About Android MMS Stagefright exploit - Android Q&A, Help & Troubleshooting

How can Android system be hacked just by one MMS? I heard from news sites that there was found an exploit for 95% of Android phones (Android 2.3+) that can take control of the whole device just for one MMS and without letting you know. How can it be possible and how I can prevent it?
P.S.: I don't want to hack nobody's phone as I have no friends. Just curious.
Sent from my GT-I9301I using XDA Forums Pro.

mihai.apostu98 said:
How can Android system be hacked just by one MMS? I heard from news sites that there was found an exploit for 95% of Android phones (Android 2.3+) that can take control of the whole device just for one MMS and without letting you know. How can it be possible and how I can prevent it?
P.S.: I don't want to hack nobody's phone as I have no friends. Just curious.
Sent from my GT-I9301I using XDA Forums Pro.
Here's some useful info:
http://www.cnet.com/news/researcher-finds-mother-of-all-android-vulnerabilities/

That's some info, but not really anything useful. Does this mean Google has a patch, will they be pushing that our or will there be ways to patch custom ROMs sooner even? These are all unanswered, though would be nice to know...

"As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control." - cnet
I see it like this:
1. MMS with video arrives
2. Messaging app loads the video in Stagefright where it will be processed for better playback.
3. Video is ready for playing.
As I figure out from Google's Android site about Stagefright, it is a service that takes care of video/audio/other media related stuff offline and local.
How can hackers connect with Stagefright if Stagefright is an offline service? And anyway how can a media service receive code to execute as a remote command execution for the whole system?
Sorry but I just don't get it at all.

mihai.apostu98 said:
How can Android system be hacked just by one MMS? I heard from news sites that there was found an exploit for 95% of Android phones (Android 2.3+) that can take control of the whole device just for one MMS and without letting you know. How can it be possible and how I can prevent it?
P.S.: I don't want to hack nobody's phone as I have no friends. Just curious.
Here's further info. Google has apparently already sent the patches, 7 in all, to the various phone manufacturers.
Because of fragmentation, though, some of them may never send out these fixes. Since these have assumedly been committed to the source code online, they should theoretically be available for download at some point as well. However, you'd (likely) need to be rooted to apply them.
In the meantime, go into your SMS application (usually Hangouts these days) and turn off automatic MMS retrieval. Then, do not accept any photos or videos from anyone you don't know. I am not sure, but I worry it's also possible you might get it from someone do know who is already infected, so just operate with an abundance of caution overall, I guess. And keep an eye out for news here, because it will probably be one of the first places they become available.

mihai.apostu98 said:
"As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control." - cnet
I see it like this:
1. MMS with video arrives
2. Messaging app loads the video in Stagefright where it will be processed for better playback.
3. Video is ready for playing.
As I figure out from Google's Android site about Stagefright, it is a service that takes care of video/audio/other media related stuff offline and local.
How can hackers connect with Stagefright if Stagefright is an offline service? And anyway how can a media service receive code to execute as a remote command execution for the whole system?
Sorry but I just don't get it at all.
People connect with Stagefright by sending you the malicious code contained within the MMS. Once that code gets (usually automatically) processed by the Stagefright service already locally present, it exploits security vulnerabilities to hand control of your device over to whoever is waiting on the other end. As for a media service being able to control the whole system, think of how Flash (a media service) and Microsoft had those zero-day UaE bugs that would allow someone to take over your PC. The logistics may be different, but the concept is the same.
If I remember correctly, there are ways to turn stagefright on/off by editing your build.prop file (easily found on XDA). I don't know if there is another subservice or what that could be running, and I haven't devved since Android 4 dropped, so don't get your hopes up.
Hope that helps.

I gather that Google has a patch. Has it been pushed out to Nexus devices?

pomeroythomas said:
If I remember correctly, there are ways to turn stagefright on/off by editing your build.prop file (easily found on XDA). I don't know if there is another subservice or what that could be running, and I haven't devved since Android 4 dropped, so don't get your hopes up.
Excellent idea, +thanks. Et voilà, what appears to be in my KitKat:
media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false
Now, this can break all kinds of things if you don't know what you're doing. Use a build.prop editor from the Play Store.
I don't know that they all need to be false to plug this hole. But those are the relevant lines.*
UPDATE [10 Aug 2015]: This doesn't affect what the Zimperium scanner says is vulnerable, which may indicate the edit won't protect you. It's unclear at this point.... read the latest posts in this thread for possible info. You can turn off auto-retrieve in MMS, but SF exists at other levels of the operating system. I suppose it couldn't hurt to do the build.prop, but don't rely on it.

voxluna said:
Excellent idea, +thanks. Et voilà:
media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false
Now, this will probably break all kinds of things, and I don't know that they all need to be false to plug this hole. But those are the relevant lines.
Thanks for the thanks!
You probably won't break much of anything; 90% of today's phones are powerful enough that you don't REALLY need Stagefright handling the media unless you're playing very intensive games on your device. The most you'll likely experience is not-quite-as-good benchmarking numbers.

pomeroythomas said:
Thanks for the thanks!
You probably won't break much of anything; 90% of today's phones are powerful enough that you don't REALLY need Stagefright handling the media unless you're playing very intensive games on your device. The most you'll likely experience is not-quite-as-good benchmarking numbers.
I had honestly never heard of StageFright, and I've been using Android since the very first device came out. But if it's possible to run all the usual media, just with a performance penalty, I'm going to change it right now (I did, and this happened).
Also, I just read an article claiming that fragmentation is not so much of an issue these days, because Google Play Services is mandatory. I wonder if it can proactively change something like this, on its own?

voxluna said:
I had honestly never heard of StageFright, and I've been using Android since the very first device came out. But if it's possible to run all the usual media, just with a performance penalty, I'm going to change it right now.
The only reason I even know about Stagefright is because my very first, 550MHz, resistive touchscreen Kyocera Zio shipped with Stagefright disabled by default. Haha.
Also, I just read an article claiming that fragmentation is not so much of an issue these days, because Google Play Services is mandatory. I wonder if it can proactively change something like this, on its own?
I would assume it's possible (this is just an arbitrary code execution issue, I think), but having had that vulnerability built into pretty much every ROM for the last 5 years could be a problem in that I'm not 100% sure that Google Play Services has the access to shut down the Stagefright service (no root access, etc), so I'm pretty sure Google Play Services would be less of a fix than a piece of software that actively tries to mitigate the breach.
I could be wrong, though; I'm basically guessing as I haven't looked into the malicious code.
Xposed Android will no doubt have either a module for this or existing bugfix modules will be updated to include this vulnerability in the coming days, and due to the nature of Xposed modules taking over services the ROM is trying to run without actually messing with your ROM, I'm sure it'll be a universal fix.
Personally, I just shut off the Stagefright service using my build.prop and am patiently awaiting someone more skilled than I to create a fix.

I could see this as a useful root method for Lollipop, and other versions that don't have root methods yet.

Morlok8k said:
I could see this as a useful root method for Lollipop, and other versions that don't have root methods yet.
Here's hoping!

Morlok8k said:
I could see this as a useful root method for Lollipop, and other versions that don't have root methods yet.
pomeroythomas said:
I'm not 100% sure that Google Play Services has the access to shut down the Stagefright service (no root access, etc), so I'm pretty sure Google Play Services would be less of a fix than a piece of software that actively tries to mitigate the breach.
Come to think of it, if this exploit allows any kind of root, I suppose it'd be possible for Services itself to use that hole, and therefore be able to patch StageFright. A weird workaround, but entirely possible. Something tells me they won't use it, though, as technically feasible as it may be. I'm really hoping for that Xposed fix, just like GravityBox can patch FakeID. Which, indeed, Services eventually mitigated (for the most part).

commits on android.googlesource.com
Has anyone tracked any commits in android.googlesource.com related to stagefright?

Is this really a viable fix for this? I copied it from another website
If you turn off the following settings in your messaging app/apps on your device:
Auto-retrieve MMS. Check to automatically retrieve multimedia messages that you receive. If auto-retrieve is unchecked in your Messenger MMS settings, you must touch Download to view the message.
Roaming auto-retrieve. Check to automatically retrieve multimedia messages while roaming.
Then when you receive the text with this exploit it will not download to your phone unless you hit the download button. So looks like this can be turned off without a patch but patches are needed cause not everyone is smart enough to turn these off.

iverson3-1 said:
Is this really a viable fix for this? I copied it from another website
Auto-retrieve MMS. Check to automatically retrieve multimedia messages that you receive. If auto-retrieve is unchecked in your Messenger MMS settings, you must touch Download to view the message.
Roaming auto-retrieve. Check to automatically retrieve multimedia messages while roaming.
Then when you receive the text with this exploit it will not download to your phone unless you hit the download button. So looks like this can be turned off without a patch but patches are needed cause not everyone is smart enough to turn these off.
That should be one way to disable the hack. It's unclear from what I've read if it only affects Hangouts, or all SMS clients. What I've done is disable any auto MMS retrieve in my own messaging app, which in my case is mySMS. I suppose it couldn't hurt to do it in Hangouts as well.
This should cover it, but I think you still run the risk of someone you know sending (probably without their knowledge) an infected video -- much like trojans that take over a PC, and use the internal contact list to send mail as though they were your friend, they could exploit your trust.
Patching the build.prop theoretically protects from this, which I've personally done, but it's not for the faint of heart. If you screw it up, you could render your phone a mess. I wish I knew more about app development, because I would write something that did all this stuff automagically.

voxluna said:
Patching the build.prop theoretically protects from this, which I've personally done, but it's not for the faint of heart. If you screw it up, you could render your phone a mess.
Aaaaaand that's what I just did. I'm in a boot loop after changing the build.prop file. This is going to be really fun with an encrypted data partition that holds the backup I just made.
Be warned.
UPDATE: I had to reflash the ROM, and the entire experience took about 2.5 hours because I couldn't get a KDZ to work. I decided that since it was going to be a full wipe, at least I would upgrade to Lollipop, but I'll have to set up the entire phone all over again. I suspect the problem was that I didn't pay attention to the permissions of that file when I edited and transferred it from another machine. Ugh. I just went back and put warnings on all my posts about the build.prop lines.... and it would be better to just wait for patches, IMO. This thread is progressing quickly now.

I tried tracking the fix on the Android source repo, but the only recent commit against libstagefright is on July 7th.
Fix global-buffer-overflow in voAWB_Copy.
Copy() in frameworks/av/media/libstagefright/codecs/amrwbenc/src/util.c always
overreads the buffer by 4 bytes to the right, which, if we are very unlucky,
can even hit an unmapped memory page (in this case it is just a global
variable).
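The commit excerpt above describes an over-read in a copy routine. The C program below is an added illustration of that bug class, not the code from frameworks/av/media/libstagefright: a defective copy that moves four 16-bit samples per iteration and therefore touches up to three samples past the declared length, beside a fixed version that handles the tail separately, with a padded-buffer harness that counts what leaks. The loop shape and every name in it are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the over-read class named in the commit
 * message above.  The loop shape and names are assumptions; this is not
 * the code from frameworks/av/media/libstagefright. */

#define CANARY    ((int16_t)0x5A5A)  /* fills memory past the declared length */
#define UNTOUCHED ((int16_t)0x7E7E)  /* fills destination slots before the copy */
#define MAXN      16                 /* largest sample count the harness accepts */
#define PAD       4                  /* padding so the demo never leaves its arrays */

typedef size_t (*copy_fn)(const int16_t *src, int16_t *dst, size_t n);

/* Defective shape: copies four samples per iteration, but only the loop
 * condition is checked against n.  For n = 5 the second iteration starts
 * at i = 4 and touches indices 4..7, i.e. three samples (6 bytes) past the
 * end of a 5-sample buffer.  Returns how many samples it actually touched. */
static size_t copy_unrolled_defective(const int16_t *src, int16_t *dst, size_t n)
{
    size_t i = 0;
    while (i < n) {
        dst[i]     = src[i];
        dst[i + 1] = src[i + 1];
        dst[i + 2] = src[i + 2];
        dst[i + 3] = src[i + 3];
        i += 4;
    }
    return i;
}

/* Fixed shape: unroll only over the largest multiple of 4 not exceeding n,
 * then finish the remaining 0..3 samples one at a time. */
static size_t copy_unrolled_fixed(const int16_t *src, int16_t *dst, size_t n)
{
    size_t i = 0;
    size_t n4 = n & ~(size_t)3;
    for (; i < n4; i += 4) {
        dst[i]     = src[i];
        dst[i + 1] = src[i + 1];
        dst[i + 2] = src[i + 2];
        dst[i + 3] = src[i + 3];
    }
    for (; i < n; i++)
        dst[i] = src[i];
    return i;
}

/* Harness: n valid samples followed by canary samples, copied into a
 * destination pre-filled with UNTOUCHED.  Both arrays carry PAD extra slots
 * so the defective copy stays inside allocated memory here; on a real
 * global buffer the same reads would run into whatever happens to follow it.
 * Returns the number of destination slots at or past n that now hold the
 * canary, i.e. how many out-of-bounds samples the copy leaked. */
static size_t leaked_past_end(copy_fn copy, size_t n)
{
    int16_t src[MAXN + PAD];
    int16_t dst[MAXN + PAD];
    size_t i, leaked = 0;

    if (n > MAXN)
        return (size_t)-1;           /* harness limit, not a property of the copy */
    for (i = 0; i < MAXN + PAD; i++) {
        src[i] = (i < n) ? (int16_t)(i + 1) : CANARY;
        dst[i] = UNTOUCHED;
    }
    copy(src, dst, n);
    for (i = n; i < MAXN + PAD; i++)
        if (dst[i] == CANARY)
            leaked++;
    return leaked;
}

int main(void)
{
    size_t lengths[] = { 4, 5, 8, 13 };
    size_t k;
    for (k = 0; k < sizeof lengths / sizeof lengths[0]; k++) {
        size_t n = lengths[k];
        printf("n=%2zu  defective leaks %zu sample(s), fixed leaks %zu\n",
               n, leaked_past_end(copy_unrolled_defective, n),
               leaked_past_end(copy_unrolled_fixed, n));
    }
    return 0;
}
```

Lengths that are a multiple of four hide the defect entirely, which is why a bug of this shape can survive ordinary testing and only show up on an unlucky input.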

Hi all,
in my case, as I plainly don't use the MMS feature, I simply deleted the MMS APN. Is this a possible workaround for this problem (at least, until it gets fixed somehow)?

Related

[Q] Problems with developing a custom GS2 rom for medicinal purposes.

Hello to you all people of XDA, firstly I must state that I've scoured the forums far and wide and have yet to find some valuable info regarding my problem.
So what we're doing is developing (or trying to, as is obvious from this post) a custom rom for the Galaxy S2 which would be used for a single medical application for sensor tracking and the processing and displaying of said data on the SGS2, while at the same time sending it to his/her doctor.
What we need to be able to achieve with this rom is to put it into the hands of the end-user (a chronic patient which will in turn be able to stay at home instead of being hospitalized) and be able to completely lock down the phone for his use (I know, it sounds terrible) so that he loses the phone/sms/games/youtube/internet functionality as we need the phone to run as stable and for as long as possible without any additional battery stress (the constant sending, processing and processing of data seems enough of a problem for now).
I've searched into some custom roms but we eventually came up with the need for a stock Samsung rom which could be modified as we want to.
See this is where the problem begins, we can't seem to get the phone rooted, the ROM customized and then unrooted again so that the phone can't be fiddled with anymore, except when it's completely dead and we need to fix it.
So to cap it all up:
It needs to allow for a custom load and bootscreen (I almost got this to work)
It needs to be completely locked down for the end user.
It has to have full BT, NFC and WiFi functionality
It has to be able to call out and receive calls, but only to/from specific numbers (911, doctor, etc..)
It has to basically allow for 2-3 programs to be running, while the others simply don't exist on the phone.
I am terribly sorry if anything like this has been asked about before, I swear I put 2 days of my life into researching already.
Any help, any help at all, ideas and solutions, but mostly links are welcome.
Thank you and good day to all.
Just a detail, but the SGS2 doesn't have the NFC functionality. Project seems to be possible, I would look into CyanogenMod sources if I was you.
Sent from my GT-I9100 using XDA App
Why are you afraid of leaving the phone rooted and in hands of the patient?
Is he so uncritical that he can search the web and find means of unrooting a mobile phone and then get around to actually doing it?
LucLucLuc said:
Hello to you all people of XDA, firstly I must state that I've scoured the forums far and wide and have yet to find some valuable info regarding my problem.
So what we're doing is developing (or trying to, as is obvious from this post) a custom rom for the Galaxy S2 which would be used for a single medical application for sensor tracking and the processing and displaying of said data on the SGS2, while at the same time sending it to his/her doctor.
What we need to be able to achieve with this rom is to put it into the hands of the end-user (a chronic patient which will in turn be able to stay at home instead of being hospitalized) and be able to completely lock down the phone for his use (I know, it sounds terrible) so that he loses the phone/sms/games/youtube/internet functionality as we need the phone to run as stable and for as long as possible without any additional battery stress (the constant sending, processing and processing of data seems enough of a problem for now).
I've searched into some custom roms but we eventually came up with the need for a stock Samsung rom which could be modified as we want to.
See this is where the problem begins, we can't seem to get the phone rooted, the ROM customized and then unrooted again so that the phone can't be fiddled with anymore, except when it's completely dead and we need to fix it.
So to cap it all up:
It needs to allow for a custom load and bootscreen (I almost got this to work)
It needs to be completely locked down for the end user.
It has to have full BT, NFC and WiFi functionality
It has to be able to call out and receive calls, but only to/from specific numbers (911, doctor, etc..)
It has to basically allow for 2-3 programs to be running, while the others simply don't exist on the phone.
I am terribly sorry if anything like this has been asked about before, I swear I put 2 days of my life into researching already.
Any help, any help at all, ideas and solutions, but mostly links are welcome.
Thank you and good day to all.
Block all internet access apart from ones you want, or you can just set up iptables rules; shouldn't need root apart from when setting it up.
As far as removing programs, just delete the apks from the zip, or before you remove root. My sig has a list of all apks in an up-to-date rom and what they do.
You can use gemini app manager to control autoruns (stop them etc) also to block (hide and disable apps)
As far as removing root, your best bet is to, once you are done, use adb (from the android sdk) to remove the superuser.apk then flash the stock kernel back; as far as I know without superuser, apps can't gain root permissions.
OR
This app will allow you to block any app behind a password
This app will block incoming and outgoing sms and calls on white and blacklists
Custom boot logo (the first screen before the animation)
Custom boot animation need to go into system/media, I am not sure about the format but there are loads around, like this thread has loads, stock kernel should support them.
I hope that helps
Most of that is easily possible.
If you listed the apps needing removed, the apk files just need deleted.
To control calls, you can use a third party app from market for that.
It's possible to have the custom rom unrooted, and easily flashed, regardless of how badly the phone gets rooted
Boot animation is easy anyway... If you can provide it in a zip like other ones (zip containing numbered png's) then it's a piece of cake.
A little bit of clever firewall stuff would prevent any web traffic, in or out, except to your defined server, which is obviously a concern when a phone is handling sensitive medical info.
genieass said:
Why are you afraid of leaving the phone rooted and in hands of the patient?
The phones are going to be used by around 500.000 people in a year, it's not that we want to take anything away from the user, it's more about not having any problems with the firmware - like ever.
Thanks for all the help!
genieass said:
Why are you afraid of leaving the phone rooted and in hands of the patient?
The phones are going to be used by around 500.000 people in a year, it's not that we want to take anything away from the user, it's more about not having any problems with the firmware - like ever.
Thanks for all the help!
LucLucLuc, not sure where you live, but you're entering the patient confidentiality minefield with big, big boots.
Apart from the legal considerations, your question is definitely OS related and not device related.
I see what you want, but legally - where I live anyway - it's too much of a grey area to get involved with.
I use call recording a lot for referrals and info from other doctors, but I've always asked the other party if they're OK with it. I won't record patient conversations, and I won't accept any files whatsoever that have seen RIS or PACS first - not worth it.
Can't see it's worth your while, but I'd appreciate it if you keep me informed should you decide to work on it.
Big boots indeed
We are from Slovenia, Europe.
I'm actually just a student doing the research and some basic Android programming, thank god I wasn't let into the bigger of the projects
But yes, this project is a collaboration of several European firms and you can read more about it at chiron-project.eu - it's a very very interesting project afaic.
I don't think we'll be swimming with lawyer piranhas soon though, the project uses sensor data (which sorta is a privacy issue) which will be monitored on a tablet running Android (currently testing the Galaxy tab 10.1 - we were lucky to order one before Steve had another one of his fits), processed in real time and then stored on the central server, from where it will only be accessible by the patient's doctor.
Patient consents are dealt with before we even start talking about mobile hospitalizations.
It's very encouraging to see some actual interest, if anyone wants to know more about anything related to this project contact me at [email protected]
Thanks again for all the help.

[Q] How can I prove that my Android Device (SGS2) has been used by someone else?

Back Story:
My phone was left in my house (shared with other people) yesterday while I was at work. When I got home I was checking missed calls, voicemail etc and I noticed that some text messages were missing. I looked a bit more and it seems that 2 separate sms message threads had been deleted and a number of contacts had been deleted too. Now, this has happened before to another housemate but we couldn't prove that it had been done. We are pretty sure we know who did it but I need concrete evidence that the phone was accessed.
Phone Specs: Samsung Galaxy S2, rooted, running CM7 latest nightly. I also have Cerberus installed if that helps.
So my questions are as follows:
1) Is it possible to see what activity was happening on my phone yesterday? I don't have any "logging" software running.
2) Is it possible to retrieve the deleted SMS messages?
I work in IT so am pretty tech savvy, just not in the workings of the Android OS!
All help greatly appreciated.
P.S. I have already been able to restore the contacts that were deleted using the restore functionality in gmail.
The short answer is no. It is, at least in theory, possible to "undelete" stuff, but it isn't usually practical. Even if you did, you wouldn't have "proof" in the legal sense.
That said, I have been involved in a similar situation. Here's the approach we used. It is reasonable to assume that this behavior will continue. Therefore, get some logging software installed. Do NOT talk about it. Do nothing out of the ordinary. Just quietly install some software that will let you see what is going on with your phone. I know there are apps which will email an alert when accessed, snap a pic from the front-facing camera, log SMS to email, remotely lock the phone, etc etc. Based on what you need to accomplish, get these set up and then BE PATIENT. wait a few days (unless you normally leave your phone at home) and leave it again when the person in question might be around.
A pic would be sufficient proof I would think for confronting a roomie. If nothing else log your sms's. I use integrated Google Voice so I'd get an alert on my PC even if I didn't have the phone (very handy, that), but that may not be an option for you.
I also use SeekDroid for remote locking, and I -think- there's a remote camera provision, but it's at a higher paid level than I am subscribed to. At any rate that's my suggestions.
Or, the simple solution: Put a better lock code on your phone.
-JB
A lock code would help prevent the behavior in the future. For catching the vandal red-handed, I believe an app like Gotcha! may do what you need.

Updated/Fixed wifi calling for ICS rom users

Hey guys when the latest RUU was released I pulled all the WiFi calling stuff out (well.. lots of bits and pieces) to update my fourth bar install... Figured I'd share it here. This will fix the increasing lag/delay with WiFi calling on all ICS sense based roms..
It shouldn't work on cm10 but I haven't tried it. I am pretty sure the movial implementation of WiFi calling requires many sense hooks though... But the interesting thing to me is that I have modified fourth bar quite a lot from the original to the point where there is practically no Sense stuff left whatsoever.. so it's either a modified telephony provider or it doesn't require sense at all... I haven't tested it much. Feel free to play around if you want.
Made this on the fly from my phone (and also is why I'm using DB) so let me know if it works, if not I'll make one proper. Feel free to try on viper but if you do I'd suggest also copying over htc frameworks as well as telephony provider from a sense rom, just a suggestion!
You can tell the update worked because the WiFi calling active icon will be different. Oh and those using fourth bar or speedrom.. WiFi calling doesn't have to be permanent.. simply make a shortcut to the WiFi calling activity "wificall preferences" using apex or nova activity shortcuts.. you can also make shortcuts to the full IMS config including SIP reg server, auth info, protocol type, etc. I wouldn't mess with these settings but could be useful to those porting. FLASH THE ZIP IN RECOVERY
LINK: http://db.tt/4B6tcCE1
(uHH... got a PM asking if it was odexed... these files are obviously deodexed..lol.. considering there's no .odex file... but yeah I mounted the system.img from the latest RUU, extracted it, deodexed the entire thing.. and pulled these out to make this zip. I've actually combed through it with diff to the last RUU and there's really not a lot changed at all. Couple libs here and there, maybe a few other APKs... Not much at all!.. if you need it odexed, it's easy enough to reodex.. I actually prefer my phone to be odexed as well. Good tool to do this is called Dexo, The Universal Odexer.. you can find it on google. It's basically a couple of binaries and a script.. works like a DREAM and the basic script odexes your system apps as well as framework.. and it's easy enough to modify to odex data.. only thing with odexed data is you must delete the .odex file manually after you uninstall any apps because you'll get out of space etc errors if you do not... I find things are much MUCH faster on an odexed system, by far... matter of fact I'll go ahead and create another post with the Tool and a quick batch file I wrote for windows that makes the process very quick and easy.)
Good work
Just wondering, would there be any way to get it to work with Miui
build.prop
might need to add this to the build prop if it isn't there
ro.ril.enable.ganlite=1
ro.ril.def.agps.feature=1
chevycowboyusa said:
might need to add this to the build prop if it isn't there
ro.ril.enable.ganlite=1
ro.ril.def.agps.feature=1
actually I think that's for the Kineto Gan implementation of Wifi calling, which uses a Userspace application (The one we tried to port over for Viper)
This is actually the Movial IMS implementation. Have you tried this implementation on viper perhaps? You would need some framework files, I think... but it's worth a shot honestly. I don't think it's as tightly hooked into Sense as a lot of us originally thought. I decompiled all of the APKs and I combed through it and I didn't really see any hooks into Sense.. I think that it more than likely depends on a modified telephony provider..
The Kineto Gan implementation used a bit of trickery with what's called a RIL switch, where it would (as the name implies) basically switch the RIL out on the fly between Kineto's RIL (for wifi calling) and the normal one. This implementation is a lot cleaner, and the configurations are included within the files themselves... It actually uses SIP. All the configuration info is actually easily found within the XMLs once the APKs are installed as system apps. The trickery is with the authentication. I've been running wireshark and capturing packets... between that and decompiling the APKs it appears that a basic SIP registration address is used for everyone, it's not unique. There's some kind of SIP address->mobile number translation that happens... the IMS project is open source, and the full source code is actually available on Google Code.. and it has even been updated for Jelly Bean. The interesting part is, I was able to compile the IMS Test App for ICS, take the configuration information I found.. entered it into the test App, and was able to establish half-way working service with the Test application. The thing is, even though it uses SIP, it's not your everyday run of the mill SIP. There's some wrapping and translation going on that uses info contained in the packets to determine where it's going (mobile number).. and don't even get me started on Text Messaging.... that looks like one giant hack-job...basically hijacking the SIP/RTP protocol for a proprietary implementation that just uses the base outline.
I tried to register with a regular SIP client using the configuration information I found (The password was TMO-VOIP-TRIAL) and i couldn't establish registration... and looking at the source I could definitely see why. There's a lot of stuff going on behind the scenes.
The good news is there's VERY LITTLE that appears to have been changed when it was updated for jellybean... what this means is... theoretically if someone was skilled enough they could take the DIFF's (which are freely available on google code) and update the IMS implementation for jellybean. It would take a good amount of time and effort, but I honestly think it's much more possible than a lot of people originally believed. It's the authentication part that's tricky..
But yeah, you might want to give it a shot on Viper! For a start I would probably move over ip-provider.apk, ims-service.apk, IPService.apk, WifiCall.apk (This is basically the on/off switch that Settings calls.. you can just use an activity shortcut to reach it though), and gba-service.apk
Push those all to /system/app
Then on the framework side I would move over javax.obex.jar, gba-service-lib.jar, and the other important one is going to be jsr-api.jar... I didn't know that it was related but it's clearly defined in the IMS source code (https://code.google.com/p/the-ims-open-source-project-for-android/source/browse/#git/jsr-api)
I would also copy over TelephonyProvider.apk and Phone.apk, for good measure. .. and see what happens.
You would need a way to trigger it ON, which can easily be done with Nova/Apex by making an activity shortcut to WifiCall.apk; you can also make activity shortcuts to all the configuration options within the IMS server itself, but it comes preconfigured.
It's worth a shot... currently WiFi calling is working flawlessly for me on Fourth Bar and I have pretty much EVERYTHING HTC-related disabled, including com.htc etc...
Could be in the HTC frameworks though.. or somewhere else... but it's def. worth a shot!
I think this is an awesome job, although I don't know what this is...
Please do that!
Great work. I tried your file to no avail. Good catch on the other files. I read somewhere that phonesky is also required.
Biggest issue I had with the semi working one that I used is that it wouldn't read the SIM. I moved some files around and then it hung on connecting to the Wi-Fi due to a lack of server address
I'll follow your instructions tonight and see where I can get... I still am working on GPS and now vpn too. Last night I attempted a sense 3.6 venom build.
Wasn't pretty. Something kept failing in the updater script and I got too tired to play with it..
**Tried all the files and made the shortcut..
No love.. It didn't work..
Still trying a few things
Any other ideas?
chevycowboyusa said:
Great work. I tried your file to no avail. Good catch on the other files. I read somewhere that phonesky is also required.
Biggest issue I had with the semi working one that I used is that it wouldn't read the SIM. I moved some files around and then it hung on connecting to the Wi-Fi due to a lack of server address
I'll follow your instructions tonight and see where I can get... I still am working on GPS and now vpn too. Last night I attempted a sense 3.6 venom build.
Wasn't pretty. Something kept failing in the updater script and I got too tired to play with it..
**Tried all the files and made the shortcut..
No love.. It didn't work..
Still trying a few things
Any other ideas?
Hmm... there IS a build.prop entry that I actually just noticed
ro.ril.ims=1
I would try to add that.
Phonesky is just the updated google play market, I believe.
I would try that build.prop entry, then get a logcat if you can and post it. I'd try but currently can't really mess around with my phone as I need wifi calling for work stuff.
See what is going on in the logcat, or post it and I'll comb through it. See if there's API calls that are failing under something like Function does not exist or something or another.. that would seem to indicate some missing framework stuff that provides those functions. Then it might just be including said frameworks as well as altering the bootclasspath in the kernel (Pretty easy thing to do, just break the boot.img into parts with unpackbootimg, un-gzip the ramdisk with gzip and CPIO, edit the init.rc, recompress the ram disk with GZIP, then recompile the boot.img with mkbootimg) and I believe you'd also have to deodex the ROM itself, then if you wanted it odexed you'd have to odex it back with the correct BOOTCLASSPATH or else it will not boot. I'm not sure but I THINK deodexed APKs need to be built with the right bootclasspath.
There HAS to be a way to get it working on Viper. After all, it's the same underlying Android OS version.. The Sensation guys got it working on CM9...
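The unpack, edit, repack loop ericdjobs sketches above (unpackbootimg, gunzip plus cpio, edit init.rc, mkbootimg), written out as an added Python example for this thread; it is not code anyone posted here. It assumes the classic header-version-0 boot.img layout (one page of header, then kernel and ramdisk each padded to a page boundary) and a newc cpio ramdisk, which is what those tools operate on. The sample image, stub kernel, init.rc fragment and default.prop are constructed inside the script so it runs offline; the jar names are placeholders borrowed from the thread, not a real device's BOOTCLASSPATH.

```python
"""Inspect and rewrite BOOTCLASSPATH inside an Android boot.img ramdisk.

Added example for this thread (not code posted in it): the unpackbootimg ->
gunzip -> cpio -> edit init.rc -> repack -> mkbootimg loop in pure Python,
against the classic header-version-0 boot_img_hdr layout. Sample image is
constructed in memory so this runs offline.
"""
import gzip
import struct

# boot_img_hdr v0: magic, 10 x u32 (sizes, load addrs, page_size, unused,
# os_version), name[16], cmdline[512], id[8], extra_cmdline[1024] = 1632 bytes
HDR_FMT = "<8s10I16s512s8I1024s"
CPIO_MAGIC = b"070701"  # SVR4 "newc" cpio, the format Android ramdisks use

def pad(data, align):
    """Zero-pad bytes up to the next multiple of align."""
    rem = len(data) % align
    return data + b"\0" * (align - rem) if rem else data

def align4(n):
    return (n + 3) & ~3

def cpio_newc(files):
    """Serialise {name: bytes} as a newc cpio archive (regular files only)."""
    out = b""
    for ino, (name, data) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        name_b = name.encode() + b"\0"
        mode = 0 if name == "TRAILER!!!" else 0o100644
        # 13 fields of 8 hex digits: ino mode uid gid nlink mtime filesize
        # devmajor devminor rdevmajor rdevminor namesize check
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        hdr = CPIO_MAGIC + "".join("%08x" % v for v in fields).encode()
        out += pad(hdr + name_b, 4) + pad(data, 4)
    return out

def cpio_read(blob):
    """Parse a newc cpio archive back into an ordered {name: bytes} dict."""
    files, pos = {}, 0
    while True:
        if blob[pos:pos + 6] != CPIO_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()  # drop the NUL
        if name == "TRAILER!!!":
            return files
        data_start = align4(pos + 110 + namesize)
        files[name] = blob[data_start:data_start + filesize]
        pos = align4(data_start + filesize)

def build_boot_img(kernel, ramdisk, cmdline=b"", page_size=2048):
    """Lay header, kernel and ramdisk out on page boundaries (no second stage)."""
    hdr = struct.pack(HDR_FMT, b"ANDROID!", len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10F00000, 0x10000100, page_size, 0, 0,
                      b"", cmdline, *([0] * 8), b"")
    return pad(hdr, page_size) + pad(kernel, page_size) + pad(ramdisk, page_size)

def parse_boot_img(img):
    """Split a boot.img into header fields and the raw kernel/ramdisk blobs."""
    f = struct.unpack_from(HDR_FMT, img, 0)
    if f[0] != b"ANDROID!":
        raise ValueError("bad boot.img magic")
    kernel_size, ramdisk_size, page_size = f[1], f[3], f[8]
    k_off = page_size                                        # header takes one page
    r_off = k_off + -(-kernel_size // page_size) * page_size  # ceil to a page
    return {"page_size": page_size, "cmdline": f[12].rstrip(b"\0").decode(),
            "kernel": img[k_off:k_off + kernel_size],
            "ramdisk": img[r_off:r_off + ramdisk_size]}

def ramdisk_files(img):
    """gunzip the ramdisk and return its files by name."""
    return cpio_read(gzip.decompress(parse_boot_img(img)["ramdisk"]))

def bootclasspath(img):
    """Return the jars listed on init.rc's 'export BOOTCLASSPATH' line."""
    for line in ramdisk_files(img)["init.rc"].decode().splitlines():
        parts = line.split()
        if parts[:2] == ["export", "BOOTCLASSPATH"]:
            return parts[2].split(":")
    return []

def with_bootclasspath_entry(img, jar):
    """Append jar to BOOTCLASSPATH in init.rc and rebuild the image, keeping
    kernel, cmdline and page size as they were (no-op if jar is already there)."""
    info, files, lines = parse_boot_img(img), ramdisk_files(img), []
    for line in files["init.rc"].decode().splitlines():
        if line.split()[:2] == ["export", "BOOTCLASSPATH"] and jar not in line:
            line = line.rstrip() + ":" + jar
        lines.append(line)
    files["init.rc"] = ("\n".join(lines) + "\n").encode()
    return build_boot_img(info["kernel"], gzip.compress(cpio_newc(files)),
                          info["cmdline"].encode(), info["page_size"])

# Constructed sample: stub kernel plus a two-file ramdisk, not a real device image.
INIT_RC = b"""on early-init
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/framework.jar:/system/framework/gba-service-lib.jar
"""

def sample_boot_img():
    ramdisk = gzip.compress(cpio_newc({"init.rc": INIT_RC, "default.prop": b"ro.ril.ims=1\n"}))
    return build_boot_img(b"\x7fELF-kernel-stub", ramdisk, b"console=ttyHSL0")
```

On a real image you would read boot.img dumped from the boot partition instead of calling sample_boot_img(), run bootclasspath() on it to see which framework jars init.rc already expects, and only then decide whether the "Function does not exist" failures in logcat are explained by a jar that is present in /system/framework but missing from that list.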
ok..
ericdjobs said:
Hmm... there IS a build.prop entry that I actually just noticed
ro.ril.ims=1
I would try to add that.
Phonesky is just the updated google play market, I believe.
I would try that build.prop entry, then get a logcat if you can and post it. I'd try but currently can't really mess around with my phone as I need wifi calling for work stuff.
See what is going on in the logcat, or post it and I'll comb through it. See if there's API calls that are failing under something like Function does not exist or something or another.. that would seem to indicate some missing framework stuff that provides those functions. Then it might just be including said frameworks as well as altering the bootclasspath in the kernel (Pretty easy thing to do, just break the boot.img into parts with unpackbootimg, un-gzip the ramdisk with gzip and CPIO, edit the init.rc, recompress the ram disk with GZIP, then recompile the boot.img with mkbootimg) and I believe you'd also have to deodex the ROM itself, then if you wanted it odexed you'd have to odex it back with the correct BOOTCLASSPATH or else it will not boot. I'm not sure but I THINK deodexed APKs need to be built with the right bootclasspath.
There HAS to be a way to get it working on Viper. After all, it's the same underlying Android OS version.. The Sensation guys got it working on CM9...
I fixed VPN and I'm uploading it in a few. I think I noticed something as well. I went back to stock ota to see what was going on and noticed wifi calling isn't showing up in settings/more should be there with vpn/ wifi hotspot/ nfc etc....
ericdjobs said:
The trickery is with the authentication. I've been running wireshark and capturing packets... between that and decompiling the APKs it appears that a basic SIP registration address is used for everyone, it's not unique. There's some kind of SIP address->mobile number translation that happens... the IMS project is open source, and the full source code is actually available on Google Code.. and it has even been updated for Jelly Bean. The interesting part is, I was able to compile the IMS Test App for ICS, take the configuration information I found.. entered it into the test App, and was able to establish half-way working service with the Test application. The thing is, even though it uses SIP, it's not your everyday run of the mill SIP. There's some wrapping and translation going on that uses info contained in the packets to determine where it's going (mobile number).. and don't even get me started on Text Messaging.... that looks like one giant hack-job...basically hijacking the SIP/RTP protocol for a proprietary implementation that just uses the base outline.
I tried to register with a regular SIP client using the configuration information I found (the password was TMO-VOIP-TRIAL) and I couldn't establish registration... and looking at the source I could definitely see why. There's a lot of stuff going on behind the scenes.
How was the Test App half-way working for you? I didn't compile it, but I tried an apk I found a while back and it CLAIMED it was registered, but I couldn't make it call out. I tried random presence and subscribe options but I don't think they were taking and nothing happened when I called my mobile number from somewhere else. My guess is that I have to subscribe or set presence to something magic for my phone number. After not really finding what I should actually be doing from skimming the 4th or 5th spec, and noticing that the nexus 4 guys have a $1400 bounty and don't really have progress, I gave up.
Yeah there's a pile of authentication (on both sides) that IMS has over SIP. If I understand right, the first part of registration is similar, but then TMO's side says you're unauthorized along with a challenge that's supposed to be sent to the ISIM and part of a key for establishing an IPSec tunnel that everything else goes through. Can't tunnel, then use SIP because you need the key (and part of that probably comes from the ISIM too), and a regular SIP client will just think it failed.

Android/whatsapp hacked! Please help!

Hi, I really need some advice and help, please!
Someone hacked my Galaxy Note 8 (latest update of OS) using Bluetooth. Thereafter, when I had Bluetooth turned off all the time, I would sometimes find it had turned on again, and at times a pic would randomly appear in my camera roll folder. I was targeted by a group of people and, looking back, I recall I was encouraged to message through WhatsApp, and I believe that Chrome and the Android WebView extension were involved. They also got into my Gmail and tried to delete my contacts and wipe my phone and WhatsApp history. After this I saw that a Linux device had been attached to my Gmail account.
I then went to an iphone and received a whatsapp from someone and a pic appeared again in my camera roll. I believe they were trying to do the same again and not sure how effective it is on iOS.
But now I have a new galaxy note 8 and someone has sent me a pic and video. I don't know that they are involved and I think I'm being overly cautious, but I need to understand what they did before and what I can do to check if they have hacked my new phone and doing the same thing again, and what I can do now to ensure they don't do it. I'm worried now that if they have got into my new phone and WhatsApp, will they have been able to get my IMEI and is my new phone now permanently susceptible to attack?
If I wipe my phone back to factory settings and reinstall everything again and start a new whatsapp with a new number, will that work?
My MS surface has also been acting up and I'd like to know if there's an easy sign to check on there too.
Thanks so much in advance!
phoenix79802 said:
Hi, I really need some advice and help, please!
Someone hacked my Galaxy Note 8 (latest update of OS) using Bluetooth. Thereafter, when I had Bluetooth turned off all the time, I would sometimes find it had turned on again, and at times a pic would randomly appear in my camera roll folder. I was targeted by a group of people and, looking back, I recall I was encouraged to message through WhatsApp, and I believe that Chrome and the Android WebView extension were involved. They also got into my Gmail and tried to delete my contacts and wipe my phone and WhatsApp history. After this I saw that a Linux device had been attached to my Gmail account.
I then went to an iphone and received a whatsapp from someone and a pic appeared again in my camera roll. I believe they were trying to do the same again and not sure how effective it is on iOS.
But now I have a new galaxy note 8 and someone has sent me a pic and video. I don't know that they are involved and I think I'm being overly cautious, but I need to understand what they did before and what I can do to check if they have hacked my new phone and doing the same thing again, and what I can do now to ensure they don't do it. I'm worried now that if they have got into my new phone and WhatsApp, will they have been able to get my IMEI and is my new phone now permanently susceptible to attack?
If I wipe my phone back to factory settings and reinstall everything again and start a new whatsapp with a new number, will that work?
My MS surface has also been acting up and I'd like to know if there's an easy sign to check on there too.
Thanks so much in advance!
I strongly advise you to do a full factory reset, or go to the nearest technician if you don't know how to do it, to flash the phone from scratch immediately. Also try the best security app for Android once you set up your device again. That's enough.
Sent from my SM-G550T1 using Tapatalk
---------- Post added at 12:58 PM ---------- Previous post was at 12:52 PM ----------
I would also report the issue to the tech support of WhatsApp, if there's any. Also, change every password on your Google devices to more secure passwords: Google, banking, social. And do set a secure password to lock your device. Good luck.
Sent from my SM-G550T1 using Tapatalk
This is why I dislike Touchwiz, it's so outdated and vulnerable.
Just reflash your whole system, you can find guides on YouTube on how to flash a new firmware.
I would also recommend changing to a custom ROM with up to date security patches.
Edit: You should also change all your passwords to something very difficult like 'nJfi8t%Nc178c'
If you have difficulties remembering, there are a lot of apps out there that can help; I personally use LastPass, you should check it out.
davidzam said:
I would also report the issue to the tech support of WhatsApp, if there's any. Also, change every passwords on your Google devices with more secure passwords, Google, banking, social. And do place a secure password to block your device. Good luck.
If you were conned into downloading a web extension then this has nothing to do with WhatsApp, it has to do with the user. Contact Google security to change your account. In general, if they hacked a phone, the phone only is the problem, but if they have access to all your info then it can always be a problem. About Bluetooth: always have at least a code between the devices (some BT keyboards do not even have this). Also look at the security update on the device; if it is not the latest then switch to one of the custom ROMs here, which are always secure.
As for passwords, think of a sentence and use the first letters of each word; incorporate numbers, capital letters and a symbol. This helps you to remember it.
For example:
I Have A Dog Whose Name Is Henry And I Love Him = IHADWNIHAILH
Now change an A for the & symbol, one I for 1 and an A for 4 = 1H4DWNIH&ILH
Mix it up with some upper case and lower case (names) = 1h4dwniH&Ilh
You can now add in other symbols or spell words such as [email protected] (too big, so we will use only part, @m); add ! after Henry and [] around &Ilh: [email protected]![&ILH]
Now you have a random, easy-to-remember password. This password is the basis for all the security on Android (at the current time), so even if you use a code it still unlocks with this and encrypts.
Applied Protocol said:
If you were conned into downloading a web extension then this has nothing to do with WhatsApp, it has to do with the user. Contact Google security to change your account. In general, if they hacked a phone, the phone only is the problem, but if they have access to all your info then it can always be a problem. About Bluetooth: always have at least a code between the devices (some BT keyboards do not even have this). Also look at the security update on the device; if it is not the latest then switch to one of the custom ROMs here, which are always secure. As for passwords, think of a sentence and use the first letters of each word; incorporate numbers, capital letters and a symbol. This helps you to remember it. For example: I Have A Dog Whose Name Is Henry And I Love Him = IHADWNIHAILH. Now change an A for the & symbol, one I for 1 and an A for 4 = 1H4DWNIH&ILH. Mix it up with some upper case and lower case (names) = 1h4dwniH&Ilh. You can now add in other symbols or spell words such as [email protected] (too big, so we will use only part, @m); add ! after Henry and [] around &Ilh: [email protected]![&ILH]. Now you have a random, easy-to-remember password.
Thanks for clarifying that fact for me.
Thanks so much! Would a custom firmware allow me to keep the use of knox? I'm thinking to flash it back to factory and only install and use everything from within knox.
Zep0th said:
This is why I dislike Touchwiz, it's so outdated and vulnerable.
Just reflash your whole system, you can find guides on YouTube on how to flash a new firmware.
I would also recommend changing to a custom ROM with up to date security patches.
Edit: You should also change all your passwords to something very difficult like 'nJfi8t%Nc178c'
If you have difficulties remembering, there are a lot of apps out there that can help; I personally use LastPass, you should check it out.
Applied Protocol said:
If you were conned into downloading a web extension then this has nothing to do with WhatsApp, it has to do with the user. Contact Google security to change your account. In general, if they hacked a phone, the phone only is the problem, but if they have access to all your info then it can always be a problem. About Bluetooth: always have at least a code between the devices (some BT keyboards do not even have this). Also look at the security update on the device; if it is not the latest then switch to one of the custom ROMs here, which are always secure. As for passwords, think of a sentence and use the first letters of each word; incorporate numbers, capital letters and a symbol. This helps you to remember it. For example: I Have A Dog Whose Name Is Henry And I Love Him = IHADWNIHAILH. Now change an A for the & symbol, one I for 1 and an A for 4 = 1H4DWNIH&ILH. Mix it up with some upper case and lower case (names) = 1h4dwniH&Ilh. You can now add in other symbols or spell words such as [email protected] (too big, so we will use only part, @m); add ! after Henry and [] around &Ilh: [email protected]![&ILH]. Now you have a random, easy-to-remember password.
Just another question regarding Knox Secure Folder.
If I were to install and run everything through the Secure Folder and I were to be compromised again through a web extension, would that then allow hackers to view everything on my phone again, regardless of whether it's in the Knox environment or outside? Would a backdoor like that work into the secure environment as it did in my normal Android system?
Thanks again!
phoenix79802 said:
Just another question regarding Knox Secure Folder.
If I were to install and run everything through the Secure Folder and I were to be compromised again through a web extension, would that then allow hackers to view everything on my phone again, regardless of whether it's in the Knox environment or outside? Would a backdoor like that work into the secure environment as it did in my normal Android system?
Thanks again!
If your Knox is still working and not tripped then that would be a good idea. However, understand that the way to get in and out of Knox still relies on encryption methods, see CVE-2016-1919, as well as the kernel-level security, CVE-2016-6584; see also https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html. This means that if the key or encryption method is faulty you can get around it, and the kernel is more complicated but will also do the same thing. The last way is to access a shared resource such as a clipboard that has access to both places; an example of this is CVE-2016-3996. And CVE-2018-9142. Granted, most of these are 2017 and 2018, and a quick look at the Samsung CVEs at https://www.cvedetails.com/vulnerability-list/vendor_id-822/Samsung.html does not have anything for Oreo; this can be since until recently only the S9s had it. But there is a recurring theme that the CVEs are repeated: out of the last 5, 4 are repeated, and some are simple mistakes (look at Google's Project Zero above on KASLR). The question is, is this enough? And the answer is probably, but a security-oriented ROM might be a better bet. (I know this is not fair since they do not have CVEs.) But a full wipe and fresh install should be enough. Add in a firewall too if you did not have that already.
phoenix79802 said:
Thanks so much! Would a custom firmware allow me to keep the use of knox? I'm thinking to flash it back to factory and only install and use everything from within knox.
Sorry for the late reply, but Knox, in my opinion is super vulnerable, new android versions are safe enough.
And no, using a custom ROM would not have Touchwiz integrated nor Knox. Why? Because it will most likely be running stock android vanilla.
More secure than Samsung's Touchwiz, recommend something like LineageOS.
Zep0th said:
Sorry for the late reply, but Knox, in my opinion is super vulnerable, new android versions are safe enough.
And no, using a custom ROM would not have Touchwiz integrated nor Knox. Why? Because it will most likely be running stock android vanilla.
More secure than Samsung's Touchwiz, recommend something like LineageOS.
Look this depends on your perspective
FACT: knox is a hardware based security system which is unique to Samsung
FACT: Samsung phones are the most sold
FACT: The maker of the hardware has the resources to secure it better
Therefore Samsung Knox is more secure, and yes, more users using the phone makes it more advantageous to crack it. However, Samsung to their credit does try to increase security in other ways, such as using the TrustZone more and SEAndroid policy strengthening. Lineage is a great choice; however, Knox will be tripped, and even if not, it needs custom software to run AFAIK. Also Samsung is DoD approved, see the DoD list and news article. This is not necessarily a good indication of overall security but it does put things in a good perspective (DoD do not patch themselves, rather rely on the developers and stay on top of things). Really high security Android OSes such as Copperhead also have such improvements as Knox (way better if you look carefully) but they are limited on what phones they will work on. Also Android 8 is a lot more secure, but the fact of the matter is the best party that can secure a Samsung phone is Samsung, but I am not saying they do. I would recommend stock Samsung, but if you need a custom ROM Lineage is a good choice; this is true also in terms of power (it used to be that Snapdragon charging on a rooted phone is only up to 80%, but I think there is a fix), but in versatility a custom ROM always wins and power saver settings can be better than the original.

(What are) Must have APPS and To-Do to newbies to Galaxy S9+ (?)

Hey all.
Within a couple of days I'm getting my new Galaxy S9+ (Exynos) phone.
I made a year break from Android and switched to Apple, and now I'm back.
Unfortunately, I know nothing about newest Galaxy phones.
Maybe anyone has suggestions what should I do (download) when I'll set-up my phone (I've watched all the reviews of "must have" etc., don't suggest me to do that)?
I used to root and unlock bootloader for each my android phone, but I won't do that to my Galaxy S9+ at least for 6 months.
Hence, many root apps aren't working: "AdAway", "Viper4Android" etc.
Maybe anyone knows Ad Blocking app without rooting a phone?
Or just mention anything that newbie to Galaxy S9+ should know.
(If you're wondering why am I "spamming" with these "stupid" questions: And no, I didn't find any similar thread to this)
Thanks in advance!
I used to root and ROM all my phones, but I don't think it is as necessary as before.
I also used to download all the tweaks, but I don't do that either.
Non-root to block ads: try Blokada, it is in the F-Droid store.
It is free and it works.
I also swear by ES File Explorer to view and move files on your app. Also to sync any cloud storage you have.
If you have a regular phone number and a Google Voice number going to the same phone,
Voice Choice 2.0 is a nice app that allows you to make calls with a specific number,
i.e. family and close friends have your carrier number,
work partners, resume, business line have your Google number;
when you make a call you don't have to select anything; based on the rules you set up it will dial out using the appropriate number.
qnc said:
I used to root and ROM all my phones, but I don't think it is as necessary as before.
I also used to download all the tweaks, but I don't do that either.
Non-root to block ads: try Blokada, it is in the F-Droid store.
It is free and it works.
I also swear by ES File Explorer to view and move files on your app. Also to sync any cloud storage you have.
If you have a regular phone number and a Google Voice number going to the same phone,
Voice Choice 2.0 is a nice app that allows you to make calls with a specific number,
i.e. family and close friends have your carrier number,
work partners, resume, business line have your Google number;
when you make a call you don't have to select anything; based on the rules you set up it will dial out using the appropriate number.
Thanks! Maybe you know anything about removing / disabling Bloatware as well?
LaurynasVP said:
Thanks! Maybe you know anything about removing / disabling Bloatware as well?
Check out this thread at your own risk. It works; I disabled Facebook (don't see why that would be on an unlocked phone from Samsung, but I digress)
https://forum.xda-developers.com/galaxy-s9-plus/how-to/s9-s9-bloatware-removal-thread-g960u-t3817810
Be careful with the commands and understand what is being done before you hit the enter/return key
Good thing about disabling is if you fubar the phone you can do a factory restore and start all over
I only disabled Facebook. Will investigate the other software as I play with the phone. Only had it 2 weeks so far.
qnc said:
Check out this thread at your own risk. It works; I disabled Facebook (don't see why that would be on an unlocked phone from Samsung, but I digress)
https://forum.xda-developers.com/galaxy-s9-plus/how-to/s9-s9-bloatware-removal-thread-g960u-t3817810
Be careful with the commands and understand what is being done before you hit the enter/return key
Good thing about disabling is if you fubar the phone you can do a factory restore and start all over
I only disabled Facebook. Will investigate the other software as I play with the phone. Only had it 2 weeks so far.
Thanks, I'll keep everything in mind