Uncategorized

Collabora: Changing the Android boot animation

Quick hack: Changing the Android boot animation

Posted on 21/04/2017 by Robert Foss

For various reasons you might want to change the Android boot animation to something other than the stock one, this is how you do it. There exists official documentation for how to create a custom boot animation, but unfortunately it is lacking in actual examples. So this guide is a bit more hands-on. Without covering too much of the same gound as the documentation, let’s have a quick look at what is in a simple bootanimation.zip.[…]

https://www.collabora.com/news-and-blog/blog/2017/04/21/quick-hack-changing-the-android-boot-animation/

https://android.googlesource.com/platform/frameworks/base/+/master/cmds/bootanimation/FORMAT.md

Standard
Uncategorized

DR.CHECKER: Linux kernel driver vulnerability detection tool

 DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

usage: run_all.py [-h] [-l LLVM_BC_OUT] [-a CHIPSET_NUM] [-m MAKEOUT] [-g COMPILER_NAME] [-n ARCH_NUM] [-o OUT] [-k KERNEL_SRC_DIR] [-skb] [-skl] [-skp] [-ske] [-ski] [-f SOUNDY_ANALYSIS_OUT]

optional arguments:
-h, –help show this help message and exit
-l LLVM_BC_OUT Destination directory where all the generated bitcode files should be stored.
-a CHIPSET_NUM Chipset number. Valid chipset numbers are:
1(mediatek)|2(qualcomm)|3(huawei)|4(samsung)
-m MAKEOUT Path to the makeout.txt file.
-g COMPILER_NAME Name of the compiler used in the makeout.txt, This is
needed to filter out compilation commands. Ex: aarch64-linux-android-gcc
-n ARCH_NUM Destination architecture, 32 bit (1) or 64 bit (2).
-o OUT Path to the out folder. This is the folder, which
could be used as output directory during compiling
some kernels. (Note: Not all kernels needs a separate out folder)
-k KERNEL_SRC_DIR Base directory of the kernel sources.
-skb Skip LLVM Build (default: not skipped).
-skl Skip Dr Linker (default: not skipped).
-skp Skip Parsing Headers (default: not skipped).
-ske Skip Entry point identification (default: not
skipped).
-ski Skip Soundy Analysis (default: not skipped).
-f SOUNDY_ANALYSIS_OUT Path to the output folder where the soundy analysis output should be stored.

https://github.com/ucsb-seclab/dr_checker

Standard
Uncategorized

Huawei boot loader vulnerability

3 boot loader/smartphone security vulnerabilities from Huawei. Text of two and links to all 3 are below:

Security Advisory – Out-of-Bounds Memory Access Vulnerability in the Boot Loaders of Huawei Mobile Phones
SA No:huawei-sa-20170816-01-smartphone
Initial Release Date: 2017-08-16
The boot loaders of some Huawei mobile phones have an out-of-bounds memory access vulnerability due to the lack of parameter validation. An attacker with the root privilege of an Android system may trick a user into installing a malicious APP. The APP can modify specific data to cause buffer overflow in the next system reboot, causing out-of-bounds memory read which can continuous system reboot. (Vulnerability ID: HWPSIRT-2017-01070)
This vulnerability has been assigned a CVE ID: CVE-2017-8149. Huawei has released software updates to fix this vulnerability. Successful exploit could cause out-of-bounds memory read, leading to continuous system reboot.
This vulnerability can be exploited only when the following conditions are present: 1) The attacker has gained the root privilege of an Android system and successfully tricked a user into installing the malicious APP. 2) An attacker with the root privilege of an Android system may trick a user into installing a malicious APP. The APP can modify specific data to cause out-of-bounds memory read, leading to continuous system reboot. This vulnerability was reported to Huawei PSIRT by Aravind, Machiry. Huawei would like to thank Aravind, Machiry for working with us and coordinated vulnerability disclosure to protect our customers.[…]

Security Advisory – Authentication Bypass Vulnerability in Huawei Honor 5S Smart Phones
SA No:huawei-sa-20170816-03-smartphone
Initial Release Date: 2017-08-16
Huawei Honor 5S smart phones have an authentication bypass vulnerability due to the improper design of some components. An attacker can get a user’s smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. (Vulnerability ID: HWPSIRT-2017-07037). This vulnerability has been assigned a CVE ID: CVE-2017-8151. Huawei has released software updates to fix this vulnerability. Successful exploit could allow the attacker to reset the password and fingerprint of the phone. This vulnerability can be exploited only when the following conditions are present: 1) The attacker obtains a user’s smart phone in unlocked state. An attacker can get a user’s smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. This vulnerability was reported to Huawei PSIRT by security researcher Zhang Qing. Huawei would like to thank Zhang Qing for working with us and coordinated vulnerability disclosure to protect our customers.

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170816-01-smartphone-en
http://www.huawei.com/my/psirt/security-advisories/huawei-sa-20170807-01-smartphone-en
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-03-smartphone-en
http://www.huawei.com/us/psirt

https://www.linkedin.com/in/aravind-kumar-machiry-00459923

https://cn.linkedin.com/in/%E6%B8%85-%E5%BC%A0-4b37b2108

 

Standard
Uncategorized

Frida 10.4 released

Frida provides quite a few building blocks that make it easy to do portable instrumentation across many OSes and architectures. One area that’s been lacking has been in non-portable use-cases. While we did provide some primitives like Memory.alloc(Process.pageSize) and Memory.patchCode(), making it possible to allocate and modify in-memory code, there wasn’t anything to help you actually generate code. Or copy code from one memory location to another. Considering that Frida needs to generate and transform quite a bit of machine code for its own needs, e.g. to implement Interceptor and Stalker, it should come as no surprise that we already have C APIs to do these things across six different instruction set flavors. Initially these APIs were so barebones that I didn’t see much value in exposing them to JavaScript, but after many years of interesting internal use-cases they’ve evolved to the point where the essential bits are now covered pretty well. So with 10.4 we are finally exposing all of these APIs to JavaScript. It’s also worth mentioning that these new bindings are auto-generated, so future additions will be effortless.[…]

https://www.frida.re/news/2017/08/15/frida-10-4-released/

Standard
Uncategorized

Android 8.0 (“Oreo”) security changes

https://android-developers.googleblog.com/2017/08/introducing-android-8-oreo.html

https://developer.android.com/about/versions/o/android-8.0-changes.html#security-all

https://developer.android.com/topic/security/index.html

https://developer.android.com/about/versions/o/index.html

 

Standard