ud2 / advisories Goto Github PK
View Code? Open in Web Editor NEWSecurity advisories
License: GNU General Public License v2.0
advisories's People
Contributors
Stargazers
Watchers
Forkers
peta909 alvarofe bushalo floatingguy johnjohnsp1 scharsey x0day jilir baiyunping333 chensword 0x37n0w4n ant4g0nist binni97 decept1c0n iamckn ahpanna xlabsoft lucabongiorni jorisnobre gamehacker drooids sandeepl337 iwonasado jajp777 p4t0g3n0 wmswu luisgarcia87 netscape007 olivierh59500 bardhr gunawanw9 varbaek e3v3a toxicspot jamdart daveti jonathanvdev00 goldcat deeputom rabitw abdullah-alghoul colemancda cehfida franzieska misscoconut jadedgnome abdelhadinaimi xddmurrayx chapo182 14thec0de securecloud-biz singi mndo285 thibaultder letsunlockiphone obaidi2005 cplusecoder dantee296 mujrim707 reparatou sniper199 souleymane4k protektwar darkdroid403 5l1v3r1 zloedobro abynetadvisories's Issues
Other HW and usb switching
Hi! Great work! Too bad I didn't see this until now.
Just a couple of FYI.
The various AT commands are of course HW (baseband) dependent, and the ones mentioned in the issues are mostly for Qualcomm based phones. The ddexe filtering on Samsungs has been around for a very long time, since GT-I9100 (at least). However, since that filtering is only done on the AP, if you can get a direct connection to the AT shell, you can circumvent the filtering. Thus you will find that the AT commands available via USB vs. via internal /dev/smd0 (or equivalent) are different. In addition, there are "pseudo" AT commands that are not part of the baseband (BP) and directly handled by the datarouter...
In addition, on Samsungs there are already a ServiceMode menu and/or secret code, that allow you to do the serial mode switching (given that you have the drivers). It can also be done through the (root) command line by setprop XXXX. (I forgot the exact prop.)
Again recall the differences between the Qualcomm and Exynos + Shannon based Samsung phones.
For Other Devices
How could i find the header of other devices like MI or any with there respective Vendor ID and Product ID.
Important !!
What if i dont have any Samsung phone and i want to make connection through your script , then what kind of changes i have to do in your script
escaped hexadecimal
i was trying this exploit in hg532e but the file was returned into escaped hexadecimal, it wasn't readable. how to convert it back to readable ASCII string..
Smasung USB vulnerability
Guys a while back I wrote a paper, with a PoC and an attack scenario for this vulnerability, it might help.
Good luck.
Samsung Galaxy S5 Also vulnerable to nocve-2016-0004
I just tested you PoC against my Samsung Galaxy S5 and found that it is also vulnerable:
# gcc -o usbswitcher usbswitcher.c -lusb
# ./usbswitcher
[*] Device found, 2 configuration(s)
[*] Device opened, Switching to configuration #2
[!] Configuration switch failed
# ./usbswitcher
[*] Device found, 2 configuration(s)
[*] Device opened, Switching to configuration #2
[*] Configuration switched!
# lsusb -v
...
Bus 001 Device 003: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x04e8 Samsung Electronics Co., Ltd
idProduct 0x6860 Galaxy (MTP)
bcdDevice 4.00
iManufacturer 1 SAMSUNG
iProduct 2 SAMSUNG_Android
iSerial 3 05d596ef
bNumConfigurations 2
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 39
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 96mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 6 Imaging
bInterfaceSubClass 1 Still Image Capture
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
iInterface 5 MTP
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x001c 1x 28 bytes
bInterval 6
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 105
bNumInterfaces 3
bConfigurationValue 2
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 96mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 6 Imaging
bInterfaceSubClass 1 Still Image Capture
bInterfaceProtocol 1 Picture Transfer Protocol (PIMA 15470)
iInterface 5 MTP
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x001c 1x 28 bytes
bInterval 6
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 1
bInterfaceCount 2
bFunctionClass 2 Communications
bFunctionSubClass 2 Abstract (modem)
bFunctionProtocol 1 AT-commands (v.25ter)
iFunction 8 CDC Serial
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 6 CDC Abstract Control Model (ACM)
CDC Header:
bcdCDC 1.10
CDC Call Management:
bmCapabilities 0x00
bDataInterface 2
CDC ACM:
bmCapabilities 0x02
line coding and serial state
CDC Union:
bMasterInterface 1
bSlaveInterface 2
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x000a 1x 10 bytes
bInterval 9
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 7 CDC ACM Data
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Binary Object Store Descriptor:
bLength 5
bDescriptorType 15
wTotalLength 22
bNumDeviceCaps 2
USB 2.0 Extension Device Capability:
bLength 7
bDescriptorType 16
bDevCapabilityType 2
bmAttributes 0x00000000
(Missing must-be-set LPM bit!)
SuperSpeed USB Device Capability:
bLength 10
bDescriptorType 16
bDevCapabilityType 3
bmAttributes 0x00
wSpeedsSupported 0x000f
Device can operate at Low Speed (1Mbps)
Device can operate at Full Speed (12Mbps)
Device can operate at High Speed (480Mbps)
Device can operate at SuperSpeed (5Gbps)
bFunctionalitySupport 1
Lowest fully-functional device speed is Full Speed (12Mbps)
bU1DevExitLat 1 micro seconds
bU2DevExitLat 500 micro seconds
Device Status: 0x0000
(Bus Powered)
Samsung galaxy s4 usbswitching
Hello everyone!
I'm trying to use my galaxy s4 as modem, but when i use usbswitcher.c i have an error :
[ * ] Device found, 1 configuration(s)
[ * ] Device opened, Switching to configuration #2
[ ! ] Configuration switch failed
Need your help!
Thank you.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.