binaries [2011/08/29 13:01]
binaries [2011/08/30 15:34] (current)
This is a collection of the binaries running on the device, with a rudimentary description of what each one does, as far as we can judge.
We did not fully reverse them; we only acquired the basic knowledge needed to understand how the device works and to implement our attacks.
These binaries come from Ubiquisys (the vendor), not from SFR (the operator).

====== binaries ======

**apm**

  * performance measurements

**bqos**

  * backhaul quality of service; submits bqos performance data via FTP

**cci**

  * (common control interface?) database interface service

**dc**

  * firmware check/download/recovery via the web interface

**local_trace**

  * receives trace data on a trace socket and dumps it to /tmp/local_trace.bin (not working, for whatever reason)
  * listens on UDP port 10010 and receives traces there

**libosal.so**

  * central shared library used by almost all system services
  * provides message queue functionality for IPC
  * provides functions for configuration parsing
  * provides [[debug]] functionality
  * uses [[http://ndevilla.free.fr/iniparser/index.html|libiniparser]] ([[http://ndevilla.free.fr/iniparser/html/iniparser_8h.html|API]]) for that parsing
  * note: iniparser is also used by [[http://www.kamailio.org/w/|kamailio]]
  * used to parse e.g. operator.ini

**gan**

  * [[http://en.wikipedia.org/wiki/Generic_Access_Network|GAN]] client
  * some interesting functions to hook:
    * gac_cnv_sc_imsi_gac_imsi
    * gan also receives location updating request information, which might be interesting to hook as well; ganif_gac__dl_payload_xfr_hdlr, maybe
    * dump TMSIs
    * ganif_sc_message_handler is _the_ huge message handling function: a switch with 105 cases

**scapp**

  * service control application
  * uses an sqlite database
  * also initiates factory recovery?!

**usim**

  * SIM controller program talking to the SIM via a serial port
  * interesting note: can somehow interact with Google Maps (nlpp)
  * we can get RES and Kc out of this application by hooking dbg_trace, which is called from run_3g_authentication

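The hooking mentioned for gan above and for usim here is most simply done with an LD_PRELOAD shim, provided the binaries are dynamically linked against libosal.so and reach dbg_trace through the PLT. The following is an added example, not code from this page or from Ubiquisys. It assumes that dbg_trace is printf-like and that the trace emitted from run_3g_authentication contains "RES=" and "Kc=" tokens (both are assumptions to be checked against one real trace line), and it also interposes iniparser_getstring so that every operator.ini key libosal looks up is logged.

```c
/*
 * hook.c: LD_PRELOAD shim for the libosal.so entry points worth watching.
 * Added example, not Ubiquisys code. ASSUMED: usim/gan are dynamically
 * linked and reach dbg_trace()/iniparser_getstring() through the PLT, and
 * dbg_trace() is printf-like. Build for the target CPU and preload it:
 *   $CC -shared -fPIC -o hook.so hook.c -ldl
 *   LD_PRELOAD=/tmp/hook.so ./usim
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)  /* glibc/musl value, in case _GNU_SOURCE was seen too late */
#endif

static char last_line[768];       /* most recent line the shim logged */

static void hook_log(const char *line)
{
    snprintf(last_line, sizeof last_line, "%s", line);
    fprintf(stderr, "[hook] %s\n", line);
}

const char *hook_last(void) { return last_line; }

/* Copy a run of hex digits from src into dst, NUL-terminated. */
static void copy_hex(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    while (i + 1 < dstlen && isxdigit((unsigned char)src[i])) {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/*
 * Pull "RES=<hex>" and "Kc=<hex>" out of a formatted trace line; returns how
 * many of the two were present. The token names are an ASSUMPTION about what
 * run_3g_authentication() hands to dbg_trace(): read one real trace first.
 */
int extract_auth_tokens(const char *msg, char *res, size_t reslen, char *kc, size_t kclen)
{
    int found = 0;
    const char *p;
    res[0] = kc[0] = '\0';
    if ((p = strstr(msg, "RES=")) != NULL) { copy_hex(p + 4, res, reslen); found++; }
    if ((p = strstr(msg, "Kc=")) != NULL)  { copy_hex(p + 3, kc, kclen);   found++; }
    return found;
}

/* dbg_trace() from libosal.so; the printf-like signature is ASSUMED. */
typedef void (*dbg_trace_fn)(const char *fmt, ...);

void dbg_trace(const char *fmt, ...)
{
    static dbg_trace_fn real;
    char msg[512], res[65], kc[33], line[768];
    va_list ap;

    if (!real)
        real = (dbg_trace_fn)dlsym(RTLD_NEXT, "dbg_trace");
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);

    if (extract_auth_tokens(msg, res, sizeof res, kc, sizeof kc) > 0) {
        snprintf(line, sizeof line, "auth RES=%s Kc=%s <- %s", res, kc, msg);
        hook_log(line);
    }
    if (real)                     /* pass the already formatted text on */
        real("%s", msg);
}

/* iniparser_getstring() as libosal.so calls it for operator.ini; the
 * dictionary pointer is opaque here. Logs every key the service asks for. */
typedef const char *(*getstring_fn)(const void *, const char *, const char *);

const char *iniparser_getstring(const void *d, const char *key, const char *def)
{
    static getstring_fn real;
    const char *val;
    char line[640];

    if (!real)
        real = (getstring_fn)dlsym(RTLD_NEXT, "iniparser_getstring");
    val = real ? real(d, key, def) : def;   /* no real library present: behave like a miss */
    snprintf(line, sizeof line, "ini %s -> %s", key, val ? val : "(null)");
    hook_log(line);
    return val;
}
```

Cross-compile it for the femtocell's CPU, copy hook.so somewhere writable and start usim with LD_PRELOAD pointing at it; Kc and RES then show up on stderr as soon as run_3g_authentication traces them. When no libosal.so is in the process (building this on a workstation, for instance) dlsym returns NULL and the shim only logs. If the binaries turn out to be statically linked, LD_PRELOAD cannot interpose anything and a breakpoint on dbg_trace under gdbserver, or patching the call site, is the fallback.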
**tr069**

  * [[http://en.wikipedia.org/wiki/TR-069|TR-069]] remote provisioning service
  * used by the operator to push configuration updates to the device
  * based on SOAP and XML
  * carries a copyright notice "1985, 1989 Regents of the University of California"; can we acquire the source somehow?

**srv**

  * find out what http://ubiquisys.com/femto-intelligence is used for; srv connects there via XMPP
  * looks like it features a Jabber client
  * http://www.ubiquisys.com/femtocell-technology-femtocell-intelligence

**sipc**

  * complete SIP client
  * settings include numbers for fire, marine and mountain emergency, ambulance, police, ...
  * note: what is 192.168.50.169, as seen in the authentication code?
  * also looks responsible for RTP

**wsal**

  * mini httpd with hardcoded CGI scripts, see [[html]]
  * based on [[http://sourceforge.net/projects/shttpd/|shttpd]]
  * contains a stack-based buffer overflow in PUT processing, see [[remote_root|root exploit]]

**cci**

  * SOAP client?! (see also the cci entry above)

**netc**

  * responsible for network configuration:
    * interfaces
    * routes
    * iptables rules
    * ntp
    * ...

**zapinit**

  * Zone Access Point init
  * central managing service for all other system binaries
  * starts the initial services and restarts crashed ones

====== /dev/pico_sram ======

The dc, usim, rs and zapinit binaries map this device and store various information in it. Valuable data might be in there; we should look into this.

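A first step for looking into it, as an added example that is not part of this page or of the firmware: map a chosen number of bytes of the device read-only, write them to a file, and list the printable runs in the copy, which is the quickest triage for whatever the four binaries keep there. Assumptions: the node supports mmap() (the binaries map it, so it should), and the length has to be supplied on the command line because fstat() on a character device reports size 0. The sample used by the self-test function is constructed.

```c
/*
 * pico_sram_dump.c: copy a region of /dev/pico_sram to a file and list the
 * printable strings in it. Added example, not from the page or the firmware.
 * ASSUMED: the node supports mmap() (dc/usim/rs/zapinit map it) and you know
 * or guess the length; fstat() on a char device reports size 0, so it is an
 * argument. Usage: ./pico_sram_dump /dev/pico_sram 0x10000 /tmp/pico_sram.bin
 */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map len bytes of path read-only and write them to out. Returns bytes written or -1. */
long dump_region(const char *path, size_t len, const char *out)
{
    long n = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    void *base = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (base != MAP_FAILED) {
        FILE *o = fopen(out, "wb");
        if (o) {
            n = (long)fwrite(base, 1, len, o);
            fclose(o);
        }
        munmap(base, len);
    }
    close(fd);
    return n;
}

/* Minimal strings(1): count runs of at least minlen printable bytes, printing each to out if out != NULL. */
size_t find_strings(const unsigned char *buf, size_t len, size_t minlen, FILE *out)
{
    size_t count = 0, start = 0, i;
    for (i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                       /* still inside a printable run */
        if (i - start >= minlen) {
            count++;
            if (out)
                fprintf(out, "%08zx: %.*s\n", start, (int)(i - start), (const char *)buf + start);
        }
        start = i + 1;
    }
    return count;
}

/* The same two steps over a CONSTRUCTED sample file instead of the real device,
 * so the tool can be exercised offline. Returns the number of strings found, or -1. */
long selftest_on_constructed_sample(void)
{
    static const unsigned char sample[] = "operator=test\0\x01\x02\x03serial-0001\0\xff\xfe";
    char src[] = "/tmp/pico_sram_srcXXXXXX", dst[] = "/tmp/pico_sram_dstXXXXXX";
    unsigned char back[sizeof sample];
    size_t len = sizeof sample - 1;         /* drop the literal's trailing NUL */
    long result = -1;
    int sfd = mkstemp(src), dfd = mkstemp(dst);

    if (sfd >= 0 && dfd >= 0
        && write(sfd, sample, len) == (ssize_t)len
        && dump_region(src, len, dst) == (long)len
        && pread(dfd, back, len, 0) == (ssize_t)len
        && memcmp(back, sample, len) == 0)
        result = (long)find_strings(back, len, 4, NULL);

    if (sfd >= 0) { close(sfd); unlink(src); }
    if (dfd >= 0) { close(dfd); unlink(dst); }
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <device> <length> <outfile>\n", argv[0]);
        return 2;
    }
    size_t len = strtoul(argv[2], NULL, 0);  /* base 0 accepts 0x... */
    long n = dump_region(argv[1], len, argv[3]);
    if (n < 0) {
        perror("dump_region");
        return 1;
    }
    unsigned char *buf = malloc(len);
    FILE *f = fopen(argv[3], "rb");
    if (buf && f && fread(buf, 1, len, f) == len)
        printf("%zu bytes dumped, %zu strings\n", len, find_strings(buf, len, 4, stdout));
    if (f) fclose(f);
    free(buf);
    return 0;
}
```

The natural first guess for the length is the size the binaries themselves pass to mmap() when they map the node. If the length exceeds what the driver exposes, mmap() usually fails outright, or the first access past the region raises SIGBUS, so start small and grow it; the dump file can then be diffed between reboots or before and after an authentication to see which bytes the services actually touch.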
  
 