1. silverfang77's Avatar
    I received a PM on another cell phone forum I use, telling me to download a program called BrandingInfo to my Berry, run it on the phone, transfer the results back to the computer, zip them and send them to him.

    He also told me I should go to this unlocking site, input information from my phone's Help Me screen into the site and then send him the resulting unlock code. This is the information the site had me input:

    App Version: 4.5.0.127 (179)
    PIN: XXXXXXX
    Uptime: 63998 seconds
    Unlock code [1 day]: (removed due to paranoia)

    Anyway, sending an unlock code to someone I do not know raised several red flags for me, so I have not sent him the information. I did, however, stupidly download the BrandingInfo thing. The Berry seems fine. However, a program with a generic icon did show up in my phone's memory yesterday. I just turned my Berry on to check and now the generic icon no longer shows up.

    Anyway, these are the sites he directed me to: BrandingInfo
    http://cellphonephorum.com/BrandingInfo.jad (download directly to berry)
    http://cellphonephorum.com/BrandingInfo.cod (download to pc to put on berry)
    BlackBerry eScreen Unlock Code Generator (by Thyth) (some kind of unlocking site).

    Was this legit, or was this guy trying to take over my Berry? Am I now infected with some kind of virus?
    03-21-09 11:11 AM
  2. Slate004's Avatar
    Weird.......very weird
    03-21-09 11:15 AM
  3. silverfang77's Avatar
    I know. I just don't like the idea that this thing is on my phone. It doesn't show up in the list of apps that can be uninstalled. It doesn't appear to have done anything inimical, but has me rather worried. Is there a way to flush something out of my phone's memory without reformatting?
    03-21-09 11:16 AM
  4. jeffh's Avatar
    The Thyth program seems to be legit. I've used it, as has at least one other Mod. It's not a device unlocking service. What it unlocks is more detailed information about your device's internal functions, what's called an Engineering screen. I'm not familiar with the other programs mentioned. You are always safe NOT to share information. Please note: I'm not endorsing the Thyth program. I used it, and it appears to be safe, but if the link had not been sent to me by another Mod, I would not have used it.
    03-21-09 11:19 AM
  5. silverfang77's Avatar
    Is there any way to get it off my Berry? It doesn't show up in the apps list.
    03-21-09 11:21 AM
  6. jeffh's Avatar
    Thyth didn't stay on my 8830. When I gave it the info, it generated an Engineering Screen unlock code that I then entered into the BB's Help Screen. All Thyth was/is is a website that generates the code. At least, that's all it appeared to be to me.
    03-21-09 11:25 AM
  7. silverfang77's Avatar
    OK. Thanks for the help. In the future, I will not download anything until I've researched it. I know not to do stupid stuff like this with computers; why would a Berry be any different? *sighs*
    03-21-09 11:27 AM
  8. jeffh's Avatar
    One important difference is there are no confirmed BlackBerry virus programs. Not yet, anyway. As BlackBerry devices become more mainstream, somebody's sure to test RIM's OS security. Of course, social engineering threats work on every platform. You're wise to be skeptical of requests for information.
    03-21-09 11:30 AM
  9. silverfang77's Avatar
    Thank you. Better safe than sorry, I always say.
    03-21-09 11:53 AM
  10. Thyth's Avatar
    Thyth is a person, not the name of a program or a website. I did create that engineering screen unlock code generator that you link to.

    I keep a referrer log of my generator to see where it's being linked from, and this topic caught my attention. I'm pretty curious as to what you were promised in exchange for that information.

    Use of the engineering screen unlock code generator is safe. It simply computes a special algorithm on the input data to generate a magic code. RIM has an identical utility available behind password protection (I'd link to it, but, evidently I can't with less than 10 posts). I simply reverse engineered the algorithm (HMAC-SHA1 with a special key and padding data) from net_rim_escreen.cod, included as a part of the operating system installation, then turned it into a PHP application. Once you enter the code, the duration that you selected when generating the code starts counting down; once the duration expires, the engineering screen relocks. Devices from RIM engineering (usually preproduction, or rebranded devices with a vendorid of 1) are always engineering screen unlocked. I prefer using codes, since they are temporary, and don't affect device warranty status. Unlocking the engineering screen is all these codes can do.

    Horizon Wireless offers a similar service, but they charge somewhere on the order of $40 or $50 for one of those codes (they offer it as a UMA unlocking "service"). Frankly, I think it's a rip-off, and those codes should be free.

    As for the BrandingInfo.cod file that you've linked to... I've just run it through my COD decompiler.
    The class hierarchy is as follows:
    BrandingInfo (entry point, is a standard BlackBerry UI application)
    BrandingInfoScreen
    BrandingInfoScreen$1 (anonymous inner class)
    BrandingInfoScreen$Worker (inner class)
    BrandingInfoScreen$Worker$1 (anonymous inner class)
    BrandingInfoScreen$Worker$2 (anonymous inner class)
    com/rim/resources/BrandingInfoRIMResources (generated as part of the COD)
    com/rim/resources/BrandingInfoRIMResourcesPopulator0 (ditto, contains resources in binary form)

    It looks rather simple. On launch, it creates a UI, enumerates the root of the file system, and it looks like it dumps a bunch of data from the device into home/user/branding. After it does that deal, closing the UI quits the program. It doesn't stay resident in the background, and it doesn't do anything malicious.

    To help you further, I would need to know the pretext under which you were asked for this information.
    03-22-09 03:13 PM
  11. jeffh's Avatar
    Welcome to the Forums Thyth! I'm very glad you noticed this thread. I was given the link to your program by one of the other Mods here, and was unaware that you were a person. We're glad to have you on CrackBerry.
    03-22-09 03:19 PM
  12. silverfang77's Avatar
    He said he could look at the info and try to figure out why my Blackberry keeps experiencing outages/disconnections.
    03-22-09 03:23 PM
  13. Thyth's Avatar
    Well, I'm not sure if there is anything in the engineering screens that could help explain that.

    It sounds like it could be a radio hardware failure, or problems with your cellular network.
    03-22-09 03:45 PM
  14. linxroute's Avatar
    Dear Thyth

    Sorry to bother you. Reading through the thread, I've noticed that you have some kind of decompiler for the .cod files. The reason I'm asking about it is that I'm living in an Asian country, and we are using a Unicode language. Unfortunately, BB only supports precompound Unicode but not composite Unicode for the time being. So all my BB fellows in Vietnam are not able to read email, web, etc. encoded with Unicode, all because the font that comes with BB currently does not support composited Unicode. We would like to decompile other already supported languages like Korean and Chinese to see how the font was compiled, since there are files such as net_rim_font_korean.cod. Please do shed some light for us. Thank you very much.
    03-31-09 02:00 AM
  15. Bit-Twiddler's Avatar
    Dare I dream?
    ...sigh.

    Cheers!,
    BT
    04-25-09 05:38 PM
  16. Pete6's Avatar
    I can think up any number of uses for one of those. Thyth, did you buy it or make it? Please PM me if you feel that you can confidentially divulge such information.

    By the way, a crude way of looking at .cod files has been found by Forums Moderator Branta, who uses WordPad to open them up.

    Details and an example are in the CrackMem thread in my signature.
    04-25-09 05:45 PM
  17. Branta's Avatar
    My gut feeling is that this is a way to obtain data for cloning a BB using the illegally leaked MFI Multiloader.

    I would guess the java classes Thyth identified will extract all the details required to be programmed into a stolen or otherwise blocked phone and give it the identity of the OP's phone. We have seen some reports of this happening in the Asia region, and it is likely to be a spreading problem.

    There is reasonable cause to handle your phone's technical identity rather like you handle your credit card number. Don't disclose it (or more detail than necessary) to unknown requesters but it is usually safe to reveal the PIN to folk you want to communicate with.

    The other warning sign in this case was the download, install and execution of a completely unknown application. Would you do that on your PC if someone emailed a program called Spyware Installer and told you to run it and send them its output? The main weak point in BlackBerry security is the risk of social engineering to install or run software. As far as we know this failure of the human element is the only way to load a malicious program onto a BB.
    Last edited by Branta; 04-30-09 at 03:12 AM. Reason: fix typo
    04-25-09 07:50 PM
  18. Thyth's Avatar
    I wrote my module decompiler over the course of the last 18 months or so. I imagine you get just about nothing out of using a text editor to read them. The class hierarchy is encoded, so you wouldn't even get the names of classfiles. So, I guess the only data you would get are the printable contents of the constants pool. If you were smart, you could use a file carver to extract other types of resources (i.e. image/audio resources embedded in the module), but you'd still have no idea about what the program actually did.

    My decompiler isn't perfect, since RIM has some incredibly strange implementations of some bytecodes, but it was plenty sufficient to figure out the engineering screen algorithm, among several other interesting information about the OS and some of the popular BlackBerry applications.

    It's alleged that RIM has a fully functional decompiler as part of their internal utilities. I don't doubt that, but mine is independently developed from the publicly available information on the devices, and from reverse engineering the module compiler in the SDK. Maybe, in the next few weeks, I'll have the time to finish up my decompiler, and bring it to a comparable feature set to RIM's.

    In any case, I looked more closely at the BrandingInfo COD. From what I can tell it extracts the VSM data from the device. It doesn't extract PIN or IMEI, which would be necessary to clone the device. Not sure why that would be of any use to anyone, especially for the reasons stated.

    Oh yeah... and... spell my name right. Thanks.
    04-25-09 08:53 PM
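Added example (not part of the thread, and not Thyth's decompiler): the contrast drawn in the post above between opening a module in a text editor and running a file carver over it, sketched in Python for triaging an unknown binary before running it. The sample bytes are constructed and are not a real COD module; all function names belong to this example.

```python
import re

# Well-known file signatures (header, footer) for resources a module may embed.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def printable_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Runs of printable ASCII: roughly what a text editor would reveal."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def carve(data: bytes) -> list[tuple[str, int, bytes]]:
    """Locate embedded resources by signature; returns (kind, offset, bytes)."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = data.find(header)
        while start != -1:
            end = data.find(footer, start + len(header))
            if end == -1:
                break  # header without footer: truncated, do not guess a length
            stop = end + len(footer)
            found.append((kind, start, data[start:stop]))
            start = data.find(header, stop)
    return sorted(found, key=lambda item: item[1])

def triage(data: bytes) -> dict:
    """Static summary only: nothing here explains what the code actually does."""
    return {
        "strings": printable_strings(data),
        "resources": [(kind, off, len(blob)) for kind, off, blob in carve(data)],
    }

# Constructed sample: opaque bytes, two strings, one minimal PNG-shaped resource.
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE = (b"\x00\x01\x02\x03\x9f\x80" + b"BrandingInfoScreen" + b"\x00\x07\x90"
          + b"home/user/branding" + b"\x00\x00" + FAKE_PNG + b"\x13\x37\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Both passes are static: they list names and resources present in the file but recover no control flow, which is why the thread relies on a decompiler to say what BrandingInfo does.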
  19. Branta's Avatar
    > Oh yeah... and... spell my name right. Thanks.

    Fixed. That's what we get for posting at 1am
    04-30-09 03:13 AM
  20. Heresy's Avatar
    Just curious: this is mainly used for getting the VSM files to debrand the phones, correct?
    04-30-09 08:30 AM
  21. heavylee's Avatar
    OP, what initiated that other person on the other forum to offer the advice and links that you received? What question/problem did you have?
    04-30-09 09:55 AM
  22. computer9658's Avatar
    The last one is legit, anyway - allows you to access engineering menu on branded phones with a special mathematically created hex code

    Posted from my CrackBerry at wapforums.crackberry.com
    05-30-09 02:22 AM
  23. AZBBFAN's Avatar
    That sounds too fishy to me, in fact I would just get worried my precious BB is being invaded. I would wipe the entire handheld and then restore my phone through DM, unless this weird program has been backed up already on DM...I trust nothing that I don't know that I installed myself!
    05-30-09 02:29 AM
  24. oliv2915's Avatar
    Thyth, with the code unlocking the escreen, what all can we do there? I noticed there is a setting where I can change EQ settings for the media player. Is there a guide that you have that can tell us what each screen is for and how to read the settings?

    Posted from my CrackBerry at wapforums.crackberry.com
    05-30-09 08:00 AM
  25. ScienceRules's Avatar
    > I wrote my module decompiler over the course of the last 18 months or so. My decompiler isn't perfect, since RIM has some incredibly strange implementations of some bytecodes, but it was plenty sufficient to figure out the engineering screen algorithm, among several other interesting information about the OS and some of the popular BlackBerry applications.
    >
    > Maybe, in the next few weeks, I'll have the time to finish up my decompiler, and bring it to a comparable feature set to RIM's.
    >
    > Oh yeah... and... spell my name right. Thanks.

    How does your decompiler compare to that of dr bolsen's coddec?
    He too claims that RIM released a version of rapc.jar with the dumping classes intact. I think this could be found in ver 4.0 of the JDE. Not that I would know.

    -sR
    Last edited by ScienceRules; 06-24-09 at 04:08 AM.
    06-24-09 03:58 AM