Saturday, January 16, 2016

HG532e Reverse Engineering


The firmware under test is HG532eV100R001C81B025_upgrade_packet.bin.

Binwalk Analysis:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
8792          0x2258          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 97664 bytes
70016         0x11180         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2783096 bytes
979072        0xEF080         Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2746714 bytes, 197 inodes, blocksize: 65536 bytes, created: 2014-04-17 02:44:10


Also, by comparing this file with the same version of the firmware built for a different upgrade process,
HG532eV100R001C81B025_upgrade_main.bin,
we find that the first 80 bytes are an RSA key.
(The "packet" suffix in the file name means the image updates the firmware and resets the configuration to its defaults, while "main" only updates the firmware and keeps the previous settings.)

The firmware is divided into three partitions:

1. EF080 Squashfs filesystem


The partition is extracted using sasquatch.

The extracted folder has a base Linux file system with some empty folders, links into the file system, and some important files.
List of folders:
bin  dev  etc  init  lib  mnt  proc  sbin  tmp  usr  var

The important files are inside /etc:
1. defaultcfg.xml > an encrypted configuration file; a very important file which has all usernames and passwords of the system and the default settings of the device.
I've looked into a project to decrypt the configuration file from a similar system (hg658c.wordpress.com) and found that it's not easy: you need some keys and RSAs, and these keys should be stored somewhere in the system.
2. webimg > the content of the website; it consists of html, asp, xml and css files, but all the files are stacked in one file.
3. webidx > the index for the files stacked in webimg; the content of this file is as follows:
path:html
webfilterparam.h 39663 0
path:html/html
pubinfo.asp 1279 39663
msgerrcode.asp 1347 40942

path:html > the path of the following files
webfilterparam.h > the file name
39663 > the file size
0 > the decimal starting position of the file in webimg

I've made a Python script to extract the webimg files; it's on my GitHub. You have to download readwebimg.py, copy it beside the webidx and webimg, and run it from the terminal:
$ python readwebimg.py
It will extract all files into the html folder.
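The webidx layout described above is simple enough to parse in a few lines. The following is an added example written for this page, not the readwebimg.py script from the post; it assumes the format inferred from the snippet (a "path:<dir>" line sets the directory, each "name size offset" line describes one file), runs on a constructed sample instead of the real files, and refuses entries that run past the end of the image or whose names could escape the output directory.

```python
"""Added example (not the post's readwebimg.py): parse a webidx index and
carve the packed files out of webimg. Format inferred from the post's
snippet: 'path:<dir>' sets the directory, 'name size offset' lists a file."""
from typing import Dict, List, Tuple


def parse_webidx(text: str) -> List[Tuple[str, int, int]]:
    """Return [(relative_path, size, offset), ...] from webidx text."""
    entries, current_dir = [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("path:"):
            current_dir = line[len("path:"):].strip().strip("/")
            continue
        parts = line.split()
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError(f"webidx line {lineno}: unexpected entry {raw!r}")
        name, size, offset = parts[0], int(parts[1]), int(parts[2])
        # A name containing a separator or '..' could escape the output
        # directory when the carved files are written to disk, so reject it.
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"webidx line {lineno}: unsafe file name {name!r}")
        entries.append((f"{current_dir}/{name}" if current_dir else name, size, offset))
    return entries


def carve_webimg(index: str, image: bytes) -> Dict[str, bytes]:
    """Slice every indexed file out of the webimg blob, refusing entries
    whose offset+size run past the end (a corrupt or hostile index)."""
    files = {}
    for rel, size, offset in parse_webidx(index):
        if offset + size > len(image):
            raise ValueError(f"{rel}: {offset}+{size} exceeds {len(image)}-byte image")
        files[rel] = image[offset:offset + size]
    return files


# Constructed sample, not real firmware data: three tiny files packed back
# to back (17 + 13 + 13 bytes) and an index laid out like the post's webidx.
SAMPLE_WEBIMG = b"#define FILTER 1\n" + b"<% pubinfo %>" + b"<% errcode %>"
SAMPLE_WEBIDX = ("path:html\nwebfilterparam.h 17 0\n"
                 "path:html/html\npubinfo.asp 13 17\nmsgerrcode.asp 13 30\n")

if __name__ == "__main__":
    for path, data in carve_webimg(SAMPLE_WEBIDX, SAMPLE_WEBIMG).items():
        print(f"{path}: {len(data)} bytes")
```

Writing the carved files to disk is left to the caller; the dictionary keys are the relative paths to create under an output directory.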

2. 2258  LZMA compressed data


3. 11180 LZMA compressed data



HG532e open-source code on GitHub

HG532e folder on mediafire


Things you need to know:

Note: replace each bracketed placeholder (*****) with the value that suits your case.

To extract a part of a firmware image use:
$ dd if=(imageName) bs=1 skip=(decimal address of the beginning of the file) of=(outPartName)

To check the file type use:
$ file (the name of the file you need to check)

To read all strings in a file use:
$ strings -n 10 (the name of the file you need to check)  >  (name_of_the_output_file)

To read a file in hex form (hexdump prints a line containing only * to indicate repeated lines) use:
$ hexdump -C (the name of the file you need to check)  >  (name_of_the_output_file)

You can limit the hex output to a certain number of lines using:
$ hexdump -C (the name of the file you need to check) | head -n (number of requested lines)

To search for a file name in a directory and its subdirectories use:
$ find . -name (the name of the wanted file)

To search for a text inside the files in a directory and its subdirectories use:
$ grep "(the wanted text)" -r .

To extract an lzma compressed file use:
$ lzma -d (the lzma compressed file)

Tuesday, June 30, 2015

GSM Sniffing and Decoding

1. Install RTL-SDR Driver

git clone git://git.osmocom.org/rtl-sdr.git
cd rtl-sdr/
mkdir build
cd build
cmake ../
make
sudo make install
sudo ldconfig



2. Install OSMO-SDR

git clone git://git.osmocom.org/gr-osmosdr
cd gr-osmosdr
git checkout gr3.6
mkdir build 
cd build/
cmake ../
make 
sudo make install 
sudo ldconfig

3. Install Airprobe

Install gsmdecode

cd airprobe/gsmdecode
./bootstrap
./configure
make


Install gsm-receiver

cd airprobe/gsm-receiver
./bootstrap
./configure
make


4. Start Live Decoding

./gsm_receive_rtl.py -s 1e6 -f 951.8M
If you receive many errors like (sch.c:260 ERR: conv_decode 12), you need to calibrate.


5. Recording data: capturing a cfile with the RTL-SDR

First save an rtl_sdr .bin data file using the command below, where -s is the sample rate, -f is the GSM signal frequency and -g is the gain setting. (rtl_sdr is stored in ‘gnuradio-src/rtl-sdr/src’)
rtl_sdr /tmp/rtl_sdr_capture.bin -s 1.0e6 -f 955363665
Next, download this GNU Radio Companion (GRC) flow graph (scroll all the way down for the link), which will convert the rtl_sdr .bin file into a .cfile. Set the file source to the capture.bin file, and set the file output for a file called capture.cfile which should be located in the ‘airprobe/gsm-receiver/src/python’ folder. Also, make sure that ‘Repeat’ in the File Source block is set to ‘No’.
Now execute the GRC flow graph by clicking on the icon that looks like grey cogs. This will create the capture.cfile. The flow chart will not stop by itself when it’s done, so once the file has been written press the red X icon in GRC to stop the flow chart running.
The capture.cfile can now be used in airprobe. However, to use this cfile, I found that I had to use ./gsm_receive.py, rather than ./go.sh as a custom decimation rate is required. I’m not sure why, but a decimation rate of 64 worked for me, which is set with the -d flag.
./gsm_receive.py -I rtl_sdr_capture.cfile -d 64
To decode a message:
./go.sh output.cfile 64 0C (EFKC KEY)
The EFKC key is unique to each mobile user and changeable.

Notes for errors:

1. Invalid Driver

Message: "Kernel driver is active, or device is claimed by second instance of librtlsdr.
In the first case, please either detach or blacklist the kernel module
(dvb_usb_rtl28xxu), or enable automatic detaching at compile time."
Solution: sudo rmmod dvb_usb_rtl28xxu rtl2832 

If this works, and you don't want to use the device for TV reception, 
you can stop the module from ever being loaded, solving the problem 
permanently.  The exact method depends on your Linux distribution, but 
for me (running Arch Linux) I create a file in /etc/modprobe.d with 
a .conf extension (I called it "no-rtl.conf") with these contents: 

  blacklist dvb_usb_rtl28xxu 
  blacklist rtl2832 
  blacklist rtl2830 

2. Calibration

git clone git://github.com/steve-m/kalibrate-rtl
cd kalibrate-rtl
./bootstrap
CXXFLAGS='-W -Wall -O3' ./configure
make
make install

kal -s 900

kal -c (channel Number)



Source:

1. https://github.com/ksnieck/airprobe
2. http://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/
3. http://sdr.osmocom.org/trac/wiki/rtl-sdr

Saturday, March 21, 2015

How to Hide Your IP, Browse the Web Anonymously and Access Restricted Sites

Internet censorship is something which almost all of us, no matter where we live, encounter in one form or the other. Social networking or video sharing sites like YouTube, Facebook and Twitter are usually blocked in offices. Some sites, like Pandora, are country specific. And if you are in a place like China, well, you’ve heard the censorship stories, haven’t you?

Even if you can visit the sites mentioned above using certain workarounds or tools, your school/company or ISP may record your recent activities, something you might not want.
There are online web proxies too, but many of them are of unknown origin and hence you cannot ensure complete privacy. So how do we hide IP and securely surf the web anonymously? I’d say VPN is probably the best and ultimate solution to bypassing internet censorship in a secure way.
VPN
(Image Courtesy – Cisco Systems)
According to Wikipedia,
virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network. It aims to avoid an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same, secure capabilities, but at a much lower cost.
While Wikipedia’s definition highlights VPN’s commercial benefit, for users like us, it means that if we use a VPN service (like one we are going to discuss) whose servers are in a specific country, we will be assigned an IP of that location and would be able to browse sites limited to that country privately and securely.
Thus, if you’re using a VPN service provided by US servers, you can visit sites like Hulu and Pandora even if you are outside US. Same is the case when you are in a limited or censored network and using a VPN to connect to that network.
Now, let's talk about some popular and free VPN services that can help you surf the web as freely as possible without worrying about privacy and censorship issues.

Hotspot Shield

Probably the most popular one among all free VPN providers. Hotspot Shield is an OpenVPN based privacy and security tool, used to encrypt your web browsing when at public hotspots and to circumvent web filters.
Here are the steps to use it.
Download Hotspot Shield and then install the package. The newer version will first launch a download manager for the installation.
After downloading is finished, the installer will launch.
The only thing I need to mention is that you may not need the Hotspot Shield IE toolbar, so just uncheck it while installing.
Neither do you want to enable these options, I guess.
Once you are done selecting the options, you can click install to begin. If there are any dialog boxes prompting new driver installation, just click “Install”.
Now you can double click Hotspot Shield shortcut, and wait for the connection. Right click the program icon in system tray to switch the VPN connection on or off. There is no need to register or pay for the service, but you will receive advertisements and forced URL redirect sometimes.
Note: Although HotSpot Shield is pretty effective, you cannot watch Hulu videos using it. It’s just that Hulu is smarter. Most of the other US based sites work fine though.

Free VPN

Another well known VPN provider, Free VPN is also free and doesn’t require registration. It has a forced URL redirect and changes the homepage to display ads, but you can buy a paid account to get rid of them (and also enable torrents downloading).
Download Free VPN and install it. If there are any dialog boxes prompting new driver installation, just click “Install”.
After installation, launch Free VPN and you can choose a “FREE” server to establish VPN connections.
If you have a paid account, please switch to “Account” tab first, type your account information in the box, and then you can choose  any “PAID” server to connect in the previous tab.

One More – proXPN

Apart from the popular free VPN services introduced above, here is a new one for our readers: proXPN – secure your internet connection instantly (that’s the tagline). All you need to do is register for a free account, then download, install and launch the client.
Oh, and proXPN is ad-free too! :)
So that was about free VPN services that let you hide your IP address and browse the web anonymously through an encrypted connection. These services can also be used, in fact should be used, when you are using a public Wi-Fi so that your internet usage remains secure and private.
Do you know of other such tools and methods to bypass internet censorship effectively? What VPN tools have you tried? Tell us in the comments.

Friday, March 25, 2011

Android Tricks

Mount a filesystem read-write

Very often when you want to write files to a particular partition on ADP1, you will get a "Permission Denied" if the partition is mounted read-only.
To get around this, you need to mount the partition read-write. Typically this is done with the /system partition:

adb shell
su
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system (or mount -o rw,remount,rw /system)

(Replace /dev/block/mtdblock3 & /system with appropriate device path and mount point, as obtained from cat /proc/mounts)


Moving Android cache to SD Card

Some Android devices, which have little internal memory, or whose cache area fills up with downloaded data and application data, will issue an “insufficient space” warning. A quick workaround is to move the device cache and/or application caches to the SD card.
It is assumed that the device is already rooted and that a way to run commands on the device is available, e.g. the “Terminal Emulator” app or Android ADB.
Basically, the idea is to create a cache folder on the SD card, remove the cache folder on internal memory, and then link the internal folder to the folder on the SD card so that SD card space is used.
To move the cache folder
umount /cache
mount -o rw,remount -t rootfs rootfs /
rmdir /cache
mkdir /sdcard/cache
ln -s /sdcard/cache /cache

Browser Cache
cd /data/data/com.android.browser/cache
rm -R webviewCache
mkdir /sdcard/cache/webviewCache
ln -s /sdcard/cache/webviewCache webviewCache

Google Maps
cd /data/data/com.google.android.apps.maps
rm -R files
mkdir -p /sdcard/cache/files/maps
ln -s /sdcard/cache/files/maps files

Google StreetView
cd /data/data/com.google.android.street
rm -R cache
mkdir /sdcard/cache/streetCache
ln -s /sdcard/cache/streetCache cache

Market Cache
cd /data/data/com.android.vending
rm -R cache
mkdir /sdcard/cache/marketCache
ln -s /sdcard/cache/marketCache cache

imeem Cache
cd /data/data/com.imeem.gynoid
rm -R cache
mkdir /sdcard/cache/imeemCache
ln -s /sdcard/cache/imeemCache cache

Tunewiki Cache
cd /data/data/com.tunewiki.lyricplayer.android/cache
rm -R webviewCache
mkdir /sdcard/cache/tunewikiCache
ln -s /sdcard/cache/tunewikiCache webviewCache

Steel Browser Cache
cd /data/data/com.kolbysoft.steel/cache
rm -R webviewCache
mkdir /sdcard/cache/steelCache
ln -s /sdcard/cache/steelCache webviewCache

OR
cd /data/data/com.kolbysoft.steel
mkdir cache
cd cache
mkdir /sdcard/cache/steelCache
ln -s /sdcard/cache/steelCache webviewCache

MeetMe Cache
cd /data/data/com.stylem.meetme
rm -R cache
mkdir /sdcard/cache/meetmeCache
ln -s /sdcard/cache/meetmeCache cache

MySpace
cd /data/data/com.myspace.android
mkdir -p /sdcard/cache/files/myspace
rm -R files
ln -s /sdcard/cache/files/myspace files

Gmail
cd /data/data/com.google.android.gm/cache
rm -R webviewCache
ln -s /sdcard/cache/webviewCache webviewCache

Voice Search
cd /data/data/com.google.android.voicesearch/cache
rm -R webviewCache
ln -s /sdcard/cache/webviewCache webviewCache

My Maps Editor
cd /data/data/com.google.android.apps.mymaps/cache
rm -R webviewCache
ln -s /sdcard/cache/webviewCache webviewCache

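Every per-app block above follows the same pattern: create a directory on the SD card, remove the internal cache directory, and symlink it. As an added example that is not part of the original post, the POSIX shell function below does that for one app with the checks the manual steps lack: it creates parent directories, keeps whatever the app had already cached, and can be re-run safely. The app directory, cache name and SD-card target are parameters (the example names are hypothetical) so it can be tried in a scratch directory before touching /data/data; keep in mind that anything relocated to /sdcard loses the app-private permissions of /data/data, because the SD card is readable by every app with storage access.

```shell
# relocate_cache: move one app's cache directory to the SD card and leave a
# symlink in its place (the pattern the post applies by hand per app).
#   $1  app data directory, e.g. /data/data/com.android.browser
#   $2  cache directory name inside it, e.g. cache or webviewCache
#   $3  target directory on the SD card, e.g. /sdcard/cache/browserCache
# Returns 0 on success, 1 on a bad argument or a failed mkdir/ln.
relocate_cache() {
    app_dir=$1; cache_name=$2; sd_target=$3
    [ -n "$app_dir" ] && [ -n "$cache_name" ] && [ -n "$sd_target" ] || return 1
    [ -d "$app_dir" ] || { echo "no such app directory: $app_dir" >&2; return 1; }
    src="$app_dir/$cache_name"
    # Already relocated to this target: nothing to do (safe to re-run).
    if [ -L "$src" ] && [ "$(readlink "$src")" = "$sd_target" ]; then
        return 0
    fi
    # -p creates parents, which a bare mkdir /sdcard/cache/files/x would not.
    mkdir -p "$sd_target" || return 1
    if [ -d "$src" ] && [ ! -L "$src" ]; then
        # Keep whatever the app already cached, then drop the internal copy.
        cp -R "$src"/. "$sd_target"/ 2>/dev/null || true
        rm -rf "$src"
    elif [ -e "$src" ]; then
        # A plain file or a symlink pointing elsewhere: remove it before linking.
        rm -f "$src"
    fi
    ln -s "$sd_target" "$src" || return 1
}
```

For example, the post's Market Cache step becomes: relocate_cache /data/data/com.android.vending cache /sdcard/cache/marketCache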
Credits:

Thanks to birdman81484 for imeem, Tunewiki, Steel Browser, MeetMe, MySpace