Monday, October 3, 2016

How to hardware hack Android over UART

The four holes on the left are the UART port (the ones of the right are USB endpoints), the router makes made this easy for us as the pins are labelled. To actually read the data, we need to connect these to a USB receiver and then we can talk directly to the console of the router.
To make this easier the first step is to solder some header pins directly to the board, these can be seen below. Note, I’m not very good at soldering, so I won’t show the underside : )
UART2
Now we can wire this to a USB to UART module. These are quite easy to find and cheap, mine cost me less than £3.00. This handles all the USB gubbins to ensure that you can just plug it in and treat it like a serial connection.

Finally we need to join up the pins, as below:
Purpose Port on Router Port on USB/UART module
Receive RX TX
Transmit TX RX
3.3V power VCC Don’t attach
Ground GND GND
Finally, connect it all together and plug it into a computer:
UART3
The observant may have noticed that the above circuit board isn’t the same as the previous pictures. This was my testing device, an old Sagem router which I soldered up before I thought to take photos first.

Once it’s connected we can just load up a serial console program, such as HyperTerm or minicom and watch it boot:
UARTBigTable
This could be a simple way of uploading malicious firmware to an existing router to set up a wireless sniffer, except it’s over complicated and it would be easier just to hide a small wireless device, such as a wi-fi pineapple.

But, this works for other devices, such as some mobile phones! One of my colleagues found an interesting article on how to connect to UART on a Nexus 4 via the headphone jack.
Basically if the device sees a voltage of more than 2.8V on the microphone jack it turns the connector into a UART port.
So, once again the old soldering iron is produced and a cable is made, we actually left out the resistors as they’re a safety net and not actually required (voltage from the USB to UART convertor is 3.3V, so it meets the requirements).
This time I can’t hide my lack of soldering ability:
UART4
Which we can then connect to another USB to UART convertor and plug into my laptop:

UART5
And we can read the console as the device boots up:

UARTSmallTable
After Android has finished booting it will continuously feed out data about the hardware state of the device. You can even connect whilst the device is running.

Some phones (such as the Samsung Galaxy S2) allow two way communication through a UART connection, which can allow low level communication, such as reset the “yellow flag” which shows if an unsigned image is written to the flash memory.
In conclusion, simple hardware hacking is quite quick to perform, the greatest delays I faced were waiting for components to arrive and the longest single period of time taken was spent when my soldering iron developed a short and tripped the house electrics’.
Although there’s no immediate security risks, it can present a way in to custom devices.

 https://www.pentestpartners.com/blog/how-to-hardware-hack-android-over-uart/

 

android-serialport-api - android_to_rs232_guideline.wiki

  Here is a page describing the different ways you could use to connect an Android device to an RS232 peripheral.

https://code.google.com/archive/p/android-serialport-api/wikis/android_to_rs232_guideline.wiki 

I'm looking for away to "bypass" the 8 codes zip parsing of the android system, so they can not detect you, specialy on google maps (that's another part of the question ...the very common e beacon or trace cookie...) so the idea is to decompress any zip from any app by reading it on a web string !

You might get a small performance boost from using shouldInterceptRequest instead of loadDataWithBaseUrl. That won't solve your block size problem but it will allow WebKit to start parsing your content before you've finished decompressing the whole thing.
The way you'd use it is:
class MyWebViewClient extends WebViewClient {
@Override
public WebResourceResponse shouldInterceptRequest (WebView view, String url) {
    // this method is *not* called on the UI thread, be careful to not touch UI classes.
    if (Uri.parse(url).getHost().equals(Uri.parse("file:///android_asset/..."))) {
        // This assumes you pass in the AssetManager to the MyWebViewClient constructor.
        InputStream is = assetManager.open(sFileName);
        ZipInputStream zipInputStream = new ZipInputStream(is); 
        return new WebResourceResponse("text/html", "UTF-8", zipInputStream);
    }
    return super.shouldInterceptRequest(view, url);
}
 
 
http://stackoverflow.com/questions/22259773/android-java-reading-file-from-zip-file-into-webview-string-why-zipinputstream 

Satellite hacking Intel 1 (BACK@WAR CyberArmy friends let´s start Satellite GPS navigation hack IT WILL HV A PRICE)

  https://stackoverflow.com/questions/63010812/how-to-access-http-port-5001-from-public-internet