So, I decided to have a look at how my Cat B15Q actually receives OTA updates. Turns out the lifting is done by two APKs in /system, FWUpgrade.apk and FWUpgradeProvider.apk.
Notes taken during reverse engineering:
- the entire upgrade mechanism runs over plain HTTP, so you can use tools like fiddler or wireshark to listen and manipulate the entire mechanism (just imagine deploying a malicious proxy with ettercap on a conference wifi and pwning all mediatek devices)
- mediatek seems to supply handset manufacturers with a set of PHP scripts for providing OTA upgrades.
- the whole code is littered with typos ("onHandsakeAuthentication", "downlaod" and more), commented-out code and other stuff which makes me wonder just how it works, but well I always have that feeling when I have to read Mediatek source code
- an old version of the client-side source, written for another mediatek device, is at https://github.com/kupyxa4444/baoxue...tpManager.java
- something in the core methods apparently messes up both JD-GUI and Procyon decompilers
- the core mechanism for obtaining a download/checkversion token is just an md5sum (fixed "tag string" 15811375356 + server-sent "rand"); funnily enough, this "tag string" is sent as the "serial number" during login and is apparently totally hardcoded.
- at least in this 2012 ROM dump, the endpoint addresses are stored in res/values/address.xml, however this is not present in "my" apk, nor in /data/data/com.fw.upgrade. Looks like the new version uses SharedPreferences, but there is no backing store in /data/data/com.fw.upgrade either.
Because I don't really like unknown parties being able to link together my SIM and IMEI (especially any random wifi snoop, this thing is a background service), I have killed off the OTA service and wrote me a little script to check and fetch updates: https://gist.github.com/msmuenchen/c3fb276f264058b8d51e
By the way, I don't know what the ... the guys at mediatek are smoking, but that code... it is sufficient to say that it would be trivial to thoroughly **** up any OTA distribution, up to the point of distributing malware and rootkits. To top it off, some guy even dumped a boatload of internal mediatek stuff to github, and the horrors I have seen there are beyond imaginable.
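To make the token point above concrete, here is an added example (mine, not code from the post, the gist, or MediaTek) that puts the described md5 scheme next to a keyed alternative and runs both through a server-side check. The concatenation order (tag string first, then rand) and the hypothetical per-device HMAC secret are assumptions; the sample rand is constructed.

```python
"""Weak OTA token as the post describes it, beside a keyed alternative (added example)."""
import hashlib
import hmac
import secrets

# Fixed "tag string" quoted in the post; the client also sends it as its "serial number".
TAG_STRING = "15811375356"


def weak_token(rand: str) -> str:
    """Token as the post describes it: md5 over the fixed tag string and the server's rand.
    Concatenation order (tag first) is an assumption; the post only says both go into the md5."""
    return hashlib.md5((TAG_STRING + rand).encode("utf-8")).hexdigest()


def weak_verify(rand: str, token: str) -> bool:
    """Server-side check for the weak scheme. Every input is either hardcoded in the APK
    or sent in cleartext, so this check cannot tell a genuine handset from anyone else."""
    return hmac.compare_digest(weak_token(rand), token)


def keyed_token(rand: str, device_secret: bytes) -> str:
    """Hypothetical hardened variant: HMAC-SHA256 over rand, keyed with a per-device secret
    that is provisioned once and never sent on the wire."""
    return hmac.new(device_secret, rand.encode("utf-8"), hashlib.sha256).hexdigest()


def keyed_verify(rand: str, token: str, device_secret: bytes) -> bool:
    """Server-side check for the keyed scheme; the server looks up device_secret by device."""
    return hmac.compare_digest(keyed_token(rand, device_secret), token)


def compare_schemes(rand: str) -> dict:
    """Model an outsider who holds only public material: the APK (hence TAG_STRING) and
    the rand seen in cleartext. Report whether the server accepts what they produce."""
    # Constructed: the secret shared only between this device and the update server.
    device_secret = secrets.token_bytes(32)
    # The outsider does not have device_secret, so any value they use is a guess.
    outsider_guess = secrets.token_bytes(32)
    return {
        # weak scheme: the outsider's computation is identical to the handset's
        "weak_outsider_accepted": weak_verify(rand, weak_token(rand)),
        # keyed scheme: the real device still authenticates
        "keyed_genuine_accepted": keyed_verify(rand, keyed_token(rand, device_secret), device_secret),
        # keyed scheme: the outsider's token is rejected
        "keyed_outsider_accepted": keyed_verify(rand, keyed_token(rand, outsider_guess), device_secret),
    }


if __name__ == "__main__":
    print(compare_schemes("8f3a1c"))  # constructed sample rand
```

The server-side rand still only prevents replay of an old token; it is the secret, not the hash function, that makes the keyed variant useful. A keyed token also does nothing about the plain-HTTP transport noted above: without TLS and a signed firmware image, an on-path party can still swap the payload after a perfectly valid handshake.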