Startup Replacement

[sekkit]

Here is the project: JSONClientSRC.zip signtool.zip [Important]Must to be signed as system app to run.

Question is: 1) who called JSONClient during the startup procedure? 2) what else has been done before/after activation? 3) what is happening while activating? Some critical part is missing in decompilated code. protected void onPreExecute() { } //Activate code authentication happens here protected Object doInBackground(Object[] params_obj) { // :( Parsing error. Please contact me. } Also String.format('/sbin/eid recv {0}', result), this result is definitely missing, needs some debugging. 4) adb needs to be enabled in hacked boot.img for debugging.

Conclusion: Emulate the startup process means replace the original components without protection. JSONClient.apk might be just a part of it.

[ziegfeld]

great job! for 3: maybe try another smali decompiler to see those part again for a 2nd opinion, maybe https://bytecodeviewer.com/ ? (or some other windows platform smali2java tools from google results) It is for windows only and I am afraid I do not have access now.

for 4: does that adb in system.img /bin/ work?

for 1: in case you do not know yet, use this tool to have a look at boot.img, without a dpt device dd'd from the img (for system.img use mount and simg2img tool as in this repo via @happyZ ). Easier to grep and so on. https://github.com/cfig/Android_boot_image_editor
EDIT: adding a "strings boot_img_unpacked/sbin/eid" result for a glance. eid-strings.txt

[sekkit]

@ziegfeld wow, thx, this information is cool, seems to have some scripts inside. 1)export PATH=/system/bin:/system/xbin; export ANDROID_PROPERTY_WORKSPACE=8,0; export TERM=vt100; cd /data; busybox tar -zcvf - . --exclude=./dalvik-cache --exclude=./recv.bin --exclude=./firmware/imx | | busybox dd of=recv.bin; cd / It seems recv.bin is some important data inside /system/vendor/recv.bin

2)there are some scripts under /xbin, sqlfix.sh, preapk.sh that might help fix crashing problems.

I guess recv.bin might be the /data directory, flash boot.img -> system.img -> data.img. Just assumptions.

[sekkit]

attatched partition mapping: lrwxrwxrwx root root 2018-12-14 16:31 DTIM -> /dev/block/mmcblk0p4 lrwxrwxrwx root root 2018-12-14 16:31 MEP2 -> /dev/block/mmcblk0p3 lrwxrwxrwx root root 2018-12-14 16:31 MRD -> /dev/block/mmcblk0p1 lrwxrwxrwx root root 2018-12-14 16:31 MRD1 -> /dev/block/mmcblk0p2 lrwxrwxrwx root root 2018-12-14 16:31 NVM -> /dev/block/mmcblk0p12 lrwxrwxrwx root root 2018-12-14 16:31 boot -> /dev/block/mmcblk0p8 lrwxrwxrwx root root 2018-12-14 16:31 cache -> /dev/block/mmcblk0p14 lrwxrwxrwx root root 2018-12-14 16:31 ddat -> /dev/block/mmcblk0p16 lrwxrwxrwx root root 2018-12-14 16:31 diag -> /dev/block/mmcblk0p15 lrwxrwxrwx root root 2018-12-14 16:31 misc -> /dev/block/mmcblk0p10 lrwxrwxrwx root root 2018-12-14 16:31 pbootloader -> /dev/block/mmcblk0p7 lrwxrwxrwx root root 2018-12-14 16:31 radio -> /dev/block/mmcblk0p11 lrwxrwxrwx root root 2018-12-14 16:31 rbootloader -> /dev/block/mmcblk0p5 lrwxrwxrwx root root 2018-12-14 16:31 recovery -> /dev/block/mmcblk0p6 lrwxrwxrwx root root 2018-12-14 16:31 secure -> /dev/block/mmcblk0p13 lrwxrwxrwx root root 2018-12-14 16:31 system -> /dev/block/mmcblk0p9 lrwxrwxrwx root root 2018-12-14 16:31 userdata -> /dev/block/mmcblk0p17

I am still searching for /data partition's device. maybe userdata is the one. Maybe I'll try to flash recv.bin to /data

[ziegfeld]

@sekkit, cc @HappyZ @p4s2wd Hi, if you read Chinese, here's a thread about bypassing Kindle Android boot activation from Taobao kdroid, hopefully it would help us here for DPT (register for it if needed):

https://www.hi-pda.com/forum/viewthread.php?tid=2313206&extra=page%3D1 or here for a webpage-screenshot image file version: https://i.loli.net/2018/04/30/5ae6db6682572.png

Good luck and thanks to them.

[sekkit]

this is great news. But I can't get access to hi-pda. And right now DPT has been returned to retailer because of WiFi issue. I will try reimplement that method when next DPT arrived.

[ultraboy]

This topic is about how to crack a kindle which installed android by the same tabao seller who crack dpt. The main step is: 1.mount system image. 2.modify /system/framework/services.jar to bypass signature check. 3.modify JSONClient.jar so any password can pass password check.

[ziegfeld]

@sekkit please do register an account for access, or let me know what the problem is and let me see how to help. Because, from that bbs thread, updates (esp. from post no. 110) indicated the screenshot versiom is not 100% accurate and pointed out some errors/typos.

[sekkit]

@ziegfeld I registered for almost half a year, but not approved by admin yet. After flashing the third boot.img from another issue, my DPT can no longer connect to WiFi by DigitalPaperApp, even restored to original firmware. Not a clue for what might've happened.

[sekkit]

@ziegfeld hi Im going to repimplement these steps, could u export post no. 110 as pdf and send it to me?
PS: no need anymore, got a account now.

[ziegfeld]

@sekkit sorry for late reply. I forgot it then the holiday came. Glad that you got it! You can ask questions directly there this way!

[sekkit]

@ziegfeld @HappyZ After patching JSONClient.apk with Smali code, Activation has been done. But the device startup again in an activation loop. There is a step libjnidemo.so calls saveData function for saving server returned results into somewhere. Without that data, eid will not call post setup procedure concerning dd recv.bin to it's target. And there are some RSA en/decryption going on inside libjnidemo.so.

Some information found in eid && libjnidemo: eid's params: recv xpx gamma setstr eid proc

misc: runcommand((int32_t)"/system/xbin/sqlfix.sh vol on"); runcommand((int32_t)"busybox killall com.smart.swkey.nonroot"); int32_t v8 = function_1db58((int32_t)"/dev/block/mmcblk0p15", (int32_t)&g49, (int32_t)"ext4", 1, 0);
function_1d7b0((int32_t)"cp -aR /mnt/opt/sig.key /tmp; chmod 644 /tmp/sig.key"); /dev/block/mmcblk0

activation post JSON data && the format of returning data has been found. BUT the only thing in need is the "enc" field.

SEND data: wWEu6v/ljlOG4MQjjfAbW1HaqDeGgEIOtg0Aq0tpO58NQn7VgFmATv0ucnbVM06jn3JOEj3ZxQouunS7VSQ/1kIEgIx9v3gt5Z0u/TimYR0vxRpUeA6vAjAOQnQWAe9hFhdP4oEx9mnijlDSE2Fk6OgI2YTpmmfcTGKaxzju6J5VZuPKeUMJqlHQbLlvMGmX6t8mlt1UyvQsIwkR2F1VzAUGXRRjdrItRz7bWFv4NK3ZxQS1Eq+1LW7kmWaon6qIEq66y85OMxoOGWDvwazSHcyolFpROyvpEhc9hc0tdmSAnKd5/RmSqyTsnIXUUgR3pCr5JTWP1WNyoQRfmjxHtQ==

RETURN data: { "ret": "base64 of jsondata" }

jsondata = { "flag": "PASS", "pcbsn": "324658506502376x", "test": "", "enc": "MzIzZjNmOGU=", (this field in need) }

[sekkit]

int32_t createRSA(int32_t a1, int32_t a2) { int32_t v1; int32_t v2; int32_t format = (int32_t)"\x7c\xde\xff\xff\x2d\xe9\xf0\x4f\x83\xb0\x07\x46\x1a\x48\x0e\x46\x1a\x49\x78\x44\x48\xf6\x8a\x78\x41\xf2\xae\x49\x45\xf2\x7a\x7a\x0c\x58\xc1\xf2\x97\x28\x9b\x46\x15\x46\xcb\xf6\x37\x49\xc0\xf6\x81\x7a\x41\x46\x10\xe0\x28\x46\x01\x21\xff\xf7\xa1\xfe\x03\x46\x20\x68" + (int32_t)&g13; maybe this helps with RSAkey

[sekkit]

This pkg seems to be cracked by someone else and he is selling it too. In short, I think following that post is not enough, we need to MOD eid to bypass the post setup procedure.

[sekkit]

Update: After some digging: recv.bin is actually user_data partition dump, which is encrypted, and will be extracted and dd to mmcblk0p17.

[HappyZ]

if encrypted, they shall have the decryption method included somewhere; another easier way is just to get the extracted files :)

[sekkit]

if encrypted, they shall have the decryption method included somewhere; another easier way is just to get the extracted files :)

Made a schedule to go to dude's place this weekend and dd some partitions. mmcblk0p8 mmcblk0p9 mmcblk0p17

[sekkit]

Update: failed to get the dump of kdroid firmware this week unfortunately. Anyone be able to share one?

[ziegfeld]

Update: failed to get the dump of kdroid firmware this week unfortunately. Anyone be able to share one?

Hi @sekkit, glad you are still actively working! I think you can try at people in #52 .

[sekkit]

@HappyZ unfortunately, lastime I tried to enter diagnosis mode of a Hacked kdroid RP1, it failed. Today I tried again using dpt-tools to upload that two pkgs but it failed too. Any thoughts on this? I think the root psw change or disableid method not working on that device.

[sekkit]

Is 7.87k resister usb gonna work？

[HappyZ]

@sekkit can i get more insights what do you mean by using dpt-tools to upload that two pkgs but it failed too?

[sekkit]

@HappyZ shankerzhiwu’s exploit pkgs, unable to enter diag mode black square with’em uploaded. This is KDroid’s latest protection machanism