Archive for the ‘electronics’ Category

How we found a backdoor in Sprint’s EVO and Hero phones (and lived to tell about it)

Wednesday, July 7th, 2010

As you might have seen on Wired or Engadget, we were poking around on the pre-release EVO from Google I/O and managed to get root access to it before it had been shipped. You might remember my blurrycam video of the event:

We didn’t mention how we did it at the time, only that we exploited a serious vulnerability and recommended other users root their phones. Now that Sprint’s patch has been out in the wild for a while and everyone has updated, we’re releasing more details on what the security vulnerability is.

The first step of rooting any phone is taking stock of what’s on the device and doing a cursory check of whether you can use it to elevate permissions. This means running a shell on the device and poring over ls -l in every directory.

On the EVO I received from I/O, there was a file named “skyagent” in the /system/bin directory of the device. This file was also present in the latest, shipped firmware in Sprint HTC Hero phones. When we started poking at it, we discovered that not only would it let us get root, but it was effectively a backdoor into the device that allowed external users to peek and poke input, dump the contents of the screen and run arbitrary programs. Not only that, but the program listened on every interface, meaning external users could spy remotely on the device. We weren’t able to determine if the program could be launched remotely, but once it was launched, it was a very effective back door.

We disclosed this to Sprint quickly after finding it. They were very responsive and rolled it into a patch that they released alongside the EVO’s launch.

We’re still not sure what this program was doing on the device at launch. One theory is that it’s a test program, designed to provide input and output for automated testing on real devices. Another theory is that it’s a law-enforcement or three-letter-agency wiretap program for capturing communication. Yet another is that it was placed there by a rogue employee as a plain, malicious backdoor. There’s not enough evidence to determine which (if any) of the theories is correct and Sprint hasn’t disclosed anything.

Here’s an excerpt from our forthcoming vulnerability disclosure (thanks to rpearl for turning our internal disclosure into something more readable):

The binary is executable by any user; no authentication or privileges are necessary. Further, during the program’s initialization, there are numerous instances in which a buffer overflow can overwrite stack or bss memory; similarly, the program passes user-controlled arguments unsanitized as a format string to a sprintf, also leading to memory being overwritten. We believe that these can only be exploited to the point of a denial of service, not to the end of arbitrary code execution. This appears to be by chance, not by design.

However, the security vulnerabilities present in skyagent are less cause for concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user’s knowledge or permission. When the program is invoked, it listens for connections over TCP (by default, port 12345, on all interfaces, including the 3G network!) and accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; the commands are encrypted neither on the way to the device nor on the way back. The commands that we have knowledge of at this time include:

  • sending and monitoring user tap and drag input (“PentapHook”),
  • sending key events (“InputCapture”),
  • dumping the framebuffer (“captureScreen”),
  • listing processes (“GetProc”),
  • rebooting the device immediately,
  • and executing arbitrary shell commands as root (“LaunchChild”)
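A defender-side check for the kind of exposure described above: an added example (not code from the post or from the skyagent paper) that parses /proc/net/tcp, which is readable without root on most Android and Linux builds, and flags any socket in the LISTEN state bound to 0.0.0.0 on port 12345. The sample /proc/net/tcp text is constructed, and the address decoding assumes a little-endian host, as on ARM Android.

```python
"""Find wildcard-bound TCP listeners (e.g. skyagent's default port 12345)
by parsing /proc/net/tcp. Added example; the sample data below is constructed."""
import os
import socket
import struct

LISTEN = 0x0A  # value of the "st" column for a listening socket

# Constructed sample: row 0 is a root-owned listener on 0.0.0.0:12345 (0x3039),
# row 1 is a loopback-only listener, row 2 is an ordinary established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8321 1 00000000 100 0 0 10 0
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 8402 1 00000000 100 0 0 10 0
   2: 0F02000A:A1B2 D83ACDE9:01BB 01 00000000:00000000 00:00000000 00000000 10023        0 9110 1 00000000 20 4 30 10 -1
"""


def _decode_addr(hex_addr):
    """Turn '0100007F:3039' into ('127.0.0.1', 12345).
    The kernel prints the IPv4 address as a host-order (little-endian) 32-bit hex word."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of {ip, port, state, uid} records."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = _decode_addr(fields[1])
        entries.append({"ip": ip, "port": port,
                        "state": int(fields[3], 16), "uid": int(fields[7])})
    return entries


def wildcard_listeners(entries, ports=(12345,)):
    """Return listening sockets bound to every interface on the given ports.
    A loopback-only listener (127.0.0.1) is not reported."""
    return [e for e in entries
            if e["state"] == LISTEN and e["ip"] == "0.0.0.0" and e["port"] in ports]


if __name__ == "__main__":
    # On a real device read the live table; elsewhere fall back to the sample.
    text = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE
    for hit in wildcard_listeners(parse_proc_net_tcp(text)):
        print("wildcard listener on port %d owned by uid %d" % (hit["port"], hit["uid"]))
```

A hit owned by uid 0 on a port the device has no business serving is exactly the footprint the disclosure describes; pair it with a process listing to find the binary behind the inode.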

Here’s the paper that Joshua Wise typed up from the analysis we did, describing the backdoor in more detail:

Skyagent Protocol Description

HTC EVO 4G: Nice Hardware, Horrible Sprint Software

Thursday, June 3rd, 2010

UPDATE: Sprint’s OTA release last night fixes the serious vulnerability we reported to them. Kudos to them for moving so quickly. As an end-user, you’ll have to decide between being more secure with the OTA update or having root access to the device you own for now.

In the comments, Sean Doherty says:

We want to reassure everybody about some questions that have been raised about HTC EVO 4G.

We have a software update being deployed that corrects an issue with some MicroSD cards and also deploys a patch that will fix a potential security vulnerability. Users can install this update by going to Settings > System Updates > HTC Software Update on their EVO and following the instructions as prompted.

Sprint moved swiftly to make sure this was addressed.

Sean Doherty
Sprint Corporate Communications
@srdoherty


As you might know, I’ve been poking around in the guts of the HTC EVO with some other developers during the last few weeks of early EVO ownership looking to get access to root. It turned out to be fairly easy – a few hours into the investigation and we had access to root.

It turns out that this is a really, really bad thing for users. The Sprint customizations of Android are so bad that an Android application could get access to all of your data with very little work. It’s so bad that I would not recommend purchasing the Sprint EVO or Hero.

You are putting your data at risk of theft from not just one vulnerability (the one we’re releasing tomorrow), but a whole suite of vulnerabilities!

The hardest part of this is that we’re now in competition with Sprint trying to keep root access to the phone, so the idea of “responsible disclosure” works against what you’re trying to do. If end-users had full access to the phone, we’d be sending these vulnerabilities straight to Sprint. Since Sprint has decided to take the anti-user approach and lock down the phone, we’re basically holding all of these exploits close to our chest.

It hurts me to say this, but to help users take control of hardware they own, we have to expose them to security holes.

To handset manufacturers and carriers: if you give users the freedom to customize their devices, we’ll work with you directly to make sure those same users aren’t vulnerable out-of-the-box. Be more like Google and less like Apple and you’ll get an army of white-hats working to improve your product.

To end-users: choose phones that don’t make you jump through hoops to take control like the Nexus One. You bought it, it should be yours to hack and customize.

We’ll be releasing the unrevoked exploit tomorrow, but holding the details for a week or so. It’s such a blatant and dangerous hole that we felt that responsible disclosure was our only choice.

For the record, both Google and Sprint have been very proactive in plugging this hole. It would, however, be a lot easier for all parties involved if these devices weren’t locked down and we were all working to improve the user’s experience instead of building better mice and mousetraps.

HTC Evo 4G Root – where’s the details?

Wednesday, May 26th, 2010

No surprise here: lots of people are interested in the details of the root process. There are four reasons why we aren’t releasing anything yet:

  1. We’re still working on making the root ‘sticky’. The current root doesn’t persist beyond a reboot, meaning you need to root it every time you reboot the device.
  2. We want to package up the rooter in an easy-to-install, one-click application so we’re not holding people’s hands through adb shell.
  3. We don’t want to give HTC any details that they could use to fix the hole before the official release.
  4. We want to make sure that when Froyo is released on this device, we can still get root on it.

#1 is the only real technical challenge left, but we’ve almost cracked it. Stay tuned for details.

FWIW, I can’t use my HTC Evo up here in Canada, so I’ll be selling or trading it after we finish everything up. It’s a great phone, but the best parts of it come from being a great network device.

Root on an HTC EVO 4G!

Sunday, May 23rd, 2010

UPDATE: We (ozzeh, joshua, shadowmite and I) just put the teaser site together for the EVO root. More info coming soon!

http://unrevoked.com


I ended up with a Sprint HTC EVO 4G after Google I/O. It’s a pretty fantastic phone, even though it’s something of a kitchen sink. By a happy coincidence, I ended up reconnecting with some of my buddies from the old mobile hacking days who were looking to root it. With a few hours effort and a three person team (credit to ozzeh and Joshua Wise!), we managed to get the standard su tool installed.

This sort of disassembly and hacking really brought back memories. Shadowmite introduced me to mobile phone hacking back in the day. Back then we were doing stuff like porting Linux to the device and hacking the bootloader.

In any case, here are some screenshots. We’re not releasing any details on the root hack yet:

At this time, we believe that this specific exploit cannot be applied to Incredible.

You can find me on twitter as @mmastrac

The Next Decade

Sunday, January 3rd, 2010

The last ten years have been a wild ride for this planet, but I’m sure the next ten are going to be even more exciting. I’d like to offer my predictions of what we’ll see around now, ten years in the future.

The browser will continue its domination in the world of applications, absorbing more of what we do in desktop applications. A significant fraction of software development will happen in the browser, though most development will still happen on the desktop. WebGL will be starting to become a major platform for gaming. IE6 will be a war story told by greybeard developers, Microsoft having jumped back into the browser race and caught up to the leaders of the pack. No single browser will have a majority share worldwide. Javascript will still be the biggest language, but it will have gone through a few language iterations. The browser JS VM will be near the speed of native code, less than 25% slower.

Devices will continue to double in capacity and speed every few years. In 2020 you won’t have a desktop computer. You’ll have something in the form-factor of a laptop or tablet that you dock and charge wirelessly wherever you decide to work. Hard-drives as we know them today won’t exist in most machines, replaced by various forms of multi-terabyte solid-state storage.

You’ll be carrying around a mini-computer in your pocket that runs at the equivalent speed of today’s MacBook Pro. It’ll multitask easily with a few GB of RAM and have nearly a terabyte of solid-state storage onboard. The mobile experience will be a scaled-down, synchronized version of your larger machine rather than an entirely separate device. In fact, some people may eschew the larger device and hook their mobile device wirelessly into display and input devices when they want an easier environment to work in.

Your phone and laptop will have high-end cameras with thin liquid lenses that will be good enough for most people to stop carrying around dedicated point-and-shoot cameras.

E-books will continue to grow, but the functionality will move out of dedicated devices and into portable computers with improved screens that work as well as e-paper today. Electronic textbooks will have taken over the majority share of post-secondary education and will start to make inroads in earlier school grades.

Land-lines will be a legacy technology in 2020. Most people will opt to forward their personal cell phones to an adapter that rings a home number as well when the phone is nearby. Telcos will start offering a much-higher-fidelity audio codec for cell phones that offers VoIP-quality conversations.

True electronic commerce will be starting to emerge in 2020, replacing wallets with your electronic devices for power users. Instead of carrying around a dozen ID and payment cards, people will have the option of storing them digitally and presenting them wirelessly. Electronic banking will take off, providing safe, standard web-based APIs around your personal finances and investments.

Our understanding of genetics today will look primitive compared to that of 2020. In 2020, genomics will have high-level structures that understand and codify the development and existence of organisms, allowing us to symbolically describe and modify how genes are turned on and off, like a computer program. We will have genetic fixes for a few of the big genetic disorders today. Some of these fixes will be applied to the human germline as well, wiping the diseases out entirely for descendants.

Car travel will take a number of big steps forward. In 2020, most modern cars will be aware of each other to some degree and offer basic driving coordination like avoiding rear-end collisions and traffic management. Most cars will be LTE-capable and have online traffic updates, integration with your personal mail and text-to-speech for handsfree web ‘listening’. Rare features today such as heads-up night-vision displays and 360º visibility cameras will trickle down to a much larger segment of vehicles.

Personal space travel will be uncommon, but available for individuals for a cost around $100,000. Small space travel outfits will have small, but permanent space stations for the travellers to dock and stay for a few nights. Humans will be in the planning stages for the first extra-terran mission in our solar system since the moon landings which will involve nations from around the world.

Thoughts on where I’ve missed the boat, or neglected an important up-and-coming change? Leave comments below or select a paragraph to add your thoughts inline.

Windows 7 Experience

Wednesday, July 1st, 2009

I spent the last few days shoehorning Windows 7 into one of the laptops I’ve got around the house. My day-to-day desktop for development is a MacBook Pro, but I spend some time testing on Windows. I haven’t had a chance to update my Windows knowledge from where I left it at the XP level, so I figured it would be a good time to give Vista’s successor a shot.

The laptop I’m upgrading is old, but not so old that it’s obsolete. It’s a Gateway MX7337 with a 3.0GHz P4 (back when Hyperthreading, rather than multi-core was the rage!). It’s got a reasonable 1GB of RAM, enough that a basic Linux desktop would fly and development isn’t impossible. In fact, I did all of the Windows development for Stumbleupon’s IE toolbar on this machine!

The install

My experience begins a few days ago, shortly after we signed up for BizSpark. I downloaded their Windows 7 RC ISO and burnt it to a DVD. Popping it into the laptop resulted in the most pleasant Windows install I’ve encountered.

I’ll digress for a short moment here. I’ve been installing operating systems for a while now and Windows has always had the worst experience. I was very surprised when Microsoft decided to launch XP with the old Windows-NT text-mode installer. For the last few years I’ve been installing Fedora boxes with the pretty VESA-based Anaconda, while every XP machine I boot up starts off with the classic blue-screen of installation and “Press F6 to load drivers”.

There’s not much to say about Windows 7’s installation. It was fast, pretty and over with before I could really think about it.

Hardware

My biggest concern before I started down the Windows 7 path was hardware support. The Gateway laptop was a pain to get working under Windows XP. It uses bog-standard Broadcom wireless drivers which, for some strange reason, Microsoft never supported off its XP install disks. This always left me with an XP machine unable to connect to the internet, having to use either a burnt DVD or a USB key to port over Gateway’s poorly packaged driver bundles.

Windows 7 surprised me here. With the exception of the sound hardware, everything worked out of the box. This is a pretty big improvement over XP on this particular laptop, though I can’t vouch for the experience of a user with newer, potentially unsupported out-of-the-box hardware. The graphics were a bit disappointing, since Intel’s “extreme” laptop chipset (852GME) was only supported by Windows’s default VESA modes.

… And Hardware Issues

The sound hardware was a mystery. The drivers were installed, device manager said everything was OK, but nothing was coming out of the laptop’s speakers. I eventually found some forum posts that suggested I try a set of Vista drivers — from a different manufacturer. That did the trick!

My next task was attempting to get graphics working at a level beyond basic VESA support. This was a lot trickier, since Intel’s last driver update was in 2006 and there was never an official driver release. I ended up using the device manager’s ability to install legacy drivers and pointing it at the latest driver release from Intel. A forum post suggested the following convoluted, but successful workaround:

1. Remove all previous installations of hardware (just keep Vista’s std VGA).
2. DLD the latest drivers from Intel and extract to hard drive.
3. In device manager go to Action – Add legacy hardware.
4. Select device manually. (If the 82852/82855 GM/GME doesn’t show in the list of display drivers, then you need to point to the directory where you extracted the drivers)
5. THIS IS THE IMPORTANT STEP. Don’t select 82852/82855 GM/GME from the list of drivers, select the 945GM driver. It will install and you will need to reboot.

It took me a few times to get that working, and I ended up with two 82852/82855 display adapters in the device manager. While the drivers are somewhat faster for general use, they are still too old to support Aero. I can’t believe that worked!

Bonjour Printing (no pun intended)

The final part of the adventure dealt with trying to set up my Bonjour-available printers. I had installed iTunes on the laptop previously, which usually installs the Bonjour software and the Bonjour Printer Wizard. In this case, however, the printer wizard was missing. I had to uninstall and reinstall the software to make this available.

Once the wizard was ready to go, it found the two printers on the network. When I selected the printers I was confused – it couldn’t find the appropriate drivers for either of them. It turns out that Windows 7 doesn’t ship with the whole gamut of printer support on the installation disk like XP did. Instead, you need to either download the drivers directly from catalog.update.microsoft.com (thanks to @herkyjerky for the tip), or use the workaround that I did: setting up a fake printer on LPT1 with the correct drivers (which are pulled from Windows Update automatically), then deleting the printer and letting the Bonjour wizard add it.

Conclusions

Overall, I’m happy with the Windows 7 experience on this older machine. It certainly boots faster (fresh install notwithstanding) and it feels less clunky than XP on the same machine did.

The whole configuration experience is pretty overwhelming. Most of the options have moved since XP. Thankfully, the search available in the start menu is able to find most of the settings that I couldn’t find myself: showing file extensions and hidden files, for example.

UAC is a new beast for me. It’s somewhat annoying, but as long as you are a member of the local Administrators group you can just keep clicking “Yes” to its prompts. If you aren’t part of the admin group, you’ll need to enter the username and password of the admin every time you want to perform an admin-level task. If Microsoft had provided a way to remember the admin credentials for a short period of time, I’d probably run as a regular user rather than an Administrator (thanks for @liltude for some UAC tips!). Quick tip: if you get frustrated with entering your admin credentials for all the prompts and add yourself to the Administrators group, don’t forget to log out. If you don’t, you’ll still have your old “standard user” token and UAC will keep prompting you for a username/password!

Pixel Qi – Revolutionary Screen Design

Sunday, June 7th, 2009

I’ve been following the story of Pixel Qi for some time. I bought an OLPC during the first G1G1 event and I’ve been impressed with the screen’s visibility and low-cost construction. On top of that, it can turn into a black-and-white, e-ink-like screen with minimal power draw using the same individual pixels it uses for color display, but at 3x the resolution.

Check out the comparison between the Kindle’s e-ink screen, a regular laptop and the new 3Qi screen below. I’ve always been somewhat irritated by the inverted flash of most ebook readers – probably the reason I’ve been avoiding buying them for the last few years. An interesting factoid from the video: some touchscreen technologies can absorb 50% of your screen’s brightness!

(via techvideoblog)

UPDATE: I just found an interesting video on OLPC News, saying that “… the new Pixel [Qi] screen has actually evolved past the OLPC screen, to the point where it is no longer even using the XO laptop display technology.”