "Device info". This tells you all the build related info, and on the bottom there is a way to check for new builds depending on your "build type". Maybe if using the wifi IP settings forced it through a proxy, where we would sniff the request. Possibly see if there are builds (beta?) we could load, or redirect it to a custom build?

Great find
27th October 2008, 09:42 AM   |  #3
Retired Moderator
Thanks Meter: 10
1,271 posts
Joined: Mar 2008
We should start a list... I will even keep all the data in a spreadsheet if everyone can give me all the info

Build Description
Build ID
Build Date
Build Type
Build User
Build Host
Linux Kernel version
Baseband Version
RIL Impl version
Android ID
Last edited by neoobs; 28th October 2008 at 01:36 AM.
27th October 2008, 10:58 PM   |  #4
Senior Member
Thanks Meter: 41
144 posts
Joined: Oct 2008
G1 back door updater
I have a G1 without the update... I also have adb shell access to it and successfully ran bash and busybox on it. I know where all the partitions are in the filesystem (mtdblock1-5) and where the kernel resides (boot is mtdblock2).

When the upgrade comes out, I will sniff the packets and let you guys know (and possibly even put the upgrade file up for download somewhere).

Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)
28th October 2008, 01:38 AM   |  #5
Retired Moderator
Thanks Meter: 10
1,271 posts
Joined: Mar 2008
Quote:
Originally Posted by damien667

I have a G1 without the update... I also have adb shell access to it and successfully ran bash and busybox on it. I know where all the partitions are in the filesystem (mtdblock1-5) and where the kernel resides (boot is mtdblock2).

When the upgrade comes out, I will sniff the packets and let you guys know (and possibly even put the upgrade file up for download somewhere).

Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)

The upgrade will download at various times... it will ask you to update after it has downloaded.

BTW I added two fields I forgot. Build Host (I am wondering if this is different for some and that is how they get updates) and Android ID (also wondering if this has to do with updates.)

Here is my info
Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Build Host
undroid13.corp.google.com
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)
Android ID
200145da5528c72d
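The posts above paste build info as a label line followed by one or more value lines, which is awkward to compare across devices by eye. The script below is an added example (not code from the thread) that parses a block in that layout into a dictionary and runs the integrity checks a defender would actually care about: that the build description carries release-keys rather than test-keys, that the build type is the shipping "user" variant rather than userdebug/eng, and that the Android ID is a 64-bit hex value. SAMPLE_BLOCK is constructed from the values quoted in posts #4 and #5; the field list and check thresholds are this example's own assumptions.

```python
"""Parse the label/value build-info blocks pasted in this thread and run a
few integrity checks on the result.

Added example, not code from the thread.  SAMPLE_BLOCK is constructed
from the values quoted in posts #4 and #5."""

# Fields the thread asks members to report (post #3 plus the two added in
# post #5), in the order they appear in the pasted blocks.
LABELS = [
    "Build Description", "Build ID", "Build Date", "Build Type",
    "Build User", "Build Host", "Linux Kernel version",
    "Baseband Version", "RIL Impl version", "Android ID",
]

SAMPLE_BLOCK = """\
Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Build Host
undroid13.corp.google.com
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)
Android ID
200145da5528c72d
"""


def parse_build_info(text):
    """Return {label: value}.  A value is every non-empty line between one
    known label and the next; multi-line values are joined with ' | '."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Label match is case-insensitive so "Linux kernel version" still hits.
        label = next((l for l in LABELS if l.lower() == line.lower()), None)
        if label is not None:
            current = label
            values.setdefault(current, [])
        elif current is not None:
            values[current].append(line)
    return {k: " | ".join(v) for k, v in values.items()}


def check_build(info):
    """Return a list of findings about the build; an empty list means the
    block describes a production-signed, user-variant build."""
    findings = []
    desc = info.get("Build Description", "")
    if "test-keys" in desc:
        findings.append("signed with test-keys, not a production release")
    if "release-keys" not in desc:
        findings.append("release-keys tag missing from Build Description")
    # Android build variants: 'user' is the shipping variant; 'userdebug'
    # and 'eng' enable root/debug features that a production device lacks.
    build_type = info.get("Build Type", "")
    if build_type != "user":
        findings.append("build type is %r, not 'user'" % build_type)
    android_id = info.get("Android ID", "")
    if android_id and not (len(android_id) == 16 and
                           all(c in "0123456789abcdef" for c in android_id.lower())):
        findings.append("Android ID is not a 64-bit hex value")
    missing = [l for l in LABELS if l not in info]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    info = parse_build_info(SAMPLE_BLOCK)
    for label in LABELS:
        print("%-22s %s" % (label + ":", info.get(label, "<missing>")))
    print("findings:", check_build(info) or "none")
```

Run it as-is to see the parsed sample; feed it a block copied from another device to compare. A block that reports test-keys or a userdebug build type is the one to look at twice, since those are exactly the properties a cooked image would change.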
28th October 2008, 05:06 AM   |  #6
Senior Member
Thanks Meter: 41
144 posts
Joined: Oct 2008
Important information vs useless information
What is useless information is the serial numbers or which machine built your ROM image.

What IS NOT useless, and VERY important, is the ip address and/or domain name where the update file is downloaded from as well as the location of said file on said server, as well as the file name itself.

With that information, we could technically cook our own updates to the firmware if we figure out how to build one, simulate the updating server on a local network, and spoof the phone into thinking it's receiving a legit update when it's actually putting a cooked update onto itself... no need for root access to update the phone!

I read that you will receive a text message with a "download now" button to proceed with the update... if this is true, I can capture the entire traffic sequence of said update and we can emulate it on a local network.

I've tried some preliminary tests using the AnyCut app to open the page to force a "check for updates" and see what server it connects to but could not sniff packets from my wired LAN to my wireless LAN... I will try to sniff the packets straight on my linux router next time and see if I can tell who the phone talks to to check for updates.

If anyone wants to help, that would be excellent.
28th October 2008, 05:12 AM   |  #7
Retired Moderator
Thanks Meter: 10
1,271 posts
Joined: Mar 2008
Quote:
Originally Posted by damien667

What is useless information is the serial numbers or which machine built your ROM image.

What IS NOT useless, and VERY important, is the ip address and/or domain name where the update file is downloaded from as well as the location of said file on said server, as well as the file name itself.

With that information, we could technically cook our own updates to the firmware if we figure out how to build one, simulate the updating server on a local network, and spoof the phone into thinking it's receiving a legit update when it's actually putting a cooked update onto itself... no need for root access to update the phone!

I read that you will receive a text message with a "download now" button to proceed with the update... if this is true, I can capture the entire traffic sequence of said update and we can emulate it on a local network.

I've tried some preliminary tests using the AnyCut app to open the page to force a "check for updates" and see what server it connects to but could not sniff packets from my wired LAN to my wireless LAN... I will try to sniff the packets straight on my linux router next time and see if I can tell who the phone talks to to check for updates.

If anyone wants to help, that would be excellent.

HTC is already telling people how to cook your own rom. I want to know how they go about deciding who gets the updates and when... are the build hosts all the same? or do they differ? is our ID sequential? does it mean something? At this point I don't think there is any useless info... we don't know enough about the entire process.

I will see what I can sniff in Wireshark but I am not sure. I would really like to get my hands on a prerelease version and find out its info.
28th October 2008, 05:57 AM   |  #8
Senior Member
Thanks Meter: 41
144 posts
Joined: Oct 2008
HTC takes the Android SDK with kernel and rootfs, compiles it with the ARM toolchain, adds the proprietary T-Mobile stuff, and makes an image to flash onto the phone. All of this information AND source code is available from Google's git repository in the Android SDK source code. You can find it all here:

http://git.source.android.com/?p=pla...ster;hb=master

Since this phone goes through t-mobile, they are the ones who decide the updating process and order. According to their forums it's random.

http://forums.t-mobile.com/tmbl/boar...cending&page=1

The point is to get a back door into the root shell account so we can run whatever code we want on the phone as the root user... this will give us the ability to put a home-cooked android compilation on the phone if we so pleased.

Another way to do this is to figure out how the bootloader works on the phone and somehow tell it to boot up from a kernel in the sd card instead of the one in the ROM.
28th October 2008, 06:03 AM   |  #9
Retired Moderator
Thanks Meter: 10
1,271 posts
Joined: Mar 2008
... I read that Google was responsible for deploying the updates and that is why it is random. I think it is because they use your Android ID, not your IMEI or any other number. And I bet all our Android IDs have similarities.

BTW... I ran the debug client and the FOTA is cancelled by the server. It then crashes. So I am guessing what we are doing isn't working. There must be something else.
28th October 2008, 06:52 AM   |  #10
Senior Member, Phoenix, AZ, USA
Thanks Meter: 29
259 posts
Joined: Jan 2007
I have my G1 connected over Wi-Fi to my network, using Cain to ARP-poison and Wireshark to sniff.

Sorry to say, but I saw this one coming...the "call home" is encrypted via TLS/SSL.

Mine was contacting Google at 74.125.19.102. I captured the ssl cert. You can get a copy of it here: http://rapidshare.com/files/15823732...9.102.crt.html

More info to come
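Post #10 gets the phone's traffic onto the sniffing host by ARP poisoning, which is the same thing an attacker on a shared Wi-Fi network would do to a phone checking for updates. The script below is an added example (not code from the thread) of the detection side: it reads ARP replies in the text format `tcpdump -n arp` prints, flags any IP that is suddenly claimed by a different MAC than the one first seen (or than a binding you seed from the router itself), and lists MACs that answer for more than one IP, which is the signature of a host inserting itself between a client and the gateway. SAMPLE_LINES are constructed in tcpdump's style with made-up addresses; the line format is tcpdump's, the rest is this example's own.

```python
"""Detect ARP cache poisoning (the technique post #10 uses to get the phone's
traffic onto a sniffing host) from ARP replies in tcpdump's text format.

Added example, not code from the thread.  SAMPLE_LINES are constructed in
the style of `tcpdump -n arp`; the addresses are made up."""

import re
from collections import defaultdict

# tcpdump prints ARP replies as "<time> ARP, Reply <ip> is-at <mac>, length N".
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

SAMPLE_LINES = [
    "05:06:00.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "05:06:00.000420 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",   # real gateway
    "05:06:01.000000 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:aa, length 28",  # the phone
    "05:06:02.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",   # poisoner claims gateway
    "05:06:02.600000 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:01, length 28",  # poisoner claims phone
    "05:06:03.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",   # repeated to keep caches poisoned
]


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(lines, known_bindings=None):
    """Return (alerts, table).  alerts is a list of (ts, ip, expected_mac,
    claimed_mac), one per distinct conflicting claim; table is the IP->MAC
    binding learned.  known_bindings (e.g. the gateway MAC read from the
    router's own interface) is trusted over anything seen on the wire."""
    table = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    alerts = []
    reported = set()
    for ts, ip, mac in parse_arp_replies(lines):
        expected = table.get(ip)
        if expected is None:
            table[ip] = mac  # first claim wins; later conflicts are flagged, not adopted
        elif expected != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append((ts, ip, expected, mac))
    return alerts, table


def macs_claiming_multiple_ips(lines):
    """Return the set of MACs that answered for more than one IP.  A host
    claiming both the gateway and a client is the classic MITM signature."""
    claims = defaultdict(set)
    for _, ip, mac in parse_arp_replies(lines):
        claims[mac].add(ip)
    return {mac for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    alerts, _ = detect_arp_spoofing(SAMPLE_LINES)
    for ts, ip, expected, claimed in alerts:
        print("%s  %s expected at %s but %s is claiming it" % (ts, ip, expected, claimed))
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_LINES))
```

In practice you would pipe `tcpdump -l -n arp` into `detect_arp_spoofing` and seed `known_bindings` with the gateway's real MAC so that the very first forged reply is caught even if the poisoner speaks before the router does.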
