This is a collection of binaries running on the device. This list also includes a rudimentary description of their functionality as far as we can judge. We did not fully reverse them and just acquired basic knowledge required to understand the functionality of the device and implement our attacks. Those binaries come from Ubiquisys (vendor) and not from SFR (operator).
  • performance measurements


  • backhaul quality of service (bqos), submits bqos performance data via FTP


  • (common control interface?) db interface service


  • firmware check/download/recovery via web interface


  • receives data on a trace socket, dumps it to /tmp/local_trace.bin (not working for whatever reason)
  • listens on UDP port 10010 and receives traces

  • central shared library used by almost all system services
  • provides message queue functionality for IPC
  • provides functions for configuration parsing
  • provides debug functionality
  • it uses libiniparser (API)
  • note: iniparser is also used by kamailio
  • used to parse e.g. operator.ini


  • GAN client
  • some interesting functions to hook:
    • gac_cnv_sc_imsi_gac_imsi
    • GAN also receives location updating request information, which might be interesting to hook as well ⇒ ganif_gac__dl_payload_xfr_hdlr maybe
    • dump TMSIs
    • ganif_sc_message_handler is _the_ huge message handling function, a 105-case switch


  • service control application
  • using sqlite database
  • also initiating factory recovery?!


  • SIM controller program talking to the SIM via a serial port
  • interesting note: can somehow interact with Google Maps (nlpp)
  • we can get RES, Kc from this application by hooking dbg_trace here, called from run_3g_authentication


  • TR-069 remote provisioning service
  • used by the operator to push configuration updates to the device
  • based on SOAP and XML
  • copyright 1985, 1989 Regents of the University of California. Can we acquire the source somehow?



  • complete sip client
  • settings: numbers for fire, marine, mountain emergency, ambulance, police…
  • note: what is as seen in the authentication code
  • looks also responsible for RTP


  • mini httpd with hardcoded cgi scripts, see html
  • based on shttpd
  • contains a stack-based buffer overflow in PUT processing, see root exploit


  • soap client?!


  • responsible for network configuration:
    • interfaces
    • routes
    • iptables rules
    • ntp


  • Zone Access Point init
  • central managing service for all other system binaries
  • starts initial services as well as restarting crashed ones


The dc, usim, rs and zapinit binaries map this and store various information in it. Valuable data might be in there; we should look into this.

binaries.txt · Last modified: 2011/08/30 15:34 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported