lets try to find the 13.37 ota update url and zip!!

This is a discussion on lets try to find the 13.37 ota update url and zip!! within the Motorola Backflip Development & Hacking forums, part of the Motorola Backflip category.

Results 21 to 30 of 49


  1. #21
    Senior Member Joe Coolcool's Avatar
    Join Date
    Apr 2010
    Posts
    408
    Quote Originally Posted by turnyourbackandrun View Post
    Hi, I'm rbmyr8 from m3. I've got a couple ideas. First, I have the post data for the update url from the packet sent by the phone. I may be able to create a fake form that posts this data, but it seems kind of unlikely. I think the better way would be to actually replay the packet sent by the phone and listen for the response... I'm just not sure how to do that...

    As far as the update.zip that I captured, after hex editing an update.zip from the droid, it looks extremely similar. So I know it's not too far off!


    Update:

    I just posted this over at m3, and thought I'd repost here in case anyone here isn't watching m3.



    So, apparently I captured all the packets I needed quite a while ago. Now that I learned how to merge capture files properly, I have a complete capture file from the update. Wireshark will even automagically export the update.zip (it's not called that, of course), which makes the hours I spent hacking the file together completely futile :P Anyway, I am 99.9% certain that I've got everything we need for a signed update.zip. Now, on to the bad news... The update.zip that Wireshark exports (which, incidentally, is precisely the same as the one that I hacked together previously) still won't extract! However, I was noticing that although the bulk of the packets are sent to the same port on the phone, there are a few packets being sent to two other ports. I've got a sneaking suspicion that the data sent on the other ports, which is unrecognizable (by me, anyway), is important, maybe even part of update.zip. Is it possible that the phone combines the file with a few bytes sent on other ports to create the final update.zip?

    The capture file itself is about 30 mb (most of the 14mb update file is duplicated, plus resent packets, headers etc...) so I'm not going to upload it until somebody expresses interest (I'm on a pretty slow connection). But by all means- if anyone is interested, it's yours. I think it's gonna take a bigger brain than I've got to figure it out, but I'm definitely not stopping now.

    One final thought: is it at all possible that the correct update.zip won't open in a regular zip program? Does the phone have a special way of unzipping it? Seems unlikely, but I thought I'd throw it out there. I'm tempted to just throw the file on an sd card and try to flash from the bootloader, but I'm not sure what happens when you flash a corrupt update.zip (probably nothing).
    I sure hope something comes from this. Sounds like you're pretty sure of yourself at least.

  2. #22
    Junior Member MLBZ521's Avatar
    Join Date
    Jul 2010
    Posts
    25
    Quote Originally Posted by turnyourbackandrun View Post
    The capture file itself is about 30 mb (most of the 14mb update file is duplicated, plus resent packets, headers etc...) so I'm not going to upload it until somebody expresses interest (I'm on a pretty slow connection). But by all means- if anyone is interested, it's yours. I think it's gonna take a bigger brain than I've got to figure it out, but I'm definitely not stopping now.
    Hey, rbmyr8, if you want, send the file to me and I can upload and host it. Anyone who's interested can download it. Just let me know.

  3. #23
    Junior Member turnyourbackandrun's Avatar
    Join Date
    May 2010
    Posts
    18
    http://drop.io/turnyourbackandrun/asset/update-zip

    Guest password is "android" - hope someone can make something of it!! The only thing I removed was the HTTP headers and the text "@upgrade:cloud:102:Blur_Version.0.13.35.MB300.ATT .en.US:-40094298€@.......€ " which comes before the PK.. signature of zip files. If anyone wants the exact hex values of what I removed, just ask, although I don't think it'll be useful.

    I've been taking some alternative approaches to this: I'm quite certain it's possible to extract the files individually... and I'm gonna try and use some VB to do so. So, this file is presumably signed with the private keys. Anyone know how to extract them? My best guess is that they're in the META-INF/CERT.RSA file, so that's what I'm trying to extract at the moment. Some other information that may be common knowledge: based on the file headers, it's encrypted using the deflate algorithm. So if we inflate the raw data, that should give us the individual files...

  4. #24
    Moderator SSeymour's Avatar
    Join Date
    Mar 2010
    Posts
    97
    The update zip has been combined wrong. In Ubuntu my archive manager is telling me there are about 88373 extra bytes of data at either the start or within the file. That's why it can't open and that is also why it is corrupt. If someone can figure out how to remove them it would probably work then.

    Also there are 188 files in that update.

    One more thing: I managed to find an application that can open corrupt zip files and what you have is definitely an update (has META-INF). Bad news is I couldn't pull anything from it. The SYSTEM folder and BOOT.img were missing. Also all that was in the META-INF folder that I could find was the MANIFEST.MF, which is showing up as 0 bytes.

    I'm sure the file could be cleaned up... I just don't know how to do it... lol
    CURRENT
    HTC Aria-Rooted
    Motorola Backflip Bricked getting replacement =(

    FORMER
    HTC Touch Pro (Fuze)
    LG Incite-Returned.
    ATT Tilt Broken charger port.

  5. #25
    Junior Member turnyourbackandrun's Avatar
    Join Date
    May 2010
    Posts
    18
    Yeah, I figured as much. When hex editing it, there's a bunch of plaintext including (half of) the message that pops up before the update, and tons of SHA1 hashes just before the update-script file. The former I think needs to go- I'm just not sure where it starts and ends. The latter I believe to be a comment that the phone uses to check the integrity of the update file. I'm not sure why moto sent my phone part of the update message again in the middle of the file, but if I remove just that packet, I can't extract update.zip at all.

    Also, I have a feeling that once the unnecessary parts are removed from the file, all the rest of the files will "magically" appear. The reason your archive manager only shows manifest.mf is because it's the first file in the archive, and the only one it can pull info from. When hex editing the file it's clear that all the rest of the files are there, including boot.img.

  6. #26
    Member weasel5i2's Avatar
    Join Date
    May 2010
    Location
    Austin, TX
    Posts
    87
    Another couple of things I noticed from your logs.. The filesize is apparently 14717041 according to the CusSM (customer State Machine?) app which handled it.

    Also, they patched a kernel module (/system/lib/dhd.ko - appears to be a wireless driver module) and the "crasher" app (/system/xbin/crasher) - maybe they found an exploitable bug in either of these, and fixed it with 0.13.37?

    I just updated my netsniff-ng to 0.5.5.0, so I'll test it with some ZIP downloads when I get home tonight, and see if I can't capture the file as it passes through my gateway. I also have Wireshark/tshark, so if you can give me details on exactly how you captured/reassembled your attempt, I can also try the same. Or differently, if there's something you wanted to try but can't now since your OTA download is done..? Lemme know, I'll put off this update for as long as I need to, in order to figure out how to snag it when I finally accept it!

    --W5i2

  7. #27
    Member weasel5i2's Avatar
    Join Date
    May 2010
    Location
    Austin, TX
    Posts
    87
    Also, I think it's interesting how (according to the logs) your phone connected to an IM (XMPP) channel on a Jabber server in their cloud?! Do you think that's just the transport layer for the MotoBlur™ stuff, or perhaps a special channel for doing things like, oh, I dunno, sending PKI keys in parallel with secured network operations? (such as securely downloading the update).. Doesn't look like it has very much, if anything, to do with the update download itself.

    I think we're on the right track with the packet capture and reconstruction..

    --W5i2

  8. #28
    Junior Member turnyourbackandrun's Avatar
    Join Date
    May 2010
    Posts
    18
    Wait... from my logs? I didn't upload the capture file... just the update.zip that I extracted. You're right though, the phone frequently connects to a jabber server... I think it's just for motoblur stuff, but I could be wrong... I noticed a bunch of packets containing stuff like my friends' status updates and profile pics from facebook.

    Also... I'm about to drop some very good news- once I'm sure it's not too good to be true :P


    Update:

    And... the good news. http://drop.io/turnyourbackandrun/as...te-partial-zip

    It can be unzipped :D

    Now, the bad news. That's most of the files, but some didn't decompress properly. For example, radio.img and recovery.img, among others. I'm still workin on 'em, though

    Most of the files are compressed with standard deflate compression, so I created a little VB program to split the zip into separate files and decompress them. Hopefully we're getting somewhere with this...



    Oh, and weasel, you don't worry about downloading the update. It gives you an option to "install later," and a factory restore will clear /cache where it's stored, meaning you can download it over and over.


    One more update before I go to bed. I have to give a lot of credit to nEx.Software and others for this thread, which helped me to see where I was going wrong. The update.zip file is sent to the phone with a special protocol- there's headers that the phone understands at specific intervals through the file. I've figured out one basic header that's sent at a very specific interval, but I think there's more to the protocol than that- I removed every instance of it, but it didn't help me recover any more of update.zip.

    Weasel- the patches can be applied on a i386 system via the bspatch command in the bsdiff package. I pulled the crasher binary with adb, patched it, and compared the two files... I saw where they differed, but it didn't seem significant to me, although it was kinda over my head. You may be on to something there though... I'm sure they patched up a hole somewhere that can be used to our advantage.


    Sseymour - the file header for boot.img is interrupted by said header. That could be why you didn't find it when hex editing (or, whatever program you were using). In a hex editor, try searching for "oot.img" - you'll find the 'b' just before it.
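
The member-by-member recovery discussed in posts #24 to #28, as an added Python example (not code from the thread, and not the poster's VB program): it ignores the central directory, walks the `PK\x03\x04` local file headers, inflates each deflate stream on its own and accepts a member only if its CRC-32 verifies. The sample archive, its file contents and the bracketed filler bytes are constructed for illustration, and `MAX_OUT` is an assumed limit.

```python
import io, struct, zipfile, zlib

LFH_SIG = b"PK\x03\x04"        # ZIP local file header signature
MAX_OUT = 64 * 1024 * 1024     # assumed cap on inflated bytes per member

def salvage_members(blob):
    """Walk local file headers only; return (leading_junk, [(name, status, data)])."""
    first = pos = blob.find(LFH_SIG)
    members = []
    while pos != -1 and pos + 30 <= len(blob):
        (_sig, _ver, flags, method, _time, _date, crc, csize, _usize,
         nlen, xlen) = struct.unpack("<4sHHHHHIIIHH", blob[pos:pos + 30])
        start, nxt = pos + 30 + nlen + xlen, pos + 4
        if method in (0, 8) and 0 < nlen <= 512 and start <= len(blob):
            name = blob[pos + 30:pos + 30 + nlen].decode("cp437")
            data, end = None, start
            if method == 0 and start + csize <= len(blob):
                data, end = blob[start:start + csize], start + csize  # stored
            elif method == 8:
                d = zlib.decompressobj(-15)     # raw deflate finds its own end
                try:
                    out = d.decompress(blob[start:], MAX_OUT)
                    if d.eof:
                        data, end = out, len(blob) - len(d.unused_data)
                except zlib.error:
                    pass                        # foreign bytes broke the stream
            if data is not None and flags & 0x08:   # CRC is in a data descriptor
                desc = blob[end:end + 8].ljust(8, b"\0")
                crc = struct.unpack("<I", desc[4:8] if desc[:4] == b"PK\x07\x08" else desc[:4])[0]
            ok = data is not None and zlib.crc32(data) == crc
            members.append((name, "ok" if ok else "damaged", data if ok else None))
            if ok:
                nxt = end                       # skip past verified data
        pos = blob.find(LFH_SIG, nxt)           # otherwise resync on next signature
    return max(first, 0), members

def build_damaged_sample():
    """Constructed input: junk prepended, foreign bytes inside boot.img's data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" * 20)
        z.writestr("boot.img", bytes(range(256)) * 8)
        z.writestr("system/build.prop", "ro.build.id=SAMPLE\n" * 20)
    raw = buf.getvalue()
    cut = raw.find(b"boot.img") + 40            # 32 bytes into the deflate stream
    return b"[transport preamble]" + raw[:cut] + b"[chunk header]" + raw[cut:]

if __name__ == "__main__":
    print([(n, s) for n, s, _ in salvage_members(build_damaged_sample())[1]])
```

A member reported as "damaged" marks where non-ZIP bytes sit inside the stream; members after it are still recovered because the scan resynchronises on the next header signature.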

  9. #29
    Junior Member turnyourbackandrun's Avatar
    Join Date
    May 2010
    Posts
    18
    So... after reading through more of the thread I mentioned above, I figured out what I'm doing wrong. And I'm pretty sure I figured out how to fix it. The file needs to be pieced together using byte offsets, which can be found by running logcat while downloading. We should see a working update.zip tonight when I get out of work

    Sorry I didn't deliver last night. I actually got a chance to have some social interaction, and I took it. I did work on it a little, but every time I think I've got it, it gets more complicated. I'm close, though, I promise.

  10. #30
    Member weasel5i2's Avatar
    Join Date
    May 2010
    Location
    Austin, TX
    Posts
    87
    I've downloaded 0.13.37, but I'm fending off the 15-minute reminder and telling it to "Install Later" - until you can successfully extract the update file, I will wait.. That way, if you're unable to do it, I can at least try recreating the download/capture for you if you need it.

    Just give me the word that you've successfully captured it, and I'll update my phone!

    --W5i2
