public:wikiblog:26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls

Differences

This shows you the differences between two versions of the page.

public:wikiblog:26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls [2025/05/26 23:17] mdukatpublic:wikiblog:26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls [2025/05/27 00:25] (current) mdukat
Line 25: Line 25:
   - clients3.google.com   - clients3.google.com
   - cs.sl.blackberry.com (only after DNS response for inet.registration.blackberry.com)   - cs.sl.blackberry.com (only after DNS response for inet.registration.blackberry.com)
 +  - time.blackberry.com (only after answer to PKIOperation request)
  
 ==== Setting up local DNS server ==== ==== Setting up local DNS server ====
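Review bot: the added time.blackberry.com entry says "only after answer to PKIOperation request" but does not say what kind of answer triggers it. The entry above it is specific ("only after DNS response for inet.registration.blackberry.com"); this one should likewise state whether any HTTP 200 reply is enough or whether a particular response body is needed, and whether the observation is a DNS lookup for the name or an actual connection to it. That matters for the "Setting up local DNS server" section that follows, since a reader needs to know whether the local resolver has to answer this name as well.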
Line 166: Line 167:
 -----END CERTIFICATE----- -----END CERTIFICATE-----
 </code> </code>
 +
 +Let's make a simple Flask app and try answering an "OK" message. We'll also save the requests for later.
 +
 +<code python>
 +from flask import Flask, request
 +import os
 +import uuid
 +
 +app = Flask(__name__)
 +
 +@app.route('/ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1', methods=['POST'])
 +def handle_post():
 +    filename = f"/tmp/request_{uuid.uuid4().hex}.dat"
 +    
 +    with open(filename, 'wb') as f:
 +        f.write(request.data)
 +    
 +    return "OK", 200
 +
 +if __name__ == '__main__':
 +    app.run(host='0.0.0.0', port=5000)
 +</code>
 +
 +Run, and... Nothing, Blackberry still says that there's no internet connection, even tho both ''wifiloginsuccess'' and ''PKIOperation'' return 200 OK. What's interesting, is that BB tries this PKIOperation request every second, five times. Kinda fast for a simple retry, I think?
 +
 +<code>
 +(venv) mdukat@mdukat-Latitude-5290:~/Documents$ python3 app.py 
 + * Serving Flask app 'app'
 + * Debug mode: off
 +WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 + * Running on all addresses (0.0.0.0)
 + * Running on http://127.0.0.1:5000
 + * Running on http://192.168.0.129:5000
 +Press CTRL+C to quit
 +127.0.0.1 - - [27/May/2025 01:55:48] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:49] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:51] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:52] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +127.0.0.1 - - [27/May/2025 01:55:53] "POST /ra/scep/rimbbcp-ica-1/rimbbcp-ira-1/rimbbcp-dev-p1?operation=PKIOperation HTTP/1.0" 200 -
 +</code>
 +
 +----
 +
 +After some more research, I learned that it is a base of [[https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.pdf|SCEP protocol]] for device enrollment, and that I would probably need a CA cert that's on the device itself, to sign it from "my" server.
 +
 +===== Files generated in this analysis =====
 +
 +  - {{ :public:wikiblog:26.05.2025-blackberry10-pkioperation-requests.tar }}
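Review bot: handle_post() in the added Flask app writes only request.data to /tmp/request_<uuid>.dat, so the saved captures lose the query string (?operation=PKIOperation in the log), the request headers, and the order of the five retries, because random UUID filenames carry no sequence. Saving request.query_string and request.headers next to the body and putting a timestamp or counter in the filename would make the archive linked under "Files generated in this analysis" easier to analyse later. The log also shows every request arriving from 127.0.0.1 over HTTP/1.0 while the app listens on 0.0.0.0:5000, so the text should say what sits in front of the app and forwards the device's requests to it. On the closing paragraph: a SCEP PKIOperation reply is a signed PKCS#7/CMS message served with the content type application/x-pki-message, so a plain-text "OK" body cannot be parsed as an enrollment response, which is consistent with the five one-second retries described; it would help to state that next to the retry observation.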
public/wikiblog/26-05-2025-en-reverse-engineering-blackberry-q5-setup-wifi-calls.1748301464.txt.gz · Last modified: 2025/05/26 23:17 by mdukat