binaries (wiki page, version 2011/08/30 17:34, current; previous version 2011/08/29 15:01)
This is a list of the binaries running on the device.
The list also includes a rudimentary description of their functionality, as far as we can judge.
We did not fully reverse them; we only acquired the basic knowledge required to understand how the device works and to implement our attacks.
These binaries come from Ubiquisys (the vendor), not from SFR (the operator).
+ | |||
+ | ====== binaries ======= | ||
+ | |||
**apm**

  * performance measurements

**bqos**

  * backhaul quality of service; submits bqos performance data via FTP

**cci**

  * (common control interface?) database interface service

**dc**

  * firmware check/download/recovery via the web interface

**local_trace**

  * receives data on a trace socket and dumps it to /tmp/local_trace.bin (not working, for whatever reason)
  * listens on UDP port 10010 and receives traces

**libosal.so**

  * central shared library used by almost all system services
  * provides message queue functionality for IPC
  * provides functions for configuration parsing
  * provides [[debug]] functionality
  * uses [[http://ndevilla.free.fr/iniparser/index.html|libiniparser]] ([[http://ndevilla.free.fr/iniparser/html/iniparser_8h.html|API]])
    * note: iniparser is also used by [[http://www.kamailio.org/w/|kamailio]]
    * used to parse e.g. operator.ini
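
An added example, not code from this wiki or from libosal/libiniparser: a minimal C reader for an operator.ini-style file that addresses entries the way libiniparser's iniparser_getstring() does, as "section:key" with case-insensitive names and surrounding double quotes stripped from values. The sample file contents, the key names and all helper names are constructed for illustration; the device's real operator.ini is not on this page.

```c
/* Added example (not from the wiki or from libosal/libiniparser): a minimal
 * reader for operator.ini-style files. Entries are addressed as "section:key",
 * case-insensitively, which is how libiniparser's iniparser_getstring() works.
 * The sample file below is constructed; the real operator.ini is not on the page. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define MAX_STR 128

struct ini_entry { char key[MAX_STR]; char value[MAX_STR]; };
struct ini { struct ini_entry e[MAX_ENTRIES]; size_t n; };

/* Strip leading and trailing whitespace in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

static void lower(char *s)
{
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* Parse ini text into `ini`. Returns the number of entries, or -1 on an
 * overlong line, a section header without ']' or a line without '='. */
static int ini_parse(const char *text, struct ini *ini)
{
    char line[2 * MAX_STR], section[MAX_STR] = "";
    const char *p = text;
    ini->n = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (nl ? 1 : 0);

        char *s = trim(line);
        if (*s == '\0' || *s == ';' || *s == '#') continue;   /* blank or comment */
        if (*s == '[') {                                       /* [section] */
            char *close = strchr(s, ']');
            if (!close) return -1;
            *close = '\0';
            snprintf(section, sizeof section, "%s", trim(s + 1));
            lower(section);
            continue;
        }
        char *eq = strchr(s, '=');                             /* key = value */
        if (!eq) return -1;
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        lower(key);
        size_t vl = strlen(val);                               /* drop "quotes" */
        if (vl >= 2 && val[0] == '"' && val[vl - 1] == '"') {
            val[vl - 1] = '\0';
            val++;
        }
        if (ini->n >= MAX_ENTRIES) return -1;
        snprintf(ini->e[ini->n].key, MAX_STR, "%s:%s", section, key);
        snprintf(ini->e[ini->n].value, MAX_STR, "%s", val);
        ini->n++;
    }
    return (int)ini->n;
}

/* Look up "section:key" (any case); return `def` when the key is absent. */
static const char *ini_get(const struct ini *ini, const char *key, const char *def)
{
    char k[MAX_STR];
    snprintf(k, sizeof k, "%s", key);
    lower(k);
    for (size_t i = 0; i < ini->n; i++)
        if (strcmp(ini->e[i].key, k) == 0) return ini->e[i].value;
    return def;
}

/* Constructed sample in the style of an operator configuration file. */
static const char sample_operator_ini[] =
    "; constructed sample, not the device's real operator.ini\n"
    "[Operator]\n"
    "Name = ExampleOperator\n"
    "MCC = 001\n"
    "MNC = 01\n"
    "\n"
    "[Backhaul]\n"
    "bqos_ftp_server = \"ftp.example.invalid\"\n"
    "trace_port = 10010\n";

static struct ini g_ini;

/* Parse the sample into g_ini; returns the entry count (5 for the sample). */
static int load_sample(void)
{
    return ini_parse(sample_operator_ini, &g_ini);
}

int main(void)
{
    if (load_sample() < 0) return 1;
    printf("operator name: %s\n", ini_get(&g_ini, "Operator:Name", "?"));
    printf("trace port: %s\n", ini_get(&g_ini, "backhaul:trace_port", "?"));
    return 0;
}
```

The parser rejects malformed lines instead of skipping them, so a truncated or tampered configuration fails loudly rather than silently dropping a setting; when reading a config pulled off the device, compare the entry count against what you expect before trusting any lookup.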
+ | |||
+ | **gan** | ||
+ | |||
+ | * [[http://en.wikipedia.org/wiki/Generic_Access_Network|GAN]] client | ||
+ | * some interesting functions to hook: | ||
+ | * gac_cnv_sc_imsi_gac_imsi | ||
+ | * gan also receives location updating request information, might be interesting to hook as well => ganif_gac__dl_payload_xfr_hdlr maybe | ||
+ | * dump timsis | ||
+ | * ganif_sc_message_handler is _the_ huge message handling function, 105 case switch | ||
+ | |||
+ | **scapp** | ||
+ | * service control application | ||
+ | * using sqlite database | ||
+ | * also initiating factory recovery?! | ||
+ | |||
+ | |||
+ | **usim** | ||
+ | * sim controller program talking to the sim via serial port | ||
+ | * interesting note: can somehow interact with google maps (nlpp) | ||
+ | * we can get RES,Kc from this application via hooking dbg_trace here, called from run_3g_authentication | ||
+ | |||
+ | **tr069** | ||
+ | * [[http://en.wikipedia.org/wiki/TR-069|TR-069]] remote provisioning service | ||
+ | * used by the operator to push configuration updates to the device | ||
+ | * based on SOAP and XML | ||
+ | * copyright 1985, 1989 regents of the university of california. can we acquire the source somehow? | ||
+ | |||
+ | **srv** | ||
+ | * find out what http://ubiquisys.com/femto-intelligence is used for, srv is connecting via xmpp there | ||
+ | * looks like it features a jabber client | ||
+ | * http://www.ubiquisys.com/femtocell-technology-femtocell-intelligence | ||
+ | |||
+ | **sipc** | ||
+ | * complete sip client | ||
+ | * settings numbers for fire,marine,mountain emergency,ambulance, police... | ||
+ | * note: what is 192.168.50.169 as seen in the authentication code | ||
+ | * looks also responsible for rtp | ||
+ | |||
+ | **wsal** | ||
+ | * mini httpd with hardcoded cgi scripts, see [[html]] | ||
+ | * based on [[http://sourceforge.net/projects/shttpd/|shttpd]] | ||
+ | * contains stack-based buffer overflow in PUT processing, see [[remote_root|root exploit]] | ||
+ | |||
+ | **cci** | ||
+ | * soap client?! | ||
+ | |||
+ | **netc** | ||
+ | * responsible for network configuration: | ||
+ | * interfaces | ||
+ | * routes | ||
+ | * iptables rules | ||
+ | * ntp | ||
+ | * ... | ||
+ | |||
+ | **zapinit** | ||
+ | * Zone Access Point init | ||
+ | * central managing service for all other system binaries | ||
+ | * starts initial services as well as restarting crashed ones | ||
+ | |||
====== /dev/pico_sram ======

The dc, usim, rs and zapinit binaries map this device and store various information in it. Valuable data might be in there; we should look into this.
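
An added example, not from this wiki: C code that copies out a region of a device node such as /dev/pico_sram the same way its users do (mmap, with a read() fallback for drivers that do not support mapping) and lists the printable strings in it, which is the first thing to do to see whether anything valuable is stored there. The region length, the sample bytes, the self-test file name under /tmp and all function names are assumptions; the real device's size and mmap support are unknown, so the length must be one the driver accepts.

```c
/* Added example (not from the wiki): copy out a region of a device node such as
 * /dev/pico_sram and list the printable strings in it. The region length, the
 * sample bytes and the self-test file name are assumptions; the real device's
 * size and mmap support are unknown. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy `len` bytes of `path` into `out`. Tries mmap() first (what the device's
 * own binaries do), falling back to read() for drivers without mmap support.
 * For a regular file the length is clamped to the file size so mapping past
 * the end cannot fault. Returns the number of bytes copied, or -1 on error. */
static long read_region(const char *path, size_t len, unsigned char *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (size_t)st.st_size < len)
        len = (size_t)st.st_size;
    long got = -1;
    void *p = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (p != MAP_FAILED) {
        memcpy(out, p, len);
        munmap(p, len);
        got = (long)len;
    } else {
        ssize_t n = read(fd, out, len);
        if (n >= 0) got = (long)n;
    }
    close(fd);
    return got;
}

/* Find runs of at least `minlen` printable ASCII bytes, like strings(1).
 * Returns the number of runs; each run is also passed to `cb` when non-NULL. */
static size_t find_strings(const unsigned char *buf, size_t len, size_t minlen,
                           void (*cb)(const char *s, size_t off))
{
    size_t count = 0, start = 0;
    char tmp[256];
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] >= 0x20 && buf[i] < 0x7f) continue;
        size_t run = i - start;            /* a non-printable byte (or the end) closes a run */
        if (run >= minlen) {
            count++;
            if (cb) {
                size_t n = run < sizeof tmp - 1 ? run : sizeof tmp - 1;
                memcpy(tmp, buf + start, n);
                tmp[n] = '\0';
                cb(tmp, start);
            }
        }
        start = i + 1;
    }
    return count;
}

/* Constructed 64-byte stand-in for the device's contents: two strings of four
 * or more printable characters, one shorter run, and zero padding. */
static const unsigned char sample_region[64] = {
    'I','M','S','I','=','0','0','1','0','1', 0,0,0,0,0,0,
    0x01,0x02,'A','B','C',0xff,0,0, 's','e','r','i','a','l','0','1',
    /* remaining 32 bytes are zero */
};

/* Write the sample to `path` so read_region() can be exercised on a file. */
static int write_sample_file(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(sample_region, 1, sizeof sample_region, f);
    return fclose(f) == 0 && w == sizeof sample_region ? 0 : -1;
}

/* Returns 1 when the region read from `path` equals the sample, else 0. */
static int region_matches_sample(const char *path)
{
    unsigned char buf[sizeof sample_region];
    long n = read_region(path, sizeof buf, buf);
    return n == (long)sizeof buf && memcmp(buf, sample_region, sizeof buf) == 0;
}

static void print_hit(const char *s, size_t off)
{
    printf("%08zx  %s\n", off, s);
}

int main(int argc, char **argv)
{
    /* Real use: ./dump /dev/pico_sram <length>; without arguments it runs on the sample. */
    unsigned char buf[4096];
    size_t len = sizeof sample_region;
    const char *path = "/tmp/pico_sram_sample.bin";
    if (argc >= 3) { path = argv[1]; len = (size_t)strtoul(argv[2], NULL, 0); }
    else if (write_sample_file(path) != 0) return 1;
    if (len > sizeof buf) len = sizeof buf;
    long n = read_region(path, len, buf);
    if (n < 0) { perror(path); return 1; }
    printf("%ld printable strings\n", (long)find_strings(buf, (size_t)n, 4, print_hit));
    return 0;
}
```

Run it twice on the device, before and after triggering a 3G authentication or a TR-069 session, and diff the two dumps: anything that changes is state one of the mapping binaries writes, which narrows down where to look for keys or identifiers.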
+ | |||