📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Created: Thursday, May 14 2009 04:15.14 CDT Modified: Thursday, May 14 2009 04:23.11 CDT
Truly Hackable Phone?
Author: MohammadHosein # Views: 2270

OK. This was big when it hit the press: "Openmoko is introducing a completely open cellphone", and added to it, "this is a truly hackable phone". Well, I needed to know how "open" is open and what they mean by "hack" when they say it's truly hackable. Here is the short version of my journey.

1- I purchased one NEO Freerunner box plus its debug board. It got here so fast. During that time I sent them several emails; they never responded.
2- It runs an ARM-based Linux, GSM using TI's Calypso, GPS, Wi-Fi, Bluetooth. There are a bunch of tools, scripts and APIs to "develop" different applications for this device. It's fairly documented.
3- Using the development toolchain plus the debugging capabilities makes life a little easier for an average Linux developer. Yeah, you can port your enterprise applications to the Openmoko architecture with minimum effort. That's good, although it was not something I was looking for. I'm a hacker, right?
4- All chipset details are under NDA from the manufacturers. Some people, somehow, published old versions of these spec documents, and of course because downloading them is illegal I didn't do it. We are not outlaws, we are hackers, right?
5- So you cannot monitor or modify GSM stack parameters, or read/write its memory, or play with available registers, for example to build a GSM fuzzer; at best it offers you a simple stupid GSM modem using /dev/ttySAC0. You cannot read or monitor the Wi-Fi or Bluetooth radio layer parameters from the chips, probably to develop a low-level scanner without the OS's interference; you cannot hook into the A/D IC bus to the baseband to add special voice filters; you cannot ... Actually, you probably can do all these and more, but you first need to do extensive Linux kernel development on ARM, plus be able to read those NDA'ed documents. Well, the deal is the same with any Windows Mobile smartphone, or even your beloved iPhone. Who said playing with the kernel on embedded architectures and reading documents you are not supposed to read is more "open" on the NEO than on the others? And how is this box "truly" hackable compared to others?
6- IMHO, if you are looking for serious low-level GSM/GPRS/Bluetooth/Wi-Fi involvement, cellphones are the wrong place to look. You can read all about OpenMoko on its wiki, while you need to pay for a deep Symbian book to get your hands on similar technical details, but this is as open as it gets. No phone is more hackable than the others. Software development using available tools is not a hack. You can develop software on Openmoko the way you do it on a regular PC; that's nice, but that's not hacking. Yes, you can develop a device driver to attach industrial hardware using the UART connection, and it's a lot easier on Openmoko compared to others (and I'm not even sure about this, having iPhone OS 3 in mind), but all said, this is not hacking. This is typical software development.
7- At the end of the day I learned that hacking into anything that's related to the wireless service providers' business and wireless applications must be done via Software Defined Radio platforms, like USRP, not cellphones. Cellphones are never open if you are looking to get extensively involved with the hardware, and they are only hackable if you make yourself ready to break the law or pray for miracles. Why? Take a look at one of these ETSI specs and compare it to the implementation; you will figure out why.

This was months ago, and now that I'm on the right track I thought it's good to write this here. Folks, if a very low percentage of skilled IP network hackers were able to easily look into telecom networks like GSM and CDMA, the world would be a different place now. Yes, I have my own NDAs up in my ass about my projects, but this can be said: regular computer IP software and networks are much more robust and reliable. Believe this even if you are reading about all sorts of compromises every day.

SDR technologies are growing fast and this is gonna change the game big time. NDAs may save "their" business for some time, but I'd like to see how it's gonna save the world when at some Black Hat presentation a hacker from a far, strange country like mine shows how to run code on somebody's cellphone's baseband, routing phone calls from one target to another, all remotely. Yes, I'm hearing you all saying the world is gonna be saved with all sorts of warnings and threats of lawsuits. We have seen this before. You are probably right about lawsuits, but I'm not sure if it's gonna save the world.

<Lost's Next Season E1>

[Richard Alpert presses a key and sits in front of a mic]

Desmond: Excuse me, I called Kate's cell. Who are you, brother?
The Voice: It's John, Desmond. John Locke.
Desmond: OMG, this technology got there so fast. How are you, brother?
The Voice: All is good. Yup, we are using edgy technology to protect the Island. Come back to the island and visit me at the Hostiles' camp.
Desmond: Alright, brother.

[Richard looks at Benjamin Linus and smiles]

Created: Monday, February 9 2009 06:24.15 CST  
iDA
Author: MohammadHosein # Views: 3060

Well, it turned out the best way to use IDA on Leopard is Parallels Desktop. Using the Air is always a pleasure; now, having IDA there, I can do more. Last night I had a date, and while I was waiting down there near our building in a green space (yeah, and as many of these spaces as we have, Tehran is still horribly ungreen) it just came to me that I'm getting old. So I ran a couple of commands to set up a VNC server in Leopard remotely, and I must admit iDA is always a pleasant, familiar face, even over a weak Wi-Fi connection, at night in a green space that's not even green. It was the best 15 minutes that I've ever waited for a girl, because there I solved the problem and my first Hex-Rays SDK based application got compiled.

Created: Tuesday, February 12 2008 17:06.10 CST  
Rootkit.com died?
Author: MohammadHosein # Views: 3008

It's been almost two weeks that I cannot reach rootkit.com. I've tried from several providers/proxies and asked several friends; nobody knew what happened. What's the story?

Created: Monday, February 4 2008 08:09.38 CST  
Win32 CodeHook
Author: MohammadHosein # Views: 3242

A free open source library for Delphi and C++:
http://www.kbasm.com/codehook.html

Created: Tuesday, December 11 2007 16:32.10 CST  
Windows Bugs Floating around
Author: MohammadHosein # Views: 3066

It had been a long time since I'd seen the same.
Yesterday and today, it was more like 15 critical vulns on Windows published: SMB2, IE, Vista kernel, FTP client, DirectX ... Is it the month of Windows "itself", or is it just Christmas? ;)


Archived Entries for MohammadHosein (subject, views, created on):
kicked out of bugtraq (2317 views) - Tuesday, August 14 2007
Immunity Debugger and API (8221 views) - Friday, July 13 2007
Intel Core 2 bugs (1654 views) - Friday, June 29 2007
