[HN Gopher] Bypassing Android MDM Using a $1.50 Electric Gas Lig...
___________________________________________________________________
Bypassing Android MDM Using a $1.50 Electric Gas Lighter
Author : paulgerhardt
Score : 175 points
Date : 2020-09-25 15:23 UTC (7 hours ago)
(HTM) web link (payatu.com)
(TXT) w3m dump (payatu.com)
| paulcarroty wrote:
| Oh, just remembered I need to buy the one :)
| Hasz wrote:
| Next step in cheap but effective is building a small waveguide for your arc lighter -- probably easier to target what you want vs the point source you have now.
|
| Can basically be a few pieces of carefully sized tinfoil, or some copper wire with copper clad soldered around it.
|
| Also, the term "Jugaad" for Indian macgyverism is excellent!
| ComodoHacker wrote:
| So did this guy just revive a long-declined market of "tough" mobile devices (rugged, EM shielded, thermoresistant etc.)?
| trhway wrote:
| Using an X-ray generator and knowing the chip layout one can probably target specific registers/memory cells.
| marunmagesh wrote:
| Hey Guys! I am the OP for this blog. Please direct your queries to me.
| arunmagesh wrote:
| huh?? If you're me, who am I???
| mcraiha wrote:
| Will the real OP please stand up?
| magesharun wrote:
| He is not you, I am you.
| namanaggarwal wrote:
| I would like to report this if this is not genuine.
| danbruc wrote:
| What is the point of those color gradients in the photos? [1] Are they supposed to conceal the chip? If so, that didn't work very well. [2] Just make it completely black; people have failed often enough to properly redact information because they tried to do something fancy, something more visually pleasing. At least unless they did this intentionally, either because they wanted it to be visible but also wanted some deniability as an accident, or to mislead by embedding false information.
|
| [1] https://payatu.com/static/images/remoteblogs/arun/emfi_blog/...
|
| [2] http://www.unisoc.com/sc9863a
| arunmagesh wrote:
| Ouch. That was not an intended one. Those colourful overlays are just Android stickers. I didn't expect them to be translucent. :( I fixed it. I would kindly request you to modify / remove the link part please. :(
| [deleted]
| kspacewalk2 wrote:
| > I would kindly request you to modify / remove the link part please. :(
|
| But... why?
| arunmagesh wrote:
| This might give out information about the device we used. That should be a secret.
| dylan604 wrote:
| I'm sorry, but this is your fault. You improperly tried to conceal a picture by being cute instead of effective while trying to earn bragging points with a very public announcement about your hack. You brought the eye of Sauron upon yourself. It'll be a painful lesson to learn, but I'm guessing you won't make this mistake again. Some of us have been there before. Welcome to the club. We've got jackets.
| jerome-jh wrote:
| If MDM is deployed by companies, the device may come from the author's employer, a friend's employer, a government? Memory ref + CPU ref makes it somewhat identifiable.
| danbruc wrote:
| That's now unfortunately too late, I can no longer edit or delete the comment; maybe one of the mods can censor it. And by the way, you added a new photo to the article but the original file is still there; following the link in my comment still yields the photo with the visible part number. There might very well be people out there that notice that the article has 1.png, 2.png, 3.png, 44.png, an image with something hidden, and then 5.jpg [1], and then start to wonder what 4.png or 4.jpg might look like.
|
| [1] Yes, there are also 5.png, 6.png, and 8.png in between out of order, it is not a perfect pattern, but it is still close enough that one might notice the missing 4.png.
| crazysim wrote:
| The blog poster can edit the image on their own site, right?
| danbruc wrote:
| But they cannot get the link to the chip out of my comment.
| jstanley wrote:
| If you think the numbers on the chip contain some personally identifiable information: fear not, they are generally just part numbers and sometimes date codes.
|
| If that's not the reason for trying to redact them, what is the reason? I can't think of anything else reasonable.
|
| EDIT: I now realise that this was a very condescending comment to write to someone who, based on the submitted blog post, is considerably better at electronics than I am. Sorry about that!
| nom wrote:
| A bit OT but this just reminded me of something I haven't thought about for many many years. Just wanted to share.
|
| I bypassed the payment procedure in a coke vending machine with a lighter.
|
| Germany, around 2004: we had a coke vending machine at school, probably from the mid 90s. Someone told me you get free coke if you flick a (non-piezo) lighter in front of the display at the right time. I didn't believe it one bit, but when I tried it, it actually worked. It quickly spread around our school until months later the service guy fixed it.
|
| Many years later I realized what had happened. The flick of the lighter emitted a strong IR impulse that triggered an infrared receiver (which was probably used for debugging, configuring etc).
|
| This must have caused an interrupt, and if triggered at the same time the machine vended the bottle, it completed vending but never got back to actually decrementing the money you put into it. You could empty out the whole machine with nothing else but 1 Euro and a lighter and you even got your money back.
|
| Lots of cokes were had.
| worstenbrood wrote:
| I have a similar experience. 20 years ago a friend told me a trick which only worked on vending machines from a particular brand. It only worked on the drinks with the lowest price. You had to put the exact money in the machine for a certain drink, add one cent and press the button for that drink right when you hear the "click" of the money. You get the drink and your money was increased by one cent. After you were done you could just get the money back. It required some practice but when your timing was good you could empty a complete machine. Since most of the vending machines had Red Bull and Jupiler, which had the highest price, we had a lot of free cola/sprite/.... I wonder if it still works.
| narwally wrote:
| When my sister lost the "sensor bar" on her Wii I showed her how to use a pair of candles to replace it. The sensor bar is just a set of IR lights that the camera on the Wiimote detects.
| jagraff wrote:
| I'd imagine a pair of candles would cause the cursor to jump around a lot because of the flickering - how did you solve that problem?
| xyzzy_plugh wrote:
| With a clean, dry wick it's pretty easy to get a very still flame for a long, long period of time. Though if you have a fan or something blowing, you're out of luck.
| function_seven wrote:
| I imagine a vigorous game of Wii Tennis will cause those candles to flicker.
|
| And will provide a convenient excuse why I was unable to return that serve.
| chrischen wrote:
| Valve lighthouse "trackers" work in a similar, albeit slightly more complicated, way.
| mipmap04 wrote:
| Yeah it's funny that it is called a sensor bar when it has no sensors.
|
| For my undergrad, we had a cross-major project to build a robot that shot ping-pong balls at various targets that were tagged with IR lights. We used 2 Wiimotes to calculate the 3D space.
| moron4hire wrote:
| Using an electrical shock to bypass a subsystem in Android makes me think of Data in Star Trek glitching out when he got stuck in an EPS conduit once.
| ben_w wrote:
| Phrasing it like that makes him sound like a cat, which is a fantastic mental image for the entirety of TNG.
| benjaminjackman wrote:
| Makes me wish there was a Data / Spot consciousness swap episode.
| FriedPickles wrote:
| The author claimed to use a "cheap electric Arc Gas lighter", which I had never heard of. I think they actually just mean an electric arc lighter because I wasn't able to find such a thing (which would presumably mean a butane lighter with an electric arc igniter rather than piezo).
| arunmagesh wrote:
| ah my bad!! I get the confusion. It is an arc lighter for gas stoves. :/
| tdeck wrote:
| I wondered about this too, since I have never seen one of these. Perhaps the author is in a country where manual-light gas stoves are more common? In the US I have never encountered such a stove, and searching target.com (good proxy for common household items) brings up no lighters of this style.
| pjbk wrote:
| Being in the embedded safety/security industry for years, piezo igniters and sparklers are one of my go-to system test and side attack tools. They were also effective opening an August smart lock some time ago when one of my coworkers had to enter a room in a hurry and was not carrying their phone with the app. Amazingly a few zaps around the enclosure did it.
|
| The big ones for gas stoves even work some feet away on some badly shielded products. Growing complexity, size/weight reduction and low power technology have made all these devices quite flimsy these days.
| jacquesm wrote:
| This was a pretty common trick to glitch slot machines; they are hardened quite a bit against this sort of trickery. A mobile phone is much more delicate in general construction and doesn't have access to a handy ground wire.
| w0mbat wrote:
| It was a similar story with gas pumps, which truck drivers used to glitch to get most of their fill-up for free.
| p1mrx wrote:
| Attacking a gas pump with a high voltage lighter sounds like a good way to win a Darwin Award.
| grishka wrote:
| Slot machines are on someone else's premises and (disclaimer: I've never been to a casino myself) are most likely under surveillance, so they'll probably void your winnings and ban you if you start doing something sketchy.
|
| Devices that implement any restrictions against the end user like DRM or MDM, on the other hand, are in possession of the said user. I heard a saying that getting root privileges on a device you physically possess is only a matter of time and effort.
|
| In other words, you can totally take your phone apart as much as your tools and skills allow, but you'll get arrested if you try taking a slot machine apart.
| jacquesm wrote:
| Sure, the owners would not be happy. But slot machines are installed all over the world and not just in casinos.
|
| The idea was not to take the machine apart but to try to glitch it by hitting metal parts that were not properly grounded. This would then allow the voltage spike to make it into the circuitry, either leading to breakage, no effect, or fault injection. The latter could sometimes be converted into a win on a subsequent spin.
|
| This is 80's stuff, I'm pretty sure today's slot machines are tamper proof to the point that trying this is totally pointless, and even back then hardening against this was common.
| mschuster91 wrote:
| > This is 80's stuff, I'm pretty sure today's slot machines are tamper proof to the point that trying this is totally pointless, and even back then hardening against this was common.
|
| They are. Source: I own a modern-ish computer-based slot machine and tried my fair share of tricks against it.
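The voltage-spike-to-fault-injection path jacquesm describes above is why a bare `if (flag)` is a weak place to hang a security decision in firmware. The block below is an added example, not code from the article, the Payatu post or any commenter; its names and constants are invented for illustration. It models a single flipped bit in a stored allow/deny decision and counts, for a naive flag and for a glitch-hardened one, how many of the 32 possible single-bit faults turn "denied" into "allowed".

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed example (not from the article or any real MDM agent): a naive
 * firmware policy flag beside a glitch-hardened one, and a model of a single
 * injected bit-flip in the stored decision.  All names/constants are ours. */
#define NAIVE_DENY 0u            /* naive style: 0 = deny, anything else = allow */
#define HARD_ALLOW 0xA5A5A5A5u   /* hardened style: ALLOW and DENY differ in    */
#define HARD_DENY  0x5A5A5A5Au   /* every bit; any other value is a fault        */
typedef enum { DECISION_DENY = 0, DECISION_ALLOW = 1, DECISION_FAULT = 2 } decision_t;

/* Model of a transient glitch: one bit of the stored flag is flipped. */
static uint32_t inject_bit_flip(uint32_t value, unsigned bit) {
    return value ^ (1u << (bit % 32u));
}

/* Naive check as commonly written: any non-zero value unlocks. */
decision_t naive_check(uint32_t flag) {
    return flag != NAIVE_DENY ? DECISION_ALLOW : DECISION_DENY;
}

/* Hardened check: ALLOW needs two separate comparisons against a constant that
 * is 32 bit-flips away from DENY; a value that is neither constant is reported
 * as a fault, and no single skipped branch can land on DECISION_ALLOW. */
decision_t hardened_check(uint32_t flag) {
    volatile uint32_t v = flag;           /* volatile: the second test re-reads */
    if (v == HARD_ALLOW) {
        if (~v == ~HARD_ALLOW)            /* second, differently formed check */
            return DECISION_ALLOW;
        return DECISION_FAULT;            /* the two reads disagree: glitch */
    }
    if (v == HARD_DENY)
        return DECISION_DENY;
    return DECISION_FAULT;                /* unexpected value: fail closed */
}

/* How many of the 32 single-bit faults in a stored "deny" produce ALLOW? */
int count_fail_open(decision_t (*check)(uint32_t), uint32_t deny_value) {
    int fail_open = 0;
    for (unsigned bit = 0; bit < 32; bit++)
        if (check(inject_bit_flip(deny_value, bit)) == DECISION_ALLOW)
            fail_open++;
    return fail_open;
}

int main(void) {
    printf("naive:    %d/32 single-bit faults unlock\n", count_fail_open(naive_check, NAIVE_DENY));
    printf("hardened: %d/32 single-bit faults unlock\n", count_fail_open(hardened_check, HARD_DENY));
    return 0;
}
```

The naive flag fails open on every one of the 32 faults; the hardened one reports each as a fault, which is the signal a device should log and act on rather than silently unlock.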
| dan000892 wrote:
| The very first technical standards for slot machines in Nevada are ESD testing to confirm it's safe for the player and that the integrity of the device is unimpacted by 27kV discharge to any point on the exterior of the machine while it's being played (and the test labs really go to town finding gaps in panels and really trying to make something bad happen).
|
| Given the absence of mechanical reels and the fact that the components likely to be susceptible to glitching aren't remotely close to the outside of the machine, this isn't a viable attack method for machines in operation.
|
| Source: NV Tech Standard 1 [1]; also have zapped modern slot machines with an ESD gun.
|
| [1]: https://gaming.nv.gov/modules/showdocument.aspx?documentid=2...
| xxpor wrote:
| I happened to be in AP Stats back in HS with the son of the owner of the business who certified all electronic casino games for the state of NJ. We took a field trip to the business and his dad gave us all a tour and explained all of the testing they do for this sort of stuff, the code reviews, making sure the machine's odds were actually what they said they were etc. I don't remember many details at this point (it was 12 years ago, which is insane), but I do distinctly remember the scale and just the amount of stuff they did. It's very serious business, because it was in both the casino owners' and NJ's interest to make sure the machines were in fact not hackable as much as possible.
| ideals wrote:
| This looks like what we used to do with electric lighters to turn them into weak tasers and zap each other at school.
|
| Disposable cameras had a little more umph though.
| ocdtrekkie wrote:
| My first lesson in "capacitors store electricity" when I was a kid was when I took the battery out of a disposable camera... and then managed to shock myself with the flash discharge anyways.
| TeMPOraL wrote:
| I shocked myself a few times with these too, in the process of disassembling the cameras. I needed components (capacitors and the flash circuit) for the ignition system for the rocket engines we were building with a friend, so I went to a local photo store and asked nicely for used cameras with flash. They gave me a bag with some 20 of them.
|
| (The shocks I got were through carelessness; I used a kitchen knife to discharge the caps after ripping off the plastic shell of the camera, but sometimes I touched the wrong thing while disassembling. Roughly half the cameras I got had the caps charged to the point they'd spark brightly on discharge, and one of them damaged the knife.)
|
| Context for those too young to remember: back before digital cameras were available and affordable, you could buy disposable cameras in kiosks and stores cheaply. These would come pre-loaded with a single roll of film, and after you used it up (~30 photos), you'd take the whole camera to a photo store. The photo store people would rip the roll out of the camera, develop your photos, and throw the camera away. Some models came with flash, so if you could get the used ones from the store (or their trash), you got a free source of high-voltage capacitors.
| agumonkey wrote:
| Did the same at a school trip; after taking off the film I thought I could tear the camera apart, thus exposing the cap connection. Left hand fingers would lean peeerfectly on these metallic parts when playing with the flash.
|
| It became a game between kids. The shock was more intense than harmful, although I saw two white dots on my nail that I assumed were due to the shock.
|
| Today I rip microwave ovens, but I carry gloves and remove caps before anything else.
| leptons wrote:
| I used to work at Radio Shack. The rug behind the counter was very efficient at providing static electricity and whenever we touched the barcode scanning wand - zap. So I got a package of 2kV high voltage capacitors and held one lead while touching the other lead to the wand while rubbing my shoes on the carpet, thereby charging the capacitor. I left the charged capacitor on the POS terminal keyboard for the asshole I worked with to discover. Of course he fell right into my trap and picked up the capacitor. It was pretty funny to me, but not to him. This jerk would often steal my sales and talk down to me; he had it coming.
| thelazydogsback wrote:
| I did it by sticking a screwdriver where I shouldn't have and touching the flyback cap on an old (CRT) TV that was only recently unplugged. Luckily I wasn't well-grounded, and the part of the screwdriver that shunted the current turned to slag.
| tgsovlerkhgsel wrote:
| Did you get shocked at all? I'm trying to understand what the return path for the current would be in this situation.
| throwanem wrote:
| Through the screwdriver shank, as it's placed across the capacitor terminals. This creates a dead short through which the differing potentials on the capacitor plates can equalize - and if the capacitor is large enough, they do so quite enthusiastically.
|
| I ruined a screwdriver of my own that way once, discharging a photoflash cap in a flash head whose control circuit had died with the cap at full charge. Didn't do my hearing any good, either, I'm sure - it took fully half an hour for the ringing to go away.
___________________________________________________________________
(page generated 2020-09-25 23:00 UTC)