1. quackquack147's Avatar
    OK then I am going to sit back and enjoy the show.
    BTW Paul I think I got something for my closed source android device, the one and only a110. Yes source leaks. Now cm10.1 here I come. I don't think I would be coming here much (if I get cm booting at least).
    Leave me a pm if you succeed.
    my systems are getting ready! 2 new machines will be ready fully in 34 hours minus 12 hours (6+6) of sleep. and i can work on those machines and build the CM 10.1. can i build a non-cm android? i.e. w/o all the junk which it has to offer? and also make it clean-lean-mean. i am not in favor of heavy junk stuffs..... let me know if its so. and in pm drop me the link again, tomorrow. because i will run parallel tasks. what good are 2 machines if they are not crunched to the core? uh!
    i will use gnutoo's method and compile it up. i need to do these:
    upsize the thinkpad t60 and x60 to 16 MiB if it fails then 8 MiB -> #1.
    run a complete NVRAM clean up on t60 and x60 -> #2.
    hdparm and secure delete 2*160 GB PATA hdd (each 160 minutes) -> #3.
    install debian via serial console & harden & secure the base -> #4.
    configure services and et al -> #5.
    install/load SDK/NDK & arm/mips compilers -> #6.
    install base for openwrt for seawarrior and his device -> #7.
    in background sniff for electrical circuits of playbook 32 GB -> #8.
    roll out a custom rom for your a116 (hope you got a backup and also a standby easy install firmware, i dont have that device)-> #9.
    park myself in freenode and other irc servers -> #10
    1-10 ~ 34-36 hours ..... target completion time..... if you are patient then i am okay with it.

    hope this helps!
    thanks
    -paul
    06-24-13 02:31 PM
  2. quackquack147's Avatar
    06-24-13 02:52 PM
  3. Dr_Acula's Avatar
    my systems are getting ready! 2 new machines will be ready fully in 34 hours minus 12 hours (6+6) of sleep. and i can work on those machines and build the CM 10.1. can i build a non-cm android? i.e. w/o all the junk which it has to offer? and also make it clean-lean-mean. i am not in favor of heavy junk stuffs..... let me know if its so. and in pm drop me the link again, tomorrow. because i will run parallel tasks. what good are 2 machines if they are not crunched to the core? uh!
    i will use gnutoo's method and compile it up. i need to do these:
    upsize the thinkpad t60 and x60 to 16 MiB if it fails then 8 MiB -> #1.
    run a complete NVRAM clean up on t60 and x60 -> #2.
    hdparm and secure delete 2*160 GB PATA hdd (each 160 minutes) -> #3.
    install debian via serial console & harden & secure the base -> #4.
    configure services and et al -> #5.
    install/load SDK/NDK & arm/mips compilers -> #6.
    install base for openwrt for seawarrior and his device -> #7.
    in background sniff for electrical circuits of playbook 32 GB -> #8.
    roll out a custom rom for your a116 (hope you got a backup and also a standby easy install firmware, i dont have that device)-> #9.
    park myself in freenode and other irc servers -> #10
    1-10 ~ 34-36 hours ..... target completion time..... if you are patient then i am okay with it.

    hope this helps!
    thanks
    -paul
    Cm10.1 for playbook??
    Or my a110 canvas 2?
    And yeah the leaked sources I was talking about. Another crap, broken ****. Back to playbook as my vacations are almost over so can't waste time in compiling.:banghead:

    Whats working is just kernel sources (.ko and .so).
    I need to fix the device tree too.:'(

    And isn't the update thing u talk about a part of microhttpd ?
    Most secure bb server?

    Don't know. Is it?
    Last edited by Dr_Acula; 06-24-13 at 03:06 PM.
    06-24-13 02:56 PM
  4. quackquack147's Avatar
    Cm10.1 for playbook??
    Or my a110 canvas 2?
    And yeah the leaked sources I was talking about. Another crap, broken ****. Back to playbook as my vacations are almost over so can't waste time in compiling.:banghead:

    Whats working is just kernel sources (.ko and .so).
    I need to fix the device tree too.:'(

    And isn't the update thing u talk about a part of microhttpd ?
    Most secure bb server?

    Don't know. Is it?
    i got no clue, as i havent seen/git clone the source.
    cm/lean-mean-clean android? hmmmmm. no idea either i havent looked into any either. and its long i have played with android. really long..... time.
    let me kick it off and then see how it goes. .ko aka kernel object which i havent looked into and i would rather recompile the source than trust outside binary and same with .so aka static, dynamic shared and loadable libraries. cant say anything at this moment.
    i have never used a most secure BB server. let me know if you find one and even if it is? it will be broken.
    microhttpd is almost there in every device i have seen a uhttpd or bozohttpd in almost all device, some with telnet and ftp and ssh installed and activated...... so, certainly some XhttpX got to be on for easy firmware/software upgrade. i am not sure about your device. if i get one i will play with it. some device with modems/softmodems/cellular modems even got http on. but i seriously got no clue and i am sorry i have no info ATM.
    so answer is again a variable. because i dont know what i dont know. how can i answer things which i dont know. and will never know. some stuffs are hidden and some never being told. :-S sorry mate. some thing you and i need to find together, if it interests us both thats my short answer.

    hope this helps.

    thanks
    -paul

    p.s. if you are thinking i am making a very secure BB server? then i think you got me wrong. i am making a basic hardened server with ACL and RBACL plus other security stuffs. so even if its compromised losses are minimal viz grsec and pax. thanks again. and once again. i never said i will build a hackproof server. i said i will minimise the risk by 75-80% starting from scratch.
    06-24-13 03:45 PM
  5. Dr_Acula's Avatar

    p.s. if you are thinking i am making a very secure BB server? then i think you got me wrong. i am making a basic hardened server with ACL and RBACL plus other security stuffs. so even if its compromised losses are minimal viz grsec and pax. thanks again. and once again. i never said i will build a hackproof server. i said i will minimise the risk by 75-80% starting from scratch.
    U r pushing in a new server? I thought it was something to do existing server.
    Anyways best of luck.:thumbup:
    06-24-13 10:18 PM
  6. Synerworks's Avatar
    systemupgrade is one such call which links directly or indirectly to the 77 systemcalls in blackberry 10.x ;-) system upgrade has got way beyond root power aka god power and it runs as root. hope it rings a bell. does it?
    thanks
    -paul
    The problem with a FIPS 140-2 platform is that the security audit has verified that those systemcalls do not grant backdoor access, whereas the NVRAM corruption facilitates the provision of a rootable OS that can enable you to do what you want without the security handcuffs. A start could be to pull the SoC and socket it so that you can physically target exploits and give you a means of recovering a damaged bootrom. Otherwise, you risk having to throw away dead-as-a-doorknob Playbooks since they will not be able to be rebuilt in-protocol.
    06-24-13 11:42 PM
  7. quackquack147's Avatar
    The problem with a FIPS 140-2 platform is that the security audit has verified that those systemcalls do not grant backdoor access, whereas the NVRAM corruption facilitates the provision of a rootable OS that can enable you to do what you want without the security handcuffs. A start could be to pull the SoC and socket it so that you can physically target exploits and give you a means of recovering a damaged bootrom. Otherwise, you risk having to throw away dead-as-a-doorknob Playbooks since they will not be able to be rebuilt in-protocol.
    bad news comes from you. and it kills my excitement. hardware access is extremely important. fine enough i will start my scans from today.
    thanks
    -paul
    06-25-13 12:43 AM
  8. quackquack147's Avatar
    U r pushing in a new server? I thought it was something to do existing server.
    Anyways best of luck.:thumbup:
    2 machines 2 new server isnt it? ;-)
    thanks
    -paul
    06-25-13 12:44 AM
  9. Dr_Acula's Avatar
    2 machines 2 new server isnt it? ;-)
    thanks
    -paul
    Thought u were pushing a web server into playbook.
    06-25-13 12:59 AM
  10. quackquack147's Avatar
    Thought u were pushing a web server into playbook.
    it already has a webserver, samba server (remember dingleberry? it uses/exploits a samba vulnerability), dhcp server (if you run dhclient, it gives you a 169.254.x.x IP), QConn port 4455 (i knew about the port which i got via nmap, but i didnt know whats it for), and lastly we even got sshd.
    so this also means we can reverse ssh. i dont know if you do know what i mean.
    the debug token does help you get access to loads of stuffs, which i am yet to try.
    thanks
    -paul
    06-25-13 01:42 AM
  11. Dr_Acula's Avatar
    it already has a webserver, samba server (remember dingleberry? it uses/exploits a samba vulnerability), dhcp server (if you run dhclient, it gives you a 169.254.x.x IP), QConn port 4455 (i knew about the port which i got via nmap, but i didnt know whats it for), and lastly we even got sshd.
    so this also means we can reverse ssh. i dont know if you do know what i mean.
    the debug token does help you get access to loads of stuffs, which i am yet to try.
    thanks
    -paul
    Knew of samba and dhcp. I thought u were going to replace the microhttpd (root process I think) to take control.
    And debug token, isn't it restricted to apps only? Used it to fix some bugs in mc2 3.0.0 before 4.0 was released. What else can we do with it?
    Last edited by Dr_Acula; 06-25-13 at 04:26 AM.
    06-25-13 02:14 AM
  12. blueberrymerry's Avatar
    It's not microhttpd, it's bozoshttpd or something like that. I still don't know why it runs a https port, is that used by Desktop Manager or BB Link?

    As for sshd, you run QConnDoor.jar on your PC to push your public SSH key to the PB, then it runs an sshd instance allowing you to connect like this: ssh [email protected]

    Unfortunately you're sandboxed as the devuser which doesn't have many privileges. Xsacha tried all this two years ago and didn't find a vulnerability.

    The debug token lets you run unsigned apps or at least, apps which are signed by the debug token, but the token must be renewed every 30 days or the app stops working. You can then login via ssh as devuser and see the debug logs for your app.
    06-25-13 05:27 AM
  13. Dr_Acula's Avatar
    Bozohttpd
    K
    Heard of it a long time ago, don't remember.
    06-25-13 05:49 AM
  14. quackquack147's Avatar
    Knew of samba and dhcp. I thought u were going to replace the microhttpd (root process I think) to take control.
    And debug token, isn't it restricted to apps only? Used it to fix some bugs in mc2 3.0.0 before 4.0 was released. What else can we do with it?
    blueberrymerry said it already, its bozohttpd, netbsd's full featured httpd. it runs as root only and considering netbsd's pedantic, structured and secure coding its highly unlikely we will find any vulnerability.
    hope this helps!
    thanks
    -paul
    06-25-13 05:53 AM
  15. quackquack147's Avatar
    It's not microhttpd, it's bozoshttpd or something like that. I still don't know why it runs a https port, is that used by Desktop Manager or BB Link?

    As for sshd, you run QConnDoor.jar on your PC to push your public SSH key to the PB, then it runs an sshd instance allowing you to connect like this: ssh [email protected]

    Unfortunately you're sandboxed as the devuser which doesn't have many privileges. Xsacha tried all this two years ago and didn't find a vulnerability.

    The debug token lets you run unsigned apps or at least, apps which are signed by the debug token, but the token must be renewed every 30 days or the app stops working. You can then login via ssh as devuser and see the debug logs for your app.
    yes i agree with what you said. there are 27 more processes which run as UID0, (root!)
    we need to look deep into it. there is something which talks about IPC and mach (microkernel), time to fiddle with netbsd's kernel. but then again this is RTOS.
    why https port, something which even i dont know. but this means we are not out of scope. we have a chance.
    and somewhere in those pdf there is a reference of using unsigned binary....... UNSIGNED BINARY?
    i am yet to play with the ndk and sdk and i just now finished task one. i upsized and beefed up the bios flash from 4 MiB to 8 MiB, too much soldering and testing and buspirate and stuffs. the 16 MiB flash didnt work i will have to get new chips. but anyway coming to topic this flashchip is holding me for a while. because if i get a 16 MiB then i can go ahead and install windows. if it doesnt i will stick to 8 MiB and still install windows server 2008 r2.
    yes unauthorised access or devuser only access to sandbox. looks like there is/are some rbacl or pax kind of thingie in this setup.
    i came to know of one more thing. called fuzzing. i am not new to fuzzing. but a pdf told if we run complicated fuzz then there is a stack crash and also it can lead to kernel panic. if there is a kernel panic? there will be a coredump i believe. and if there is a coredump we can run a trace.
    but i can not confirm any of the things i said above. because my systems are not yet ready and i am still setting up my desktop systems. so unless i get a first hand experience i am sorry i will not be able to say anything whatsoever.
    but i am placing a 10 US$ bet on cfp i think it can help us in one way. i am yet to try it. but when i am done i will release the docs. and once again unless i try it myself i cant ask others to do it on their device and end up with a brick.
    hope this helps.
    thanks
    -paul
    06-25-13 06:04 AM
  16. SifJar's Avatar
    and somewhere in those pdf there is a reference of using unsigned binary....... UNSIGNED BINARY?
    Sure. There's even a git here with ports of a bunch of dev tools (including gcc) to the PB, so you can run all of them directly on the PB and compile binaries on-the-fly on the PB (using a terminal app e.g. term48).
    06-25-13 07:05 AM
  17. quackquack147's Avatar
    Sure. There's even a git here with ports of a bunch of dev tools (including gcc) to the PB, so you can run all of them directly on the PB and compile binaries on-the-fly on the PB (using a terminal app e.g. term48).
    gcc? whattt? gcc? what????????
    sweet. thanks!
    here is one more where you can get loads of tools.
    https://github.com/intrepidusgroup/pbtools
    ifs_parse.py Parse an IFS image. Must be run from a QNX environment, as it depends on dumpifs.
    we need these tools also. if we need to tear open and look whats inside.
    thanks
    -paul
    06-25-13 07:12 AM
  18. SifJar's Avatar
    gcc? whattt? gcc? what????????
    sweet. thanks!
    here is one more where you can get loads of tools.
    https://github.com/intrepidusgroup/pbtools
    Yeah, haven't quite got it running personally (used a virtual machine to compile, now trying to figure the best way to get the files out of the VM and onto my PB).

    And those tools are for running on computer, not on PB. Although the PB does have a built in python interpreter that you can easily use from a terminal app or over SSH, so perhaps they could actually run there as well...

    EDIT: Actually, it looks like they are Python 2.X scripts, the PB's (working) python interpreter is 3.2 and there are syntax differences which would make those scripts incompatible without at least minor tweaking. [PB does have a python 2.7 interpreter included, but it doesn't have the execute permission required to actually run it]
    06-25-13 09:11 AM
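    The Python 2 versus Python 3.2 mismatch SifJar describes can be checked before any script is copied onto the device, so that the only interpreter that actually executes there is not the first place the incompatibility shows up. The block below is an added example written for this page; it is not code from the thread or from the pbtools repository, and the two embedded sources are constructed samples standing in for a Python 2 script and its ported form, not real pbtools files. It asks the running Python 3 parser whether the source parses at all, and independently flags the two Python 2-only statement forms most often found in scripts of that era (the `print` statement and `except X, e:`), so a failed parse comes with a pointer to the lines that need rewriting.

```python
"""Pre-flight check: will a script parse under Python 3, and which Python 2-only
statements does it contain?  Added example, not code from the thread or pbtools."""
import ast
import re

# Constructed sample standing in for a Python 2.x script of the kind the thread
# says pbtools contains (print statement, `except X, e:` syntax).
PY2_SAMPLE = '''
import sys
def dump(path):
    f = open(path)
    print "parsing", path
    try:
        return f.read()
    except IOError, e:
        print >>sys.stderr, e
        raise
'''

# Constructed sample of the same logic after porting to Python 3 syntax.
PY3_SAMPLE = '''
import sys
def dump(path):
    with open(path) as f:
        print("parsing", path)
        return f.read()
'''

# Line-level hints for the most common Python 2-only statements.  The print
# pattern requires whitespace after `print` and no opening parenthesis, so the
# Python 3 call form `print(...)` is not flagged.
PY2_PATTERNS = [
    ("print statement", re.compile(r"^\s*print\s+(?!\()")),
    ("except X, e syntax", re.compile(r"^\s*except\s+[\w.]+\s*,\s*\w+\s*:")),
]


def check_py3_compat(source):
    """Return a dict describing how `source` fares under the running Python 3.

    parses_under_py3: True if ast.parse() accepts the source.
    error:            'line N: message' for the first syntax error, else None.
    py2_hints:        list of (lineno, label) for Python 2-only statements found.
    """
    result = {"parses_under_py3": True, "error": None, "py2_hints": []}
    try:
        ast.parse(source)
    except SyntaxError as exc:
        result["parses_under_py3"] = False
        result["error"] = "line %s: %s" % (exc.lineno, exc.msg)
    # Scan every line, not just the first failing one, so the whole porting
    # workload is visible in a single pass.
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in PY2_PATTERNS:
            if pattern.search(line):
                result["py2_hints"].append((lineno, label))
    return result


if __name__ == "__main__":
    for name, src in (("PY2_SAMPLE", PY2_SAMPLE), ("PY3_SAMPLE", PY3_SAMPLE)):
        report = check_py3_compat(src)
        print(name, "parses:", report["parses_under_py3"], "error:", report["error"])
        for lineno, label in report["py2_hints"]:
            print("  line %d: %s" % (lineno, label))
```

    Run on a real file with `check_py3_compat(open(path).read())`; an empty hint list together with a successful parse is a reasonable bar before copying the script over SSH, while a clean parse with hints still present means the regexes hit something the parser accepted (for example a comment) and is worth a look by hand.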
  19. quackquack147's Avatar
    Yeah, haven't quite got it running personally (used a virtual machine to compile, now trying to figure the best way to get the files out of the VM and onto my PB).

    And those tools are for running on computer, not on PB. Although the PB does have a built in python interpreter that you can easily use from a terminal app or over SSH, so perhaps they could actually run there as well...

    EDIT: Actually, it looks like they are Python 2.X scripts, the PB's (working) python interpreter is 3.2 and there are syntax differences which would make those scripts incompatible without at least minor tweaking. [PB does have a python 2.7 interpreter included, but it doesn't have the execute permission required to actually run it]
    okular sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
    pg 22. it seems we can extract the rimboot environment. and loads of info. i will get it to kick off asap. does it mean we can get loads of valuable info? looks like we can extract the bootloader. if we can extract the bootloader from this? we can also extract bootloader from almost all RIM images. which means now we are sh!t *** close. and this may also mean we can look into the bootloader of each and every device.
    which also means we can decompress the image and extract the bootloaders and then we can reverse engineer.
    sooooooooooooooooooooooooooooo gooooddddddddddddddddddddddddd newsssssssssssssssssss.
    i am loving internet and RIM and all these security analysis........... this is sweet. i will try to decompress all the files and see if i can extract the bootloader.
    damn damn damn.
    if we can get a hold on the bootloader then many including me will be void of smd soldering and also jtag. lets assume only 5 out of 1000 knows how to jtag. then those 995 folks can have it all zonked up w/o much or any hassle.
    *i cleaned up my room and looks in shape now. tonight i will install debian on the desktop machine. *
    hope this helps!
    thanks
    -paul
    p.s. can you let me know what are your findings on the gcc aspect, does it have aslr? and also rbacl and acl in strict mode? because if we can get the gcc then many of our tasks are solved easily. thanks again.
    p.s. and who else is helping. see when many people work together whats tough for one is distributed easily among many. thanks sifjar
    06-25-13 10:22 AM
  20. Dr_Acula's Avatar
    using a terminal app e.g. term48.
    Term48.
    Nice.
    Was looking for months long before (6 months before, when I last picked up my pb). Will power it on again. I hope it has some juice left, at least to power on.
    06-25-13 10:36 AM
  21. Dr_Acula's Avatar
    Y don't u people use irc channel?
    Won't that give fast results?
    06-25-13 10:38 AM
  22. quackquack147's Avatar
    Y don't u people use irc channel?
    Won't that give fast results?
    because i am not ready yet. and i am yet to do a clean install and carry on. and then only i will join IRC. i dont like to join a party w/o proper preparation....... :-)
    sifjar here is one hint, if its serial then try xmodem or ymodem to transfer. and see whats the result. i am lagging with the development, as i am doing many things at one time. wish there were 48 hours a day.
    i have been doing many xmodem and ymodem transfer before when i had only serial mode to transfer files. old school method. ;-)
    i will try to catch up soon. damn i hate this lag when i am unable to be at the party ;-)
    beefing up multi tasking!!!
    hope this helps.
    thanks
    -paul
    06-25-13 11:07 AM
  23. quackquack147's Avatar
    Term48.
    Nice.
    Was looking for months long before (6 months before, when I last picked up my pb). Will power it on again. I hope it has some juice left, at least to power on.
    this might be a big asset, considering its serial transfer mode. we can do loads of things, i hope!
    i still got enough juice on my playbook. :-D
    want some lemonade? ;-)
    thanks
    -paul
    06-25-13 11:09 AM
  24. faenil's Avatar
    Y don't u people use irc channel?
    Won't that give fast results?
    agree, let's use an IRC channel!
    06-25-13 11:22 AM
  25. SifJar's Avatar
    because i am not ready yet. and i am yet to do a clean install and carry on. and then only i will join IRC. i dont like to join a party w/o proper preparation....... :-)
    sifjar here is one hint, if its serial then try xmodem or ymodem to transfer. and see whats the result. i am lagging with the development, as i am doing many things at one time. wish there were 48 hours a day.
    i have been doing many xmodem and ymodem transfer before when i had only serial mode to transfer files. old school method. ;-)
    i will try to catch up soon. damn i hate this lag when i am unable to be at the party ;-)
    beefing up multi tasking!!!
    hope this helps.
    thanks
    -paul
    I've been trying to set up something called a "host only" network in virtualbox, and then get an ssh server running within the VM for me to connect to with WinSCP, but I can't seem to get it working yet. And I'm going away in a few days for a couple of months without my laptop, so I'm probably not going to get the dev tools working on my PB before that, and I'm sure you'll have them up and running long before I'm back.
    06-25-13 11:26 AM