SlideShare a Scribd company logo

Android: Behind the scenes

Download as PPTX, PDF
N
Narkozzz
Devices & Hardware
1 of 20
Android behind the scenes possible attacks and radical defense measures
• /dev/block/mmcblk0p1 - 512 000 - dbl • /dev/block/mmcblk0p3 - 4 608 000 - osbl • /dev/block/mmcblk0p4 - 1 024 - header_rex_amss • /dev/block/mmcblk0p5 - 30 720 000 - rex_amss • /dev/block/mmcblk0p6 - 12 800 000 - modem_DSP • /dev/block/mmcblk0p7 - 2 097 152 - CID, Secure_Flag, IMEI, rcdata.img • /dev/block/mmcblk0p8 - 3 145 728 • /dev/block/mmcblk0p9 - 2 097 152 • /dev/block/mmcblk0p10 - 1 048 576 • /dev/block/mmcblk0p11 - 1 048 576 • /dev/block/mmcblk0p12 - 8 961 536 • /dev/block/mmcblk0p13 - 3 145 728 - reserved for modem storage • /dev/block/mmcblk0p14 - 3 145 728 - reserved for modem storage • /dev/block/mmcblk0p15 - 1 048 576 • /dev/block/mmcblk0p16 - 9 172 480 • /dev/block/mmcblk0p17 - 262 144 - misc • /dev/block/mmcblk0p18 - 1 048 576 - hboot • /dev/block/mmcblk0p19 - 1 048 576 - sp1 • /dev/block/mmcblk0p20 - 1 310 720 - wifi • /dev/block/mmcblk0p21 - 8 909 824 - recovery • /dev/block/mmcblk0p22 - 4 194 304 - boot • /dev/block/mmcblk0p23 - 262 144 - mfg • /dev/block/mmcblk0p24 - 2 096 128 - sp2 • /dev/block/mmcblk0p25 - 585 104 896 - system • /dev/block/mmcblk0p26 - 1 232 076 288 - userdata • /dev/block/mmcblk0p27 - 314 572 288 - cache • /dev/block/mmcblk0p28 - 21 757 440 - devlog • /dev/block/mmcblk0p29 - 262 144 - pdata
S-ON S-OFF eMMC read, writing Writing in any eMMC only to user-available partition, except partitions partition 7 Flashing only HTC- Flashing any third- signed firmware party modified firmware, including hboot, recovery and custom roms
mmcblk0p7 CID IMEI S-Flag
IMEI repair S-OFF Unlock
Powercycle Partition7 gfree wpthis.ko eMMC injection •void powercycle_emmc() { gpio_tlmm_config(PCOM_GPIO_CFG(88, 0, GPIO_OUTPUT, GPIO_NO_PULL, GPIO_2MA), 0); // turn off. wpthis.ko gpio_set_value(88, 0); mdelay(200); // turn back on. gpio_set_value(88, 1); mdelay(200); }
drivers/mmc/card/block.c #if 1 #if 0 if (board_emmc_boot()) if (mmc_card_mmc(card)) { if (brq.cmd.arg < 131073) {/* should not write any value before 131073 */ pr_err("%s: pid %d(tgid %d)(%s)n", func, (unsigned)(current->pid), (unsigned)(current->tgid), current->comm); pr_err("ERROR! Attemp to write radio partition start %d size %dn", brq.cmd.arg, blk_rq_sectors(req)); BUG(); return 0; } #endif
Preparations Android 2.3-4.1 • Rooted Android OS, stock or custom Busybox • Android console utility pack installed lm.cryptsetup • Android console LUKS-manager installed USB Debugging Enabled • Access to device’s shell by USB “reboot” binary • Reboot binary from the ROM Manager contents
In the Android Shell: #busybox dd if=/dev/zero of=/data/secure0 bs=1M count 800 #losetup /dev/block/loop3 /data/secure0 #lm.cryptsetup luksFormat –c aes-plain /dev/block/loop3 #lm.cryptsetup luksOpen /dev/block/loop3 data #mke2fs –T ext4 –L Secure0 -F /dev/mapper/data #lm.cryptsetup luksClose data In the CWM Recovery: parted /dev/block/mmcblk1 print rm 1 mkpartfs primary fat32 0 4032 mkpartfs primary ext2 4032 8065 quit In the Android Shell: #lm.cryptsetup luksFormat –c aes-plain /dev/block/mmcblk1p2 #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard #mkfs.vfat -n Seccard0 /dev/mapper/sdcard #lm.cryptsetup luksClose sdcard
In the Android Shell: #losetup /dev/block/loop3 /data/secure0 #lm.cryptsetup luksOpen /dev/block/loop3 data #mount –o remount,rw / #mkdir /DATA #mount –t ext4 /dev/mapper/data /DATA # cp -a /data/app /DATA # cp -a /data/app-private /DATA # cp -a /data/backup /DATA # cp -a /data/data /DATA # cp -a /data/dontpanic /DATA # cp -a /data/drm /DATA # cp -a /data/etc /DATA # cp -a /data/htcfs /DATA # cp -a /data/local /DATA # cp -a /data/misc /DATA # cp -a /data/property /DATA # cp -a /data/secure /DATA # cp -a /data/system /DATA # cp -a /data/zipalign.log /DATA # mkdir /DATA/d # mkdir /DATA/dalvik-cache # umount /DATA # lm.cryptsetup luksClose data
Entering encrypted mode: #setprop ctl.stop zygote #mount -o remount,rw rootfs / #mkdir /DATA #mkdir /mnt/SDCARD #mount -o move /mnt/sdcard /mnt/SDCARD #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard #mount -t vfat /dev/mapper/sdcard /mnt/sdcard #mount -o remount,ro rootfs / #mount /dev/block/mmcblk0p26 /DATA #losetup /dev/block/loop5 /DATA/secure0 #lm.cryptsetup luksOpen /dev/block/loop5 data #umount /data -l #mount -t ext4 /dev/mapper/data /data #setprop ctl.start zygote #killall zygote Leaving encrypted mode: #sync #setprop ctl.stop zygote #setprop ctl.stop runtime #setprop ctl.stop keystore #fuser /data –m -k #umount /data #/lm.cryptsetup luksClose data #/system/bin/reboot
CWM S-ON S-OFF ADB #Root /data/ recovery
/data/system/accounts.db /data/data/com.android.providers.contacts/databases/contacts2.db • Contacts • Call history /data/data/com.android.providers.telephony/databases/mmssms.db • Sms
adb shell # sqlite3 /data/data/com.android.providers.settings/databases/settings.db sqlite> update secure set value=65536 where name='lockscreen.password_type'; sqlite> .exit # exit adb reboot
Basic Moderate Recomended • USB • S-ON • Data Debugging • Stock Encryption Disable Firmware • Unknown Sources Off • PinLock
Thank you for listening! See you next time.

Recommended

Optimizing GELI Performance by John-Mark Gurney
Optimizing GELI Performance by John-Mark Gurney Optimizing GELI Performance by John-Mark Gurney
Optimizing GELI Performance by John-Mark Gurneyeurobsdcon
 
망고100 보드로 놀아보자 10
망고100 보드로 놀아보자 10망고100 보드로 놀아보자 10
망고100 보드로 놀아보자 10종인 전
 
Steps to build and run oai
Steps to build and run oaiSteps to build and run oai
Steps to build and run oaissuser38b887
 
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'Positive Hack Days
 
Cannot observe ingress packets
Cannot observe ingress packetsCannot observe ingress packets
Cannot observe ingress packetssoichi shigeta
 
Designof traffic isolationby using flow based tunneling
Designof traffic isolationby using flow based tunnelingDesignof traffic isolationby using flow based tunneling
Designof traffic isolationby using flow based tunnelingsoichi shigeta
 
Multipath
MultipathMultipath
MultipathMichal Sedlak
 
New microsoft word document
New microsoft word documentNew microsoft word document
New microsoft word documentWebmaster
 

Recommended

Optimizing GELI Performance by John-Mark Gurney
Optimizing GELI Performance by John-Mark Gurney Optimizing GELI Performance by John-Mark Gurney
Optimizing GELI Performance by John-Mark Gurneyeurobsdcon
 
망고100 보드로 놀아보자 10
망고100 보드로 놀아보자 10망고100 보드로 놀아보자 10
망고100 보드로 놀아보자 10종인 전
 
Steps to build and run oai
Steps to build and run oaiSteps to build and run oai
Steps to build and run oaissuser38b887
 
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'
24may 1000 valday sergey shekyan artem harutyunyan 'to watch or to be watched'Positive Hack Days
 
Cannot observe ingress packets
Cannot observe ingress packetsCannot observe ingress packets
Cannot observe ingress packetssoichi shigeta
 
Designof traffic isolationby using flow based tunneling
Designof traffic isolationby using flow based tunnelingDesignof traffic isolationby using flow based tunneling
Designof traffic isolationby using flow based tunnelingsoichi shigeta
 
Multipath
MultipathMultipath
MultipathMichal Sedlak
 
New microsoft word document
New microsoft word documentNew microsoft word document
New microsoft word documentWebmaster
 
Linux SD/MMC device driver
Linux SD/MMC device driverLinux SD/MMC device driver
Linux SD/MMC device driver艾鍗科技
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
망고100 보드로 놀아보자 7
망고100 보드로 놀아보자 7망고100 보드로 놀아보자 7
망고100 보드로 놀아보자 7종인 전
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
Linux boot-time
Linux boot-timeLinux boot-time
Linux boot-timeAndrea Righi
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013Wave Digitech
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Ron Munitz
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android EmulatorSamael Wang
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
Cgroups in android
Cgroups in androidCgroups in android
Cgroups in androidramalinga prasad tadepalli
 
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseShuai Yuan
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22Yuya Takei
 
建構嵌入式Linux系統於SD Card
建構嵌入式Linux系統於SD Card建構嵌入式Linux系統於SD Card
建構嵌入式Linux系統於SD Card艾鍗科技
 
MySQL Tokudb engine benchmark
MySQL Tokudb engine benchmarkMySQL Tokudb engine benchmark
MySQL Tokudb engine benchmarkLouis liu
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...ttt fff
 
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRReal Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRdollysharma2066
 

More Related Content

Similar to Android: Behind the scenes

Linux SD/MMC device driver
Linux SD/MMC device driverLinux SD/MMC device driver
Linux SD/MMC device driver艾鍗科技
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
망고100 보드로 놀아보자 7
망고100 보드로 놀아보자 7망고100 보드로 놀아보자 7
망고100 보드로 놀아보자 7종인 전
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013Wave Digitech
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Ron Munitz
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android EmulatorSamael Wang
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseShuai Yuan
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22Yuya Takei
 
建構嵌入式Linux系統於SD Card
建構嵌入式Linux系統於SD Card建構嵌入式Linux系統於SD Card
建構嵌入式Linux系統於SD Card艾鍗科技
 
MySQL Tokudb engine benchmark
MySQL Tokudb engine benchmarkMySQL Tokudb engine benchmark
MySQL Tokudb engine benchmarkLouis liu
 

Similar to Android: Behind the scenes (20)

Linux SD/MMC device driver
Linux SD/MMC device driverLinux SD/MMC device driver
Linux SD/MMC device driver
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
망고100 보드로 놀아보자 7
망고100 보드로 놀아보자 7망고100 보드로 놀아보자 7
망고100 보드로 놀아보자 7
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Linux boot-time
Linux boot-timeLinux boot-time
Linux boot-time
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case study
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android Emulator
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
Cgroups in android
Cgroups in androidCgroups in android
Cgroups in android
 
CUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" courseCUDA lab's slides of "parallel programming" course
CUDA lab's slides of "parallel programming" course
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22
 
建構嵌入式Linux系統於SD Card
建構嵌入式Linux系統於SD Card建構嵌入式Linux系統於SD Card
建構嵌入式Linux系統於SD Card
 
MySQL Tokudb engine benchmark
MySQL Tokudb engine benchmarkMySQL Tokudb engine benchmark
MySQL Tokudb engine benchmark
 

Recently uploaded

毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...ttt fff
 
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRReal Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRdollysharma2066
 
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...Amil baba
 
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作ss846v0c
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degreeyuu sss
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作f3774p8b
 
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一C SSS
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls in Delhi
 
萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程1k98h0e1
 
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一diploma 1
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)861c7ca49a02
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubaikojalkojal131
 
the cOMPUTER SYSTEM - computer hardware servicing.pptx
the cOMPUTER SYSTEM - computer hardware servicing.pptxthe cOMPUTER SYSTEM - computer hardware servicing.pptx
the cOMPUTER SYSTEM - computer hardware servicing.pptxLeaMaePahinagGarciaV
 
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作f3774p8b
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...Amil Baba Dawood bangali
 
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...amilabibi1
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Servicesnajka9823
 

Recently uploaded (20)

毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
 
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRReal Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
 
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
 
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作
 
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
 
萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程
 
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
young call girls in Khanpur,🔝 9953056974 🔝 escort Service
young call girls in Khanpur,🔝 9953056974 🔝 escort Serviceyoung call girls in Khanpur,🔝 9953056974 🔝 escort Service
young call girls in Khanpur,🔝 9953056974 🔝 escort Service
 
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
 
the cOMPUTER SYSTEM - computer hardware servicing.pptx
the cOMPUTER SYSTEM - computer hardware servicing.pptxthe cOMPUTER SYSTEM - computer hardware servicing.pptx
the cOMPUTER SYSTEM - computer hardware servicing.pptx
 
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
 
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 

Android: Behind the scenes

  • 1. Android behind the scenes possible attacks and radical defense measures
  • 2.
  • 3. /dev/block/mmcblk0p1 - 512 000 - dbl • /dev/block/mmcblk0p3 - 4 608 000 - osbl • /dev/block/mmcblk0p4 - 1 024 - header_rex_amss • /dev/block/mmcblk0p5 - 30 720 000 - rex_amss • /dev/block/mmcblk0p6 - 12 800 000 - modem_DSP • /dev/block/mmcblk0p7 - 2 097 152 - CID, Secure_Flag, IMEI, rcdata.img • /dev/block/mmcblk0p8 - 3 145 728 • /dev/block/mmcblk0p9 - 2 097 152 • /dev/block/mmcblk0p10 - 1 048 576 • /dev/block/mmcblk0p11 - 1 048 576 • /dev/block/mmcblk0p12 - 8 961 536 • /dev/block/mmcblk0p13 - 3 145 728 - reserved for modem storage • /dev/block/mmcblk0p14 - 3 145 728 - reserved for modem storage • /dev/block/mmcblk0p15 - 1 048 576 • /dev/block/mmcblk0p16 - 9 172 480 • /dev/block/mmcblk0p17 - 262 144 - misc • /dev/block/mmcblk0p18 - 1 048 576 - hboot • /dev/block/mmcblk0p19 - 1 048 576 - sp1 • /dev/block/mmcblk0p20 - 1 310 720 - wifi • /dev/block/mmcblk0p21 - 8 909 824 - recovery • /dev/block/mmcblk0p22 - 4 194 304 - boot • /dev/block/mmcblk0p23 - 262 144 - mfg • /dev/block/mmcblk0p24 - 2 096 128 - sp2 • /dev/block/mmcblk0p25 - 585 104 896 - system • /dev/block/mmcblk0p26 - 1 232 076 288 - userdata • /dev/block/mmcblk0p27 - 314 572 288 - cache • /dev/block/mmcblk0p28 - 21 757 440 - devlog • /dev/block/mmcblk0p29 - 262 144 - pdata
  • 4. S-ON S-OFF eMMC read, writing Writing in any eMMC only to user-available partition, except partitions partition 7 Flashing only HTC- Flashing any third- signed firmware party modified firmware, including hboot, recovery and custom roms
  • 5. mmcblk0p7 CID IMEI S-Flag
  • 7. Powercycle Partition7 gfree wpthis.ko eMMC injection •void powercycle_emmc() { gpio_tlmm_config(PCOM_GPIO_CFG(88, 0, GPIO_OUTPUT, GPIO_NO_PULL, GPIO_2MA), 0); // turn off. wpthis.ko gpio_set_value(88, 0); mdelay(200); // turn back on. gpio_set_value(88, 1); mdelay(200); }
  • 8. drivers/mmc/card/block.c #if 1 #if 0 if (board_emmc_boot()) if (mmc_card_mmc(card)) { if (brq.cmd.arg < 131073) {/* should not write any value before 131073 */ pr_err("%s: pid %d(tgid %d)(%s)n", func, (unsigned)(current->pid), (unsigned)(current->tgid), current->comm); pr_err("ERROR! Attemp to write radio partition start %d size %dn", brq.cmd.arg, blk_rq_sectors(req)); BUG(); return 0; } #endif
  • 9.
  • 10. Preparations Android 2.3-4.1 • Rooted Android OS, stock or custom Busybox • Android console utility pack installed lm.cryptsetup • Android console LUKS-manager installed USB Debugging Enabled • Access to device’s shell by USB “reboot” binary • Reboot binary from the ROM Manager contents
  • 11. In the Android Shell: #busybox dd if=/dev/zero of=/data/secure0 bs=1M count 800 #losetup /dev/block/loop3 /data/secure0 #lm.cryptsetup luksFormat –c aes-plain /dev/block/loop3 #lm.cryptsetup luksOpen /dev/block/loop3 data #mke2fs –T ext4 –L Secure0 -F /dev/mapper/data #lm.cryptsetup luksClose data In the CWM Recovery: parted /dev/block/mmcblk1 print rm 1 mkpartfs primary fat32 0 4032 mkpartfs primary ext2 4032 8065 quit In the Android Shell: #lm.cryptsetup luksFormat –c aes-plain /dev/block/mmcblk1p2 #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard #mkfs.vfat -n Seccard0 /dev/mapper/sdcard #lm.cryptsetup luksClose sdcard
  • 12. In the Android Shell: #losetup /dev/block/loop3 /data/secure0 #lm.cryptsetup luksOpen /dev/block/loop3 data #mount –o remount,rw / #mkdir /DATA #mount –t ext4 /dev/mapper/data /DATA # cp -a /data/app /DATA # cp -a /data/app-private /DATA # cp -a /data/backup /DATA # cp -a /data/data /DATA # cp -a /data/dontpanic /DATA # cp -a /data/drm /DATA # cp -a /data/etc /DATA # cp -a /data/htcfs /DATA # cp -a /data/local /DATA # cp -a /data/misc /DATA # cp -a /data/property /DATA # cp -a /data/secure /DATA # cp -a /data/system /DATA # cp -a /data/zipalign.log /DATA # mkdir /DATA/d # mkdir /DATA/dalvik-cache # umount /DATA # lm.cryptsetup luksClose data
  • 13. Entering encrypted mode: #setprop ctl.stop zygote #mount -o remount,rw rootfs / #mkdir /DATA #mkdir /mnt/SDCARD #mount -o move /mnt/sdcard /mnt/SDCARD #lm.cryptsetup luksOpen /dev/block/mmcblk1p2 sdcard #mount -t vfat /dev/mapper/sdcard /mnt/sdcard #mount -o remount,ro rootfs / #mount /dev/block/mmcblk0p26 /DATA #losetup /dev/block/loop5 /DATA/secure0 #lm.cryptsetup luksOpen /dev/block/loop5 data #umount /data -l #mount -t ext4 /dev/mapper/data /data #setprop ctl.start zygote #killall zygote Leaving encrypted mode: #sync #setprop ctl.stop zygote #setprop ctl.stop runtime #setprop ctl.stop keystore #fuser /data –m -k #umount /data #/lm.cryptsetup luksClose data #/system/bin/reboot
  • 14.
  • 15. CWM S-ON S-OFF ADB #Root /data/ recovery
  • 16.
  • 17. /data/system/accounts.db /data/data/com.android.providers.contacts/databases/contacts2.db • Contacts • Call history /data/data/com.android.providers.telephony/databases/mmssms.db • Sms
  • 18. adb shell # sqlite3 /data/data/com.android.providers.settings/databases/settings.db sqlite> update secure set value=65536 where name='lockscreen.password_type'; sqlite> .exit # exit adb reboot
  • 19. Basic Moderate Recomended • USB • S-ON • Data Debugging • Stock Encryption Disable Firmware • Unknown Sources Off • PinLock
  • 20. Thank you for listening! See you next time.