Android
founder:
depends on:
interested: ruza, biiter, Yan
software license:
hardware license:
status: active

People involved in this project are interested in gaining a better understanding of the Android platform, learning how to improve Android security, or customizing the Android platform for their specific needs.

Research Wishlist

Equipment

Knowledge base

Building Android from source

If you want to add more deeply integrated features to Android you need to implement them in the source code and then successfully build that code. If you need a feature that is already implemented in another ROM, in the majority of cases the best solution is cherry-picking.

The source code of many ROMs is available on GitHub.

A lot has been written about building ROMs; a good starting point is to build AOSP or a CM ROM from source (the guides are on their web pages).

Unlocking

Before you install a custom ROM you need to unlock your device first, using fastboot. In the case of Samsung devices you will need Heimdall, which was written by “some guys from MIT.”

Editing your build

Source-code editing guides and hints are collected here.

There is a wiki entry related to building specific ROMs and devices, but the tips and tricks can be applied globally.

Android Security

Android has many security features. Some of them are implemented better than others (e.g. ASLR). Our goal in brmlab is to improve the use of those features. Security features implemented in Android include:

Android devices attack vectors

RADIO (BASEBAND, MODEM) is another processor inside every mobile phone, responsible for communication between the BTS and your OS. It is a closed-source and poorly documented playground (it is not easy to find clear, easily understandable articles on this topic). The source code dates from the 80s and 90s, with the security mindset of that era.

Android exploits

If you want to improve Android security it is good to know the problem from the other side, so that you can adapt policies and code changes to prevent attacks. Obviously nobody can predict what exactly a 0day exploit will look like, but if you learn how to minimize the impact even after successful exploitation, you are one step closer to saving the device.

Exploit list

Here are some of the exploits known today for the Android platform. It serves mainly as a link database for interesting information on special cases; old ones are left in the database for educational and historical reasons. For full coverage of known Android vulnerabilities use cvedetails or exploit-db instead.

Studies / reports

TODO: link database outdated - update, improve

Android application creating & building

Reverse engineering

TODO: link database outdated - update, improve

Android rooting

In many cases, if you want to modify your device you first need to root it. There are many ready-to-use toolkits online, but many of them come from an unknown source.

One solution to this problem is to compile your own root toolkit from open source, e.g. Android run root shell (thanks to da3m0n22 for the link).

Flashing recovery

No binaries to install. No shitty fastboot udev rules.

# push the image to the device's shared storage, then open a shell on the device
adb push recovery.img /storage/emulated/0/
adb shell
# the following runs on the device; writing the block device needs a root shell (su)
DEV=$(ls /dev/block/platform/*/by-name/recovery); echo $DEV
dd of=$DEV if=/storage/emulated/0/recovery.img
exit
adb reboot recovery
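A more defensive version of the same on-device write, added here as an example (it is not part of the original page): it refuses to write when the image is larger than the partition and compares the partition contents against the image afterwards, so a truncated push or a wrong by-name path is caught before you reboot into recovery. The function names are my own; the script assumes a root shell and toybox-style head, wc, sha256sum, dd and blockdev on the device (older devices may lack sha256sum).

```shell
#!/bin/sh
# Verified recovery-partition write. Added example, not the page's own commands.
# Assumes: root shell on the device; head -c, wc, sha256sum, dd, blockdev available.

# bytes_of PATH: size in bytes of a block device or a regular file.
bytes_of() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# digest_prefix PATH NBYTES: sha256 (digest only) of the first NBYTES of PATH,
# so a partition can be compared with an image that is smaller than it.
digest_prefix() {
  head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# flash_recovery IMAGE DEVICE
# Refuses to write when the image or target is missing or when the image is
# larger than the partition; after writing, verifies the partition bytes.
# Return codes: 0 ok, 2 missing path, 3 image too large, 4 write failed, 5 verify failed.
flash_recovery() {
  img="$1"; dev="$2"
  [ -f "$img" ] || { echo "image not found: $img" >&2; return 2; }
  [ -e "$dev" ] || { echo "target not found: $dev" >&2; return 2; }
  img_size=$(bytes_of "$img")
  dev_size=$(bytes_of "$dev")
  if [ "$img_size" -gt "$dev_size" ]; then
    echo "image ($img_size B) larger than partition ($dev_size B), refusing" >&2
    return 3
  fi
  # notrunc keeps a regular-file target its size (irrelevant for a block device);
  # fsync makes dd flush before reporting success
  dd if="$img" of="$dev" bs=4096 conv=notrunc,fsync 2>/dev/null || return 4
  sync
  if [ "$(digest_prefix "$img" "$img_size")" != "$(digest_prefix "$dev" "$img_size")" ]; then
    echo "verification failed: partition content does not match image" >&2
    return 5
  fi
  echo "wrote and verified $img_size bytes to $dev"
  return 0
}

# Usage on the device (after adb push + adb shell + su):
#   flash_recovery /storage/emulated/0/recovery.img "$(ls /dev/block/platform/*/by-name/recovery)"
```

Only run `adb reboot recovery` once the function reports the bytes as written and verified; any non-zero return means the partition was either left untouched (codes 2 and 3) or should be re-flashed before rebooting (codes 4 and 5).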

GPLv2 Android

From wiki: Replicant is a free and open source operating system based on the Android mobile platform, which aims to replace all proprietary Android components with their free software counterparts. This also makes it a security-focused operating system, as it closes discovered Android backdoors.

The problem is that, unfortunately, it only covers the radio's integration into Android, not the radio firmware itself.

Official project website

TODO: link database outdated - update, improve

Speeding up the Android emulator

Cool appz

Cool soft

Misc Notes

Devices

/dev/mtd/

Trivia

How to get into Settings even when the UI does not allow it:
./adb shell am start -a android.intent.action.MAIN -n com.android.email/.Settings

http://www.anddev.org/novice-tutorials-f8/using-the-am-tool-start-activities-intens-from-a-shell-t368.html

Random MAC

# $RANDOM is a bash/mksh feature; the decimal values 10..98 are reused as hex digit pairs, so only part of each octet's range is ever produced
echo 00:50:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`:`expr $RANDOM % 89 + 10`

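An added example (not the page's one-liner) that draws all six octets from /dev/urandom and sets the two flag bits properly: bit 0 of the first octet cleared (unicast) and bit 1 set (locally administered), which is what a randomized address should look like so it never collides with a vendor-assigned OUI. The function names are my own; it assumes od and /dev/urandom, which both Linux and Android's toybox provide.

```shell
#!/bin/sh
# Random locally administered unicast MAC. Added example, not from the page.
# Assumes: POSIX sh, od, /dev/urandom.

# random_mac: print one address in aa:bb:cc:dd:ee:ff form.
random_mac() {
  # six random bytes as six space-separated lowercase hex words
  set -- $(od -An -N6 -tx1 /dev/urandom)
  # first octet: clear the multicast bit (0x01), set the locally administered bit (0x02)
  first=$(( (0x$1 & 0xfc) | 0x02 ))
  printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# is_local_unicast MAC: succeed only for a well-formed lowercase address whose
# first octet is locally administered and unicast (low two bits == 10b).
is_local_unicast() {
  expr "$1" : '[0-9a-f][0-9a-f]\(:[0-9a-f][0-9a-f]\)\{5\}$' >/dev/null || return 1
  first=$(( 0x${1%%:*} ))
  [ $(( first & 3 )) -eq 2 ]
}

# Usage: random_mac            -> e.g. 3e:a2:00:1b:cc:dd (value differs each run)
#        is_local_unicast "$m" -> exit status 0 when the address is usable
```

The check function is the useful half for a defender: run it over whatever address a script or app is about to configure, and reject anything with the multicast bit set or with a vendor-style first octet such as the page's fixed 00:50 prefix.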
StrongSwan

A CA certificate needs to be imported to verify the server side of the connection. The certificate can be in its binary form with a .pem filename suffix.

logcat errors

To view only system messages logged at the Error level, use a message filter like this:

adb logcat '*:E'
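The same priority threshold can be applied after the fact to saved logcat output, which is handier when you are triaging a log someone sent you. The shell/awk helpers below are an added example, not from the page: they parse the brief format (`P/Tag(  PID): message`), keep entries at or above a given priority, and count them per tag. The sample lines in the test are constructed, one of them modelled on the WifiHW supplicant error noted under "Wi-Fi suddenly stopped working" further down this page.

```shell
#!/bin/sh
# Offline logcat priority filter and per-tag error counts. Added example, not from the page.
# Assumes logcat "brief" format on stdin: P/Tag(  PID): message
# where P is one of V D I W E F (least to most severe).

# logcat_filter LEVEL: pass through lines whose priority is LEVEL or more severe.
# Lines that do not start with "P/" (e.g. "--------- beginning of ...") are dropped.
logcat_filter() {
  awk -v min="$1" '
    BEGIN { order = "VDIWEF"; minrank = index(order, min) }
    substr($0, 2, 1) == "/" && index(order, substr($0, 1, 1)) >= minrank { print }
  '
}

# logcat_tag_counts LEVEL: "TAG COUNT" per tag for entries at LEVEL or above,
# most frequent first, so the noisiest failing component is on the first line.
logcat_tag_counts() {
  logcat_filter "$1" | awk '
    {
      rest = substr($0, 3)             # drop the "P/" prefix
      p = index(rest, "(")             # tag ends where "(  PID)" begins
      tag = substr(rest, 1, p - 1)
      sub(/[ \t]+$/, "", tag)          # logcat pads short tags with spaces
      count[tag]++
    }
    END { for (t in count) print t, count[t] }
  ' | sort -k2,2nr -k1,1
}

# Usage:
#   adb logcat -d > device.log
#   logcat_tag_counts E < device.log
#   logcat_filter W < device.log
```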

Android Open Accessory Development Kit

The Android Open Accessory Development Kit is available at brmlab.

Hands-On with the Android Open Accessory Development Kit

Requires Platform 2.3.3, API Level 10, on the Android phone.


Some hardware mods are documented on Picasa.

Root

Dropad A8 [INCOMPLETE]

http://www.youtube.com/user/MrTasselhof

Unbrick Android tablet

http://www.slatedroid.com/topic/19289-guide-revive-your-dead-tablet/page__view__findpost__p__221288

  1. Download HerotabC8_V2.2_2011_03_01.zip or Haipad_M7_0831_android2.3 Rooted.zip. (tested by ruza)
  2. Take out the internal 4GB microSD and wipe it clean: dd if=/dev/zero of=/dev/sdX bs=512KB count=4 No need to do anything further, i.e. creating a partition or formatting.
  3. Put the internal 4GB microSD back into the tablet.
  4. Extract the contents of the ZIP. With u-boot-sd.bin from the ZIP, use dd to dump it onto an external microSD. I used a 2GB card for this. dd if=/path_to_bin/u-boot-sd.bin of=/dev/sdX
  5. Copy the entire contents of the ZIP to the largest partition of the external microSD. It was the only automatically mounted partition when I replugged the card into Ubuntu.
  6. I had to do these steps as recommended in the first post: rm -R utscript_sd && cp utscript utscript_sd (I didn't do it initially, and after the recovery flash my tablet couldn't boot w/o the external microSD)
  7. Insert the external microSD into your tablet. Now both microSDs are inside the tablet.
  8. Press the power and “M” buttons simultaneously. It should boot up and begin recovery. After that is done, you may remove your external microSD and proceed as you wish.

What we've learned: the Power On switch functionality depends on the internal SD content (even if the device seems to be bricked).

Source

Wi-Fi suddenly stopped working

An error like this will appear in logcat:

E/WifiHW  (  ): Unable to open connection to supplicant on "/data/system/wpa_supplicant/wlan0": No such file or directory

Make sure the wpa_supplicant configuration contains the control interface settings, so that the control socket is created in that directory:

ctrl_interface=DIR=/data/system/wpa_supplicant GROUP=wifi
update_config=1

more info about Android WPA supplicant