In this post I will describe my recipe for a Samsung Galaxy Nexus (codename "maguro") running a rooted factory image that is capable of getting OTA updates without losing root access, with a locked bootloader, and with the user data kept safe in case the device gets lost or stolen: whoever ends up with it will not be able to extract personal details from it such as Google accounts, settings, downloaded apps and their data, media, etc.
I assume the reader starts with a stock unmodified factory image, and knows how to use fastboot.
TL;DR: the Broadcom STA Linux driver always fails on the first scan request after the interface is brought up, which produces a long delay when connecting to a wireless network. There is an open source driver that does not have this problem, but its power management is poor. In this post I describe the steps I took to pinpoint the problem in the proprietary driver and to fix it.
The story begins when I updated Ubuntu from 11.10 to 12.04 on my MacBook Air, everything worked fine after upgrading except one thing that bothered me a lot: when resuming the laptop after suspending it, it took around 30 seconds to connect to my wireless network. It wouldn’t have bothered me if it had been the same in 11.10, but in 11.10 the time to connect was barely 5 or 6 seconds, so having to wait 30 seconds was totally unacceptable.
Initially I thought it was a bug in NetworkManager, and increased the debug level in its config file, only to conclude in the end that I was using a different driver in 12.04 than in 11.10.
There are two drivers available for the Broadcom BCM4353 802.11 Wireless Controller:
As a quick reference, here is a list of the most useful and commonly used commands if you want to do Android development from the command line (for example, without using Eclipse or any other bloated IDE). You must have the Android SDK installed on your system, and make sure the tools and platform-tools folders from the Android SDK are available in your PATH environment variable:
If you are running Linux on your MacBook Air and want the keyboard backlight brightness changed automatically depending on the ambient light (just as OS X does), continue reading.
I have written a small daemon named lightum; the source is on GitHub and licensed under GPL-2+.
Usage: lightum [-m value] [-p value] [-f]
-m 0..255 : maximum brightness value between 1 and 255 (default=255)
-p num : number of seconds between light sensor polls (default=8)
-f : run in foreground (do not daemonize)
-v : verbose mode, useful for debugging with -f
For it to work you need dbus installed, and your MacBook should have the light sensor located in /sys/devices/platform/applesmc.768/light (should be available on all MacBookAir and MacBookPro versions which have a backlight on keyboard, as far as I know).
If you are running Ubuntu, you can install it by adding the lightum-mba PPA to your system:
sudo add-apt-repository ppa:poliva/lightum-mba
sudo apt-get update
sudo apt-get install lightum
Otherwise, you can build it from source.
Yesterday morning I received the wifi-only version of the 10.1-inch Android tablet Motorola Xoom. I bought it in the USA because it was not yet available in Europe when I purchased it. I chose the wifi-only version for the following main reasons:
- the 3G/4G version available from Verizon USA uses CDMA technology and is not compatible with European GSM carriers.
- I didn't want to wait any longer to have an Android 3 tablet
- I don’t want to pay for another 3G data connection, because I already have one in my phone’s SIM card, which I can tether over wifi or bluetooth to give internet connectivity to the Xoom when there’s no wi-fi available.
Out of the box, the device comes with Android Honeycomb version 3.0.1 and no support for microSD cards yet (the manual says that microSD card support will be available through a future system update).
The Xoom ships with an "unlockable" bootloader, which means you can connect via fastboot and issue the command 'fastboot oem unlock' to be able to flash unsigned code, at the expense of voiding your warranty. That is what you should do if you want microSD card support today, because an unofficial kernel with microSD support is already available: Tiamat AOSP kernel Version 1.3.0.
I have made a quick patch for wifite r67, which adds support for cracking WLAN and JAZZTEL networks in Spain, both the WEP and WPA variants.
The WPA keys are computed statically using the already known algorithms and the guessed key is shown at start, when wifite shows the available networks.
The WEP keys are cracked using a dictionary attack, generated automatically using wlandecrypter and jazzteldecrypter, so you only need 4 IVs to start cracking using the dictionary.
The patch is available here, and it is against revision r67 (the latest at the moment of writing this). You can see it in action in these YouTube videos I have uploaded:
Android applications are packed inside an APK file, which is just a ZIP file containing, among other things, a compact Dalvik Executable (.dex) file.
The first step is to extract the "classes.dex" file from the APK:
$ unzip program.apk classes.dex
Now, we use the tool dex2jar to convert the classes.dex file to Java .class files:
$ bash dex2jar/dex2jar.sh ./classes.dex
2 [main] INFO pxb.android.dex2jar.v3.Main - dex2jar ./classes.dex -> ./classes.dex.dex2jar.jar
This produces the file "classes.dex.dex2jar.jar"; now we can use the Java decompiler JD-GUI to extract the source code:
$ ./jd-gui classes.dex.dex2jar.jar
Now just go to "File -> Save all sources" and it will generate the zip file "classes.dex.dex2jar.src.zip" containing all the decompiled Java source code.
Today I had to change some image resources in an APK file. The process is easy once you know it, so I just post it here for future reference:
First use the tool "aapt" from the Android SDK to list the resources:
$ANDROID/tools/aapt list file.apk
Once we locate the resources that we need to change, we use "remove" and "add" to replace them:
$ANDROID/tools/aapt remove file.apk res/drawable/file.png
$ANDROID/tools/aapt add file.apk res/drawable/file.png
Then we have to remove the old APK signature and replace it with a new one, since the old signature covers the digests of the files we just replaced.
We will generate a fake self-signed key to sign the APK:
$ openssl genrsa -out key.pem 1024
$ openssl req -new -key key.pem -out request.pem
$ openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
$ openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
Remove the old signature from the APK (everything under META-INF):
for f in `$ANDROID/tools/aapt list file.apk |grep "META-INF"` ; do
$ANDROID/tools/aapt remove file.apk $f
done
And now we sign the APK; I use signapk.jar to do this:
$ java -jar signapk.jar certificate.pem key.pk8 file.apk file-signed.apk
That's it, our APK is now ready to install... just remember to set up your Android phone to allow installing applications from unknown sources.
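To see why the re-signing step above is unavoidable, here is an added example (not code from the original post) that builds a tiny constructed APK in memory with a JAR-style (v1) MANIFEST.MF and checks its per-entry SHA1 digests before and after a resource is swapped the way aapt remove/add does. A real APK also carries CERT.SF and CERT.RSA under META-INF, which this example omits.

```python
"""Added example, not from the original post: minimal v1 (JAR-style) APK manifest
check. The APK, its entries and the manifest are all constructed in memory."""
import base64, hashlib, io, zipfile

def sha1_b64(data):
    """SHA1 of an entry, base64-encoded as written in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(entries):
    """Minimal MANIFEST.MF with a SHA1-Digest section for every entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()

def parse_manifest(raw):
    """Return {entry name: SHA1-Digest} from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def make_apk(entries, manifest):
    """Pack the entries plus the given manifest into a zip (an APK is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def mismatched_entries(apk_bytes):
    """Names of entries whose content no longer matches the digest in MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        return [n for n in zf.namelist()
                if not n.startswith("META-INF/") and digests.get(n) != sha1_b64(zf.read(n))]
# Constructed sample APK: two entries and a manifest that matches them.
ORIGINAL = {"classes.dex": b"dex\n035constructed", "res/drawable/file.png": b"PNG-old"}
MANIFEST = build_manifest(ORIGINAL)

def demo():
    """Replace the PNG as aapt remove/add does, keeping the old manifest untouched."""
    signed = make_apk(ORIGINAL, MANIFEST)
    edited = make_apk({**ORIGINAL, "res/drawable/file.png": b"PNG-new"}, MANIFEST)
    return mismatched_entries(signed), mismatched_entries(edited)
```

demo() returns ([], ['res/drawable/file.png']): the untouched APK verifies, while the edited one has a stale digest for the replaced resource, which is exactly what the installer would reject if the old META-INF were left in place.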
On 15 December 2010 the SeguridadWireless site published a service that computed the WPA keys of the SSIDs WLAN_XXXX and JAZZTEL_XXX (screenshot here). They did not publish the code, and after a few hours the page stopped working. Today I learned via Twitter that a.s.r has finally published on forocoches the algorithm to obtain the keys of these Telefonica and Jazztel networks. Neikokz has put a generator on this page, based on the original script by a.s.r.
Here is a modified version of the a.s.r script, which scans the available networks looking for the affected SSIDs and prints the keys of those within range:
$ ./calcwlan-ng.sh wlan0
 CalcWLAN-ng (original source by a.s.r, improved by pof)
Scanning wifi networks on interface wlan0
SSID: WLAN_D679 KEY: a36206418a9691112e29
Update: added support for WLAN_XXXX networks with BSSID 00:1F:A4 from ZyXEL P660HW-B1A routers, based on the neikokz algorithm.
Don’t be evil!
So you have two or more ADSL lines and want to use them all?
… or maybe you’re stealing your neighbor’s wifi and you have more than one network available?
… or you have cloned your SIM card and want to use multiple 3G connections simultaneously?
You can easily set up your Linux box to route over multiple connections using iproute2, no matter how many WAN links you have! I have made a script to automate the process; it also comes with an optional failover watchdog which monitors all the WAN links, automatically disables those that fail, and re-enables them when the connection is back.
Configuration is simple (one column for each WAN link); you just need to have a separate interface for each link. If you want to use only one physical interface I recommend using a different VLAN for each WAN link. Edit the script to configure it as follows:
# Specify each WAN link in a separate column, example:
# In this example we have 3 WAN links (vlanXXX interfaces) attached to a single
# physical interface because we use a VLAN-enabled switch between the balancer
# machine and the ADSL routers we want to balance. The weight parameter should
# be kept to a low integer; in this case the ADSL lines connected to vlan101 and
# vlan102 are 4Mbps and the ADSL line connected to vlan100 is 8Mbps (twice as fast),
# so the WEIGHT value for vlan100 is 2 because it is two times faster.
# WANIFACE=" vlan101 vlan100 vlan102"
# GATEWAYS=" 192.168.1.1 192.168.0.1 192.168.2.1"
# NETWORKS=" 192.168.1.0/24 192.168.0.0/24 192.168.2.0/24"
# WEIGHTS=" 1 2 1"
# quick formula to calculate the weight: (LINKSPEED/MINSPEED)*NUM_LINKS
# If you don't want to use VLANs, you should then use a separate physical
# interface for each link. IP aliasing on the same interface is not supported.
The script sets up the default route as a multipath route, which balances traffic over the multiple WAN links and caches the chosen route per destination address (so frequently used sites will always be sent over the same link). The weight parameter can be adjusted per link in case the links do not all have the same speed.
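As an added example (not the balancer script from the post), the following turns the column-style configuration above into the iproute2 commands behind that multipath default route, and shows that the watchdog's "disable a failed link" step is simply the same route rebuilt without the failed nexthop. Commands are returned as strings (a dry run, so no root or real interfaces are needed); the per-link table numbers are this example's own assumption.

```python
"""Added example, not the post's script: generate the iproute2 commands for the
multipath default route and per-link source rules from the column-style config."""

# Column-style configuration exactly as in the post: one column per WAN link.
CONFIG = {
    "WANIFACE": " vlan101 vlan100 vlan102",
    "GATEWAYS": " 192.168.1.1 192.168.0.1 192.168.2.1",
    "NETWORKS": " 192.168.1.0/24 192.168.0.0/24 192.168.2.0/24",
    "WEIGHTS": " 1 2 1",
}

def parse_links(config):
    """Zip the four columns into one dict per link; every column must have the same length."""
    cols = [config[k].split() for k in ("WANIFACE", "GATEWAYS", "NETWORKS", "WEIGHTS")]
    if len({len(c) for c in cols}) != 1:
        raise ValueError("each column must list exactly one entry per WAN link")
    return [{"dev": d, "gw": g, "net": n, "weight": int(w)} for d, g, n, w in zip(*cols)]

def multipath_route(links, down=()):
    """Default route with one weighted nexthop per link that is not marked down."""
    hops = [f"nexthop via {l['gw']} dev {l['dev']} weight {l['weight']}"
            for l in links if l["dev"] not in down]
    if not hops:
        raise RuntimeError("all WAN links are down; refusing to install an empty default route")
    return "ip route replace default scope global " + " ".join(hops)

def per_link_tables(links, base_table=100):
    """Per-link routing tables and source rules (assumed table numbers) so traffic
    from a link's own network goes back through that link's gateway."""
    cmds = []
    for i, l in enumerate(links, start=1):
        t = base_table + i
        cmds += [f"ip route add {l['net']} dev {l['dev']} table {t}",
                 f"ip route add default via {l['gw']} dev {l['dev']} table {t}",
                 f"ip rule add from {l['net']} table {t}"]
    return cmds

if __name__ == "__main__":
    links = parse_links(CONFIG)
    print("\n".join(per_link_tables(links)))
    print(multipath_route(links))                    # all three links balanced 1:2:1
    print(multipath_route(links, down={"vlan100"}))  # watchdog dropped the 8Mbps link
```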