Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Status Update 2
SECRET//NOFORN
Status Update 2 – Last Updated July 12, 2013
My goal was to understand how the Siemens phone application uses the ifx_mps driver. The first step was to determine which processes were opening the ifx_mps device files. I built strace and lsof for the phone and put them in /usr/sbin. Using lsof, determined that SvcConfig and its threads (total 70 of 95) are the only processes that open /dev/ifx_mps/cmd. In the current state, no ifx_mps channels are opened by any process. After closer examination, the 70 SvcConfig processes have the following command line:
SvcConfig services.conf -startLogDaemon -logAll V2 R0.92.0 HFA 120822
lsof | grep ifx_mps | wc -l
ps -ef | grep SvcConfig | wc -l
The SvcConfig (in this case PIDProcess ID 503) processes of interest open the following files (in addition to numerous sockets and pipes filtered out of the result below):
SvcConfig 503 ??? cwd ??? ??? ??? ??? /Opera_Deploy
SvcConfig 503 ??? exe ??? ??? ??? ??? /Opera_Deploy/SvcConfig
SvcConfig 503 ??? 0 ??? ??? ??? ??? /dev/null
SvcConfig 503 ??? 1 ??? ??? ??? ??? /dev/null
SvcConfig 503 ??? 2 ??? ??? ??? ??? /dev/null
SvcConfig 503 ??? 10 ??? ??? ??? ??? /Opera_Deploy/healthservice.conf
SvcConfig 503 ??? 24 ??? ??? ??? ??? /data/database/phone.db
SvcConfig 503 ??? 37 ??? ??? ??? ??? /dev/input/keyboards
SvcConfig 503 ??? 38 ??? ??? ??? ??? /dev/input/keyInput
SvcConfig 503 ??? 39 ??? ??? ??? ??? /dev/input/HookSw
SvcConfig 503 ??? 40 ??? ??? ??? ??? /dev/sidecar
SvcConfig 503 ??? 41 ??? ??? ??? ??? /dev/ledmatrix
SvcConfig 503 ??? 42 ??? ??? ??? ??? /dev/fb/0
SvcConfig 503 ??? 53 ??? ??? ??? ??? /tmp/lldpfifo
SvcConfig 503 ??? 56 ??? ??? ??? ??? /tmp/LldpManagerFifo
SvcConfig 503 ??? 62 ??? ??? ??? ??? /dev/pc_status
SvcConfig 503 ??? 64 ??? ??? ??? ??? /dev/ifx_mps/cmd
SvcConfig 503 ??? 81 ??? ??? ??? ??? /Opera_Deploy/Mobile_0100_base.dls
SvcConfig 503 ??? 100 ??? ??? ??? ??? /dev/sidecar
SvcConfig 503 ??? mem ??? 1f:04 0 386 /Opera_Deploy/SvcConfig
SvcConfig 503 ??? mem ??? 1f:04 20480 386 /Opera_Deploy/SvcConfig