Android Manager Agent protocol research

My mobile phone comes with Android Manager Agent. It is an Android agent plus a Windows desktop application to manage the phone, including contacts, SMS, media files, applications, etc. It is possible to use this software via WIFI or USB. Unfortunately the desktop client is Windows only and I was not able to run it in Wine.

So I decided to reverse the protocol using Wireshark and a Java decompiler. I found that the communication is not encrypted; the only protection is an MD5 of the agent PIN (in WIFI mode). Every packet consists of a “magic” header, command type, status field and (optionally) a data field. My goal is to write a utility to backup/restore the contacts book and calendar (yes, I don't want to store it on Google) and, possibly, to make a GUI for offline browsing/editing.

Right now the client is at a very early stage and is only able to connect to the device (WIFI) and request some information. Patches, comments and suggestions are welcome.

The prototype is hosted on GitHub – https://github.com/samm-git/one_touch_993D_gsm/blob/master/android_manager_client.pl

JVPN 0.5.0 released

JVPN is a Perl script to connect to the Juniper VPN with Host Checker enabled. The new version adds a lot of fixes plus a new experimental mode, “ncui”. In this mode the script tries to use the libncui.so library instead of calling ncsvc directly. If you were able to get SSID but were not able to connect in the previous version, I recommend trying ncui mode in version 0.5.0.

ATOP 2.0.2 performance monitor ported to FreeBSD

Today I updated my FreeBSD port of the ATOP full-screen performance monitor to the recent version. The PR is already sent, so it should be in the ports tree soon. Atop is one of my favorite tools for monitoring performance, not only because it shows much more than the system TOP(1), but also because it can record all activity to a binary log to work with later or to generate different reports.

The FreeBSD port supports all functionality of the Linux version except per-process network utilization (netatop). Porting or replacing the netatop module is not trivial and will require kernel patching.

md raid on Debian – setting timeout before assembling an array

I have one pretty old Debian Squeeze Linux server with SCSI and SATA drives. The root partition is mirrored between them using mdraid. The problem was that after a reboot the array was always in a “degraded” state with only the ATA disk in it.

Of course it was possible to manually re-add the SCSI drive afterwards using the “mdadm -a” command, but that caused a RAID rebuild (and a lot of I/O for the next ~30 minutes). So I decided to find the cause. After analyzing dmesg I found that “/dev/sda” (SATA) appears at the 3rd second and “/dev/sdb” at ~15, after the slow initialization of the SCSI controller. The problem is that mdadm tries to assemble the RAID before sdb is available and ready. After finding the reason the fix was trivial:

  1. I copied the /usr/share/initramfs-tools/scripts/local-top/mdadm script to the /etc/initramfs-tools/scripts/local-top directory.
  2. In the /etc/initramfs-tools/scripts/local-top/mdadm file, after the line
    verbose && log_begin_msg "Assembling all MD arrays"
    I added the line
    sleep 15
  3. Run “update-initramfs -u” and reboot.

After the reboot the array was in a consistent state, so the problem is resolved.
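
A fixed sleep delays every boot by the full 15 seconds and still loses the race if the controller takes longer. As an added example (not part of the original post or of Debian's mdadm script), here is a bounded wait that returns as soon as the member devices exist; the function name wait_for_devices, the 30-second limit and the device list are assumptions.

```shell
#!/bin/sh
# Added example: bounded wait for RAID member devices, meant to replace a
# fixed "sleep 15" in a local copy of the initramfs mdadm script.
# wait_for_devices and the device names below are assumptions.

# wait_for_devices TIMEOUT_SECONDS PATH...
# Returns 0 as soon as every PATH exists, 1 if TIMEOUT_SECONDS elapse first.
wait_for_devices() {
    timeout=$1
    shift
    waited=0
    while :; do
        missing=""
        for dev in "$@"; do
            # In the initramfs, use -b instead of -e to require a block device.
            [ -e "$dev" ] || missing="$missing $dev"
        done
        [ -z "$missing" ] && return 0
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${waited}s waiting for:$missing" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Intended use inside the script, before the arrays are assembled:
#   wait_for_devices 30 /dev/sda /dev/sdb || echo "assembling degraded" >&2
```

On timeout the function only reports which devices are missing, so the caller decides whether to assemble a degraded array or stop.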

Reading codes from RSA SecurID token

Why do I need this?

To access my VPN I need to use a code from an RSA SecurID token. Sometimes the VPN disconnects and I need to enter the token code again and again. It is annoying. Also I am afraid that one day I will lose my token and it will take a lot of time to restore it.

So I decided to automate the process. There is no USB port on this token type, so the only way to read the digits is to “scan” the LCD. I decided to do this with my old Logitech Webcam C200. This article shows how to do this. To backlight the token I used an IKEA lamp.

I used the “cheese” tool to set up the camera and the token. Make sure that the token is highlighted and the numbers are big and readable.


How to make delicious addon working with Firefox 16

I have been using Delicious bookmarking for a long time. I like the idea of tagged extensions (and can't use the default directory-like format). The Delicious Bookmarks Firefox extension was marked as incompatible in FF16 because it breaks the awesome bar. I did a small hack to make it work again (without awesome bar integration, I never used it anyway). A small how-to is provided below:

  1. Change <em:maxVersion> to 20.* in install.rdf (in the addon directory), restart FF and re-enable the addon in the addon list.
  2. In chrome/skin/overlay.css (in the extension directory) I commented out the line after the line “.autocomplete-richlistitem”.

This will disable integration with the awesome bar and make Firefox happy. All basic functions of the Delicious extension seem to work fine.

Update: Delicious Bookmarks updated to 2.3.4, now compatible with Firefox 16.  The Delicious Bookmarks add-on has now been updated, and you can now reinstall the extension for Firefox 16 from  the following link: https://addons.mozilla.org/addon/delicious-bookmarks/

Using Twinkle VoIP client or Asterisk to dial in into intercall conferences

As a consultant I have a lot of daily meetings. My company has now switched to the InterCall conferencing service with a dial-in bridge. After calling in I need to enter my meeting ID every time, which is a little annoying. I am using VoIP to dial into the conference bridge, so I decided to solve this task with scripting.

I did not find many good VoIP clients for Linux. Ekiga is very buggy, most other clients do not provide any API, and sflphone on my Ubuntu provides a very limited interface that can only be used through its Python API. So in the end I am using Twinkle – it is old and uses QT3 but still works much better than many modern clients.
It also provides a command line interface to manage a running instance. The resulting script is provided below:

#!/bin/sh

# intercall number, see http://www.intercallonline.com
INTERCALLNUM=800701065
# If no arguments are given, ask for the conference number
if [ $# = 0 ]
then
    echo -n "Enter conference number: "
    read NUMBER
else
    NUMBER=$1
fi
# Dial the bridge from the running Twinkle instance
twinkle --immediate --call $INTERCALLNUM
# Wait for the bridge to answer before sending DTMF digits
sleep 7
twinkle --cmd "dtmf $NUMBER#"

This script will dial into the bridge and then enter the conference ID followed by the # sign. For Cisco 7940/7960 users my old script should work fine with minimal changes.

I am also planning to do this at the Asterisk level, e.g. by sending a command like <bridge_num>*<conf_num>#, so that it works from any SIP-enabled device.

Update: after reading the Asterisk documentation I found that it is much easier to do this in Asterisk than inside the VoIP client. Below is a part of the Asterisk configuration:

; intercall prg bridge, *10
exten => _*10ZX.,1,Progress
exten => _*10ZX.,2,Dial(SIP/800701065@siptrunk,,D(wwwwww${EXTEN:3}#))

Using this dialplan I need to enter *10<conf_code> to join the conference from any SIP-enabled device. I also found that it works more reliably than from Twinkle.

MCI730 status update – bootable kernel and mplayer package

Some updates on my Philips status: I was finally able to get a bootable kernel. The problem was in the supplied kernel configuration (.config) – it does not contain references to the required GPIO devices. After enabling them the kernel loads. But it does not work as expected – the screen resolution is wrong and there are some problems with the I2C bus. Now it is clear that the provided package does not contain up-to-date sources for the device. I requested updates from Philips, but it is not clear if they will provide them (they should, by GPL).

Also, for testers I made a binary package with mplayer 1.1. I tested it with some sound formats (MP3, AAC+, FLAC, WAVPACK, APE and OGG) – everything works fine. The only problem I had was AAC+ with bitrate > 128k – it seems that this CPU is not powerful enough for this job; everything else is good, including network playing. To use it, unpack it on your flash drive, insert it into the device and use the mplay.sh wrapper from telnet. E.g.

/tmp/sda1/mplayer/mplay.sh http://sc1.abacast.com:8240

One note – I am not [yet] aware how to switch device inputs, so before the first run switch to the “Internet Radio” mode. Please drop me a note if it works for you.

Update: it is also possible to run mplayer with output on the screen:
openvt 1 /tmp/sda1/mplayer/mplay.sh http://sc1.abacast.com:8240

jvpn – Perl script to connect to the Juniper VPN with Host Checker enabled

Overview

To access some company resources I need to use the Network Connect VPN from Juniper. Network Connect is a software package that interfaces with its Secure Access hardware and provides a Virtual Private Network (VPN) solution. There are two software products that connect to Secure Access servers: Windows Secure Application Manager which, as you might guess, runs on Microsoft Windows; and Network Connect, which runs on other platforms, in particular GNU/Linux. All clients are closed source, without an open source alternative.

I personally think that all closed source VPN clients should die one day – typically they are a perfect example of security by obscurity – internally they use known algorithms and are typically built with OpenSSL inside, so there are no “secret” technologies. But the closed source form does not allow auditing the code or connecting from a non-supported OS (including non-x86 Linux, e.g. ARM). Also I'm sure that the code security level is very low – often such clients contain statically linked outdated libraries, or input parameter validation is bad. In the worst case such clients include kernel modules (some s..t from Cisco) and then you are forced to use only a supported kernel. In the Juniper case the native Linux client requires Java and a web browser to be installed. Also it is built with JNI (Java Native Interface), so it will run only on 32-bit platforms. To run it on my Linux/x86_64 I installed 32-bit versions of Firefox and Oracle Java. It was very annoying to keep all these blobs in RAM, so I decided to understand how it works and write an alternative.

How Network Connect works

After debugging with strace, a Java decompiler and tcpdump I got a clear view of how Network Connect works:

  1. In the web browser the client opens the VPN page and enters Login/Password (in my case the password is generated by an RSA SecurID device).
  2. If authorization is successful the browser checks whether the VPN software is installed, using a Java applet. If it is not installed, the ncLinux.jar file is downloaded and the installation script is run. The client is installed to ~/.juniper_networks/network_connect. It will also set the SUID bit on the ncsvc binary using su or sudo (a password is prompted for).
  3. Then, optionally, the host checker (tncc.jar) client is run. This package validates whether your system conforms to the policies configured on the VPN host. In my case HC is running but is probably not strict – I am able to log on to the VPN from my home Linux.
  4. In the next step the Java applet launches NC.jar and passes some parameters to it. The most important one is DSID – the dynamic session key, taken from the browser cookie.
  5. NC.jar starts the Java (AWT based) GUI and the console client (ncsvc) using JNI (the code is inside libncui.so). I found that after startup ncsvc listens on TCP port 4242 (address 127.0.0.1). Then the Java GUI starts and connects to ncsvc (port 4242).
  6. After connecting, the Java GUI sends the configuration to ncsvc using a non-documented protocol and ncsvc establishes the remote connection. In the configuration packet I found the DSID, the certificate md5 fingerprint, the hostname and some other data.
  7. When the connection is established the Java GUI gets a reply and communicates with ncsvc to get connection statistics (amount of data transferred, VPN algorithm, etc.).
  8. On disconnect the GUI sends a special command to the ncsvc process, which disconnects from the remote host and does some cleanup (e.g. reverting /etc/resolv.conf and /etc/hosts).
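
Steps 2 and 5 mean a SUID binary takes its configuration, including the DSID, over a loopback TCP socket that any local process can connect to. As an added example (not part of jvpn or of the original post), this check lists the listeners on a given port with their bind address and owning UID, read from data in /proc/net/tcp layout; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list LISTEN sockets on a TCP port from /proc/net/tcp style
# data, to see what owns the ncsvc control port (4242) and where it is bound.
# Function names and the sample data are constructed for illustration.

# listeners_on_port PORT [FILE] -> prints "ADDRESS:PORT uid=UID" per listener
listeners_on_port() {
    port_hex=$(printf '%04X' "$1")
    awk -v want="$port_hex" '
        function hexval(h,   i, n) {
            n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return n
        }
        NR > 1 && $4 == "0A" {              # skip header; state 0A = LISTEN
            split($2, la, ":")
            if (toupper(la[2]) != want) next
            # IPv4 address is little-endian hex here: 0100007F = 127.0.0.1
            a = la[1]
            printf "%d.%d.%d.%d:%d uid=%s\n",
                hexval(substr(a, 7, 2)), hexval(substr(a, 5, 2)),
                hexval(substr(a, 3, 2)), hexval(substr(a, 1, 2)),
                hexval(la[2]), $8
        }' "${2:-/proc/net/tcp}"
}

# Constructed sample: a root-owned listener on 127.0.0.1:4242, a listener on
# 0.0.0.0:22, and an established connection to 4242 that must not be listed.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1092 01 00000000:00000000 00:00000000 00000000  1000        0 15020 1 0000000000000000 20 4 30 10 -1
EOF
}
```

Run `listeners_on_port 4242` on the live system while the client is connected; a bind address other than 127.0.0.1 would expose the control port to the network.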

ncsvc client

The connection is established and maintained by the ncsvc client. I found some information on the net (e.g. mad-scientist.us/juniper.html or www.joshhardman.net/juniper-network-connect-vpn-linux-64-bit/) on how to run it from the command line, including some scripts. In my case all these scripts failed. If these scripts work for you then you don't need jvpn :) The reason for the failure was Host Checker – the related Juniper KB contains the text “Launch Network Connect only through the Internet browser on the supported Linux platforms”. But I was not satisfied with this and decided to emulate the Java GUI to run the client from the command line, without a web browser. The command line interface of ncsvc (see ncsvc -h) does not help in this case, because there is no way to pass the DSID, and all other CLI options fail in my case. So I wrote a Perl script – jvpn.pl – and hooray, I was able to establish a connection.

jvpn.pl script – description

  • To use this script you need Perl (with some modules) and the openssl binary. unzip is also required if the client is not installed.
  • jvpn.pl uses the configuration file jvpn.ini – before use you will need to set up the host name, login, password and realm. If you don't know your realm, read the HTML source of the login page – it will contain a hidden “REALM” input element.
  • If the ncsvc client is not installed, jvpn will download it to the current directory automatically from your VPN host.
  • Then it logs in to the web site using your username/password and gets the DSID. It handles some advanced scenarios like the “active sessions found” and “additional code required” pages from the VPN. It also gets the md5 fingerprint of the SSL certificate using the “openssl” binary.
  • After getting the DSID it starts ncsvc and sends configuration commands to it over TCP (port 4242). At this stage ncsvc establishes the VPN connection. Then jvpn.pl enters a statistics loop, like the Java GUI.
  • On Ctrl+C jvpn.pl sends the disconnect command to ncsvc and also logs out from the VPN web site, to make sure that the DSID is invalidated.

Download

Version 0.5.0 – samm.kiev.ua/jvpn/jvpn-0.5.0.tar.bz2. If you find bugs or make improvements – drop me a note.

Rooting MCI730/12 device

The promised post about getting root on the Philips MCI730/12 media center. As always – no warranty, anything could happen to your device, you are doing this at your own risk.

  1. You will need a USB flash drive formatted as FAT or FAT32.
  2. Put the file firmware2010_102h.tgz in the root folder of the disk. This is not a real firmware and it will not modify your device. The only purpose of this package is to provide root access on boot.
  3. Unplug the AC cord to power off the device. Insert the USB flash drive into the device. Press and hold the EJECT key, then plug in the AC cord. After some time the device will start booting in “Rescue” mode.
  4. If everything is done right you will see something like this: [image]
  5. To telnet to the device you need to connect to the Ethernet port. The device address is 192.168.101.211/255.255.255.0, telnetd is running on the standard port (23). Login/password is root/root.
  6. If you want to start telnetd in normal (non-rescue) mode permanently, add the line
    “/usr/sbin/telnetd -p 23 &” to the /usr/local/etc/mnetwork.conf file using the command
    echo '/usr/sbin/telnetd -p 23 &' >> /usr/local/etc/mnetwork.conf
  7. Reboot the device. Telnet will be running on the standard (e.g. DHCP) device address, on port 23, with root/root login.

Some background information:

The file firmware2010_102h.tgz emulates a firmware update. When the device boots in “rescue” mode it extracts the content of this file to temporary directories and starts the ./install shell script. In a normal update tarball this script re-flashes the device, but in our case it just configures the network interface and starts telnetd. I am using /usr/local/etc/mnetwork.conf to start telnetd because it is the only file located on a r/w partition. This file is included by /etc/netinit.sh from the read-only (cramfs) rootfs. It is also used by the mediabolic server, but it seems that the server silently ignores this line, so this hack works fine.
