GSM-Forum  

08-22-2024, 04:30 #46 (adfree)

Hmmmmmmmmmm...

If I search in the SM-G965F Kernel Source... then for instance this plopped out... for the search string:
urandom


Code:
 * Ensuring unpredictability at system startup
 * ============================================
 *
 * When any operating system starts up, it will go through a sequence
 * of actions that are fairly predictable by an adversary, especially
 * if the start-up does not involve interaction with a human operator.
 * This reduces the actual number of bits of unpredictability in the
 * entropy pool below the value in entropy_count.  In order to
 * counteract this effect, it helps to carry information in the
 * entropy pool across shut-downs and start-ups.  To do this, put the
 * following lines an appropriate script which is run during the boot
 * sequence:
 *
 *    echo "Initializing random number generator..."
 *    random_seed=/var/run/random-seed
 *    # Carry a random seed from start-up to start-up
 *    # Load and then save the whole entropy pool
 *    if [ -f $random_seed ]; then
 *        cat $random_seed >/dev/urandom
 *    else
 *        touch $random_seed
 *    fi
 *    chmod 600 $random_seed
 *    dd if=/dev/urandom of=$random_seed count=1 bs=512
 *
 * and the following lines in an appropriate script which is run as
 * the system is shutdown:
 *
 *    # Carry a random seed from shut-down to start-up
 *    # Save the whole entropy pool
 *    echo "Saving random seed..."
 *    random_seed=/var/run/random-seed
 *    touch $random_seed
 *    chmod 600 $random_seed
 *    dd if=/dev/urandom of=$random_seed count=1 bs=512
 *
 * For example, on most modern systems using the System V init
 * scripts, such code fragments would be found in
 * /etc/rc.d/init.d/random.  On older Linux systems, the correct script
 * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
 *
 * Effectively, these commands cause the contents of the entropy pool
 * to be saved at shut-down time and reloaded into the entropy pool at
 * start-up.  (The 'dd' in the addition to the bootup script is to
 * make sure that /etc/random-seed is different for every start-up,
 * even if the system crashes without executing rc.0.)  Even with
 * complete knowledge of the start-up activities, predicting the state
 * of the entropy pool requires knowledge of the previous history of
 * the system.
 *
 * Configuring the /dev/random driver under Linux
 * ==============================================
 *
 * The /dev/random driver under Linux uses minor numbers 8 and 9 of
 * the /dev/mem major number (#1).  So if your system does not have
 * /dev/random and /dev/urandom created already, they can be created
 * by using the commands:
 *
 *     mknod /dev/random c 1 8
 *     mknod /dev/urandom c 1 9
 *
 * Acknowledgements:
 * =================

Only as idea...


Best Regards
09-06-2024, 18:32 #47 (smithjhon)
Hi Adfree,
I don't quite understand what you're trying to do. Are you trying to understand how the IMEI certificate works on Samsungs?
I have an S8 for testing.
09-10-2024, 04:30 #48 (adfree)
Code:
    <string name="v1_mode_access_sod_dsc">Allow to access SOD(Storage On-board Debugging) Mode for analyzing Strorage(UFS,eMMc)</string>
    <string name="v1_mode_allow_cts_ara_in_ese_dsc">Allow updating CTS Applet into eSe</string>
    <string name="v1_mode_allow_fastbootd_dsc">Allow to trigger fastbootd in recovery mode.</string>
    <string name="v1_mode_allow_get_ga_screenshot_dsc">Allows to collect device screen information (screen capture)</string>
    <string name="v1_mode_allow_gsi_dsc">Allow downloading and booting GSI(Google System Image) on commercial mobile</string>
    <string name="v1_mode_allow_rdx_dump_dsc">FBE(File Based Encryption) exception for /data/rdx_dump folder</string>
    <string name="v1_mode_allow_rf_act_dsc">Allow to launch RF ACT daemon</string>
    <string name="v1_mode_allow_silent_log_dsc">Allow to get silent log</string>
    <string name="v1_mode_avoid_hdm_oem_unlock_policy_dsc">Bypass HDM policy (camera block) due to OEM Unlock</string>
    <string name="v1_mode_cust_kernel_dsc">Allow customized kernel binary to be flashed and booted</string>
    <string name="v1_mode_data_recover_dsc" />
    <string name="v1_mode_deactive_removte_lock_dsc">Deactivate Remote Lock (RMM)</string>
    <string name="v1_mode_debug_cp_dsc">Allow to show CP debug messages</string>
    <string name="v1_mode_debug_vbmeta">Allow flashing debug VBMETA and booting the device where partially built binary images were flashed</string>
    <string name="v1_mode_enable_facm_dsc">Allow to enable FACM(Factory Air Command Manager)</string>
    <string name="v1_mode_eng_kernel_dsc">Allow ENG binaries to be flashed and booted</string>
    <string name="v1_mode_init_em_dsc">This is for only EM 2.X</string>
    <string name="v1_mode_integrated_test_env_dsc">If this mode will be shown, something wrong!, please ask developer</string>
    <string name="v1_mode_keep_5g_state_dsc">Allow to keep 5G state</string>
    <string name="v1_mode_knox_test_dsc">Allow Knox test mode</string>
    <string name="v1_mode_mnfr_allow_atcmd_dsc">Allow protected AT command</string>
    <string name="v1_mode_mnfr_allow_fac_bin_dsc">Allow to flash factory binary into device.</string>
    <string name="v1_mode_mnfr_allow_ob_boot_dsc">Allow OB(OutBattery) boot in Only USB models</string>
    <string name="v1_mode_rca_frame_buf_run_dsc">Allow RCAFrameBuffer application to work</string>
    <string name="v1_mode_rescue_retail_dsc">Retail shop allows recovery of mobile that does not boot</string>
    <string name="v1_mode_reset_activated_id_dsc">Reset Activated id</string>
    <string name="v1_mode_rollback_suw_dsc">Allow to roll-back SetupWizard</string>
    <string name="v1_mode_rtl_run_dsc">Allow to run RTL(Remote Test Lab) application.</string>
    <string name="v1_mode_run_bps_app_dsc">Allow to run BSP(Bad device Predict System) app that predicts the possibility of bad device</string>
    <string name="v1_mode_run_fmm_hidden_dsc">Exposure of Hidden Menu to view the scanned device list of BLE (Bluetooth Lowe Energy) in FMM Client</string>
    <string name="v1_mode_run_gps_test_app_dsc">Automation tool (android application) execution control that checks GPS operation and impacts using GPS API / COMMAND</string>
    <string name="v1_mode_run_labo_test_app_dsc">Mass Automation Test APK for System S/W Stability Verification</string>
    <string name="v1_mode_run_quest_tool_dsc">Allow to run QUEST tool in bootloader.</string>
    <string name="v1_mode_run_remote_viewer_app_dsc">App that provides the screen and sound information of the device connected to the Smart Device Farm (SDF) server</string>
    <string name="v1_mode_run_rfalt_app_dsc">Allow the RF ALT app to run used for RF part testing</string>
    <string name="v1_mode_run_sl4a_app_dsc">Allows to run the SL4A (Scripting Layer for Android) app used for automation system using script language</string>
    <string name="v1_mode_run_ubis_agent_app_dsc">In order to implement the terminal pre-setup tool (FAST, UBIS Framework) for shipment verification, a separate service agent APK provides the functions that the phone must support</string>
    <string name="v1_mode_run_wass_app_dsc">Allow WASS application to work</string>
    <string name="v1_mode_run_wolfserver_app_dsc">Allows to run the WolfServer app used for SQE test.</string>
    <string name="v1_mode_scan2dram_dsc">Do not remove SCAN2DRAM debug data even after SECURE JTAG ENABLE (Only for LSI)</string>
    <string name="v1_mode_skip_iss_dsc">Allow to skip ISS.</string>
    <string name="v1_mode_tcp_dump_dsc">Allow to enable TCP dump</string>
    <string name="v1_mode_test_dsc">This is test mode (please do not install)</string>
    <string name="v1_mode_unknown_dsc">Unknown mode</string>
    <string name="v1_mode_usb_debug_dsc">"ㆍMODE_USB_DEBUG
ㆍMODE_RUN_KEY_STRING_APP
ㆍMODE_SKIP_SUW
ㆍMODE_SKIP_MTP_POPUP
ㆍMODE_KEEP_USB_DEBUG_UNDER_KNOX
ㆍMODE_ENABLE_BIXBY_LOG"</string>

In "theory", because it depends on firmware etc., more than 3 modes exist...


Only as tiny info.


Best Regards
09-11-2024, 19:10 #49 (TaiChi gossip)
As is well known, all cheap (non-officially generated) V3 tokens are created using self-made DRK V2 server cert. This is why, after flashing, the phone is required to stay offline.
It seems that there is a leaked E0C2 certificate online, but it still requires the key.
09-18-2024, 23:25 #50 (adfree)
Was somebody able to identify the new Root CA Modulus for v4?


IMHO it is no longer:
E0C2818755AFD2D1E08DA3728023B9F6...


Code:
EngineeringMode mnfr ROOT

No idea why it is the same Modulus in the EM Cert as before in the DRK chain... from DASEUL...

Best Regards
09-23-2024, 22:16 #51 (adfree)
Please.


I need, for study, the PHN-P Cert(s) from the end of the system partition... aka DRK1...


Looks like this:
Code:
    "PHN-P:20160330:00:20:00539383:ROOT",
    "PHN-P:20160330:00:20:00598555:ROOT",
    "PHN-P:20160628:00:20:00368783:ROOT",
    "PHN-P:20160628:00:20:00368808:ROOT",
    "PHN-P:20160628:00:20:00368809:ROOT",
    "PHN-P:20160628:00:20:00368836:ROOT",
    "PHN-P:20160628:00:20:00368837:ROOT",
    "PHN-P:20160628:00:20:00368867:ROOT",
    "PHN-P:20160628:00:20:00368905:ROOT",
    "PHN-P:20160628:00:20:00368910:ROOT",
    "PHN-P:20160628:00:20:00368918:ROOT",
    "PHN-P:20160628:00:20:00368928:ROOT",
    "PHN-P:20160705:00:20:00002085:ROOT",
    "PHN-P:20160705:00:20:00002135:ROOT",
    "PHN-P:20160705:00:20:00002150:ROOT",

The oldest device I found in my old hands... is the SM-G920F... S6 Series...


It is really hard to find full dumps with a complete system partition...

I found 1 DEVelopment Cert with PHN-D from 2013...
Code:
PHN-D:20131008:02:00:00000001:ROOT

Root CA is btw also from 2013... I mean Cert with Modulus:

Maybe somebody found in the last 10 years 1 or 2 such Certs and can contact me...


Thanx in advance.


Best Regards
10-03-2024, 01:15 #52 (adfree)
After some longer problem finding my old UART/Prolific crap...


I was able to bypass this tiny problem on my SM-G920F aka S6 by "patching" ddexe...
So now I can see... with a simple USB cable...


Code:
[01:41:48] AT+DEVROOTK=1,0,0 
[01:41:50] AT+DEVROOTK=1,0,0 +DEVROOTK:1,PHN-P:20160428:01:03:00670662:ROOT  OK  
[01:42:41] AT+DEVROOTK=0,0,0 
[01:42:41] AT+DEVROOTK=0,0,0 +DEVROOTK:0,OK  OK

So I can more easily proceed with older device(s)... for tiny EM research...
hopefully...

Only as info...



ccm_gen_cert looks also interesting for study...



Best Regards
10-14-2024, 12:49 #53 (adfree)
Very nice post...
https://forum.gsmhosting.com/vbb/f45...l#post11651918


Then via Google I found the full AT cmd...


So 1 more PHN-P Cert with Private Key...


Meanwhile I have """managed""" ccm_gen_cert...


Very interesting.


Still I have more questions than answers...


Still under Construction...


Best Regards
11-02-2024, 04:27 #54 (adfree)
ffffffff00000000000000000000000c.tlbin


Before Android 6 it was also floating around as a decrypted Trustlet...


Here an example from FAC 4.4.3, 2014:

Code:
[D]CSTORAGE_PROV: Got RSA cert length (get_cert): %d bytes
[D]CSTORAGE_PROV: After get UID: %s
[D]CSTORAGE_PROV: Got IV length: %d bytes
[D]CSTORAGE_PROV: Private key has been successfully decrypted
[D]CSTORAGE_PROV: IV length: %d bytes
[D]CSTORAGE_PROV: Got symmetric key length: %d bytes
[D]CSTORAGE_PROV: HMAC verify success
[D]CSTORAGE_PROV: Symmetric key has been successfully decrypted
[D]CSTORAGE_PROV: handled RSA_SHA256
[D]CSTORAGE_PROV: rsa_check_keypair: ctx->len = %d
[D]CSTORAGE_PROV: getSHA256Digest start
[D]CSTORAGE_PROV: getSHA256Digest end
[D]CSTORAGE_PROV: wrap start
[D]CSTORAGE_PROV: buf[0] = %02x, wrapped[0] = %02x
[D]CSTORAGE_PROV: wrap end
[D]CSTORAGE_PROV: got wrapped object %u byte
[D]CSTORAGE_PROV: get command %d
[D]CSTORAGE_PROV: Private key has been successfully saved to SFS
[D]CSTORAGE_PROV: HMAC verify success with modified KEK (this is broken blob)
[D]CSTORAGE_PROV: x509_parse_ext_authority_key_identifier: not a sequence, tag=%d, class=%d
[D]CSTORAGE_PROV: x509_parse_ext_authority_key_identifier: not a expl_0
[D]CSTORAGE_PROV: getRandBlock() failed, using hardcoded string...
[D]CSTORAGE_PROV: decryptDataAES_CBC_s: actual len of symm key is %u

I am playing in DRK 1 aka PHN- "world" to find something for my tiny...
E0C2 Modulus problem...


For now I can play with the S5.

Best Regards
11-02-2024, 12:29 #55 (adfree)
The Trustlet from Android 4 and 5 is the same...
Since 6 it is encrypted...


DRK 1 aka PHN-P


70 KB...


Maybe somebody with IDA skills, or who can run it in QEMU or something like this...


has any kind of idea...


How to force signing with E0C2 ... to get also custom EngineeringMode Cert...
For v3/EM 3...


Best Regards
Attached file: Trusti_smG800F_v1.zip (219.0 KB)

11-02-2024, 12:35 #56 (adfree)
gs8tmo.eng.7z


Maybe somebody knows this ENG dump from S8...


Floating around in Internet....


Code:
/efs/prov_data/dev_root/dev_root.dat
/efs/prov_data/dev_root/sym_key.dat

Both files without typical Header blabla...


Maybe somebody already knows how to decrypt this...


Only as info...


Best Regards