bridge.1.devname=br0
bridge.1.fd=1
bridge.1.port.1.devname=eth0
bridge.1.port.2.devname=ath0
bridge.status=enabled
dhcpc.1.devname=br0
dhcpc.1.status=enabled
dhcpc.status=disabled
dhcpd.1.status=disabled
dhcpd.status=disabled
ebtables.1.cmd=-t nat -A PREROUTING --in-interface ath0 -j arpnat --arpnat-target ACCEPT
ebtables.1.status=enabled
ebtables.2.cmd=-t nat -A POSTROUTING --out-interface ath0 -j arpnat --arpnat-target ACCEPT
ebtables.2.status=enabled
ebtables.3.cmd=-t broute -A BROUTING --protocol 0x888e --in-interface ath0 -j DROP
ebtables.3.status=enabled
ebtables.status=enabled
httpd.port=80
httpd.status=enabled
netconf.1.devname=eth0
netconf.1.ip=0.0.0.0
netconf.1.netmask=255.255.255.0
netconf.1.promisc=enabled
netconf.1.status=enabled
netconf.1.up=enabled
netconf.2.devname=ath0
netconf.2.ip=0.0.0.0
netconf.2.netmask=255.255.255.0
netconf.2.status=enabled
netconf.2.up=enabled
netconf.3.devname=br0
netconf.3.ip=192.168.1.20
netconf.3.netmask=255.255.255.0
netconf.3.status=enabled
netconf.3.up=enabled
netconf.status=enabled
pwdog.delay=1
pwdog.host=192.168.1.1
pwdog.period=1
pwdog.retry=3
pwdog.status=enabled
radio.1.ack.auto=enabled
radio.1.acktimeout=48
radio.1.devname=ath0
radio.1.ieee_mode=G
radio.1.mode=Managed
radio.1.rate.auto=enabled
radio.1.rate.max=54M
radio.1.rx_antenna=1
radio.1.rx_antenna_diversity=disabled
radio.1.status=enabled
radio.1.tx_antenna=1
radio.1.tx_antenna_diversity=disabled
radio.1.txpower=26
radio.countrycode=840
radio.ratemodule=ath_rate_minstrel
radio.status=enabled
route.1.devname=br0
route.1.gateway=192.168.1.1
route.1.ip=0.0.0.0
route.1.netmask=0
route.1.status=enabled
route.status=enabled
sshd.status=enabled
users.1.name=ubnt
users.1.password=VvpvCwhccFv6Q
users.1.status=enabled
users.status=enabled
wireless.1.devname=ath0
wireless.1.hide_ssid=disabled
wireless.1.security=none
wireless.1.ssid=UBNT
wireless.1.status=enabled
wireless.status=enabled
Thursday, November 25, 2010
Sunday, November 29, 2009
Linux hidden IP address
Linux has a "feature" (I'd say this is a bug) to add an alias IP address(es) to the interface AND these addresses ARE NOT displayed by /sbin/ifconfig, netstat -rn, arp -na!!
There is a mysterious command /sbin/ip addr that actually shows the hidden aliases.
Here is a proof-of-concept code: ip_secondary.c
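As an added example (not the ip_secondary.c proof of concept and not code from the original post), an audit script can read the one-line output of /sbin/ip and report the IPv4 addresses that ifconfig would leave out. It assumes that net-tools ifconfig looks addresses up by interface label, so only the first address carrying a given label is displayed; the function names and the sample output are constructed for illustration.

```python
import re
import sys

# Constructed sample of `ip -o -4 addr show` output (not captured from a real host).
SAMPLE_IP_OUTPUT = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.21/24 brd 192.168.1.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.66/24 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.9.8.7/32 scope global eth0\       valid_lft forever preferred_lft forever
"""

# "<index>: <device> inet <address> <attributes ... label>\ <lifetimes>"
# The label is the last word before the backslash that `ip -o` uses in place
# of a line break; older iproute2 versions print no lifetimes at all.
LINE_RE = re.compile(
    r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<addr>\S+)\s*(?P<rest>[^\\]*)"
)


def parse_ipv4_addrs(text):
    """Return [(device, label, address)] in the order `ip` printed them."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank line, IPv6 entry or anything else we do not audit
        tokens = match.group("rest").split()
        label = tokens[-1] if tokens else match.group("dev")
        entries.append((match.group("dev"), label, match.group("addr")))
    return entries


def hidden_from_ifconfig(entries):
    """Return [(device, address)] that a label-based lookup never reaches.

    Assumption: ifconfig asks the kernel for "the address of <label>" and gets
    the first match, so a second address with the same label (for example one
    added with `ip addr add` and no label) is not displayed.
    """
    seen_labels = set()
    hidden = []
    for dev, label, addr in entries:
        if label in seen_labels:
            hidden.append((dev, addr))
        else:
            seen_labels.add(label)
    return hidden


if __name__ == "__main__":
    # Pipe real output in (`ip -o -4 addr show | python3 thisfile.py`),
    # or run without a pipe to audit the constructed sample.
    text = SAMPLE_IP_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for dev, addr in hidden_from_ifconfig(parse_ipv4_addrs(text)):
        print(f"{dev}: {addr} is not shown by ifconfig")
```
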
Sunday, May 31, 2009
Artefact
64 bytes from aa.bb.cc.dd: icmp_seq=13663 ttl=64 time=41.861 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13664 ttl=64 time=101.532 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13665 ttl=64 time=20815607.405 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13666 ttl=64 time=20814600.668 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13667 ttl=64 time=20813598.921 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13668 ttl=64 time=20812595.556 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13669 ttl=64 time=20811586.249 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13670 ttl=64 time=20810579.048 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13671 ttl=64 time=20809569.809 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13672 ttl=64 time=20808564.467 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13673 ttl=64 time=20807555.147 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13674 ttl=64 time=20806546.066 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13675 ttl=64 time=20805536.577 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13676 ttl=64 time=20804527.255 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13677 ttl=64 time=20803517.852 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13678 ttl=64 time=20802508.649 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13679 ttl=64 time=20801499.345 ms
64 bytes from aa.bb.cc.dd: icmp_seq=13680 ttl=64 time=20800489.987 ms
64 bytes from aa.bb.cc.dd: icmp_seq=34268 ttl=64 time=6257.519 ms
64 bytes from aa.bb.cc.dd: icmp_seq=34269 ttl=64 time=5248.688 ms
Thursday, May 07, 2009
FreeBSD SD/MMC/MemoryStick/xD cardreader
Does nothing on card insertion/removal :(
sdhci0@pci0:15:6:3: class=0x080500 card=0x011f1025 chip=0x803c104c rev=0x00 hdr=0x00
vendor = 'Texas Instruments (TI)'
device = 'PCIxx12 SDA Standard Compliant SD Host Controller'
class = base peripheral
subclass = SD host controller
sdhci0: mem 0xfc206800-0xfc2068ff irq 22 at device 6.3 on pci15
sdhci0-slot0: 48MHz 4bits 3.3V PIO
sdhci0-slot0: ============== REGISTER DUMP ==============
sdhci0-slot0: Sys addr: 0x00000000 | Version: 0x00008900
sdhci0-slot0: Blk size: 0x00000000 | Blk cnt: 0x00000000
sdhci0-slot0: Argument: 0x00000000 | Trn mode: 0x00000000
sdhci0-slot0: Present: 0x000a0000 | Host ctl: 0x00000000
sdhci0-slot0: Power: 0x00000000 | Blk gap: 0x00000000
sdhci0-slot0: Wake-up: 0x00000000 | Clock: 0x00000000
sdhci0-slot0: Timeout: 0x00000000 | Int stat: 0x00000000
sdhci0-slot0: Int enab: 0x01ff00fb | Sig enab: 0x01ff00fb
sdhci0-slot0: AC12 err: 0x00000000 | Slot int: 0x00000000
sdhci0-slot0: Caps: 0x018030b0 | Max curr: 0x00000000
sdhci0-slot0: ===========================================
sdhci0: 1 slot(s) allocated
sdhci0: [ITHREAD]
Monday, May 04, 2009
Wednesday, April 29, 2009
Friday, November 14, 2008
FreeBSD 7.0 on ACER Extensa 5220
Status
Do not work:
- Webcam (there is linux only driver in UVC)
- MMC/SD cardreader (works under Linux (OpenBSD?) with tifm_sd driver)
- Modem (may work under linux as hsf/hcf modem on hda bus)
- Audio out (audio in / microphone in?) does not work when headphones are connected
Work with problems when resumed after suspend:
- NDIS broadcom 4315 WiFi does not work (linux has native broadcom driver)
- console font settings have to be reapplied
Other issues:
- WiFi LED never blinks
- Multimedia, brightness, sound, dollar, euro, etc buttons can be turned on using xmodmap (using xev to get key codes) but they are not mapped in KDE. It should be possible to map volume/mute buttons to change mixer settings BUT it does not seem to be possible to control brightness with brightness buttons (needs acpi support).
Tuesday, November 11, 2008
Optimizing the installations using symlinks
Attempting to optimize the StarOffice7 installation in my FreeBSD7 box I've made symlinks in /usr/ports/distfiles pointing to previously downloaded files on a remote host (mounted via smbfs). Optimization was "great" (I have a 2Mbit connection):
1. 300 Mbytes have been downloaded for checking the MD5 sum
2. 300 Mbytes have been downloaded again in an attempt to check the SHA256 sum
3. 300 Mbytes are being downloaded in an attempt to unpack the installation package (I hope this time it will be installed...)
Cool, yeah?
KDE4.alpha(qemu)+KDE3.5(host)
Sunday, September 28, 2008
Gear4 Blackbox haxoring
So, I owned this cute boombox and.. yes, it has a USB interface ;-)
So, I downloaded the OpenMokoDFU.zip driver, plugged the USB cable into my Gear4 Blackbox and switched the Blackbox ON (how to find a USB port on a Blackbox). Windows detected it with PID/VID 1234/0001 so I patched the driver to match the PID&VID and installed the driver. It's convenient to make another copy of the driver for this PID/VID also: 1234/ffff - you'll have to install this copy of the driver when you access the Blackbox for the first time after it has been switched ON with USB connected. Then I used dfu-util to get the firmware from the Blackbox: dfu-util.exe -t 512 -U original_fw.bin. I found the string "Gear4-Blackbox" (bluetooth name of the device) inside the firmware, replaced it with my own string and attempted to write the modified firmware. I failed. Maybe there is a checksum inside the firmware that has to be recalculated before the firmware upload. Anyway I failed to upload the original firmware too. Will try again in my free time...
Here are some interesting strings:
CSR-dfu2
LOADER=3kEnhancedFl2v0Blu..., STACK=3kEnhancedFl2v0Blu...
CSRbcfw1
Gear4-BlackBox
Friday, September 19, 2008
Sony-Ericsson W890i: Bluetooth Personal Area Networking (PAN)
Started Wireshark on the Personal Area Networking interface.
Connected to the phone's PAN bluetooth profile.
Wireshark showed that phone acted as DHCP server.
Phone accessed the internet APN using GPRS(EDGE) PPP and got its IP. It gave the a.b.c.d IP (plus DNS servers) to my PC using DHCP (a lease for 5 minutes only, wow), acting as a gateway and assigning itself the IP a.b.c.d+1 and using the netmask 255.255.255.240. Another time the netmask was 255.255.255.248 - I just wonder how is it chosen?..
The phone also reported its MAC when I tried to ping anything from the range that turned out to be on one subnet with the PC. Some IPs responded to PINGs with >2sec delay indicating that the phone translated (NATed) the packets to real IPs via the GPRS(EDGE) PPP session. The PC refused to ping the zero subnet (bug bug bug in Sony-Ericsson's PAN NAT implementation!). And I guess I should be unable to ping the broadcast subnet too (have not tried).
All other packets originating from the PC were sent to the default gateway (a.b.c.d+1) and the communication was OK -- nothing special.
So, why does the phone give such a large subnet - 16 hosts? Maybe it is capable to serve many simultaneous incoming PAN connections -- and to effectively NAT them?
I have not tried this but this would be a bug. This will cause failure to communicate with legitimate IPs owners. The IPs should be given to other incoming PAN clients asking for the address using DHCP and such behavior will cause failure in communication with the real IPs owners. IMHO the phone will refuse >1 incoming PAN connections... Hmm.. this could be very comfortable to use phone's connection with multiple devices.
Another point. The phone asked for a DHCP address and assigned itself address 169.254.241.104 (netmask 255.255.0.0) after it failed to get the answer from the DHCP server.
Verdict: PAN implementation should be convenient but it is not 100% working - some addresses (at least two broadcasts) would be not accessible! I checked this by pinging the mentioned addresses from another host on another provider - it worked while I failed to ping the addresses from the mobile phone.
Saturday, September 13, 2008
Sony-Ericsson W890i operating system analysis: unexpected discovery - Samba Server on the phone -- accessible even via the carrier connection!
This is my short analysis of the latest OS for this mobile phone.
I flashed the latest version of the official firmware and connected the device via USB. There is the "USB mode" menu item in the phone's settings menu and I've set it to use the "USB network" mode. The phone uses several USB endpoints one of which is RNDIS (remote network interface adapter in Windows) -- it activates when you turn on the "USB network" in the phone's settings. The IP address was not automatically assigned for the "Sony-Ericsson Device 217 USB Ethernet Emulation (NDIS 5)" interface on my Windows XP PC. So I turned on the Internet Connection Sharing (ICS) for my Internet connection. "Sony-Ericsson Device 217 USB Ethernet Emulation (NDIS 5)" interface was automatically assigned with IP address 192.168.0.1 by Windows. This connection should provide the internet connection for the phone. Wireshark sniffing revealed alias name of that interface "MCCI(r) USB Driver Demo" LOL. So it is a demo driver )))
nmap phone scanning seems to be the most interesting part ;-).
Firstly, the phone reboots when nmap scans its 139 port. What a shame for the Sony-Ericsson firmware writers.. So I had to omit the 139 port and the scan has been completed successfully discovering another open TCP port numbered 4035. I did not find out what the TCP/4035 port was, the phone stopped listening on that port after nmapping it with a service scan twice.
The TCP/139 port seemed to be pretty interesting ;-)
I set the "Internet connections" -> "Allow local connections" to ON on the phone thus allowing it to connect to the internet through the computer's USB cable. I started the phone's browser and it did work to load the page using the computer's USB connection. Wireshark showed every packet and revealed that the phone randomly picked its IP address from the 192.168.0.0/24 subnet (possibly issued by the Windows XP DHCP server on the ICS interface). Wireshark also showed packets coming from 169.x.x.x phone's address. So the phone also picks up a random address from that subnet just like MS Windows does when there is no DHCP server: set up a random IP to be able to set up the network connectivity automatically between devices that behave the same way.
I set up the username, password and workgroup in the phone's "Network sharing" menu.
An attempt to list the phone's shares by entering its address "\\192.168.0.x" into Windows Explorer's address bar caused the phone to reboot (Sony-Ericsson drivers programmers should be ashamed). So I downloaded Samba for Windows package (http://www.smithii.com/files/plugins/z_samba.zip) and necessary Cygwin dlls (http://www.cygwin.com) and I listed the phone's shares using the smbclient. The phone provided access to shares named "Memory Stick" and "Phone Memory". I was able to connect to these shares and transfer a few files and it was really slow compared to the Windows Explorer's access to phone's files either in "Phone" mode or in "Mass Storage" mode. Btw, the phone notified when I connected to its shares. Later I tried to connect using the "net use" Windows command and I succeeded and the phone survived LOL.
Here's what smbclient told about the remote samba server:
Domain=[WORKGROUP] OS=[OSE] Server=[NQ 4.32]
Googling for "Sony-Ericsson OSE" revealed that "OSE" is the Sony-Ericsson's OS for the phones. I guess it is the "Operating System Sony-Ericsson" ;-)
So what we have is the samba server on the phone! %-) It may reboot the phone but it works! It looks weird, where are FTP and NFS servers?? %-)
The other point is that the samba server works on other phone's network interfaces: carrier (GPRS/EDGE/3G).. Yeah it is interesting solution: just input the \\phone's-ip in the Windows Explorer and access your phone's files using the carrier internet LOL. I guess we would need the DynDNS client for the phone to simplify the access %-)
The phone reboots after a simple scan of the TCP/139 port so the device is vulnerable to the DoS attacks and maybe even buffer overflow leading to unauthorized code execution.
It is also a security risk: if someone gets access to the device then he can set up the "Network sharing" username and password to be able to access files in the phone's memory or in the M2 card remotely via carrier's internet connection eventually.
Samba share would be accessible via the carrier connection after the following steps have been completed:
- The phone has "Network sharing"'s username and password set
- The phone has "USB mode" set to "Via computer"
- The phone is connected to the internet (browsing with the built-in browser is enough)
- The phone is connected via the USB in the "Phone" mode
After the last step has been completed the phone would start listening on a port TCP/139. It will accept samba connections both from the USB data connection and from the carrier's internet connection, too.
And the last thing I'd like to know..
Does Sony-Ericsson plan to implement the X11 server in their phones? %-)
Wednesday, April 09, 2008
Wednesday, February 06, 2008
bashish in FreeBSD
fetch http://kent.dl.sourceforge.net/sourceforge/bashish/bashish-2.0.7.tar.gz
tar -zxf bashish-2.0.7.tar.gz
cd bashish-2.0.7
./configure
make
make install
fetch ftp://invisible-island.net/dialog/dialog.tar.gz
tar -zxf dialog.tar.gz
cd dialog-*
./configure
make
make install
export PATH=/usr/local/bin:$PATH #(need to enter everytime before using bashish, bashishtheme)
bashish
bashishtheme
These worked and looked nice to me: Conda, C64, POKER.
I'd be grateful to someone who explains how to make the Urban Down theme work OK. I tried setting LANG=C and terminal translation to UTF-8 and nothing helped.
Nice command prompt in bash

Want to have this command prompt that shows exit status > 0 with another color and highlights the superuser with another color and shows number of suspended jobs and shows info in the xterm title bar and does a little bit more?
Here is the .bash_profile
Prompt works fine in this bash version 3.2.0(1) (there were problems in older versions).
Tuesday, February 05, 2008
Topics to be covered
1. Installing & using FreeBSD-on-USB storage device.
2. Using Xwin+esd on Windows to connect to remote FreeBSD X11 xdm session with audio support.
3. Configuring the snd_net kernel module to stream audio to another host.