Old 06-17-2015, 08:07 PM   #7
NiLuJe
Note that said poison filename worked because there is (was?) indeed a shiny system() call at some point of the various checks done by the support library used by the OTA updater.

That was 'fixed' by renaming all incoming .bin files w/ a random uuid in the 'update_<uuid>.bin' form, and that before said step.

----

We've (mostly) always used some kind of logic flaw in the OTA updater, because it started as (again, mostly) a simple shell script, and with most of the rest of the system being obfuscated java, that made it an obvious attack vector.

The fact that more recently, parts of its job have been off-loaded to C libraries put a serious dent in those kinds of shenanigans, since none of us have any real skill in ARM assembly, which becomes kind of a basic requirement to look into things further.

Same with the other slightly less obvious attack vectors, they kind of require more specialized skills than simply poking at things with a stick for fun (which is basically where I sit, personally ^^).

Last edited by NiLuJe; 06-17-2015 at 08:17 PM.
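The mitigation NiLuJe describes (rename every incoming .bin to update_<uuid>.bin before any step that might hand the name to system()) sketched in C as an added example; this is not NiLuJe's code nor the Kindle updater's own. It assumes a POSIX system, draws the random id from /dev/urandom rather than a UUID library, and uses a hypothetical staging directory passed in by the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>

/* Build "update_<32 hex chars>.bin" from 16 random bytes. The name is fully
 * controlled by us, so nothing from the attacker-chosen filename survives. */
int make_update_name(char *out, size_t outlen) {
    unsigned char rnd[16];
    if (outlen < 7 + 32 + 4 + 1) return -1;          /* "update_" + hex + ".bin" + NUL */
    int fd = open("/dev/urandom", O_RDONLY);         /* assumption: no uuid lib needed */
    if (fd < 0) return -1;
    ssize_t n = read(fd, rnd, sizeof rnd);
    close(fd);
    if (n != (ssize_t)sizeof rnd) return -1;
    char *p = out + sprintf(out, "update_");
    for (size_t i = 0; i < sizeof rnd; i++) p += sprintf(p, "%02x", rnd[i]);
    strcpy(p, ".bin");
    return 0;
}

/* Defensive check: the only characters later pipeline stages should ever see
 * in a staged name. Anything else (spaces, quotes, ';', '$', ...) fails. */
int name_is_shell_safe(const char *name) {
    if (!name || !*name) return 0;
    for (; *name; name++)
        if (!isalnum((unsigned char)*name) && *name != '_' && *name != '.') return 0;
    return 1;
}

/* Rename dir/incoming (any user-supplied name) to dir/update_<uuid>.bin.
 * Must run BEFORE any check that builds a shell command from the filename.
 * On success newpath holds the staged path and 0 is returned. */
int stage_update(const char *dir, const char *incoming, char *newpath, size_t len) {
    char name[64], oldpath[4096];
    if (make_update_name(name, sizeof name) != 0) return -1;
    if ((size_t)snprintf(oldpath, sizeof oldpath, "%s/%s", dir, incoming) >= sizeof oldpath)
        return -1;
    if ((size_t)snprintf(newpath, len, "%s/%s", dir, name) >= len) return -1;
    return rename(oldpath, newpath);                 /* no shell involved at all */
}
```

The rename uses the rename(2) syscall directly, so the original filename never reaches a shell; only the whitelisted generated name is passed on to later checks.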