no plans for WaveSecure update.zip*


Guest shenye


I've forwarded the files to Wavesecure that they need to make their own signed update zips, all in a nice little batch file so all they have to do is click 'go'. :)

I look forward to them hosting the zips (saves me a job, lol!)

P

> I've forwarded the files to Wavesecure that they need to make their own signed update zips, all in a nice little batch file so all they have to do is click 'go'. :)
>
> I look forward to them hosting the zips (saves me a job, lol!)
>
> P

Good news. I'll look forward to getting zips from them now as well. I take it they don't have a way to notify us 'non-market' users when there is a new version available? (like a little notification telling us to take a new update.zip)

@P,

do you think I should trash the info here about how I bypassed WS, or do you think it is safe to leave on the forum? Just that I'm not sure if it's best to leave it here or not. It's not in google cache as of yet.


Guest shenshang
So, it seems that WS is not just magic :)

I've put it back to normal.

Think I'll restore to my backup just to keep everything nice and clean...

you've shattered my excitedness :)

i wonder if there's any way of just making a .bat or .exe file where you drag an apk in and it will make an update.zip to install it to the system partition....

since 3.2b1, i've been editing the roms so if i re-flash, i don't need to go through the process of deleting footprints and stocks, adding WS and adding my own bootscreen...


Guest shenshang
> Good news. I'll look forward to getting zips from them now as well. I take it they don't have a way to notify us 'non-market' users when there is a new version available? (like a little notification telling us to take a new update.zip)
>
> @P,
>
> do you think I should trash the info here about how I bypassed WS, or do you think it is safe to leave on the forum? Just that I'm not sure if it's best to leave it here or not. It's not in google cache as of yet.

since they know Paul, him telling them will probably have a larger impact on this issue...


Bit harsh! :)

P

maybe harsh, but true, as it can't be more than a lame excuse. but we will see what happens eventually.

out of curiosity, does your script do anything other than compress and sign a given directory structure?

i'd like to see a way to automate the process of the update script creation, this is the only topic i haven't dug in yet...


It just zipaligns the APK, creates the update zip with the update script and the right directory structure then signs it. Script was literally a 5 minute job. :)

WRT to the discussions in here, the average thief probably isn't gonna run iptables to prevent the app talking back? :)

P


> i'd like to see a way to automate the process of the update script creation, this is the only topic i haven't dug in yet...

@kendon,

I've got a script/app that claims to do what you're looking for.

I built it from this source:

http://www.netmite.com/android/mydroid/rec...update-script.c

and you'll need this header:

http://www.netmite.com/android/mydroid/sys...system_config.h

So, obviously put the header inside a subfolder called private, and then build make-update-script.c

I've also included the binary I got from the build at http://www.mediafire.com/download.php?mn0nimzzdd4 (since the forum won't accept it as an attachment)

Just pop it into /bin and

 chmod 755 /bin/a.out


> do you think I should trash the info here about how I bypassed WS, or do you think it is safe to leave on the forum? Just that I'm not sure if it's best to leave it here or not. It's not in google cache as of yet.

just to leave my two cents here: if we (you) could come up with it, other people can also. i am not a fan of security through obscurity. the solution should be to fix the security holes, not keep them secret. imho this thread should be left as is, and brought to the attention of the wavesecure devs. but that is just my opinion, i know the real world doesn't always work this way...


> It just zipaligns the APK, creates the update zip with the update script and the right directory structure then signs it. Script was literally a 5 minute job. :)
>
> WRT to the discussions in here, the average thief probably isn't gonna run iptables to prevent the app talking back? :)
>
> P

ok, thanks for the reply. i should look into zipalign too; contrary to the creation of the update.zip, i might actually be able to do it :)

topic: a thief is not going to use iptables, but taking the simcard out doesn't seem too far off... i have to admit that it provides a certain level of security for the average dumb thief, but that's about it. as soon as someone tech-savvy gets his hands on it there is hardly any security left. but i guess we have to live with that, best idea so far was password-protected recovery image...

@pulser: thanks for the info, i'll look into that during the weekend. maybe you could write two lines of manual? when i am talking about a script i mean a bash script, from what i see this is source code that has to be compiled? this goes close to voodoo for me, would be nice if you could give a short notice on the syntax... thank you :)


I've chatted to WS a bit about this, the next level of security would be remounting the system partition and writing stuff there so it survives a wipe... possible, but wise? Dunno...

P


> It just zipaligns the APK, creates the update zip with the update script and the right directory structure then signs it. Script was literally a 5 minute job. :)
>
> WRT to the discussions in here, the average thief probably isn't gonna run iptables to prevent the app talking back? :)
>
> P

@Paul Yup. I suspected it would be fine, but it's your forum, so your rules :)

EDIT @kendon (must learn to refresh before reply :))

The mediafire gives you the 'linux exe' file you need.

As for syntax, I'll try and explain it here:

to generate an update file for a folder called system, which is in the present directory (ie. when you type ls, you see the folder name), you type

 a.out ../system androidinfo.txt>update-script

where androidinfo.txt is of the form

 ModelID: HERO10000
 CIDNUM: H3G__001
 CIDNUM: 11111111
 MainVer: 2.73.771.73

Note that that is just an example from the recent H3G (UK) release. Unfortunately, I have experimented a bit more with it, and I think the best way to do what you're wanting to do (add apk to system) is to use the script

 show_progress 0.1 0
 copy_dir PACKAGE:system SYSTEM:
 show_progress 0.1 10

inside the update-script. That should do what you need.

HTH, and I would personally just use that second method of using the copy_dir file, as that should do what you need.

Edited by pulser
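As an added example (not Paul's five-minute script, and not the make-update-script binary pulser linked), the following Python reproduces the steps those two posts describe: stage the APK under system/app, write the three-line show_progress / copy_dir update-script into META-INF/com/google/android/, zip the lot, and sanity-check the result before it goes off for signing. The function names, the placeholder WaveSecure.apk (a constructed empty zip, not the real app) and the optional zipalign call are my assumptions. Signing is deliberately left out: the recovery only installs packages signed with a key it trusts, which is exactly why the thread wants WaveSecure to produce the signed zips themselves.

```python
"""Build and sanity-check an (unsigned) recovery update.zip for one APK.

Added example, not the script from the thread. Layout follows the posts:
system/app/<name>.apk plus META-INF/com/google/android/update-script with
the show_progress / copy_dir lines. zipalign and signing are separate steps.
"""
import os
import shutil
import subprocess
import tempfile
import zipfile

UPDATE_SCRIPT_PATH = "META-INF/com/google/android/update-script"

# The update-script given in the thread: copy the package's system/ tree to SYSTEM:.
UPDATE_SCRIPT = (
    "show_progress 0.1 0\n"
    "copy_dir PACKAGE:system SYSTEM:\n"
    "show_progress 0.1 10\n"
)


def zipalign_if_available(apk_path, out_path):
    """Run zipalign (Android SDK tool) if it is on PATH; otherwise copy the APK as-is.

    Returns True when zipalign was actually run.
    """
    tool = shutil.which("zipalign")
    if tool is None:
        shutil.copyfile(apk_path, out_path)
        return False
    # -f overwrites the output; 4 is the byte alignment zipalign is used with
    subprocess.run([tool, "-f", "4", apk_path, out_path], check=True)
    return True


def build_update_zip(apk_path, out_path):
    """Write an unsigned update.zip that installs apk_path into /system/app/.

    Returns the sorted entry names. The zip still has to be signed with a key
    the recovery trusts before it will install.
    """
    apk_name = os.path.basename(apk_path)
    if not apk_name.endswith(".apk"):
        raise ValueError("expected an .apk file, got %r" % apk_name)
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(apk_path, "system/app/" + apk_name)  # the directory structure copy_dir expects
        zf.writestr(UPDATE_SCRIPT_PATH, UPDATE_SCRIPT)
    with zipfile.ZipFile(out_path) as zf:
        return sorted(zf.namelist())


def check_update_zip(zip_path):
    """Return a list of problems (empty when the package looks installable).

    Checks that the update-script exists, that every copy_dir source directory
    is present in the package, and that at least one APK sits under system/app/.
    """
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = set(zf.namelist())
        if UPDATE_SCRIPT_PATH not in names:
            return ["missing " + UPDATE_SCRIPT_PATH]
        script = zf.read(UPDATE_SCRIPT_PATH).decode("ascii")
        for line in script.splitlines():
            parts = line.split()
            if parts and parts[0] == "copy_dir":
                src = parts[1].split(":", 1)[1]  # "PACKAGE:system" -> "system"
                if not any(n.startswith(src + "/") for n in names):
                    problems.append("copy_dir source %r not in package" % src)
        if not any(n.startswith("system/app/") and n.endswith(".apk") for n in names):
            problems.append("no APK under system/app/")
    return problems


def demo():
    """Build a package from a constructed placeholder APK and check it."""
    work = tempfile.mkdtemp()
    apk = os.path.join(work, "WaveSecure.apk")  # constructed stand-in, not the real app
    with zipfile.ZipFile(apk, "w") as fake:
        fake.writestr("AndroidManifest.xml", "")
    aligned = os.path.join(work, "aligned", "WaveSecure.apk")
    os.makedirs(os.path.dirname(aligned))
    zipalign_if_available(apk, aligned)
    out = os.path.join(work, "update.zip")
    names = build_update_zip(aligned, out)
    problems = check_update_zip(out)
    shutil.rmtree(work)
    return names, problems


if __name__ == "__main__":
    print(demo())
```

The missing step is signing: the AOSP signapk tool (`java -jar signapk.jar cert.pem key.pk8 update.zip update-signed.zip`) with a certificate that the recovery image's key set accepts. A package signed with any other key, or left unsigned as above, is rejected at install time, so check_update_zip only tells you the layout is right, not that a given recovery will take it.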

> ok, thanks for the reply. i should look into zipalign too; contrary to the creation of the update.zip, i might actually be able to do it :)
>
> topic: a thief is not going to use iptables, but taking the simcard out doesn't seem too far off... i have to admit that it provides a certain level of security for the average dumb thief, but that's about it. as soon as someone tech-savvy gets his hands on it there is hardly any security left. but i guess we have to live with that, best idea so far was password-protected recovery image...
>
> @pulser: thanks for the info, i'll look into that during the weekend. maybe you could write two lines of manual? when i am talking about a script i mean a bash script, from what i see this is source code that has to be compiled? this goes close to voodoo for me, would be nice if you could give a short notice on the syntax... thank you :)

@topic, kendon: Yeah. Passworded recovery would help, but what about me 'fastboot boot' ing my own recovery.img file? That would surely get round any password protection you may have.

Or using a goldcard to RUU downgrade or boot into oem-78 mode? I think we're reaching limitations of the platform here. Remember also that all it takes for me to remove wavesecure from any phone is gain adb access, remount system rw and then use a rather obvious command involving 'rm'. No need for me to explain any more, I take it :)

@kendon,Paul: An un-finished thought for you... Would it be possible to have a password on the root user account of the phone, so that 'su' and adb root commands would need said password? Just as I can currently unlock a phone that is sitting on the locked screen, provided I have access to adb...

I really don't think we will be able to create a truly secure system... But we can try as hard as we can! :)


> @topic, kendon: Yeah. Passworded recovery would help, but what about me 'fastboot boot' ing my own recovery.img file? That would surely get round any password protection you may have.
>
> Or using a goldcard to RUU downgrade or boot into oem-78 mode? I think we're reaching limitations of the platform here. Remember also that all it takes for me to remove wavesecure from any phone is gain adb access, remount system rw and then use a rather obvious command involving 'rm'. No need for me to explain any more, I take it :)

yeah, i also thought about what would happen if you lose the password. it is unsafe anyway, either that you can brick your phone or that it is easily crackable. you're right about the platform boundaries, it was just not made for this.

> @kendon,Paul: An un-finished thought for you... Would it be possible to have a password on the root user account of the phone, so that 'su' and adb root commands would need said password? Just as I can currently unlock a phone that is sitting on the locked screen, provided I have access to adb...
>
> I really don't think we will be able to create a truly secure system... But we can try as hard as we can! :)

not sure about this, actually i am lacking the linux skills here. you need to find an authentication mechanism, as android is very different from a standard linux system i have no idea where to start. first thing that would come to my mind is hiding the su binary somewhere in the filesystem, outside of PATH. as i am writing this i think about whether applications that need root would still work, probably not. also this would be anything than secure, all you need to do is "adb shell find / -name su" and you got it...


Wouldn't installing wavesecure then flashing the stock recovery image and a 'secure' boot image be a good idea (and no root if you don't use it)?

P

possible, but you would limit yourself pretty badly... you'd need to disable adb also, taking all the fun out of it...

tried this:

 # passwd root
 passwd: unknown uid 0


> Wouldn't installing wavesecure then flashing the stock recovery image and a 'secure' boot image be a good idea (and no root if you don't use it)?
>
> P

@quote, that would certainly help, but goldcard could still be used to blitz the phone. I actually run my phone with the stock recovery on it for this very reason! Could we make yet another recovery image that didn't allow us to wipe or anything? (risky, I know...)

The thing that 'worries' (well, not really, but the best word I can come up with) me with my method I tried today was that I said I wiped the phone. I didn't actually (I sort of lied to keep things simple). I actually used shell to 'rm -r /data/data/com.wsandroid'. As a result, after my phone-hacking was complete, I had full access to the target's data (target being the wealthy banker whose phone has been stolen for the data on it lol), as I didn't need to do a full wipe.

Suggestion (practicalities not thought through though!! xD)

Could you install the apk for WS into the ramdisk on boot.img? (I don't know how it is for size though at the moment) If you could, it would add another level of 'obscurity' to the mix, as you would need to have a decent knowledge of linux and android to even look at modifying the boot.img and recompiling it... This wouldn't address the issue of the settings though.

Another alternative, and probably one for Paul: now you have a custom kitchen, would it be possible to cook each user their image with a 'special' boot.img file, that would only boot their system partition if a special hidden (filename prefixed by a full stop) 'security file' in the root directory containing a random cryptographic hash matched that in the boot file. If the algo was kept tight, this would act as a watermark/deterrent to piracy of your 'betas' but also would allow you to ensure that only a validated /system was mounted. You could optionally also only mount the system image if wavesecure.apk was found to be present (if the user chose to install it, of course), and that would stop me removing the apk for WS to get round it.

As for writing to /system for WS, I don't think that's a good idea IMHO (and I could still get past it by remounting as rw and removing the offending app anyway, then the settings wouldn't matter), but I can't think of any other ideas atm.

I'll probably come up with some more later though, so keep a lookout for more stupid suggestions :)


Customised boot images are actually a very interesting area, I already POC'd generating boot images on the fly in the kitchen!

A 'superboot' type approach would let you put the wavesecure APK in the boot img, that is to copy it from the boot image to /system/app if it's not found.

I liaised previously with WaveSecure to get the signed update zips and also to make it hard reset proof so I have a pretty good relationship with those guys, maybe it's worth taking it to 'the next level'. :)

The advantage of the superboot approach is also that it can be easily applied to an otherwise stock ROM.

P


> Customised boot images are actually a very interesting area, I already POC'd generating boot images on the fly in the kitchen!
>
> A 'superboot' type approach would let you put the wavesecure APK in the boot img, that is to copy it from the boot image to /system/app if it's not found.
>
> I liaised previously with WaveSecure to get the signed update zips and also to make it hard reset proof so I have a pretty good relationship with those guys, maybe it's worth taking it to 'the next level'. :)
>
> The advantage of the superboot approach is also that it can be easily applied to an otherwise stock ROM.
>
> P

Talking of this, I've had an idea to prevent 'piracy' of your MCR, as I noticed a few non-adfree users asking questions about the beta and RCs (obviously getting flamed off in a protective and friendly manner by the regulars). Should I mention it here, or PM it, as this would be security through obscurity? Similar to that mentioned above, but with a slight twist...

Edited by pulser

Guest DarthOps
> Right, one step behind you, but I locked the phone and rebooted it without the SIM (after wipe). The phone booted as normal, even giving me the wee 'new install' This phone is protected by wavesecure, but no lock!
>
> [attached screenshot]
>
> EDIT: I know it can't really be proven in a picture, but my phone *should* be locked in that pic, you'll just have to take my word for that as you can't really show that. Again, running it gives me the cannot connect to server error.
>
> I'm now gonna block WS using iptables, and see what happens (with SIM in phone on reboot). That result will let us see if it is SMS or data.
>
> I'm also thinking we should maybe trash these posts when we're done. Just to prevent future problems...
>
> I'll try logcat when I do block it using iptables, and see as well...

Hmm, I'm getting the same error, I just wiped my phone and wavesecure "Cannot Connect To Server"....problem on their side?


Guest shenshang
> Hmm, I'm getting the same error, I just wiped my phone and wavesecure "Cannot Connect To Server"....problem on their side?

you have connected to wifi or 3g right..


Guest DarthOps
> you have connected to wifi or 3g right..

Yeah, everything *seems* to be fine but I just can't get wavesecure to work correctly, don't know what has happened but it won't give me the usual pin entry screen, just keeps trying to "connect to the server"


Guest shenshang
> Yeah, everything *seems* to be fine but I just can't get wavesecure to work correctly, don't know what has happened but it won't give me the usual pin entry screen, just keeps trying to "connect to the server"

go in your browser and go wavesecure.com and see if your ISP is blocking wavesecure =\


> Hmm, I'm getting the same error, I just wiped my phone and wavesecure "Cannot Connect To Server"....problem on their side?

Hmmm. Are you trying to use it normally, or are you trying to break it like me?

If the latter, that's to be expected :)

If you're using it normally though, that's not right. I'll check mine. hold on a sec...

EDIT

their server is up for me... above post is out of sync, sorry. Took too long to type on my hero LOL

Edited by pulser
