Startup Replacement #32
Reference: happyz/dpt-tools#32
Here is the project:
JSONClientSRC.zip
signtool.zip
[Important] Must be signed as a system app to run.
The question is:
protected void onPreExecute() {
}
//Activate code authentication happens here
protected Object doInBackground(Object[] params_obj) {
// :( Parsing error. Please contact me.
}
Also String.format('/sbin/eid recv {0}', result), this result is definitely missing, needs some debugging.
Conclusion: Emulate the startup process means replace the original components without protection. JSONClient.apk might be just a part of it.
great job!
for 3: maybe try another smali decompiler to see those part again for a 2nd opinion, maybe https://bytecodeviewer.com/ ? (or some other windows platform smali2java tools from google results)
It is for windows only and I am afraid I do not have access now.
for 4: does that adb in system.img /bin/ work?
for 1: in case you do not know yet, use this tool to have a look at boot.img, without a dpt device dd'd from the img (for system.img use mount and simg2img tool as in this repo via @happyZ ). Easier to grep and so on.
https://github.com/cfig/Android_boot_image_editor
EDIT: adding a "strings boot_img_unpacked/sbin/eid" result for a glance.
eid-strings.txt
@ziegfeld wow, thx, this information is cool, seems to have some scripts inside.
1) export PATH=/system/bin:/system/xbin; export ANDROID_PROPERTY_WORKSPACE=8,0; export TERM=vt100; cd /data; busybox tar -zcvf - . --exclude=./dalvik-cache --exclude=./recv.bin --exclude=./firmware/imx | busybox dd of=recv.bin; cd /
It seems recv.bin is some important data inside /system/vendor/recv.bin
2) There are some scripts under /xbin, sqlfix.sh and preapk.sh, that might help fix crashing problems.
I guess recv.bin might be the /data directory, flashed boot.img -> system.img -> data.img. Just assumptions.
Attached partition mapping:
lrwxrwxrwx root root 2018-12-14 16:31 DTIM -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2018-12-14 16:31 MEP2 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2018-12-14 16:31 MRD -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2018-12-14 16:31 MRD1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2018-12-14 16:31 NVM -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2018-12-14 16:31 boot -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2018-12-14 16:31 cache -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2018-12-14 16:31 ddat -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2018-12-14 16:31 diag -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2018-12-14 16:31 misc -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2018-12-14 16:31 pbootloader -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2018-12-14 16:31 radio -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2018-12-14 16:31 rbootloader -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2018-12-14 16:31 recovery -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2018-12-14 16:31 secure -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2018-12-14 16:31 system -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2018-12-14 16:31 userdata -> /dev/block/mmcblk0p17
I am still searching for the /data partition's device. Maybe userdata is the one.
Maybe I'll try to flash recv.bin to /data.
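The by-name listing above already answers the open question about which block device backs /data: the "userdata" symlink points at /dev/block/mmcblk0p17, the same device a later update in this thread says recv.bin is written to. The following parser is an added example (not code from the thread or from dpt-tools) that turns such an `ls -l /dev/block/platform/.../by-name` listing into a name-to-device map, a reverse map, and an index-ordered layout, so the device numbers that appear in decompiled strings (mmcblk0p15, mmcblk0p17) can be resolved to partition names. The listing embedded below is copied from this thread; the helper and function names are my own.

```python
import re

# Partition mapping as posted in this thread (the by-name symlink listing).
BY_NAME_LISTING = """\
lrwxrwxrwx root root 2018-12-14 16:31 DTIM -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2018-12-14 16:31 MEP2 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2018-12-14 16:31 MRD -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2018-12-14 16:31 MRD1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2018-12-14 16:31 NVM -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2018-12-14 16:31 boot -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2018-12-14 16:31 cache -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2018-12-14 16:31 ddat -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2018-12-14 16:31 diag -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2018-12-14 16:31 misc -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2018-12-14 16:31 pbootloader -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2018-12-14 16:31 radio -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2018-12-14 16:31 rbootloader -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2018-12-14 16:31 recovery -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2018-12-14 16:31 secure -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2018-12-14 16:31 system -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2018-12-14 16:31 userdata -> /dev/block/mmcblk0p17
"""

# One `ls -l` symlink line: mode owner group date time NAME -> TARGET
# (hypothetical layout assumed from the listing above; adjust if your ls prints more columns)
LINK_RE = re.compile(
    r"^l\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<name>\S+)\s+->\s+(?P<target>/dev/block/\S+)$"
)
PART_INDEX_RE = re.compile(r"mmcblk(?P<disk>\d+)p(?P<index>\d+)$")


def parse_by_name(listing: str) -> dict:
    """Map partition name -> block device, skipping lines that are not symlinks."""
    mapping = {}
    for line in listing.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            mapping[m.group("name")] = m.group("target")
    return mapping


def device_to_name(mapping: dict) -> dict:
    """Reverse map: block device -> partition name."""
    return {device: name for name, device in mapping.items()}


def partition_index(device: str) -> int:
    """Extract the partition number from a /dev/block/mmcblkXpN path."""
    m = PART_INDEX_RE.search(device)
    if not m:
        raise ValueError(f"not an mmcblk partition device: {device}")
    return int(m.group("index"))


def sorted_layout(mapping: dict) -> list:
    """Return (index, name, device) tuples ordered by partition number."""
    return sorted(
        (partition_index(dev), name, dev) for name, dev in mapping.items()
    )


def resolve(mapping: dict, device: str) -> str:
    """Resolve a device path seen in firmware strings to its partition name."""
    return device_to_name(mapping).get(device, "<unknown>")


if __name__ == "__main__":
    parts = parse_by_name(BY_NAME_LISTING)
    for index, name, dev in sorted_layout(parts):
        print(f"p{index:<3} {name:<12} {dev}")
    # Device paths that appear in the decompiled eid strings in this thread
    for dev in ("/dev/block/mmcblk0p15", "/dev/block/mmcblk0p17"):
        print(dev, "->", resolve(parts, dev))
```

Running it resolves /dev/block/mmcblk0p17 to "userdata" (so a recv.bin restore targets the user data partition) and /dev/block/mmcblk0p15, which the decompiled code mounts as ext4, to "diag".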
@sekkit, cc @HappyZ @p4s2wd
Hi, if you read Chinese, here's a thread about bypassing Kindle Android boot activation from Taobao kdroid, hopefully it would help us here for DPT (register for it if needed):
https://www.hi-pda.com/forum/viewthread.php?tid=2313206&extra=page%3D1
or here for a webpage-screenshot image file version:
https://i.loli.net/2018/04/30/5ae6db6682572.png
Good luck and thanks to them.
This is great news. But I can't get access to hi-pda. And right now the DPT has been returned to the retailer because of a WiFi issue. I will try to reimplement that method when the next DPT arrives.
This topic is about how to crack a Kindle on which Android was installed by the same Taobao seller who cracked the DPT. The main steps are:
1. Mount the system image.
2. Modify /system/framework/services.jar to bypass the signature check.
3. Modify JSONClient.jar so any password passes the password check.
@sekkit please do register an account for access, or let me know what the problem is and let me see how to help.
Because, from that BBS thread, updates (esp. from post no. 110) indicated the screenshot version is not 100% accurate and pointed out some errors/typos.
@ziegfeld I registered almost half a year ago, but have not been approved by the admin yet.
After flashing the third boot.img from another issue, my DPT can no longer connect to WiFi via DigitalPaperApp, even after restoring the original firmware. Not a clue what might have happened.
@ziegfeld Hi, I'm going to reimplement these steps; could you export post no. 110 as a PDF and send it to me?
PS: no need anymore, got an account now.
@sekkit Sorry for the late reply. I forgot, and then the holiday came. Glad that you got it! You can ask questions directly there this way!
@ziegfeld @HappyZ After patching JSONClient.apk with Smali code, activation has been done. But the device starts up again in an activation loop. There is a step where libjnidemo.so calls the saveData function to save the server-returned results somewhere. Without that data, eid will not run the post-setup procedure that dd's recv.bin to its target. And there is some RSA en/decryption going on inside libjnidemo.so.
Some information found in eid && libjnidemo:
eid's params:
recv
xpx
gamma
setstr
eid
proc
misc:
runcommand((int32_t)"/system/xbin/sqlfix.sh vol on");
runcommand((int32_t)"busybox killall com.smart.swkey.nonroot");
int32_t v8 = function_1db58((int32_t)"/dev/block/mmcblk0p15", (int32_t)&g49, (int32_t)"ext4", 1, 0);
function_1d7b0((int32_t)"cp -aR /mnt/opt/sig.key /tmp; chmod 644 /tmp/sig.key");
/dev/block/mmcblk0
The activation POST JSON data and the format of the returned data have been found. BUT the only thing needed is the "enc" field.
SEND data:
wWEu6v/ljlOG4MQjjfAbW1HaqDeGgEIOtg0Aq0tpO58NQn7VgFmATv0ucnbVM06jn3JOEj3ZxQouunS7VSQ/1kIEgIx9v3gt5Z0u/TimYR0vxRpUeA6vAjAOQnQWAe9hFhdP4oEx9mnijlDSE2Fk6OgI2YTpmmfcTGKaxzju6J5VZuPKeUMJqlHQbLlvMGmX6t8mlt1UyvQsIwkR2F1VzAUGXRRjdrItRz7bWFv4NK3ZxQS1Eq+1LW7kmWaon6qIEq66y85OMxoOGWDvwazSHcyolFpROyvpEhc9hc0tdmSAnKd5/RmSqyTsnIXUUgR3pCr5JTWP1WNyoQRfmjxHtQ==
RETURN data:
{
"ret": "base64 of jsondata"
}
jsondata = {
"flag": "PASS",
"pcbsn": "324658506502376x",
"test": "",
"enc": "MzIzZjNmOGU=", (this field in need)
}
int32_t createRSA(int32_t a1, int32_t a2) {
int32_t v1;
int32_t v2;
int32_t format = (int32_t)"\x7c\xde\xff\xff\x2d\xe9\xf0\x4f\x83\xb0\x07\x46\x1a\x48\x0e\x46\x1a\x49\x78\x44\x48\xf6\x8a\x78\x41\xf2\xae\x49\x45\xf2\x7a\x7a\x0c\x58\xc1\xf2\x97\x28\x9b\x46\x15\x46\xcb\xf6\x37\x49\xc0\xf6\x81\x7a\x41\x46\x10\xe0\x28\x46\x01\x21\xff\xf7\xa1\xfe\x03\x46\x20\x68" + (int32_t)&g13;
Maybe this helps with the RSA key.
This pkg seems to have been cracked by someone else, and he is selling it too.
In short, I think following that post is not enough; we need to MOD eid to bypass the post-setup procedure.
Update:
After some digging: recv.bin is actually a user_data partition dump, which is encrypted, and will be extracted and dd'd to mmcblk0p17.
If encrypted, they shall have the decryption method included somewhere; another easier way is just to get the extracted files :)
Made a schedule to go to a dude's place this weekend and dd some partitions.
mmcblk0p8
mmcblk0p9
mmcblk0p17
Update: failed to get the dump of the kdroid firmware this week, unfortunately. Is anyone able to share one?
Hi @sekkit, glad you are still actively working!
I think you can try at people in #52 .
@HappyZ Unfortunately, last time I tried to enter diagnosis mode on a hacked kdroid RP1, it failed. Today I tried again using dpt-tools to upload those two pkgs, but it failed too. Any thoughts on this? I think the root psw change or disableid method is not working on that device.
Is a 7.87k resistor USB going to work?
@sekkit Can I get more insight into what you mean by "using dpt-tools to upload those two pkgs but it failed too"?
@HappyZ shankerzhiwu's exploit pkgs: unable to enter diag mode, black square with them uploaded. This is KDroid's latest protection mechanism.