This shows you the differences between two versions of the page.
|
binaries [2011/08/29 13:01] |
binaries [2011/08/30 15:34] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | This is a collection of binaries running on the device. | ||
| + | This list also includes a rudimentary description of their functionality as far as we can judge. | ||
| + | We did not fully reverse them and just acquired basic knowledge required to understand the functionality of the device and implement our attacks. | ||
| + | Those binaries come from Ubiquisys (vendor) and not from SFR (operator). | ||
| + | |||
| + | ====== binaries ======= | ||
| + | |||
| + | **apm** | ||
| + | |||
| + | * performance measurements | ||
| + | |||
| + | **bqos** | ||
| + | |||
| + | * backhaul quality of service, submits bqos performance data via ftp | ||
| + | |||
| + | **cci** | ||
| + | |||
| + | * (common control interface?) db interface service | ||
| + | |||
| + | **dc** | ||
| + | |||
| + | * firmware check/download/recovery via web interface | ||
| + | |||
| + | **local_trace** | ||
| + | |||
| + | * receives on data on a trace socket, dumps to /tmp/local_trace.bin (not working for whatever reason) | ||
| + | * listens on 10010 udp and receives traces | ||
| + | |||
| + | **libosal.so** | ||
| + | |||
| + | * central shared library used by almost all system services | ||
| + | * provides message queue functionality for IPC | ||
| + | * provides functions for configuration parsing | ||
| + | * provides [[debug]] functionality | ||
| + | * it uses [[http://ndevilla.free.fr/iniparser/index.html|libiniparser]] ([[http://ndevilla.free.fr/iniparser/html/iniparser_8h.html|API]]) | ||
| + | * note : iniparser is also used by [[http://www.kamailio.org/w/|kamailio]] | ||
| + | * used to parse e.g. operator.ini | ||
| + | |||
| + | **gan** | ||
| + | |||
| + | * [[http://en.wikipedia.org/wiki/Generic_Access_Network|GAN]] client | ||
| + | * some interesting functions to hook: | ||
| + | * gac_cnv_sc_imsi_gac_imsi | ||
| + | * gan also receives location updating request information, might be interesting to hook as well => ganif_gac__dl_payload_xfr_hdlr maybe | ||
| + | * dump timsis | ||
| + | * ganif_sc_message_handler is _the_ huge message handling function, 105 case switch | ||
| + | |||
| + | **scapp** | ||
| + | * service control application | ||
| + | * using sqlite database | ||
| + | * also initiating factory recovery?! | ||
| + | |||
| + | |||
| + | **usim** | ||
| + | * sim controller program talking to the sim via serial port | ||
| + | * interesting note: can somehow interact with google maps (nlpp) | ||
| + | * we can get RES,Kc from this application via hooking dbg_trace here, called from run_3g_authentication | ||
| + | |||
| + | **tr069** | ||
| + | * [[http://en.wikipedia.org/wiki/TR-069|TR-069]] remote provisioning service | ||
| + | * used by the operator to push configuration updates to the device | ||
| + | * based on SOAP and XML | ||
| + | * copyright 1985, 1989 regents of the university of california. can we acquire the source somehow? | ||
| + | |||
| + | **srv** | ||
| + | * find out what http://ubiquisys.com/femto-intelligence is used for, srv is connecting via xmpp there | ||
| + | * looks like it features a jabber client | ||
| + | * http://www.ubiquisys.com/femtocell-technology-femtocell-intelligence | ||
| + | |||
| + | **sipc** | ||
| + | * complete sip client | ||
| + | * settings numbers for fire,marine,mountain emergency,ambulance, police... | ||
| + | * note: what is 192.168.50.169 as seen in the authentication code | ||
| + | * looks also responsible for rtp | ||
| + | |||
| + | **wsal** | ||
| + | * mini httpd with hardcoded cgi scripts, see [[html]] | ||
| + | * based on [[http://sourceforge.net/projects/shttpd/|shttpd]] | ||
| + | * contains stack-based buffer overflow in PUT processing, see [[remote_root|root exploit]] | ||
| + | |||
| + | **cci** | ||
| + | * soap client?! | ||
| + | |||
| + | **netc** | ||
| + | * responsible for network configuration: | ||
| + | * interfaces | ||
| + | * routes | ||
| + | * iptables rules | ||
| + | * ntp | ||
| + | * ... | ||
| + | |||
| + | **zapinit** | ||
| + | * Zone Access Point init | ||
| + | * central managing service for all other system binaries | ||
| + | * starts initial services as well as restarting crashed ones | ||
| + | |||
| + | ====== /dev/pico_sram ====== | ||
| + | the dc,usim,rs and zapinit binaries are mapping this and storing various information in it. valuable data | ||
| + | might be in there, we should look into this | ||
| + | |||