[RADIO] Cellular Radio Communication -\/ Modem | IMEI \/- Related Security Discussion!
I hope this Thread Section is A-Ok for the following. @MikeChanning i see this is one of which you are in control of. If not suitable please move it to where you see it is best fit for its final resting place. If you see this and i am sure i have the correct Mike from XDA..... Hey there guy.. =] been a while since we have spoke about the good ol days of the 90's and 00's internet. We will have to have another chat when time permits. Curious to hear more stories about my ex marketing associates and other mutual walks of underground life we ran around with.
Alright now to what I wanted to get a good discussion going on...
This whole discussion you are about to get into is spawned from my extended thirst for knowledge and related comment from @tecknight i just so happened to see moments ago. It is something that could use more educated discussion here as for one it's important to watch what you include in your EDL dumps or file pulls you provide to others. Secondly the more you know the better... The easier it is to *repair* loss of International Mobile Equipment Identity of your device without blowing a gasket!
I too used to think that these partitions carried valuable information however after dealing with Android second operating system aka the RIL and reading various informative articles I have found out that only 2 of those are actually ones to really worry about except for [fsg] and some other partitions.
From what I understand and I have seen modem ST1 and modem st2 do you contain sensitive data however are encrypted and unreadable until you erase them and they get restored on the next reboot which I'm sure you already know. Now [modem] is just an ext4 partition containing nothing but radio firmware binaries themselves. As for [fsg] partition it's still doesn't contain all the NV items for instance and you won't find any IMEI there. Now [/dev/block/boot/device/by-name] directory however does have some interesting information according to articles and more I have recently read. Apparently according to the author of one part of where some of your information is coming from is the [tunning] partition which contained some references to NV items as well but totally different than the ones in [fsg]. Including [/nv/num/550 and [/nvm/context1/550]. When looking at the familiar patterns read from partitions [nvdiag_client -r -p /nvm/num/550] they showed up there more just as well.
This information is coming from a new 2019 Nokia model phone from what I'm Gathering but the bulk of it is common and applies to most all Qualcomm. Defile looked into was a raw binary on an EMMC partition but had some interesting regular structure despite having no file system it appeared as one. This my friends would be the second operating system on Android the RIL. This is where all the complicated work goes on when it comes to programming anything radio related. I am very limited and have unlock numerous phones in my time. Really the most experience I have is with CDMA going back to early days of last decade. So this is all still interesting information I am glad to have came across and share to everyone here. Ok.. Back to this strange amazing structure it appears to contain name-contents and also some o d d ustar references. to some when seeing this you might realize where you have seen them before.. Think and try applying tar xf ... ? With me?
[fsg] and [tunning] partitions are just TAR archives with logic structured EFS items critical for the handsets radiomodule functionality. They are apparently also TOTALLY unencrypted unlike modemst1 and modemst2 partitions that get restored from these. .... So now down to the obvious reason you would do this.. to repair and more by modifying their TAR contents and erasing the modesmst1 and modemst2 partitions that, again, get restored from these you can either repair or run game on the EFS and for example have complete total File System control in a "custom rom" and could create whats been done already but not so advanced as the ideas I have in my mind which would be randomization of these very important sacred identifier numbers 14 numbers long with a luhn check digit. The author i gathered some of this information from has already created a very small self spawning shell script running in busybox of a certain rooted Custom ROM. I don't want to lead this down the negative road and get this convo banned with those of us choosing to discuss how everything works warned/banned so i will end this here.
However if mods do not mind us discussing this in detail simply as protection measures to be watched and or protected by means of hardening security in this area that would be great and I could show an example of a simple small script that does would do the imei repair or worse with ease in a matter of seconds ...
I see positive and negative out of this and already have a load of PoC's that will work. This which people more dedicated than myself these days to research leading to action in the pentesting field might find interesting not to mention including all HATS, cellular manafacturers, ROM programmers, companies both large and small and so many more...
I would love those more experienced in this disucssion to chime in with their comments and correct me / update me if and where I am off and of course make it easier for XDA members to understand what gives so many trouble and renders devices useless unless fixed.. -=]
.
.
.
/me inserts Lamar Burks photo and whispers "this has been a reading rainbow moment" ha ha..
q=]
-noidodroid
I hope this Thread Section is A-Ok for the following. @MikeChanning i see this is one of which you are in control of. If not suitable please move it to where you see it is best fit for its final resting place. If you see this and i am sure i have the correct Mike from XDA..... Hey there guy.. =] been a while since we have spoke about the good ol days of the 90's and 00's internet. We will have to have another chat when time permits. Curious to hear more stories about my ex marketing associates and other mutual walks of underground life we ran around with.
Alright now to what I wanted to get a good discussion going on...
This whole discussion you are about to get into is spawned from my extended thirst for knowledge and related comment from @tecknight i just so happened to see moments ago. It is something that could use more educated discussion here as for one it's important to watch what you include in your EDL dumps or file pulls you provide to others. Secondly the more you know the better... The easier it is to *repair* loss of International Mobile Equipment Identity of your device without blowing a gasket!
I will need all partitions except for:
fsg
modemst1
modemst2
Which contain unique information tied to your phone (IMEI, serial,etc)
I would recommend that you zip the partition images into an archive and upload them to Google drive on some other file sharing service, then PM the URL to me.
I too used to think that these partitions carried valuable information however after dealing with Android second operating system aka the RIL and reading various informative articles I have found out that only 2 of those are actually ones to really worry about except for [fsg] and some other partitions.
From what I understand and I have seen modem ST1 and modem st2 do you contain sensitive data however are encrypted and unreadable until you erase them and they get restored on the next reboot which I'm sure you already know. Now [modem] is just an ext4 partition containing nothing but radio firmware binaries themselves. As for [fsg] partition it's still doesn't contain all the NV items for instance and you won't find any IMEI there. Now [/dev/block/boot/device/by-name] directory however does have some interesting information according to articles and more I have recently read. Apparently according to the author of one part of where some of your information is coming from is the [tunning] partition which contained some references to NV items as well but totally different than the ones in [fsg]. Including [/nv/num/550 and [/nvm/context1/550]. When looking at the familiar patterns read from partitions [nvdiag_client -r -p /nvm/num/550] they showed up there more just as well.
This information is coming from a new 2019 Nokia model phone from what I'm Gathering but the bulk of it is common and applies to most all Qualcomm. Defile looked into was a raw binary on an EMMC partition but had some interesting regular structure despite having no file system it appeared as one. This my friends would be the second operating system on Android the RIL. This is where all the complicated work goes on when it comes to programming anything radio related. I am very limited and have unlock numerous phones in my time. Really the most experience I have is with CDMA going back to early days of last decade. So this is all still interesting information I am glad to have came across and share to everyone here. Ok.. Back to this strange amazing structure it appears to contain name-contents and also some o d d ustar references. to some when seeing this you might realize where you have seen them before.. Think and try applying tar xf ... ? With me?
[fsg] and [tunning] partitions are just TAR archives with logic structured EFS items critical for the handsets radiomodule functionality. They are apparently also TOTALLY unencrypted unlike modemst1 and modemst2 partitions that get restored from these. .... So now down to the obvious reason you would do this.. to repair and more by modifying their TAR contents and erasing the modesmst1 and modemst2 partitions that, again, get restored from these you can either repair or run game on the EFS and for example have complete total File System control in a "custom rom" and could create whats been done already but not so advanced as the ideas I have in my mind which would be randomization of these very important sacred identifier numbers 14 numbers long with a luhn check digit. The author i gathered some of this information from has already created a very small self spawning shell script running in busybox of a certain rooted Custom ROM. I don't want to lead this down the negative road and get this convo banned with those of us choosing to discuss how everything works warned/banned so i will end this here.
However if mods do not mind us discussing this in detail simply as protection measures to be watched and or protected by means of hardening security in this area that would be great and I could show an example of a simple small script that does would do the imei repair or worse with ease in a matter of seconds ...
I see positive and negative out of this and already have a load of PoC's that will work. This which people more dedicated than myself these days to research leading to action in the pentesting field might find interesting not to mention including all HATS, cellular manafacturers, ROM programmers, companies both large and small and so many more...
I would love those more experienced in this disucssion to chime in with their comments and correct me / update me if and where I am off and of course make it easier for XDA members to understand what gives so many trouble and renders devices useless unless fixed.. -=]
.
.
.
/me inserts Lamar Burks photo and whispers "this has been a reading rainbow moment" ha ha..
q=]
-noidodroid