Bypass certificate pinning on rooted android device

First of all, install Magisk on rooted device and then install TrustUserCertificates plugin:

Now you can install the Charles self-signed certificate on your device, as a standard User Custom Certificate, and then reboot your phone: the magisk plugin will do the magic and copy che Charles SSL certificate in the System Certificate Authorities list.

In this way, now you can intercept all the device apps using Charles, also production builds or APK downloaded from the Google Play Store.

But if an app uses SSL Certificate Pinning, Charles cannot intercept the encrypted traffic, so another step is required:

  • Download latest FRIDA server for android: link to the latest version. Download the android version and copy the executable file to your mobile phone, under /data/local/tmp folder.
  • Start frida on mobile phone
  • Install objection from github: link to the Github project.
  • run the following command
    • objection -g PACKAGE_NAME explore -q
    • android sslpinning disable
 

How to program ESP8266 with Arduino

Some notes, as a reminder

  • ESP8266 RX : to arduino RX
  • ESP8266 GPIO : GND while programming, to 3.3V for USAGE
  • ESP8266 GPIO2 : floating
  • ESP8266 RST: floating
  • ESP8266 CH_PD: to 3.3V
  • ESP8266 TX: to Arduino TX
  • Power and GND to 3.3V and ground…

Remember to use an Arduino UNO as board. On Arduino IDE select Generic ESP8266 as board

While programming, put also RST pin of Arduino board to GND. Check that GPIO0 is set to GND, and press Arduino RESET BUTTON BEFORE PLUG THE USB PORT.

 

Setup a Raspberry Pi TOR proxy

This is not a real HOW TO, it’s a two-step guide for setting up a Raspberry PI (with a wifi usb adapter) in order to create an easy-to-use TOR proxy on a WiFi Access Point.
Two simple steps:

  1. Create a Wifi Access Point on your Raspberry following this guide: https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md
  2. Install and configure TOR using this git repo: https://github.com/sarbyn/tor_box/blob/master/README.md

So simple!

 

Kali linux Post-IT

This is another personal Post-IT about some kali linux tools. Every time I forgot the various options or steps in order to do some basic tasks.

This is NOT an Hacker HOW-TO. Remember to use those tools only on your own network and on your own device as target!

Ettercap for dummies

  • Open Ettercap and select Sniff –> Unified sniffing (CTRL + U)
  • Scan for hosts (CTRL + S)
  • Open hosts list (CTRL + H) and select your target as TARGET 1
  • Open Mitm –> ARP posioning  —> select “Sniff remote connections”
  • Stop sniffing (Maiusc + CTRL + E) and start again (Maiusc + CTRL + W)
  • View connections (Maiusc + CTRL + C)

Bettercap for dummies

Install “.bettercap/bettercap-ca.pem” certificate on target device. No needs to set iptables rules or run aprspoof. Remember some bettercap command line options:

  • -T <target ip>
  • -I <interface>
  • -X (enables sniffing)
  • –proxy (enables http proxy)
  • –proxy-https (enables https proxy)
  • –log <logfile>
  • -P ‘<parser name>’
  • –full-duplex
  • –log-http-response
 

Unpack, modify and rebuild an APK

This is NOT an “Android hacker HOW-TO”. This is only a quick reference for myself.

  • Step 1 : decompile APK using apktool d -f -r app_name.apk
  • Step 2 : delete the original apk
  • Step 2 : Modify SMALI files
  • Step 3 : Rebuild apk using apktool b app_name
  • Step 4 : Generate a signing key with keytool -genkey -keystore test.keystore -validity 10000 -alias test
  • Step 5 : Sign the new APK jarsigner -keystore test.keystore -verbose app_name.apk test
  • Step 7 : Install apk and enjoy!
apktool d -f -r app_name.apk
delete app_name.apk
--- modify smali files ---
apktool b app_name -o app_name.apk
keytool -genkey -keystore test.keystore -validity 10000 -alias test
zipalign -v 4 app_name.apk app_name_aligned.apk
apksigner sign --ks test.keystore --out app_name_aligned.apk app_name_signed.apk
adb install -r app_name_signed.apk
 

Install KODI on raspiNAS

My raspiNAS is based on a raspberry pi 2, with 1GB of ram and a 4core ARM processor, a more powerful board able to run a NAS and also a full HD media center. So in order to simplify my home setup and remove a raspberry I’ve decided to merge the KODI mediacenter (based on OSMC) into the raspiNAS board.

We have to create the group “input” if it doesn’t exist.

sudo addgroup --system input

Edit the file

sudo nano /etc/udev/rules.d/99-input.rules

enter the following text and save it:

SUBSYSTEM==input, GROUP=input, MODE=0660
KERNEL==tty[0-9]*, GROUP=tty, MODE=0660

Create & edit the following file:

sudo nano /etc/udev/rules.d/10-permissions.rules

enter this text and save it:

# input
KERNEL=="mouse*|mice|event*",   MODE="0660", GROUP="input"
KERNEL=="ts[0-9]*|uinput",     MODE="0660", GROUP="input"
KERNEL==js[0-9]*,             MODE=0660, GROUP=input
# tty
KERNEL==tty[0-9]*,            MODE=0666
# vchiq
SUBSYSTEM==vchiq,  GROUP=video, MODE=0660

Run the following commands for user pi (if you haven’t changed your user name):

sudo usermod -a -G audio pi
sudo usermod -a -G video pi
sudo usermod -a -G input pi
sudo usermod -a -G dialout pi
sudo usermod -a -G plugdev pi
sudo usermod -a -G tty pi

To play full HD video in Kodi, you have to set

gpu_mem=160

in /boot/config.txt (or higher) and reboot the board.

Now install kodi with:

sudo apt-get install kodi

Edit /etc/default/kodi in order to start kodi at boot:

# Set this to 1 to enable startup
ENABLED=1

# The user to run Kodi as
USER=pi

# Adjust niceness of Kodi (decrease for higher priority)
NICE=-5

Source: https://www.raspberrypi.org/forums/viewtopic.php?t=99866

 

Allow SSH trafic from local net and from a specific IP

I need to connect to my raspiNAS server from the local network and from a specific IP (my office IP address) but I don’t want to let it open to the world. So the steps are:
Configure a NAT rule in order to enable TCP port fowarding
Let’s play with iptables

# iptables -A INPUT -s OFFICE_IP/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j DROP

Setup iptables at boot:

sudo bash -c 'iptables-save > /etc/network/iptables'
sudo nano /etc/network/interfaces

At the bottom add

pre-up iptables-restore < /etc/network/iptables
 

Error building i9515 kernel

My linux build machine died some days ago, and then I lost my working build environment.
Luckily I found this helpful post on XDA with a working VM out-of-the-box and then, after the usual repo sync… I found a strange error during kernel build

/bin/sh: -c: line 0: syntax error near unexpected token `('
/home/android/i9515/kernel/samsung/jf/scripts/Makefile.build:307: recipe for target 'scripts/mod/empty.o' failed

Changing the /bin/sh from /bin/dash to /bin/bash the error changes a little bit and shows some other infos

/bin/sh: -c: line 0: `set -e; echo ' CC scripts/mod/empty.o'; /home/android/i9515/kernel/samsung/jf/scripts/gcc-wrapper.py /home/android/i9515/prebuilts/misc/linux-x86/ccache/ccache /home/android/i9515/prebuilts/gcc/linux-x86/arm/arm-eabi-4.9/bin/arm-eabi-gcc -Wp,-MD,scripts/mod/.empty.o.d -nostdinc -isystem ccache: FATAL: /home/android/i9515/prebuilts/gcc/linux-x86/arm/arm-eabi-4.9/bin/arm-eabi-gcc: execv returned (No such file or directory)
[...]

So…this is simple an error with my cross compiler configuration. Google team changes the compiler name from arm-eabi to arm-linux-androideabi, and so it’s very simple to fix.
This is the diff for the “BoardConfigCommon.mk” file

diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 872bdc9..fe64f87 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -43,8 +43,8 @@ BOARD_MKBOOTIMG_ARGS := --ramdisk_offset 0x02000000
BOARD_KERNEL_PAGESIZE := 2048
TARGET_KERNEL_CONFIG := cyanogen_jfve_defconfig
TARGET_KERNEL_SOURCE := kernel/samsung/jf
-KERNEL_TOOLCHAIN := $(ANDROID_BUILD_TOP)/prebuilts/gcc/$(HOST_OS)-x86/arm/arm-eabi-4.9/bin
-KERNEL_TOOLCHAIN_PREFIX := arm-eabi-
+KERNEL_TOOLCHAIN := $(ANDROID_BUILD_TOP)/prebuilts/gcc/$(HOST_OS)-x86/arm/arm-linux-androideabi-4.9/bin
+KERNEL_TOOLCHAIN_PREFIX := arm-linux-androideabi-
 

RaspiNAS – DIY nas with a Raspberry

After more than one year with my NAS build over an ALIX, I bought a Raspberry pi 2 and I want to check if the “USB POWER BUG” is resolved now.

I don’t need an high speed NAS so the speed issue with the shared PCI link between USB hub and network adapter is not so important.

Advantages of a Raspberry pi 2 setup are:

  • Less power consumption: raspberry drain half the power of an Alix card
  • Flexibility: 4 USB ports instead of 2
  • Smaller: Raspberry Pi 2 is smaller than Alix board

So this is a copy&paste from my previous post, adapted for the new environment

Install Raspbian lite

Go to Raspbian download page and download the lite version

Install VIM
# apt-get install vim
Add new user
# useradd -m -s /bin/bash sarbyn
# passwd sarbyn
Add user to sudo
# visudo --- add user
Install NTFS-3G
# apt-get install ntfs-3g
Fstab and volumes
# mkdir /mnt/TimeMachine
# mkdir /mnt/MUSIC
# chown sarbyn:sarbyn /mnt/MUSIC
# chown sarbyn:sarbyn /mnt/TimeMachine

UUID=206606FF6606D606 /mnt/MUSIC ntfs-3g   rw,defaults     0       0
UUID=03c90579-88f0-4478-ae8d-adc64972a07d /mnt/TimeMachine ext4 defaults 0 0
Samba
# apt-get install samba samba-common-bin
# service samba stop
# mv /var/lib/samba /var/tmp/samba
# ln -s /var/tmp/samba /var/lib/samba
# smbpasswd -a sarbyn
[mnt]
path = /mnt
read only = Yes
guest only = Yes
guest ok = Yes

[mnt_RW]
path = /mnt
read only = No
valid user = sarbyn
browseable = yes
writable = yes
SSH
$ mkdir .ssh
$ chmod 0700 .ssh/
$ cd .ssh
$ ls
$ vim authorized_keys
$ chmod 600 authorized_keys

Disable root login and plaintext login in /etc/ssh/sshd_config file

Transmission
# apt-get install transmission-daemon
# service transmission-daemon start
FIX cracklib config

I don’t know if it is required with new Jessie debian version…but I’ve repeated it

# apt-get install cracklib-runtime
# create-cracklib-dict /usr/share/dict/*

Before
root@voyage:/var/cache/cracklib# ls -la
-rw-r--r-- 1 root root 1024 Oct 4 13:28 cracklib_dict.hwm
-rw-r--r-- 1 root root 16 Oct 4 13:28 cracklib_dict.pwd
-rw-r--r-- 1 root root 16 Oct 4 13:28 cracklib_dict.pwi
-rw-r--r-- 1 root root 65 Oct 4 13:17 src-dicts

AFTER
root@voyage:/var/cache/cracklib# ls -la
-rw-r--r-- 1 root root 1024 Oct 7 22:46 cracklib_dict.hwm
-rw-r--r-- 1 root root 412696 Oct 7 22:46 cracklib_dict.pwd
-rw-r--r-- 1 root root 22968 Oct 7 22:46 cracklib_dict.pwi
-rw-r--r-- 1 root root 65 Oct 4 13:17 src-dicts
# cd /usr/lib/
# root@voyage:/usr/lib# ln -s  /var/cache/cracklib/cracklib_dict.hwm
# root@voyage:/usr/lib# ln -s  /var/cache/cracklib/cracklib_dict.pwd
# root@voyage:/usr/lib# ln -s  /var/cache/cracklib/cracklib_dict.pwi
Netatalk

*DON’T USE NETATALK FROM DEBIAN REPOS*
The older version of netatalk are VERY…VERY unstable. Download the sources from Netatalk site and follow —> this tutorial <—

# apt-get install build-essential libevent-dev libssl-dev libgcrypt11-dev libkrb5-dev libpam0g-dev libwrap0-dev libdb-dev libtdb-dev libmysqlclient-dev avahi-daemon libavahi-client-dev libacl1-dev libldap2-dev libcrack2-dev systemtap-sdt-dev libdbus-1-dev libdbus-glib-1-dev libglib2.0-dev tracker libtracker-sparql-1.0-dev libtracker-miner-1.0-dev 
# apt-get install avahi-daemon

# insserv avahi-daemon
# insserv netatalk
# /etc/init.d/avahi-daemon start
# /etc/init.d/netatalk start

Edit “/usr/local/etc/afp.conf”.

[Global]
; Global server settings
uam list = uams_dhx.so,uams_dhx2.so
set password = yes

[MusicAFP]
    path = /mnt/MUSIC

[TimeMachineAFP]
    path = /mnt/TimeMachine
    time machine = yes

Add user to Netatalk (using the SHORT password)

# afppasswd -an sarbyn
FIX BOOT

The NTFS volume does not mount at boot, so add some lines on /etc/rc.local

# vim /etc/rc.local

service transmission-daemon stop
mount -a
swapon /mnt/MUSIC/swapfile
service transmission-daemon start

# chmod +x /etc/rc.local
NOIP client
# wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
# tar xzf noip-duc-linux.tar.gz
# cd no-ip-2.1.9
# make
# make install
# sudo noip2 -U 60
Install RPI monitor

Rpi monitor is a small web application that shows usage statistics of a raspberry pi board. Install rpi monitor following this link
Configure /etc/rpimonitor/storage.conf in order to setup storage monitoring and edit the /etc/rpimonitor/data.conf in order to include the storage.conf entry.

Optional – MiniDLNA support

If you need miniDLNA support follow this link

Final step – do a MicroSD backup

Now is all setted up but it’s better to do a MicroSD backup using dd

# dd if=DISK of=raspinas-backup.img bs=1m
 

How to build cm13 on i9515 (Samsung s4 Value Edition) [UPDATED]

XDA user “sombree” has ported CM 13.0 on Samsung Galaxy S4 Value Edition (i9515)

In order to build a working rom you need to add a local manifest with the right device configuration and kernel

mkdir .repo/local_manifests
vim .repo/local_manifests/roomservice.xml

Edit the file and add the following XML

<?xml version="1.0" encoding="UTF-8"?>
<manifest>
  <project name="jfvelte-dev/proprietary_vendor_samsung" path="vendor/samsung" remote="github" />
  <project name="CyanogenMod/android_device_qcom_common" path="device/qcom/common" remote="github" />
  <project name="CyanogenMod/android_device_samsung_qcom-common" path="device/samsung/qcom-common" remote="github" />
  <project name="jfvelte-dev/android_device_samsung_jfvelte" path="device/samsung/jfvelte" remote="github" />
  <project name="jfvelte-dev/android_device_samsung_jf-common" path="device/samsung/jf-common" remote="github" />
  <project name="jfvelte-dev/android_kernel_samsung_jf" path="kernel/samsung/jf" remote="github" />
</manifest>

Then do a simply

brunch jfvelte

Thanks to Sombree for the hints about roomservice.xml and for the porting, of course 🙂

Source: XDA Forum