SamsungGalaxyBackdoor » History » Version 8
Paul Kocialkowski, 01/29/2014 10:18 PM
| 1 | 1 | Paul Kocialkowski | h1. Samsung Galaxy Back-door |
|---|---|---|---|
| 2 | |||
| 3 | 3 | Paul Kocialkowski | This page contains a technical description of the back-door found in Samsung Galaxy devices. |
| 4 | For a general description of the issue, please refer to the following statement: |
||
| 5 | 1 | Paul Kocialkowski | |
| 6 | *This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.* |
||
| 7 | |||
| 8 | h2. Abstract |
||
| 9 | |||
| 10 | 8 | Paul Kocialkowski | We have good reasons to believe that Samsung Galaxy devices running proprietary Android versions come with a back-door that gives remote access to the data stored on the device. |
| 11 | 4 | Paul Kocialkowski | In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. |
| 12 | 1 | Paul Kocialkowski | |
| 13 | 7 | Paul Kocialkowski | *Disclaimer: We are not security researchers and cannot establish the absolute certainty that the incriminated software actually contains the back-door we describe. However, everything apparently points in that direction and we believe the information at our disposal is relevant enough to constitute basis for us to issue a statement about this presumed back-door. If you have any indication that would prove our statement wrong, do not hesitate contacting us.* |
| 14 | 1 | Paul Kocialkowski | |
| 15 | 7 | Paul Kocialkowski | h2. Known affected devices |
| 16 | |||
| 17 | The following table shows which devices are known to contain this back-door as part of the software they ship with. |
||
| 18 | Please contact us if you know about some other device that could be concerned by this back-door or have more information on one of the listed devices! |
||
| 19 | |||
| 20 | |_. Device |_. Incriminated program running as root |_. SELinux enabled |_. libsamsung-ipc support |_. Replicant support | |
||
| 21 | | Nexus S (I902x) | No | Possible with Android 4.2 and later | Yes | Yes | |
||
| 22 | | Galaxy S (I9000) | Yes | ? | Yes | Yes | |
||
| 23 | | Galaxy S 2 (I9100) | No | ? | Yes | Yes | |
||
| 24 | | Galaxy Note (N7000) | No | ? | Yes | Yes | |
||
| 25 | | Galaxy Tab 2 7.0 (P31xx) | No | ? | Yes | Yes | |
||
| 26 | | Galaxy Tab 2 10.1 (P51xx) | No | ? | Yes | Yes | |
||
| 27 | | Galaxy S 3 (I9300) | No | ? | Yes | Yes | |
||
| 28 | | Galaxy Note 2 (N7100) | No | ? | Yes | Yes | |
||
| 29 | |||
| 30 | 1 | Paul Kocialkowski | h2. Analysis |
| 31 | 2 | Paul Kocialkowski | |
| 32 | The following analysis was conducted using the @libsec-ril.so@ binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location @system/lib/libsec-ril.so@. |
||
| 33 | |||
| 34 | 1 | Paul Kocialkowski | *The developers involved in the present analysis did not ever agree to any sort of End User License Agreement that explicitly prohibited the reverse engineering and decompiling operations of the incriminated binary. The reverse engineering operations that lead to these findings originally took place during the development of [[Samsung-RIL]], the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.* |
| 35 | |||
| 36 | 6 | Paul Kocialkowski | As a first approach, using the @strings@ tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions: |
| 37 | <pre> |
||
| 38 | IPC_RFS_READ_FILE |
||
| 39 | IPC_RFS_WRITE_FILE |
||
| 40 | IPC_RFS_LSEEK_FILE |
||
| 41 | IPC_RFS_CLOSE_FILE |
||
| 42 | IPC_RFS_PUT_FILE |
||
| 43 | IPC_RFS_GET_FILE |
||
| 44 | IPC_RFS_RENAME_FILE |
||
| 45 | IPC_RFS_GET_FILE_INFO |
||
| 46 | IPC_RFS_UNLINK_FILE |
||
| 47 | IPC_RFS_MAKE_DIR |
||
| 48 | IPC_RFS_REMOVE_DIR |
||
| 49 | IPC_RFS_OPEN_DIR |
||
| 50 | IPC_RFS_READ_DIR |
||
| 51 | IPC_RFS_CLOSE_DIR |
||
| 52 | IPC_RFS_OPEN_FILE |
||
| 53 | IPC_RFS_FTRUNCATE_FILE |
||
| 54 | IPC_RFS_GET_HANDLE_INFO |
||
| 55 | IPC_RFS_CREATE_FILE |
||
| 56 | </pre> |
||
| 57 | 4 | Paul Kocialkowski | |
| 58 | 6 | Paul Kocialkowski | The names of these commands make it obvious that they let the modem perform I/O operations. |
| 59 | 1 | Paul Kocialkowski | |
| 60 | 6 | Paul Kocialkowski | The @strings@ utility also reveals matching function names that seem to implement the handling of these commands: |
| 61 | <pre> |
||
| 62 | RxRFS_GetFile |
||
| 63 | RxRFS_CreateFile |
||
| 64 | RxRFS_ReadDirectory |
||
| 65 | RxRFS_OpenDirectory |
||
| 66 | RxRFS_RenameFile |
||
| 67 | RxRFS_Default |
||
| 68 | RxRFS_OpenFile |
||
| 69 | RxRFS_ReadFile |
||
| 70 | RxRFS_FtruncateFile |
||
| 71 | RxRFS_WriteFile |
||
| 72 | RxRFS_GetFileInfoByHandle |
||
| 73 | RxRFS_GetFileInfo |
||
| 74 | RxRFS_PutFile |
||
| 75 | RxRFS_LseekFile |
||
| 76 | RxRFS_CloseFile |
||
| 77 | RxRFS_DeleteFile |
||
| 78 | RxRFS_MakeDirectory |
||
| 79 | RxRFS_CloseDirectory |
||
| 80 | RxRFS_RemoveDirectory |
||
| 81 | TxRFS_CfrmCreateFile |
||
| 82 | TxRFS_CfrmPutFile |
||
| 83 | TxRFS_CfrmOpenDirectory |
||
| 84 | TxRFS_CfrmGetFileInfo |
||
| 85 | TxRFS_CfrmReadDirectory |
||
| 86 | TxRFS_CfrmRenameFile |
||
| 87 | TxRFS_CfrmCloseFile |
||
| 88 | TxRFS_CfrmFtruncateFile |
||
| 89 | TxRFS_CfrmGetFileInfoByHandle |
||
| 90 | TxRFS_CfrmDeleteFile |
||
| 91 | TxRFS_CfrmCloseDirectory |
||
| 92 | TxRFS_CfrmRemoveDirectory |
||
| 93 | TxRFS_CfrmMakeDirectory |
||
| 94 | TxRFS_CfrmGetFile |
||
| 95 | TxRFS_CfrmReadFile |
||
| 96 | TxRFS_CfrmWriteFile |
||
| 97 | TxRFS_CfrmLseekFile |
||
| 98 | TxRFS_CfrmOpenFile |
||
| 99 | </pre> |
||
| 100 | 1 | Paul Kocialkowski | |
| 101 | 7 | Paul Kocialkowski | Taking a closer look at these functions, using the @objdump@ decompiler, reveals that they are actually called from the @ipc_recv_rfs@ function, itself called from @process_ipc_notify_message@, which appears to handle the received messages from the modem. Hence we can deduct that the incriminated functions are actually called upon modem request: |
| 102 | <pre> |
||
| 103 | 0003ce20 <ipc_recv_rfs>: |
||
| 104 | 3ce20: b538 push {r3, r4, r5, lr} |
||
| 105 | 3ce22: 4605 mov r5, r0 |
||
| 106 | 3ce24: 484b ldr r0, [pc, #300] (3cf54 <ipc_recv_rfs+0x134>) |
||
| 107 | 3ce26: 460c mov r4, r1 |
||
| 108 | 3ce28: 4478 add r0, pc |
||
| 109 | 3ce2a: 6800 ldr r0, [r0, #0] |
||
| 110 | 3ce2c: 7803 ldrb r3, [r0, #0] |
||
| 111 | 3ce2e: b143 cbz r3, 3ce42 <ipc_recv_rfs+0x22> |
||
| 112 | 3ce30: 4949 ldr r1, [pc, #292] (3cf58 <ipc_recv_rfs+0x138>) |
||
| 113 | 3ce32: 2006 movs r0, #6 |
||
| 114 | 3ce34: 4a49 ldr r2, [pc, #292] (3cf5c <ipc_recv_rfs+0x13c>) |
||
| 115 | 3ce36: 4b4a ldr r3, [pc, #296] (3cf60 <ipc_recv_rfs+0x140>) |
||
| 116 | 3ce38: 4479 add r1, pc |
||
| 117 | 3ce3a: 447a add r2, pc |
||
| 118 | 3ce3c: 447b add r3, pc |
||
| 119 | 3ce3e: f7df ed30 blx 1c8a0 <RIL_elapsedRealtime-0x9c0> |
||
| 120 | 3ce42: 2001 movs r0, #1 |
||
| 121 | 3ce44: f002 fa5a bl 3f2fc <get_wakelock> |
||
| 122 | 3ce48: 7921 ldrb r1, [r4, #4] |
||
| 123 | 3ce4a: 1e4a subs r2, r1, #1 |
||
| 124 | 3ce4c: 2a14 cmp r2, #20 |
||
| 125 | 3ce4e: d876 bhi.n 3cf3e <ipc_recv_rfs+0x11e> |
||
| 126 | 3ce50: e8df f002 tbb [pc, r2] |
||
| 127 | 3ce54: 100b asrs r3, r1, #32 |
||
| 128 | 3ce56: 1a15 subs r5, r2, r0 |
||
| 129 | 3ce58: 241f movs r4, #31 |
||
| 130 | 3ce5a: 2e29 cmp r6, #41 |
||
| 131 | 3ce5c: 3833 subs r0, #51 |
||
| 132 | 3ce5e: 423d tst r5, r7 |
||
| 133 | 3ce60: 4c47 ldr r4, [pc, #284] (3cf80 <ipc_recv_factory+0x18>) |
||
| 134 | 3ce62: 5651 ldrsb r1, [r2, r1] |
||
| 135 | 3ce64: 6560 str r0, [r4, #84] |
||
| 136 | 3ce66: 5b6a ldrh r2, [r5, r5] |
||
| 137 | 3ce68: 006f lsls r7, r5, #1 |
||
| 138 | 3ce6a: 4628 mov r0, r5 |
||
| 139 | 3ce6c: 4621 mov r1, r4 |
||
| 140 | 3ce6e: f002 faf3 bl 3f458 <RxRFS_NVRead> |
||
| 141 | 3ce72: e062 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 142 | 3ce74: 4628 mov r0, r5 |
||
| 143 | 3ce76: 4621 mov r1, r4 |
||
| 144 | 3ce78: f002 fc1e bl 3f6b8 <RxRFS_NVWrite> |
||
| 145 | 3ce7c: e05d b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 146 | 3ce7e: 4628 mov r0, r5 |
||
| 147 | 3ce80: 4621 mov r1, r4 |
||
| 148 | 3ce82: f002 fefd bl 3fc80 <RxRFS_ReadFile> |
||
| 149 | 3ce86: e058 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 150 | 3ce88: 4628 mov r0, r5 |
||
| 151 | 3ce8a: 4621 mov r1, r4 |
||
| 152 | 3ce8c: f002 ffea bl 3fe64 <RxRFS_WriteFile> |
||
| 153 | 3ce90: e053 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 154 | 3ce92: 4628 mov r0, r5 |
||
| 155 | 3ce94: 4621 mov r1, r4 |
||
| 156 | 3ce96: f003 f8b9 bl 4000c <RxRFS_LseekFile> |
||
| 157 | 3ce9a: e04e b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 158 | 3ce9c: 4628 mov r0, r5 |
||
| 159 | 3ce9e: 4621 mov r1, r4 |
||
| 160 | 3cea0: f003 f96a bl 40178 <RxRFS_CloseFile> |
||
| 161 | 3cea4: e049 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 162 | 3cea6: 4628 mov r0, r5 |
||
| 163 | 3cea8: 4621 mov r1, r4 |
||
| 164 | 3ceaa: f003 fa09 bl 402c0 <RxRFS_PutFile> |
||
| 165 | 3ceae: e044 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 166 | 3ceb0: 4628 mov r0, r5 |
||
| 167 | 3ceb2: 4621 mov r1, r4 |
||
| 168 | 3ceb4: f003 fb40 bl 40538 <RxRFS_GetFile> |
||
| 169 | 3ceb8: e03f b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 170 | 3ceba: 4628 mov r0, r5 |
||
| 171 | 3cebc: 4621 mov r1, r4 |
||
| 172 | 3cebe: f003 fc61 bl 40784 <RxRFS_RenameFile> |
||
| 173 | 3cec2: e03a b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 174 | 3cec4: 4628 mov r0, r5 |
||
| 175 | 3cec6: 4621 mov r1, r4 |
||
| 176 | 3cec8: f003 fd60 bl 4098c <RxRFS_GetFileInfo> |
||
| 177 | 3cecc: e035 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 178 | 3cece: 4628 mov r0, r5 |
||
| 179 | 3ced0: 4621 mov r1, r4 |
||
| 180 | 3ced2: f003 fe55 bl 40b80 <RxRFS_DeleteFile> |
||
| 181 | 3ced6: e030 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 182 | 3ced8: 4628 mov r0, r5 |
||
| 183 | 3ceda: 4621 mov r1, r4 |
||
| 184 | 3cedc: f003 ff16 bl 40d0c <RxRFS_MakeDirectory> |
||
| 185 | 3cee0: e02b b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 186 | 3cee2: 4628 mov r0, r5 |
||
| 187 | 3cee4: 4621 mov r1, r4 |
||
| 188 | 3cee6: f003 ffc9 bl 40e7c <RxRFS_RemoveDirectory> |
||
| 189 | 3ceea: e026 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 190 | 3ceec: 4628 mov r0, r5 |
||
| 191 | 3ceee: 4621 mov r1, r4 |
||
| 192 | 3cef0: f004 f888 bl 41004 <RxRFS_OpenDirectory> |
||
| 193 | 3cef4: e021 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 194 | 3cef6: 4628 mov r0, r5 |
||
| 195 | 3cef8: 4621 mov r1, r4 |
||
| 196 | 3cefa: f004 f969 bl 411d0 <RxRFS_ReadDirectory> |
||
| 197 | 3cefe: e01c b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 198 | 3cf00: 4628 mov r0, r5 |
||
| 199 | 3cf02: 4621 mov r1, r4 |
||
| 200 | 3cf04: f004 fa96 bl 41434 <RxRFS_CloseDirectory> |
||
| 201 | 3cf08: e017 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 202 | 3cf0a: 4628 mov r0, r5 |
||
| 203 | 3cf0c: 4621 mov r1, r4 |
||
| 204 | 3cf0e: f004 fb31 bl 41574 <RxRFS_CreateFile> |
||
| 205 | 3cf12: e012 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 206 | 3cf14: 4628 mov r0, r5 |
||
| 207 | 3cf16: 4621 mov r1, r4 |
||
| 208 | 3cf18: f004 fbe0 bl 416dc <RxRFS_OpenFile> |
||
| 209 | 3cf1c: e00d b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 210 | 3cf1e: 4628 mov r0, r5 |
||
| 211 | 3cf20: 4621 mov r1, r4 |
||
| 212 | 3cf22: f004 fcf1 bl 41908 <RxRFS_FtruncateFile> |
||
| 213 | 3cf26: e008 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 214 | 3cf28: 4628 mov r0, r5 |
||
| 215 | 3cf2a: 4621 mov r1, r4 |
||
| 216 | 3cf2c: f004 fdaa bl 41a84 <RxRFS_GetFileInfoByHandle> |
||
| 217 | 3cf30: e003 b.n 3cf3a <ipc_recv_rfs+0x11a> |
||
| 218 | 3cf32: 4628 mov r0, r5 |
||
| 219 | 3cf34: 4621 mov r1, r4 |
||
| 220 | 3cf36: f002 fd63 bl 3fa00 <RxRFS_NVWriteAll> |
||
| 221 | 3cf3a: 4604 mov r4, r0 |
||
| 222 | 3cf3c: e000 b.n 3cf40 <ipc_recv_rfs+0x120> |
||
| 223 | 3cf3e: 2400 movs r4, #0 |
||
| 224 | 3cf40: 2000 movs r0, #0 |
||
| 225 | 3cf42: f002 f9db bl 3f2fc <get_wakelock> |
||
| 226 | 3cf46: 4907 ldr r1, [pc, #28] (3cf64 <ipc_recv_rfs+0x144>) |
||
| 227 | 3cf48: 2000 movs r0, #0 |
||
| 228 | 3cf4a: 4479 add r1, pc |
||
| 229 | 3cf4c: f7fb f930 bl 381b0 <set_wakelock> |
||
| 230 | 3cf50: 4620 mov r0, r4 |
||
| 231 | 3cf52: bd38 pop {r3, r4, r5, pc} |
||
| 232 | 3cf54: db40 blt.n 3cfd8 <ipc_recv_factory+0x70> |
||
| 233 | 3cf56: 0006 lsls r6, r0, #0 |
||
| 234 | 3cf58: ff9c 0003 vaddl.u16 q0, d12, d3 |
||
| 235 | 3cf5c: 0306 lsls r6, r0, #12 |
||
| 236 | 3cf5e: 0004 lsls r4, r0, #0 |
||
| 237 | 3cf60: 6a63 ldr r3, [r4, #36] |
||
| 238 | 3cf62: 0005 lsls r5, r0, #0 |
||
| 239 | 3cf64: 03dd lsls r5, r3, #15 |
||
| 240 | 3cf66: 0004 lsls r4, r0, #0 |
||
| 241 | </pre> |
||
| 242 | 1 | Paul Kocialkowski | |
| 243 | 7 | Paul Kocialkowski | Taking a closer look at one of these functions, e.g. RxRFS_ReadFile reveals multiple calls to the Procedure Linkage Table (PLT): |
| 244 | <pre> |
||
| 245 | 0003fc80 <RxRFS_ReadFile>: |
||
| 246 | 3fc80: e92d 4ff0 stmdb sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr} |
||
| 247 | 3fc84: f5ad 5d80 sub.w sp, sp, #4096 ; 0x1000 |
||
| 248 | 3fc88: f8df b1a0 ldr.w fp, [pc, #416] ; 3fe2c <RxRFS_ReadFile+0x1ac> |
||
| 249 | 3fc8c: b08b sub sp, #44 |
||
| 250 | 3fc8e: f8df 81a0 ldr.w r8, [pc, #416] ; 3fe30 <RxRFS_ReadFile+0x1b0> |
||
| 251 | 3fc92: 4682 mov sl, r0 |
||
| 252 | 3fc94: 44fb add fp, pc |
||
| 253 | 3fc96: f8db b000 ldr.w fp, [fp] |
||
| 254 | 3fc9a: f50d 5280 add.w r2, sp, #4096 ; 0x1000 |
||
| 255 | 3fc9e: 44f8 add r8, pc |
||
| 256 | 3fca0: f8d8 8000 ldr.w r8, [r8] |
||
| 257 | 3fca4: 3224 adds r2, #36 |
||
| 258 | 3fca6: f8db 0000 ldr.w r0, [fp] |
||
| 259 | 3fcaa: 460f mov r7, r1 |
||
| 260 | 3fcac: f898 3000 ldrb.w r3, [r8] |
||
| 261 | 3fcb0: 6010 str r0, [r2, #0] |
||
| 262 | 3fcb2: b143 cbz r3, 3fcc6 <RxRFS_ReadFile+0x46> |
||
| 263 | 3fcb4: 495f ldr r1, [pc, #380] (3fe34 <RxRFS_ReadFile+0x1b4>) |
||
| 264 | 3fcb6: 2006 movs r0, #6 |
||
| 265 | 3fcb8: 4a5f ldr r2, [pc, #380] (3fe38 <RxRFS_ReadFile+0x1b8>) |
||
| 266 | 3fcba: 4b60 ldr r3, [pc, #384] (3fe3c <RxRFS_ReadFile+0x1bc>) |
||
| 267 | 3fcbc: 4479 add r1, pc |
||
| 268 | 3fcbe: 447a add r2, pc |
||
| 269 | 3fcc0: 447b add r3, pc |
||
| 270 | 3fcc2: f7dc edee blx 1c8a0 <RIL_elapsedRealtime-0x9c0> |
||
| 271 | 3fcc6: 2400 movs r4, #0 |
||
| 272 | 3fcc8: a805 add r0, sp, #20 |
||
| 273 | 3fcca: f241 020e movw r2, #4110 ; 0x100e |
||
| 274 | 3fcce: 9403 str r4, [sp, #12] |
||
| 275 | 3fcd0: 4621 mov r1, r4 |
||
| 276 | 3fcd2: 9404 str r4, [sp, #16] |
||
| 277 | 3fcd4: f241 090e movw r9, #4110 ; 0x100e |
||
| 278 | 3fcd8: f7dc ee18 blx 1c90c <RIL_elapsedRealtime-0x954> |
||
| 279 | 3fcdc: 2f00 cmp r7, #0 |
||
| 280 | 3fcde: f000 8091 beq.w 3fe04 <RxRFS_ReadFile+0x184> |
||
| 281 | 3fce2: 7939 ldrb r1, [r7, #4] |
||
| 282 | 3fce4: 2903 cmp r1, #3 |
||
| 283 | 3fce6: f040 808f bne.w 3fe08 <RxRFS_ReadFile+0x188> |
||
| 284 | 3fcea: f44f 2000 mov.w r0, #524288 ; 0x80000 |
||
| 285 | 3fcee: f7dc ee4a blx 1c984 <RIL_elapsedRealtime-0x8dc> |
||
| 286 | 3fcf2: 4606 mov r6, r0 |
||
| 287 | 3fcf4: 2800 cmp r0, #0 |
||
| 288 | 3fcf6: d04b beq.n 3fd90 <RxRFS_ReadFile+0x110> |
||
| 289 | 3fcf8: 4621 mov r1, r4 |
||
| 290 | 3fcfa: f44f 2200 mov.w r2, #524288 ; 0x80000 |
||
| 291 | 3fcfe: f7dc ee06 blx 1c90c <RIL_elapsedRealtime-0x954> |
||
| 292 | 3fd02: 4621 mov r1, r4 |
||
| 293 | 3fd04: 464a mov r2, r9 |
||
| 294 | 3fd06: a805 add r0, sp, #20 |
||
| 295 | 3fd08: f7dc ee00 blx 1c90c <RIL_elapsedRealtime-0x954> |
||
| 296 | 3fd0c: 1db9 adds r1, r7, #6 |
||
| 297 | 3fd0e: 2204 movs r2, #4 |
||
| 298 | 3fd10: a803 add r0, sp, #12 |
||
| 299 | 3fd12: f7dc ee74 blx 1c9fc <RIL_elapsedRealtime-0x864> |
||
| 300 | 3fd16: 2204 movs r2, #4 |
||
| 301 | 3fd18: f107 010a add.w r1, r7, #10 ; 0xa |
||
| 302 | 3fd1c: a804 add r0, sp, #16 |
||
| 303 | 3fd1e: f7dc ee6e blx 1c9fc <RIL_elapsedRealtime-0x864> |
||
| 304 | 3fd22: 9a04 ldr r2, [sp, #16] |
||
| 305 | 3fd24: 9803 ldr r0, [sp, #12] |
||
| 306 | </pre> |
||
| 307 | |||
| 308 | For instance, offset @1c90c@ is part of the PLT, which starts at @1c85c@. Hence we believe these calls are linked functions from the libc library, especially I/O-related functions such as (in a general manner) @open@, @close@, @read@, @write@, etc. That's however just a guess that doesn't offer definite proof it's calling these functions from that library in particular, but it makes that possibility look rather likely. |
||
| 309 | |||
| 310 | h2. Areas of work |
||
| 311 | |||
| 312 | A more decisive proof of these assumptions could be obtained by crafting a packet requesting I/O operations on the device's storage and looking at whether the incriminated binary proceeds or not. |
||
| 313 | 1 | Paul Kocialkowski | |
| 314 | 6 | Paul Kocialkowski | h2. Notes |
| 315 | 1 | Paul Kocialkowski | |
| 316 | 6 | Paul Kocialkowski | Our free software replacement for the incriminated binary is [[Samsung-RIL]] which relies on [[Libsamsung-ipc|libsamsung-ipc]] and it is used in Replicant. |
| 317 | 1 | Paul Kocialkowski | |
| 318 | 6 | Paul Kocialkowski | The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems are most likely to have good modem isolation, compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices as bad targets for Replicant because of this back-door. |