Tuesday, February 4, 2014

Can I clone CDMA line?

I could. Was done for education proposes but here's interesting thing i want to share.

I had 
- VIrgin mobile iPhone 4 CDMA phone 
- Samsung CDMA phone of boost mobile 

Jailbraking iPhone and setting up it wth cdmatool didn't take long time, I've registered ESN with my CDMA carrier before so I had phone line working in half an hour on my iPhone 

With samsung I had to pass through painful flashing, SPC reset and so on but finaly CDMAtool could recognize device and I set it up for my carrier too instead of one detail, I changed ESN of Samsung to iPhones' one

Both devices could register in the network
- inboard SMS could get only one of two
- incoming calls could answer both phones ! So I had conference call

I reverted back ESN on samsung on factory one so test is successful 

TotalPlay HUAWEI GPON 8245 / 8247

Aceso a web interfaz de GPON


Fuente : http://www.websec.mx/advisories/view/Huawei-web-puerta-trasera-y-acceso-remoto

Se puede : cambiar ajustes de SIP y el mas interesante cambiar VLAN ID o / y habilitar puertos y SSID

Thursday, August 29, 2013

Bliss S5 Замена IMEI

Заблокировал опеартор мой IMEI по непонятной причине слот1 не пускал ни в одну сеть. Ну что ж, я решил сделать рут, предварительно перешив его по инструкции с x-pda , все прошло успешно

Ну а так, как чип это квалькоммовский то отлично подошел QPST , NV Editor -> Line 500
примерно в 500 записи НВ я нашел Имей и мне повезло, это был имей первого слота. Вобщем будете менять - почитайте как его вводить, поставьте галку Хекс и вводите задом на перед. Я долго решался но ввел, начал писать - тулза ругнулась на рид онли записи, но ими оказались прочие записи не имеющие отношения к имею, имей вписался. Перезагружаем телефон и мы снова в сети)

Tuesday, August 13, 2013

Huawei hg8247 hack

I was playing with my router and here I'll give nice howtos if you are newbie

So we've got huawei hg8247 router. I got it from totalplay company in Mexico. Login pair is root/admin

There's one more user - admin, is another web interface user with extended permissions . To get its password we need to connect by telnet to the router.

Usually Telnet is disabled for LAN or WLAN . So an easear way I found is: 
- go with root/ admin username to web interface, in wan status I got my nat ip and connected by nat ip from my friend who has same ISP using root/admin or admin/root telnet credentials.

You need to get plain text password from one of XML configs. Now they encrypt it,
But there's a way to get plain text XML

Go to web interface , management and click config backup button. Don't even try to download config - is restricted. Backup will make a copy of XML file in /mnt/jssf2 dir on router

So open telnet, connect by nat . Use windows! I got trouble using shell with Mac . They say router has buggy busybox version installed.

Type : shell and than watch config with vi or cat. Last lines of file.

IMPORTANT: if VI doesn't work use "show text /mnt/jssf2/whatever"

Changing macs: ifconfig wan0 hw 00:00:00:00:00 or whatever

When you got the password simply login to your web interface, than you can go and find in settings of security OLT management and turn on telnet from LAN and disable it from wan

Don't forget to disable TR069 otherwise config will be overwritten :)

Playing with your GPON can break your config :) so take care


Have no idea how they develop web pages here in Mexico . There's a bug over bug. Login to your account, click My account button , open firebug and change account number in a hidden field. Set new password and capcha. Save

We've just changed password of other account


Friday, August 9, 2013

Sunday, June 9, 2013

Sniffing Mobile apps

Hi friends, Here is my new article how to sniff HTTP / HTTPS traffic of iOS and Android apps.
There may be different needs, for example if you wanna test your app or whatever. I'm not responsible for your actions at the end.

So what you need:
 - iOS or Android Device
 - App you want to sniff installed on device
 - PC / Mac connected to same WiFi network with mobile device.
 - Magic tool "BURP" get a free copy here

BURP is a Jar file, you can run it on PC or Mac, just don't forget to have Java installed.

So to sniff trafic you need to go to properties of WiFi connection on your mobile device and in additional settings enable HTTP proxy. The host will be local ip of your computer, and port 8080.

Than run BURP , keep all settings by default if you are not sure.The only thing you need to do is to turn off Interception. Proxy Tab -> Intercept Tab, Intercept OFF.

Than open History Tab and there you will see all HTTP requests your mobile or some app does.
If the app is trying to make HTTPS request it will fail, because now you are not porxifying HTTPS property. To get all magic you need to do the following things:

Open Proxy Options tab and check that options of Certificate is "Per Host" and Generate CA signed per host request are set.

After that open any browser, for example safari on your local computer, set proxy settings to localhost:8080 including HTTP and HTTPS proxy, On Mca is done in your network settings. If you use Firefox it's configured in local settings of Firefox.

So when you are done try to open any HTTPS url and you will get SSL error warning. I avoid using Chrome because they have additional SSL verifications, really im not sure how it works there.

So when you get SSL warning you should open warning details and set CA certificate as trusted on you local machine. After that it will perfectly and in logs of BURP you will see all SSL requests you do through your browser.

To make you mobile accept this SSL you need to:
 - Export CA ROOT certificate which now you have in your Keychain to the file (crt i guess)
 - Import it to your mobile.

In case of Android is very easy, just copy it to the root of sd card, insert it to device, go to settings of security and import Certificate from SD card. After that certificate will become trusted and you can sniff SSL traffic. Just don't forget that if you use Chrome Mobile it will also raise errors about wrong SSL, but all other apps will accept it. And all requests will appear in history of BURP.

With iOS is more tricky.
1. Download iPhone Configuration Utility form Apple website
2. Open it and create new profile , keep blank everything except profile name / id and in Certificates Tab add CRT you want to add as trusted on your device.

Than connect your iPhone / iPod etc to your Mac and install created profile to the device. Later you can go to device settings and in profiles section you'll see installed CA root certificate. That's all

Now you can easily see what your phone is sending / receiving.

Unfortunately you can't download Apps from appStore with proxy enabled, so just don't forget to disable proxy settings on wifi Tab when you finish your tests.