Added old notes

asutoshpalai · asutoshpalai · commit 900bf092f996 · 2018-04-06T01:19:50.000+05:30
diff --git a/AC3633_v2.md b/AC3633_v2.md
@@ -0,0 +1,6 @@
+- Wifi disk access at
+  [http://192.168.1.1/sdindex.asp](http://192.168.1.1/sdindex.asp) is vulneable
+  for arbitrary read/write on any directory.
+- After logging in, visit [Wifi disk access](http://192.168.1.1/sdindex.asp).
+- Set BP on folder click.
+- run `sd_current_path = "/";initSDList(0);` in the console.
diff --git a/EC315.md b/EC315.md
@@ -0,0 +1,254 @@
+## Exractring UPDATA.APP from update setup
+- Downloaded the update setup
+- Loaded it with PE explorer
+- Extracted an _executable_ named UPDATEWIZARD\_130.exe from the Resource folder
+- Loaded that with PE explorer
+- Extracted a file named BIN\_250 from the Resource folder
+- Renamed BIN\_250 to UPDATA.APP
+
+## Extracting UPDATA.APP
+
+- Used [split\_update.pl](https://github.com/JoeyJiao/split_updata.pl) to extract files from UPDATA.APP
+
+```
+Unknown sequence: 00000100
+Extracted unknown_file.0 - CRC Okay
+Unknown sequence: 00001100
+Extracted unknown_file.1 - CRC Okay
+Unknown sequence: 00001300
+Extracted unknown_file.2 - CRC Okay
+Unknown sequence: 00000800
+Extracted unknown_file.3 - CRC Okay
+Unknown sequence: 00000900
+Extracted unknown_file.4 - CRC Okay
+```
+
+## Analysis of extracted files:
+
+### unknown\_file.0
+
+**Sequence:** 00000100
+**Size:** 464 bytes
+**Desc:** ATAGs msm partition table
+**Suggested Name:** partition.mbn
+
+Analysed using the tool described below in the links. The output is as follows:
+
+```
+Partition header:
+  MAGIC1: aa7d1b9a
+  MAGIC2: 1f7d48bc
+  Version: 3
+  Number of partitions: 8
+Partition table:
+  00: 0:MIBIB           offset=6        size=4        flags=feffffff
+  01: 0:OSBL            offset=768      size=256      flags=ffffffff
+  02: 0:OEMINFO         offset=4096     size=512      flags=ffffffff
+  03: 0:AMSS            offset=32256    size=2560     flags=ffffffff
+  04: 0:EFS2            offset=5760     size=640      flags=ffffffff
+  05: 0:DWNLOAD         offset=43520    size=2560     flags=ffffffff
+  06: 0:MMC             offset=8960     size=1280     flags=ffffffff
+  07: 0:FTL             offset=23040    size=2560     flags=ffff01ff
+```
+
+Links:
+  - [`roman-yepishev/acer-tools/msmptbl`](https://github.com/roman-yepishev/acer-tools/tree/master/msmptbl)
+
+### unknown\_file.1
+
+**Sequence:** 00001100
+**Size:** 38752 bytes (38K)
+**Desc:** Qualcomm SBL1 image / Device Boot Loader
+**Suggested Name:** dbl.mbn
+
+Analysed with binwalk as per an online ref[Notes about Qualcomm Secure Boot and
+Motorola High Assurance Boot
+(hab)](http://vm1.duckdns.org/Public/Qualcomm-Secure-Boot/Qualcomm-Secure-Boot.htm).
+
+It had 2 skip headers. The actual image was at offset 0x2000.
+
+Loaded with IDA Pro using loader plugin from
+[ralekdev/mbn\_ida\_loader](https://github.com/ralekdev/mbn_ida_loader/blob/master/mbn_ida_loader.py).
+The plugin didn't work directly because as noted in the ref mentioned above,
+with image type as `0x7D0B435A` it assumes that the image is at address
+`0x2800`. But actually, it is just a forward pointer. There were 3 headers.
+First 2 at 0, 0x800 respectively with image type as `0x7D0B435A`. The actual one
+was at 0x2000. The last one's type field had `0xFFFFFFFF`.
+
+Applied the following patch to make it work for this file:
+```patch
+diff --git a/mbn_ida_loader.py b/mbn_ida_loader.py
+index 095a7f0..c35dbe3 100644
+--- a/mbn_ida_loader.py
++++ b/mbn_ida_loader.py
+@@ -58,11 +58,22 @@ def load_file(li, neflags, format):
+ 
+     return 0
+ 
+-def load_file_sbl(li):
++def load_file_sbl(li, start = 0):
++
++    if dwordAt(li, start + 8) == 0x7D0B435A:
++        # The actual header is ahead
++        li.seek(start + 4)
++        s = li.read(4)
++        while len(s) > 0 and struct.unpack('<I', s)[0] != 0x844BDCD1:
++            s = li.read(4)
++        if len(s) > 0:
++            return load_file_sbl(li, li.tell() - 4)
++        return 0
+ 
+-    start = 0
+-    if dwordAt(li, 8) == 0x7D0B435A:
+-        start = 0x2800
++    if dwordAt(li, start) != 0x844BDCD1:
++        print "dword at {}: {}".format(hex(start), hex(dwordAt(li, start)))
++        print "Signature mismatch at expected start {}".format(hex(start))
++        return 0
+ 
+     image_source = dwordAt(li, start + 0x14)
+     image_dest = dwordAt(li, start + 0x18)
+```
+
+### unknown\_file.2
+
+**Sequence:** 00001300
+**Size:** 672072 bytes (657K)
+**Desc:** OS Boot Loader
+**Suggested Name:** osbl.mbn
+
+From the online ref about Secure Bootloader and HBA, one could guess that this
+file was High Assurance Boot (hab) file. The file structure matched the one
+given online, but the type `0x0000000b` as no where to be found. All the online
+refs pointed it to be `0x00000005`.
+
+It could be loaded into IDA Pro with the same loader file mentioned above.
+
+But later I found that I was mistaken in assuming it to be aboot.mdn (not that I
+know what aboot is ;) ). As I learned from an [online form](For http://forum.gsmhosting.com/vbb/f804/huawei-modem-universal-flasher-1495518/index23.html#post9851968) it is actually osbl.mbm
+
+```
+$ strings unknown_file.2 | grep target
+E:\baiyunting\11.102.99.60.00\core\boot\amssboot\target\qsc6695\src\boot_shared_progressive_boot_block.c
+E:\baiyunting\11.102.99.60.00\core\boot\secboot2\osbl\target\qsc6695\src\osbl_stubs.c
+```
+
+### unknown\_file.3
+
+**Sequence:** 00000800
+**Size:** 19005440 bytes (19M)
+**Desc:** Qualcomm's operating system
+**Suggested Name:** amss.mbn
+
+Upon further research it turned out to be `amss.mbn`. (Searched strings on
+google and found https://pastebin.com/NcGy8Fr7)
+
+```
+  $ strings unknown_file.2 | grep target
+  E:\baiyunting\11.102.99.60.00\core\boot\amssboot\target\qsc6695\src\boot_shared_progressive_boot_block.c
+  E:\baiyunting\11.102.99.60.00\core\boot\secboot2\osbl\target\qsc6695\src\osbl_stubs.c
+```
+
+AMSS stands for Advanced Mobile Subscriber Software (Qualcomm's operating
+system). Ref: [Mobile Devices: Tools and
+Technologies](https://books.google.co.in/books?id=lky3BgAAQBAJ&pg=PA47&lpg=PA47&dq=full+form+amss+firmware&source=bl&ots=LOj8slD2l1&sig=FwadyTImv2zKOSRFUA9yI6DkmSg&hl=en&sa=X&ved=0ahUKEwje7-mP_e3VAhUKso8KHVrrDTgQ6AEIVjAI#v=onepage&q=full%20form%20amss%20firmware&f=false)
+
+### unknown\_file.4
+
+**Sequence:** 00000900
+**Size:** 284672 bytes (278K)
+**Desc:** EFS2 File system
+**Suggested Name:** efs2.mbn
+
+Upon analysis of amss.mbn as ARM ELF file, the magic bytes for this, `87 67 85
+34 59 77 34 92` (0x34856787, 0x92347759) was found in a function which was being
+called (after a series of intermediate functions) from a function which referred
+to the string "EFS2". So, I guess this is our best bet.
+
+## USB connection attempt:
+
+- Pluging in, `lsusb` read:
+
+  `Bus 003 Device 014: ID 12d1:1f01 Huawei Technologies Co., Ltd. E353/E3131 (Mass storage mode)`
+
+- Installed `usb_modeswitch`. It added the necessary udev rules.
+
+  The switched interface looked to be:
+  `Bus 003 Device 011: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131` 
+
+- This is usb ethernet mode.
+
+- Seems like not switching to serial mode and switching to ethernet mode is a
+  known issue.
+
+- Was able to switch to serial mode, thanks to discussion an online discussion
+  for [Huawei E353](http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?p=8651#p8651)
+
+  - Disabled udev rule for `12d1` (Generic Huawei device).
+
+  - Executed command 
+
+    sudo usb_modeswitch -v 0x12d1 -p 0x1f01 -M "55534243123456780000000000000011060000000000000000000000000000"
+
+- Now it detects two `ttyUSB` devices:
+
+  ```
+  --- Available ports:
+  ---  1: /dev/ttyUSB0         HUAWEI Mobile
+  ---  2: /dev/ttyUSB1         HUAWEI Mobile
+  ```
+- Was able to send AT commands using `/dev/ttyUSB0`: `sudo socat -
+  /dev/ttyUSB0`. Tried some ref commands from
+  [https://routerunlock.com/useful-at-commands-for-huawei-modem/](https://routerunlock.com/useful-at-commands-for-huawei-modem/)
+  and [Hacking the Huawei
+  E589](https://forum.xda-developers.com/showpost.php?p=44389917&postcount=2)
+
+- Found an offical doc, [HUAWEI ME906s LTE Module AT Command Interface Specification-%28V100R001_01%2C English%29.pdf](http://download-c.huawei.com/download/downloadCenter?downloadId=51047&version=120450&siteCode)
+
+- Switched `/dev/ttyUSB0` to QCDM with `AT$QCDMG` AT command. Later found that
+  /dev/ttyUSB1 was in 
+
+- Tested QCDM with qcdm.pl obtained from [huawei.git by Dobrica Pavlinusic](http://git.rot13.org/?p=huawei.git;a=summary)
+
+- Sending diag commands for peek returns packets starting with 0x13
+  (`DIAG_BAD_CMD_F`).
+  Found a call to `diagpkt_err_rsp` with 0x13 at `0x08176846`, `0x0812ED20`, `0812EC8E`, `0812EBFE`, `0812EB42`, `0812E91A`, `0809E166`, `0809E14C`, `0809DE94`, `0809DE76`
+
+
+## Analysis of amss.mbn
+
+- Loaded into IDA as an ARM ELF file.
+- Tried Snowman for decompling, didn't work as it doesn't support THUMB
+  instruction set.
+- Looked for AT command strings and tried to reverse the functions.
+- Searched for the magic string for the 5th unknown file,
+  `87 67 85 34 59 77 34 92`. Got two hits at 
+
+    - 0x0055C054  DCD 0x34856787
+    - 0x00733AF4  DCD 0x34856787
+
+  Both the locations had the second half of the magic bits.
+
+  At the hit at 0x0055C054 the magic bits were being assigned to something. The
+  trail of `xrefs from` went down a dead end.
+
+  The hit at 0x00733AF4 was being referred by function (present just above),
+  beginning at 0x00733A5C. It was verifying the magic bytes from a buffer.
+  Following the trail of `xref from` lead me to a function at 0x00364420 which
+  had the reference to the string "EFS2".  Interesting. So, I guess that the last
+  unknown file is a EFS2 file system.
+
+- [SMD (Shared Memory Device)](https://osmocom.org/projects/quectel-modems/wiki/Qualcomm_Linux_SMD)
+
+- OSA is a cooperative multitasking real-time operating system (RTOS) for Microchip PIC-controllers.
+
+- searching for `websdk` gave interesting results 
+- same goes for `ipwebs`
+  A lot of functions can be identified using the log messages.
+- A memory map was found resembling the found at page 66 of [Mobile Data modem user guide](https://electronix.ru/forum/index.php?act=Attach&type=post&id=102723)
+- Got peek into qualcomm source code files for the first time at [huawei.git by Dobrica Pavlinusic](http://git.rot13.org/?p=huawei.git;a=summary) inside the AMSS folder.
+
+# Known issues
+
+-  webserver\_get\_time() does not closes the xml file in case of get\_childnode
+   failes
diff --git a/EC315_research.md b/EC315_research.md
@@ -0,0 +1,58 @@
+- https://pastebin.com/NcGy8Fr7
+- https://androidforums.com/threads/virgin-mobile-sprint-help-qualcomm-hs-usb-qdloader-9008.869613/
+
+  ```
+  dbl.mbn - Device Boot Loader
+  osbl.mbn - OS Boot Loader
+  partition.mbn - MBR sector
+  ```
+
+- For http://forum.gsmhosting.com/vbb/f804/huawei-modem-universal-flasher-1495518/index23.html#post9851968
+
+  ```
+  Rename extracted firmware parts as follows:
+  01.bin -> partition.mbn;
+  02.bin -> dbl.mbn;
+  03.bin -> osbl.mbn;
+  04.bin -> amss.mbn;
+  05.bin -> dsp1.mbn;
+  06.bin -> dsp2.mbn.
+  ```
+
+- [Reverse Engineering Android's Aboot](http://www.newandroidbook.com/Articles/aboot.html)
+
+```
+morpheus@Forge (~/S5/)% od -A d -t x4 aboot |head -5
+                 Magic             Version             NULL            ImgBase
+0000000          00000005          00000003          00000000          0f800000
+                 ImgSize           CodeSize      ImgBase+CodeSize      SigSize
+0000020          00107e24          000fed24          0f8fed24          00000100
+         ImgBase+CodeSize+SigSize    Certs
+0000040          0f8fee24          00009000          ea000006          ea005487
+0000048          ea00548d          ea005493          ea005499          ea00549f
+0000064          ea00549f          ea0054b6          ee110f10          e3c00a0b
+```
+
+- http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html
+- http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html
+- https://askubuntu.com/questions/634180/minicom-status-stays-offline
+- [Reverse engineering a Qualcomm baseband](https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf)
+
+  Recomends to use `AT$QCDMG` to enable diag mode
+- https://forum.xda-developers.com/showthread.php?t=2396752
+- [QC BQS Firmware Analyzer - learnt about efs2 magic stings](http://forum.modopo.com/diskussionen-rund-ums-modding/t-19197-qc-bqs-firmware-analyzer/page44.html#post189000)
+
+- [Res OS] (https://en.wikipedia.org/wiki/REX_OS)
+- [osa  files from another device](http://www.pudn.com/Download/item/id/1019687.html)
+- [osa homepage](http://wiki.pic24.ru/doku.php/en/osa/ref/introduction/intro#what_is_osa)
+- [osa\_semaphore.h](https://github.com/bushuhui/pi-slic/blob/master/Thirdparty/PIL/src/base/osa/osa_semaphore.h)
+- [wpscli source (probably leaked)](https://github.com/elenril/VMG1312-B/blob/master/bcmdrivers/broadcom/net/wl/impl10/wps/wpscli/linux/wpscli_wlan.c)
+- [CBW and USBC explanantion](https://books.google.co.in/books?id=zSv3BwAAQBAJ&pg=PA357&lpg=PA357&dq=CBW+usbc&source=bl&ots=74N3yJ4wK8&sig=vrZE6pc0CYeD_l2cp1lMuYbIrlQ&hl=en&sa=X&ved=0ahUKEwi0mcT04v_VAhWKPY8KHXRUDn0Q6AEIOjAE#v=onepage&q=CBW%20usbc&f=false)
+- [ Android/HTC/Vision/BootProcess – TJworld : Really detailed explanation of boot process](http://tjworld.net/wiki/Android/HTC/Vision/BootProcess)
+- [Mobile Data modem user guide](https://electronix.ru/forum/index.php?act=Attach&type=post&id=102723)
+- [](https://blogs.gnome.org/dcbw/2010/04/15/mobile-broadband-and-qualcomm-proprietary-protocols/)
+- [rtf file with links to some usefull codes](https://saturn.ffzg.hr/rot13/index.cgi/asterisk_gsm.rtf?action=rtf_export;page_selected=asterisk_gsm)
+- [some more qualcomm source
+  codes](https://github.com/Bigcountry907/HTC_a13_vzw_Kernel/tree/master/vendor/qcom/proprietary)
+  and [some more](https://v2.pikacode.com/jsr-d10/qcom_msm8626_adsp_proc/raw/ae282f66e175a6a585b5f9b9daade693b9f736ef/core/api/services/diagpkt.h)
+- [DIAG protocol description](https://books.google.co.in/books?id=lky3BgAAQBAJ&pg=PA46&lpg=PA46&dq=qualcomm+diag+mode+dump+memory&source=bl&ots=LOj9plB5jZ&sig=rkEUC-gY782oHae8g6_3DFM3kNI&hl=en&sa=X&ved=0ahUKEwjgj7CzpoLWAhVJvI8KHSyeDGwQ6AEIMzAB#v=onepage&q=qualcomm%20diag%20mode%20dump%20memory&f=false)
diff --git a/android_wlan.md b/android_wlan.md
@@ -0,0 +1,36 @@
+# Context
+- Checking out the wlan firmware of my device Moto G5 Plus (potter)
+
+# Research
+- Found the vendor firmwares files at
+  [https://github.com/boulzordev/android_vendor_motorola_potter](https://github.com/boulzordev/android_vendor_motorola_potter)
+- Found the wlan firmware at path
+  [`proprietary/etc/firmware/wlan/prima`](https://github.com/boulzordev/android_vendor_motorola_potter/tree/lineage-15.1-64/proprietary/etc/firmware/wlan/prima)
+- Searching for "android wlabn firmware load address" I found a issue for
+  ["wlan-prima (wireless module) and
+  wcnss-service"](https://github.com/postmarketOS/pmbootstrap/issues/373).
+  Prima-wlan, match match!
+  ```
+  This is how it works:
+
+  The wlan-prima kernel module is loaded
+  wlan-prima tries to load the firmware (multiple files) (will be solved in issue #147)
+  wcnss-service initializes the wireless interface
+  ```
+- Had the link for [wlan-prima source code](https://github.com/t2m-foxfone/android_platform_vendor_qcom-opensource_wlan_prima), but I also found it ini
+[andoid kernel
+tree](https://android.googlesource.com/kernel/msm/+/android-msm-mako-3.4-jb-mr1/drivers/staging/prima/). I used the former source. I also found similar code base for [android 8.1](://android.googlesource.com/kernel/msm/+/android-8.1.0_r0.9/drivers/staging/qcacld-2.0/), but it was a very different versoin and prelim search didn't reveal where the nv file was being loaded.
+- Searching for "wlan_prima firmware load address", I found error messages
+  "wcn36xx smd:riva@6:wcnss:wifi: loading
+  /system/vendor/firmware/wlan/prima/WCNSS_qcom_wlan_nv.bin failed with
+  error -13" and "wlan: [1006:F :VOS] vos_open: Failed to initialize the NV 
+  module". The later was intresting because I saw VOS logging in the source
+  code.
+- Searching for the string landed me at vos_open in `CORE/VOSS/src/vos_api.c`.
+- I called `vos_nv_open` in `vos_nvitem.c`.
+- It loads `WLAN_NV_FILE` which points to our firmware file.
+- It checks for magic number at 3rd and 4th byte `CAFEBABE` which is present in
+  the firmware files.
+- The first and second bytes are called "mask", didn't find any use of that in
+  the code.
+- The qcom nv files are arranged in form of streams.
