This repository contains different tools written in python3 to examine properties of firmware binaries provided by Frontier Smart (former Frontier Silicon - FS) and to interact with the inbuild API. The decompiler used here was forked initially from the dead0007 repository.
Allthough there are some repositories that focus on that specific API, the implementation provided here contains all available Nodes that were invented/developed by Frontier Smart. The nodes were converted from java source code (The Tool is also in this repository).
In order to use the tools provided by this repository, almost all available firmware binaries are located in the folder bin/. Most of them were forked from here.
Table of Contents
A detailed review of the firmware binaries that are used to update Frontier Smart devicesis provided in the following document: firmware-2.0. The FSAPI (NetRemoteApi) by Frontier-Smart is described here: frontier-smart-api documentation. For decompiling the ECMAScript
Important Notice: The fisu module is deprecated and should not be used. All functionalities were ported to the isu sub-module of fsapi. Usage information and examples are given in the fsapi.isu documentation.
Notice (UNIX only): Since version 0.2.0 there is another sub-module placed in the fsapi directory - named ecmascript. Its functionalities are described in the fsapi.ecmascript part of the documentation.
As stated above, this repository provides a uitlity to interact with the FSAPI (Frontier Smart API) and a research on how the firmware binaries are structured. Devices and Apps used within the research:
Medion MD87805, Apps:Lifestream IIandUNDOK
The source code for these apps were retrieved directly from a mobile device with the adb-tool:
# list all installed packages and search for the app
$ adb pm list packages
# get the path to the specified app
$ adb pm path ${app.package.com}
# pull the source code to the local machine
$ adb pull $PATH_TO_APK_FILE $LOCAL_PATHIn order to view the decompiled java-code, the jadx
-decompiler and jadx-gui were used. This tool also provides an export function to save the decompiled java sources locally.
The source code contains a package called src/com/frontier_silicon/NetRemoteLib/Node/ where all available nodes are stored/ implemented with a java class each. There was also a tool created to convert these classes into python classes. To use the generated code you have to copy this python file. Update: When converting the Java-classes to Python code, four nodes won't be covered by default. Since 0.2.2 there are additional pre-defined Java-Classes that have to be copied before generating the nodes.
Lets take a look at the network traffic produced by the internet radio. In order to capture all packets, a proxy could be very useful. Because there is no possibility to setup a simple proxy on that device, the traffic was captured directly on the connected wifi access point.
Anyway, if you want to intercept traffic of the mobile device where an app is running, the following steps are required:
Setting up a simple proxy
- ZAP: Goto Options > Dynamic SSL Certificate > Generate and save the file to the local storage
- Copy the
cert-file to the internal storage of the device - Android: Goto Settings > Search > Type
Certificate> CA Certificate > Install Anyway and choose the file from the internal storage - ZAP: Goto Options > Local Proxies and remove the address of the proxy server > Ok
- Android: Goto Settings > wifi > select the current wifi > Change Proxy to manual and enter host address of the proxy server together with the port.
- Start the app
- Burp: Goto Proxy > Options > Add Proxy Listener, select bind to all Interfaces and provide a custom port
- Android: visit http://burpsuite to download CA-Certificate > installation same with the ZAP proxy
- Start the app
A quick look at the produced network traffic in wireshark reveals some interesting facts:
* The communication between the device and clients is handled
with HTTP
* Specific URLs are queried when looking for a software update.
These are:
> update.wifiradiofrontier.com/FindUpdate.aspx
> update.wifiradiofrontier.com/Update.aspx
The first URL returns 404 or 403 if no update is available. Is an update available, there will be a XML-response by the first URL-query. The structure is mentioned at the class defintion of ISUSoftwareElement.
The firmware binaries are located at the second URL with the mandatory parameter f=/updates/xxx. The name of the file is structured as follows:
> ir-$MODULE-$INTERFACE-$IFACEVERSION-${MODEL}_V$VERSION.$REVISION-$BRANCH
# on the internet radio device used here this expands to
> ir-mmi-FS2026-0500-0549_V2.12.25c.EX72088-1A12Note that the file name in the URL replaces the _V with a simple dot. To download an update file, you can use the fsapi module directly. The following command collects all firmware binaries specified in the given file.
$ python3 -m fsapi isu --file ./bin/updates.txt --verbose
# alternative with local device:
$ python3 -m fsapi isu --find --collect myFile $IP_ADDRESS --verboseThere are two tools included in this repository together with two python modules: isu_inspector and fisu, fsapi_tool and fsapi. Installation instructions follow:
Installation
Make sure you have installed the latest version of python setuptools and pip:
$ pip install setuptoolsThis respository uses setuptools to install the python packages locally. All dependnecies used by the provided libraries should be installed by default. To install the preferred package, just type the following command:
$ pip install .This command should install the selected library to the local site-packages. Now, you are good to go - execute the module with
python3 -m $module --help$ python3 -m fsapi.isu --help
usage: __main__.py [-h] -if IF [-of OF] [--verbose] [-insp INSP] [--header] [--archive] [-e] [--core]
optional arguments:
-h, --help show this help message and exit
-if IF The input file (must have the *.isu.bin or *.ota.bin extension)
-of OF The output file (Format: XML).
--verbose Prints useful information during the specified process.
-insp INSP Sets the ISUInspector descriptor, which will be used to retrieve the inspector instance.
information gathering:
--header Parses the header of the given file and extracts information.
--archive Parses the directory archive.
extract data:
-e, --extract Extract data (usually combined with other parameters).
--core Extract the compressed core partition source.
Example of isu_inspector.py:
$ python3 -m fsapi.isu -if bin/FS2026/0500/ir-mmi-FS2026-0500-0015.2.5.15.EX44478-1B9.isu.bin --header --verbose
╦╔═╗╦ ╦ ╦┌┐┌┌─┐┌─┐┌─┐┌─┐┌┬┐┌─┐┬─┐
║╚═╗║ ║───║│││└─┐├─┘├┤ │ │ │ │├┬┘
╩╚═╝╚═╝ ╩┘└┘└─┘┴ └─┘└─┘ ┴ └─┘┴└─
───────────────────────────────────────────
[+] Analyzing ISU File header...
- MeOS Version: 1
- Version: '2.5.15.EX44478-1B9'
| SDK Version: IR2.5.15 SDK
| Revision: 44478
| Branch: None
- Customisation: 'ir-mmi-FS2026-0500-0015'
| DeviceType: internet radio
| Interface: multi media interface
| Module: Venice 6 (version=0500)
[+] SystemEntries:
- SysEntry: type=0, partition=1, web_partition=False
- SysEntry: type=0, partition=2, web_partition=True
- SysEntry: type=1, partition=14, web_partition=False
[+] Declared Fields:
- DecompBuffer: Buffer=2957053952
- CompSize: Size=1384319
- DecompSize: Size=2621504
- CodeSize: Size=7760
- CompBuffer: Buffer=2952790016
$ python3 -m fsapi --help
usage: __main__.py [-h] [-W PIN] [-v] {explore,isu,get,set,list} ... target
positional arguments:
{explore,isu,get,set,list}
sub-commands:
explore Node Exploration
isu ISU Firmware Context
get Request a simple property
set Apply a value to a stored property.
list Query property lists
optional arguments:
-h, --help show this help message and exit
Global options:
target The host address in IPv4 format.
-W PIN, --pin PIN A PIN used by the device (default 1234).
-v, --verbose Prints useful information during the specified process.
Example of fsapi_tool.py:
$ python3 -m fsapi set -n netRemote.sys.info.friendlyName --args value:MedionIR $IP_ADDRESS
[+] fsapiResponse of netRemote.sys.info.friendlyName:
- status: FS_OK
$ python3 -m fsapi get -n netRemote.sys.info.friendlyName $IP_ADDRESS
[+] fsapiResponse of netRemote.sys.info.friendlyName:
- status: FS_OK
- value: MedionIR
- readonly: False
- notifying: True
$ python3 -m fsapi isu --find $IP_ADDRESS
[+] Generating current URL...
- url: https://update.wifiradiofrontier.com/Update.aspx?f=/updates/ir-mmi-FS2026-0500-0549.2.12.25c.EX72088-1A12.isu.bin
This module/tool is still under development and can cause errors an execution. Also, this tool can only be called on UNIX systems that are able to execute the ./decompiler/ecma-decompiler binary.
$ py -m fsapi.ecmascript --help
usage: __main__.py [-h] [-d] [-o OUT] [--use-decompiler DECOMPATH] [-r] path
positional arguments:
path The target file that will be used to operate on.
optional arguments:
-h, --help show this help message and exit
-d, --decompile Indicates that the given input file should be decompiled.
-o OUT, --out OUT The path were the decompiled output should be saved.
--use-decompiler DECOMPATH
Specifies the path to the decompiler.
-r, --recurse Indicates that all files in the given directory should be
decompiled
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Distributed under the MIT License. See MIT.txt for more information.