GSM-Forum | GSM Programming & Reverse Engineering
08-22-2024, 04:30 | #46 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

If I search in SM-G965F Kernel Source... then for instance this plopped out... for search string: urandom

Code:
 * Ensuring unpredictability at system startup
 * ============================================
 *
 * When any operating system starts up, it will go through a sequence
 * of actions that are fairly predictable by an adversary, especially
 * if the start-up does not involve interaction with a human operator.
 * This reduces the actual number of bits of unpredictability in the
 * entropy pool below the value in entropy_count. In order to
 * counteract this effect, it helps to carry information in the
 * entropy pool across shut-downs and start-ups. To do this, put the
 * following lines an appropriate script which is run during the boot
 * sequence:
 *
 *	echo "Initializing random number generator..."
 *	random_seed=/var/run/random-seed
 *	# Carry a random seed from start-up to start-up
 *	# Load and then save the whole entropy pool
 *	if [ -f $random_seed ]; then
 *		cat $random_seed >/dev/urandom
 *	else
 *		touch $random_seed
 *	fi
 *	chmod 600 $random_seed
 *	dd if=/dev/urandom of=$random_seed count=1 bs=512
 *
 * and the following lines in an appropriate script which is run as
 * the system is shutdown:
 *
 *	# Carry a random seed from shut-down to start-up
 *	# Save the whole entropy pool
 *	echo "Saving random seed..."
 *	random_seed=/var/run/random-seed
 *	touch $random_seed
 *	chmod 600 $random_seed
 *	dd if=/dev/urandom of=$random_seed count=1 bs=512
 *
 * For example, on most modern systems using the System V init
 * scripts, such code fragments would be found in
 * /etc/rc.d/init.d/random. On older Linux systems, the correct script
 * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
 *
 * Effectively, these commands cause the contents of the entropy pool
 * to be saved at shut-down time and reloaded into the entropy pool at
 * start-up. (The 'dd' in the addition to the bootup script is to
 * make sure that /etc/random-seed is different for every start-up,
 * even if the system crashes without executing rc.0.) Even with
 * complete knowledge of the start-up activities, predicting the state
 * of the entropy pool requires knowledge of the previous history of
 * the system.
 *
 * Configuring the /dev/random driver under Linux
 * ==============================================
 *
 * The /dev/random driver under Linux uses minor numbers 8 and 9 of
 * the /dev/mem major number (#1). So if your system does not have
 * /dev/random and /dev/urandom created already, they can be created
 * by using the commands:
 *
 *	mknod /dev/random c 1 8
 *	mknod /dev/urandom c 1 9
 *
 * Acknowledgements:
 * =================

Only as idea...

Best Regards
09-06-2024, 18:32 | #47 | smithjhon (Member 1144205, Freak Poster, Join Date: Oct 2009)

Hi Adfree, I don't quite understand what you're trying to do. Are you trying to understand how the IMEI certificate works on Samsungs? I have an S8 for testing.
09-10-2024, 04:30 | #48 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

Code:
<string name="v1_mode_access_sod_dsc">Allow to access SOD(Storage On-board Debugging) Mode for analyzing Strorage(UFS,eMMc)</string>
<string name="v1_mode_allow_cts_ara_in_ese_dsc">Allow updating CTS Applet into eSe</string>
<string name="v1_mode_allow_fastbootd_dsc">Allow to trigger fastbootd in recovery mode.</string>
<string name="v1_mode_allow_get_ga_screenshot_dsc">Allows to collect device screen information (screen capture)</string>
<string name="v1_mode_allow_gsi_dsc">Allow downloading and booting GSI(Google System Image) on commercial mobile</string>
<string name="v1_mode_allow_rdx_dump_dsc">FBE(File Based Encryption) exception for /data/rdx_dump folder</string>
<string name="v1_mode_allow_rf_act_dsc">Allow to launch RF ACT daemon</string>
<string name="v1_mode_allow_silent_log_dsc">Allow to get silent log</string>
<string name="v1_mode_avoid_hdm_oem_unlock_policy_dsc">Bypass HDM policy (camera block) due to OEM Unlock</string>
<string name="v1_mode_cust_kernel_dsc">Allow customized kernel binary to be flashed and booted</string>
<string name="v1_mode_data_recover_dsc" />
<string name="v1_mode_deactive_removte_lock_dsc">Deactivate Remote Lock (RMM)</string>
<string name="v1_mode_debug_cp_dsc">Allow to show CP debug messages</string>
<string name="v1_mode_debug_vbmeta">Allow flashing debug VBMETA and booting the device where partially built binary images were flashed</string>
<string name="v1_mode_enable_facm_dsc">Allow to enable FACM(Factory Air Command Manager)</string>
<string name="v1_mode_eng_kernel_dsc">Allow ENG binaries to be flashed and booted</string>
<string name="v1_mode_init_em_dsc">This is for only EM 2.X</string>
<string name="v1_mode_integrated_test_env_dsc">If this mode will be shown, something wrong!, please ask developer</string>
<string name="v1_mode_keep_5g_state_dsc">Allow to keep 5G state</string>
<string name="v1_mode_knox_test_dsc">Allow Knox test mode</string>
<string name="v1_mode_mnfr_allow_atcmd_dsc">Allow protected AT command</string>
<string name="v1_mode_mnfr_allow_fac_bin_dsc">Allow to flash factory binary into device.</string>
<string name="v1_mode_mnfr_allow_ob_boot_dsc">Allow OB(OutBattery) boot in Only USB models</string>
<string name="v1_mode_rca_frame_buf_run_dsc">Allow RCAFrameBuffer application to work</string>
<string name="v1_mode_rescue_retail_dsc">Retail shop allows recovery of mobile that does not boot</string>
<string name="v1_mode_reset_activated_id_dsc">Reset Activated id</string>
<string name="v1_mode_rollback_suw_dsc">Allow to roll-back SetupWizard</string>
<string name="v1_mode_rtl_run_dsc">Allow to run RTL(Remote Test Lab) application.</string>
<string name="v1_mode_run_bps_app_dsc">Allow to run BSP(Bad device Predict System) app that predicts the possibility of bad device</string>
<string name="v1_mode_run_fmm_hidden_dsc">Exposure of Hidden Menu to view the scanned device list of BLE (Bluetooth Lowe Energy) in FMM Client</string>
<string name="v1_mode_run_gps_test_app_dsc">Automation tool (android application) execution control that checks GPS operation and impacts using GPS API / COMMAND</string>
<string name="v1_mode_run_labo_test_app_dsc">Mass Automation Test APK for System S/W Stability Verification</string>
<string name="v1_mode_run_quest_tool_dsc">Allow to run QUEST tool in bootloader.</string>
<string name="v1_mode_run_remote_viewer_app_dsc">App that provides the screen and sound information of the device connected to the Smart Device Farm (SDF) server</string>
<string name="v1_mode_run_rfalt_app_dsc">Allow the RF ALT app to run used for RF part testing</string>
<string name="v1_mode_run_sl4a_app_dsc">Allows to run the SL4A (Scripting Layer for Android) app used for automation system using script language</string>
<string name="v1_mode_run_ubis_agent_app_dsc">In order to implement the terminal pre-setup tool (FAST, UBIS Framework) for shipment verification, a separate service agent APK provides the functions that the phone must support</string>
<string name="v1_mode_run_wass_app_dsc">Allow WASS application to work</string>
<string name="v1_mode_run_wolfserver_app_dsc">Allows to run the WolfServer app used for SQE test.</string>
<string name="v1_mode_scan2dram_dsc">Do not remove SCAN2DRAM debug data even after SECURE JTAG ENABLE (Only for LSI)</string>
<string name="v1_mode_skip_iss_dsc">Allow to skip ISS.</string>
<string name="v1_mode_tcp_dump_dsc">Allow to enable TCP dump</string>
<string name="v1_mode_test_dsc">This is test mode (please do not install)</string>
<string name="v1_mode_unknown_dsc">Unknown mode</string>
<string name="v1_mode_usb_debug_dsc">"ㆍMODE_USB_DEBUG ㆍMODE_RUN_KEY_STRING_APP ㆍMODE_SKIP_SUW ㆍMODE_SKIP_MTP_POPUP ㆍMODE_KEEP_USB_DEBUG_UNDER_KNOX ㆍMODE_ENABLE_BIXBY_LOG"</string>

In "theory", because it depends on firmware etc., more than 3 modes exist...

Only as tiny info.

Best Regards
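The mode list above is easier to audit as an inventory than as raw XML. The script below is an added example, not code from the post or from Samsung; it parses `v1_mode_<name>_dsc` string resources into MODE_<NAME> entries, handles the empty `v1_mode_data_recover_dsc` element and the `usb_debug` entry that bundles several MODE_ constants, and flags modes that ship without a description. The name-to-constant mapping is assumed from the `usb_debug` entry, which spells out MODE_USB_DEBUG itself; the XML fragment is constructed from a few of the quoted strings.

```python
"""Inventory Samsung EngineeringMode mode strings from a strings.xml fragment (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the quoted resource list, including the two
# edge cases: an empty self-closing entry and a text that bundles MODE_ names.
SAMPLE_XML = """<resources>
<string name="v1_mode_allow_fastbootd_dsc">Allow to trigger fastbootd in recovery mode.</string>
<string name="v1_mode_cust_kernel_dsc">Allow customized kernel binary to be flashed and booted</string>
<string name="v1_mode_data_recover_dsc" />
<string name="v1_mode_debug_vbmeta">Allow flashing debug VBMETA</string>
<string name="v1_mode_usb_debug_dsc">"ㆍMODE_USB_DEBUG ㆍMODE_RUN_KEY_STRING_APP ㆍMODE_SKIP_SUW"</string>
<string name="app_name">EngineeringMode</string>
</resources>"""

# Resource names are v1_mode_<mode>[_dsc]; the _dsc suffix is not always present.
_NAME_RE = re.compile(r"^v1_mode_(?P<mode>[a-z0-9_]+?)(?:_dsc)?$")


def parse_modes(xml_text: str) -> dict[str, dict]:
    """Return {MODE_NAME: {"description": str, "bundled": [MODE_...]}}.

    Non-mode resources are skipped. An empty element yields an empty
    description instead of raising, so the caller can flag it.
    """
    root = ET.fromstring(xml_text)
    modes: dict[str, dict] = {}
    for elem in root.iter("string"):
        m = _NAME_RE.match(elem.get("name", ""))
        if not m:
            continue
        mode = "MODE_" + m.group("mode").upper()  # assumed mapping, see lead-in
        text = (elem.text or "").strip().strip('"')
        # Some entries are a "ㆍ"-separated list of MODE_ constants, not prose.
        bundled = re.findall(r"MODE_[A-Z0-9_]+", text) if "ㆍ" in text else []
        modes[mode] = {"description": text, "bundled": bundled}
    return modes


def modes_without_description(modes: dict[str, dict]) -> list[str]:
    """Modes whose resource carries no text; worth a second look when auditing."""
    return sorted(k for k, v in modes.items() if not v["description"])


if __name__ == "__main__":
    inventory = parse_modes(SAMPLE_XML)
    for name, info in sorted(inventory.items()):
        print(f"{name}: {info['description'] or '<no description>'}")
    print("undocumented:", modes_without_description(inventory))
```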
09-11-2024, 19:10 | #49 | TaiChi gossip (Member 2418095, Freak Poster, Join Date: Jun 2015)

As is well known, all cheap (non-officially generated) V3 tokens are created using a self-made DRK V2 server cert. This is why, after flashing, the phone is required to stay offline. It seems that there is a leaked E0C2 certificate online, but it still requires the key.
09-18-2024, 23:25 | #50 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

Was somebody able to identify the new Root CA Modulus for v4? IMHO it is no more: E0C2818755AFD2D1E08DA3728023B9F6...

Code:
EngineeringMode mnfr ROOT

No idea why it is the same Modulus in the EM Cert as before in the DRK chain... from DASEUL...

Best Regards
09-23-2024, 22:16 | #51 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

Please. Need for study the PHN-P Cert(s) from the end of the system partition... aka DRK1... Looks like this:

Code:
"PHN-P:20160330:00:20:00539383:ROOT",
"PHN-P:20160330:00:20:00598555:ROOT",
"PHN-P:20160628:00:20:00368783:ROOT",
"PHN-P:20160628:00:20:00368808:ROOT",
"PHN-P:20160628:00:20:00368809:ROOT",
"PHN-P:20160628:00:20:00368836:ROOT",
"PHN-P:20160628:00:20:00368837:ROOT",
"PHN-P:20160628:00:20:00368867:ROOT",
"PHN-P:20160628:00:20:00368905:ROOT",
"PHN-P:20160628:00:20:00368910:ROOT",
"PHN-P:20160628:00:20:00368918:ROOT",
"PHN-P:20160628:00:20:00368928:ROOT",
"PHN-P:20160705:00:20:00002085:ROOT",
"PHN-P:20160705:00:20:00002135:ROOT",
"PHN-P:20160705:00:20:00002150:ROOT",

The oldest device I found in my old hands... is SM-G920F... S6 Series... It is really hard to find full dumps with a complete system partition... I found 1 DEVelopment Cert with PHN-D from 2013...

Code:
PHN-D:20131008:02:00:00000001:ROOT

The Root CA is btw also from 2013... I mean the Cert with Modulus:

Code:
E0C2818755AFD2D1E08DA3728023B9F63180DF093106DB52B0985A986B1E5CF3506D66BF82A3AB26427B5A0DBA063FE4E40E8655A77A59A4C3D56DC29BC37EC0383343C3BC8508AD65EAEF5F68994CC4E75D5595E4830E2812169FD4C4C66C0CEF1C0980C1B5F93542E7C7EECF863A05DD941BACC27CDB20216E6C6AA43B8BF41525C932A28700AAEE75D2A9FB860EDAD6C57ABE76A83BBD6E5119A3D4208B6730DE23C2299E6BD3E4F43E75FB85E06E514714B2441DF0ECE9E4C4E145FE506C4E8A11BF5AB30A470D204420CF8BE5CDF1E01B776EAD24B491D69F4D0D4DE53292584A7490066DD55F513AB132DD57FE5B021EAF160C21C25DD75DB4A32411DD

Maybe somebody has found 1 or 2 such Certs in the last 10 years and can contact me... Thanx in advance.

Best Regards
10-03-2024, 01:15 | #52 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

After some loooonger problem finding my old UART/Prolific crap... I was able to bypass this tiny problem on my SM-G920F aka S6 by "patching" ddexe... So now I can see... with a simple USB cable...

Code:
[01:41:48] AT+DEVROOTK=1,0,0
[01:41:50] AT+DEVROOTK=1,0,0
+DEVROOTK:1,PHN-P:20160428:01:03:00670662:ROOT
OK
[01:42:41] AT+DEVROOTK=0,0,0
[01:42:41] AT+DEVROOTK=0,0,0
+DEVROOTK:0,OK
OK

So I can more easily proceed with older device(s)... for tiny EM research... hopefully...

Only as info... ccm_gen_cert also looks interesting for study...

Best Regards
10-14-2024, 12:49 | #53 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

Very nice post... https://forum.gsmhosting.com/vbb/f45...l#post11651918

Then via Google found the full AT cmd... So 1 more PHN-P Cert with Private Key...

Meanwhile I have """managed""" ccm_gen_cert... Very interesting. Still I have more QuestionS than answers...

Still under Construction...

Best Regards
11-02-2024, 04:27 | #54 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

ffffffff00000000000000000000000c.tlbin

Before Android 6 it was also floating around as a decrypted Trustlet... Here an example from FAC 4.4.3 (2014):

Code:
[D]CSTORAGE_PROV: Got RSA cert length (get_cert): %d bytes
[D]CSTORAGE_PROV: After get UID: %s
[D]CSTORAGE_PROV: Got IV length: %d bytes
[D]CSTORAGE_PROV: Private key has been successfully decrypted
[D]CSTORAGE_PROV: IV length: %d bytes
[D]CSTORAGE_PROV: Got symmetric key length: %d bytes
[D]CSTORAGE_PROV: HMAC verify success
[D]CSTORAGE_PROV: Symmetric key has been successfully decrypted
[D]CSTORAGE_PROV: handled RSA_SHA256
[D]CSTORAGE_PROV: rsa_check_keypair: ctx->len = %d
[D]CSTORAGE_PROV: getSHA256Digest start
[D]CSTORAGE_PROV: getSHA256Digest end
[D]CSTORAGE_PROV: wrap start
[D]CSTORAGE_PROV: buf[0] = %02x, wrapped[0] = %02x
[D]CSTORAGE_PROV: wrap end
[D]CSTORAGE_PROV: got wrapped object %u byte
[D]CSTORAGE_PROV: get command %d
[D]CSTORAGE_PROV: Private key has been successfully saved to SFS
[D]CSTORAGE_PROV: HMAC verify success with modified KEK (this is broken blob)
[D]CSTORAGE_PROV: x509_parse_ext_authority_key_identifier: not a sequence, tag=%d, class=%d
[D]CSTORAGE_PROV: x509_parse_ext_authority_key_identifier: not a expl_0
[D]CSTORAGE_PROV: getRandBlock() failed, using hardcoded string...
[D]CSTORAGE_PROV: decryptDataAES_CBC_s: actual len of symm key is %u

I am playing in the DRK 1 aka PHN- "world" to find something for my tiny... E0C2 Modulus problem...

For now I can play with S5

Best Regards
11-02-2024, 12:29 | #55 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

Trustlet from Android 4 and 5 is the same... Since 6 encrypted... DRK 1 aka PHN-P 70 KB...

Maybe somebody with IDA skills, or who can run it in QEMU or something like this... has any kind of idea... How to force signing with E0C2... to also get a custom EngineeringMode Cert... For v3/EM 3...

Best Regards
11-02-2024, 12:35 | #56 | adfree (Member 420658, No Life Poster, Join Date: Dec 2006)

gs8tmo.eng.7z

Maybe somebody knows this ENG dump from S8... Floating around on the Internet....

Code:
/efs/prov_data/dev_root/dev_root.dat
/efs/prov_data/dev_root/sym_key.dat

Both files without the typical Header blabla... Maybe somebody already knows how to decrypt this...

Only as info...

Best Regards