Related
when do you guys think microsoft will stop giving out the activation keys?
i think soon cause of this new rom, but i'm happy i got my key already. lol
I'm already suprised they don't verify imei numbers before giving it to you.
nrfitchett4 said:
I'm already suprised they don't verify imei numbers before giving it to you.
Click to expand...
Click to collapse
that's extacly what i was thinking when they said for you to call MS to activate the phone.
nrfitchett4 said:
I'm already suprised they don't verify imei numbers before giving it to you.
Click to expand...
Click to collapse
Because you're going to see a load of banned Live IDs for this...
This must only be in the US and I have a HTC Trophy 7 in the UK and working on my live account without activating
alan1467 said:
This must only be in the US and I have a HTC Trophy 7 in the UK and working on my live account without activating
Click to expand...
Click to collapse
because they're talking about flashed HD2's which require activation
I'd be wary about doing it just so I don't get Xbox banned
hidden_hunter said:
because they're talking about flashed HD2's which require activation
I'd be wary about doing it just so I don't get Xbox banned
Click to expand...
Click to collapse
hey i live in belgium and i flashed my omnia 7 more than 2 time and it never asked for id
hidden_hunter said:
because they're talking about flashed HD2's which require activation
I'd be wary about doing it just so I don't get Xbox banned
Click to expand...
Click to collapse
which is the reason why i made a new account,
i'm not trying to risk my main account you know... lol
nrfitchett4 said:
I'm already suprised they don't verify imei numbers before giving it to you.
Click to expand...
Click to collapse
I have my imei and hd7 before so if they want it...I got it
my hotmail is also associated as dvp previously owned hd7
so I'm in the clear if microsoft has a problem
I Don't think they should have a problem anyways, it's not like WP7 is sky rocketting these days and this HD2 boost brings a lot of developers on board and a lot of attention, they are probably doind MS a favor... WP7 on the HD2 is the best thing that happend for WP7 since it launched, now with a far larger user-base, they can rack up money from Marketsales.
Besides, they can't check if you don't have an HTC HD7, they can probably ban all of those who activated their "HD7's" in the last week, but that will be very very wrong.
And lets say they do ban us, that will just make people mad and probably more anxious to hack the system even further.
tkato said:
I Don't think they should have a problem anyways, it's not like WP7 is sky rocketting these days and this HD2 boost brings a lot of developers on board and a lot of attention, they are probably doind MS a favor... WP7 on the HD2 is the best thing that happend for WP7 since it launched, now with a far larger user-base, they can rack up money from Marketsales.
Besides, they can't check if you don't have an HTC HD7, they can probably ban all of those who activated their "HD7's" in the last week, but that will be very very wrong.
And lets say they do ban us, that will just make people mad and probably more anxious to hack the system even further.
Click to expand...
Click to collapse
Love your logic. Actually, considering imei and serial numbers are device specific, if they would have asked, that would have stopped most people right there.
How many hd2's do you think are in the world? I don't think all that many. And how many xda members actually spend money on programs??? Most want them all for free.
hidden_hunter said:
because they're talking about flashed HD2's which require activation
I'd be wary about doing it just so I don't get Xbox banned
Click to expand...
Click to collapse
There is conflict when you have two sep phones with same account @live.com (ie: real wp7 and hd2-wp7) and then sign in at same time to try and use xbox live.
Edit/Update:
Wondering how live pvk and id goes to phone in hd2-wp7 situation where no real device provisioning partition exists?!?!?!??! This leads me to think that maybe:
Perhaps with Cotulla's partition layout over 4 seperate nand areas it would be an option to modify this and his wp7 spl because the activation thing happened AFTER (live activation hack around etc) he had finished leo70 release and then..........
-whilst jtag/usb or eth/debug happening- (obviously you'd though of this b4- im just theorizing- let me know if way off)- to take a HTC HD2 (LEO70) that HAS BEEN ACTIVATED ON LIVE and see where/how/when/with/which partitions, filesys, regkeys, etc, have pvk for live or the ffu and then insert a test cert like ur own xbmod/chevron. or whatever is in sdk for 7 or ce. and then utilize this to diff and comp. I dont see why not. Then .ffu then self signature.[/QUOTE]
If anyone is looking at doing this and needs hardware or I can help let me know thanks. Also:
Anyway to DUMP the newly-activated after-hack after-key after-ms-call hd2 wp7 contents completely? Any news on this unknown filesystem and sd jbod with nand? If a way to extract device provisioning partition etc. Not interested so much in live but more HSPL-for-WP7 creation to allow custom roms. Can not seem to find much on this. Anyone got ideas on own signature or other method using pre-existing leo70 nand parts as workaround maybe?
For the record - I have used a singled live key from Microsoft activation phone call more than 4 times on 2 devices and it works fine over and over: you have to consider fact that if vendor or product id was misflashed at factory onto DPP then every hardreset would not wipe this (unsure)? eitherway:
does ne1 know what the key over the phone from microsoft is actual doing? is this key taken with say imei or serial of phone and maybe your @live.com unique GUID and seeded or used with hash or some algorithm to produce a pvk for device provisioning partition? or it simply override and enable live? are there only one type of activation key over phone? seems there could be ones maybe based on your live address+guid and ones that completely allow model and oem identification to be cleanly changed?
I am just theorizing here from what I have been reading. Finally: Is it true that uk/etc MS stopped giving out keys and referring ppl to HTC etc for key2live?
leo70 said:
Edit/Update:
Wondering how live pvk and id goes to phone in hd2-wp7 situation where no real device provisioning partition exists?!?!?!??! This leads me to think that maybe:
Perhaps with Cotulla's partition layout over 4 seperate nand areas it would be an option to modify this and his wp7 spl because the activation thing happened AFTER (live activation hack around etc) he had finished leo70 release and then..........
-whilst jtag/usb or eth/debug happening- (obviously you'd though of this b4- im just theorizing- let me know if way off)- to take a HTC HD2 (LEO70) that HAS BEEN ACTIVATED ON LIVE and see where/how/when/with/which partitions, filesys, regkeys, etc, have pvk for live or the ffu and then insert a test cert like ur own xbmod/chevron. or whatever is in sdk for 7 or ce. and then utilize this to diff and comp. I dont see why not. Then .ffu then self signature.
Click to expand...
Click to collapse
If anyone is looking at doing this and needs hardware or I can help let me know thanks. Also:
Anyway to DUMP the newly-activated after-hack after-key after-ms-call hd2 wp7 contents completely? Any news on this unknown filesystem and sd jbod with nand? If a way to extract device provisioning partition etc. Not interested so much in live but more HSPL-for-WP7 creation to allow custom roms. Can not seem to find much on this. Anyone got ideas on own signature or other method using pre-existing leo70 nand parts as workaround maybe?
For the record - I have used a singled live key from Microsoft activation phone call more than 4 times on 2 devices and it works fine over and over: you have to consider fact that if vendor or product id was misflashed at factory onto DPP then every hardreset would not wipe this (unsure)? eitherway:
does ne1 know what the key over the phone from microsoft is actual doing? is this key taken with say imei or serial of phone and maybe your @live.com unique GUID and seeded or used with hash or some algorithm to produce a pvk for device provisioning partition? or it simply override and enable live? are there only one type of activation key over phone? seems there could be ones maybe based on your live address+guid and ones that completely allow model and oem identification to be cleanly changed?
I am just theorizing here from what I have been reading. Finally: Is it true that uk/etc MS stopped giving out keys and referring ppl to HTC etc for key2live?[/QUOTE]
I think the limit is 3 devices per key before MS drops the hammer.
microsoft germany support asked me for the IMEI of my HD7 (which is of course a HD2). the support guy entered the number i told him and i got an activation key.
i thought they maybe have a list of IMEIS from phones suitable for running WP7, but apparently not ...
**used Android ID Changer.. worked exactly as i needed..**
Im running vegan rom
i play a couple games that are tied into the phone( or whatever) unique id..
When i installed these games, they already act like i already have an account and will not let me login with my user(one account per device). My question is how do i change my id? If i used the id from my phone would it just act as a clone? Im fairly android literate but i cant quite figure exactly what i need to do to (or exactly explain my delima) any help or direction would be appreciated ~evil
I'm not sure how to change this, I only learned of it the other day. The Swype Beta uses the ID to register you for the beta, so if you lack one like we do then it won't work and say its unsupported. The IDs are usually unique and only appear on "phones" (devices with cell capability). However, HTC and Samsung have applied one ID to all of one device so this breaks some programs. This leads me to believe we lack the ID entirely. If you find out where the programs are looking and how to add or change the ID make sure to post the information up for everyone.
Good luck!
Found it. find and install Android ID changer. It allowed me to do what I needed.
That's what I needed to change. Somehow someone else had to have the same as mine, hard to believe but that had to be the case. Not sure if its the same thing swype is looking at though
Hi there,
This software is an Antitheft and you can use it to track your device when it was lost or stolen. It works catching a formated SMS/EMail sent from any phone/computer and then receiving useful informations back.
You can use it to others objectives, like keep your eye in your child. Use your imagination!
You can set up to four emergengy contacts to receive SMS if the thief change your SIM card and you still can track your device.
The RemoteTracker for Android is an evolution from an old project for Windows Mobile 6 (If you want to see the entire history, please click here).
I'm justing starting this project. There are much more to come.
To send a command to RemoteTracker, send a SMS with the syntax: RT#(command)#(phone or e-mail)#(password). Example: RT#EGP#[email protected]#1234. This version answer the commands below:
help - send to you a list of commands available in Android platform;
ehelp - same as 'HELP', but send the list by e-mail;
fhelp - same as 'HELP', but send the list to your FTP server;
gp - try to get GPS coordinates and send back to cel number passed as parameter;
egp - same as 'GP', but send the list by e-mail;
fgp - same as 'GP', but send a file to your FTP server;
gi - Send informations about your phone: IMSI, IMEI and ICCID;
egi - Same as 'GI' but the answer goes by e-mail;
fgi - Same as 'GI' but the answer goes to your FTP server;
cb - your phone will make a Call Back to you. Just make a call and let the microphone open;
cellid - Retrieve informations (CELLID, LAC, MNC and MCC codes) about the tower your phone are connected. Send to you by SMS;
ecellid - same as 'CELLID', but the answer goes by e-mail;
fcellid - same as 'CELLID', but the answer goes to your FTP server;
secret - if you forget your password you can use this command to receive by SMS your personal secret question;
lostpass - used to receive your password if you forgot it. You must send the answer for your secret question, so, you can use the secret command to help you;
Commands available only in PRO version:
PICSON - Makes RemoteTracker (only PRO version) watch for new photos and send them to Default EMail Address;
PICSOFF - Makes RemoteTracker (only PRO version) stop to watch for new photos;
EPICSON - Same as PICSON, but send an E-Mail back;
EPICSOFF - Same as PICSOFF, but send an E-Mail back;
FPICSON - Same as PICSON, but send the answer to FTP server;
FPICSOFF - Same as PICSOFF, but send the answer to FTP server;
PCALLSON - Makes RemoteTracker (only PRO version) takes a photo on a call is receive or made and send it to Default EMail Address;
PCALLSOFF - Makes RemoteTracker (only PRO version) stop to take photos on calls;
EPCALLSON - Same as PCALLSON, but send an E-Mail back;
EPCALLSOFF - Same as PCALLSOFF, but send an E-Mail back;
FPCALLSON - Same as PCALLSON, but send the answer to FTP server;
FPCALLSOFF - Same as PCALLSOFF, but send the answer to FTP server;
WIPEDATA - This command will return your device to factory default and format your SD Card.
There are another features inside RemoteTracker, like:
- SIM CARD change observer;
- Automatically restore your preferences if you reinstall it. This feature is particular useful if you have a custom ROM with RemoteTracker inside. Once configured, everytime your devices boots up, your preferences will be restored;
- Works as Device Admin, so it can't be uninstalled if you don't know the password;
- And more...
This project can be multi-language. In this version there is only English (sorry about it, my english is very bad because this is not my mother language). If you want to make your own translate, I can tell how. Very simple.
If you decide to try RemoteTracker, I would like to read reviews, comments and suggestions. Remember this is a beta version and may contain bugs. Use at your own risk and with caution.
--> It is a work in progress. In future versions I will make a lot more.
Support this project
You can support this project making a donation clicking here or clicking the banners in the project website: http://remotetracker.sourceforge.net
All the best,
Joubert Vasconcelos
Hello friends!
To test RemoteTracker please download it from here:
http://remotetracker.sourceforge.net/RemoteTracker.apk
Before your tests, please turn on the Debug option. It will make RemoteTracker write the remotetracker.txt file in the root of your memory card.
All the best,
Joubert
I just released the second beta!!!
Now, RemoteTracker can automatically turn on the Mobile and WiFi network to try get location and send EMails!
For older phones RemoteTracker also will automatically turn on the GPS! Unfortunately this is impossible if you are using new Android versions (2.3.x or so).
A few minor bugs was fixed.
All the best,
Joubert
joubertvasc said:
For older phones RemoteTracker also will automatically turn on the GPS! Unfortunately this is impossible if you are using new Android versions (2.3.x or so).
Click to expand...
Click to collapse
GPS can be enabled in 2.3+ - but only if device is rooted. That's what it says in the Cerberus entry in "AppStore" [edit: AndroidMarket].
Hi!
Yes, if you have a rooted device is very easy to enable GPS remotely. But I do not recommend in any way for users to root the phones for security reasons.
I think you are talking about Market, not AppStore We are talking about Android not Apple
All the best,
Joubert
New beta 0.3!!!
Hello again,
I just released version 0.3. Now we got FTP answers back!
In Configurations I added a session to input your FTP server details. The example commands GI and GP now works with FGI and FGP as well.
Once again minor bugs was fixed. If you want to try please download the APK here: http://remotetracker.sourceforge.net/RemoteTracker.apk
As soon as possible I'll make a TODO list and a Road Map.
All the best,
Joubert
Copying my post form the old thread so I can subscribe to this one:
Wow, nice to see this make it to Android.
Some suggestions,
1: Name it something that isn't obvious in the market. Don't want a thief easily finding it in the installed apps list. Going to the market and then buying "my apps" shows you exactly what's installed. So you should name it something totally different that nobody would suspect or want to remove. Like "memory maximizer" or something like that. Probably want to keep it in the middle of the alphabet so it's not at the top or bottom of the list.
2: Maybe make a way to remotely monitor the front/rear camera. Then you could get the thief on video (and also see if it's a crowd, or some huge guy you don't want to mess with, lol).
I'll try to help test when I get another phone and more time. Right now I don't have a lot of time to work out bugs. And more importantly I only have the 1 phone, and I can't afford to have it malfunctioning (I need it for work). I'll buy a used extra phone for testing and then I'll help test.
Thank's!
Be sure I'm worry about the Name I'll post on Market. Not now. I'm trying to make it working and I'll see what I can do later.
About cameras, yes, I think we can control them. At least take pictures and send to an e-mail account. To remotely monitor the cameras, may be I need a server to receive/transmit stream. Of course this is in my todo list
All the best,
Joubert
joubertvasc said:
Thank's!
Be sure I'm worry about the Name I'll post on Market. Not now. I'm trying to make it working and I'll see what I can do later.
About cameras, yes, I think we can control them. At least take pictures and send to an e-mail account. To remotely monitor the cameras, may be I need a server to receive/transmit stream. Of course this is in my todo list
All the best,
Joubert
Click to expand...
Click to collapse
I would rather set up my own server (or even directly stream peer to peer from the device). That way you don't get stuck with hosting fees and the app doesn't die if you decide to stop supporting it someday (not that you would).
There are many possibilities. I'll try all of them.
All the best
Joubert
Another beta
Hi all,
I release another beta. Once again, if you decide to try it, please download from http://remotetracker.sourceforge.net/RemoteTracker.apk.
I edited the first post to add new features. And I have a notice...
I created a free and pro versions. The free version will have the most common commands we had in Windows Mobile. Only specific commands for Windows Mobile I can't write for Android. Pro version will have new features to come (I don't know yet).
But I don't want to charge my friends, so, if you are a beta tester or help me with anything, I'll give the PRO version for free. But it's for future now I'm engaged to finish RemoteTracker free as best as I can do.
All the best,
Joubert
Possible Bugs
Hi Joubert,
Thank you for have been developing so useful application. I believe everyone here is excited about what you are doing.
I tried your better version and here what I have to say:
1) You stated that the command format is RT#EGP#[email protected]#1234, but what if I want to use command to upload that info to FTP? Then,theoretically, I don't need to indicate my email or phone in the command. At the same time commands like "RT#FGP#1234{this is a password}", "RT#FGP##1234{this is a password}" are not recognized as valid RT commands or even failed with fatal exception. How can I upload this info to FTP, what should be the format of the command in this case?Indicating an email inside the command or phone number when sending to FTP seems a kind of redundancy.
2) Once an Fatal error appeared, it started appearing for each further VALID command which were working before. Error states the following:
Fatal error: Call to a member function query() on non-object in /celerra/webstor/root.dev/usr/sms core.php on line 234, most likely there it has some null reference there.
3) In the log file I see that its trying to send messages to invalid address substituting "@" at "?". Does it mean it sends to correct address but it writes to the logs incorrectly or is it really a bug? Because I don't receive any emails at all.For example, when sending RT#EGI#[email protected]#De41Be02AF in the logs I see that it mentioned it sent the message to "test?test.ru" instead of "[email protected]"
This is it for now. I can try to help you out with programming. I have no experience in Android development but have been developing in C# for 7+ years.
Again thanks for you effort.
ser-j said:
Hi Joubert,
Thank you for have been developing so useful application. I believe everyone here is excited about what you are doing.
Click to expand...
Click to collapse
I'm stuck right now. I can not go ahead because I'm not finding some answers. But soon I return to search. Very good to know there are people wainting my work to be done, because there are lots of good programs in Google Market (now Google Play).
ser-j said:
I tried your better version and here what I have to say:
1) You stated that the command format is RT#EGP#[email protected]#1234, but what if I want to use command to upload that info to FTP? Then,theoretically, I don't need to indicate my email or phone in the command. At the same time commands like "RT#FGP#1234{this is a password}", "RT#FGP##1234{this is a password}" are not recognized as valid RT commands or even failed with fatal exception. How can I upload this info to FTP, what should be the format of the command in this case?Indicating an email inside the command or phone number when sending to FTP seems a kind of redundancy.
Click to expand...
Click to collapse
You should use: rt#fgp##1234 The double # are still necessary. I'm working on a simpler syntax to be used in final version.
I'm worried about fatal errors. That's why I released beta versions. Please use Configurations Menu and check the Debug Options. After that you will see in the root of your memory card a file named remotetracker.txt. Send that file to me please.
ser-j said:
2) Once an Fatal error appeared, it started appearing for each further VALID command which were working before. Error states the following:
Fatal error: Call to a member function query() on non-object in /celerra/webstor/root.dev/usr/sms core.php on line 234, most likely there it has some null reference there.
Click to expand...
Click to collapse
I really don't know what is this. Please send the log file to me. I wrote RemoteTracker for Android in Java, not PHP!!!
ser-j said:
3) In the log file I see that its trying to send messages to invalid address substituting "@" at "?". Does it mean it sends to correct address but it writes to the logs incorrectly or is it really a bug? Because I don't receive any emails at all.For example, when sending RT#EGI#[email protected]#De41Be02AF in the logs I see that it mentioned it sent the message to "test?test.ru" instead of "[email protected]"
Click to expand...
Click to collapse
Are you sending the command using another phone, the same phone or using some WEB service (like your carrier website)? There is no code to change '@' to '?'.
ser-j said:
This is it for now. I can try to help you out with programming. I have no experience in Android development but have been developing in C# for 7+ years.
Again thanks for you effort.
Click to expand...
Click to collapse
Thank you very much for your tests. I need that! There are lots of Androids around the world and make something secure for everyone will be a journey.
All the best,
Joubert
Notices
I almost finished writing the commands that existed in RemoteTracker for Windows Mobile (at least the ones Android can execute).
But I'm still trying to make the security of RemoteTracker to be more robust. I had Features in Windows I can't write for Android yet:
- Prompt for password when uninstalling;
- Lock / Unlock the unit with the LOCK / UNLOCK commands;
I'm not able to use the camera without the need to provide a preview to the user. According to the source code of Android that is impossible, but I saw some programs doing that, so there is a way to do that and I'm looking for this information.
If anyone knows how please help me
All the best,
Joubert
Answers to the questions
Hi Joubert,
Sorry for being silent for so long.
joubertvasc said:
Are you sending the command using another phone, the same phone or using some WEB service (like your carrier website)? There is no code to change '@' to '?'.
Click to expand...
Click to collapse
I am using Web service of my sim provider to send SMS. Didn't have a chance to try with sending SMS from the phone.
joubertvasc said:
Thank you very much for your tests. I need that! There are lots of Androids around the world and make something secure for everyone will be a journey.
Click to expand...
Click to collapse
Yes, you are right.
As to the log file I will send it to you shortly.
Thank you. I'll wait for your log to see details. You can send it directly to my e-mail.
All the best,
Joubert
Hide Remote Tracker Application
Hi Joubertvasc:
Are you planing to make a feature to hide the Remote Tracker from the drawer and from any place of the phone. Like with the Theft Aware; you can access the application by dialing from the Phone Dialer. You enter your four code number then hit call. This will open the apllication without calling the number.
Regards;
Willie
Sounds good. I will take a look about how to do that.
Thank you.
Hi!
After a long time I'm back with a new version. This one has lots of bug fixes:
http://remotetracker.sourceforge.net/RemoteTracker.apk
My problem now is Android 3.1 and later, because they don't intercept messages all the time. They need human access the configuration module once to work. Security issue Google said... I'm trying to find an exit.
Best regards,
Joubert
G'day mate.
Long time no see. Great work on this app so far.
I've finally gotten around to installing it and play around with it a little.
I'm testing this on HTC One X with Revolution HD ROM
Here are a few ideas and tips for you to incorporate into your next version.
1. Include an option that allows users to set how many replies to get back from your software.
For Example. If I were to use #RT#GPS#1234, it currently only sends 1 reply. The problem with this is that most GPS units are accurate withing 5 - 10 meters. I tested it on myself where I am and it picks me up as being 2 houses down. If there was an option to send me 3 replies, in 60 second intervals, at least I would get the average GPS location of the phone. If your phone is stolen, it would also be a good idea to have unlimited SMS replies with 60 second intervals so I can get real time minute by minute location on where my phone is. Maybe this might be an idea for your Pro version. Have the option for how many replies to get and also an option for interval time between each reply.
2. Another idea for Pro version. Hide the RemoteTracker Icon from the Apps menu, or disguise it as a useless setting so if a thief were to look in the Apps menu, they wouldn't see it straight away, so wouldn't be forced to reset the ROM. Most thieves aren't smart enough to reset the phone as soon as they steal it, They normally wait till they get home..... but if he saw a tracking program, it would make them either turn the phone off right away, or reset the ROM right away.
3. I dont know much about Android programming, but an idea for capturing the Camera is to embed the photo into an MMS, or as an attachment in an email. Trying to muck around with FTP would be a waste of time because the average user wont have an FTP server, and you dont want to set up a central one because it would give every noob hacker a target to try and get into.
I will keep playing around and get back to you with any other problems or ideas for you.
Keep up the great work.
Loved the software on WinMo and looks like the Android version will be just as great.
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
:good:
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
---------- Post added at 04:36 PM ---------- Previous post was at 03:44 PM ----------
:good:
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
Ummmm...Yeah. If you say so.
solcam said:
Ummmm...Yeah. If you say so.
Click to expand...
Click to collapse
Anyone managed to download this?
No. It says that it belongs to an unvalidated account. I know that 418 is now out too if anyone might have this one.
cezar1 said:
This file infected by troyan. Thanks a lot
Click to expand...
Click to collapse
I had no issues with it... and still use it. I will look into it. I did not upload it, I just posted the link.
---------- Post added at 10:56 PM ---------- Previous post was at 10:32 PM ----------
cezar1 said:
This file infected by troyan. Thanks a lot
Click to expand...
Click to collapse
I did some checking and a few people DID have issues with this. Thank you for bringing it to my attention...
If you install this via "setup.exe" it will put a backdoor on your system. It lives at "C:\Users\Admin\AppData\Roaming\Qualcomm". It will also add itself to the "HKCU/Software/Microsoft/Windows/Current Version/Run" key in the registry. There is no virus in the MSI file.
You should be able to detect it, remove it and use build 422. Again, I am using it without issue.
rekamyenom said:
I had no issues with it... and still use it. I will look into it. I did not upload it, I just posted the link.
Click to expand...
Click to collapse
Hello, fellow QPST users.
QPST 2.7 Build 4.2.2 is a fake version with keylogger.
Some a$$hole downloaded latest public QPST build (4.0.2) and decompiled MSI installer package, then edited all "4.0.2" to "4.2.2", added "fake changelog", added keylogger (qualcomm.exe), then repackaged and spread around web!
Everyone who downloaded QPST build "4.2.2" should change all his passwords.
More info about malware from fake 4.2.2 build (QPST.2.7.422.msi)
MSI package (QPST.2.7.422.msi) was embedded/tampered with qualcomm.exe which is a .NET based malware that logs your keystrokes and sends it to attacker's server.
How to delete the actual malware from your system?
Look at the startup from msconfig or CCleaner, there should be a file called qualcomm.exe thats set to start everytime system starts. Delete both registry and file.
If you wanted to see what data thief was stolen from you. Just open the .dc file (in "dclogs" folder) with Notepad and see for yourself.
In XP, dc file is located here!
C:\Documents and Settings\Administrator\Application Data\dclogs
there should be a file called "201X-XX-XX-X.dc
if you open that DC files with Notepad, you'll see all your keystrokes.
Here is mine. I've intentionally entered paypal site with fake info.
:: Run (3:01:51 AM)
Script kiddie. NET Based malware, huh?[ESC]
:: Program Manager (3:02:14 AM)
e
:: Firefox (3:02:18 AM)
www.paypal.com
[email protected][TAB]
mypaypalpass
[ENTER]
:: Documents and Settings (3:02:19 AM)
[UP]
:: Administrator (3:02:28 AM)
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
d
:: (3:02:34 AM)
:: Administrator (3:02:34 AM)
d
:: (3:03:11 AM)
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
:: [Release] QPST 2.7 BUILD 422 - Download Here - Enjoy - Mozilla Firefox (3:03:57 AM)
crap
How to delete?d
:: Clipboard Change : size = 16 Bytes (3:03:57 AM)
QPST.2.7.422.msi
:: (3:04:23 AM)
cccccc
Click to expand...
Click to collapse
Keylogger sends the logs from keylogger to "qpst.hopto.me"
So please report about this incident where and when you encounter QPST 4.2.2 somewhere (forums, posts, sharing-sites, etc)
Copy my whole post and paste it where you see 4.2.2 mentioned.
Bonus: Fake Changelog
If you've installed this 422 build, then open the Readme.txt in C:\Program Files\Qualcomm\QPST\Documents
Scroll down and see the "6/12/13 QPST 2.7.422 changelog"
6/12/13 QPST 2.7.422
1) EFS Hello commands will not be sent unless the device is in a compatible mode. Sending this command when the
device is in download mode can cause a "server busy" message for a few seconds because of command retries.
2) Support for the Sahara device protocol (see 80-N1008-1 or equivalent) is now built in to the QPST server process.
This protocol is only supported by USB Serial ports, not TCP/IP connections. In QPST Configuration a device in
this mode will display as "Q/QCP-XXX (Sahara Download)". This mode can only be detected (1) when the QPST server
process starts or a COM port in this mode added to QPST, or (2) when a device enters Sahara mode on a port assigned
to QPST. This is because the device only sends its Hello message once, as soon as the COM port is opened.
Click to expand...
Click to collapse
Changelog above is actually cloned from QPST 2.7.394 Just scroll down and see Build 2.7.394 changelog. Its same!
So forget about Build 422. It doesn't exist.
Use QPST 2.7 Build 402. It's the latest public build
Sorry about my english
Best Regards
AnycallMongolia
can somebody give proper qpst latest version.
pl provide dropbox link
madroamer said:
can somebody give proper qpst latest version.
pl provide dropbox link
Click to expand...
Click to collapse
Okey, someone (HuaweiDevices.ru) leaked QPST v2.7.411 to the public. I've installed it myself and confirmed that its legit build.
Here is original link of the leak..
Here is my link.
http://d-h.st/qAy
Thread cleaned, potentially unsafe file and posts are gone. All members are to be reminded that whenever you flash anything, regardless of what it is, you take chances.
Thanks for the report, and thanks for not being disrespectful regarding the matter.
Now, back to development.
Thanks for your sharing this.
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
anycallmongolia said:
Okey, someone (HuaweiDevices.ru) leaked QPST v2.7.411 to the public. I've installed it myself and confirmed that its legit build.
Here is original link of the leak..
Here is my link.
http://d-h.st/qAy
Click to expand...
Click to collapse
Link works. Thank you.
Hello guys, i have a LG G2 with 3g issue , it works just in 2g, somebody can upload his QCN file so i try to replace mine with it? Thank you so much
!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!
!!! TROJAN AGAIN !!!
Some time ago in Feb 2014 man named anycallmongolia posted a link to QPST 2.7 build 411
Link points to the site HuaweiDevices.ru
h_t_t_p_://_huaweidevices._ru/ROMS/QPST_2.7.411.rar
Later I'd personally downloaded this version from this topic a few times in 2014 and this was normal non fake QPST which i'd installed on a few PC's. (Can't remember particular link now). Today I would like to install QPST to a new NB PC, so assumed this topic as the best source. Being a recovery/data structures expert I always inspect code (mostly by viewing in text/hex). As most of members I've very high trust level to xda (certainly it's much higher then one related to the "famous and respectable" corps like Google/MS/Apple/etc, who aren't on my side, I'm sure).
I've installed QPST got from this topic a few times, so I'd almost pressed Enter (I use FAR most of time and advice you to do the same) over the DL'd file "qpst 2 7 411.exe".... What??? - EXE??? And it's just about 500Kb long... But QPST installer occupies about 16Mb.
I've explored body - I's typical malware with slightly "encoded" (to prevent direct reading) data inside. QXDM offered on the neighbor page is the same malware of the same size.
If you'll try to dl QPST from above link you'll got 404 error in the center of normal html page with site menu etc... What normal man would think in this case? He'll think page/product have moved (e.g. due to overload protection) and what he'll do next? He'll try to find where page have moved and... will got link in menu just at the bottom of 404 page. It's just trivial (but very good working!) "social engineering" - publish real app in trusted place and when it will pass checks replace it with malware. (Or may be domain was sold to the criminals as it often occures in Russia for a few latest years). Even if you will check DL url in the status bar it will show link to the .RAR archive, but ASAY click the link it will be redirected to .exe!
PLEASE PUBLISH BIG WARNING on TOPIC START and remove links to HUAWEIDEVICES.RU!!!
Furthermore. Situation is much worse because huaweidevices shows 1ST position in search request "QPST 2.7.411" by Yandex.ru (#1 search engine in Russia) and 2ND position in Google results with the same request!!! It's VERY DANGEROUS situation! Thousands if not millions of peoples are at risk of infection.
I'm going to write abuses to Google and Yandex NOW!
Please spread info on such a new attack manner/technique around your friends, collegues and internet.!
Always check what you run!!!
QPST 2.7 build 425 (The REAL Thing!)
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
drkcobra said:
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
h_t_t_p_://_w_w_w.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Click to expand...
Click to collapse
Very very very BIG Thank you!!!
That's really new one and it contains new very promising QFIL util. Didn't explored much yet!
God bless on you man!
BTW does anybody know how to descramble (decrypt)/scramble (encrypt) back EFS/NVRAM partitions (in most cases modemst*). I'd like to be able to patch/change every byte in EFS (not just locks etc bull****, my phones are always free of any contracts). Full modem FW reversing seems too difficult to me (i'm 'not so strong' in ARM assembly and there is too much code in modem FW). I'm sure for a such long period (over decade) of EFS life there should be methods around to manipulate it independently of mfr/commercial products, but I can't find them for a long time. Trust me, it's fully idiotic situation I'm (you're) not able to do with my (yours) computer (PDA is computer, not the "phone") all I want to do being "restricted" to access only data some f...n mfr "allowed" me to access. It's my device, I'd paid for it and I will decide what me to do with it.
Furthermore, modern public licenses don't allow to hide parts of object (device) code, where GNU/GPL code is the main part. Is anybody here who think that Linux/Unix value in ALL there f...n "modern" Android devices less than 90%? Most router mfrs have already forced by requirements GNU/GPL to publish full compilable code of their firmware. I shouldn't have clue what all they want to hide related to their "commercial" and manipulating interests. Using 30years of thousands people's free labor in their commercial products , they're obligated to publish full sources and should DO IT.
Apple is today wealthiest corp on this planet, but If you'll look into the Apple's internals you'll find tons of MODERN Linux code (protected by modern GNU/GPL) simply stolen from open source depositories, then adopted to MacOS/iOS then closed and sold as commercial product . Is it fair game?
TheDrive said:
Very very very BIG Thank you!!!
That's really new one and it contains new very promising QFIL util. Didn't explored much yet!
God bless on you man!
BTW does anybody know how to descramble (decrypt)/scramble (encrypt) back EFS/NVRAM partitions (in most cases modemst*). I'd like to be able to patch/change every byte in EFS (not just locks etc ...................
Click to expand...
Click to collapse
I use EFS Pro for BackUp and Restore.... Sadly its windows only, but works great with VirtualBox on Linux Mint Cinnamon/MATE 17.1 x64.
Hosted on the wonderful XDA:
http://forum.xda-developers.com/gal...ol-updated-09-06-14-efs-professional-t1308546
FWIW
I hear you about Apple, used to be a hardcore fan, when they were nearly bankrupt. I still swear by OS X, but not the iTard line of devices. I tell my nieces and nephews to get an Android cause they are not ignorant! lol There should be more of an effort to make people understand that Apple is using allot of *BSD (Linux) source. The GUI is closed, but some of the other source is available in the dev program site they host.
unimatrix725 said:
I use EFS Pro for BackUp and Restore.... Sadly its windows only, but works great with VirtualBox on Linux Mint Cinnamon/MATE 17.1 x64.
Hosted on the wonderful XDA:
http://forum.xda-developers.com/gal...ol-updated-09-06-14-efs-professional-t1308546
Click to expand...
Click to collapse
Thank you! Certainly I know this good product. It can manipulate NVRAM through COM-port, just the way QPST does it communicating w/modem FW. Is has many advanced options but seems not to be reliable enough (too many OEM customizations around, it's difficult to reverse all) As you stated it can also backup some partitions (like EFS). but you can do this yourself just by simple ADB/Unix shell commands (e.g. "dd if=/dev/block/mmcblk0p?? of=/sdcard/mmcblk0p??.img")
You can write simple scripts and perform such backups directly from device (to SD). Furthermore, you can customize CWM/TWRP for your device to perform such backups from recovery.
To do it you should know which partition numbers to backup/restore (to backup/restore what data you want).
There are methods/commands available to get needed info to build full device partition map (e.g. some devices contains "folders" named "by-names" deeper in /dev/block/... (where partitions are named), but in some cases (e.g. some 2013 MSM7227 based Samsung phones like GT-S756x) there is no names associated with particular proprietary partitions in the device, (at all) so the only way to find what data reside there is to backup and look (hex) with your own "experienced" eyes what these data seems to be (or search what others found on the theme). EFSPro "from the box" also knows only a few device's partition maps so, in most cases you should build configuration for your device manually with full knowledge of it.
There is no problem to locate and backup encrypted modem data partitions (modemst*/efs/etc...) if your device is rooted. Moreover, if your device has standard Qualcomm bootloader (not OEM's cut) you can switch device to the standard Qualcom DM (download mode) when all your eMMC contents will be exposed to USB bus as mass storage device (just like UFD or SDCard) and you can backup/restore whole drive contents or particular partitions just like PC's own partitions (try some "chnese" stuff (made of quality parts) instead of "branded" ones and you'll see superiority of the "open world".
But main question is how to decrypt modem data to explore and change them as I want at any time. Mfrs (i.e. Qualcomm and OEMs hide serials, locks etc BS there, but there is a lot of other interesting stuff related to modem configuration which is also closed and encrypted. This drives me wild because it's my device and my serials/locks and other stuff too, so it's my option to do with is what I want and no one else. I'm definitely know and sure modem FW/config and even mask ROM (which we most probably never will be able to explore) contains many hidden features that may lead to remotely force device to collect info about user and perform actions without his knowledge and consent. I have no matter what all these sec... services planned to do with all these exploits they forced OEMs/chipmakers to implement., but (sic!) they allowed information about these exploits to leak wild! So some "generic" engineers who simply have job and low level access to cellular provider's equipment (which able to broadcast custom service packets) to make "what they want with user's phones (e.g. switch it on or request GPS data) just "for fun". F them all, but most idiotic is fact that being an 25y experienced "lowest level" service engineer I can't get access and control over my own devices (i.e. computers). It's incorrect. It would be difficult but we should pay more attention to explore internals and get clue what goes on.
unimatrix725 said:
FWIW
I hear you about Apple, used to be a hardcore fan, when they were nearly bankrupt. I still swear by OS X, but not the iTard line of devices. I tell my nieces and nephews to get an Android cause they are not ignorant! lol There should be more of an effort to make people understand that Apple is using allot of *BSD (Linux) source. The GUI is closed, but some of the other source is available in the dev program site they host.
Click to expand...
Click to collapse
I've personally explored OSX files and partitions and seen much modern Linux code inside. They even don't hide "copyrights". Nobody will explore anyway and nobody cares. Old 80x-90x versions of public licenses allowed to do "anything" with free open sources (including to make changes, then close sources and sell product). After some smartasses like Apple used this hole to sell free labor of thousands of peoples, public license had changed. Modern licenses allows you to sell derived product, but obligate you to open sources (with same license) so anyone else can use them to and sell too. You can't close your part of sources if free code is most valuable part of your product. E.g. router mfr can't close part his own sources to make firmware sources "uncompilable" because Linux definitely is most valuable part of router FW. This warrant later development of free open source programs and free community n whole. Apple stated that they used only old 80x code in their OS'es and then developed it separately and thus they are not obligated to open sources to everyone. They would be right unless they didn''t used a lot of modern code protected by modern public license's requirements. I didn't explored deeply. May be they publish all derived code for free. Today we can't say accurately if some modern Linux components they adopt for Mac/iOS are most valuable part of their systems or not. We should explore all the code to make decision. but anyway it's not fair to use a lot of thousand's people's free labor just to make money. Google's position here is not ideal but much more fair. They publish most of sources and support open source community. They don't try to make system "unbreakable" and they don't force you to use their accounts too much. I've NO Google "phone" account AT ALL. I've no need in any "markets", "clouds" ect BS., which lead absolutely no problem to me to effectively use Android devices. There are lots of free APK's around
It practice, I have 2-3 old iPhones just for experiments. Yes we have Jailbreaks and some other stuff, but even if you break and get access to your device it's very uncomfortable to work with it at low level. On my sight just one ADB interface costs more then all "jingles and bells" of iOS's GUI. All these "tethered-untethered", "unbreakable" bootloaders in Mask ROM, lack of normal tools to explore and manage data on any level, total control and extraction of my data by mfr via strongly encrypted obfuscated protocols and hidden services make these devices useless for me in practice.
Windows Phone is even far more closed OS then iOS. You have no control over your data at all. You can't do a thing with WP device unless you sign up with MS account. You can't get access to your own data (except MM files) unless you sync it with MS cloud, i.e. you will be forced to send all your private data to MS and MS will decide whether to give piece of it back to you or not. Matrix in action. I've absolutely no clue what thought MS bosses when they decided to close ALL in OS that have had less than 1% of market. Their 1st goal was to attract developers to write apps for their OS and there was no better way to kick them than "close All". There is no matter does it perform GUI actions good or not when devs and users have no effective way to collect and use "useful" results of device's work.
drkcobra said:
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Click to expand...
Click to collapse
The new versions got rid of QXDM and RF NV Manager.
Build 415
etirkca said:
The new versions got rid of QXDM and RF NV Manager.
Click to expand...
Click to collapse
I have not used this version, so do not know if it has been removed from this one or not, but here is a legitimate copy of build 415:
http://www.mediafire.com/download/ac6yh57yye363mx/QPSTWIN2700415.rar
Hello,
I want to figure out the Samsung Accesory Protocol in order to create a "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing as well as try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.
Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically on
Code:
packed struct Frame {
uint16_be length_of_data;
char data[length_of_data];
}
packed struct FrameWithCRC {
uint16_be length_of_data;
uint16_be crc_of_length;
char data[length_of_data];
uint16_be crc_of_data;
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which described towards which watch program they are talking with. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the linux kernel.
I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.
Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.
Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.
However it seems that I understimated the complexity of the protocol that connects the Gear with the GearManager. So my options in order to make use of this watch are:
Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
javispedro said:
Hello,
I want to figure out the Samsung Accesory Protocol in order to create a "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing as well as try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.
Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically on
Code:
packed struct Frame {
uint16_be length_of_data;
char data[length_of_data];
}
packed struct FrameWithCRC {
uint16_be length_of_data;
uint16_be crc_of_length;
char data[length_of_data];
uint16_be crc_of_data;
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which described towards which watch program they are talking with. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the linux kernel.
I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.
Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.
Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.
However it seems that I understimated the complexity of the protocol that connects the Gear with the GearManager. So my options in order to make use of this watch are:
Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
Click to expand...
Click to collapse
I think your thread should probably go in the Dev section for Tizen. Have you made any development? If your want it moved, report your own post with the button in top right labeled report. You can then suggest your thread be moved to the new Tizen Development section. Ok, I wish you all the luck, you seem to be very talented programmer/dev. Thanks for your contributions.
Chris
noellenchris said:
I think your thread should probably go in the Dev section for Tizen.
Click to expand...
Click to collapse
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in may Samsung devices seemingly).
noellenchris said:
Have you made any development?
Click to expand...
Click to collapse
Yes, lots of progress. I have been able to write a program that connects to the Gear2 from my PC, succesfully "completes" the setup program and synchronizes the date&time. Things like changing the background color etc. are now trivial. I will soon port it to my Jolla.
I am now looking into how to send notifications to the watch. I've not been able to get Gear Manager to actually send any notifications (to use as "reference"), because goproviders crashes when I try to simulate notifications on my android_x86 VM
If anyone can send me an HCI / Bluetooth packet capture of their Android device while it is sending notifications to the Gear2 I would really appreciate it.
Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and dissasembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.
Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
javispedro said:
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in may Samsung devices seemingly).
Click to expand...
Click to collapse
Ya, I was kinda in a Gear 1 mind set, and they have separate threads for Android and Tizen....
Chris
javispedro said:
Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and dissasembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.
Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
Click to expand...
Click to collapse
I would gladly write a MIT-licensed C library implementing your protocol specifications. That would be correctly following the chinese-wall approach to reverse-engineering, right?
Anyway, AFAIK, being in Europe decompiling for interoperability purposes is allowed -- I know that wikipedia is not to be taken at face value, but: en.wikipedia.org/wiki/Reverse_engineering#European_Union
Antartica said:
I would gladly write a MIT-licensed C library implementing your protocol specifications. That would be correctly following the chinese-wall approach to reverse-engineering, right?
Anyway, AFAIK, being in Europe decompiling for interoperability purposes is allowed -- I know that wikipedia is not to be taken at face value, but: en.wikipedia.org/wiki/Reverse_engineering#European_Union
Click to expand...
Click to collapse
Well, the problem is not the protocol specifications per se, which I'm actually quite confident I'd be able to redistribute (I'm in EU). The problem is the cryptography part, which is basically ripped off from the Samsung lib "libwsm.so" . Unless we can find out what cryptographic method that lib uses, distributing alternate implementations Is a no-go.
javispedro said:
Well, the problem is not the protocol specifications per se, which I'm actually quite confident I'd be able to redistribute (I'm in EU). The problem is the cryptography part, which is basically ripped off from the Samsung lib "libwsm.so" . Unless we can find out what cryptographic method that lib uses, distributing alternate implementations Is a no-go.
Click to expand...
Click to collapse
If you have the time, I don't mind researching the possible crypto used (although I've only studied DES/3DES, AES and Serpent, hope that whatever scheme used is not very different from them).
Some ideas to start from somewhere:
1. As you have used its functions, it is a block cipher? I will assume that it is.
2. What is the key size and the block size?
3. Are there signs that it is using a stack of ciphers? (that is, applying one cipher, then another to the first result and so on)
Antartica said:
If you have the time, I don't mind researching the possible crypto used (although I've only studied DES/3DES, AES and Serpent, hope that whatever scheme used is not very different from them).
Some ideas to start from somewhere:
1. As you have used its functions, it is a block cipher? I will assume that it is.
2. What is the key size and the block size?
3. Are there signs that it is using a stack of ciphers? (that is, applying one cipher, then another to the first result and so on)
Click to expand...
Click to collapse
Hello, I've not forgotten about this, just somewhat busy and been using the MetaWatch lately
1. Yes it is clearly a block cipher, and the block size Is 16bytes.
2. I don't know about the key size, it is obfuscated.
3. Doesn't seem like a stack of ciphers. It looks like some overcomplicated AES. But to be honest AES is the only encryption I know of
By the way I think I will upload my current test "manager" source code to somewhere after removing the crypto specific files . Since the protocol itself has been obtained cleanly. Note I've used Qt (not the GUI parts) so it's useless for creating a library; the code will probably need to be rewritten to do so, but it may be useful as "protocol specs".
javispedro said:
Hello, I've not forgotten about this, just somewhat busy and been using the MetaWatch lately
Click to expand...
Click to collapse
No problem. Curiously, I've transitioned from the metawatch to the Gear1 fully (null rom, not pairing with bluetooth to the phone but gear used as a standalone device).
[off-topic]I'm not using my metawatch anymore. I was modifying Nils' oswald firmware to make it prettier and to have some features I wanted (calendar, stopwatch), but it was very inaccurate, supposedly because of missing timer interrupts (the existing LCD drawing routines were too slow). I rewrote the graphics subsystem just to stumble into a known mspgcc bug, and trying to use the new redhat's mspgcc resulted in more problems (memory model, interrupt conventions). In the end I couldn't commit enough time to fix that and my metawatch is now in a drawer[/off-topic]
Returning to the topic:
javispedro said:
1. Yes it is clearly a block cipher, and the block size Is 16bytes.
Click to expand...
Click to collapse
Good. We can at least say it isn't DES/3DES nor blowfish (64 bits block size). Regrettably there are a lot of ciphers using 128-bits block size; that I know: AES, Twofish and serpent.
Perusing the wikipedia there are some more of that size in use: Camellia, sometimes RC5 and SEED.
javispedro said:
2. I don't know about the key size, it is obfuscated.
3. Doesn't seem like a stack of ciphers. It looks like some overcomplicated AES. But to be honest AES is the only encryption I know of
Click to expand...
Click to collapse
I understand that to mean that you cannot use that library passing your own key, right?
What a pity! One way to test for these ciphers would have been to just cipher a known string (i.e. all zeroes) with a known key (i.e. also all zeroes) and compare the result with each of the normal ciphers :-/.
javispedro said:
By the way I think I will upload my current test "manager" source code to somewhere after removing the crypto specific files . Since the protocol itself has been obtained cleanly. Note I've used Qt (not the GUI parts) so it's useless for creating a library; the code will probably need to be rewritten to do so, but it may be useful as "protocol specs".
Click to expand...
Click to collapse
Perfect. I don't need anything more .
Ok, so I've uploaded my SAP protocol implementation: https://git.javispedro.com/cgit/sapd.git/ . It's "phone" side only, ie it can be used to initiate a connection to the watch but not to simulate one. In addition, it's missing two important files: wmscrypt.cc and wmspeer.cc which implement the closed crypto required to "pair" the watch. The most important file is sapprotocol.cc which implements the packing/unpacking of the most important packet types. The license of those files is GPLv3 albeit I'm very happy if you use the information contained on them to build your "Gear Manager" program under whichever license you'd prefer.
For anyone who hasn't been following the above discussion: I've figured out a large part (useful for at least establish contact with the watch and syncing time/date) of the SAP protocol used between the Gear watch and the Gear manager program on the phone. This has been done mostly by studying traces and afterwards talking to the watch using my test implementation above to figure out the remaining and some error codes. The debug messages left by the watch's SAP daemon were also immensely helpful. As long as I understand this is perfectly safe to do, publish and use as I'm in the EU and is basically the same method Samba uses.
Unfortunately, the protocol contains some crypto parts required for the initial sync (subsequent connections require authentication). However, the communication itself is not encrypted in any way, which helped a lot with the process. Because it's impossible for me to figure out whatever authentication method is used, I had to disassemble the library implementing this stuff (libwms.so). This is still OK according to EU law, but I'm no longer to release that information to the public. I'm looking for alternatives or ideas on how to handle this fact.
In the meanwhile, let's talk about the protocol. It's basically a reimplementation of the TCP(/IP) ideas on top of a Bluetooth RFCOMM socket. This means that it's connection oriented and that it can multiplex several active connections (called "sessions") over a single RFCOMM link. Either side of the connection can request opening a connection based on the identifier of the listening endpoint (called a "service"). Strings are used to identify services instead of numeric ports as in TCP. For example, "/system/hostmanager" is a service that listens on the watch side. Once you open a session towards this service (i.e. once you connect to it) you can send the time/date sync commands. In addition to be the above the protocol also seems to implement QoS and reliability (automatic retransmission, ordering, etc.). It's not clear to me why they reimplemented all of this since RFCOMM is a STREAM protocol, and thus reliability is already guaranteed!! So I've not focused much on these (seemingly useless) QoS+reliability parts of the protocol.
Let's start with the link level. There are two important RFCOMM services exposed by the watch: {a49eb41e-cb06-495c-9f4f-aa80a90cdf4a} and {a49eb41e-cb06-495c-9f4f-bb80a90cdf00}. I am going to respectively call those two services "data" and "nudge" from now on. These names, as many of the following ones, are mostly made up by me .
The communication starts with Gear manager trying to open a RFCOMM socket towards the "nudge" service in the watch. This causes the watch to immediately reply back by trying to open a connection to the "data" service _on the phone_ side. So obviously this means that your phone needs to expose the "data" RFCOMM service at least. In addition, the watch will try to open a HFP-AG connection (aka it will try to simulate being a headset) to your phone. Most phones have no problem doing this so no work is required. Of course, if your phone is a PC (as in my case ) then you'll need to fake the HFP profile. I give some examples in my code above (see scripts/test-hfp-ag and hfpag.cc).
Once the RFCOMM socket from the watch to the phone "data" service is opened, the watch will immediately send what I call a "peer description" frame. This includes stuff such as the model of the watch as well as some QoS parameters which I still don't understand. The phone is supposed to reply back to this message with a peer description of its own. See sapprotocol.cc for the packet format.
After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....
After these two exchanges link is now set up. The first connection that needs to be opened is towards a service that is always guaranteed to be present, called "/System/Reserved/ServiceCapabilityDiscovery". It is used by both sides of the connection to know the list of available services present on the other side. Despite this, you cannot query for all services; instead, you must always know the name of the remote service you're looking for. There's some 16-byte checksum there which I don't know how to calculate, but fortunately the watch seems to ignore it!! I suspect that you're expected to actually persist the database of available services in order to shave a roundtrip when connection is being established. But this is not necessary for normal function. This service is implemented in capabilityagent.cc, capabilitypeer.cc . This part was actually one of the most complex ones because of the many concepts. I suggest reading the SDK documentation to understand all the terms ("service", "profile", "role", etc.).
If everything's gone well, now the watch will try to open a connection to a service in your phone called "/system/hostmanager". Once you get to this message things start to get fun, because the protocol used for this service is JSON! It's implementation resides in hostmanageragent.cc, hostmanagerconn.cc . For example, Gear Manager sends the following JSON message once you accept the EULA: {"btMac":"XX:XX:XX:XX:XX:XX", "msgId":"mgr_setupwizard_eula_finished_req", "isOld":1}. At this point, the watch hides the setup screen and goes straight to the menu.
Well, this concludes my high-level overview of the SAP protocol. Hope it is useful for at least someone!
Things to do:
Personally I'm looking for some traces of the notification service. Ie the one that forwards Android notifications towards the watch. For some reason it doesn't work on my phone, so I can't get traces. I suspect it's going to be a simple protocol so a few traces will be OK. It's the only stuff I'm missing in order to be able to actually use the Gear as a proper smartwatch with my Jolla.
We still need to tackle the problem of the cryptographic parts. Several options: either "wrap" the stock libwms.so file, try to RE it the "proper way", .... I'm not sure of the feasibility of any of these.
Many other services.
javispedro said:
After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....
Click to expand...
Click to collapse
About that 65-byte bigint... that is a 520-bit key. The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing (just like in bitcoin, so there are a lot of implementations of that code).
Not forgotten about this!
Just an status update:
I'm still in the process of defining the API of the C library using javispedro's sources as template.
It's tougher than I originally supposed because the C++ code has a lot of forward-declarations of classes, which is very difficult to map into C. To counter that I have to move elements between structures and I'm not so comfortable with the codebase yet.
And then there is still the hard work of translating the Qt signals/slots to plain' old callbacks... and implementing the bluetooth part using bluez API... and... well, I hope that is all.
Anyway, patience .
I've now had access to a Samsung S2 and thus I have been able to obtain more traces. The latest Git now contains code to connect to the notification manager service, thus allowing to send notifications from the phone to the watch.
That was the last missing part to be able to use the Gear 2 as a 'daily' smartwatch with my Jolla, so I've now also ported the code to run under Sailfish. In fact I'm using this setup at the moment. My first comment is "wow the vibrator IS weak".
You can find a log of sapd's (ie my code) startup qDebug() messages; they may be useful (if you can't yet get your code to run)
I suspect that there may still be some important battery issues because the watch keeps printing error messages about SAP services it can't find on the phone (and instead of sleeping, it starts busy polling for them.... :/ ). It does not seem to happen while the watch is out of the charging cradle, so it may not be important, but not sure yet.
As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...
Antartica said:
The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing
Click to expand...
Click to collapse
They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Congratulations for managing to make it work with the Jolla .
I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.
javispedro said:
As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...
They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Click to expand...
Click to collapse
If you manage to describe it using mathematical formulas as in
http://en.wikipedia.org/wiki/Ellipt...ture_Algorithm#Signature_generation_algorithm
it would be perfect, but I reckon that to be able write that you need intimate knowledge of the code and don't know if you have time for that :angel:
And identifying the hash function used would be a problem in itself...
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.
Anyway, I have a lot of work before me until I need that, so don't fret over it.
Hi there! Any chance that the Gear can (really) work with an iPhone?
gidi said:
Hi there! Any chance that the Gear can (really) work with an iPhone?
Click to expand...
Click to collapse
agreed. Needs iPhone support please.
Antartica said:
Congratulations for managing to make it work with the Jolla .
I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.
Click to expand...
Click to collapse
You may want to look at the official Samsung SDK docs to match their class hierarchy. I tried to match my hierarchy to theirs, but this happened very late in the development process, so there is some weirdness.
Antartica said:
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.
Click to expand...
Click to collapse
I more or less know what it is doing with OpenSSL, but that's because I looked at the dissassembly. They use OpenSSL for key derivation (ECDH), but the actual cryptographic algorithm is their own. This 'block cipher' is the part they have tried to obfuscate. Not much, but still enough to require more time than what I have available It is basically a set of arithmetical operations with some tables hardcoded in the libwsm.so binary, so no external calls to any library. The hardcoded tables are probably derivated from their private key, which is most definitely not on the binary. In fact I suspect this is basically AES with some changes to make it hard to extract the actual key used, so that's where I've centered my efforts.
Technically it should not even be copyrightable, so maybe I could just redistribute my C reimplementation of the algorithm, but as with any other DRM who knows these days... and that still leaves the problem of the tables/"private key".
Digiguest said:
agreed. Needs iPhone support please.
Click to expand...
Click to collapse
Well you are welcome to implement one such iPhone program yourself. Will be happy to resolve all the protocol questions you have.
(But please stop with the nagging).
Wasn't nagging at all. Just agreeing with him. I am no programmer so I have to rely on others for answers. Sorry if you thought otherwise.
Looking for to see more work on it though. Keep it up.
Hi there! Nice work on getting Gear2 to work with Jolla.
I'd love to get Gear1 to work with WP8.1. Do you have the code for Jolla
on github/bitbucket so I could give it a peek? Thanks in advance.
Duobix said:
Hi there! Nice work on getting Gear2 to work with Jolla.
I'd love to get Gear1 to work with WP8.1. Do you have the code for Jolla
on github/bitbucket so I could give it a peek? Thanks in advance.
Click to expand...
Click to collapse
javispedro had the sources in gitorius, but they are not there anymore (surely related to gitlab buying gitorius).
I attach a tarball with javispedro sources as of 19 October 2014.
Note that it lacks the files implementing the crypto, so just porting it is not enough to be able to communicate to the gear. OTOH, I know that there are some differences in the protocol between the Android Gear1 and the Tizen Gear2 (if the gear1 has been updated to Tizen, it uses the same protocol as gear2). Specifically, to be able to communicate with both watches, the gear manager package has both gear manager 1.7.x and gear manager 2.x. javispedro's code implements the gear 2 protocol.
Personally, I have my port on hold (I have problems with bluetooth in my phone, so there is no point in porting sapd right now as I would not be able to use it).