TomTom BRIDGE 7" Truck/Pro 8275 (4FI70): Difference between revisions

No edit summary
m typo
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[File:Tomtom0.png|right|300px]]
[[File:Tomtom1.png|right|300px]]
== Overview ==
== Overview ==
The '''TomTom BRIDGE 7" Truck / PRO 8275 (model 4FI70)''' is a ruggedized, enterprise-grade GPS navigation and telematics device designed for commercial fleet and truck operations. It combines dedicated truck navigation with an open Android-based platform, allowing integration with business applications and fleet management systems such as WEBFLEET.
The '''TomTom BRIDGE 7" Truck / PRO 8275 (model 4FI70)''' is a ruggedized, enterprise-grade GPS navigation and telematics device designed for commercial fleet and truck operations. It combines dedicated truck navigation with an open Android-based platform, allowing integration with business applications and fleet management systems such as WEBFLEET.
Line 27: Line 30:
=== System ===
=== System ===
* Operating system: Android 4.3 (14 Jun 2017 kernel patches)
* Operating system: Android 4.3 (14 Jun 2017 kernel patches)
* Build number: '''17.223.2780796.4807.122 OS italia-rel-17.2.21095'''
* CPU: Qualcomm Snapdragon 400 (quad-core, 1.2 GHz)  
* CPU: Qualcomm Snapdragon 400 (quad-core, 1.2 GHz)  
* RAM: 1.5 GB  
* RAM: 1.5 GB  
Line 112: Line 116:


===== Observed behavior =====
===== Observed behavior =====
Testing on the PRO 8275 (Android 4.3 14 Jun 2017 kernel patches) indicated that:
Testing on the PRO 8275 (Android 4.3 with kernel patched up to 14 Jun 2017 and build 17.223.2780796.4807.122 OS italia-rel-17.2.21095) indicated that:
* Certain preinstalled or privileged applications expose functionality that can be accessed via <code>createPackageContext()</code>
* Certain preinstalled or privileged applications expose functionality that can be accessed via <code>createPackageContext()</code>
* In some cases, access controls appeared weaker than expected for a hardened enterprise deployment
* In some cases, access controls appeared weaker than expected for a hardened enterprise deployment
Line 121: Line 125:


Weakness in the system is the widget.json fechter from Internal storage.</br>
Weakness in the system is the widget.json fechter from Internal storage.</br>
 
<blockquote style="font-size: 90%; max-width: 600px;">
com.tomtom.navpad.widgetorganizerlib.WidgetInfoFetcher.fetchInstalledWidgets</br>
<syntaxhighlight lang="java">
com.tomtom.navpad.widgetorganizerlib.WidgetInfoFetcher.fetchInstalledWidgets
</syntaxhighlight>
</blockquote>
and</br>
and</br>
com.tomtom.navpad.widgetorganizerlib.WidgetInfoFetcher.fetchInstalledApplications</br>
<blockquote style="font-size: 90%; max-width: 600px;">
<syntaxhighlight lang="java">
com.tomtom.navpad.widgetorganizerlib.WidgetInfoFetcher.fetchInstalledApplications
</syntaxhighlight>
</blockquote>


<syntaxhighlight lang="java">
Vulnerable function in the WidgetInfoFetcher class in question.
<syntaxhighlight lang="java" highlight="36">
     private void fetchInstalledApplications(Context context, boolean showTestapps) {
     private void fetchInstalledApplications(Context context, boolean showTestapps) {
         Drawable iconDrawable;
         Drawable iconDrawable;
Line 232: Line 244:
</syntaxhighlight>
</syntaxhighlight>


<gallery widths="120px" heights="120px" perrow="3">
<gallery widths="200px" heights="120px" perrow="3">
https://i.ibb.co/0psNg8y4/error-after-injection.jpg|error after injection
File:Error after injection.jpg|Error after injection
https://i.ibb.co/HTHtyDL0/debugintentsender.jpg|DebugIntentSender class
File:Debugintentsender.jpg|DebugIntentSender class on the homescreen
https://i.ibb.co/bgZj324Y/broadcast.jpg|broadcast MASTER_CLEAR intent
File:Broadcast.jpg|Broadcast MASTER_CLEAR intent
</gallery>
 
===== Unlocking Factory Tools =====
Go to About your TomTom device. Now tap Model number 5 times.
<gallery widths="200px" heights="120px" perrow="1">
File:Factory tools.jpg|Factory Tools
</gallery>
</gallery>