SSH into Blackberry OS10
I own a BlackBerry Q10. It's an amazing smartphone. I've owned two Blackberries in the past. The good old Curve 8520 and a decent, but not that great, Torch 9800. On the way I got my hands on Samsung Galaxy Nexus, probably driven to Android by curiosity, but got back to BlackBerry anyway. It's probably because of the straight, candy-less user experience, amazing QWERTY keyboard, connectivity, BBM and, now, irreplaceable, BlackBerry Hub.
Since any BlackBerry with OS10 runs QNX, a Unix-like real-time operating system, I thought it might be worthwhile trying to get under the hood. What triggered my search for way to access the system from the back-door, was the need to extract data from my Google Authenticator app and idea to have a look under the hood. While the process is easy on Android systems, I couldn't find a way to access my Blackberry in any of the described ways (duh! it's a different system!). What is more, BlackBerry devices cannot be rooted as such, or at least, I couldn't have found a way to do so. Thankfully, BlackBerry has s Native SDK tools - Momentics IDE, available as a free download on RIM's website, that make it easier to access QNX layer.
Once I've installed the SDK, all I had to do was to enable Development Mode on my BlackBerry and plug it into my PC. Since I'm running Linux, the device is not recognisable "out of the box". To make it communicate with Linux machine, you have to change Access to Storage settings for USB Connections. This has to be changed from "Autodetect" option to "Connect to Mac":
After this step, I plugged USB, and BlackBerry device was recognised by Linux perfectly.
The Momentics IDE gives the ability to connect to Blackberry OS 10 using SSH, using a built in terminal. I set up connection with the device with Development Mode password.
Now, I could either use the built-in terminal with "Launch SSH Session" option or move to Linux terminal.The IDE GUI lets you have it all in one place; it also provides information on running processes, memory, etc.
As I'm more of a console type of user, I've decided to use terminal anyway.
From the terminal, I generated a 4096 bit key for SSH. Smaller keys just won't work:
% ssh-keygen -t rsa -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/home/bubbl/.ssh/id_rsa): /home/bubbl/.rim/bbt_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/bubbl/.rim/bbt_id_rsa. Your public key has been saved in /home/bubbl/.rim/bbt_id_rsa.
By default, SSH is not listening on BlackBerry device. To start the daemon from console, I used
<mark>blackberry-connect</mark> command, found under
<mark>/path/to/bbndk/host_xx_x_x_xx/linux/x86/usr/bin/</mark>. It uploads public SSH key to the device and starts the SSH daemon on the other side.
-password option is the Development Mode password:
% ./blackberry-connect 169.254.0.1 -password somePassword -sshPublicKey ~/.rim/bbt_id_rsa.pub Info: Connecting to target 169.254.0.1:4455 Info: Authenticating with target 169.254.0.1:4455 Info: Encryption parameters verified Info: Authenticating with target credentials. Info: Successfully authenticated with target credentials. Info: Sending ssh key to target 169.254.0.1:4455 Info: ssh key successfully transferred. Info: Successfully connected. This application must remain running in order to use debug tools. Exiting the application will terminate this connection.
You can connect to your device using Wi-Fi as well, all you have to do is to enable Access using Wi-Fi under Storage and Access settings menu. In second terminal window (as the
blackberry-connect must remain running), I checked if SSH is working on the device:
nmap 169.254.0.1 Starting Nmap 6.00 ( https://nmap.org ) at 2014-06-10 22:49 BST Nmap scan report for 169.254.0.1 Host is up (0.00074s latency). Not shown: 992 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 5555/tcp open freeciv 8000/tcp open http-alt 8443/tcp open https-alt Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds
Now, I could connect to my Q10 with SSH from terminal with
% ssh -i ~/.rim/bbt_id_rsa email@example.com $ uname -a QNX BubBerry 8.0.0 2014/04/30-21:54:52EDT MSM8960_V18.104.22.168_N_R085_Rev:16 armle $ pwd /accounts/devuser $ ifconfig lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 bcm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 address: 40:6f:2a:e9:bb:a6 inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::426f:2aff:fee9:bba6%bcm0 prefixlen 64 scopeid 0x11 bcm1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 address: 40:6f:2a:e9:bb:a2 pflog0: flags=0 mtu 33192 lo2: flags=8048<LOOPBACK,RUNNING,MULTICAST> mtu 33192 msm0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514 address: 02:00:00:00:00:00 media: Ethernet autoselect msm1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514 address: 02:00:00:00:00:01 media: Ethernet autoselect msm2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514 address: 02:00:00:00:00:02 media: Ethernet autoselect msm3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514 address: 02:00:00:00:00:03 media: Ethernet autoselect msm4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514 address: 02:00:00:00:00:04 media: Ethernet autoselect bptp0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1356 inet6 fd38:e983:2c4c:bdf3:1d8d:3649:1583:2425 prefixlen 8 inet6 fe80::426f:2aff:fee9:bba6%bptp0 prefixlen 64 scopeid 0x38 ecm0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 address: 42:6f:2a:e9:bb:a6 inet 169.254.0.1 netmask 0xfffffffc broadcast 169.254.0.3 inet6 fe80::406f:2aff:fee9:bba6%ecm0 prefixlen 64 scopeid 0x39 $ pwd /accounts/devuser $ ls -alh / t-u--g--o- ln Owner Group Size Date Filename total 1911147 drwxr-xr-x 9 root nto 4096 Apr 13 2013 . drwxr-xr-x 9 root nto 4096 Apr 13 2013 .. drwx------ 2 root nto 4096 Apr 13 2013 .boot -rw-rw---- 1 root nto 0 Apr 13 2013 .rootfs -rw------- 1 root nto 12 Jun 06 23:26 .rootfs.os.version -rw-rw---- 1 root nto 12 Apr 13 2013 .rootfs.pps.version -rw------- 1 root nto 12 Jun 06 23:26 .rootfs.radio.version drwxrwx--- 5 root nto 4096 Apr 13 2013 .seed drwxr-xr-x 4 apps nto 4096 Jan 16 2013 accounts lrwxrwxrwx 1 root nto 9 Jun 10 22:52 air -> /base/air drwxr-x--x+ 197 apps nto 12288 Jun 08 14:23 apps drwxrwxr-x 2 root nto 480 May 01 04:00 base lrwxrwxrwx 1 root nto 9 Jun 10 22:52 bin -> /base/bin lrwxrwxrwx 1 root nto 67 Jun 10 22:52 data -> /accounts/1000/appdata/sys.android.gYABgKAOw1czN6neiAT72SGO.ns/data lrwxrwxrwx 1 root nto 17 Jun 10 22:52 db -> /accounts/1000/db drwxr-xr-x 2 root nto 10 May 01 04:00 dev drwxrwxr-x 3 root nto 4096 Dec 04 2012 efs dr-xr-xr-x 2 root nto 0 Jun 10 22:52 enterprise drwxr-xr-x 2 root nto 4096 Apr 07 2013 etc dr-xr-xr-x 2 root nto 0 Jun 10 22:52 fs lrwxrwxrwx 1 root nto 9 Jun 10 22:52 lib -> /base/lib dr-xr-xr-x 2 root nto 0 Jun 10 22:52 mnt lrwxrwxrwx 1 root nto 9 Jun 10 22:52 opt -> /base/opt drwxrwxr-x+ 5 root nto 0 Jun 06 23:17 pps dr-xr-xr-x 2 root nto 978448384 Jun 10 22:52 proc drwxrwxr-x 2 root nto 384 Apr 21 02:26 radio drwxr-x--- 2 root nto 4096 Jun 06 23:12 root lrwxrwxrwx 1 root nto 10 Jun 10 22:52 sbin -> /base/sbin lrwxrwxrwx 1 root nto 13 Jun 10 22:52 scripts -> /base/scripts lrwxrwxrwx 1 root nto 34 Jun 10 22:52 sdcard -> /accounts/1000/shared/misc/android lrwxrwxrwx 1 root nto 14 Jun 10 22:52 services -> /base/services dr-xr-xr-x 2 root nto 0 Jun 10 22:52 sys lrwxrwxrwx 1 root nto 59 Jun 10 22:52 system -> /apps/sys.android.gYABgKAOw1czN6neiAT72SGO.ns/native/system lrwxr-xr-x 1 root nto 10 May 01 04:00 tmp -> /dev/shmem lrwxrwxrwx 1 root nto 9 Jun 10 22:52 usr -> /base/usr drwxr-xr-x 62 root radio 4096 Jun 06 23:22 var
Now I can do more exploring of the QNX system. For now, not much can be done, as the
<strong>devuser</strong> account isn't allowed to do much - this is a development account used for testing purposes. I cannot find a way to SSH into BlackBerry using other accounts, such as
root or default
% ssh -i /home/bubbl/.rim/bbt_id_rsa firstname.lastname@example.org Permission denied (publickey,keyboard-interactive).
The thing is that the BlackBerry SSH daemon not exactly SSH daemon per se. The device relies on SDK tools and Development Mode. The daemon is launched in background once the SDK tools are run. Alas, without the development mode, SSH doesn't work:
Info: Connecting to target 192.168.1.7:4455 Info: Authenticating with target 192.168.1.7:4455 Error: Connection refused: Development mode is not enabled on the device.
And, without root access there is little chance of implementing openssh server on the device. So much for extracting any data from applications, or doing much with the QNX terminal. I guess it's because QNX is a commercial, not open-source, Unix platform. For the time being I can run
vi on my device though.