
Download Stock Rom intex i buddy connect 3g




>> alright, you hear me alright? >> good morning everyone. >> good morning. >> all right. ready to see some cool shit? >> yeah. >> okay. now, we are about to scare you a little bit, but a little bit of disclaimer and trigger warning we use a lot of stock photos just for kicks so enjoy them and thank you to goldy and smig, you don't know them, but we do. they helped us out they are awesome. we would like to say a big thank you to (indiscernible) thank you guys. it has been a pleasure working with you compared to some others. these two cds have

been recorded and that is length for the patch that has been released this morning. if you need a minute to copy it -- and we're going to do something different this time and start with a demo. sound broke? (indiscernible) all right. i'm duplicating. here you go. all right. h is going to be ugly. got a little ocd. here you go. so what we have here on the table is a tablet. no wires. windows 1. 1 standard tablet the only difference is this has 4glp enabled. now, to show you that -- all right. t mobile. we're all good. tablet is fine. now i

have a server, amazon that i'm going to connect to. and i'm going to start listening. in the meantime i'm going to reboot the tablet. just to be clear, it is only lt right now, no wifi. i will reboot the tablet real quick. watch the left side of the screen and the tablet restarting. time for awkward silence. if you guys have any questions, this is def con, feel free to interrupt. >> left side is your (indiscernible) >> yes. discount they believe. externally on the internet. this is externally on the internet. >> (indiscernible) >> um, no.

(laughter) why is the tablet so slow? can i do this with iphones? >> no. here we go. so wait for it. just keeping you alive. what you see on the left side is a reverse shell coming from the internal lt module. this is not the fun part yet. wait wait wait. told you i'm going to scare you. just have to wait for the tablet. yes. >> (indiscernible) >> not the tablet, the internal lt module inside the tablet connected back to my server. >> take a mic. >> so we have no code running into the tablet but we have compromised the firmware of just

the lt at this point. >> starting point lt compromising lt module. sorry. >> so we have a tablet up. now, what i'm going to do from remote is i'm going to get a malicious cd image from our trusted server (laughter) i'm going to run a script now keep your eye on the tablet. (indiscernible) (laughter) i am. this is the problem with a demo. windows has this thing they need to refresh their devices. let's do this again. hacking in progress. all right. wait for the printers. there you go. anyone can think of a problem with this demo? >> yes. >> speak up. >>

(indiscernible) >> say that again. >> i didn't do nothing on the tablet but running a firmware update. >> (indiscernible) >> what i'm doing in front of you is telling the module to display a cd rom to host platform. yes. >> the device manager refresh. this is something odd with windows we have to tell it to sometimes not always we have to tell it to refresh and rescan devices for no apparent reason. they just need some sort of interruption. technically, yes. so anyone else can think of another problem within demo? come on. autorun.

who said that? okay. he knows the talk. we all fail. all right. autorun is enabled, which is not enabled by default in windows but -- this is a part where i scare you. i am going to go into (indiscernible) opening a command prompt and shutting down into options. this is going to be fast so i do a troubleshoot and now the tablet restarts and will appear in the virus window. there are ways around that. if you shut the screen off, the tablet you think it is asleep, but still awake. i go to bed you would never know. so what happens now is

everything power cycles, so the module itself is restarting and it is trying to require 4lg signal and go back to my in my amazon system. now we wait. any other questions? how much room do i have to drop on the module? sixty megs. >> (indiscernible) >> power shell. what? how much room do i have on the module to drop in the file? sixty megs. here we go. good thing i have this guy. so i'm loading or telling the module to display another composition to the host and when that is done, i'm going to end this script and this goes into you can't see it clearly

but goes to reboot and disables it. >> (indiscernible) >> nope. we will get to that. >> (indiscernible) >> what? >> (indiscernible) >> the keyboard driver, are we emulating a keyboard driver? >> yes. we emulate a usb device. this is a live video. >> (indiscernible) >> what we have a remote across the internet usb mouse keyboard and device. someone scared? >> (indiscernible) >> yeah. >> what? someone asked a question? which tablet does this affect? this is not any problem with the tablet itself. we're going to go into that so to scare you more

this has nothing to do with specific platforms. this will work on any machine that has an m2 slot and we will get to that too. lap demos are so boring. >> (indiscernible) >> has anyone (indiscernible) taken to dinner? >> maybe. (laughter) i don't know anyone from (indiscernible) so while this tablet is booting i have the module pinging google. now, here is another scary thing i will put the thing in airplane mode. watch the ping. (clapping) it's time for that tradition. (laughter) is it? >> yes. >> so give me one second i need to finish this demo. so now

i'm disabling my autoconnectback script and rebooting the module. the module is you brought your own. the module is restarting and if you look to the right, the right side, there takes a while. we have normal lt connection. just normal. def con is canceled by the way. no. >> (indiscernible) >> you have to wait for the talk itself. we started with the demo. (laughter) >> all right. so there is this tradition at def con where the goons come and tell the speaker to take a shot. so we said this time we're going to let the goons take a shot so

any goons in here now? are you a goon? >> so goons are not allowed to take a shot. we have dispensation for the speaker. these guys are not allowed to drink while on duty. i would love to give them a shot but they are not allowed to do that. so anyway, so don't drink yet. so this is for your new speakers, and i want to take a shot for the new -- so it's all about you, so cheers to anyone. (clapping) >> now you have to take another one. we fucked up and didn't give them their first shot. he has a special stash. we have to do this. >> you want to

do it scout. >> i am totally up for this. >> all right. if anyone else wants to do a shot this is time to come up here. >> all right. not the stage. (clapping) so you guy -- i want you guys to come on stage. you get the fire ball. >> shit. >> come on. i want you guys to come up on the stage while we do it. so this is because we didn't shoot them the first time. this is revenge people, revenge shot. >> so these guys (indiscernible) one second. use a cup. these guys represent all of you, so to def con. (clapping) >> now, we can start the presentation. so

first of all to the tablet question guy, this is a dell. this is not any oem problem. doesn't have to do with what device you're using the problem we are going to describe is a simple firmware update for internal module. adam -- these guys never forget secure firmware updates. if you remember (indiscernible) everyone remembers bad usb. cool thing in the medial it is a bad way of doing security updates. the problem is across many platforms and devices and we want to show this as a not specific vendor specific something, this is across the

market a problem. hi. that is jesse he is awesome. he also talks and will do it later. so we're talking about an internal 3g, 4g module that people use in their tablets, the in ones ultra books you name the factor if it has the right connector in it you can put the module in. put in a sim card and good to go. you see these devices all around mainly in big corporations. the reason we mention business devices because it is easier to get with support lg or g connective. some of these are sold as lte computer lte laptop. anyone have a lt in laptop

tablet or device this raise your hands. talk to charlie miller. what about hot spots? good question. same problem. okay. so how are these cards or modules plugged into your laptop or tablet. we have this m2 connector. what you see is the picture one and the key. so it is basically the replacement for mini-pci cards so smaller and everything is using this new slot. if you are a device and mini-pci card and you want to put the card in but looks like the same connector that is it. this thing has these protocols passing over it. 2pca bus, usb,

hell, yes. this thing goes with usb 3.0 as well and usb3 is fast as hell. so you can do a lot of bad things fast. so why did we choose to go with this device anyway? we could have chosen anything else. any internal device would work the point is not the device. the point is this is a platform insider net. this is an independent device inside your machine. this is how they look. these modules are available worldwide. obviously you can get them on e-mail for 50 bucks. yes? >> (indiscernible) >> some organizations use these devices

to backhaul data over firewalls. >> we can do that. can you write that down? (laughter) okay anyone else getting more scared? (laughter) >> airplane mode -- don't matter to us. yes? >> (indiscernible) >> i have no idea. do you have an atm to give me? all right. any other questions? interrupts, comments random remarks. >> so this device was found because it has the lt connection so we do stuff over the internet like this. yes? >> (indiscernible) >> these come in pca as well. pci compliance. i don't do that. >> as a hardware guy pci compliance

doesn't really talk to me. >> (indiscernible) >> (laughter) you have a question? how is this powered? with the internal platform power. that depends per platform some devices will have a direct link to the battery for this thing so when you come up from sleep you will be powered on and connected so you have consistent connection across three boots. most of them will power cycle everything that is what we saw in the demo when we had to power cycle and we had to wait for connect. any other questions? this is not iphone. what? >> (indiscernible) >> that

will be december 2018. any other questions? how the hell are we going to fix this? this has already been fixed. let's talk about the bigger picture in a second. the patch has been released today. awesome way of communication with them. i did not expect that but it was very responsive and very pleasant communication over months. kudos. now let's talk about the hack itself. how are we on time? shit. want to help me. so we have this -- as we said at the beginning the entry point is malware running a software update for the module or user is

running malicious update. the update utility we have for this specific module is running on windows. the firmware is packed into the utility. when we looked at the firmware update utility we started looking around and some things we spotted some things like linux strings so it looked interesting so we found a password file with the hard coded des password. we were able to crack that in about four hours on the gpu cluster and get the password for the device image and we wanted to take a closer look at the hardware itself. >> we have a user name

and password so all your units this is how you crack windows. so we're looking at this thing. it is this big. tiny. and what are we going to do we are hardware people let's look at the test pad. we start with this. and then we go okay, we accidentally bricked it. >> so we probed each of test points all found the ur connection so two of those wired are sod considered and another wired to reset and one to ground and we were able to do this for a couple of modules but do you know how many we have gone through now? >> we broke about four or six. got >> this was

cumbersome to solder new wires and removing it and insert it again so we came up with a much better solution. >> we found this kit that has the m2 slot and breaks out everything with the sim card and usb in we soldered for like two or three hours as process of getting this fixed and ready these test pads are tiny and then you break the thing in three minutes. and you were like shit. so we came up with a better solution to break things and that is that. drilling a hole through the kit and using pins as you see the right side the mcguyver-ness of

it. this is duct taped. (clapping) and we have (indiscernible) yeah. that is not exciting, i know. we have to do a happy show dance. and we have to do success dance. let's recap. we have a root shell on the linux powered independent device inside your platform without any way of you controlling it other than opening it up and taking it out. >> as you see the firmware instruction is awesome. the initial hack base got us access to the degrees and started looking around and require identify -- and we spent

some time looking at the mechanism and figured out how basically as part of that doing some changes and trying to flash update we discovered it was only doing a crc instead of firmware update. >> i was going to talk about the -- so we spent some time reversing the firmware structure and there was a crc covering each header block and we're going to write a tool to calculate those but we figured out it was easier to patch the updater to do the work for us so when you first run the updater it has this image as part of updater and it will go

through check the crc to make sure everything works and then pass it over the modem so we just changed the checks instead of doing compare branch if not equal to just replace crc and replace it in the firmware image before it passes it on the modem where that does crc check. we only needed to change six opcodes in the firmware upgrade utility. not for branch opcodes but were not that many changes at all in order to get this working. it works great. it's easy to do so they are not doing any kind of secure update and because of this we can

recalculate the crc and this has a complete android running inside the modem so question created a live module in order to live patch -- within the usb gadget and we can reconfigure whatever we want. we can have it do mouse and keyboard have it do a cd rom drive. you can have a usb internet and bridge the connection. and one point to remember about this is that although it requires malware pushing the firmware updates we can use that module as a root of persistence for malware so you can wipe the os after it has been compromised. firmware

update asks the module to switch into this update mode, so if the module ignores that reset it is difficult to guarantee that you have cleaned the module after something like this has happened. so it's an interesting problem to run into. >> we keep saying module but the modem module, this is an example. this is possible with many other platform devices, platform components and the risk here what we're trying to say is there is a platform risk and this is like the worst case scenario where malware can't persist across wipe outs. if you

have a remote -- i can install the os remote without you knowing it. that summed things up. all right. there is such a thing as insider threat. and if anyone of you is involved with firmware updates secure it very well. >> so basically because all of these different devices in the platform should have a secure update functionality and a lot of people used to think that usb was safe because but have this arbitrary code in a place that is not viewable by antivirus software running on the host system, will not have an ability to look inside the

module unless the module gives it that capable but answering back request. so many different places you will have similar excuse environments where you could have malware do a similar attack like this and we want to let people know to secure update through all these different forms is really important and that means more than just a crc check. so do signature verifications. >> before we go to questions, we are going to run the video demo for the you tube talk, if that is okay with you all. we see the tablet on the right. my bad. you have a

tablet on the right and we have the remote connection, this is server on pc2. so powering on the tablet. this one is going to be faster, i promise. you can see the go pro-light flashing when you go by. connecting to our server downloading a cd rom image. this is what we did not have to do with a device refresh. so we load a cd rom device first and we load the image cd getting in the driver. then the hacking is in progress. just remembering that we can all do this when airplane mode is enabled is interesting also. >> you say interesting and i say

scary. so this was in case we failed with a live demo. so this is where we enabled the -- skip forward a little bit. we load the configuration remotely. tell it to disable secure boot. the script is just shortening for the key strokes. disables it. reboot. the module is pinging google again. we are going to do refresh and airplane mode is on. and then we restart operation and you see the lt module to the right and it one internet. so now we have time for questions. >> and i have a microphone. that would be good. >> i have two questions. did you patch the

firmware to keep the module activated or is it always like that? >> in this case it was always like that. >> could you use the pci express to gain access to the host's memory? >> technically yes if you have a pci express module. >> this particular code does not have a pci line in the m2 slot. >> questions to the left. >> so you said this is patched now. >> yes >> did they patch it to the module itself or just patch the windows installer so firmware updater does verification. >> two steps of verification here one is software double check and

one the module itself performs secure boot. so the module itself is performing the check so now you will not be able to load any unauthorized image to this module. >> so one of the bullet points was to have more security around security updates for the firmware so i am curious how do you make it more secure make a password you have to crack. >> i would recommend full rsa signature verification. have a big enough key that you can't crack. >> so how you could attack this? >> we just give you a link and you have an update for your module.

that is it. for this specific case. it varies per device. any other questions? me mind. thank you everyone.


All Rights Reserved by LASTFIRMWARE © 2014 - 2015