# Attempting "Cheesecake" Type Dealio - Verizon Variant



## JuggalotusHeat (Jul 20, 2011)

So I got a wild hair up my rectum and am trying to get something going, like samcripp did for the Atrix (http://forum.xda-dev...d.php?t=1254313). This ultimately got the Atrix BL Unlocked, so it's worth a shot.

Me and mmmeff, over on freenode, are doing some packet captures and trying to see where our devices and/or Kies calls to for builds. Granted, this most likely won't give us the dev/staging servers, but it could lead us to a domain or subdomain to get the ball rolling.

Mmmheff, so far, found that his SGS3 (without Kies) was calling to 64.186.176.220:443 pvzwmdm.vzw.motive.com. So it looks like, when it is done from the device, it tries to hit a vzw-maintained area.

I am going to start digging on Kies in a minute here to see what I can find. If anyone would like to join in, go nuts. This is just an idea and hopefully we can get somewhere. Later y'all!








NOTE: Kies will shoot an error stating your device is not supported if you are stock rooted. At least that happened in my case.

_*UPDATE: Apparently another d00d is doing the same thing haha http://fus.nanzen.se*_

Upon further investigation it looks like the fus server is trying to handle everything. This is firmware check, OTA push AND validating whether your device is legit or not. It always hits the same subdomain. I highly doubt Samsung is using one subdomain to do everything. Alek is working on looking at some old scripts to see if we can get a list of files from fus.

I spoke with Jcase earlier and he said he has tried to do the same thing and it ain't happenin. Basically, Moto is the only ones that provide true public facing dev/staging servers. So unless we get into hax0r mode and get inside it ain't happenin. It was worth a try though. Now cross your fingers for the bootloader to be unlocked







Late


----------



## JuggalotusHeat (Jul 20, 2011)

Looks like Kies will tell your device to go pound sand if you are stock rooted. I will factory tonight and see what I can find.


----------



## nbsdx (Jul 6, 2011)

I don't know if it's relevant or not, but when I do:

```
telnet 64.186.176.220 443
```
it just times out. Same for

```
telnet pvzwmdm.vzw.motive.com 443
```
but it recognizes that the IP for pvzwmdm.vzw.motive.com is 64.186.176.220. So as far as I can tell that port is closed.

```
telnet: connect to address 64.186.176.220: Connection timed out
```
(This is from a Linux box, btw)

Edit: 
Upon closer inspection it seems that the ports on that address are marked filtered, and I'm assuming that they're marked to drop packets that aren't from a phone.


----------



## JuggalotusHeat (Jul 20, 2011)

nbsdx said:


> I don't know if it's relevant or not, but when I do:
> 
> ```
> telnet 64.186.176.220 443
> ```
> ...


cool cool, thanks. I will be trying out Kies tonight and throw some info in here.


----------



## ddggttff3 (Oct 11, 2011)

Have you tried doing this from connectbot on the device when on vzw's network? Might be set to only be accessible from their wireless network.


----------



## nbsdx (Jul 6, 2011)

I'm at work now, I should be home in a couple hours and if I remember I'll do some more digging. (I don't have adb installed here, otherwise I would haha)


----------



## ddggttff3 (Oct 11, 2011)

I tried and it successfully connects, but has no input/output. There must be arguments with it, or it's HTTP-based on that port with arguments. I may do some packet sniffing later myself when I'm done working this summer at college (2 weeks or so)


----------



## nbsdx (Jul 6, 2011)

Port 443 is HTTPS. Are you using telnet by ClockworkMod? I just ran that and got a similar result. I'm guessing there are args that are associated with it. But depending on where that check is made it will make it very difficult to fake. If this works though, we can just spoof the args and boom


----------



## nbsdx (Jul 6, 2011)

First off, Sorry for double post.

Secondly, I may have goofed - I forgot that my shell environment is screwed up here, and it won't accept the proxy that I gave it. I'll redo those tests when I get home.

EDIT:
OK so, I goofed. Telnet will work from a Linux box at least, but you get kicked after sending it failed messages I think? I'm not exactly sure right now.


----------



## alekm (Jul 12, 2012)

If you HTTP to the IP, you get automatically redirected to HTTPS. There is an application layer firewall that is probably checking for a user agent, but I have yet to find one that works.

When I load it on my gnex, I get a JBoss error.

It looks like the phone only does a PUT on that site and gets a return. I would love it if someone could send me a pcap of the phone contacting it so I could check it out.


----------



## alekm (Jul 12, 2012)

The cert is for 4g.vzwdm.com, btw. That is what the phone calls directly.

I just need to see the PUT string from the phone so I can try to replicate the conversation.


----------



## nbsdx (Jul 6, 2011)

alekm said:


> It looks like the phone only does a put on that site and gets a return. I would love it if someone could send me a pcap of the phone contacting it so I could check it out.


If you tell me what to do I can take one.


----------



## JuggalotusHeat (Jul 20, 2011)

Just went back to stock via Odin and Kies checks into neofussvr.sslcs.cdngc.net. Problem right now is it is HTTPS. Time for more digging


----------

