The Making of the Kosher Phone

Page 1
The Making of the Kosher Phone
RECon - 2014

Page 2
Assaf Nativ
● Presented here in 2010 about Memory Analysis techniques
The YouTube video of it is on my blog
● A security researcher

Page 3
Disclaimers
● Everything presented here was done by me and many other people
● I now work for the security startup Sentinel
● I’m not a religious person

Page 4
The story
About 4 years ago

Page 5
By the end of this talk
● You will be able to make a Kosher firmware.
● But you are not going to...

Page 6
What can a feature phone do?
(AKA Dumb phone)
● Can:
○ Make phone calls
○ SMS
○ MMS
○ Calendar
○ FM Radio
○ Play annoying ringtones
○ GPRS or 3G using a dysfunctional web browser
○ Bluetooth
○ ~2MPixel camera
○ Utilities and Games
● On some newer models:
○ Limited Facebook, Twitter and WhatsApp

Page 7
What a Kosher phone can do
(AKA a phone that suffers from severe retardation)
● Can:
○ Make phone calls
○ SMS 8==D
○ MMS
○ Calendar
○ FM Radio
○ Play annoying hasidic ringtones
○ GPRS or 3G using a dysfunctional web browser
○ Bluetooth to earpiece only
○ ~2MPixel camera
○ Utilities and Games
● On some newer models:
○ Limited Facebook, Twitter and WhatsApp

Page 8
Kosher Phone’s new app
The Jewish calendar
Fun fact about the Jewish calendar:
● Follows both the moon and the sun
● Every year has either 12 or 13 months
● Day is of no fixed length
● Inaccurate by 1 day every 216 years
● Strange

Page 9
Planning ahead
1. Choose a phone
2. Get the company who makes it to remove some features
3. Sell it for more money

Page 10
Nokia, connecting people (sort of)
I needed a phone that is:
● Cheap
● Reliable
● In mass production

Page 11
Choose a model

Page 12
Nokia software series
S30 S40

Page 13
Nokia software series
Symbian S60 (Died on 2010) Symbian^3

Page 14
Hardware versions

Page 15
Hardware Samples
DCT1 DCT4 BB5 Asha DCT3

Page 16
First Kosher phones
● Nokia 1208, 2680, 2720
● All DCT4
● All S40

Page 17
Nokia 1208 - Ugly Candybar

Page 18
Nokia 2680 - Ugly Slider

Page 19
Nokia 2720 - Super ugly Clamshell

Page 20
Ask Nokia
Plz Nokia, I can haz no Interwebz and camera and file transfer?

Page 21
No, but...
You can do whatever helps you sell more of our phones

Page 22
Patching

Page 23
DCT4+ firmware
● Flashable
○ OS (MCUSW)
○ Localization strings and gfx (PPM)
○ General purpose file system - Operator FAT16 (CNT / IMAGE)
● SecureROM
○ ?

Page 24
Why would Nokia care
Patching the MCUSW might allow you to:
● Change the IMEI
● Break the SIMlock
● And more...

Page 25
How to obtain the files
Just it

Page 26
How to flash a phone
3 options

Page 27
Phoenix

Page 28
A box

Page 29
And the right cable

Page 30
FBus - Connector

Page 31
USB

Page 32
At this point
● A phone
● Firmware files
● A way to flash firmwares

Page 33
File format - First layer
After a short header:
● 1 Byte: Type (Always 0x14)
● 4 Bytes: Address
● 3 Bytes: Length
● 1 Byte: Header checksum
● 1 Byte: Data XOR checksum
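As an added illustration of this first-layer record layout (example code, not from the talk or from the Phosher framework): a Python parser that walks records in the slide's field order and verifies both checksums, which is the kind of check a patched file fails when the checksums are not recomputed. The data checksum is the XOR named on the slide; that the header checksum is also a byte XOR and that address and length are big-endian are assumptions of this example.

```python
import struct

RECORD_TYPE = 0x14   # slide 33: the type byte of every first-layer record is 0x14
HEADER_LEN = 10      # type(1) + address(4) + length(3) + header checksum(1) + data checksum(1)

def xor8(buf: bytes) -> int:
    """XOR of all bytes: the slide's data checksum (assumed here for the header checksum too)."""
    acc = 0
    for b in buf:
        acc ^= b
    return acc

def encode_record(address: int, data: bytes) -> bytes:
    """Build one record in the slide's field order; big-endian integers are an assumption."""
    hdr = bytes([RECORD_TYPE]) + struct.pack('>I', address) + len(data).to_bytes(3, 'big')
    return hdr + bytes([xor8(hdr), xor8(data)]) + data

def parse_records(blob: bytes, skip: int = 0) -> list:
    """Walk records after `skip` leading bytes, verifying both checksums; returns [(address, data)]."""
    records, pos = [], skip
    while pos < len(blob):
        if pos + HEADER_LEN > len(blob):
            raise ValueError(f'truncated header at offset {pos}')
        if blob[pos] != RECORD_TYPE:
            raise ValueError(f'bad record type 0x{blob[pos]:02x} at offset {pos}')
        hdr = blob[pos:pos + 8]
        if xor8(hdr) != blob[pos + 8]:
            raise ValueError(f'header checksum mismatch at offset {pos}')
        address = struct.unpack('>I', hdr[1:5])[0]
        length = int.from_bytes(hdr[5:8], 'big')
        data = blob[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(data) != length:
            raise ValueError(f'truncated data for record at 0x{address:08x}')
        if xor8(data) != blob[pos + 9]:
            raise ValueError(f'data checksum mismatch for record at 0x{address:08x}')
        records.append((address, bytes(data)))
        pos += HEADER_LEN + length
    return records

# Constructed sample stream: two records, then a copy with one data byte patched
SAMPLE = encode_record(0x01000000, bytes(range(16))) + encode_record(0x01000010, b'\xff' * 8)
PATCHED = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])   # a patch that forgets to fix the checksum

def check(blob: bytes) -> str:
    """Return the record addresses, or the first checksum/format error found."""
    try:
        return ', '.join(f'0x{addr:08x}' for addr, _ in parse_records(blob))
    except ValueError as err:
        return f'ERROR: {err}'
```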

Page 34
File format - 2nd layer
01000000  AD 7E B6 1B 23 10 03 40 C6 05 E4 01 20 A2 00 00
01000010  00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF
01000020  FF FF FF FF F8 1F BD FA 50 65 61 4B FF FF FF FF
01000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01000040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01000050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01000060  FF FF FF FF FF FF FF FF FF FF FF FF 94 72 48 92
01000070  A6 87 2A FE 00 02 00 00 01 00 01 00 00 00 00 00
01000080  00 00 00 00 AB ED A4 43 5C 0D 53 A3 BD 70 EC 37
01000090  D1 AE CD 20 AE 54 47 F7 59 B4 A2 36 B4 85 BB 2B
010000A0  B3 62 22 05 2E 16 13 1E C6 EE F2 2F AC CF CC 11
010000B0  50 C8 B9 82 FE BC 8B C7 0E 58 91 9D 32 28 E8 B3
010000C0  D4 1D AF 3E ED 0C 50 AB E0 F9 E5 09 69 D7 33 CE
010000D0  62 CC D1 E2 3B DB 77 1E 64 7E AE 8A D4 AA BE CE
010000E0  97 9E 24 23 40 05 9A 1C A0 37 41 30 58 9D 2A 3D
010000F0  41 F5 85 AF 67 A1 42 60 02 8E E9 59 8C BE 43 F5
01000100  56 4D EE F6 55 C3 DC B1 DB 14 72 74 43 A5 47 8F

Page 35
Obfuscation
● Starting from offset 0x84
● There are a lot of pieces of information about it spread around GSM forums

Page 36

Page 37
G3gg0 and nok5rev work
They reversed the obfuscation
● Just because it was fun
● They simply stared at the bits for 2 months until it made sense
● They published it for free :)

Page 38

Page 39
File format - 3rd layer
01000000  AD 7E B6 1B 23 10 03 40 C6 05 E4 01 20 A2 00 00
01000010  00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF
01000020  FF FF FF FF F8 1F BD FA 50 65 61 4B FF FF FF FF
01000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01000040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01000050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01000060  FF FF FF FF FF FF FF FF FF FF FF FF 94 72 48 92
01000070  A6 87 2A FE 00 02 00 00 01 00 01 00 00 00 00 00
01000080  00 00 00 00 FF FF FF FF FF FF FF FF 01 CE 00 00
01000090  03 00 00 00 00 04 CC A2 00 04 CC A3 FF FF FF FF
010000A0  00 00 F1 EF 89 33 EB 2D 1F 09 3B DA C7 C0 3D 9F
010000B0  BB D3 29 98 01 C8 BC B0 06 6E A8 11 0E D1 69 67
010000C0  A4 A3 9A A5 BF 7B 27 5A E6 C7 61 2D F7 B8 70 9C
010000D0  D4 1C 09 96 AF 5B F2 05 20 92 49 DF D5 0B FC DE
010000E0  A8 30 B7 39 34 59 13 7D E7 BD 72 3F C7 CF B3 5A
010000F0  60 2C 5E 7D 63 17 56 C4 9F 6C C5 1A 01 BF B7 DF
01000100  EA 01 FF BE 00 FE 6A 84 EA 50 20 20 20 20 6A 04

Page 40
Arm code

Page 41
Attempt to patch

Page 42
Error type 1
Contact service

Page 43
Error type 2
No signal

Page 44
2 types of errors
1. Contact Service
2. No Signal

Page 45
Patching doesn’t work map
00000000  AD 7E B6 1B 23 10 03 40 C6 05 E4 01 20 A2 00 00
00000010  00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF
00000020  FF FF FF FF F8 1F AA 02 50 65 61 4B FF FF FF FF
00000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000060  FF FF FF FF FF FF FF FF FF FF FF FF C0 52 90 D4
00000070  4A E4 5C 8F 00 02 00 00 01 00 01 00 00 00 00 00
00000080  00 00 00 00 FF FF FF FF FF FF FF FF 01 CE 00 00
00000090  03 00 00 00 00 04 CC A2 00 04 CC A3 FF FF FF FF
000000A0  00 00 F1 EF 89 33 EB 2D 1F 09 3B DA C7 C0 3D 9F
000000B0  BB D3 29 98 01 C8 BC B0 06 6E A8 11 0E D1 69 67
000000C0  A4 A3 9A A5 BF 7B 27 5A E6 C7 61 2D F7 B8 70 9C
000000D0  D4 1C 09 96 AF 5B F2 05 20 92 49 DF D5 0B FC DE
000000E0  A8 30 B7 39 34 59 13 7D E7 BD 72 3F C7 CF B3 5A
000000F0  60 2C 5E 7D 63 17 56 C4 9F 6C C5 1A 01 BF B5 CF
00000100  EA 01 FF BE 00 FE 6A 84 EA 50 20 20 20 20 6A 04
00000110  2D CF 20 20 20 20 6A 01 9D 7C 20 20 20 20 6A 01
00000120  B3 C8 20 20 20 20 6A 01 A5 C2 20 20 20 20 6A 04

Page 46
Patching doesn’t work map
Contact Service
No Signal

Page 47
Contact Service Error
Simple 16-bit checksum

Page 48
Error type 3
Reboot

Page 49
2 types of errors
1. Contact Service
2. No Signal
3. Reboot

Page 50
SRE the checks

Page 51
Finding the memory map
Only one leak of debug symbols: Nokia 1650 rm305_05.530.out

Page 52
In the leak

Page 53
Memory map

Page 54
1st MB
A call to the 1st MB validation and the "activate GSM secROM" function

Page 55
Encryption disable bit
Address 0x900003a = 0x100003a | 0x8000000
The 0x8000000 is a flag that disables the firmware encryption / decryption for that address.

Page 56

Page 57
No Signal
Reboot

Page 58

Page 59

Page 60

Page 61

Page 62

Page 63

Page 64
Zoom x3

Page 65
You are here
0x01453178

Page 66
You are here
0x01453178
Meaning
When the check fails, it uses the code that it just failed to validate!

Page 67
Exploiting
Allows us to overcome the validation of the binary after the 1st MB (Reboot error)

Page 68
POC
https://www.youtube.com/watch?v=i0NJZ_J5c6g&feature=youtu.be

Page 69
Overcoming the SecureROM
First 1MB check (No Signal)

Page 70
Example of log recovery
R0:00000000 R1:00000005 R2:00000002
R0:00000007 R1:00000005 R2:00000002
R0:00000009 R1:00000005 R2:00000002
R0:0000000A R1:00000005 R2:00000002

Page 71
Make it Kosher

Page 72
Disable Internet
● Remember that time is money

Page 73
Disable Internet
● “GET” -> “BET”
● “POST” -> “MOST”
No web server would ever answer you again.

Page 74
Hardware patches
Circumcising a phone

Page 75
Bugs
● GSM connection
● FM Radio
● Bad factory reset

Page 76
BB5
Not in this presentation :(

Page 77
Asha phones protection
This one has
● WhatsApp
● Facebook
● Twitter
● And all kinds of other things...

Page 78
Three steps of trust chain
1. PBL
2. SBL
3. Firmware
RSA-1024 with SHA-1

Page 79
Signed
Flashable
OS (MCUSW) - Signed
Localization strings and gfx (PPM) - Signed
General purpose file system - Operator FAT16 (CNT / IMAGE) - Open
SecureROM
?

Page 80
In the Image
● Menusettings.xml
● Java apps
● Startup / Shutdown animations
● Ringtones
● Many kinds of other settings

Page 81
Blocking SMS & MMS
When I have no control over the OS

Page 82
A few things about FAT16
● Table that defines chains of sectors
● Hard-links are possible
● Two files with the same name are possible

Page 83
Blocking SMS
● Find where messages are stored
● Delete that folder
● Create a file with the same name

Page 84
pyFAT16
Parsing FAT16 with Python is fun
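To make the FAT16 properties of slide 82 and the same-name trick of slide 83 concrete, here is an added Python example (not the pyFAT16 or Phosher code): it constructs a tiny FAT16 image with a MESSAGES directory, a plain file that reuses the name MESSAGES, and a second entry pointing at the directory's first cluster, then audits the root directory for duplicate 8.3 names and clusters claimed by more than one entry. The volume geometry and the entry names are made up for the example.

```python
import struct

BPS, SPC, RSV, NFATS, ROOT_ENTRIES, SPF = 512, 1, 1, 1, 16, 1   # geometry of the constructed volume

def build_image():
    """Construct a sample FAT16 image (not a phone dump): boot sector, one FAT, one root-dir sector."""
    boot = bytearray(BPS)
    struct.pack_into('<HBHBHHBH', boot, 11, BPS, SPC, RSV, NFATS, ROOT_ENTRIES, 0, 0xF8, SPF)
    fat = bytearray(SPF * BPS)
    for idx, val in {0: 0xFFF8, 1: 0xFFFF, 2: 3, 3: 4, 4: 0xFFFF, 5: 0xFFFF}.items():
        struct.pack_into('<H', fat, idx * 2, val)      # chain 2 -> 3 -> 4, cluster 5 on its own
    root = bytearray(ROOT_ENTRIES * 32)
    for slot, (name, attr, first, size) in enumerate([  # 0x10 = directory, 0x20 = file
            ('MESSAGES   ', 0x10, 2, 0),    # the messages folder, starting at cluster 2
            ('MESSAGES   ', 0x20, 5, 12),   # a plain file with the SAME 8.3 name
            ('INBOX   TXT', 0x20, 2, 0)]):  # a second entry on cluster 2: a "hard link"
        off = slot * 32
        root[off:off + 11], root[off + 11] = name.encode('ascii'), attr
        struct.pack_into('<HI', root, off + 26, first, size)   # first cluster, file size
    return bytes(boot + fat + root)

def cluster_chain(img, fat_off, first):
    """Follow the FAT from `first` until an end-of-chain marker (>= 0xFFF8), free entry or loop."""
    chain, cur = [], first
    while 2 <= cur < 0xFFF8 and cur not in chain:
        chain.append(cur)
        cur = struct.unpack_from('<H', img, fat_off + cur * 2)[0]
    return chain

def root_entries(img, root_off, count):
    """Yield (name, attr, first_cluster, size) for every live entry in the root directory."""
    for i in range(count):
        e = img[root_off + i * 32:root_off + (i + 1) * 32]
        if e[0] == 0x00:          # end of directory
            return
        if e[0] != 0xE5:          # 0xE5 marks a deleted entry
            yield (e[:11].decode('ascii'), e[11], *struct.unpack_from('<HI', e, 26))

def audit(img):
    """Flag duplicate 8.3 names and clusters claimed by more than one directory entry."""
    bps, _spc, rsv, nfats, nroot, _tot, _media, spf = struct.unpack_from('<HBHBHHBH', img, 11)
    fat_off = rsv * bps
    ents = list(root_entries(img, fat_off + nfats * spf * bps, nroot))
    owners = {}
    for name, _attr, first, _size in ents:
        for c in cluster_chain(img, fat_off, first):
            owners.setdefault(c, []).append(name)
    dup_names = sorted({e[0] for e in ents if sum(x[0] == e[0] for x in ents) > 1})
    return dup_names, {c: o for c, o in owners.items() if len(o) > 1}
```

Both findings are legitimate on FAT16, which is why a folder can be replaced by a file of the same name without the OS objecting; an audit like this is how you would notice that it has happened.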

Page 85
Making of the Samsung Kosher Phone

Page 86
How to
1. Download the firmware
2. Patch whatever you like
3. Flash it
* If it’s hard to find what to patch, Samsung are leaking binaries with debug symbols everywhere!

Page 87
Release
Phosher framework:
https://phosher.googlecode.com/svn/trunk
* It includes the FAT16 parser

Page 88
Thanks
● Friends who prefer to stay Anonymous
● AT
● Ildis, Rubi, Yuval, Nitzan, Oren & Budo
● G3gg0, Krish and Nok5rev
● The good people of GSM Forum
● Wife
● My daughter for stress testing the hardware

Page 89
Thank you

Page 90
Questions?
