[RADIO] Cellular Radio Communication -/ Modem | IMEI /- Related Security Discussion

By noidodroid, Senior Member on 6th December 2019, 10:45 AM

I hope this Thread Section is A-OK for the following. @MikeChanning, I see this is one of which you are in control of. If not suitable, please move it to where you see it is best fit for its final resting place. If you see this and I am sure I have the correct Mike from XDA..... Hey there guy.. =] been a while since we have spoken about the good ol' days of the 90's and 00's internet. We will have to have another chat when time permits. Curious to hear more stories about my ex marketing associates and other mutual walks of underground life we ran around with.

Alright now to what I wanted to get a good discussion going on...


This whole discussion you are about to get into is spawned from my extended thirst for knowledge and a related comment from @tecknight I just so happened to see moments ago. It is something that could use more educated discussion here: for one, it's important to watch what you include in your EDL dumps or file pulls you provide to others. Secondly, the more you know the better... The easier it is to *repair* loss of the International Mobile Equipment Identity of your device without blowing a gasket!


Quote:
Originally Posted by tecknight

I will need all partitions except for:
fsg
modemst1
modemst2

Which contain unique information tied to your phone (IMEI, serial, etc.)
I would recommend that you zip the partition images into an archive and upload them to Google Drive or some other file sharing service, then PM the URL to me.

I too used to think that these partitions carried valuable information; however, after dealing with Android's second operating system, aka the RIL, and reading various informative articles, I have found out that only 2 of those are actually ones to really worry about, except for [fsg] and some other partitions.

From what I understand and have seen, modemst1 and modemst2 do contain sensitive data; however, they are encrypted and unreadable until you erase them and they get restored on the next reboot, which I'm sure you already know. Now [modem] is just an ext4 partition containing nothing but the radio firmware binaries themselves. As for the [fsg] partition, it still doesn't contain all the NV items, for instance, and you won't find any IMEI there. Now the [/dev/block/boot/device/by-name] directory, however, does have some interesting information according to articles and more I have recently read. Apparently, according to the author of one part of where some of your information is coming from, it is the [tunning] partition which contained some references to NV items as well, but totally different than the ones in [fsg], including [/nv/num/550] and [/nvm/context1/550]. When looking at the familiar patterns read from partitions [nvdiag_client -r -p /nvm/num/550], they showed up there just as well.

This information is coming from a new 2019 Nokia model phone, from what I'm gathering, but the bulk of it is common and applies to most all Qualcomm. The file I looked into was a raw binary on an eMMC partition but had some interesting regular structure; despite having no file system it appeared as one. This, my friends, would be the second operating system on Android, the RIL. This is where all the complicated work goes on when it comes to programming anything radio related. I am very limited and have unlocked numerous phones in my time. Really the most experience I have is with CDMA, going back to the early days of last decade. So this is all still interesting information I am glad to have come across and share with everyone here. Ok.. Back to this strange amazing structure: it appears to contain name-contents and also some odd ustar references. To some, when seeing this, you might realize where you have seen them before.. Think and try applying tar xf ... ? With me?

[fsg] and [tunning] partitions are just TAR archives with logically structured EFS items critical for the handset's radio module functionality. They are apparently also TOTALLY unencrypted, unlike the modemst1 and modemst2 partitions that get restored from these. .... So now down to the obvious reason you would do this.. to repair and more. By modifying their TAR contents and erasing the modemst1 and modemst2 partitions that, again, get restored from these, you can either repair or run game on the EFS and, for example, have complete total File System control in a "custom rom" and could create what's been done already, but not so advanced as the ideas I have in my mind, which would be randomization of these very important sacred identifier numbers, 14 numbers long with a Luhn check digit. The author I gathered some of this information from has already created a very small self-spawning shell script running in busybox of a certain rooted Custom ROM. I don't want to lead this down the negative road and get this convo banned, with those of us choosing to discuss how everything works warned/banned, so I will end this here.

However, if mods do not mind us discussing this in detail, simply as protection measures to be watched and/or protected by means of hardening security in this area, that would be great, and I could show an example of a simple small script that would do the IMEI repair or worse with ease in a matter of seconds ...

I see positive and negative out of this and already have a load of PoCs that will work. This is something which people more dedicated than myself these days to research leading to action in the pentesting field might find interesting, not to mention all HATS, cellular manufacturers, ROM programmers, companies both large and small and so many more...

I would love those more experienced in this discussion to chime in with their comments and correct me / update me if and where I am off, and of course make it easier for XDA members to understand what gives so many trouble and renders devices useless unless fixed.. -=]


.
.
.


/me inserts Lamar Burks photo and whispers "this has been a reading rainbow moment" ha ha..

q=]
-noidodroid
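As an added example (not the poster's script and not code from this thread): a small pre-share checker someone could run over partition pulls before handing them out, in the spirit of "watch what you include in your EDL dumps". It walks 512-byte ustar headers to list the members of a plain tar image of the kind the post attributes to [fsg] and [tunning], and flags any 15-digit run that passes the Luhn check. The member names nvm/num/550 and nvm/context1/550 are taken from the post; the archive itself and the IMEI value inside it are constructed for the demo.

```python
import io
import re
import tarfile

TAR_BLOCK = 512


def is_valid_imei(imei: str) -> bool:
    """True for a 15-digit string whose last digit is a correct Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting leftwards from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tar_member_names(blob: bytes) -> list:
    """Walk 512-byte ustar headers in a raw image and return the member names found."""
    names, off = [], 0
    while off + TAR_BLOCK <= len(blob):
        hdr = blob[off:off + TAR_BLOCK]
        if hdr[257:262] != b"ustar":  # not a header: trailer padding, or not a tar at all
            break
        names.append(hdr[:100].split(b"\0", 1)[0].decode("ascii", "replace"))
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        off += TAR_BLOCK + -(-size // TAR_BLOCK) * TAR_BLOCK  # header + data rounded up
    return names


def scan_dump(blob: bytes) -> dict:
    """Flag an image that is a plain tar (fsg/tunning style) or carries Luhn-valid IMEIs."""
    members = tar_member_names(blob)
    runs = {m.decode() for m in re.findall(rb"(?<!\d)\d{15}(?!\d)", blob)}
    return {"is_tar": bool(members), "members": members,
            "imeis": sorted(r for r in runs if is_valid_imei(r))}


def build_sample_tar() -> bytes:
    """Constructed stand-in for an fsg-style image; the IMEI is made up to pass Luhn."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in (("nvm/num/550", b"123456789012347\n"), ("nvm/context1/550", b"\0" * 32)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A blank or encrypted-looking image (for example `scan_dump(b"\0" * 4096)`) reports no tar members and no IMEIs, while the constructed sample lists both NV items and the embedded identifier.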
By noidodroid, OP Senior Member on 6th December 2019, 10:49 AM |#2
RESERVED ..

(off to count sheep for a while - ZZZzz..)
By noidodroid, OP Senior Member on 23rd January 2020, 06:46 AM |#3
Bump.. nobody?
By noidodroid, OP Senior Member on 7th February 2020, 06:55 PM |#4
Anyone ?? Surprised nobody has researched this
By thorax.x, Junior Member on 7th February 2020, 10:23 PM |#5
I would be interested to know more specific information about the topics you would like to discuss. I can see you have given thoughtful consideration to forum choice and posting guidelines; however, the original message is just a little TOO circumspect and vague for me to follow. I am particularly interested to hear about your observations of the RIL and file system in this recent Nokia release, and where you see the vulnerabilities lie. If you could maybe also give some hypothetical scenarios as to how exploitations of your observations might look IRL (yes... IRL, not RIL, lol!). I am at a stage where I'm still learning about the enormous amount of unseen stuff on Android (filesystems, partitions, libraries, APIs, the nuts and bolts of the OS, all the mysterious looking stuff, and of course the radio interface layer and all its constituents - which, I believe, are STILL relatively insecure - which I think is also the point of your discussion...).

So... Yes... If you could perhaps give a more concise account of your observations, and perhaps a few starter questions, hopefully those with more knowledge than us might deign to lower themselves to our sordid little level, and get a little dirt on their polished fingernails sharing that sweet sweet knowledge...
By camm44, Member on 8th February 2020, 10:58 AM |#6
With the correct information about this, could you technically get any phone from the past working on any carrier or CDMA/GSM and then LTE (or is that hardware capabilities)? I'm off topic slightly but not really.
By noidodroid, OP Senior Member on 6th April 2020, 03:52 PM |#7
Quote:
Originally Posted by thorax.x

I would be interested to know more specific information about the topics you would like to discuss. I can see you have given thoughtful consideration to forum choice and posting guidelines; however, the original message is just a little TOO circumspect and vague for me to follow. I am particularly interested to hear about your observations of the RIL and file system in this recent Nokia release, and where you see the vulnerabilities lie. If you could maybe also give some hypothetical scenarios as to how exploitations of your observations might look IRL (yes... IRL, not RIL, lol!). I am at a stage where I'm still learning about the enormous amount of unseen stuff on Android (filesystems, partitions, libraries, APIs, the nuts and bolts of the OS, all the mysterious looking stuff, and of course the radio interface layer and all its constituents - which, I believe, are STILL relatively insecure - which I think is also the point of your discussion...).

So... Yes... If you could perhaps give a more concise account of your observations, and perhaps a few starter questions, hopefully those with more knowledge than us might deign to lower themselves to our sordid little level, and get a little dirt on their polished fingernails sharing that sweet sweet knowledge...

Thanks for replying. Basically, what I am trying to get discussion on here is where critical modem related files and RIL files (IMEI, ESN, etc.) reside within the files listed and whether or not one can truly gain enough information from said files to find that information. I already know the answer and also wanted to make it a point to others on what not to include in your EDL / Firmware dumps, as it could be used by the wrong hands. I also had a bunch of other information more detailed, but it looks like it's been edited out by someone... Maybe a bit TOO detailed. ha

I will come up with some more direct questions sometime when i get a few minutes free.
By noidodroid, OP Senior Member on 6th April 2020, 03:52 PM |#8
.......
By noidodroid, OP Senior Member on 6th April 2020, 03:57 PM |#9
Quote:
Originally Posted by camm44

With the correct information about this, could you technically get any phone from the past working on any carrier or CDMA/GSM and then LTE (or is that hardware capabilities)? I'm off topic slightly but not really.


Technically yes and no. If the idea I mentioned will write out through serial to the RIL and all security is saved or updated, then yes, but the other methods would be a soft IMEI spoof, so to speak, and the other advanced methods, well, I can't discuss these, as yeah, they really could be something new not ever explored. Simply ideas for exploring to help security improve, NOT to defraud or do anything illegal... -=]
11th April 2020, 01:45 PM |#10, Member
What programs can be used to read binary code from phone partitions ?
Tags
efs, emmc, imei, modem, radio