Tuesday, August 25, 2015

So let's look at my setup here:


XT1045, locked up tight
SM-T230, fully rooted test device
Emulators TBD


Using two versions of sunshine.apk for testing currently.




So immediately, I have a couple of ideas on how to RE this puppy. The conventional (and perhaps, hopefully, needlessly difficult) method is illustrated, in part, above.




1. The hard way

     - I popped open Wireshark,
     - started a SOCKS proxy on my computer,
     - changed network connection on XT1045 to forward through local IP:port of comp via proxy
     - ran sunshine on the device and collected the network data it used

Unfortunately(?), sunshine reported that I was using an outdated version and directed me to update.

Buuut... now I've got a TCP stream contained within a pcap file on my computer, which hypothetically contains data signed or encrypted with a key embedded in sunshine.apk (if there is one).

The next step here is to get at the plaintext under the TLS. A passive capture can't simply be decrypted after the fact without the session keys, so the realistic route is to put a MITM proxy in the path (one presenting a certificate the device trusts, which only works if the app doesn't pin its certificate), and in parallel to disassemble sunshine with IDA Pro 6 to find whatever key or signing routine it uses, then use that to decode the app's messages and figure out exactly what it's sending up to the server (theroot.ninja, in fact).
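Before going after the encryption at all, it helps to know what a pcap gives away for free. The script below is an added example, not code from the original post: fed the client-to-server bytes of the captured TCP stream (Wireshark: Follow TCP Stream, Save as raw), it tells you whether the stream opens with a TLS ClientHello, which hostname the app asked for via SNI, and which protocol version and cipher suites it offered. The `SAMPLE_STREAM` and `PLAINTEXT_HTTP` inputs are constructed stand-ins, not real captures; everything after the handshake in a real stream stays ciphertext until you MITM the connection.

```python
# Added example (not code from the original post): what you can still pull out
# of a captured TLS stream without any keys. Feed it the client-to-server bytes
# of the TCP stream (Wireshark: Follow TCP Stream -> Save as raw). It reports
# whether the stream opens with a TLS ClientHello, which hostname the app asked
# for (SNI), and which protocol version and cipher suites it offered. Anything
# after the handshake is ciphertext until you MITM the connection.
import struct
import sys


def parse_client_hello(data: bytes) -> dict:
    """Parse the first TLS record of a stream as a ClientHello.

    Raises ValueError if the stream is not TLS (e.g. plaintext HTTP), so the
    caller can tell 'needs MITM' from 'readable as-is'.
    """
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("stream does not start with a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        raise ValueError("first handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                                     # client random
    pos += 1 + hello[pos]                         # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
               for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # compression methods
    sni = None
    if pos + 2 <= len(hello):                     # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == 0:                        # server_name extension
                lpos = 2                          # skip ServerNameList length
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    if ntype == 0:                # host_name
                        sni = edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
    return {"version": version, "cipher_suites": ciphers, "sni": sni}


def build_client_hello(host: str, ciphers=(0xC02F, 0xC030)) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI (constructed test input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_data)) + sni_data
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed stand-ins for a captured stream; a real run reads the raw
# client->server bytes saved from Wireshark instead.
SAMPLE_STREAM = build_client_hello("theroot.ninja")
PLAINTEXT_HTTP = b"GET /version HTTP/1.1\r\nHost: theroot.ninja\r\n\r\n"


def triage_stream(data: bytes) -> str:
    """One-line verdict: is this readable now, or only after a MITM?"""
    try:
        info = parse_client_hello(data)
    except ValueError:
        return "not TLS at stream start: inspect the bytes directly"
    return ("TLS to %s (client version 0x%04x, %d cipher suites): "
            "needs a MITM proxy with a device-trusted CA to read"
            % (info["sni"], info["version"], len(info["cipher_suites"])))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    print(triage_stream(data))
```

Run it against the saved raw stream to confirm the host before spending time in IDA; if the SNI is a CDN or a different host than expected, the MITM proxy needs to be set up for that name instead. If a later record in the stream is a ServerHello followed by a certificate the app then rejects through the proxy, that is your certificate-pinning signal.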

>I almost posted my TCP stream here but thought better of it, considering I don't yet know what it contains...

However, I've never disassembled an APK like that, and it occurred to me there may be a far easier way to do this, courtesy of the environment within which theroot.ninja has been forced to code.




2. The smart way(?)

Here's my current plan:

Run sunshine.apk inside of an emulator/sandbox, determine what exactly it's pulling from the XT1045 data-wise, figure out what it's receiving, and determine what all it's using for license verification (and if we're lucky enough to only be dealing with Google Play LVL).

However, there are a BUTTLOAD of potential pitfalls here if the devs coded against this, which is very easy to do (emulator and root detection are standard fare in apps like this). They could presumably brick my device after all my tests indicate that my cr*ck has succeeded completely. But hell, let's try it.



Next post will elaborate on what exactly we need to unlock this damn bootloader.




2 comments:

  1. "the private key within sunshine.apk" Why would I embed a private key in the apk? or even ever let one touch the device itself?
