Vault7: CIA Hacking Tools Revealed
Weeping Angel (Extending) Engineering Notes
Features Added during week of Jun 16, 2014 with MI5/BTSS
Discovered delete and download keyfiles will include any newline characters
Found configuration setting that manages automatic updates
Added feature to periodically re-acquire alsa (audio) device while in Fake-Off mode
Suppress LEDs to improve look of Fake-Off mode
Ported and modified TinyShell to provide shell, command execution, and file transfer.
Added feature to prevent updates (an iptables rule -- ported iptables application to this platform)
Received sanitized source code from UK
Tested on firmware versions 1111, 1112, and 1116 and characterized various recording qualities (wrt file size) and noise cancellation.
Anomalies
Cannot update firmware over internet
LED on back
Storage usage up to 700MB (of 1.6GB)
Development Notes:
Build environment uses Ubuntu 12.10 and g++-4.7 compiler due to dependencies
use => unset VD_PRINT_DISABLE;
Installer Notes:
Looks like Samsung app
UEP.b -> app killer that checks signatures on installed apps
UEP.d -> kills UEP.b and kills it again whenever it restarts (every 15-20 minutes)
UEP.f -> hooking one of the main Samsung apps by injecting a shared object (libt.so)
empDownload -> the binary that downloads other apps or adverts and is executed by the system
empDownload is replaced by our binary that we need to be executed. The installer backs up the real empDownload and then replaces it with ours. The installer uses the API to initiate a download, which then causes our empDownload to execute. After installation, the original empDownload is restored.
AutoStart -> file put in moip/engines
start -> binary is very similar to empDownload. Both initially look for the "block" file, which is an encrypted shell script.
libt.so -> shared object used by UEF.f and injected into one of the main threads to hook several functions of interest
dreamhost -> telnet server. same as remshd
busybox -> fully featured version to include an FTP server
When Extending starts, it looks for dreamhost and busybox, and if they exist, starts them.
After Extending is installed, the system must reboot.
For system power up, the control flow is roughly: AutoStart > libDownload.so > start > block > UEF.*
System Details:
Some of the primary Samsung applications are exe, exeApp, and exeDSP
Linux 3.0.33 SMP armv71
libc-2.14.1
compiled with gcc 4.6.4
/mtd_rwcommon - writable partition
/mtd_rwarea - writable partition
/mtd_rwcommon/widgets/normal - apps stored here
/mtd_rwcommon/tempS - audio stored here
/bin - busybox
/dtv - temporary directory, cleared upon reboot
/mtd_swu/stb - SmartHub configuration file (STANDBYDOWNOFF = 0 -> turns off automatic updates)
/webkit/webbrowser/settings.db - browser sqlite database. may contain credentials.
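
For responders examining an extracted filesystem image from an affected TV, the sketch below is an added example (not code from the original notes) that checks a mounted image for artifacts the Installer Notes and System Details name. It assumes /mtd_swu/stb is a text file of KEY = VALUE lines and that moip/engines may sit under any parent directory; the sample tree builder and its file contents are constructed for illustration.

```python
import os
import re

# File names taken from the notes above. A bare filename match is a triage
# hint for a responder, not proof of compromise.
NAMED_FILES = {"libt.so", "dreamhost", "UEP.d", "UEP.f"}
UPDATE_KEY = re.compile(r"^\s*STANDBYDOWNOFF\s*=\s*(\S+)", re.M)

def triage(root):
    """Return sorted findings for an extracted TV filesystem mounted at root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name in NAMED_FILES:
                findings.append("named-file:" + rel)
            # The notes place AutoStart in moip/engines (parent path not given).
            if rel.endswith("moip/engines/AutoStart"):
                findings.append("autostart:" + rel)
    # Assumption: the SmartHub config is plain KEY = VALUE text.
    stb = os.path.join(root, "mtd_swu", "stb")
    if os.path.isfile(stb):
        with open(stb, errors="replace") as fh:
            match = UPDATE_KEY.search(fh.read())
        if match and match.group(1) == "0":
            findings.append("updates-disabled:mtd_swu/stb")
    # Audio staging directory named in the notes: report file count and size.
    temps = os.path.join(root, "mtd_rwcommon", "tempS")
    if os.path.isdir(temps):
        paths = [os.path.join(temps, f) for f in os.listdir(temps)]
        sizes = [os.path.getsize(p) for p in paths if os.path.isfile(p)]
        if sizes:
            findings.append("staged-audio:%d files,%d bytes" % (len(sizes), sum(sizes)))
    return sorted(findings)

def make_constructed_sample(root):
    """Build a small constructed tree (not real device data) for a dry run."""
    layout = {
        "mtd_swu/stb": b"STANDBYDOWNOFF = 0\n",
        "mtd_rwcommon/tempS/rec0": b"0123456789",
        "mtd_rwcommon/moip/engines/AutoStart": b"",
        "mtd_rwcommon/widgets/normal/app/libt.so": b"",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

Call `triage()` on the mount point of a read-only image rather than on a live device, since /dtv is cleared on reboot and the notes say the original empDownload is restored after installation.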