I've decided to turn my desktop into a server and do some major network upgrades. 0xfeedface.org will be down for a minimum of two hours and maximum of twenty-four on the weekend of 04 Sep 2010. We may be opening up a cloud hosting environment to those who want it.
Android 2.2 (Froyo) leaked this morning. The site which hosts the leak, MyDroidWorld, came under immediate DDoS as soon as the leak was published. MyDroidWorld is back up and stable. I installed Froyo on my Droid X within just a few hours of the leak.
I had previously rooted my Droid X and removed some of the bloatware. I tried flashing the update.zip. It failed because CityID wasn't installed. Grrrr. I had to find the SBF (the original firmware that Verizon techs use when restoring your phone to its factory state) and flash it with a pirated copy of Motorola's flashing software. After restoring my phone to its factory state, the Froyo update worked. The radio failed to update, but I haven't had any issues, yet.
The phone is significantly and noticeably faster. The MotoBLUR UI that I hate so much has been toned down to a usable level. I dislike that the bloatware apps are installed again. Flash 10.1 is installed now. That'll be the first thing I remove.
Overall, I'm happy for this leak. I would recommend applying the leaked Froyo image to everyone who owns a Droid X. I'm excited for the real release of Froyo for the Droid X and the many improvements Motorola and Verizon will have for this phone in the years to come.
UPDATE: I posted an image of the failed radio update here.
I've been reading a lot about how GNU's runtime linker (RTLD) works. I'm almost ready to sit down and write more code. This weekend, I'll be reading through the source code for the RTLD. I need to see if I can piggyback on dlopen. Since the principal goal of libhijack is to be able to delete all physical evidence post-injection, I cannot use dlopen. I need all anonymous mappings. Using dlopen would require that the shared object remain on the file system after successful injection.
I just wanted to write and update everyone, letting my peeps know I'm not slacking. Progress is slow, but I'm working on it. I'm also thinking about submitting a paper for Shmoocon about the techniques used in this project.
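The post above contrasts dlopen, which maps a shared object from a file, with injection into anonymous mappings. As an added example (not code from this blog or from libhijack), here is how a defender can triage a Linux process for exactly that trait by parsing /proc/<pid>/maps text; it also flags executable mappings whose backing file was deleted, which goes one step beyond the case in the post. The sample lines, the helper name suspicious_mappings and the Finding type are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234 /bin/cat
7f3c1a000000-7f3c1a021000 rw-p 00000000 00:00 0
7f3c1b2d0000-7f3c1b2d4000 r-xp 00000000 00:00 0
7f3c1b400000-7f3c1b420000 r-xp 00000000 08:01 5678 /tmp/libfoo.so (deleted)
7f3c1b600000-7f3c1b7c0000 r-xp 00000000 08:01 4321 /lib/libc.so.6
7ffd5a1e2000-7ffd5a203000 rw-p 00000000 00:00 0 [stack]
7ffd5a3f1000-7ffd5a3f3000 r-xp 00000000 00:00 0 [vdso]
"""

# Kernel-provided pseudo-mappings that are executable by design.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Fields: start-end, perms, offset, dev, inode, optional pathname.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+"
    r"[0-9a-f]+:[0-9a-f]+\s+(\d+)\s*(.*)$"
)

class Finding(NamedTuple):
    start: int
    size: int
    perms: str
    reason: str

def suspicious_mappings(maps_text):
    """Return executable mappings with no file on disk behind them."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms, inode, path = m.group(3), int(m.group(4)), m.group(5).strip()
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        if inode == 0:
            # Anonymous memory (or [heap]/[stack]) marked executable.
            findings.append(Finding(start, end - start, perms, "no file backing"))
        elif path.endswith(" (deleted)"):
            findings.append(Finding(start, end - start, perms, "backing file deleted"))
    return findings

if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_MAPS):
        print(f"{f.start:#x} size={f.size:#x} {f.perms} {f.reason}")
```

JIT runtimes also create anonymous executable mappings, so a hit is a lead for memory inspection rather than a verdict.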
As you may have heard, OpenSolaris is finally and officially dead. Oracle is killing off the distribution of one of the greatest open source enterprise operating systems today. Developers will still be able to run Solaris for free via Solaris 11 Express, which is supposedly debuting by the end of 2011.
Garrett D'Amore, a Nexenta employee, has written a detailed blog post about the subject. On IRC, he stated: "there is a mass exodus of talent leaving Oracle." Oracle is distancing itself from a very intelligent community. It's sad to see so much talent leave such a powerful product, but great things will happen with Illumos. Illumos will likely end up as a true fork of the OS.
I'm excited to see what Illumos brings to the table. The great talent leaving Oracle will be joining Illumos. I'm just sad it had to come to this. Hopefully, Illumos will provide a great enterprise-class OS with easy upgrade paths from OpenSolaris.
In discussion with the crew at SoldierX, I will be releasing a new version of Project Hijack for their community. Stay tuned within the next couple months for the official 1.0 release of libhijack. You will be able to inject full shared objects instead of hand-written assembly. The algorithms behind Project Hijack will be much faster and more reliable. I will also be releasing both a whitepaper detailing the new technique I use and an API document showing how to use libhijack. I plan to make the 1.0 release 3-6 months from now.
My first Defcon, Defcon 18, was a success. I mostly hung out with some SoldierX peeps and with StankDawg from BinRev. Livinded and I got into Vegas on Wednesday evening. Bringing all the equipment in from his car was a major task. He and a few of his friends ran oCTF. They did a good job and everyone involved enjoyed the game. I met up with Blake and StankDawg on Thursday and we all chilled and had a good time. Continue reading to find out all that happened.
One of the great things about being bored sitting at a datacenter waiting for long processes to finish is the opportunity to fill that mind-numbing boredom with useful knowledge. I spent the past little while learning DTrace. I gotta say, I love it. The SolarisInternals site has many good scripts to help teach DTrace. One of the things I'd like to do with DTrace is use it for malicious purposes. In my Linux days, I authored a project called Project Hijack, which allows an attacker to effortlessly inject arbitrary code into a process during runtime and hijack dynamically loaded functions. I'd like to port that project, or as much of it as possible, to DTrace.
It took me about 30 minutes to be comfortable writing simple DTrace scripts. Here's one tiny malicious script I wrote:
syscall::open:entry
/copyinstr(arg0) == "/tmp/mal.txt"/
{
    copyoutstr("/tmp/haha.txt", arg0, strlen("/tmp/haha.txt"));
}
Any time an application tries to open /tmp/mal.txt, the application will actually open /tmp/haha.txt. This script is simple--the reason why I really love DTrace.
I'll write more about it later. The processes I'm running on our production server are almost finished. Also, I'll be at Defcon. If you wanna meet up, let me know. Drop a comment or send me an email.
I bought the Droid X. It's the largest phone I've ever purchased. It feels weird being back on Verizon. I started out with a dumbphone on Verizon three years ago, then I went to AT&T for the iPhone 3G, and finally ended up at T-Mobile with the Nexus One. T-Mobile doesn't have the best coverage so I wanted another carrier for trips and vacations. Verizon's network sure has changed (for the better, of course) in these last three years.
The phone itself is nice. I miss the trackball the G1, MyTouch 3G, and Nexus One all have and all of which I've owned. The screen size is perfect for reading material larger than WordPress blogs. The size of the screen, though, can be a bit uncomfortable at times--like when playing solitaire. I'm used to using one hand with my Android devices, and the Droid X occasionally requires two hands.
I've found that I can bypass the Grooveshark wifi-only restriction for certain songs if I use Froyo's built-in wireless tether on my Nexus One to tether my Droid X. Unfortunately, Grooveshark isn't the most stable of apps and can poop out if there's any packet loss (which sadly happens frequently on T-Mobile's network in my area).
I'm not a fan at all of the Motoblur UI. I quickly installed ADW Launcher from the Market and got the familiar mostly stock UI I love.
Overall, I think the Droid X is a great Android phone. I'll be buying an HDMI cable for it shortly. It might launch me into the gaming scene. I haven't tested 720p recording or playback, yet. I'm sure I'll enjoy it just like I enjoy the rest of the phone. This phone is worth its weight in money.
I updated my Nexus One to the official Froyo FRF85B release a few days ago. I love the improvements Google and others have made to Android. One of my favorite features is WiFi tether. I have a mobile WiFi hotspot wherever I go. Everything is very noticeably faster on Froyo. I'm really impressed at how everything comes together in a unified manner.
I frequently bike to work. On my way, I listen to Pandora to make the twenty-mile journey bearable. I noticed that when I bike parallel and nearly underneath power lines, all data services die. My phone still shows full 3G bars, but all data synchronization stops. Pandora stops playing, email stops syncing, etc. I bike underneath power lines for around six of the twenty miles, a pretty significant portion to be without data services.
This problem didn't occur on Eclair. I tested on both Eclair and Froyo using both a Bluetooth headset and regular 3.5mm headphones. No issue on Eclair with either headset, but it was an issue on Froyo with both headsets. My guess is that the Froyo radio is much more sensitive to interference than Eclair.
I contacted Google's Nexus One tech support. They've escalated the issue to the engineering department. I'll let you guys know what happens. Here is a thread I created on the Nexus One support forums about the issue.
A few years back, I researched runtime process infection. I developed a shared library to ease code injection and hijacking. The project, libhijack, only got up to version 0.3 but was full-featured at 0.3. I now own a MacBook Pro and would like to try my hand at porting libhijack to DTrace. I'd like to research how to use DTrace for malicious purposes.
I'll report back when I learn a bit more.