rename log tailler

.gitignore

@@ -1,2 +1,3 @@
 .~lock.*#
 *.swp
+output.json

README.md

@@ -2,6 +2,10 @@
 `pysalx` - scripts for interacting with the SciAps XRF and LIBS analyzers.
 
 
+# Status
+Alpha software under development.
+
+
 # Installation
 Tools to interact with the device are available in most free software
 oriented distributions, such as Debian.
@@ -22,6 +26,12 @@ See `./scripts/` directory in this repo for current scripts.
 
 Current scripts:
 
+* `pysalx-api-config` --- Get analyzer configuration via API.
+* `pysalx-api-id` --- Get analyzer ID via API.
+* `pysalx-api-port` --- Forward web port 8080 via USB to localhost.
+* `pysalx-api-status` --- Get analyzer status via API.
+* `pysalx-api-test` --- Do Analyzer test via API.
+* `pysalx-api-wlcalibration` --- Get analyzer wavelength calibration via API.
 * `pysalx-backup-export` --- Backup the export directory, with spectra from
    templates.
 * `pysalx-backup-extsd` --- Backup the ext SD card.
@@ -29,15 +39,9 @@ Current scripts:
 * `pysalx-backup-sd` --- Backup the SD card.
 * `pysalx-date-set` --- Set time/date on analyzer using workstation's time.
 * `pysalx-install-deps` --- Install script dependencies (initial setup).
-* `pysalx-tail-log` --- View the analyzer logfile in semi-real-time.
-
-
-TODO HOWTOs
-
-* Connect to device.
-* Copy SD card data, such as samples and photos.
-* Mount device.
-* Initiate sampling remotely via USB and/or wifi.
+* `pysalx-record` --- Display device screen. XXX TODO
+* `pysalx-screen` --- Display device screen on workstation.
+* `pysalx-log` --- View the analyzer logfile in semi-real-time.
 
 
 ## Usage
@@ -73,6 +77,16 @@ debian@workstation:~$ adb shell tail -f /storage/sdcard0/ngl.log
 See more notes in the `doc/` directory.
 
 
+# Other Useful Apps
+To view the screen of the device remotely via USB, install
+`scrcpy`.
+
+```
+sudo apt update
+sudo apt install scrcpy
+./scripts/
+```
+
 # SciAps Analyzers
 In sum, they are Android-derived 64-bit ARM systems.
 So they interact with standard free software Android

doc/HARDWARE.md

@@ -1,4 +1,116 @@
 # Hardware
+
+## X-555
+```
+root@ngx:/ # free
+             total         used         free       shared      buffers
+Mem:        940860       768020       172840            0         4440
+-/+ buffers:             763580       177280
+Swap:       524284        48272       476012
+
+root@ngx:/ # cat /proc/cpuinfo
+Processor	: AArch64 Processor rev 0 (aarch64)
+processor	: 0
+processor	: 1
+processor	: 2
+processor	: 3
+Features	: fp asimd evtstrm crc32
+CPU implementer	: 0x41
+CPU architecture: 8
+CPU variant	: 0x0
+CPU part	: 0xd03
+CPU revision	: 0
+
+Hardware	: Qualcomm Technologies, Inc APQ8016
+
+root@ngx:/ # df
+Filesystem               Size     Used     Free   Blksize
+/dev                   459.4M    52.0K   459.4M   4096
+/sys/fs/cgroup         459.4M    12.0K   459.4M   4096
+/mnt/asec              459.4M     0.0K   459.4M   4096
+/mnt/obb               459.4M     0.0K   459.4M   4096
+/system                  1.2G     1.1G    81.0M   4096
+/data                    4.8G   243.9M     4.6G   4096
+/cache                 248.0M   152.0K   247.8M   4096
+/persist                27.5M   168.0K    27.3M   4096
+/firmware               64.0M    19.0M    44.9M   16384
+/storage/extsdcard      14.4G    58.4M    14.4G   4096
+/mnt/media_rw/sdcard0    15.0G    11.2M    15.0G   8192
+/mnt/secure/asec        15.0G    11.2M    15.0G   8192
+/storage/sdcard0        15.0G    11.2M    15.0G   8192
+```
+
+## CPU
+Qualcomm APQ8016, aka "Snapdragon 410".
+
+
+* https://www.qualcomm.com/products/apq8016e
+
+* Spec sheet:
+https://www.qualcomm.com/media/documents/files/snapdragon-410e-apq-8016e-data-sheet.pdf
+
+* Product brief:
+https://www.qualcomm.com/media/documents/files/apq8016e-product-brief.pdf
+
+Spec:
+* Quad Core ARM Cortex A53, 1.2GHz
+* 64-bit/32-bit
+
+
+The initial release of the chip was 2015. The `E` part (revision)
+was in 2016.
+
+
+## Wifi
+On Qualcomm SoC.
+
+Spec:
+* 802.11a/b/g, 802.11n
+
+
+## Bluetooth
+On Qualcomm SoC.
+
+Spec:
+* Bluetooth 4.1
+
+
+## GPS
+SoC has GPS, but it appears analyzer uses device tethering to
+acquire GPS signals.
+
+
+## GPU
+On Qualcomm SoC.
+
+* Adreno 306 GPU
+
+
+## eMMC
+
+Spec:
+* eMMC 4.5
+
+
+## SD
+
+Spec:
+* 3.0 (UHS-I)
+
+
+## Memory
+On Qualcomm SoC.
+
+* LPDDR2, LPDDR3
+
+* 533MHz
+
+
+## Display
+* ILITEK LCD ?
+
+
+## Z-903
 ```
 root@ngl:/ # free
              total         used         free       shared      buffers

doc/MISC.md

@@ -3,3 +3,85 @@
 * Device powered off screen from ESD. Went to touch screen,
 small zap, screen went blank, green light on top.
 
+
+# Files of Note
+
+## X-555
+These are open/running per `lsof`:
+
+* `/system/bin/XRFService`
+* `/system/bin/XRFComputeService`
+* `/system/bin/thermal-engine`
+* `/system/vendor/lib64/libvendorconn.so`
+* `/system/bin/surfaceflinger`
+* `/system/bin/rfs_access`
+* `/system/bin/tftp_server` `<---`
+* `/system/bin/rmt_storage`
+* `/system/bin/netd`
+* `/system/bin/debuggerd` `/system/bin/debuggerd64`
+* `/system/bin/mediaserver`
+* `/system/bin/installd`
+* `/system/bin/qcom-system-daemon`  `<---`
+* `/system/bin/ptt_socket_app` 
+* `/system/bin/app_process64`, `zygote64` user
+* `/system/framework/framework-res.apk`, `/system/framework/core-libart.jar`
+* `/system/bin/dpmd`
+* `/system/bin/cnss-daemon`
+* `/dev/smem_log`
+* `/system/bin/loc_launcher`
+* `/system/bin/mm-qcamera-daemon`
+* `/system/bin/time_daemon`  Once upon a time...
+* `/system/bin/audiod`
+* `/system/bin/sh` Everybody's favorite app.
+* `/system/vendor/lib64/libdpmctmgr.so`
+* `/system/bin/location-mq`
+* `/system/bin/xtwifi-inet-agent`
+* `/data/app/com.sciaps.xrf-1/base.apk`
+* `/data/app/com.sciaps.ngxhome-1/base.apk`
+* `/system/app/AntHalService/AntHalService.apk`
+* `/system/priv-app/Telecom/Telecom.apk`
+* `/system/priv-app/com.qualcomm.location/com.qualcomm.location.apk`
+* `/system/framework/com.android.location.provider.jar`
+* `/system/priv-app/MediaProvider/MediaProvider.apk`
+* `/system/priv-app/DownloadProvider/DownloadProvider.apk`
+* `/data/data/com.android.providers.downloads/databases/downloads.db`
+* `/data/data/com.android.providers.media/databases/external-43c1bc6d.db`
+* `/data/data/com.android.providers.media/databases/external-43c1bc6d.db-shm`
+* `/data/data/com.android.providers.media/databases/external-43c1bc6d.db-wal`
+* `/data/data/com.android.providers.media/databases/internal.db`
+* `/data/data/com.android.providers.media/databases/internal.db-wal`
+* `/data/data/com.android.providers.media/databases/internal.db-shm`
+* `/data/data/com.android.providers.media/databases/internal.db`
+* `/data/data/com.android.providers.media/databases/internal.db-wal`
+* `/system/bin/sdcard`
+* `/mnt/media_rw/sdcard0/sciaps/xrf.log`
+* `/mnt/media_rw/sdcard0/Android/data/com.sand.airdroid/files/main.log`
+* `/mnt/media_rw/sdcard0/Android/data/com.sand.airdroid/files/push.log`
+* `/system/app/LatinIME/LatinIME.apk`
+* `/data/data/com.android.inputmethod.latin/databases/pendingUpdates.com.android.inputmethod.latin`
+* `/system/priv-app/CNEService/CNEService.apk` --- Some programmer has wry
+  humor naming that service.
+* `/system/framework/com.quicinc.cne.jar`
+* `/system/app/RCSBootstraputil/RCSBootstraputil.apk`
+* `/system/priv-app/TeleService/TeleService.apk`
+* `/system/priv-app/TelephonyProvider/TelephonyProvider.apk`
+* `/data/data/com.android.providers.telephony/databases/cdmacalloption.db`
+* `/data/data/com.android.providers.telephony/databases/HbpcdLookup.db`
+* `/system/app/PhoneFeatures/PhoneFeatures.apk`
+* `/system/framework/qcrilhook.jar`
+* `/data/data/com.android.providers.telephony/databases/telephony.db`
+* `/data/data/com.android.providers.telephony/databases/mmssms.db`
+* `/system/app/GsmTuneAway/GsmTuneAway.apk`
+* `/system/app/QtiDdsSwitchService/QtiDdsSwitchService.apk`
+* `/system/app/datastatusnotification/datastatusnotification.apk`
+* `/system/app/xdivert/xdivert.apk`
+* `/system/app/Stk/Stk.apk`
+* `/storage/extsdcard/db/UsersAndPermissions.db`
+* `/system/app/WAPPushManager/WAPPushManager.apk`
+* `/system/app/qcrilmsgtunnel/qcrilmsgtunnel.apk`
+* `/system/priv-app/SystemUI/SystemUI.apk`
+* `/system/priv-app/Dialer/Dialer.apk`
+* `/system/app/SnapdragonCamera/SnapdragonCamera.apk`
+* `/system/bin/drmserver`
+* `/system/bin/rild`
+

doc/NET.md

@@ -1,5 +1,11 @@
 # Network
 
+## Static IP
+Both X-555 and Z-903 use IP `192.168.42.129` statically assigned,
+hardcoded in a binary. They also set IP via DHCP when connecting
+via wifi.
+
+## tftp_server
 ```
 # from lsof:
 /system/bin/tftp_server
@@ -8,3 +14,5 @@ root@ngl:/ # netstat
 Proto Recv-Q Send-Q Local Address          Foreign Address        State
  tcp       0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN
 ```
+
+

doc/SEC.md

@@ -1,5 +1,11 @@
 # Security
-Quick evaluation is it is basically and older Android device, likely
+aka, I'd rather be teaching an AI to categorize spectra, but since I
+can't do that, I'm sitting around doing this in the interim.
+
+* https://spacecruft.org/spacecruft/pysalx/issues/1
+
+
+Quick evaluation is it is basically an older Android device, likely
 vulnerable to a wide range of older attacks. Has wifi, bluetooth,
 maybe even GSM...
 
@@ -38,5 +44,125 @@ Not sure this is necessary... (?)
 /system/framework/com.android.location.provider.jar
 ```
 
-Uses SELinux kernel.
+Uses SELinux kernel, may even have that old special hole! `:)`
+(cf. Brad Spengler attack).
+
+
+# Net
+When connected to wifi the device tries to connect to port `80` of
+IP `142.250.72.14`, which is allocated to `Google LLC`.
+
+
+It also tries to connect to port `443` of IP `157.240.19.19`.
+That IP is owned by `Facebook, Inc.` Not sure why that is needed.
+
+
+# Binaries
+The busybox binaries are (ancient) 32-bit(?).
+
+```
+$ file xbin/zcat 
+xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped
+```
+
+# Vulnerability Surface
+The analyzers have Android on board, which is generally well documented.
+There have been numerous Android security holes published in the last
+decade or so. The analyzers have a lot of binaries dating back many versions,
+some as old as 2013.
+
+
+# Attack Surface
+
+* Wifi
+
+* Bluetooth
+
+* Cell ?
+
+* USB
+
+# Hypothetical Scenarios
+Nature of attacks, once exploited.
+
+* Device can be fed bogus data. For example, hack a competitor's device to
+say there's no gold when there is gold.
+
+* Nefarious polluting company could root EPA's device
+when they come inspect contaminated land, and make the device's readings
+say everything is ok.
+
+* Attacker sells bullion to vendor. Vendor tests with analyzer, which
+attacker has rooted. Grade of bullion is found to be pure, when fake.
+Vendor overpays for fake metal.
+
+* Device can be a remote access point back into a corporate network.
+Since the device is taken into the field and back into corporate offices,
+it makes it an ideal vector to further penetrate networks. An employee
+takes the analyzer into the field, exploitation and implant occurs, the
+employee takes analyzer back to office to download data. In doing so,
+they connect the analyzer to the network (e.g. even via USB), where the
+device then phones home back to attackers.
+
+* Safety features of the device can be overridden, causing it to emit
+xray or laser power beyond default limits.
+
+
+# Misc
+
+* All devices have the same static IP hardcoded in binary.
+
+* The devices query remote servers on port `80` in cleartext. This can be
+easily hijacked and fed false data.
+
+
+# CVE
+The system is running kernel `3.10.49` which has a vast list of known
+vulnerabilities.
+
+
+## Known Kernel Holes:
+The system uses Linux kernel `3.10.49`. This kernel was released
+July 17th, 2014. Release announcement:
+
+* https://lwn.net/Articles/605933/
+
+
+There were twenty-five Kernel 3.10.49 vulnerabilities disclosed in 2021:
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23222
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46283
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715
+
+...
+
+* This doozy is considered a top 25. Nice how it has a CVE from 2018,
+but disclosure in 2021! :)
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25020 
+
+...
+
+* Too numerous to list for now...
+
+## Other Known Issues
+The `3.10` kernel series was declared a LTS kernel by Greg KH in 2013.
+This blog post linked below from 2017 reflects back on it's history. 
+In that post it says there were `3,456` known unfixed bugs in the
+`3.10.49` kernel in 2017. The number has likely increased.
+
+https://wtarreau.blogspot.com/2017/11/look-back-to-end-of-life-lts-kernel-310.html
+
+The last release in the stable 3.10 series was `3.10.108`, which was
+released November 4th, 2017.
+
+The post was released by the kernel developer that made the 3.10.108
+commit to the official linux-stable archive. Last line, from 2017:
+
+
+*So it's really time to switch now! 3.10 is dead.*
 

scripts/pysalx-api-acquire

@@ -0,0 +1,11 @@
+#!/bin/bash
+# Acquire a sample via API
+
+# XXX kruft
+SCIAPSIP=`cat ~/.sciaps-ip`
+SCIAPSPORT=`cat ~/.sciaps-port`
+
+#curl -X POST -H "Content-Type: application/json" -d @settings.json --output output.json http://192.168.1.1:8080/api/v2/acquire/all?mode=Alloy
+
+curl -X POST -H "Content-Type: application/json" -d @settings.json --output output.json http://$SCIAPSIP:$SCIAPSPORT/api/v2/acquire/all?mode=Alloy
+

scripts/pysalx-api-config

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Get Analyzer Configuration via API
+
+# XXX kruft
+SCIAPSIP=`cat ~/.sciaps-ip`
+SCIAPSPORT=`cat ~/.sciaps-port`
+
+curl									\
+	http://$SCIAPSIP:$SCIAPSPORT/api/v2/config
+

scripts/pysalx-api-id

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Get Analyzer ID via API
+
+# XXX kruft
+SCIAPSIP=`cat ~/.sciaps-ip`
+SCIAPSPORT=`cat ~/.sciaps-port`
+
+curl									\
+	http://$SCIAPSIP:$SCIAPSPORT/api/v2/id
+

scripts/pysalx-api-port-forward

@@ -0,0 +1,17 @@
+#!/bin/bash
+# The API listens on port 8080 on the device.
+# That can be connected to while using the device's
+# shell (e.g. `adb shell`), or remotely via the
+# DHCP assigned IP or the static IP 192.168.42.129.
+#
+# This script will allow you to access the device's API,
+# when plugged in via USB, on port 8080 of the local
+# workstation.
+# So, for example after running this, you can hit this
+# from the workstation:
+# http://127.0.0.1:8080/api/v2/status
+
+set -x
+
+adb forward tcp:8080 tcp:8080
+

scripts/pysalx-api-status

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Get Analyzer status via API
+
+# XXX kruft
+SCIAPSIP=`cat ~/.sciaps-ip`
+SCIAPSPORT=`cat ~/.sciaps-port`
+
+curl									\
+	http://$SCIAPSIP:$SCIAPSPORT/api/v2/status
+

scripts/pysalx-api-test

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Do Analyzer test via API
+
+# XXX kruft
+SCIAPSIP=`cat ~/.sciaps-ip`
+SCIAPSPORT=`cat ~/.sciaps-port`
+
+curl									\
+	-X POST								\
+	-H "Content-Type: application/json"				\
+	-d '{}'								\
+	--output output.json						\
+	http://$SCIAPSIP:$SCIAPSPORT/api/v2/test
+

scripts/pysalx-api-wlcalibration

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Get Analyzer wavelength calibration via API
+
+# XXX kruft
+SCIAPSIP=`cat ~/.sciaps-ip`
+SCIAPSPORT=`cat ~/.sciaps-port`
+
+curl									\
+	http://$SCIAPSIP:$SCIAPSPORT/api/v2/wlcalibration
+

scripts/pysalx-backup-export

@@ -4,9 +4,7 @@
 
 set -x
 
-NOW=`date +%Y%m%d%H%M%S`
+mkdir -p "./export"
 
-mkdir -p "./$NOW"
-
-adb pull -a /storage/sdcard0/export/ "./$NOW"
+adb pull -a /storage/sdcard0/export/ "./"
 

scripts/pysalx-backup-export-now

@@ -0,0 +1,12 @@
+#!/bin/bash
+# Script to backup the extsdcard on the analyzer.
+# It will create a timestamped directory.
+
+set -x
+
+NOW=`date +%Y%m%d%H%M%S`
+
+mkdir -p "./$NOW"
+
+adb pull -a /storage/sdcard0/export/ "./$NOW"
+

scripts/pysalx-backup-sampledetect

@@ -0,0 +1,12 @@
+#!/bin/bash
+# Script to backup the sampledetect directory on the analyzer.
+# It will create a timestamped directory.
+
+set -x
+
+NOW=`date +%Y%m%d%H%M%S`
+
+mkdir -p "./$NOW"
+
+adb pull -a /storage/sdcard0/sciaps/sampledetect/ "./$NOW"
+

scripts/pysalx-date-set

@@ -4,6 +4,8 @@
 
 # sudo ntpdate time.mit.edu
 
+echo "Be the root"
+adb root
 echo "Current time on analyzer"
 adb shell busybox date
 echo
@@ -13,4 +15,12 @@ adb shell busybox date -s \"$NOW\"
 echo
 echo "Current time on analyzer"
 adb shell busybox date
+echo
+echo "Write time to hardware clock"
+adb shell hwclock -w -u
+echo "Current hardware clock time"
+adb shell hwclock -u
+
+# Set the timezone, ala:
+#setprop persist.sys.timezone "America/Denver"
 

scripts/pysalx-log

@@ -5,5 +5,5 @@
 set -x
 
 adb root
-adb shell tail -f /storage/sdcard0/ngl.log
+adb shell tail -f /sdcard/sciaps/xrf.log
 

scripts/pysalx-screen

@@ -0,0 +1,17 @@
+#!/bin/bash
+# Connect & run scrcpy
+
+adb root
+
+scrcpy						\
+	--window-x=240				\
+	--window-y=320				\
+	--window-width=480			\
+	--window-height=640			\
+	--window-title="SciAps XRF X555"	\
+	--lock-video-orientation=0		\
+	--hid-keyboard				\
+	--disable-screensaver			\
+	--stay-awake				\
+	--always-on-top
+

scripts/pysalx-shell

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Thi script will give you a root shell on the analyzer
+
+set -x
+
+adb root
+adb shell
+