xda-developers > HTC Dream: G1 > G1 Android Development

  #1  
26th October 2008, 03:34 PM
worldestroyer
Member
 
Join Date: Oct 2008
Location: Boston
Posts: 31
Possible backdoor loader?

Using Anycut, select Activity, and in there choose "Device info". This tells you all the build related info, and on the bottom there is a way to check for new builds depending on your "build type". Maybe if using the wifi IP settings forced it through a proxy, where we would sniff the request. Possibly see if there are builds (beta?) we could load, or redirect it to a custom build?
  #2  
26th October 2008, 08:28 PM
apatcas
Member
 
Join Date: May 2007
Location: Atlanta, GA
Posts: 82

Quote: Originally Posted by worldestroyer
Using Anycut, select Activity, and in there choose "Device info". This tells you all the build related info, and on the bottom there is a way to check for new builds depending on your "build type". Maybe if using the wifi IP settings forced it through a proxy, where we would sniff the request. Possibly see if there are builds (beta?) we could load, or redirect it to a custom build?
Great find

  #3  
27th October 2008, 08:42 AM
neoobs
Moderator
 
Join Date: Mar 2008
Posts: 1,235

We should start a list... I will even keep all the data in a spreadsheet if everyone can give me all the info

Build Description
Build ID
Build Date
Build Type
Build User
Build Host
Linux Kernel version
Baseband Version
RIL Impl version
Android ID

Last edited by neoobs; 28th October 2008 at 12:36 AM..

  #4  
27th October 2008, 09:58 PM
damien667
Member
 
Join Date: Oct 2008
Posts: 44
G1 back door updater

I have a G1 without the update... I also have adb shell access to it and successfully ran bash and busybox on it. I know where all the partitions are in the filesystem (mtdblock1-5) and where the kernel resides (boot is mtdblock2).

When the upgrade comes out, I will sniff the packets and let you guys know (and possibly even put the upgrade file up for download somewhere).

Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)

  #5  
28th October 2008, 12:38 AM
neoobs
Moderator
 
Join Date: Mar 2008
Posts: 1,235

Quote: Originally Posted by damien667
I have a G1 without the update... I also have adb shell access to it and successfully ran bash and busybox on it. I know where all the partitions are in the filesystem (mtdblock1-5) and where the kernel resides (boot is mtdblock2).

When the upgrade comes out, I will sniff the packets and let you guys know (and possibly even put the upgrade file up for download somewhere).

Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)
The upgrade will download at various times... it will ask you to update after it has downloaded.

BTW I added two fields I forgot. Build Host (I am wondering if this is different for some and that is how they get updates) and Android ID (also wondering if this has to do with updates.)

Here is my info
Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build ID
TC4-RC19
Build Date
Sat Sep 13 00:11:34 PDT 2008
Build Type
user
Build User
android-build
Build Host
undroid13.corp.google.com
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
Baseband Version
62.33.20.08H_1.22.12.28
RIL Impl version
HTC-RIL 1.0 (Aug 19 2008, 21"32:33)
Android ID
200145da5528c72d
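The "Device info" dumps posted above share one layout: a field name on its own line, followed by one or more value lines. The following added example (not code from the thread or from any of its posters) parses such a dump into one record for the build list neoobs proposed and then splits the Build Description into its parts, following Android's ro.build.description layout "<product>-<variant> <release> <id> <incremental> <tags>"; the sample dump is a constructed input re-typed from the posts.

```python
# Added example, not code from the thread.  FIELDS are the names neoobs listed;
# SAMPLE_DUMP is a constructed input re-typed from the posts above.
FIELDS = {
    "Build Description", "Build ID", "Build Date", "Build Type", "Build User",
    "Build Host", "Linux Kernel version", "Baseband Version", "RIL Impl version",
    "Android ID",
}

SAMPLE_DUMP = """\
Build Description
kila-user 1.0 TC4-RC19 109652
ota-rel-keys, release-keys
Build Type
user
Build Host
undroid13.corp.google.com
Linux Kernel version
2.6.25-01828-g18ac882
android-build@apa27 #1
Thu Sep 11 23:18:27 PDT 2008
"""

def parse_device_info(text):
    """Collect the lines that follow each field name; a value may span several lines."""
    info, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in FIELDS:          # a known field name starts a new value
            current, info[line] = line, []
        elif current is not None:   # anything else continues the current value
            info[current].append(line)
    return {name: " ".join(parts) for name, parts in info.items()}

def split_build_description(desc):
    """Break 'kila-user 1.0 TC4-RC19 109652 ota-rel-keys, release-keys' into its parts."""
    product_variant, release, build_id, incremental, tags = desc.split(None, 4)
    product, _, variant = product_variant.partition("-")
    tag_set = {t.strip() for t in tags.split(",")}
    return {
        "product": product, "variant": variant, "release": release,
        "build_id": build_id, "incremental": incremental, "tags": tag_set,
        # test-keys marks a build signed with the publicly available AOSP test keys;
        # a shipped phone is expected to show release-keys, as every dump here does
        "release_signed": "release-keys" in tag_set and "test-keys" not in tag_set,
    }
```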

  #6  
28th October 2008, 04:06 AM
damien667
Member
 
Join Date: Oct 2008
Posts: 44
Important information vs useless information

What is useless information is the serial numbers or which machine built your ROM image.

What IS NOT useless, and VERY important, is the ip address and/or domain name where the update file is downloaded from as well as the location of said file on said server, as well as the file name itself.

With that information, we could technically cook our own updates to the firmware if we figure out how to build one, simulate the updating server on a local network, and spoof the phone into thinking it's receiving a legit update when it's actually putting a cooked update onto itself... no need for root access to update the phone!

I read that you will receive a text message with a "download now" button to proceed with the update... if this is true, I can capture the entire traffic sequence of said update and we can emulate it on a local network.

I've tried some preliminary tests using the AnyCut app to open the page to force a "check for updates" and see what server it connects to but could not sniff packets from my wired LAN to my wireless LAN... I will try to sniff the packets straight on my linux router next time and see if I can tell who the phone talks to to check for updates.

If anyone wants to help, that would be excellent.

  #7  
28th October 2008, 04:12 AM
neoobs
Moderator
 
Join Date: Mar 2008
Posts: 1,235

Quote: Originally Posted by damien667
What is useless information is the serial numbers or which machine built your ROM image.

What IS NOT useless, and VERY important, is the ip address and/or domain name where the update file is downloaded from as well as the location of said file on said server, as well as the file name itself.

With that information, we could technically cook our own updates to the firmware if we figure out how to build one, simulate the updating server on a local network, and spoof the phone into thinking it's receiving a legit update when it's actually putting a cooked update onto itself... no need for root access to update the phone!

I read that you will receive a text message with a "download now" button to proceed with the update... if this is true, I can capture the entire traffic sequence of said update and we can emulate it on a local network.

I've tried some preliminary tests using the AnyCut app to open the page to force a "check for updates" and see what server it connects to but could not sniff packets from my wired LAN to my wireless LAN... I will try to sniff the packets straight on my linux router next time and see if I can tell who the phone talks to to check for updates.

If anyone wants to help, that would be excellent.
HTC is already telling people how to cook your own rom. I want to know how they go about deciding who gets the updates and when... are the build hosts all the same? or do they differ? is our ID sequential? does it mean something? At this point I don't think there is any useless info... we don't know enough about the entire process.

I will see what I can sniff in wireshark but I am not sure. I would really like to get my hands on a prerelease version and find out its info.

  #8  
28th October 2008, 04:57 AM
damien667
Member
 
Join Date: Oct 2008
Posts: 44

HTC takes the Android SDK with kernel and rootfs, compiles it with the ARM toolchain, adds the proprietary t-mobile stuff, and makes an image to flash onto the phone. All of this information AND source code is available from Google's GIT repository in the android SDK source code. You can find it all here:

http://git.source.android.com/?p=pla...ster;hb=master

Since this phone goes through t-mobile, they are the ones who decide the updating process and order. According to their forums it's random.

http://forums.t-mobile.com/tmbl/boar...cending&page=1

The point is to get a back door into the root shell account so we can run whatever code we want on the phone as the root user... this will give us the ability to put a home-cooked android compilation on the phone if we so pleased.

Another way to do this is to figure out how the bootloader works on the phone and somehow tell it to boot up from a kernel in the sd card instead of the one in the ROM.

  #9  
28th October 2008, 05:03 AM
neoobs
Moderator
 
Join Date: Mar 2008
Posts: 1,235

... I read that google was responsible for deploying the updates and that is why it is random. I think it is because they use your android ID not your IMEI or any other number. And I bet all our android IDs have similarities.

BTW... I ran the debug client and the FOTA is cancelled by the server. It then crashes. So I am guessing what we are doing isn't working. There must be something else.

  #10  
28th October 2008, 05:52 AM
staulkor
Senior Member
 
Join Date: Jan 2007
Location: Laurel, MD, USA
Posts: 192

I have my G1 connected over wifi to my network. Using Cain to arp poison and wireshark to sniff.

Sorry to say, but I saw this one coming...the "call home" is encrypted via TLS/SSL.

Mine was contacting Google at 74.125.19.102. I captured the ssl cert. You can get a copy of it here: http://rapidshare.com/files/15823732...9.102.crt.html

More info to come