First B593 s-22 exploit: Set up FTP to get /var/sshusers.cfg
Monday, February 23. 2015
I have published a new version of B593_exploit.pl. See this article for the previous info.
This version has the s-22 FTP hack added to it. u-12 has the classic FTP USB-share flaw where it is possible to create an FTP share of /. Unfortunately, in this box the Huawei guys made the web GUI a bit smarter: you cannot create such a share from the GUI anymore. The fortunate part is that they don't check for it again at save time. If you manage to get the ../.. past the GUI (the check lives only in the browser, not in the handler that stores the share), you can still do it. That's what the exploit is about.
Example run:
./B593_exploit.pl 192.168.1.1 admin --ftp-setup ftpuser ftppassword
That command creates a share for the first USB device found, but points the share at the filesystem root of the box. You have to have a physical USB storage device attached. It doesn't have to have anything on it and it won't be affected during the process, but setting a share path will fail if there is no USB storage.
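To make the "checked in the GUI, not at save" point concrete, here is an added Python model of the two behaviours. It is not the router's code (which is not published here) and everything in it is an assumption for illustration: the USB mount point /mnt/usb1, the function names, and the exact form of the browser-side check. It shows why a client-only check is bypassed by posting the path straight to the save handler, and what a save-time check that canonicalises the path and requires it to stay under the USB root looks like.

```python
import posixpath

# Assumed mount point of the USB stick on the router; the real path is not in the post.
USB_ROOT = "/mnt/usb1"


def gui_check(share_path):
    """Model of the browser-side check in the smarter web GUI (assumed, not the real JS):
    refuse anything containing '..'. It only runs in the browser, so a request sent
    directly to the save handler never goes through it."""
    return ".." not in share_path


def vulnerable_save(share_path):
    """Backend behaviour the post describes: the path is stored as given,
    trusting that the GUI already validated it."""
    return posixpath.join(USB_ROOT, share_path)


def effective_root(share_path):
    """Directory the FTP server actually exposes once '..' is resolved.
    posixpath.normpath is used so this runs the same on any OS; on a real
    filesystem use os.path.realpath so symlinks are resolved too."""
    return posixpath.normpath(vulnerable_save(share_path))


def hardened_save(share_path):
    """Validate at save time: resolve the path and require it to stay under USB_ROOT.
    An absolute path (posixpath.join discards the root for those) is rejected as well."""
    resolved = posixpath.normpath(posixpath.join(USB_ROOT, share_path))
    if resolved != USB_ROOT and not resolved.startswith(USB_ROOT + "/"):
        raise ValueError("share path escapes the USB root: %r" % share_path)
    return resolved


if __name__ == "__main__":
    # Constructed inputs: a normal share, the traversal, an absolute path, a disguised traversal.
    for candidate in ("photos", "../../", "/etc", "a/../../.."):
        try:
            hardened = hardened_save(candidate)
        except ValueError as err:
            hardened = "rejected (%s)" % err
        print("%-12r gui_check=%-5s exposes=%-12s hardened=%s"
              % (candidate, gui_check(candidate), effective_root(candidate), hardened))
```

The disguised case a/../../.. passes a naive "starts with ../" filter and still ends up at /, which is why the check has to be done on the normalised result rather than on the string the user typed.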
I had problems with the FTP client; it kept complaining about FTP passive mode. I switched the client to NcFTP and that solved my problem.
Once in the box, the SSH passwords are in the classic /var/sshusers.cfg. If the configuration is of interest to you, it can be found in /app/curcfg.xml. When the admin user's password is known, SSHing into the box and gaining shell access is trivial.
While looking around the box, I got carried away with the lteat command. I managed to brick the box. But that's another story.
iPhone (cell) Field Test mode
Saturday, February 21. 2015
A reader of this blog contacted me and wanted me to take a look at his Huawei E5186. During the meeting he showed me the Field Test mode of his iPhone. I haven't done any iPhone hacks, and had never heard of such a thing. In this mode you can see details of the cellular connection. It is completely limited to that: there is no "root" mode, no details about the Wi-Fi connection, no details of the phone itself. But if any of the SIM, GSM, UMTS or LTE details are of interest, this one is for you.
Every iPhone has this. Really! There are details of this Field Test mode on the net from 2009 (iPhone 3GS), maybe earlier if you really want to look. My iPhone 6 has this, so I'm pretty sure yours (whatever model) has it too.
How to get there? Easy. Dial *3001#12345#* and press call. Like this:
As a result you will see either the 2G/3G (GSM/UMTS) or 4G (LTE) Field Test menu:
As you can see, the 2G/3G menu has more items in it. That is because it is the really old stuff from the 90s; the LTE menu is lighter, as it is a much newer spec. Remember that what you see is a snapshot of the situation when the menu was opened.
Also notice that there are no more bars at the top of the screen; instead there is a number in dBm. The number is the RSSI (in 2G), the RSCP (in 3G) or the RSRP (in 4G). See the article Some GSM, UMTS and LTE Measurement Units for clarification of the units.
RSSI translation:
- -40 dBm - theoretical max., you won't get this even if you were right next to the cell tower
- -50 to -75 dBm - High
- -76 to -90 dBm - Medium
- -91 to -100 dBm - Low
- -101 to -120 dBm - Poor
RSRP translation:
- theoretical max.: ? dBm
- -75 to -88 dBm - Very High
- -89 to -96 dBm - High
- -97 to -105 dBm - Medium
- -106 to -112 dBm - Low
- -113 to -125 dBm - Poor
As I didn't find much information about the actual contents of these menus, I'll try to gather a comprehensive list here. Not all of the items have a value on my phone; if there is a value recorded but I don't know what it is for, there is a ?.
Menu / submenu items, with a description where known:
- SIM Info: elementary files (EF) read from the SIM
  - EF-FPLMN: forbidden PLMN list
  - EF-ICCID: serial number of the SIM card
  - EF-OPLMNAcT: operator-controlled PLMN selector with access technology
  - EF-HPPLMN SEARCH PERIOD: how often the phone searches for a higher-priority (home) PLMN while roaming
  - EF-MSISDN: own phone number, if the operator stored it on the SIM
  - EF-3GPP MAIL BOX DIALING NUMBER: voicemail number
  - EF-ACCESS CONTROL CLASS: access class of the SIM (0 to 9 for normal subscribers, 11 to 15 for priority users)
  - EF-OPERATOR PLMN LIST
  - EF-ACTING HPLMN
  - EF-ADMINISTRATIVE DATA
  - EF-RAT MODE
  - EF-LOCI: location information (TMSI, LAI) stored from the last circuit-switched registration
  - EF-GPRS/PS-LOCI: packet-switched counterpart (P-TMSI, RAI)
- PDP Context Info: (List) Packet Data Protocol (PDP) contexts, i.e. the data sessions open in GPRS/UMTS; see http://developer.nokia.com/community/wiki/PDP for details of PDP
  - APN: Access Point Name the context was opened to (the connection setting)
  - IPv4: IPv4 address assigned to the phone for this context
- GSM Cell Environment: [2G/3G menu only] 2G/2.5G information
  - GSM RR Info: GSM Radio Resource (RR) layer state
    - DTX Used: whether discontinuous transmission is in use (the phone stops sending during speech pauses)
    - RR State
    - Rx Quality Sub: RXQUAL (bit error rate class 0 to 7) measured over the subset of frames that are always sent when DTX is on
    - RR Mode
    - RR Sub State
    - Serving Rx Level: RXLEV of the serving cell
    - DRX used: discontinuous reception (paging sleep) in use
    - RR Status
    - Rx Quality Full: RXQUAL measured over all frames
  - GSM Cell Info
    - GSM Serving Cell
      - C1 Value: path loss criterion C1 used for cell selection; a cell is only usable when C1 > 0
      - RSSI
      - ARFCN: Absolute Radio-Frequency Channel Number
      - Cell ID: http://en.wikipedia.org/wiki/Cell_ID. Gather MCC, MNC, LAC and this Cell ID and go to http://opencellid.org/ to see where you are
      - Mobile Allocation: the set of frequencies used for frequency hopping
        - ARFCNs: (List)
        - HSN: Hopping Sequence Number
      - C2 Value: cell reselection criterion C2 (C1 plus the operator's reselection offsets)
      - BSIC: Base Station Identity Code, 6 bits (3-bit network colour code + 3-bit base station colour code)
      - MA Dedicated ARFCN
    - Neighboring Cells: (List)
  - GPRS Information
    - Priority Access Threshold: ?
    - SI13 Location: ?
    - Ext Measurement Order
    - Access Burst Type: ?
    - DRX Timer Max: ?
    - Network Operating Mode: NMO I, II or III; how the network coordinates circuit-switched and packet-switched paging
    - PBCCH Present: whether the cell has a Packet Broadcast Control Channel
    - Count LR
    - Packet PSI Status
    - PFC Supported: whether Packet Flow Context (per-flow QoS) is supported
    - Cell Reselect Hysteresis: extra margin in dB a neighbour must beat the serving cell by before the phone reselects into another location area
    - Count HR
    - Packet SI Status
    - Network Control Order: NC0, NC1 or NC2; whether the phone or the network decides on cell reselection in packet mode
    - T3192 Timer: http://www.rfwireless-world.com/Terminology/GSM-timers.html [milliseconds]
- UMTS Cell Environment: [2G/3G menu only] 3G information
  - Neighbor Cells
    - Active Set: (List) cells the phone is connected to simultaneously (soft handover)
    - Detected Set: (List) cells the phone has found that are not in the network's neighbour list
    - Monitored Set: (List) neighbour cells the network told the phone to measure
    - UMTS Set: (List) The only one where I have anything listed
      - Scrambling Code: primary scrambling code (0 to 511) that identifies the cell on this UARFCN. See UMTS Quick Reference - Scrambling Code for more info
      - RSCP: Received Signal Code Power. The number at the top left of your screen is the serving cell's RSCP, see UARFCN below
      - Energy Per Chip: Ec/No, the pilot energy per chip relative to the total received power; a ratio in linear units, so RSCP minus RSSI in dB. See Some GSM, UMTS and LTE Measurement Units for details about RSCP and Ec/No
      - UARFCN: see UMTS RR Info below. One of the cells in this set has the same scrambling code as UMTS RR Info shows; that is the serving cell, and its RSCP is exactly what is displayed as your received signal strength
    - Virtual Active Set: (List)
    - GSM Set: (List)
  - HSDPA Info
    - Version
    - Primary HARQ Process: Hybrid ARQ (retransmission) process
    - Sub Frames
    - Secondary HARQ Process
    - Carrier Info
- UMTS RR Info: Radio Resource (RR) information about the cell that is serving you
    - UARFCN: UTRA Absolute Radio Frequency Channel Number, the channel you're currently on (decimal). See http://niviuk.free.fr/umts_band.php for listings of bands
    - BLER: Block Error Rate (my phone displays nothing here)
    - Cell ID: http://en.wikipedia.org/wiki/Cell_ID. Gather MCC, MNC, LAC and this Cell ID and go to http://opencellid.org/ to see where you are
    - RRC State: Radio Resource Control state (idle, CELL_DCH, CELL_FACH, CELL_PCH or URA_PCH), see UMTS RRC States (my phone displays nothing here)
    - Downlink Frequency: (my phone displays nothing here)
    - Scrambling Code: primary scrambling code of the serving cell. See UMTS Quick Reference - Scrambling Code for more info
    - Uplink Frequency: (my phone displays nothing here)
    - Ciphering: (my phone displays nothing here)
    - Transmit Power: (my phone displays nothing here)
- MM Info: [2G/3G menu only] Mobility Management (registration) state
  - Serving PLMN: the Public Land Mobile Network you are registered to
    - Location Area Code: LAC (decimal): http://en.wikipedia.org/wiki/Location_area_identity
    - Routing Area Code: RAC, the packet-switched counterpart of the LAC
    - PLMN Sel Mod: PLMN selection mode (automatic or manual network selection)
    - Mobile Network Code: MNC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code
    - Mobile Country Code: MCC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code
    - Service Type: ?
  - Process PS: packet-switched (data) domain
    - MM Sub State
    - MM State
    - MM Service State
    - Attach Reject Cause: reason code if the last GPRS attach was rejected
  - Process CS: circuit-switched (voice and SMS) domain
    - MM Sub State
    - MM State
    - MM Service State
    - LU Reject Cause: reason code if the last Location Update was rejected
    - Equivalent PLMN List
  - Process CO
    - MM State
    - MM Service State
- Neighbor Measurements: [LTE menu only]
  - E-ARFCN: E-UTRA Absolute Radio Frequency Channel Number
  - Version
  - Neighbor Cells List: (List)
    - Measured RSSI
    - Ant 0 Sample Offset
    - Physical Cell ID
    - Ant 0 Frame Offset
    - Average RSRP
    - Average RSRQ: Reference Signal Received Quality
    - Ant 1 Frame Offset
    - Srxlev: cell selection RX level value in dB (3GPP TS 36.304); a cell is only suitable while it stays above 0
    - Ant 1 Sample Offset
    - Measured RSRP
    - Frequenct Offset: (typo in the menu itself) Frequency Offset
    - Measured RSRQ
    - Qrxlevmin: minimum required RX level (RSRP) in the cell, in dBm
- Connected mode LTE Intra-frequency Measurement: [LTE menu only]
  - Detected Cells: (List)
  - Measured Neighbor Cells: (List)
  - Serving Filtered RSRQ
  - Serving Physical Cell ID
  - Subframe Number
  - Serving Filtered RSRP
  - E-ARFCN
- Serving Cell Info: [LTE menu only]
  - Download Bandwidth
  - Freq Band Indicator: the LTE band you're on. See UARFCN for the exact frequency, and http://niviuk.free.fr/umts_band.php for listings of bands and frequencies
  - Download Frequency
  - Num Tx Antennas
  - UARFCN: the channel number you're currently on (decimal). On LTE this is the E-UTRA ARFCN (EARFCN), not a UTRA one; see http://niviuk.free.fr/umts_band.php for listings of bands and frequencies
  - Tracking Area Code: TAC, the LTE counterpart of the LAC
  - Cell Identity: the 28-bit E-UTRAN Cell Identity (also written LCID); the upper 20 bits are the eNodeB ID and the lower 8 bits the cell within that eNodeB. Together with MCC, MNC and TAC this identifies the serving cell, e.g. for http://opencellid.org/
  - Physical Cell ID: physical-layer cell identity (0 to 503) derived from the synchronization signals. It is reused all over the network, so it alone does not say where you are; use the Cell Identity above for that. http://en.wikipedia.org/wiki/Cell_ID
  - Upload Frequency
  - Upload Bandwidth
- Reselection Candidates: [LTE menu only]
  - Version
  - Serving Cell ID
  - Serving EARFCN
  - Reselection Candidates List: (List)
- Serving Cell Measurements: [LTE menu only]
  - Measured RSSI
  - Qrxlevmin: minimum required RSRP in the cell (dBm)
  - P_Max: maximum transmit power the cell allows the phone to use (dBm)
  - Max UE Tx Power: the phone's own power class limit (dBm)
  - Version
  - S Non Intra Search: threshold in dB; when Srxlev drops below it the phone starts measuring cells on other frequencies
  - Physical Cell ID
  - Average RSRP
  - Measurement Rules
  - Average RSRQ
  - Serving Layer Priority
  - Srxlev: cell selection RX level value in dB, see Neighbor Cells List above
  - Measured RSRP
  - Num of Consecutive DRX Cycles of S < 0: how many DRX cycles in a row the cell selection criterion S has failed; after enough of these the phone goes looking for another cell
  - Measurement Rules Updated
  - Measured RSRQ
  - E-ARFCN
  - S Intra Search: threshold in dB; when Srxlev drops below it the phone starts measuring cells on the same frequency
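The numbers in Serving Cell Info, UMTS RR Info and Serving Cell Measurements are raw; the following Python helper, added here and not part of the original post, turns them into something you can look up or reason about: EARFCN to downlink/uplink frequency (3GPP TS 36.101 formula, with a band table that is only a subset of the real one), the 28-bit LTE and UMTS cell identities split into base station and cell, Ec/No as RSCP minus RSSI, and the TS 36.304 S criterion behind Srxlev. The sample values at the bottom are constructed, not readings from a real phone.

```python
# Added example, not part of the original post: decode the identifiers and
# signal figures the Field Test menu shows. The band table is a subset of
# 3GPP TS 36.101 Table 5.7.3-1; extend it with your operator's bands.

LTE_BANDS = {
    # band: (F_DL_low MHz, NOffs_DL, NDL_min, NDL_max, F_UL_low MHz, NOffs_UL)
    1:  (2110.0,    0,    0,  599, 1920.0, 18000),
    3:  (1805.0, 1200, 1200, 1949, 1710.0, 19200),
    7:  (2620.0, 2750, 2750, 3449, 2500.0, 20750),
    8:  (925.0,  3450, 3450, 3799,  880.0, 21450),
    20: (791.0,  6150, 6150, 6449,  832.0, 24150),
    28: (758.0,  9210, 9210, 9659,  703.0, 27210),
}


def earfcn_to_mhz(earfcn):
    """Downlink EARFCN (the 'UARFCN' item in Serving Cell Info) -> (band, DL MHz, UL MHz).

    TS 36.101: F_DL = F_DL_low + 0.1 * (N_DL - NOffs_DL). The paired uplink
    channel sits at the same offset into the band's uplink block.
    """
    for band, (fdl_low, noffs_dl, n_min, n_max, ful_low, _noffs_ul) in LTE_BANDS.items():
        if n_min <= earfcn <= n_max:
            offset_mhz = 0.1 * (earfcn - noffs_dl)
            return band, round(fdl_low + offset_mhz, 1), round(ful_low + offset_mhz, 1)
    raise ValueError("EARFCN %d is not in the band table" % earfcn)


def split_lte_cell_identity(eci):
    """28-bit E-UTRAN Cell Identity -> (eNodeB ID, cell within the eNodeB).
    The upper 20 bits identify the base station, the lower 8 the sector on it."""
    if not 0 <= eci < (1 << 28):
        raise ValueError("E-UTRAN Cell Identity must fit in 28 bits")
    return eci >> 8, eci & 0xFF


def split_umts_cell_id(uc_id):
    """28-bit UTRAN Cell Identity (the UMTS RR Info 'Cell ID') -> (RNC ID, cell ID).
    The upper 12 bits are the RNC, the lower 16 the cell under it."""
    if not 0 <= uc_id < (1 << 28):
        raise ValueError("UTRAN Cell Identity must fit in 28 bits")
    return uc_id >> 16, uc_id & 0xFFFF


def ecno_db(rscp_dbm, rssi_dbm):
    """Ec/No: pilot energy per chip over total received power. A ratio in
    linear units is a difference in dB, so this is a subtraction, not a division."""
    return rscp_dbm - rssi_dbm


def srxlev_db(rsrp_dbm, qrxlevmin_dbm, p_max_dbm, ue_power_class_dbm=23, qrxlevminoffset_db=0):
    """TS 36.304 cell selection criterion S:
        Srxlev = Qrxlevmeas - (Qrxlevmin + Qrxlevminoffset) - Pcompensation
        Pcompensation = max(P_EMAX - P_PowerClass, 0)
    Qrxlevmeas is the RSRP, P_EMAX the cell's P_Max and P_PowerClass the phone's
    Max UE Tx Power (23 dBm for a class 3 UE). The cell is suitable only while
    Srxlev > 0; 'Num of Consecutive DRX Cycles of S < 0' counts the failures."""
    pcompensation = max(p_max_dbm - ue_power_class_dbm, 0)
    return rsrp_dbm - (qrxlevmin_dbm + qrxlevminoffset_db) - pcompensation


def describe_serving_cell(info):
    """Summarise a dict holding the Serving Cell Info / Serving Cell Measurements values."""
    band, dl_mhz, ul_mhz = earfcn_to_mhz(info["earfcn"])
    enodeb_id, sector = split_lte_cell_identity(info["cell_identity"])
    return {
        "band": band, "dl_mhz": dl_mhz, "ul_mhz": ul_mhz,
        "enodeb_id": enodeb_id, "sector": sector,
        "srxlev_db": srxlev_db(info["rsrp"], info["qrxlevmin"],
                               info["p_max"], info["max_ue_tx_power"]),
    }


if __name__ == "__main__":
    # Constructed sample values in the shape the LTE menu shows them (not real readings).
    sample = {"earfcn": 6300, "cell_identity": 0x1234567, "rsrp": -100,
              "qrxlevmin": -124, "p_max": 23, "max_ue_tx_power": 23}
    print(describe_serving_cell(sample))
    print("UMTS RNC/cell:", split_umts_cell_id(0xABC1234), "Ec/No:", ecno_db(-95, -85))
```

With the sample values the phone is on band 20 at 806.0 MHz down / 847.0 MHz up, served by eNodeB 74565 sector 103, with 24 dB of margin above the S criterion; raise P_Max above the phone's power class and the margin shrinks by the difference, which is the Pcompensation term at work.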
Please help me complete this (at least all the good stuff). If you find something incorrect or missing, please drop me a comment.