WhatIsWhatIsWhatIsWhat Posted July 27, 2015: [deleted post]
AdamOutler Posted July 27, 2015

Quote: No need to sign this. You can just insert sd/usb card with files and copy files you need directly to device.

Does it sign on its own? Every time we have tried to modify them, we get an error on the boot.img. There is more work left.
WhatIsWhatIsWhatIsWhat Posted July 27, 2015: [deleted post]
AdamOutler Posted July 27, 2015

Quote: I'm sorry, as you noticed, English is not my native language. I mean that instead of patching firmware *.prg files (to make firmware modifications) and flashing this modified firmware, you can just change source files directly on the device filesystem using shell scripts and the file manager from testmode.

The boot.img is a raw-partition, header'd image on the internal SDCard. It consists of a ramdisk, kernel and parameters. The ramdisk is the root filesystem of the device and is loaded directly from this file. Any changes to this filesystem will not persist.

The way Android works, in contrast to other Linux systems, is that the initrd remains mounted instead of being replaced by a physical disk after drivers are loaded. The system can be modified, but the kernel/ramdisk cannot.

The solutions are:
1. Figure out how to re-header the boot.img after modification to the ramdisk inside.
2. Utilize kexec to reinitialize the entire system and run a custom init, which will double the boot time.
bass_rock Posted July 27, 2015

Quote: @bass_rock great news! Thank you! Where did you find these new keys like XXTECHNICALXX? How to exit this XXTECHNICALXX mode? As I understand, these modes are registered in the TST_MainThread::CreateStartupInfo() function and this function contains the following modes list:

XXTECHNICALXX
AUTO
PRODUCT
SERVICE
DIRECT
NANDUP

Also, there is TST_KeyFileInfo::DecodeKeyFile() with testmode file decode functions; sample code from this function:

    while ( 1 )
    {
        source_char_tmp = *(_BYTE *)(source_string++ + 1);
        source_char = source_char_tmp;
        if ( !source_char_tmp )
            break;
        if ( (char)source_char > 51 )
            destination_char = source_char - 20;
        else
            destination_char = source_char + 76;
        destination_string[v2++] = destination_char;
    }

Note that in our perl script 0x14 is decimal 20, as in this function, so these two lines are equivalent:

    $byte = ord($byte) - 0x14;              # from perl
    destination_char = source_char - 20;    // from disassembled library

So maybe the correct perl code should look like this:

    #!/usr/bin/perl
    # usage: perl decode.pl TEST.KEY
    my $filename = (shift);
    open(my $fh, $filename) or die $!;
    binmode($fh);
    my $cnt = 0;
    my $encodeString = "";
    my $otherString = "";
    while (read($fh, my $byte, 1)) {
        if ($cnt % 2 == 1) {
            if (ord($byte) > 51) {
                $byte = ord($byte) - 20;
            } else {
                $byte = ord($byte) + 76;
            }
            $encodeString = $encodeString.chr($byte);
        } else {
            if (ord($byte) > 51) {
                $byte = ord($byte) - 20;
            } else {
                $byte = ord($byte) + 76;
            }
            $otherString = chr($byte).$otherString;
        }
        $cnt++;
    }
    print $encodeString.$otherString;
    print "\n";
    close $fh;

About USB-OTG - maybe it starts to work after reboot/poweroff?

Yep, that's probably correct, although I am not sure if any of the current test mode strings we have ever hit the +76.

Quote: Great news. Using XXTECHNICALXX testmode you can do anything, including copying files and directories. testmode contains a fully-functional file manager; you can even do a recursive copy of full directories. Also, it is possible to run scripts and write whole partitions. There is a copy-device mode to copy everything to sd/usb and so on. Also, you can copy system logs and device info to sd/usb. There is a lot of information in the logs.

Quote: @bass_rock Where did you get this information about XXTECHNICALXX? It is not in the public domain.

I did a strings terminal command on the libTestMode.so and that stuck out to me as it was next to SERVICE, PRODUCT and more, and that thread that talks about the TestMode keys mentioned those so I tried it.

Quote: Awesome! Let's get a script with the outputs of dmesg, logcat, and id ported to a file on the SDCard. Next we will want to install apps and execute them. We need a live terminal active on the device.

Good work guys! You've just busted through gaining access all the way through to maintaining access.

Stages of ethical hacking
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access [Escalation of privileges]
4. Maintaining Access
5. Covering Tracks

Now we bounce around between 1-4 for a while until we are able to create a full update. But the important thing is that we have penetrated and have some level of access!

If you can provide me with a script that dumps out what we need I can run it on my device later today.
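Added example, not code from the thread: the TEST.KEY byte decoding that the disassembled DecodeKeyFile() loop and the Perl script above describe, reimplemented in Python, plus a counter for which of the two branches each byte takes (the +76 question raised above). SAMPLE_KEY is constructed here with the inverse transform and is not a real Pioneer key file.

```python
# Added example, not code from the thread: Python version of the TEST.KEY
# decoding seen in the disassembled DecodeKeyFile() loop and the Perl script.
# SAMPLE_KEY is constructed here from a made-up string; it is not a real key.

def decode_byte(b: int) -> int:
    """Loop body: values above 51 shift down by 20 (0x14), others up by 76.
    The decompiled compare is `(char)source_char > 51`, so for bytes >= 0x80
    the branch taken depends on char signedness on the target; the Perl uses
    an unsigned ord() compare, which is what is followed here."""
    return b - 20 if b > 51 else b + 76

def encode_byte(c: int) -> int:
    """Inverse of decode_byte for c >= 32 (test input only): c + 20 is > 51,
    so decode_byte takes the -20 branch and returns c again."""
    if not 32 <= c <= 235:
        raise ValueError("only 32..235 round-trip through the -20 branch")
    return c + 20

def decode_key_file(data: bytes) -> str:
    """Same reassembly as the Perl: odd positions appended in order, even
    positions prepended (so reversed) and placed after them."""
    forward, other = [], []
    for cnt, b in enumerate(data):
        ch = chr(decode_byte(b))
        if cnt % 2 == 1:
            forward.append(ch)
        else:
            other.insert(0, ch)  # $otherString = chr($byte).$otherString
    return "".join(forward + other)

def encode_key_file(text: str) -> bytes:
    """Inverse of decode_key_file for even-length ASCII (test input only)."""
    if len(text) % 2:
        raise ValueError("even length required")
    n = len(text) // 2
    head, tail = text[:n], text[n:]
    out = bytearray(len(text))
    for k in range(n):
        out[2 * k + 1] = encode_byte(ord(head[k]))
        out[2 * k] = encode_byte(ord(tail[n - 1 - k]))  # undo prepend order
    return bytes(out)

def branch_counts(data: bytes) -> tuple:
    """(bytes that took the -20 branch, bytes that took the +76 branch)."""
    minus = sum(1 for b in data if b > 51)
    return minus, len(data) - minus

SAMPLE_KEY = encode_key_file("TESTMODEKEYS")  # constructed, not a real key
```

Because the transform is a fixed per-byte offset, the key file is obfuscated rather than encrypted; anything readable in it can be recovered by this loop alone.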
AdamOutler Posted July 27, 2015

bass_rock, here is the script.

    #! /system/bin/sh
    out="/sdcard/log.txt"
    echo "--id--" >$out
    id >>$out 2>&1
    echo "--mount--" >>$out
    mount >>$out 2>&1
    echo "--proc/mounts--" >>$out
    cat /proc/mounts >>$out
    echo "--netstat--" >>$out
    netstat -Af >>$out
    netstat -r >>$out
    echo "--dmesg--" >>$out
    dmesg >>$out 2>&1
    echo "--logcat--" >>$out
    logcat >>$out 2>&1
    echo "--ifconfig--" >>$out
    ifconfig >>$out 2>&1

Paste the contents from /sdcard/log.txt. If /sdcard/ isn't proper, I have notes at home about the locations of each partition I'd need to review. /sdcard/ may be the internal SD partition.
WhatIsWhatIsWhatIsWhat Posted July 27, 2015: [deleted post]
AdamOutler Posted July 27, 2015

Quote: Proper locations can be viewed using the testmode file browser. AFAIR, the right location of usb (not sd) is something like /mnt/udisk and /mnt/udisk1 for usb1 and usb2. Is /system/bin/sh the right location of the shell interpreter?

Awesome. Bass, please take note of this and change that out variable accordingly.

Yes. /system/bin/sh is usually where Android's sh is kept. There is no /bin and /sbin is just some crash handling bs. In a rare case I saw /system/xbin/sh, and while I'm not at my computer now, I'd say /system/bin/sh is where it's located. Do you have reason to doubt that?
WhatIsWhatIsWhatIsWhat Posted July 27, 2015: [deleted post]
bass_rock Posted July 27, 2015

@AdamOutler thanks! I will get to trying that tonight.

Also @AdamOutler, since you are big on XDA, is it possible to get an admin to open a forum there, or do you have a good place to wiki dump this knowledge so we don't have to go digging through 30+ forum pages?
ils15 Posted July 27, 2015

Any chance to update firmware? I'm working in the Igo NextGen app because I need to put inside it new maps from Brazil (2015.q1) and speedcam alerts. Great work guys...
AdamOutler Posted July 27, 2015

Quote: @AdamOutler thanks! I will get to trying that tonight. Also @AdamOutler, since you are big on XDA, is it possible to get an admin to open a forum there, or do you have a good place to wiki dump this knowledge so we don't have to go digging through 30+ forum pages?

I'm actually a nobody on XDA now. I used to be very involved with the forums, an XDATV Host, a newswriter, an Elite Recognized Developer, and I ran my own contracting firm at casual-dev. I had to retire because I took a job with TracFone as an embedded systems security engineer, and they paid me well enough to give it all up. I could ask just as well as you could, but moving to XDA-Developers would sorta exclude me due to contractual obligations.
AdamOutler Posted July 27, 2015

bass_rock, I've added in a listing here so we know what partitions to pull to make a FULL sdcard backup.

bass_rock, here is the script.

    #! /system/bin/sh
    out="/sdcard/log.txt"
    echo "--id--" >$out
    id >>$out 2>&1
    echo "--mount--" >>$out
    mount >>$out 2>&1
    echo "--proc/mounts--" >>$out
    cat /proc/mounts >>$out
    echo "--dev/block--" >>$out
    ls -alR /dev/block >>$out
    ls -alr /dev/block >>$out
    echo "--netstat--" >>$out
    netstat -Af >>$out
    netstat -r >>$out
    echo "--dmesg--" >>$out
    dmesg >>$out 2>&1
    echo "--logcat--" >>$out
    logcat >>$out 2>&1
    echo "--ifconfig--" >>$out
    ifconfig >>$out 2>&1

Paste the contents from /sdcard/log.txt. If /sdcard/ isn't proper, I have notes at home about the locations of each partition I'd need to review. /sdcard/ may be the internal SD partition.

I added in "ls -alR /dev/block >>$out" and "ls -alr /dev/block >>$out" because sometimes ls requires lower case and sometimes upper case. But once we know the partition layout we can get an actual living SDCard from your device using "dd if=/path/to/sdcard0 of=usb2/pioneer-avic5000-sdcard.img". If this works, we just need someone with an x1xx unit to help me get my deck unbricked.
bass_rock Posted July 28, 2015

Quote: I'm actually a nobody on XDA now. I used to be very involved with the forums, an XDATV Host, a newswriter, an Elite Recognized Developer, and I ran my own contracting firm at casual-dev. I had to retire because I took a job with TracFone as an embedded systems security engineer, and they paid me well enough to give it all up. I could ask just as well as you could, but moving to XDA-Developers would sorta exclude me due to contractual obligations.

Ah ok. Never mind then, do you have a good spot for a wiki for this useful information then?

Quote: bass_rock, I've added in a listing here so we know what partitions to pull to make a FULL sdcard backup. I added in "ls -alR /dev/block >>$out" and "ls -alr /dev/block >>$out" because sometimes ls requires lower case and sometimes upper case. But once we know the partition layout we can get an actual living SDCard from your device using "dd if=/path/to/sdcard0 of=usb2/pioneer-avic5000-sdcard.img". If this works, we just need someone with an x1xx unit to help me get my deck unbricked.

Ok, that sounds really awesome. I will start small tonight and give it a shot. (Of course after I threw my deck back in my car right after we cracked the test mode keys.)

So for the script though, does it look like I have to put the script on the device and run it from the TestMode, or do I use a test mode key with the command to run it?
AdamOutler Posted July 28, 2015

Quote: Ah ok. Never mind then, do you have a good spot for a wiki for this useful information then? Ok, that sounds really awesome. I will start small tonight and give it a shot. (Of course after I threw my deck back in my car right after we cracked the test mode keys.) So for the script though, does it look like I have to put the script on the device and run it from the TestMode, or do I use a test mode key with the command to run it?

I believe github has wikis available. I know googlecode does, but they are shutting down soon.

As for execution... "put Copy_Script.sh into root dir of USB1 and test XXTECHNICALXX mode using ProgramFunction => CopyShellUpdate" is what was said on the previous page. I'd like a copy of said key.