Olivier Le Moal olivierlemoal
diff --git a/rootdir/etc/init.qcom.usb.rc b/rootdir/etc/init.qcom.usb.rc
index bb37a28..ccb5514 100644
--- a/rootdir/etc/init.qcom.usb.rc
+++ b/rootdir/etc/init.qcom.usb.rc
@@ -75,6 +75,7 @@ on boot
mkdir /config/usb_gadget/g1/functions/audio_source.gs3
mkdir /config/usb_gadget/g1/functions/midi.gs5
mkdir /config/usb_gadget/g1/functions/ffs.adb
+ mkdir /config/usb_gadget/g1/functions/diag.diag
mkdir /config/usb_gadget/g1/functions/gsi.rmnet
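Review bot: the new `mkdir /config/usb_gadget/g1/functions/diag.diag` runs unconditionally in the `on boot` block, so the Qualcomm diagnostic gadget function exists on every boot and can be bound by any `sys.usb.config` value that lists `diag`; consider gating its creation (and the USB config that selects it) on a debuggable build or an explicit property so production images do not expose the DIAG interface over USB, and add a comment next to the line stating why the function is created.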
// start with:
// frida -U -l pinning.js -f [APP_ID] --no-pause
Java.perform(function () {
console.log('')
console.log('===')
console.log('* Injecting hooks into common certificate pinning methods *')
console.log('===')
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');

display-switch install and config

yay -S display-switch-git
  • doc : https://github.com/haimgel/display-switch
  • Note that the preferred way is to have this app installed on both computers. Switching "away" is problematic: if the other computer has put the monitors to sleep, they will switch immediately back to the original input.
adb shell
$ su
$ setprop sys.usb.config diag,adb
# Setup scat https://github.com/fgsect/scat
$ python scat.py -t qc -u -a 001:042 -i 0
import hashlib
from multiprocessing import Pool, cpu_count
from binascii import unhexlify
# Retrieves DATALOCK values with AT^NVRDEX=50502,0,128
# Worst case scenario takes 44s on i7-7700K
def test_code(params):
    text1, text2, min_code, max_code = params
    for i in range(min_code, max_code):
@olivierlemoal
olivierlemoal / cross_debug.txt
Last active March 17, 2020 16:14
Cross debugging ARM
pacman -S qemu-arch-extra
yay -S gdb-multiarch
get ARM libs from http://mirror.archlinuxarm.org/armv7h/core/ and extract usr/ :
tar -xvpf glibc-2.30-3-armv7h.pkg.tar.xz usr
$ qemu-arm -L usr -g 12345 ./a.out &
$ gdb-multiarch ./a.out
(gdb) set arch arm
The target architecture is assumed to be mips
@olivierlemoal
olivierlemoal / gist:363786f98abd5cbce539fc045fd8e369
Last active March 17, 2020 12:10
buildroot ARM QEMU image
git clone https://github.com/buildroot/buildroot
cd buildroot
git checkout 2020.02
make qemu_arm_versatile_defconfig
make menuconfig # add packages (dropbear ...)
unset LD_LIBRARY_PATH
=================
File sharing
https://superuser.com/questions/628169/how-to-share-a-directory-with-the-host-without-networking-in-qemu
sudo qemu-system-x86_64 -drive file=amf_apl-gw,if=virtio,cache=off -m 1024 -enable-kvm -cpu host -vga virtio -device virtio-net,netdev=network0 -netdev tap,id=network0,ifname=tap0,script=no,downscript=no -runas $(whoami)
run as sudo to let qemu create tap devices, but use -runas user to drop privileges
====================================
Multiple cores:
-smp cores=n
====================================
Telnet monitor
-monitor telnet:127.0.0.1:55555,server,nowait;
====================================
@olivierlemoal
olivierlemoal / security_tools.md
Last active November 1, 2022 05:19
Security tools

Reverse / Debugging

  • Instrumentation
    • LIEF - Library to Instrument Executable Formats
    • Frida - Dynamic instrumentation toolkit
  • Binary analysis
    • Kaitai - A new way to develop parsers for binary structures.
    • binwalk - Firmware Analysis Tool
    • UEFItools - Working with UEFI firmware images
  • 010 Editor - Professional Text/Hex Editor with Binary Templates
@olivierlemoal
olivierlemoal / transparent_proxy.md
Last active July 15, 2022 10:38
HOWTO setup Transparent proxy