public:wikiblog:26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls [2025/05/26 21:50] – created mdukat
public:wikiblog:26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls [2025/05/27 00:25] (current) mdukat
Line 8:
  
   - Dell Latitude 5290 with Ubuntu 24.04
-  - Blackberry Q5 with some weird BBOS 10 version that I'm unable to exploit
 +  - Blackberry Q5 with BBOS 10.2.1.3247
  
 ...and that's it.
Line 25:
   - clients3.google.com
   - cs.sl.blackberry.com (only after DNS response for inet.registration.blackberry.com)
 +  - time.blackberry.com (only after answer to PKIOperation request)
  
 ==== Setting up local DNS server ====
Line 77 (now 78):
   - Then it wants to do a ''PKIOperation'' which I would believe to be a [[https://en.wikipedia.org/wiki/Public_key_infrastructure|Public key request]]
   - And after pressing the "Hotspot login" button on BB, it asks about ''wifiloginsuccess'' again
 +
 +What we can do with this information:
 +
 +  - Crash the browser with some WebKit exploit, in the hope that it drops out to the home screen?
 +  - Check what this PKI Operation sends to the server and try to serve it ourselves?
 +
 +==== Checking out PKI Operation request ====
 +
 +Let's check that PKI Operation request. A quick addition to the nginx configuration forwards that path to port 5000, which we'll use later:
 +
 +<code>
 +location /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1 {
 + proxy_pass http://localhost:5000;
 + proxy_set_header Host $host;
 + proxy_set_header X-Real-IP $remote_addr;
 + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 + proxy_set_header X-Forwarded-Proto $scheme;
 +}
 +</code>
 +
 +Restart nginx, run netcat listening on port 5000 and tee its output to a file (''nc -l -p 5000 | tee test.bin''), and we get...
 +
 +<code>
 +POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0
 +Host: pki.services.blackberry.com
 +X-Real-IP: 10.42.0.61
 +X-Forwarded-For: 10.42.0.61
 +X-Forwarded-Proto: http
 +Connection: close
 +Content-Length: 2013
 +Accept: */*
 +
 +0�0�1 *�H��
 +��0�1�0�`�He0� *�H��
 +[...]
 +</code>
 +
 +After removing the HTTP header from the file (everything up to and including the first blank line; ''Content-Length: 2013'' tells us how many bytes of body should be left), let's check what we're working with...
 +
 +<code>
 +mdukat@mdukat-Latitude-5290:~$ file Downloads/test.bin 
 +Downloads/test.bin: DER Encoded PKCS#7 Signed Data
 +mdukat@mdukat-Latitude-5290:~$ openssl pkcs7 -inform der -in Downloads/test.bin -print_certs -text
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number: 9020257421968243025 (0x7d2e64557aff7951)
 +        Signature Algorithm: ecdsa-with-SHA512
 +        Issuer: C=CA, O=Research In Motion Limited, OU=BlackBerry, CN=2BD06E17
 +        Validity
 +            Not Before: May 26 23:06:27 2025 GMT
 +            Not After : May 26 23:06:27 2026 GMT
 +        Subject: C=CA, O=Research In Motion Limited, OU=BlackBerry, CN=2BD06E17
 +        Subject Public Key Info:
 +            Public Key Algorithm: id-ecPublicKey
 +                Public-Key: (256 bit)
 +                pub:
 +                    04:36:d2:a1:09:92:39:e2:3d:22:3a:f7:26:61:6d:
 +                    b8:2a:da:d9:d5:ac:16:61:34:59:c1:41:22:c7:40:
 +                    ae:48:9b:8d:87:cc:6c:df:a5:7c:6e:93:83:9d:4f:
 +                    90:3b:cb:16:b2:a0:3c:4e:4d:d4:ba:3a:4b:d0:9d:
 +                    2d:14:b3:e7:c8
 +                ASN1 OID: prime256v1
 +                NIST CURVE: P-256
 +        X509v3 extensions:
 +            X509v3 Key Usage: critical
 +                Digital Signature, Key Encipherment
 +            X509v3 Extended Key Usage: critical
 +                TLS Web Server Authentication, TLS Web Client Authentication
 +    Signature Algorithm: ecdsa-with-SHA512
 +    Signature Value:
 +        30:46:02:21:00:be:df:fe:bf:46:a6:ff:5e:79:2c:39:d3:f6:
 +        d0:8b:f2:01:e0:3b:6c:40:22:ae:3f:d8:28:40:cf:9c:3f:af:
 +        a4:02:21:00:e8:31:5b:b9:ae:24:5e:b7:7e:54:88:d1:cf:3e:
 +        c1:55:84:43:aa:00:fb:e1:ee:19:b4:db:a3:60:da:1d:b7:48
 +-----BEGIN CERTIFICATE-----
 +MIIB3zCCAYSgAwIBAgIIfS5kVXr/eVEwCgYIKoZIzj0EAwQwWjELMAkGA1UEBhMC
 +Q0ExIzAhBgNVBAoMGlJlc2VhcmNoIEluIE1vdGlvbiBMaW1pdGVkMRMwEQYDVQQL
 +DApCbGFja0JlcnJ5MREwDwYDVQQDDAgyQkQwNkUxNzAeFw0yNTA1MjYyMzA2Mjda
 +Fw0yNjA1MjYyMzA2MjdaMFoxCzAJBgNVBAYTAkNBMSMwIQYDVQQKDBpSZXNlYXJj
 +aCBJbiBNb3Rpb24gTGltaXRlZDETMBEGA1UECwwKQmxhY2tCZXJyeTERMA8GA1UE
 +AwwIMkJEMDZFMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ20qEJkjniPSI6
 +9yZhbbgq2tnVrBZhNFnBQSLHQK5Im42HzGzfpXxuk4OdT5A7yxayoDxOTdS6OkvQ
 +nS0Us+fIozQwMjAOBgNVHQ8BAf8EBAMCBaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
 +AwEGCCsGAQUFBwMCMAoGCCqGSM49BAMEA0kAMEYCIQC+3/6/Rqb/XnksOdP20Ivy
 +AeA7bEAirj/YKEDPnD+vpAIhAOgxW7muJF63flSI0c8+wVWEQ6oA++HuGbTbo2Da
 +HbdI
 +-----END CERTIFICATE-----
 +</code>
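The same information can be pulled out without ''openssl'', which also makes the PKCS#7 layout explicit. What follows is an added example, not code from the original post: a stdlib-only DER walker that descends ContentInfo -> SignedData -> certificates and then summarises the certificate it finds. The certificate embedded in it is the one printed above. Since the capture file itself isn't reproduced on this page, ''constructed_signed_data()'' wraps that certificate in a minimal SignedData shell purely so the extraction path can be run offline; it carries no SignerInfo, so it is not a valid SCEP message and must not be mistaken for the device's real request. Two fields are the point: ''self_signed'' is true (issuer DN equals subject DN), which is what a SCEP requester that has no certificate yet uses to sign its first enrollment request (RFC 8894, section 2.3), and the CN ''2BD06E17'' has the shape of an 8-hex-digit BlackBerry device PIN, which is my assumption and not something the capture confirms.

```python
import base64

# Certificate that `openssl pkcs7 -print_certs` pulled out of the capture above (from the page).
DEVICE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIB3zCCAYSgAwIBAgIIfS5kVXr/eVEwCgYIKoZIzj0EAwQwWjELMAkGA1UEBhMC
Q0ExIzAhBgNVBAoMGlJlc2VhcmNoIEluIE1vdGlvbiBMaW1pdGVkMRMwEQYDVQQL
DApCbGFja0JlcnJ5MREwDwYDVQQDDAgyQkQwNkUxNzAeFw0yNTA1MjYyMzA2Mjda
Fw0yNjA1MjYyMzA2MjdaMFoxCzAJBgNVBAYTAkNBMSMwIQYDVQQKDBpSZXNlYXJj
aCBJbiBNb3Rpb24gTGltaXRlZDETMBEGA1UECwwKQmxhY2tCZXJyeTERMA8GA1UE
AwwIMkJEMDZFMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ20qEJkjniPSI6
9yZhbbgq2tnVrBZhNFnBQSLHQK5Im42HzGzfpXxuk4OdT5A7yxayoDxOTdS6OkvQ
nS0Us+fIozQwMjAOBgNVHQ8BAf8EBAMCBaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAoGCCqGSM49BAMEA0kAMEYCIQC+3/6/Rqb/XnksOdP20Ivy
AeA7bEAirj/YKEDPnD+vpAIhAOgxW7muJF63flSI0c8+wVWEQ6oA++HuGbTbo2Da
HbdI
-----END CERTIFICATE-----"""

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"     # id-signedData, the ContentInfo type a SCEP pkiMessage uses


def pem_to_der(pem):
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))


def read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """All (tag, value) pairs inside a constructed (SEQUENCE / SET / [n]) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def der_encode(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                            # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_name(value):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { type OID, value } -> [(dotted OID, text)]."""
    out = []
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)[:2]
            out.append((decode_oid(oid), text.decode("utf-8")))
    return out


def extract_certificates(pkcs7_der):
    """ContentInfo -> [0] EXPLICIT SignedData -> [0] IMPLICIT certificates, returned as DER blobs."""
    _, content_info, _ = read_tlv(pkcs7_der, 0)
    (_, ctype), (_, explicit0) = children(content_info)[:2]
    if decode_oid(ctype) != OID_SIGNED_DATA:
        raise ValueError("not a CMS SignedData ContentInfo")
    signed_data = children(explicit0)[0][1]
    return [der_encode(t, v) for tag, val in children(signed_data) if tag == 0xA0
            for t, v in children(val) if t == 0x30]


def inspect_certificate(der):
    """Just enough X.509 to see who signed the request: DNs, validity, EC public key."""
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)
    fields, version = children(tbs), 1
    if fields[0][0] == 0xA0:                     # [0] EXPLICIT version is present for v2/v3
        version, fields = children(fields[0][1])[0][1][0] + 1, fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    (_, not_before), (_, not_after) = children(validity)
    return {"version": version,
            "serial": int.from_bytes(serial, "big", signed=True),
            "signature_algorithm": decode_oid(children(sig_alg)[0][1]),
            "issuer": parse_name(issuer), "subject": parse_name(subject),
            "self_signed": issuer == subject,    # identical DNs: no CA vouches for this key
            "not_before": not_before.decode(), "not_after": not_after.decode(),
            "public_key": children(spki)[1][1][1:]}  # BIT STRING minus unused-bits byte: 04||X||Y


def constructed_signed_data(cert_der):
    """Constructed stand-in for the capture: SignedData shell with empty digestAlgorithms/signerInfos."""
    id_data = der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")
    signed = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"") +
                        der_encode(0x30, id_data) + der_encode(0xA0, cert_der) + der_encode(0x31, b""))
    return der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der_encode(0xA0, signed))
```

On the real capture, ''extract_certificates(open("test.bin", "rb").read())'' (after the HTTP header has been stripped) should give exactly one certificate, and ''inspect_certificate'' on it reproduces the issuer/subject/serial the ''openssl'' output shows. The walker only follows the ''[0]'' certificates arm; the signed attributes that make it a SCEP message (messageType, transactionID, senderNonce) live in the SignerInfo, which it deliberately leaves alone.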
 +
 +Let's make a simple Flask app and try answering with a plain "OK" message. We'll also save the requests for later.
 +
 +<code python>
 +from flask import Flask, request
 +import uuid
 +
 +app = Flask(__name__)
 +
 +# nginx proxies the SCEP path here, so every PKIOperation POST lands in this handler
 +@app.route('/ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1', methods=['POST'])
 +def handle_post():
 +    # dump the raw DER body (no HTTP headers this time) to a unique file for later analysis
 +    filename = f"/tmp/request_{uuid.uuid4().hex}.dat"
 +    with open(filename, 'wb') as f:
 +        f.write(request.get_data())
 +    print(f"{request.args.get('operation')}: {request.content_length} bytes "
 +          f"({request.content_type}) saved to {filename}")
 +
 +    # answer with plain text and see whether the device is satisfied with that
 +    return "OK", 200
 +
 +if __name__ == '__main__':
 +    app.run(host='0.0.0.0', port=5000)
 +</code>
 +
 +Run it, and... nothing. The BlackBerry still says there's no internet connection, even though both ''wifiloginsuccess'' and ''PKIOperation'' return 200 OK. What's interesting is that the BB repeats the PKIOperation request about once a second, five times in a row (see the log below). Kinda fast for a simple retry, I think?
 +
 +<code>
 +(venv) mdukat@mdukat-Latitude-5290:~/Documents$ python3 app.py 
 + * Serving Flask app 'app'
 + * Debug mode: off
 +WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 + * Running on all addresses (0.0.0.0)
 + * Running on http://127.0.0.1:5000
 + * Running on http://192.168.0.129:5000
 +Press CTRL+C to quit
 +127.0.0.1 - - [27/May/2025 01:55:48] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:49] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:51] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:52] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:53] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +</code>
 +
 +----
 +
 +After some more research, I learned that this is based on the [[https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.pdf|SCEP protocol]] (Simple Certificate Enrollment Protocol, RFC 8894) for device enrollment. In SCEP, ''?operation=PKIOperation'' carries a PKCS#7/CMS SignedData (presumably a ''PKCSReq'' here, signed with the self-signed certificate shown above), and the client expects a ''CertRep'' back: another CMS SignedData, served with ''Content-Type: application/x-pki-message'' and signed by the RA/CA key whose certificate the device already trusts. A plain-text "OK" doesn't parse as that, so the device just retries. To answer it from "my" server I would need more than a copy of the CA certificate that's on the device itself: I'd need the private key behind it, which isn't on the device.
 +
 +===== Files generated in this analysis =====
 +
 +  - {{ :public:wikiblog:26.05.2025-blackberry10-pkioperation-requests.tar }}
public/wikiblog/26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls.1748296248.txt.gz · Last modified: 2025/05/26 21:50 by mdukat