The Anki Vector robot. - Android General

A kickstarter-backed robot called Vector was released by a company called Anki back in August of 2018. It was one of the only robots out there that felt "alive". But.. Anki recently went out of buisness in May. Me and a team of developers have started a project called Project Victor. We want to find an exploit in Vector to make it open-source. Vector, on the inside, is kind of like a phone. A Qualcomm 212 processor, Adreno graphics, 4 GB of storage, and 512 MB of RAM. Vector runs a custom Linux OS, but... it has an Android bootloader. One of our members has the flash chip off of the robot, and we need to find a person who knows how and is willing to work with ABOOT. It has a USB port (not a port, but there are pads), and if you raise a pad (F_USB) to VCC, it goes to a proprietary Qualcomm QDL mode. We want to flip the switches in the NAND to allow for fastboot or adb over USB during operation. The OTA updates are signed with a pubkey and a .pas file, but we have already found that in the NAND. The thing we got stumped on though is the manifest.sha256 file. It is encrypted with a private key we don't know that is stored in the Qualcomm Trustzone. We have found a way to downgrade Vector to an older version using a simple DNS redirect, which is how we want to inject the exploit into Vector once we get there. Most importantly, it has no dm-verity. If you are willing to work with ABOOT, join our Discord Server or Google Group. Links are in the Links section of the website in the replies.

Link to
Project Vector
http://projectvictor.my.to/
Sent from my ocean using XDA Labs

Related

Looking for documentation about Qualcomm bootloader/download mode

I own an LG Optimus Elite phone, which is based around the qualcomm msm7k. This phone, like many other qualcomm devices, has a Download mode you can enter where you can send commands over USB and send commands to the phone for reading/writing RAM and ROM and stuff like this. After some messing around, I found the second stage bootloader (osbl.mbn) on the second partition of the phone. I reverse engineered some stuff and got the bootloader loaded up in ida and a good bit of it figured out, including where the implement the download mode.
I already wrote some code that can talk to the download mode, and I can send commands and receive the replies, and I have already made myself a list of all the supported commands and subcommands and started documenting what they do. I also found the implementation for some of their crypto stuff and some hardcoded keys/hashes. What I'm looking for now is some sort of documentation about the bootloader and/or the download mode. It would be really awesome if somebody could point me to some documentation about what sort of things you can do with this one, or similar bootloaders. Some of the commands look like they are for writing to the internal rom, and I would like to avoid messing with those that might brick my phone if used wrong. And any documentation about the logic for the booting process would really help. I see code here for booting secure elfs and stuff like that that will take a bit of effort to reverse.
gianptune said:
I own an LG Optimus Elite phone, which is based around the qualcomm msm7k. This phone, like many other qualcomm devices, has a Download mode you can enter where you can send commands over USB and send commands to the phone for reading/writing RAM and ROM and stuff like this. After some messing around, I found the second stage bootloader (osbl.mbn) on the second partition of the phone. I reverse engineered some stuff and got the bootloader loaded up in ida and a good bit of it figured out, including where the implement the download mode.
I already wrote some code that can talk to the download mode, and I can send commands and receive the replies, and I have already made myself a list of all the supported commands and subcommands and started documenting what they do. I also found the implementation for some of their crypto stuff and some hardcoded keys/hashes. What I'm looking for now is some sort of documentation about the bootloader and/or the download mode. It would be really awesome if somebody could point me to some documentation about what sort of things you can do with this one, or similar bootloaders. Some of the commands look like they are for writing to the internal rom, and I would like to avoid messing with those that might brick my phone if used wrong. And any documentation about the logic for the booting process would really help. I see code here for booting secure elfs and stuff like that that will take a bit of effort to reverse.
Click to expand...
Click to collapse
i am interested to in this subject
i am trying to do the same thing but i lack the experience.
i have a tablet that has an msm8255 which is made in china, in europe it is sold without the phone capabilities, in rusia there is the same tablet that has the phone capabilities, i flashed the firmware from the rusian tablet, but still, no phone function, so i think i need some ideas on how to download some stuff from the rusian model and flash`it on the european version.
i will do some reasearch at the uni because i have acces to more academical resources.
Are you the same guy from the Wii scene? Anyway I don't know much to help you myself, but you may want to check out revolutionary.io and unlimited.io. they have hacked bootloaders on phones

[APP][2.3+] SDR Touch - Live radio on your Android device

Listen to live FM broadcasts on devices that don't have a built-in FM radio!
Description
SDR Touch turns your mobile phone or tablet into a cheap and portable software defined radio scanner. Allows you to listen to live on air FM radio stations, weather reports, police, fire department and emergency stations, taxi traffic, airplane communications, audio of analogue TV broadcasts, audio amateurs, digital broadcasts and many more! Depending on the hardware used, its radio frequency coverage could span between 50 MHz and 2.2 GHz. It currently demodulates WFM, AM, NFM, USB, LSB, DSB, CWU and CLW signals.
You can get a compatible USB receiver for under $20 online from eBay. Just plug in your rtl-sdr compatible USB DVB-T tuner into your Android device using a USB OTG Cable and turn on SDR Touch. For list of supported Realtek RTL2832U based dongles, please see the end of the description.
Compatible USB DVB-T tuners
- Generic RTL2832U (e.g. hama nano)
- ezcap USB 2.0 DVB-T/DAB/FM dongle
- Terratec Cinergy T Stick Black (rev 1)
- Terratec NOXON DAB/DAB+ USB dongle (rev 1)
- Terratec Cinergy T Stick RC (Rev.3)
- Terratec T Stick PLUS
- Terratec NOXON DAB/DAB+ USB dongle (rev 2)
- PixelView PV-DT235U(RN)
- Compro Videomate U620F
- Compro Videomate U650F
- Compro Videomate U680F
- Sweex DVB-T USB
- GTek T803
- Lifeview LV5TDeluxe
- MyGica TD312
- PROlectrix DV107669
- Zaapa ZT-MINDVBZP
- Twintech UT-40
- Dexatek DK DVB-T Dongle (Logilink VG0002A)
- Dexatek DK DVB-T Dongle (MSI DigiVox mini II V3.0)
- Dexatek Technology Ltd. DK 5217 DVB-T Dongle
- MSI DigiVox Micro HD
- Genius TVGo DVB-T03 USB dongle (Ver. B)
- GIGABYTE GT-U7300
- DIKOM USB-DVBT HD
- Peak 102569AGPK
- SVEON STV20 DVB-T USB & FM
Interaction with battery savers
It turns out some manufacturers such as Huawei and Samsung have very aggressive power saving policies and force close background apps without notice. If the system decides to kill the RTL-SDR (or SdrPlay) driver while SDR Touch is running, the app will stop playing and become unresponsive eventually showing a "Disconnected unexpectedly" error message.
If you are experiencing this issue, the only solution that currently exists is to manually whitelist *both* the SDR driver app and SDR Touch in your phone's power saving settings to prevent the operating system from unexpectedly stopping the apps. More information and instructions on how to do this based on your particular phone make and model can be found on this website: dontkillmyapp.com
Feedback
An article about SDR Touch - Android Meets the RTL2832U from HamRadioScience
A user submitted video showing off advanced features of SDR Touch running on a mobile phone:
Any additional feature suggestions, comments or feedback will be much appreciated!
looking good sir looking good
Fantastic work. I am excited to see squelch on the list of improvements. Is there any chance that you will ever support a plugin architecture or P25 decoding? There is a decoder called DSD which can decode P25. Squelch+P25 would make it replace my scanner entirely. I would pay additional $$ for each of these features and it would still be more affordable and interesting than carrying around a scanner.
daniel_reetz said:
Fantastic work. I am excited to see squelch on the list of improvements. Is there any chance that you will ever support a plugin architecture or P25 decoding? There is a decoder called DSD which can decode P25. Squelch+P25 would make it replace my scanner entirely. I would pay additional $$ for each of these features and it would still be more affordable and interesting than carrying around a scanner.
Click to expand...
Click to collapse
Thanks for the support! Squelch is coming soon! I will look into P25 but we might need to work together on this - you may need to provide me some I/Q recorded samples - but I would say this would be a bit later since I just started my second semester and have some studying to do as well
P.S. Squelch is now on top of my TODO list
Although this seems to be a great app, I couldn't make it to work with Xperia Ray... ("no tuner found" error)
Anyone here had success with making it work on a Xperia phone?
martintzvetomirov said:
Thanks for the support! Squelch is coming soon! I will look into P25 but we might need to work together on this - you may need to provide me some I/Q recorded samples - but I would say this would be a bit later since I just started my second semester and have some studying to do as well
P.S. Squelch is now on top of my TODO list
Click to expand...
Click to collapse
Fanastic, thank you. I can't wait for squelch!
I'll supply whatever data/info you need to implement P25. I/Q samples are no problem. I understand completely that your time is limited and there is a larger audience to serve, but if you need resources, please let me know what you need and I'll see how I can help.
My account here is new, so I can't post links, but "DSD" and "radioreference wiki" will get you to the DSD source.
Amazing work! Well worth the $9.99USD pricetag. Gave you a nice review on the Google Market/Play Store as well.
FYI: Works wonderfully on an Acer A500 w/ Android 4.2.1.
SDR Touch has been removed by Google from Google Play! I will investigate the issue and will report back as soon as I have more information!!!
If somebody needs the latest version of SDR Touch, please download it from the attachment. Keep in mind that as soon as SDR Touch goes back to Android market you might need to reinstall it in order to get the latest updates!
Ok, just to make it clear for everybody that is concerned.
SDR Touch DOES NOT violate the GPL license!
SDR Touch is merely a client for - https://github.com/martinmarinov/rtl_tcp_andro-. rtl_tcp_andro is released under GPL2+. SDR Touch and rtl_tcp_andro are separate works in the sense of GPL. They are neither statically or dynamically linked and they are two separate executables that communicate over a TCP connection. rtl_tcp_andro is bundled with SDR Touch merely to help the user and with accordance to point 2. of GPL Terms and Conditions. You can think of SDR Tocuh as an "installer" of rtl_tcp_andro. It just launches rtl_tcp_andro with Runtime.exec("");. Furthermore SDR Touch could happily work without the bundled rtl_tcp_andro in network mode by connecting to a remote computer running either rtl_tcp_andro or the original rtl_tcp.
Therefore GPL is not violated. Saying that GPL is violated would be like saying that you can't listen to online radio with your proprietary music player because the radio is being streamed with a GPL based software.
A quote from GPL-3.0:
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
Click to expand...
Click to collapse
Did you read that quote ?
... and which are NOT combined with it such as to form a larger program, in or on a volume of a storage or distribution medium ...
Click to expand...
Click to collapse
A single .APK _is_ a single distribution medium ... and they definitely _ARE_ combined to form a larger program. The "SDR Touch" .APK is the larger program, containing both your own code and the rtl_tcp_andro binary. That clause is meant for when you ship a CDRom with different stuff on it for example where they have no special relation ship. Here the relation ship and dependency is clear (even says so in the damn description of the app)
The problem is not with SDR Touch or the way it's a client for a rtl_tcp version, that's the right way to do it.
The problem is that both are distributed bundled.
SDR Touch and rtl_tcp_andro need to be two separate packages to be installed independently by the user.
There is also the requirement to make a written offer and include the full license terms when distributing rtl_tcp_andro, usual way is to include both the license in the .APK and also accessible to the user in the UI (menu often).
Cheers,
Sylvain
smunaut said:
Did you read that quote ?
Click to expand...
Click to collapse
But rtl_tcp_andro is a separate binary and the apk is just a container like a CD Rom. That's precisely the point. The binary classes of SDR Touch are separate entities in the apk file and are not linked to rtl_tcp_andro!. The GPL allows using an "installer" to install proprietary software as well as GPLed software in one go. The Android apk installer grabs the contents of the archive (which is like a rar archive) and unrars it ("installs") it onto the device. When the user is using the program, the two entities are still different and separate!
The license is linked in the Help section of SDR Touch. The thing that I haven't done is to put the license physically on the apk as well.
But that's a good point,
Thanks,
Martin
martintzvetomirov said:
But rtl_tcp_andro is a separate binary and the apk is just a container like a CD Rom. That's precisely the point. The binary classes of SDR Touch are separate entities in the apk file and are not linked to rtl_tcp_andro!. The GPL allows using an "installer" to install proprietary software as well as GPLed software in one go. The Android apk installer grabs the contents of the archive (which is like a rar archive) and unrars it ("installs") it onto the device. When the user is using the program, the two entities are still different and separate!
Click to expand...
Click to collapse
Mmm, first, I'm not sure the APK is uncompressed on the flash.
But you're missing the point that in this case it's a single "application", no matter what binaries it's composed of. It's not pulled independently (as a dependency or not) and via that "installer" you can't get it independently, it's just a single package, even presented as a single application to the user (aren't they both under the same 'title' in the "Application" tab of android ?)
So really, I don't see how you could consider this as not being a "whole" without, like I said, distribute it as two different packages (which would also allow other "users" to use the rtl_tcp_andro for eg) and give a undeniable separation between the two.
smunaut said:
Mmm, first, I'm not sure the APK is uncompressed on the flash.
But you're missing the point that in this case it's a single "application", no matter what binaries it's composed of. It's not pulled independently (as a dependency or not) and via that "installer" you can't get it independently, it's just a single package, even presented as a single application to the user (aren't they both under the same 'title' in the "Application" tab of android ?)
So really, I don't see how you could consider this as not being a "whole" without, like I said, distribute it as two different packages (which would also allow other "users" to use the rtl_tcp_andro for eg) and give a undeniable separation between the two.
Click to expand...
Click to collapse
Ok, I see your point and this looks like an option. I still can argue that they are separate but in order to prove that, as you say, I might split them into two packages.
Will see how things go, will keep you posted!
Like smunaut said, this definitely counts as a derivative work as they are being presented to the user as one cohesive application via the Play Store.
This is the same problem that SDR# had some time back, where they tried to distribute the GPL RTL-SDR with their proprietary UI. They thought that, since the UI only communicated with RTL-SDR and wasn't technically part of SDR#, they could include it; but that's not the case. (http://dangerousprototypes.com/2012/08/05/confusion-over-sdr-vs-opensdrsharp/)
The solution in this case will be the same as it was for SDR#: Either make the entire application GPL, or break rtl_tcp_andro into a completely separate package. Make sure that the description for the rtl_tcp_andro package clearly states its license, and make sure you link to the GitHub page for it so the source is clearly available. That should cover all the bases.
MS3FGX said:
Like smunaut said, this definitely counts as a derivative work as they are being presented to the user as one cohesive application via the Play Store.
This is the same problem that SDR# had some time back, where they tried to distribute the GPL RTL-SDR with their proprietary UI. They thought that, since the UI only communicated with RTL-SDR and wasn't technically part of SDR#, they could include it; but that's not the case. (http://dangerousprototypes.com/2012/08/05/confusion-over-sdr-vs-opensdrsharp/)
The solution in this case will be the same as it was for SDR#: Either make the entire application GPL, or break rtl_tcp_andro into a completely separate package. Make sure that the description for the rtl_tcp_andro package clearly states its license, and make sure you link to the GitHub page for it so the source is clearly available. That should cover all the bases.
Click to expand...
Click to collapse
Ok, this makes sense.
Actually this won't be a bad idea after all, I mean if there is a separate app "rtl_tcp_andro" that can do I/Q samples, this might help other developers write their own SDR based applications so therefore help the community.
I don't want to release the processing bit under GPL since it took me quite some time to optimize the algorithms to run on Android so I want to keep my work with this private and this is what Pro users are paying for but rtl_tcp_andro is in the public domain anyways, I will just wrap it around with an apk and release it under GPL.
Please add NetSDR support for RFSpare radios like NetSDR or SDR-IP.
I would pay 10x the Pro price for this! http://sourceforge.net/projects/cutesdr/ and http://cutesdr.svn.sourceforge.net/...face/sdrinterface.cpp?revision=36&view=markup will probably reveal how NetSDR format works.
stejc said:
Please add NetSDR support for RFSpare radios like NetSDR or SDR-IP.
I would pay 10x the Pro price for this! http://sourceforge.net/projects/cutesdr/ and http://cutesdr.svn.sourceforge.net/...face/sdrinterface.cpp?revision=36&view=markup will probably reveal how NetSDR format works.
Click to expand...
Click to collapse
I already have sever requests about this. I will keep this idea in the record. I will first need to make sure SDR Touch is working properly and implement the list of features in the first post.
Also, I was able to rapidly prototype so far but now I'm back in University and I am forced to slow down the development speed. So it may take some time.
Any chance to make the whole app Open Source? This would be a nice recognition of the hard work done by the rtl-sdr folks, and solve your packaging problem.
I have licensed APRSdroid (which btw. can modulate and demodulate Packet Radio using audio in/out) under the GPL, and I can not complain about people not getting the paid version from Google Play.
To the contrary, 80% of my users actually bought the app, and all without evil nag screens!
martintzvetomirov said:
Actually this won't be a bad idea after all, I mean if there is a separate app "rtl_tcp_andro" that can do I/Q samples, this might help other developers write their own SDR based applications so therefore help the community.
Click to expand...
Click to collapse
Absolutely. That is the idea behind the GPL in the first place, that other developers can benefit from improvements made to the code. Having a separate download for rtl_tcp_andro would definitely be a positive for the community, I could personally think of a couple interesting projects with it.
martintzvetomirov said:
I don't want to release the processing bit under GPL since it took me quite some time to optimize the algorithms to run on Android so I want to keep my work with this private and this is what Pro users are paying for but rtl_tcp_andro is in the public domain anyways, I will just wrap it around with an apk and release it under GPL.
Click to expand...
Click to collapse
Of course, it's your right to keep your own software closed source. I don't personally believe in keeping this kind of software closed, but it's your decision.
Though I would like to point out that this type of software is going to get paid downloads either way. The type of users you will attract with this kind of software are the same kinds of users who have no problem donating to open source projects. We aren't talking about some casual game here that just anyone will be downloading, this is an application developed for more technical users who have a pretty good idea of the amount of effort that goes into a project like this.
In any event, I'm glad to see you taking the proper steps to make sure your software is GPL compliant.
FUNcube Pro & FUNcube Pro Plus Support
Any chance FUNcube Pro & FUNcube Pro Plus Dongles Support can be added in the future.

[QPST 2.7 build 402]

Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
:good:
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
---------- Post added at 04:36 PM ---------- Previous post was at 03:44 PM ----------
:good:
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
Ummmm...Yeah. If you say so.
solcam said:
Ummmm...Yeah. If you say so.
Click to expand...
Click to collapse
Anyone managed to download this?
No. It says that it belongs to an unvalidated account. I know that 418 is now out too if anyone might have this one.
cezar1 said:
This file infected by troyan. Thanks a lot
Click to expand...
Click to collapse
I had no issues with it... and still use it. I will look into it. I did not upload it, I just posted the link.
---------- Post added at 10:56 PM ---------- Previous post was at 10:32 PM ----------
cezar1 said:
This file infected by troyan. Thanks a lot
Click to expand...
Click to collapse
I did some checking and a few people DID have issues with this. Thank you for bringing it to my attention...
If you install this via "setup.exe" it will put a backdoor on your system. It lives at "C:\Users\Admin\AppData\Roaming\Qualcomm". It will also add itself to the "HKCU/Software/Microsoft/Windows/Current Version/Run" key in the registry. There is no virus in the MSI file.
You should be able to detect it, remove it and use build 422. Again, I am using it without issue.
rekamyenom said:
I had no issues with it... and still use it. I will look into it. I did not upload it, I just posted the link.
Click to expand...
Click to collapse
Hello, fellow QPST users.
QPST 2.7 Build 4.2.2 is a fake version with keylogger.
Some a$$hole downloaded latest public QPST build (4.0.2) and decompiled MSI installer package, then edited all "4.0.2" to "4.2.2", added "fake changelog", added keylogger (qualcomm.exe), then repackaged and spread around web!
Everyone who downloaded QPST build "4.2.2" should change all his passwords.
More info about malware from fake 4.2.2 build (QPST.2.7.422.msi)
MSI package (QPST.2.7.422.msi) was embedded/tampered with qualcomm.exe which is a .NET based malware that logs your keystrokes and sends it to attacker's server.
How to delete the actual malware from your system?
Look at the startup from msconfig or CCleaner, there should be a file called qualcomm.exe thats set to start everytime system starts. Delete both registry and file.
If you wanted to see what data thief was stolen from you. Just open the .dc file (in "dclogs" folder) with Notepad and see for yourself.
In XP, dc file is located here!
C:\Documents and Settings\Administrator\Application Data\dclogs
there should be a file called "201X-XX-XX-X.dc
if you open that DC files with Notepad, you'll see all your keystrokes.
Here is mine. I've intentionally entered paypal site with fake info.
:: Run (3:01:51 AM)
Script kiddie. NET Based malware, huh?[ESC]
:: Program Manager (3:02:14 AM)
e
:: Firefox (3:02:18 AM)
www.paypal.com
[email protected][TAB]
mypaypalpass
[ENTER]
:: Documents and Settings (3:02:19 AM)
[UP]
:: Administrator (3:02:28 AM)
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
d
:: (3:02:34 AM)
:: Administrator (3:02:34 AM)
d
:: (3:03:11 AM)
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
:: [Release] QPST 2.7 BUILD 422 - Download Here - Enjoy - Mozilla Firefox (3:03:57 AM)
crap
How to delete?d
:: Clipboard Change : size = 16 Bytes (3:03:57 AM)
QPST.2.7.422.msi
:: (3:04:23 AM)
cccccc
Click to expand...
Click to collapse
Keylogger sends the logs from keylogger to "qpst.hopto.me"
So please report about this incident where and when you encounter QPST 4.2.2 somewhere (forums, posts, sharing-sites, etc)
Copy my whole post and paste it where you see 4.2.2 mentioned.
Bonus: Fake Changelog
If you've installed this 422 build, then open the Readme.txt in C:\Program Files\Qualcomm\QPST\Documents
Scroll down and see the "6/12/13 QPST 2.7.422 changelog"
6/12/13 QPST 2.7.422
1) EFS Hello commands will not be sent unless the device is in a compatible mode. Sending this command when the
device is in download mode can cause a "server busy" message for a few seconds because of command retries.
2) Support for the Sahara device protocol (see 80-N1008-1 or equivalent) is now built in to the QPST server process.
This protocol is only supported by USB Serial ports, not TCP/IP connections. In QPST Configuration a device in
this mode will display as "Q/QCP-XXX (Sahara Download)". This mode can only be detected (1) when the QPST server
process starts or a COM port in this mode added to QPST, or (2) when a device enters Sahara mode on a port assigned
to QPST. This is because the device only sends its Hello message once, as soon as the COM port is opened.
Click to expand...
Click to collapse
Changelog above is actually cloned from QPST 2.7.394 Just scroll down and see Build 2.7.394 changelog. Its same!
So forget about Build 422. It doesn't exist.
Use QPST 2.7 Build 402. It's the latest public build
Sorry about my english
Best Regards
AnycallMongolia
can somebody give proper qpst latest version.
pl provide dropbox link
madroamer said:
can somebody give proper qpst latest version.
pl provide dropbox link
Click to expand...
Click to collapse
Okey, someone (HuaweiDevices.ru) leaked QPST v2.7.411 to the public. I've installed it myself and confirmed that its legit build.
Here is original link of the leak..
Here is my link.
http://d-h.st/qAy
Thread cleaned, potentially unsafe file and posts are gone. All members are to be reminded that whenever you flash anything, regardless of what it is, you take chances.
Thanks for the report, and thanks for not being disrespectful regarding the matter.
Now, back to development.
Thanks for your sharing this.
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
anycallmongolia said:
Okey, someone (HuaweiDevices.ru) leaked QPST v2.7.411 to the public. I've installed it myself and confirmed that its legit build.
Here is original link of the leak..
Here is my link.
http://d-h.st/qAy
Click to expand...
Click to collapse
Link works. Thank you.
Hello guys, i have a LG G2 with 3g issue , it works just in 2g, somebody can upload his QCN file so i try to replace mine with it? Thank you so much
!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!
!!! TROJAN AGAIN !!!
Some time ago in Feb 2014 man named anycallmongolia posted a link to QPST 2.7 build 411
Link points to the site HuaweiDevices.ru
h_t_t_p_://_huaweidevices._ru/ROMS/QPST_2.7.411.rar
Later I'd personally downloaded this version from this topic a few times in 2014 and this was normal non fake QPST which i'd installed on a few PC's. (Can't remember particular link now). Today I would like to install QPST to a new NB PC, so assumed this topic as the best source. Being a recovery/data structures expert I always inspect code (mostly by viewing in text/hex). As most of members I've very high trust level to xda (certainly it's much higher then one related to the "famous and respectable" corps like Google/MS/Apple/etc, who aren't on my side, I'm sure).
I've installed QPST got from this topic a few times, so I'd almost pressed Enter (I use FAR most of time and advice you to do the same) over the DL'd file "qpst 2 7 411.exe".... What??? - EXE??? And it's just about 500Kb long... But QPST installer occupies about 16Mb.
I've explored body - I's typical malware with slightly "encoded" (to prevent direct reading) data inside. QXDM offered on the neighbor page is the same malware of the same size.
If you'll try to dl QPST from above link you'll got 404 error in the center of normal html page with site menu etc... What normal man would think in this case? He'll think page/product have moved (e.g. due to overload protection) and what he'll do next? He'll try to find where page have moved and... will got link in menu just at the bottom of 404 page. It's just trivial (but very good working!) "social engineering" - publish real app in trusted place and when it will pass checks replace it with malware. (Or may be domain was sold to the criminals as it often occures in Russia for a few latest years). Even if you will check DL url in the status bar it will show link to the .RAR archive, but ASAY click the link it will be redirected to .exe!
PLEASE PUBLISH BIG WARNING on TOPIC START and remove links to HUAWEIDEVICES.RU!!!
Furthermore. Situation is much worse because huaweidevices shows 1ST position in search request "QPST 2.7.411" by Yandex.ru (#1 search engine in Russia) and 2ND position in Google results with the same request!!! It's VERY DANGEROUS situation! Thousands if not millions of peoples are at risk of infection.
I'm going to write abuses to Google and Yandex NOW!
Please spread info on such a new attack manner/technique around your friends, collegues and internet.!
Always check what you run!!!
QPST 2.7 build 425 (The REAL Thing!)
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
drkcobra said:
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
h_t_t_p_://_w_w_w.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Click to expand...
Click to collapse
Very very very BIG Thank you!!!
That's really new one and it contains new very promising QFIL util. Didn't explored much yet!
God bless on you man!
BTW does anybody know how to descramble (decrypt)/scramble (encrypt) back EFS/NVRAM partitions (in most cases modemst*). I'd like to be able to patch/change every byte in EFS (not just locks etc bull****, my phones are always free of any contracts). Full modem FW reversing seems too difficult to me (i'm 'not so strong' in ARM assembly and there is too much code in modem FW). I'm sure for a such long period (over decade) of EFS life there should be methods around to manipulate it independently of mfr/commercial products, but I can't find them for a long time. Trust me, it's fully idiotic situation I'm (you're) not able to do with my (yours) computer (PDA is computer, not the "phone") all I want to do being "restricted" to access only data some f...n mfr "allowed" me to access. It's my device, I'd paid for it and I will decide what me to do with it.
Furthermore, modern public licenses don't allow to hide parts of object (device) code, where GNU/GPL code is the main part. Is anybody here who think that Linux/Unix value in ALL there f...n "modern" Android devices less than 90%? Most router mfrs have already forced by requirements GNU/GPL to publish full compilable code of their firmware. I shouldn't have clue what all they want to hide related to their "commercial" and manipulating interests. Using 30years of thousands people's free labor in their commercial products , they're obligated to publish full sources and should DO IT.
Apple is today wealthiest corp on this planet, but If you'll look into the Apple's internals you'll find tons of MODERN Linux code (protected by modern GNU/GPL) simply stolen from open source depositories, then adopted to MacOS/iOS then closed and sold as commercial product . Is it fair game?
TheDrive said:
Very very very BIG Thank you!!!
That's really new one and it contains new very promising QFIL util. Didn't explored much yet!
God bless on you man!
BTW does anybody know how to descramble (decrypt)/scramble (encrypt) back EFS/NVRAM partitions (in most cases modemst*). I'd like to be able to patch/change every byte in EFS (not just locks etc ...................
Click to expand...
Click to collapse
I use EFS Pro for BackUp and Restore.... Sadly its windows only, but works great with VirtualBox on Linux Mint Cinnamon/MATE 17.1 x64.
Hosted on the wonderful XDA:
http://forum.xda-developers.com/gal...ol-updated-09-06-14-efs-professional-t1308546
FWIW
I hear you about Apple, used to be a hardcore fan, when they were nearly bankrupt. I still swear by OS X, but not the iTard line of devices. I tell my nieces and nephews to get an Android cause they are not ignorant! lol There should be more of an effort to make people understand that Apple is using allot of *BSD (Linux) source. The GUI is closed, but some of the other source is available in the dev program site they host.
unimatrix725 said:
I use EFS Pro for BackUp and Restore.... Sadly its windows only, but works great with VirtualBox on Linux Mint Cinnamon/MATE 17.1 x64.
Hosted on the wonderful XDA:
http://forum.xda-developers.com/gal...ol-updated-09-06-14-efs-professional-t1308546
Click to expand...
Click to collapse
Thank you! Certainly I know this good product. It can manipulate NVRAM through COM-port, just the way QPST does it communicating w/modem FW. Is has many advanced options but seems not to be reliable enough (too many OEM customizations around, it's difficult to reverse all) As you stated it can also backup some partitions (like EFS). but you can do this yourself just by simple ADB/Unix shell commands (e.g. "dd if=/dev/block/mmcblk0p?? of=/sdcard/mmcblk0p??.img")
You can write simple scripts and perform such backups directly from device (to SD). Furthermore, you can customize CWM/TWRP for your device to perform such backups from recovery.
To do it you should know which partition numbers to backup/restore (to backup/restore what data you want).
There are methods/commands available to get needed info to build full device partition map (e.g. some devices contains "folders" named "by-names" deeper in /dev/block/... (where partitions are named), but in some cases (e.g. some 2013 MSM7227 based Samsung phones like GT-S756x) there is no names associated with particular proprietary partitions in the device, (at all) so the only way to find what data reside there is to backup and look (hex) with your own "experienced" eyes what these data seems to be (or search what others found on the theme). EFSPro "from the box" also knows only a few device's partition maps so, in most cases you should build configuration for your device manually with full knowledge of it.
There is no problem to locate and backup encrypted modem data partitions (modemst*/efs/etc...) if your device is rooted. Moreover, if your device has standard Qualcomm bootloader (not OEM's cut) you can switch device to the standard Qualcom DM (download mode) when all your eMMC contents will be exposed to USB bus as mass storage device (just like UFD or SDCard) and you can backup/restore whole drive contents or particular partitions just like PC's own partitions (try some "chnese" stuff (made of quality parts) instead of "branded" ones and you'll see superiority of the "open world".
But main question is how to decrypt modem data to explore and change them as I want at any time. Mfrs (i.e. Qualcomm and OEMs hide serials, locks etc BS there, but there is a lot of other interesting stuff related to modem configuration which is also closed and encrypted. This drives me wild because it's my device and my serials/locks and other stuff too, so it's my option to do with is what I want and no one else. I'm definitely know and sure modem FW/config and even mask ROM (which we most probably never will be able to explore) contains many hidden features that may lead to remotely force device to collect info about user and perform actions without his knowledge and consent. I have no matter what all these sec... services planned to do with all these exploits they forced OEMs/chipmakers to implement., but (sic!) they allowed information about these exploits to leak wild! So some "generic" engineers who simply have job and low level access to cellular provider's equipment (which able to broadcast custom service packets) to make "what they want with user's phones (e.g. switch it on or request GPS data) just "for fun". F them all, but most idiotic is fact that being an 25y experienced "lowest level" service engineer I can't get access and control over my own devices (i.e. computers). It's incorrect. It would be difficult but we should pay more attention to explore internals and get clue what goes on.
unimatrix725 said:
FWIW
I hear you about Apple, used to be a hardcore fan, when they were nearly bankrupt. I still swear by OS X, but not the iTard line of devices. I tell my nieces and nephews to get an Android cause they are not ignorant! lol There should be more of an effort to make people understand that Apple is using allot of *BSD (Linux) source. The GUI is closed, but some of the other source is available in the dev program site they host.
Click to expand...
Click to collapse
I've personally explored OSX files and partitions and seen much modern Linux code inside. They even don't hide "copyrights". Nobody will explore anyway and nobody cares. Old 80x-90x versions of public licenses allowed to do "anything" with free open sources (including to make changes, then close sources and sell product). After some smartasses like Apple used this hole to sell free labor of thousands of peoples, public license had changed. Modern licenses allows you to sell derived product, but obligate you to open sources (with same license) so anyone else can use them to and sell too. You can't close your part of sources if free code is most valuable part of your product. E.g. router mfr can't close part his own sources to make firmware sources "uncompilable" because Linux definitely is most valuable part of router FW. This warrant later development of free open source programs and free community n whole. Apple stated that they used only old 80x code in their OS'es and then developed it separately and thus they are not obligated to open sources to everyone. They would be right unless they didn''t used a lot of modern code protected by modern public license's requirements. I didn't explored deeply. May be they publish all derived code for free. Today we can't say accurately if some modern Linux components they adopt for Mac/iOS are most valuable part of their systems or not. We should explore all the code to make decision. but anyway it's not fair to use a lot of thousand's people's free labor just to make money. Google's position here is not ideal but much more fair. They publish most of sources and support open source community. They don't try to make system "unbreakable" and they don't force you to use their accounts too much. I've NO Google "phone" account AT ALL. I've no need in any "markets", "clouds" ect BS., which lead absolutely no problem to me to effectively use Android devices. There are lots of free APK's around
It practice, I have 2-3 old iPhones just for experiments. Yes we have Jailbreaks and some other stuff, but even if you break and get access to your device it's very uncomfortable to work with it at low level. On my sight just one ADB interface costs more then all "jingles and bells" of iOS's GUI. All these "tethered-untethered", "unbreakable" bootloaders in Mask ROM, lack of normal tools to explore and manage data on any level, total control and extraction of my data by mfr via strongly encrypted obfuscated protocols and hidden services make these devices useless for me in practice.
Windows Phone is even far more closed OS then iOS. You have no control over your data at all. You can't do a thing with WP device unless you sign up with MS account. You can't get access to your own data (except MM files) unless you sync it with MS cloud, i.e. you will be forced to send all your private data to MS and MS will decide whether to give piece of it back to you or not. Matrix in action. I've absolutely no clue what thought MS bosses when they decided to close ALL in OS that have had less than 1% of market. Their 1st goal was to attract developers to write apps for their OS and there was no better way to kick them than "close All". There is no matter does it perform GUI actions good or not when devs and users have no effective way to collect and use "useful" results of device's work.
drkcobra said:
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Click to expand...
Click to collapse
The new versions got rid of QXDM and RF NV Manager.
Build 415
etirkca said:
The new versions got rid of QXDM and RF NV Manager.
Click to expand...
Click to collapse
I have not used this version, so do not know if it has been removed from this one or not, but here is a legitimate copy of build 415:
http://www.mediafire.com/download/ac6yh57yye363mx/QPSTWIN2700415.rar

MediaTek FOTA reverse engineering

So, I decided to have a look at how my Cat B15Q actually recieves OTA updates. Turns out the lifting is done by two apk's in /system, FWUpgrade.apk and FWUpgradeProvider.apk.
Notes taken during reverse engineering:
the entire upgrade mechanism runs over plain HTTP, so you can use tools like fiddler or wireshark to listen and manipulate the entire mechanism (just imagine deploying a malicious proxy with ettercap on a conference wifi and pwning all mediatek devices)
mediatek seems to supply handset manufacturers with a set of PHP scripts for providing OTA upgrades.
the whole code is littered with typos ("onHandsakeAuthentication", "downlaod" and more), commented-out code and other stuff which makes me wonder just how it works, but well I always have that feeling when I have to read Mediatek source code
an old version of the client-side source, written for another mediatek device, is at https://github.com/kupyxa4444/baoxu...a/src/com/mediatek/GoogleOta/HttpManager.java
something in the core methods apparently messes up both JD-GUI and Procyon decompilers
the core mechanism for obtaining a download/checkversion token is just a md5sum (fixed "tag string" 15811375356 + server-sent "rand"); funny enough that this "tag string" is sent as "serial number" during login and is apparently totally hardcoded.
at least in this 2012 ROM dump, the endpoint addresses are stored in res/values/address.xml, however this is not present in "my" apk, nor in /data/data/com.fw.upgrade. Looks like the new version uses SharedPreferences, but there is no backing store in /data/data/com.fw.upgrade either.
Because I don't really like unknown parties being able to link together my SIM and IMEI (especially any random wifi snoop, this thing is a background service), I have killed off the OTA service and wrote me a little script to check and fetch updates: https://gist.github.com/msmuenchen/c3fb276f264058b8d51e
By the way, I don't know what the ... the guys at mediatek are smoking, but that code... it is sufficient to say that it would be trivial to thoroughly **** up any OTA distribution, up to the point of distributing malware and rootkits. To top it off, some guy even dumped a boatload of internal mediatek stuff to github, and the horrors I have seen there are beyond imaginable.

Rooting the Anki Vector Robot - a robot that runs Android

Hi,
my name is Melanie, I'm part of an effort to root the Vector robot made by Anki.
Anki has recently gone into administration, with the IP of the company winding up as collateral for an emergency loan that was never paid back.
Vector is very much dependent on the "cloud", namely, Anki's servers running on AWS. The SSL certificate for these servers is due to expire in September. There is little chance of it being renewed since the company has no funds.
A group of tech-savvy owners have got together on Discord to discuss how to help Vector survive the coming demise of his servers. They had already collected a not insignificant amount of information in the form of datasheets and observations as well as images of the internals of the robot and images of jigs Anki used during development.
I'm bringing this project to this forum because, internally, Vector is really a phone without the GSM part.
He is powered by a Qualcomm APQ8009 (Snapdragon 212), which has been paired with a combination ram/flash chip by Kingston, 04EMCP04-NL3DM627. There is also a Wifi/BLE module and a screen and 4 microphones.
The Snapdragon runs an Android boot loader and Linux kerner version 3.18.66-perf.
This is where he becomes different from a phone in that he doesn't start Zygote, but rather runs a number of daemons from systemd.
As shipped, there is no user accessible wired IO.
There are a number of wirepads on the PCB, as well as unpopulated pads for a micro USB port. When I joined the project, the serial port was already known, but while it provides a boot log, there is no getty on it.
The USB port had to this point not been successfully activated.
Since I'm a hardware person, that is where i placed my lever. I populated the USB port and started digging. Finally I found a solder pad labeled F_USB which was not even close tot he USB port, but turned out to be a boot mode pin from the CPU. Pulling it to VCC made the USB port enumerate in EDL mode. Qualcomm call it QDL or QDLoader, but it basically an interface to the ROM in the CPU, just like phones have.
From this I managed to grab a CPU ID but not much more.
Meanwhile, we reverse-engineered the phone app that comes with it and are currently writing a general purpose library to talk to Vector over BLE.
At this point, I found that I was facing a thicket of software, mostly either cracked or containing malware, or both, but very little legit options.
I see a few options to go forward on this:
- Find a software that can talk to the Snapdragon 212 to extract the current image
- Desolder the flash to extract the image via a programmer
- Desolder the CPU to access the flash's data lines without having to heat the flash, which could corrupt it
The last two options are bound to be destructive and all us owners have found a connection to their robots and are loath to sacrifice them. Also, they require a bit of investment and are, because of that, no quick wins.
I'm hoping that someone here may have the missing pieces I need to get from QDL 9008 mode to an image of the flash on my disk. We believe we have another way to flash it, not needing the USB port, but we don't have an image to try it with and flashing something like all zeroes would needlessly destroy a robot.
- Melanie
PS: I would post links but I'm too young to do so. There is a google group called "Project Victor" that has the info we have so far called anki-vector-rooting, a.k.a. Project Victor.
https://groups.google.com/forum/m/#!forum/anki-vector-rooting
You are welcome to PM links to me and I will post them as a work around.
hope the best!
Link to Project Vector
http://projectvictor.my.to/
Sent from my ocean using XDA Labs

Categories

Resources