telnetd backdoor -- getting temporary root easily on Nokia 8110 4g / Firmware v16...


speeduploop

May 4, 2019, 6:46:46 AM
to comp.mobile.nokia.8110
Hi people!

With the new version of the firmware HMD closed a big security hole... which also rendered all temporary roots we had useless.

So I created a new one - in app-form.

What you need:
-- OmniSD --> install as usual, and do the 'privileged factory reset' if you haven't done already.
-- telnetd --> my app zipped for OmniSD (which you can get in 'apps' folder of my cloud-drive --> https://www.magentacloud.de/share/sojjvrui22)

Now start the app and the Select-/Enter-Key will toggle the telnet-server on/off.
If it's on you also see the IP you need to connect to on the display.

So from a PC a simple
telnet 192.168.1.125
will connect you to your phone. (where '192.168.1.125' is just an example - use the IP shown on display...)

Or in an adb-shell you can also use
busybox telnet localhost
which is mostly faster because it then uses USB instead of WLAN.

--> the telnetd-server has root permissions!

You don't need to keep the app in foreground to work - leaving the app doesn't close it - or the telnet-server if it's started.
So you can start the app, start the server, leave the app -- and at a later time 'restart' the app to stop the server.
(it's not really a 'restart' because it stays in background. This is only tested on v16 -- I'm not completely sure if it's a new feature or if it is the same on older firmwares...)

If the app is 'really' closed (by webide for example or probably killed because of extremely low mem) -- then the server will also be stopped.

-- don't use it on public WLANs --> this should be obvious --

have fun!
speeduploop

speeduploop

May 4, 2019, 7:04:39 AM
to comp.mobile.nokia.8110
Hi again!

I have one thing to correct --> If the app is killed because of extremely low memory - the telnet server won't be closed - only the app.
(just tested with an extreme abuse of the browser)
--> so you won't accidentally be locked out.
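
[Added example, not part of the original posts or of the telnetd app: because the root telnet server keeps running after the app is left or killed, this Python check confirms from a PC whether anything still accepts connections on the phone's telnet port before the phone joins another network. Assumptions: the server listens on the default TCP port 23 and opens with telnet option negotiation (IAC, byte 0xFF); the function name is made up for this example.]

```python
import socket
import sys

IAC = 0xFF  # telnet "Interpret As Command" byte (RFC 854)


def telnet_listener_state(host, port=23, timeout=2.0):
    """Probe one host:port and return 'closed', 'open-telnet' or 'open-other'."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, unreachable or timed out: nothing is accepting connections.
        return "closed"
    with conn:
        conn.settimeout(timeout)
        try:
            banner = conn.recv(64)  # first bytes the server volunteers
        except OSError:
            banner = b""  # connected, but the peer stayed silent
    # A telnet server normally starts with IAC option negotiation (assumption
    # for this app's server; a silent or non-telnet listener reports as other).
    return "open-telnet" if IAC in banner else "open-other"


if __name__ == "__main__":
    # Usage: python check_telnetd.py <IP shown on the phone's display> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: check_telnetd.py <phone-ip> [port]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 23
    state = telnet_listener_state(target, target_port)
    print(f"{target}:{target_port} -> {state}")
    # Non-zero exit while a listener is still reachable, so scripts can act on it.
    sys.exit(0 if state == "closed" else 1)
```
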

ProgrammAbel

May 4, 2019, 3:52:43 PM
to comp.mobile.nokia.8110
Yay!

ProgrammAbel

May 5, 2019, 10:02:07 AM
to comp.mobile.nokia.8110
This needs to be pinned...

ProgrammAbel

May 5, 2019, 12:05:41 PM
to comp.mobile.nokia.8110
Can you sideload it via WebIDE?

ProgrammAbel

May 5, 2019, 12:30:15 PM
to comp.mobile.nokia.8110
Nevermind, you can :D

ProgrammAbel

May 7, 2019, 12:54:48 PM
to comp.mobile.nokia.8110
Could a moderator of the B-Hackers Store upload this app to it?

Sylvain D

May 8, 2019, 10:02:52 AM
to comp.mobile.nokia.8110
Telnetd and FTPd are uploaded in B-Hacker's settings category!


speeduploop

May 8, 2019, 10:11:07 AM
to comp.mobile.nokia.8110
Wouldn't 'net-tools' match a bit better?
(and the 'temporary root' hint should be on 'telnetd')

Sylvain D

May 8, 2019, 10:24:56 AM
to comp.mobile.nokia.8110
Updated the 'hint', thank you Speeduploop!
I'm not sure about the category, as Gerdaroot is already there!
Ivan, what do you think?

speeduploop

May 8, 2019, 10:30:09 AM
to comp.mobile.nokia.8110
Yeah - but the root permissions are more a side-effect...
telnetd is a shell-access via wlan - and ftpd can be used as 'normal' file-transfer. (even if it has root access and so can mod files on /data directly)
-- you would need adb/usb less...

Ivan

May 8, 2019, 10:31:33 AM
to comp.mobile.nokia.8110
These tools allow you to perform offline operations, so the "settings" category is just fine. But even uploading the same application into 2 categories is not a bad idea, it would help people find it better (see YouTube and the Google apps).

Actually I had thought of a new "Root" category, or something like that ... but at this point it wouldn't be necessary.

speeduploop

May 8, 2019, 10:36:20 AM
to comp.mobile.nokia.8110
In reality no - all operations are network-operations in the first place... ;)
- but yeah - do as you like...

Sylvain D

May 8, 2019, 10:44:20 AM
to comp.mobile.nokia.8110
Added in both categories!
Is a documentation or manual needed for ftpd?

speeduploop

May 8, 2019, 10:55:03 AM
to comp.mobile.nokia.8110
That's not so easy - because it depends on the ftp-client you use...
Filezilla, 'ftp' on the command-line, your web-browser (for browsing/reading only) - all a bit different.

But probably I'll create a 'new' version of my 'uninstall pre-installed apps'-post using ftpd and Filezilla - which is quite a bit easier than doing it on the command-line.
Or a 'how to get recovery-logs with ftpd and a browser' -- which 'just works' because you can browse /cache/recovery...

I think some 'use-cases' as posts would be better than a how-to in the store.
(ftpd itself is quite simple to use - one button - and it explains itself on start)