June 11, 2014 · bbos10 blackberry console debian development hacks linux openssh q10 qnx shell ssh tricks unix vim

SSH into Blackberry OS10

I own a BlackBerry Q10. It's an amazing smartphone. I've owned two BlackBerries in the past: the good old Curve 8520 and a decent, but not that great, Torch 9800. On the way I got my hands on a Samsung Galaxy Nexus, probably driven to Android by curiosity, but got back to BlackBerry anyway. It's probably because of the straight, candy-less user experience, amazing QWERTY keyboard, connectivity, BBM and the now irreplaceable BlackBerry Hub.

Since any BlackBerry with OS10 runs QNX, a Unix-like real-time operating system, I thought it might be worthwhile trying to get under the hood. What triggered my search for a way to access the system from the back-door was the need to extract data from my Google Authenticator app and the idea to have a look under the hood. While the process is easy on Android systems, I couldn't find a way to access my BlackBerry in any of the described ways (duh! it's a different system!). What is more, BlackBerry devices cannot be rooted as such, or at least, I couldn't find a way to do so. Thankfully, BlackBerry has Native SDK tools - Momentics IDE, available as a free download on RIM's website, that make it easier to access the QNX layer.

Once I had installed the SDK, all I had to do was to enable Development Mode on my BlackBerry and plug it into my PC. Since I'm running Linux, the device is not recognised "out of the box". To make it communicate with a Linux machine, you have to change the Access to Storage settings for USB Connections. This has to be changed from the "Autodetect" option to "Connect to Mac":

Connect to BlackBerry

After this step, I plugged in USB, and the BlackBerry device was recognised by Linux perfectly.

The Momentics IDE gives the ability to connect to BlackBerry OS 10 using SSH, using a built-in terminal. I set up the connection with the device using the Development Mode password.


Now, I could either use the built-in terminal with the "Launch SSH Session" option or move to a Linux terminal. The IDE GUI lets you have it all in one place; it also provides information on running processes, memory, etc.

BlackBerry Momentics

As I'm more of a console type of user, I've decided to use terminal anyway.

From the terminal, I generated a 4096 bit key for SSH. Smaller keys just won't work:

% ssh-keygen -t rsa -b 4096 
Generating public/private rsa key pair. 
Enter file in which to save the key (/home/bubbl/.ssh/id_rsa): /home/bubbl/.rim/bbt_id_rsa 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/bubbl/.rim/bbt_id_rsa. 
Your public key has been saved in /home/bubbl/.rim/bbt_id_rsa.pub.
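
An added example, not part of the original post: a check that a public key is RSA with at least the 4096-bit modulus the post reports as required, done by parsing the OpenSSH public key format before the file is handed to blackberry-connect. The function names are hypothetical, and the sample keys are constructed from made-up moduli and are not usable keys.

```python
import base64
import struct

MIN_BITS = 4096  # size the post reports as the minimum that works

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string/mpint)."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[offset:end])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def rsa_key_bits(pubkey_line):
    """Return the modulus size in bits of an 'ssh-rsa AAAA... comment' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_field(blob, 0)
    if fields[0] != "ssh-rsa" or key_type != b"ssh-rsa":
        raise ValueError("not an RSA key")
    _exponent, off = _read_field(blob, off)
    modulus, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(modulus, "big").bit_length()

def key_is_acceptable(pubkey_line, min_bits=MIN_BITS):
    try:
        return rsa_key_bits(pubkey_line) >= min_bits
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False

def make_sample_line(bits):
    """Constructed input: an ssh-rsa line with a fake modulus of `bits` bits."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    def mpint(n):
        # mpints are signed; a leading zero byte keeps a high-bit value positive
        return field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    n = (1 << (bits - 1)) | 1  # not a real RSA modulus
    blob = field(b"ssh-rsa") + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    print({b: key_is_acceptable(make_sample_line(b)) for b in (2048, 4096)})
```
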

By default, SSH is not listening on the BlackBerry device. To start the daemon from the console, I used the blackberry-connect command, found under /path/to/bbndk/host_xx_x_x_xx/linux/x86/usr/bin/. It uploads the public SSH key to the device and starts the SSH daemon on the other side. The -password option is the Development Mode password:

% ./blackberry-connect -password somePassword -sshPublicKey ~/.rim/bbt_id_rsa.pub 
Info: Connecting to target 
Info: Authenticating with target 
Info: Encryption parameters verified 
Info: Authenticating with target credentials. 
Info: Successfully authenticated with target credentials. 
Info: Sending ssh key to target 
Info: ssh key successfully transferred. 
Info: Successfully connected. 
This application must remain running in order to use debug tools. 
Exiting the application will terminate this connection.

You can connect to your device using Wi-Fi as well; all you have to do is enable Access using Wi-Fi under the Storage and Access settings menu. In a second terminal window (as blackberry-connect must remain running), I checked if SSH is working on the device:

Starting Nmap 6.00 ( https://nmap.org ) at 2014-06-10 22:49 BST 
Nmap scan report for 
Host is up (0.00074s latency). 
Not shown: 992 closed ports 
22/tcp open ssh 
80/tcp open http 
139/tcp open netbios-ssn 
443/tcp open https 
445/tcp open microsoft-ds 
5555/tcp open freeciv 
8000/tcp open http-alt 
8443/tcp open https-alt 
Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds

Now, I could connect to my Q10 with SSH from the terminal as the devuser user:

% ssh -i ~/.rim/bbt_id_rsa devuser@
$ uname -a
QNX BubBerry 8.0.0 2014/04/30-21:54:52EDT MSM8960_V3.2.1.1_N_R085_Rev:16 armle
$ pwd
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
    inet netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
bcm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    address: 40:6f:2a:e9:bb:a6
    inet netmask 0xffffff00 broadcast
    inet6 fe80::426f:2aff:fee9:bba6%bcm0 prefixlen 64 scopeid 0x11
bcm1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
    address: 40:6f:2a:e9:bb:a2
pflog0: flags=0 mtu 33192
lo2: flags=8048<LOOPBACK,RUNNING,MULTICAST> mtu 33192
msm0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514
    address: 02:00:00:00:00:00
    media: Ethernet autoselect
msm1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514
    address: 02:00:00:00:00:01
    media: Ethernet autoselect
msm2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514
    address: 02:00:00:00:00:02
    media: Ethernet autoselect
msm3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514
    address: 02:00:00:00:00:03
    media: Ethernet autoselect
msm4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1514
    address: 02:00:00:00:00:04
    media: Ethernet autoselect
bptp0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1356
    inet6 fd38:e983:2c4c:bdf3:1d8d:3649:1583:2425 prefixlen 8
    inet6 fe80::426f:2aff:fee9:bba6%bptp0 prefixlen 64 scopeid 0x38
    address: 42:6f:2a:e9:bb:a6
    inet netmask 0xfffffffc broadcast
    inet6 fe80::406f:2aff:fee9:bba6%ecm0 prefixlen 64 scopeid 0x39
$ pwd
$ ls -alh /
t-u--g--o- ln Owner     Group          Size Date         Filename
total 1911147
drwxr-xr-x   9 root      nto            4096 Apr 13  2013 .
drwxr-xr-x   9 root      nto            4096 Apr 13  2013 ..
drwx------   2 root      nto            4096 Apr 13  2013 .boot
-rw-rw----   1 root      nto               0 Apr 13  2013 .rootfs
-rw-------   1 root      nto              12 Jun 06 23:26 .rootfs.os.version
-rw-rw----   1 root      nto              12 Apr 13  2013 .rootfs.pps.version
-rw-------   1 root      nto              12 Jun 06 23:26 .rootfs.radio.version
drwxrwx---   5 root      nto            4096 Apr 13  2013 .seed
drwxr-xr-x   4 apps      nto            4096 Jan 16  2013 accounts
lrwxrwxrwx   1 root      nto               9 Jun 10 22:52 air -> /base/air
drwxr-x--x+ 197 apps      nto           12288 Jun 08 14:23 apps
drwxrwxr-x   2 root      nto             480 May 01 04:00 base
lrwxrwxrwx   1 root      nto               9 Jun 10 22:52 bin -> /base/bin
lrwxrwxrwx   1 root      nto              67 Jun 10 22:52 data -> /accounts/1000/appdata/sys.android.gYABgKAOw1czN6neiAT72SGO.ns/data
lrwxrwxrwx   1 root      nto              17 Jun 10 22:52 db -> /accounts/1000/db
drwxr-xr-x   2 root      nto              10 May 01 04:00 dev
drwxrwxr-x   3 root      nto            4096 Dec 04  2012 efs
dr-xr-xr-x   2 root      nto               0 Jun 10 22:52 enterprise
drwxr-xr-x   2 root      nto            4096 Apr 07  2013 etc
dr-xr-xr-x   2 root      nto               0 Jun 10 22:52 fs
lrwxrwxrwx   1 root      nto               9 Jun 10 22:52 lib -> /base/lib
dr-xr-xr-x   2 root      nto               0 Jun 10 22:52 mnt
lrwxrwxrwx   1 root      nto               9 Jun 10 22:52 opt -> /base/opt
drwxrwxr-x+  5 root      nto               0 Jun 06 23:17 pps
dr-xr-xr-x   2 root      nto       978448384 Jun 10 22:52 proc
drwxrwxr-x   2 root      nto             384 Apr 21 02:26 radio
drwxr-x---   2 root      nto            4096 Jun 06 23:12 root
lrwxrwxrwx   1 root      nto              10 Jun 10 22:52 sbin -> /base/sbin
lrwxrwxrwx   1 root      nto              13 Jun 10 22:52 scripts -> /base/scripts
lrwxrwxrwx   1 root      nto              34 Jun 10 22:52 sdcard -> /accounts/1000/shared/misc/android
lrwxrwxrwx   1 root      nto              14 Jun 10 22:52 services -> /base/services
dr-xr-xr-x   2 root      nto               0 Jun 10 22:52 sys
lrwxrwxrwx   1 root      nto              59 Jun 10 22:52 system -> /apps/sys.android.gYABgKAOw1czN6neiAT72SGO.ns/native/system
lrwxr-xr-x   1 root      nto              10 May 01 04:00 tmp -> /dev/shmem
lrwxrwxrwx   1 root      nto               9 Jun 10 22:52 usr -> /base/usr
drwxr-xr-x  62 root      radio          4096 Jun 06 23:22 var

Now I can do more exploring of the QNX system. For now, not much can be done, as the devuser account isn't allowed to do much - this is a development account used for testing purposes. I cannot find a way to SSH into BlackBerry using other accounts, such as root or the default 1000 user.

% ssh -i /home/bubbl/.rim/bbt_id_rsa 1000@ 
Permission denied (publickey,keyboard-interactive).

The thing is that the BlackBerry SSH daemon is not exactly an SSH daemon per se. The device relies on SDK tools and Development Mode. The daemon is launched in the background once the SDK tools are run. Alas, without Development Mode, SSH doesn't work:

Info: Connecting to target 
Info: Authenticating with target 
Error: Connection refused: Development mode is not enabled on the device.

And, without root access there is little chance of implementing an OpenSSH server on the device. So much for extracting any data from applications, or doing much with the QNX terminal. I guess it's because QNX is a commercial, not open-source, Unix platform. For the time being I can run vi on my device though.
