Tag Archives: flash

Hack your way into the Misfit

Looking into the messy and promising world of IoT

And, of course, all the other wearable devices (well, I won't explain them right here, but the list is very long and not limited to: the Vivofit, Vivofit 2, your educational radar (yeah, those ones telling you in RED that you are currently over the 50 km/h limit BY 1 km/h!), etc.

But here we are... I was given a Misfit Flash device a few weeks ago and, after some research on Google (I really like the filters 😉 inurl:, etc.), I finally grabbed an SDK. The first one I found was limited. In parallel, I also checked on the website how I could grab the official SDK, since I really wanted to work on my own app to perform these actions:

  • Grab my sleep information
  • Show me how well I worked out during the day B° (you know, sitting down, getting up to grab my food when I am working in front of my desktop :p)

Making your way under the hood

Well, I found some interesting information when compiling the example app shipped with the zipped archive I found.

First of all, upon launching the app, it was no longer possible to use it :( the SDK seemed to limit the app's usability to:

  • having your Android device connected to the Internet
  • having the "network time" below a timestamp-based barrier!

"Dam****", I first thought, but hey, I am a "security researcher", so I grabbed the misfit-sdk-android.jar file and exploded it \o/

mkdir tmp ; cd tmp ; unzip ../misfit-sdk-android.jar

^ I am a rockstar

What tools did I use then?

  • JD-GUI
  • JBE

JD-GUI: used to reverse engineer the library quickly enough and look under the hood. JBE: well, rewrite the class to later simply do this (i.e.):

jar ufv ../misfit-sdk-android.jar com/misfitwearables/..../SDKSetting.class

Those two parts were really fun to perform.

Rewrite the world to conquer the universe

My way into the library was really informative. I found some fuc***** newbie errors in it. First, they assumed that everything was "proguarded" well enough (seriously, dudes...). Secondly, "shut your a**** !?", 0_0, you put hardcoded, non-proguardable values into the code to check the current timestamp against this long value. Yikes!! And terrible to show self-confid... Hmm, not sure about this one.

This type of coding issue was present in a few places in the library: very easy to find, easy to circumvent and easy to reinsert (see jar uf).
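As an added example (my own illustration, not the author's code and not the Misfit SDK's), here is what "easy to find, easy to circumvent" looks like when done with a few lines of Python instead of by eye in JD-GUI: walk a .class file's constant pool, flag CONSTANT_Long entries that sit in a plausible epoch-milliseconds window (the kind of hardcoded barrier ProGuard cannot rename away), and overwrite one in place so the class can be dropped back into the jar with jar uf. The class bytes are hand-built for the example and the class name com/example/SDKSetting is assumed.

```python
"""Find and rewrite timestamp-like long constants in a Java .class file.

Added, illustrative tool: not code from the Misfit SDK. The class-file
bytes built by build_sample_class() are constructed for this example.
"""
import struct
from datetime import datetime, timezone

# Constant-pool tag -> body size in bytes for fixed-size entries
# (Utf8 = tag 1 is variable-length and handled separately).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Epoch-millisecond window treated as "looks like a timestamp":
# 2000-01-01T00:00:00Z .. 2040-01-01T00:00:00Z (assumed, adjust as needed)
_MS_LO = 946684800 * 1000
_MS_HI = 2208988800 * 1000


def parse_constant_pool(data):
    """Return (entries, pool_end); entries maps cp index -> (tag, body_offset, value)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, idx, entries = 10, 1, {}
    while idx < count:
        tag, body = data[off], off + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, body)
            value = data[body + 2:body + 2 + length].decode("utf-8", "replace")
            size = 2 + length
        elif tag == 5:  # CONSTANT_Long: 8-byte big-endian, occupies two slots
            (value,) = struct.unpack_from(">q", data, body)
            size = 8
        elif tag == 3:  # CONSTANT_Integer
            (value,) = struct.unpack_from(">i", data, body)
            size = 4
        elif tag in _FIXED:  # other entries: keep raw bytes, we only need the size
            size = _FIXED[tag]
            value = data[body:body + size]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off}")
        entries[idx] = (tag, body, value)
        off = body + size
        idx += 2 if tag in (5, 6) else 1  # Long/Double take two pool slots
    return entries, off


def find_timestamp_longs(data):
    """Return [(cp_index, value, iso_utc)] for longs inside the timestamp window."""
    entries, _ = parse_constant_pool(data)
    hits = []
    for idx, (tag, _off, value) in sorted(entries.items()):
        if tag == 5 and _MS_LO <= value < _MS_HI:
            when = datetime.fromtimestamp(value / 1000, tz=timezone.utc)
            hits.append((idx, value, when.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return hits


def patch_long(data, cp_index, new_value):
    """Return a copy of the class with CONSTANT_Long #cp_index rewritten.

    Same-size in-place write: no other offset in the file moves, so the
    patched class can be re-added to the jar without touching anything else.
    """
    entries, _ = parse_constant_pool(data)
    tag, body, _ = entries[cp_index]
    if tag != 5:
        raise ValueError(f"constant #{cp_index} is not a long")
    out = bytearray(data)
    struct.pack_into(">q", out, body, new_value)
    return bytes(out)


def build_sample_class():
    """Hand-built minimal class file (constructed for this example)."""
    name, sup = b"com/example/SDKSetting", b"java/lang/Object"  # assumed names
    pool = b"\x07" + struct.pack(">H", 2)                       # #1 Class -> #2
    pool += b"\x01" + struct.pack(">H", len(name)) + name       # #2 Utf8
    pool += b"\x07" + struct.pack(">H", 4)                      # #3 Class -> #4
    pool += b"\x01" + struct.pack(">H", len(sup)) + sup         # #4 Utf8
    pool += b"\x05" + struct.pack(">q", 1435708800000)          # #5-#6 Long, 2015-07-01Z
    pool += b"\x05" + struct.pack(">q", 42)                     # #7-#8 Long, not a timestamp
    pool += b"\x03" + struct.pack(">i", 60000)                  # #9 Integer
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, 10)        # cp count = slots + 1
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    body = struct.pack(">HHHHHHH", 0x0021, 1, 3, 0, 0, 0, 0)
    return header + pool + body


if __name__ == "__main__":
    for idx, value, when in find_timestamp_longs(build_sample_class()):
        print(f"constant #{idx}: {value} ({when})")
```

On a real jar you would run this over every .class file extracted from it, then put the patched class back with jar uf as described above; the same-size write is what makes that a drop-in replacement.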

Please note that I found, a day later, a complete SDK without that coding garbage in it :p. This library is the one I will use for now!

Betrayed by the company

I looked into the documentation and the SDK: ** I DID NOT FIND ANY INFORMATION ABOUT THE SLEEP INFORMATION /!\ **. Maybe it was because the SDK I found was too old; I then checked on the Internet and was completely surprised to see THAT ALL SDKs LACK that information. Seriously, Misfit? You keep those lines for yourselves.

I reverse engineered the app to look for those lines B)

adb pull /data/app/com.misfitwearables.prometheus....
mkdir misfit_tmp ; cd misfit_tmp ; unzip ../com.misf.....apk
dex2jar classes.dex
open classes_dex2jar.jar -a JD-GUI # look into the source
mkdir ../misfit_decompiled ; cd ../misfit_decompiled ; unzip ../misfit_tmp/classes_dex2jar.jar

I then cross-checked the two jars. I saw that ProGuard was not used the same way (some classes were not proguarded in the app).

I finally erased all the non-useful packages from the misfit_decompiled folder (the open-sourced libraries, SDKs, etc.)

and applied the magic formula

jar uf path_to_misfit.jar com

AND TADAAA !

I now have a completely usable SDK (well, after copying the libstlport_shared.so and libSleepAlgorithm.so libs to the libs/armeabi folder).

One final thing: I kept the Version file from the archive I found, but replaced its content with 1.x-codlab.

Tidy things up

None of this is cleaned up yet. So what currently needs to be done:

  • rewrite the current SDK documentation provided by Misfit, since even for the current SDK the documentation PDF is outdated or wrong (wrong class names, missing methods and members) (1)
  • add the whole sleep information capability to the new documentation
  • create a proper Gradle implementation; it's 2015 and Eclipse is at its sunset in Android development compared with IntelliJ and Android Studio
  • create a GitHub project
  • bring the whole project into the real world
  • rewrite internal classes for more clarity and efficiency

Conclusion

To all companies out there: when you have successful products, open them, open the way for people to contribute, it is worth the risk. Did your competitors do things like this before me? YES. Will they continue? YES. I consider opening an SDK the minimum thing to do in 2015. Any script kiddie can achieve what I just did during those few days.

Note: I will never mention here how I completely reversed the current firmwares in the archive and that I am currently able to change the way the Misfit behaves (it seems I can't do everything; 80% is the current limit, I think).

Nota bene

People, CEO, CTO, I don't care, please... DO SOMETHING ABOUT THE SECURITY OF YOUR DEVICES! I can sniff around in the bus/train/... and dump every piece of non-synchronized data going from your devices to your smartphone without any user being aware that I am doing this!!!

Men In Black Neuralyzer on Android

Just a post about a new application I just released on the Android Market. This time, it is a free-to-download neuralyzer which can operate as a neuralyzer (erf on/ neuralyser? neuraliser? neuralizer? /erf off).

How does it work? It simply uses the camera's torch mode to turn the flash LED on and off. You can use it this way through Java code to handle Android's camera flash (the app needs the CAMERA permission in its manifest):

import android.hardware.Camera;
import android.hardware.Camera.Parameters;

// Requires android.permission.CAMERA in the manifest
Camera cam = Camera.open();
Parameters cam_parameters = cam.getParameters();

// Torch mode keeps the LED lit until it is switched off, unlike a single flash
cam_parameters.setFlashMode(Parameters.FLASH_MODE_TORCH);
cam.setParameters(cam_parameters);
// ... wait for the desired time here
cam_parameters.setFlashMode(Parameters.FLASH_MODE_OFF);
cam.setParameters(cam_parameters);

// Always release the camera so other apps can use it again
cam.release();

Download dynamic content from a site, or simply observe

This article will explain how to download content, or even just observe the transactions (requests) happening between your browser and the Internet, in order to have a bit more control, or even to recover the links to dynamic elements such as files used by some technology like Flash, or an image displayed as the banner of the site you are observing.

First of all, grab your browser (ah yes, I forgot, I will only talk about Firefox here :0) ) and look for the FireBug and FlashGot add-ons (the latter is very handy for downloading files automatically, etc.).

Once these two add-ons are installed, you will see a "bug" (i.e. an insect) at the right of your browser window's status bar; right-click it and enable each panel.

Now click (left-click) on the same icon and a window (or a menu, depending on your configuration) will appear.

Now go to the Net panel and, if you see nothing, simply reload your page and there, hop, a multitude of information appears: all the GET requests for pages, POSTs or GETs of forms, and so on.

Note: one particularly interesting thing concerns videos and other dynamic content, which often exceed 1 MB; you can easily see what is going on and draw "information" from it.