Dumping flash from HTC Desire 510

    Re: Dumping flash from HTC Desire 510

    10 second problem may be solved by sending a backspace every 5 seconds - or some other keycode that is not a valid character.



      Re: Dumping flash from HTC Desire 510

      http://www.elm-chan.org/fsw/ff/00index_e.html



        Re: Dumping flash from HTC Desire 510

        Okay, I got the prevent_screenlock(); function working properly now. Essentially, I move the mouse up and then down, then I just click a button every 5 seconds.

        This works well. Now, I just need to implement the file I/O stuff with the MicroSD card.

        I think I need to open the file for reading / writing as soon as the device gets powered and read in the value, and then close the file descriptor. Then, when I try a new PIN, open it for writing, write the new pin, close. Then just keep doing that. That way, if the phone gets turned off, the file doesn't get damaged because the file handle is still opened or anything. There's a chance it could get shut off right when I'm writing a PIN, but I think that there's a very small chance for that to happen.
        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



          Re: Dumping flash from HTC Desire 510

          Originally posted by stj View Post
          10 second problem may be solved by sending a backspace every 5 seconds - or some other keycode that is not a valid character.
          I tried that, and it didn't work. I tried sending the ENTER key, and I also tried sending the 0 key. For some reason, when it's doing the 30 second countdown, it didn't work. Probably because the keyboard is disabled during that time. But the mouse clicking worked.
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



            Re: Dumping flash from HTC Desire 510

            ^ You are wearing the fuck out of the SD card doing it that way.... But I doubt you will do any damage, considering wear leveling is a thing. I would keep an eye on it after 8 million or so writes, though. And they fail gracefully. They go read-only to prevent (severe) data loss.
            Last edited by goontron; 07-09-2017, 01:21 PM.
            Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

            "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

            Excuse me while i do something dangerous


            You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

            Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

            Follow the white rabbit.



              Re: Dumping flash from HTC Desire 510

              Yes, I know I'm damaging the SDCard. Unfortunately, I couldn't find an easy way to do it without risking the damage.

              It's running now, it does 30 attempts before the phone restarts. The problem originally was I wasn't closing the handle for the SD card (essentially, I wasn't unmounting it). It was a bit more complicated than I thought to write the code for the SD card stuff, but it works.

              Every single attempt, I open the SD card, I write the new number, I flush the buffers, I close the file handle and then unmount the SD card, then I do it all over again. I believe this is the only way, because if the phone turns off while the SD card handle is opened or the file handle is open, it seems to open the card in read-only mode. The best time to turn it off is during the 30 second countdown. Got kinda lucky how it always turns off during the 30 second countdown.

              If it's successful and it gets in, does anyone know if the countdown timer will still be active and have to be killed manually? If so, I have to sit here and watch it run, which could take a long, long time.....if not, I'm going to hook the phone up to my programmable power supply to power the phone and just let it run for a week or so.
              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                Re: Dumping flash from HTC Desire 510

                ^ Not 100% sure if I'm parsing that last question correctly, but if you have a state file why didn't you write your program to start from the last pin attempt?



                  Re: Dumping flash from HTC Desire 510

                  Originally posted by Spork Schivago View Post
                  Yes, I know I'm damaging the SDCard. Unfortunately, I couldn't find an easy way to do it without risking the damage.
                  Microchip makes an 8-pin SPI RAM chip.



                    Re: Dumping flash from HTC Desire 510

                    Originally posted by goontron View Post
                    ^ Not 100% sure if im parsing that last question correctly, but if you have a state file why didn't you write your program to start from the last pin attempt?
                    That's what it does. But because the phone can reset, I have to write the pin to flash immediately, then unmount the SDCard (in case the phone resets), and then when it tries the next pin, it remounts the SDCard, and writes it to the file, then unmounts it and repeats. It only reads the pin number from the pin_num.txt file when it first starts up.

                    I'll try to give an example as to why I have to do it this way:
                    Let's say I mount the MicroSD card as soon as the Teensy powers up and I read the last tried pin number, but I never unmount the SD card. As soon as the phone restarts, the MicroSD card seems to get mounted in read-only mode. I cannot write to it until I pull it from the Teensy and then run fsck.vfat on it.

                    I almost thought of powering the Teensy board myself, so it never loses power, and then trying to find a way to monitor the USB port and see if I could detect the hub resetting....or maybe, instead of reading and writing the pin to the microSD card, maybe I could read it from the serial console? I have a USB to TTL serial adapter that I hooked up to the Teensy and I send debugging messages to it. I send what pin number I'm on, etc. Maybe I can just write the pin to the serial console and then read it back when the USB hub resets? I dunno.
                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                      Re: Dumping flash from HTC Desire 510

                      Originally posted by goontron View Post
                      ^ Not 100% sure if im parsing that last question correctly, but if you have a state file why didn't you write your program to start from the last pin attempt?
                      I think I misunderstood what you were saying.

                      The last question there. Okay, so right now, the phone thinks I'm trying to hack into it, which I am. It sets some sort of kill timer. So, after so many minutes, regardless of whether I type something or not, the phone will physically restart. When this happens, my Teensy board loses power temporarily and restarts.

                      My program does read the last pin it started out at. But I can't figure out how to write code to see if the Teensy entered the proper code. So, the idea was, let it run, even while I'm sleeping....and maybe one morning I wake up and it's logged into the phone, and still sending numbers to it.

                      My question was if it successfully enters the pin, will that shutdown timer still be active? I don't know much about smart phones. If the Teensy successfully guesses the pin, will I have to be there to watch it so I can manually kill the shutdown timer?
                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                        Re: Dumping flash from HTC Desire 510

                        ^ You could use the 5v from the OTG to run the reset pin on the board (may need inversion). You would need to add a boot delay to your code... Really it's no big deal to wear out an SD card every 30 phones or so. SD cards fail read-only. Just copy the firmware and state file from the old SD to the new one and keep going. The Ducky was sold with a low storage capacity (256m), high write capacity (100,000+ writes/cyl) SD card.

                        The timer would probably have a prompt you need to click, so 100% autonomous isn't the best idea. And by throwing input events at the phone, it should keep the phone awake and unlocked once the timer stops.
                        Last edited by goontron; 07-10-2017, 12:21 PM.



                          Re: Dumping flash from HTC Desire 510

                          Originally posted by goontron View Post
                          ^ You could use the 5v from the OTG to run the reset pin on the board (may need inversion). You would need to add a boot delay to your code... Really its no big deal to wear out an SD card every 30 phones or so. SD cards fail read-only. Just copy the firmware and state file from the old SD to the new one and keep going. The Ducky was sold with a low storage capacity (256m), high write capacity (100,000+ writes/cyl) SDcard.

                          The timer would probably have a prompt you need to click, so 100% autonomous isn't the best idea. and by throwing input events at the phone, it should keep the phone awake and unlocked once the timer stops.
                          This phone also has some sort of SerialUSB port. I remember using modprobe usbserial vendor=<vendorID> product=<productID>. I wonder if that serial port shows anything with invalid attempts or something. If there's a prompt for the timer once we're successfully in, just keeping the phone awake won't work. I'll have to watch it try every attempt, because it'll still reset the phone.

                          There's actually no firmware on the MicroSD card, just the pin_num.txt file. The firmware is all in the Teensy. I used the built-in serial port in there and hooked the TX, RX, and GND up to my USB TTL to serial converter. I send "updates" through the serial port connection, just so I got an idea of what's going on. I send what pin it's currently trying. When the phone restarts, I see where it stopped and when it starts back up, I make sure it starts where it left off at. If the MicroSD somehow gets in read-only mode or if the file system or file somehow gets corrupt, it'll just end up retrying the same pins each time and never properly updating the file.

                          My code just assumes a lot of things, and I know that's not good, but I don't really need it to be perfect.

                          Could you go a bit more in detail about the 5V / reset pin? The Teensy I'm using only supports 3.3V, so I'll need to step that 5V down. I already have a delay in the boot code, but that's if the Teensy gets reset (which it does when the phone gets reset). So I'd drop the 5V down to 3.3V, and hook it to some reset pin on the Teensy and just monitor that pin while I provide external power to my Teensy, and whenever I see the reset pin go low or something, I'd just jump back to the original bootup delay code? It sounds like the reset pin might, well, reset the Teensy. If it does that, wouldn't I lose the variables I have stored in memory and have to use the pin_num.txt on the MicroSD card anyways? Thanks!
                          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                            Re: Dumping flash from HTC Desire 510

                            ^ you will find output of failed attempts in the logcat. If debugging is enabled.

                            Use the 5v from the otg to drive a transistor that switches ground to the reset pin. You could also use some GPIO in the same way, being, when GPIO whatever is low (or high) run the program, otherwise hold.

                            I'm not familiar with microcontrollers, otherwise I could be of more help.
                            Last edited by goontron; 07-10-2017, 09:51 PM.



                              Re: Dumping flash from HTC Desire 510

                              Originally posted by goontron View Post
                              ^ you will find output of failed attempts in the logcat. If debugging is enabled.

                              Use the 5v from the otg to drive a transistor that switches ground to the reset pin. You could also use some GPIO in the same way, being, when GPIO whatever is low (or high) run the program, otherwise hold.

                              I'm not familiar with microcontrollers, otherwise I could be of more help.
                              Okay. Wouldn't the reset pin completely reset the Teensy and my program? Debugging on the phone is turned off. If it was enabled, I could do a lot more I think.

                              I like the GPIO idea though. Then I could do away with the MicroSD card, so long as I never stopped the program from running. Maybe it's best to keep the MicroSD card in, so I can watch it for a couple hours, take a break, start again the next day, etc.
                              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                Re: Dumping flash from HTC Desire 510

                                Originally posted by Spork Schivago View Post
                                Okay. Wouldn't the reset pin completely reset the Teensy and my program? Debugging on the phone is turned off. If it was enabled, I could do a lot more I think.

                                I like the GPIO idea though. Then I could do away with the MicroSD card, so long as I never stopped the program from running. Maybe it's best to keep the MicroSD card in, so I can watch it for a couple hours, take a break, start again the next day, etc.
                                That's how you do it with the Ducky. Run it for 5 hours, stop, charge the phone, and start again.



                                  Re: Dumping flash from HTC Desire 510

                                  I've successfully cracked the pin using the Teensy 3.6 board and the firmware I wrote. I've actually only run it twice, once the firmware was done. The first night, just to see if it was working, and then just now, when I had some free time.

                                  The pin is: 0241

                                  I don't see how to turn on Dev Mode yet....
                                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                    Re: Dumping flash from HTC Desire 510

                                    I got dev mode turned on now. I think I was mistaken about the kill timer. Now that I'm in, I saw the clock thing and I touched it. It opened an app and I stopped a timer, but it was some sort of wake up alarm. Anyway, even after being in, the phone restarts. Then when I log back in, it says the phone lost power unexpectedly (or something along those lines), hit here to send the report to HTC. I cannot view the report.

                                    I know I lost one of those little tiny thermal pads under the heatsink near the NAND and CPU and RAM and all that. I think that's causing it. Where can I purchase thermal pads? It'd be nice to buy one giant roll or sheet that I can just cut into small pieces, so I can use it for other stuff. Is there any type you guys recommend? Maybe it's like thermal paste, where some brands are better than others?

                                    I just cannot believe I got in! I wanted to thank Goontron for suggesting the Ducky, Diif for mentioning the Teensy, and Stj for the help with the code and all that! You guys really are the best!!!! I am SOOOOO glad I didn't let it run overnight while I was sleeping! If I hadn't been actually watching it, when it logged in, the phone would have still restarted and I'd probably be trying the 5-digit pins now! I'm kinda lucky he set a low pin number, 0241. I'm going to configure the USBSerial port on the Teensy and see when the correct pin is entered, if it sends anything over the USBSerial port (or SerialUSB port, whatever it's called). In Linux, I did the modprobe usbserial product=<productID> vendor=<vendorID> and then I used screen. It did stuff, I can't remember if I saw the dmesg log when it started, but I was able to type stuff. I couldn't type anything useful. Every time I typed one character, it'd say invalid command.

                                    I think I'm supposed to send AT commands to it or something, but I think I'm supposed to use something besides screen to do it?

                                    Also, to remove the pin, you have to know the current pin, so again, good thing I was watching! I don't remember who suggested to watch, but thanks! The smart phone my wife just bought me, I type 5 invalid attempts, and then I have to wait 30 seconds. Then I type 5 invalid attempts and I have to wait a minute, then 5 minutes, then 30 minutes, then an hour, then 2 hours. I haven't gone past the two hour thing, but I don't think this firmware I wrote for the Teensy would work with a newer version of Android. But if anyone wants a copy of the code, I can upload it. I used TeensyDuino (Arduino with some configuration / libraries to work with the Teensy board). I'd like to port the code over to just use the normal arm-gcc cross compiler....maybe later in life though.

                                    Thanks!
                                    Last edited by Spork Schivago; 07-11-2017, 05:39 PM.
                                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                      Re: Dumping flash from HTC Desire 510

                                      Nice work Spork.
                                      I've bought various thickness thermal sheets from Aliexpress.
                                      No idea on the quality vs USA made or elsewhere but I've never had an issue when using or a comeback.
                                      I'd be interested to see your code.



                                        Re: Dumping flash from HTC Desire 510

                                        Glad you got it working. Welcome to infosec, the head-bashing wall is to your left, and the hash tables to your right. The papers to do a write up are every 10* around you.

                                        I am also curious of your code.
                                        Last edited by goontron; 07-11-2017, 06:13 PM.



                                          Re: Dumping flash from HTC Desire 510

                                          Originally posted by diif View Post
                                          Nice work Spork.
                                          I've bought various thickness thermal sheets from Aliexpress.
                                          No idea on the quality vs USA made or elsewhere but I've never had an issue when using or a comeback.
                                          I'd be interested to see your code.
                                          How should I upload it? Should I use a .tar.gz file or a more windows friendly archive format, like .7z or .zip? Not sure what OS you use. Remember, it's currently made for the TeensyDuino stuff. Essentially, you install Arduino, and then on the Teensy website, you download TeensyDuino and point it to where Arduino is installed. Then you have options in the Arduino interface to select the Teensy board and configure various options.
                                          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
