Hi, and welcome. In the following hour, we will talk about how to hack a femtocell and how to intercept and hijack its data, all its commands and all its communication, and how to use the main content. We will show you. But now let me introduce ourselves first. We are from the Unicorn Team of the Qihoo 360 company, and we concentrate on radio and hardware research. We also design a lot of interesting gadgets; you may see them in the vendor area. Of course, we have a lot of talented team members. My name is Yuwei Zheng. I'm interested in the security of embedded systems, and I like to dig deeply into some mysterious systems. BlackBerry was all my task in 2011. And this is the other speaker, Haoqi Shan.

Hi, everyone. A lot of people are a little bit confused. My name is Haoqi Shan, and I'm just a wireless and hardware security researcher in the Unicorn Team. I just obtained my bachelor's degree in electronic engineering this year, which is a little bit useful when I'm hacking some embedded devices and electronic devices. I have focused on Wi-Fi hacking, GSM systems, your routers, your switches and something else.

Now let's take a look at this, so let's just focus on this. Why do we need a femtocell? I believe you guys have seen the vehicle hacking at Black Hat just the day before yesterday. Well, just before, yeah. Once they hacked it, this vehicle is not on Wi-Fi; it connects through 3G or 2G. So if you want to hack it, if you want to know what is going on, you need a femtocell. That's a very useful device. Besides, when you want to research products that integrate a cellular modem, the femtocell is the best choice you ever have. And if you want to capture, hijack or modify the SMS, the voice or the data traffic, well, you need it. So maybe someone wants to ask: why do you guys not just use software-based GSM base stations such as OpenBTS, USRP or GNU Radio? So why not?
Because this software-based station can do the data traffic hijack, but if you want to know the SMS, if you want to modify the data traffic, well, it's not okay. It is denied access to the operator's core network, and it has no real uplink or downlink SMS, so you cannot hijack it; you can know something is going on, but you won't know what is going on. So this is the femtocell's advantage. Now you have access to the operator's core network, and if you hack it, you can know what's going on, you can know the SMS and the data traffic; you can capture it, you can hijack it, you can modify it. What's more, now you have the ability to remain in the operator's network. You can hack their switches, you can hack their security gateway, or, if you are cool, you can hack basically everything. This is the interface that you can go in through.

So if you guys want to use a femtocell in research, for instance if you want to hack a vehicle with a cellular modem, well, if you hack the femtocell, you just put it here and power on, and you can capture all the control commands, such as the SMS that contains them, like "power on" or something else, and you can modify the traffic data. Actually, some devices that use data traffic will know whether they are connected to a real or a fake base station, but this is a real base station, so you can bypass that. Besides, the data traffic is all in your hands, so you can find your system's bugs, and then you can fix it or just hack it.

So here is the point: how can we get a free femtocell? Well, actually in China it's a little bit difficult to buy one, because according to some policy they won't let you buy it freely; they just don't give you one, and if you want to buy it, it's illegal, so we can't buy one. So let's just use some social engineering.
Well, in China, if your home doesn't have a good signal, you can just make a phone call, turn your phone off and on again, and make a phone call again and again. Finally, in the end, you can make a complaint to the management department, and this department will just call them and say, yeah, you should solve this problem. Finally, we received a phone call that said: sir, please permit us to set up a femtocell in your home; it's free, and it can make your network signal quality better. So, well, we got it.

So now we have one, so let's just hack it. Instead of "this femtocell", it's just about these things: a Home Node B, a router with Wi-Fi, and apparently one WAN port and two LAN ports. And here is the most important thing, the configuration IP. The router's IP is 197.1 and the Home Node B configuration IP is 197.241. You guys can see that the most important IP is the Home Node B IP, because this is where the GSM signal can be configured. So, just a quick and simple port scan, just nmap it. Yeah, we got a lot of surprises: we can see that it offers FTP, telnet, TFTP, and, well, something interesting that says WDBRPC. So let's just try the easy things: log in, or just telnet it. It comes up with a prompt that says "VxWorks login", so it seems to be the VxWorks operating system. The first thing in our mind was just to try it, and basically it's wrong, and something interesting is that with a wrong password again and again, you will get a longer and longer time before the prompt shows up. So let's forget about that; it doesn't work. Try another way.

According to the fact that it's VxWorks, you can get to know something about it: it's a real-time operating system, used a lot in military devices, medical devices, some rockets, and, you know, the Apple AirPort Extreme. Of course, it's not open source, so it's hard to break. Let's just Google it; it seems just two results come up. Oh, another thing: if you guys focused on femtocells before, you will know that last year and the year before, also at Black Hat and DEF CON, they hacked femtocells, and they modified a lot, and it looks similar to this one. But here are the differences, the most important difference: there was a Linux system, and you could just write a module and get in, but this one is VxWorks, and it seems pretty hard; this is different, and much harder.

So let's use, remember the port that we just scanned, WDBRPC. Metasploit has a memory dump module for it; just use that and try it. Well, it seems this debugging interface doesn't work. And of course this exploit was written by HD Moore, so thank you. So we are done with this. According to what we started with, let's scan the version and repeat it again. So what's going on? Well, it seems it doesn't work, so we tried another way: we disassembled the hardware to see what chips are in there, to try to modify it and dump the firmware for analysis. There are two parts, the Home Node B and the router. The Home Node B is of course an OMAP chip, which contains a DSP and an ARM9, and of course an FPGA; the router is an AR9341, and it provides the router, wired and Wi-Fi IP.

If you guys have hacked embedded devices before, you will know that lots of devices have debug ports on their boards, so developers can debug through this port. What we do is just find it. Well, it's just on the board, and I will tell you: this is the debug port; this is TX, this is RX. You can simply connect it to your laptop through a USB-to-serial TTL adapter. So you just connect the board to your laptop; well, it's just a gift. Of course, it's a debug port, so let's just use it. We see a lot of information while this device is booting, and it says this is VxWorks 6.8. Apparently it has fixed a lot of bugs. You can see that it tells you "press any key to stop autoboot", so you can just press space, it stops, and gives us the most important thing: the VxWorks boot shell. So now just use it. Thank you.

So let's just type "help" or get the command list and see what commands we can use. If you see it, you will know which ones are important: boot params, change boot params, load boot file, and of course they have display memory, modify memory, fill memory, copy memory. Well, the memory is everything, right? Let's check a quick use: we just press "p" and enter, and it gets something out, but this information is nothing. Let's see the directory structure: we run "ls", and it comes out with a lot of things, and I used days to figure out which file means what, how to use it, and how hard it is. The most basic, most terrible things, really, really terrible. Now I can tell you this is the most important thing, my work. This is the directory structure: "common" is the configuration files, "user1" is the currently running version of this VxWorks system, the router and the GSM board apps, and "user2" is the last version. So here is the thing: when this femtocell upgrades, the last version's firmware remains on this board, so if a bug is fixed, you can just put it in the other structure and it comes back again. And "backup" is the router firmware backup files.

So we don't have a lot of ways to hack it, so just dump the firmware, uncompress it and analyze it. Here is the thing: how do we download it? We should download the firmware, and remember we scanned out the TFTP port. Make a simple test: we upload and we download; it works fine. So we know the path, and we just copy the files through TFTP, one by one. Well, you can write a simple script; don't be like me, I just typed. So here is the thing: according to our work, we know MPC.Z is the most important file, the one currently running. So let's just uncompress it and disassemble it. Now, this is my colleague's work. Got it? Okay.

From the file name MPC.Z, we can guess that maybe it's a compressed image, but I used the binwalk tool to try to find any information about the image type, and I got nothing. After consulting Google search, I found an article, "Understanding the boot ROM image" or so, which is excerpted from the VxWorks manual. This article indicates that the VxWorks image is compressed with the deflate algorithm. But even with the deflate method from zlib, what I got was an error. Then I examined the image: we got 05 15 01 00 from the header; these four bytes are fixed, maybe it's a magic. The next four bytes of the header are 00 3D CC C1, and I guessed it's a length, and verified that this length plus 9 was equal to the file length. After we skip the first 9 bytes and just use zlib's deflate to decompress it, let's examine the image and run strings to check if we did it right: a lot of literal strings. Yes, it contains a lot of literal strings, and it's a success. Now we can analyze the firmware.

This image decompressed from MPC.Z is raw binary. It's not an ELF image, and it doesn't contain any information about the load location and the linking information. But from the boot shell we can use the load command to load MPC.Z, and we can see that this image is loaded to a fixed address; this is the address VxWorks is started from. Now we can load it into IDA Pro and just rebase the image to that address. And currently the code is stripped; it's very difficult, as the function names are all lost, and finding information is difficult. After a lot of time, we could definitely recover the symbols. Then I found the user security function; it's interesting: it stores the user names and hashes of all passwords. It seems that the hash has been encoded by base64, and after decoding we get 32 binary bytes. Now we must find out what hash method is used.

Sorry, our laptop got something wrong. Well, it's not our laptop; oh, it's Windows, and it's Lenovo. Yeah, we tried to bring our own laptop, but according to some policy our laptop can't come to America, so we had to buy one, buy a Mac. Well, it's powered out. Sorry, almost done. Yeah, it's just here. Yeah, we are back. Okay.

And we know that MD5 is 16 bytes, SHA-1 is 20 bytes, and SHA-256 is 32 bytes, so we guess it's maybe hashed by SHA-256. And we decoded it with an online decoder website, and we got the password: it's just "128". So always try 128 first. But sometimes we don't always have good luck, so in this topic we show a general method to bypass the password. If the system does not use a weak password, what can we do? In fact, in newer versions of this firmware, they have changed the password, and the website can't decode it.
From the assembly code, we found that after the username and the password have been input, the hash computing function will be called. In this function, it calls the hash computation to compute the hash, uses IP auth hash get to get the original hash, and then uses memcmp to compare the two. So we just patch this instruction, and let's use the always-branch trick. We have two ways to patch it. We may patch the firmware, recompress it and add the header, then download the file by TFTP and copy it to the user1 directory. But for some points, we can also use the hot patch method: in the boot shell, first use the command to load and decompress MPC.Z into memory, and then use the "m" command to change this instruction from DF FF FF 0A to DF FF FF EA. Exactly, we just patch the BEQ instruction to a B instruction. Now we can log in using the MPC.Z; we can enter any password, and we get the VxWorks kernel shell. There are a lot of tools that can be used.

We can get to the main point: let's capture the data traffic and try to analyze it. We can use a computer to share an internet link with Linux iptables or the Windows Internet Connection Sharing service, or use a router with a port mirror function. We can use Wireshark to capture the packets in real time now. Here is the data capture. But now the data doesn't contain any readable text. What the hell is this? And we can use Wireshark to open the capture. We open it. Well, how do you open the capture?

So you guys, if you want to give a speech or presentation, use your own laptop. Press here. Yeah, double click. So it's okay. We got it. So, we got it. And we saved the capture. Well, it's a big capture, because we just captured for two days, and all our neighbors' SMS we can all see. Yeah. Yeah. But the packets have a lot of errors, and Wireshark can't decode them. And they can do it.
And you may say all packets are malformed; maybe it's encrypted. It's encrypted with IPsec, and we can decode it. That's the way: we decode port 500 as ISAKMP and port 4500 as UDP-encap, and now Wireshark can decrypt it. But it's a long protocol, and as I show you in Wireshark, we reversed the image to find which protocol it uses, and we wondered how they changed the protocol. After a lot of reverse work, we found that the RANAP protocol has indeed been modified. After decoding the protocol, we can analyze the short messages: one section of RANAP has been replaced with a protocol, and GPRS has been replaced with the BSSGP protocol. So we rewrote a Wireshark decoder, and it can decode these packets correctly. This is the short message packet that we captured. Now we will show you the correct results. Yeah, here is my version of Wireshark. You can download it, but you can't. GSM SMS packets now. And we can show you; I'll just show you some video that proves it. So, one, yeah. Well, here is the femtocell. That's it. And besides that, that's my badge. Well, you guys know my phone number; now you can hack me. Yeah, you can see the details that we just sent. Well, now we are capturing our packets. The data grows, grows, grows. Yeah. Okay, just like a quick small one, yeah. Okay.
Let's just filter it to GSM / GSM SMS. Yeah. Oh, wait a moment. Let's see. Well, here it is. Now we can see the details. And of course I have a video about how to capture the mail contents, but according to our time, yeah, we just skip it. And also we have a vendor area, so if you guys want to know something, you can contact me there, or at the end of the PowerPoint there is my email, so you can just send an email or just let us know your questions. My apologies for my accent. And according to some policy, we have deleted some important things that we are not allowed to show, and I'm really sorry about that. Yeah. So if you guys want to know about it, just contact me in private, okay? Yeah, sure. Let me show you my email. Okay. I see, I see. Yeah, just my name and it's 315. That's okay. That's okay. You guys can find the PDF. They got something out here. Yeah. Let's just go to the, oh, sorry. Yeah. Here is the HTTP traffic. Yeah, you can know your neighbor is visiting some website. Yeah. Here is our email and our password. Well, this is just a basic American e-bike site. Well, this is the mail. Yeah. Well, this is the summary, and we have a lot of references and thanks. Yeah. Yeah. This is my email, and we have a vendor booth at the Unicorn Team where you can buy things or just ask me a lot of questions. So we are waiting for you. Bye guys. Yeah. So thank you.
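As an added example (not code from the talk or from the vendor), here is a small Python parser for the MPC.Z container format as the speakers described it: four fixed magic bytes 05 15 01 00, a four-byte length that plus 9 equals the file size, a ninth byte of unknown meaning, then a deflate stream. It assumes the length is big-endian (the talk does not say; 00 3D CC C1 read big-endian is about 4 MB, which is plausible for a VxWorks image) and tries both a zlib-wrapped and a raw deflate stream; the sample image is constructed.

```python
"""Parse the MPC.Z firmware container recovered in the femtocell talk.

Layout (9-byte header, then compressed image):
  bytes 0..3  fixed magic 05 15 01 00
  bytes 4..7  payload length, assumed big-endian (not stated in the talk)
  byte  8     unknown, skipped
  bytes 9..   deflate stream; len(file) == length + 9
"""
import re
import struct
import zlib

MAGIC = b"\x05\x15\x01\x00"
HEADER_LEN = 9


def parse_mpcz(blob: bytes) -> bytes:
    """Validate the header and return the decompressed raw image."""
    if len(blob) < HEADER_LEN or blob[:4] != MAGIC:
        raise ValueError("bad magic")
    (length,) = struct.unpack(">I", blob[4:8])  # assumption: big-endian
    if length + HEADER_LEN != len(blob):
        raise ValueError(f"length {length} + 9 != file size {len(blob)}")
    payload = blob[HEADER_LEN:]
    # The talk hit an error with a plain deflate call first, so accept a
    # zlib-wrapped stream and fall back to raw deflate (negative wbits).
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(payload, wbits)
        except zlib.error:
            continue
    raise ValueError("payload is neither zlib nor raw deflate")


def printable_strings(image: bytes, min_len: int = 4) -> list:
    """Same sanity check as the talk: run 'strings' over the output."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def build_mpcz(image: bytes, raw: bool = False) -> bytes:
    """Constructed test vector: wrap an image in the container layout above."""
    if raw:
        c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        payload = c.compress(image) + c.flush()
    else:
        payload = zlib.compress(image)
    return MAGIC + struct.pack(">I", len(payload)) + b"\x00" + payload


# Constructed sample image: padding plus two strings the talk saw on the console.
SAMPLE = b"\x00" * 64 + b"VxWorks login: " + b"\x00" * 16 + b"VxWorks 6.8"

if __name__ == "__main__":
    for raw in (False, True):
        print(raw, printable_strings(parse_mpcz(build_mpcz(SAMPLE, raw=raw))))
```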