Trend Micro CTF 2016 Quals - Misc 200


Have you ever wondered why certain phones only worked for certain carriers or in certain regions? If you have, then just like me, you might learn something meaningful from solving this challenge.

The challenge description is as follows:

https://mega.nz/#!1hFXCApD!0oq_bFqbnaPsquuOySg4TSIYjPemVjzWWNqfg8OJ0WI
openssl enc -d -aes-256-cbc -k KfRdN3YhyaMhAzLftsSw -in files22.enc -out files22.zip
unzip files22.zip

Find the LTE bands supported by this device, for example if the device supports the bands 1,2,3 the flag will be TMCTF{1,2,3}.


After decompressing the archives, one would find a file named "ModemSettings.txt" with the following (truncated) content:



At first sight, I did not know what I was looking at so I used Google to search a few of the keywords (e.g. modem settings nv items complete items inactive item). After reading a few of the articles suggested by Google, I realised that "NV" stands for non-volatile and I was looking at a dump of the non-volatile memory of a phone. The non-volatile memory of a phone is used to store many of the phone's static configurations (e.g. IMEI, allowed bands) and in this particular challenge, our aim is to find the LTE bands supported by this phone.

After reading through more resources (http://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059, http://forum.xda-developers.com/showthread.php?t=1954029), I learned that the permitted LTE bands are stored in items 6828 and 6829 of the non-volatile memory. Here's an extract of the data stored in items 6828 and 6829 of the given challenge:


6828 (0x1AAC)   -   OK
FF 1D 1F 03 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

6829 (0x1AAD)   -   Inactive item

It seems like item 6829 is inactive, so we only have to extract the bands from item 6828. Since the resources indicate that the data is stored in little-endian format, the first four bytes FF 1D 1F 03 give the value 0x031f1dff (the remaining bytes of the item are all zero and contribute nothing). After converting this to binary, we get 11000111110001110111111111.

Again according to the resources given, the band numbers are read from the least significant bit to the most significant bit: bit 0 corresponds to band 1, bit 1 to band 2, and so on. A zero means that the band is disabled and a one means that the band is enabled (or unlocked). Therefore, we can simply read the enabled bands off the bit string from right to left.

Using a short script, we can get the LTE bands:

>>> def get_bands(bit_string):
...     # read from right to left (least significant bit first)
...     bit_string = bit_string[::-1]
...     bands = []
...     for (i, bit) in enumerate(bit_string):
...         if bit == '1':
...             bands.append(str(i + 1))
...     return ','.join(bands)
...
>>> get_bands('11000111110001110111111111')
'1,2,3,4,5,6,7,8,9,11,12,13,17,18,19,20,21,25,26'

Therefore, the flag is TMCTF{1,2,3,4,5,6,7,8,9,11,12,13,17,18,19,20,21,25,26}.
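As an added example (my own code, not part of the original write-up), here is the whole procedure in one script: it parses the NV item text in the same layout as the ModemSettings.txt extract above (item header line, then rows of hex bytes), skips inactive items, interprets the item data as a little-endian integer, and maps each set bit to its band number. It generalises the manual step by decoding the full item rather than only the first four bytes, so a mask longer than 32 bits would be handled too. The regular expressions and the `SAMPLE_DUMP` text are assumptions based on the quoted extract; the dump format of other tools may differ.

```python
import re

# Constructed sample: the two NV items quoted in the write-up, reproduced in
# the same text layout as the ModemSettings.txt extract.
SAMPLE_DUMP = """\
6828 (0x1AAC)   -   OK
FF 1D 1F 03 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

6829 (0x1AAD)   -   Inactive item
"""

# Assumed header layout: "<decimal id> (0x<hex id>)   -   <status>"
HEADER_RE = re.compile(r"^(\d+)\s+\(0x[0-9A-Fa-f]+\)\s+-\s+(.*)$")
# A data row is nothing but two-digit hex bytes separated by whitespace.
HEX_ROW_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")


def parse_nv_items(text):
    """Return {item_number: bytes}; an inactive item maps to None."""
    items = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = int(header.group(1))
            status = header.group(2).strip()
            items[current] = bytearray() if status == "OK" else None
            continue
        if current is not None and items[current] is not None and HEX_ROW_RE.match(line):
            items[current].extend(bytes.fromhex(line.replace(" ", "")))
    return {k: (bytes(v) if v is not None else None) for k, v in items.items()}


def bands_from_mask(data):
    """Decode a little-endian band-enable mask: bit i set means band i+1 is enabled."""
    mask = int.from_bytes(data, "little")
    bands = []
    i = 0
    while mask >> i:          # stop once no higher bits remain
        if (mask >> i) & 1:
            bands.append(i + 1)
        i += 1
    return bands


def lte_bands(dump_text, item=6828):
    """Extract the enabled LTE bands from one NV item; inactive items are an error."""
    data = parse_nv_items(dump_text).get(item)
    if data is None:
        raise ValueError(f"NV item {item} is missing or inactive")
    return bands_from_mask(data)


def flag(dump_text):
    return "TMCTF{" + ",".join(str(b) for b in lte_bands(dump_text)) + "}"


if __name__ == "__main__":
    print(flag(SAMPLE_DUMP))
```

Because the whole 128-byte item is fed to `int.from_bytes`, the script does not depend on knowing in advance how many bytes of the mask are meaningful; trailing zero bytes simply add no bits. Item 6829 is parsed but yields None, which is why asking for it raises instead of silently returning an empty band list.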

Cheers!
