Merge pull request #30 from EFForg/bootstrap

Add bootstrapping support

Cargo.toml

@@ -3,5 +3,7 @@
 members = [
     "lib",
     "bin",
+    "serial",
+    "rootshell",
 ]
 resolver = "2"

README.md

@@ -1,11 +1,11 @@
 # Rayhunter
 
 ```
- @@@@@@@   @@@@@@  @@@ @@@      @@@  @@@ @@@  @@@ @@@  @@@ @@@@@@@ @@@@@@@@ @@@@@@@ 
- @@!  @@@ @@!  @@@ @@! !@@      @@!  @@@ @@!  @@@ @@!@!@@@   @@!   @@!      @@!  @@@
- @!@!!@!  @!@!@!@!  !@!@!       @!@!@!@! @!@  !@! @!@@!!@!   @!!   @!!!:!   @!@!!@! 
- !!: :!!  !!:  !!!   !!:        !!:  !!! !!:  !!! !!:  !!!   !!:   !!:      !!: :!! 
-  :   : :  :   : :   .:          :   : :  :.:: :  ::    :     :    : :: :::  :   : :
+ @@@@@@@   @@@@@@  @@@ @@@ @@@  @@@ @@@  @@@ @@@  @@@ @@@@@@@ @@@@@@@@ @@@@@@@ 
+ @@!  @@@ @@!  @@@ @@! !@@ @@!  @@@ @@!  @@@ @@!@!@@@   @@!   @@!      @@!  @@@
+ @!@!!@!  @!@!@!@!  !@!@!  @!@!@!@! @!@  !@! @!@@!!@!   @!!   @!!!:!   @!@!!@! 
+ !!: :!!  !!:  !!!   !!:   !!:  !!! !!:  !!! !!:  !!!   !!:   !!:      !!: :!! 
+  :   : :  :   : :   .:     :   : :  :.:: :  ::    :     :    : :: :::  :   : :
                                                                                     
                                                
 _      _      _      _      _      _      _      _
@@ -32,12 +32,11 @@ Rayhunter is an IMSI Catcher Catcher for the Orbic mobile hotspot. Based on code
 Code is built and tested for the Orbic RC400L mobile hotspot, it may work on other orbics and other 
 linux/qualcom devices but this is the only one we have tested on. Buy the orbic [using bezos bucks](https://www.amazon.com/gp/product/B09CLS6Z7X/)
 
-Root your device on windows using the instructions here: https://xdaforums.com/t/resetting-verizon-orbic-speed-rc400l-firmware-flash-kajeet.4334899/#post-87855183
-(script to root on linux coming soon) 
 
 
 
 ## Setup
+### If your are on x86 linux
 on your linux laptop install rust the usual way and then install cross compiling dependences. 
 run `sudo apt install  build-essential libc6-armhf-cross libc6-dev-armhf-cross gcc-arm-linux-gnueabihf`
 
@@ -47,13 +46,27 @@ rustup target add x86_64-unknown-linux-gnu
 rustup target add armv7-unknown-linux-gnueabihf
 ```
 
+Now you can root your device and install rayhunter by running `./install.sh` - **Note:** You will have to install the cross compile tooling below before running this. 
+
+
+### If you aren't on linux or can't run the install scripts 
+Root your device on windows using the instructions here: https://xdaforums.com/t/resetting-verizon-orbic-speed-rc400l-firmware-flash-kajeet.4334899/#post-87855183
+
 Build for arm using `cargo build` 
 
 Run tests using `cargo test_pc`
 
-
 Push the scripts in `scripts/` to /etc/init.d  on device and make a directory called /data/rayhunter using `adb shell` (and sshell for your root shell if you followed the steps above) 
 
 you also need to copy `config.toml.example` to /data/rayhunter/config.toml
 
-Then run ./make.sh this will build the binary and push it over adb. Restart your device or run `/etc/init.d/rayhunter_daemon start` on the device and you are good to go. 
+Then run `./make.sh` this will build the binary and push it over adb. Restart your device or run `/etc/init.d/rayhunter_daemon start` on the device and you are good to go. 
+
+## Development
+Write your code and write tests 
+
+Build for arm using `cargo build` 
+
+Run tests using `cargo test_pc`
+
+push to the device with `./make.sh`

install.sh

@@ -0,0 +1,34 @@
+cd serial 
+cargo build_pc
+cd ..
+cd rootshell
+cargo build --release
+cd ..
+# Force a switch into the debug mode to enable ADB
+target/x86_64-unknown-linux-gnu/debug/serial AT
+echo -n "adb enabled, waiting for reboot"
+until adb shell true 2> /dev/null
+do
+    echo -n .
+    sleep 1
+done
+echo
+echo "it's alive!"
+adb push target/armv7-unknown-linux-gnueabihf/release/rootshell /tmp/
+target/x86_64-unknown-linux-gnu/debug/serial "AT+SYSCMD=mv /tmp/rootshell /bin/rootshell"
+sleep 1
+target/x86_64-unknown-linux-gnu/debug/serial "AT+SYSCMD=chown root /bin/rootshell"
+sleep 1
+target/x86_64-unknown-linux-gnu/debug/serial "AT+SYSCMD=chmod 4755 /bin/rootshell"
+echo "we have root!"
+adb shell /bin/rootshell -c id
+adb shell '/bin/rootshell -c "mkdir /data/rayhunter"'
+adb push config.toml.example /data/rayhunter/config.toml
+adb push scripts/rayhunter_daemon /tmp/rayhunter_daemon
+adb push scripts/misc-daemon /tmp/misc-daemon
+adb shell '/bin/rootshell -c "mv /tmp/rayhunter_daemon /etc/init.d/rayhunter_daemon"'
+adb shell '/bin/rootshell -c "mv /tmp/misc-daemon /etc/init.d/misc-daemon"'
+adb shell '/bin/rootshell -c "chmod 755 /etc/init.d/rayhunter_daemon"'
+adb shell '/bin/rootshell -c "chmod 755 /etc/init.d/misc-daemon"'
+./make.sh
+adb shell '/bin/rootshell -c "/etc/init.d/rayhunter_daemon start"'

make.sh

@@ -1,2 +1,3 @@
 cargo build --release
 adb push target/armv7-unknown-linux-gnueabihf/release/rayhunter /data/rayhunter/rayhunter
+adb shell '/bin/rootshell -c "/etc/init.d/rayhunter_daemon restart"'

rootshell/Cargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "rootshell"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

rootshell/src/main.rs

@@ -0,0 +1,15 @@
+use std::process::Command;
+use std::os::unix::process::CommandExt;
+use std::env;
+
+fn main() {
+   let mut args = env::args();
+
+   // discard argv[0]
+   let _ = args.next();
+   Command::new("/bin/bash")
+	.args(args)
+	.uid(0)
+	.gid(0)
+	.exec();
+}

scripts/rayhunter_daemon

@@ -1,4 +1,4 @@
-#! /bin/sshell
+#! /bin/bash
 
 set -e
 

serial/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "serial"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+rusb = "0.9.3"
+

serial/src/main.rs

@@ -0,0 +1,127 @@
+use std::str;
+use std::thread::sleep;
+use std::time::Duration;
+
+use rusb::{
+    Context, DeviceHandle, UsbContext,
+};
+
+fn main() {
+    let args: Vec<String> = std::env::args().collect();
+
+    if args.len() < 2 {
+        println!("usage: {0} <command>", args[0]);
+        return;
+    }
+
+    match Context::new() {
+	Ok(mut context) => match open_orbic(&mut context) {
+	    Some(mut handle) => {
+		send_command(&mut handle, &args[1])
+	    },
+	    None => panic!("No Orbic device found"),
+	},
+	Err(e) => panic!("Failed to initialize libusb: {0}", e),
+    }
+}
+
+fn send_command<T: UsbContext>(
+    handle: &mut DeviceHandle<T>,
+    command: &str,
+) {
+    let mut data = String::new();
+    data.push_str("\r\n");
+    data.push_str(command);
+    data.push_str("\r\n");
+
+    let timeout = Duration::from_secs(1);
+    let mut response = [0; 256];
+
+    // Set up the serial port appropriately
+    handle.write_control(0x21, 0x22, 3, 1, &[], timeout).expect("Failed to send control request");
+
+    // Send the command
+    handle.write_bulk(0x2, data.as_bytes(), timeout).expect("Failed to write command");
+
+    // Consume the echoed command
+    handle.read_bulk(0x82, &mut response, timeout).expect("Failed to read submitted command");
+
+    // Read the actual response
+    handle.read_bulk(0x82, &mut response, timeout).expect("Failed to read response");
+
+    let responsestr = str::from_utf8(&response).expect("Failed to parse response");
+    if !responsestr.starts_with("\r\nOK\r\n") {
+	println!("Received unexpected response{0}", responsestr)
+    }
+}
+
+fn switch_device<T: UsbContext>(
+    handle: &mut DeviceHandle<T>,
+) {
+    // Send a command to switch the device into generic mode, exposing serial
+    let timeout = Duration::from_secs(1);
+
+    if let Err(e) = handle.write_control(0x40, 0xa0, 0, 0, &[], timeout) {
+	// If the device reboots while the command is still executing we
+	// may get a pipe error here
+	if e == rusb::Error::Pipe {
+	    return
+	}
+	panic!("Failed to send device switch control request: {0}", e)
+    }
+}
+
+fn open_orbic<T: UsbContext>(
+    context: &mut T,
+) -> Option<DeviceHandle<T>> {
+    // Device after initial mode switch
+    if let Some(handle) = open_device(context, 0x05c6, 0xf601) {
+	return Some(handle)
+    }
+
+    // Device with rndis enabled as well
+    if let Some(handle) = open_device(context, 0x05c6, 0xf622) {
+	return Some(handle)
+    }
+
+    // Device in out-of-the-box state, need to switch to diag mode
+    match open_device(context, 0x05c6, 0xf626) {
+	Some(mut handle) => switch_device(&mut handle),
+	None => panic!("No Orbic device detected")
+    }
+
+    for _ in 1..10 {
+	if let Some(handle) = open_device(context, 0x05c6, 0xf601) {
+	    return Some(handle)
+	}
+	sleep(Duration::from_secs(10))
+    }
+    panic!("No Orbic device detected")
+}
+
+fn open_device<T: UsbContext>(
+    context: &mut T,
+    vid: u16,
+    pid: u16,
+) -> Option<DeviceHandle<T>> {
+    let devices = match context.devices() {
+	Ok(d) => d,
+	Err(_) => return None,
+    };
+
+    for device in devices.iter() {
+	let device_desc = match device.device_descriptor() {
+	    Ok(d) => d,
+	    Err(_) => continue,
+	};
+
+	if device_desc.vendor_id() == vid && device_desc.product_id() == pid {
+	    match device.open() {
+		Ok(handle) => return Some(handle),
+		Err(e) => panic!("device found but failed to open: {}", e),
+	    }
+	}
+    }
+
+    None
+}