Anonymous ID: 0b9fff March 15, 2018, 6:36 p.m. No.679890   >>0070

Weeping Angel Time Research

SECRET // REL US, UK

Time on Smart TV

TV Time

Go to Menu System > Time > Clock to configure/view time displayed anywhere on TV

Auto time pulls time based on timezone and DST

Manual can be used to set time different from timezone

When TV is unplugged on manual, time resets to --:-- and requires configuration

TV Time is not affected and appears unrelated to the System Time

SmartHub pulls time from this setting

Backend (implant side) system time does not match or affect TV time

System Time

The system time resets to Unix Epoch (1 Jan 00:00:00 1970) each time the TV is unplugged

The system time persists when remote is used to turn TV off (in fake-off mode)

date command prints current system time (UTC)

Files created in the file system use the time reported by date as their creation/modification times

 

Files created in /mtd_rwcommon with current (2014) timestamps remain unaltered even when TV resets to Unix Epoch on power cycle

TODO: test implant to ensure timestamps on audio files use same time as reported by date

NTP Syncing

ntpd and rdate (deprecated) are NTP clients included with BusyBox and can fetch time from server but cannot set local system time

Error reported: "settimeofdate: bad address" related to underlying implementation in BusyBox

ntpclient (http:// doolittle.icarus.com/ntpclient/) is an NTP client for unix-alike computer and is a small subset of xntpd (not included in BusyBox)

Recommended by BusyBox in "External Tiny Utilities"

Compiled for Linux on 32-bit build environment. Ran on Virtual Machine to test functionality

Attempted to cross-compile for ARM but got error related to glib version

Found pre-compiled ARM build on SamyGo forums (forums.samygo.tv/download/file.php?id=1248)

 

Ran on TV using:

 

/mtd_rwcommon/ntpclient-arm -s -h pool.ntp.org

Successfully updated system time from Unix Epoch to current time reported by NTP server (uses different method of setting time than BusyBox)

-s flag for simple (implies -c 1) and -h for NTP host

Returns string in format:

<days since 1900> <secs since midnight> <NTP transaction time> <internal server delay> <clock difference bt local and NTP (μS)> <dispersion> <adjtimex frequency (not implemented on ARM)>

Check ntpclient-2010/README and HOWTO for more details on flags and reported strings

HOWTO also has details on measuring and logging systems performance

ntpdate does not exist on the TV or in BusyBox

Syncing with NTP servers changes the System Time but appears to have no effect on TV Time

Clock Drift

Several simple attempts were made to measure the time drift

Started at 15:50:30 UTC on 6 AUG with System Time synced to pool.ntp.org

In approximately 22 hours, the drift on the TV was less than 1 second

No clarity beyond seconds is given by date, so exact ms drift could not be determined

Same time period on Linux laptop yielded 600ms drift

Look into ntpclient's logging and measuring characteristics of hardware clock over period of time

Sync scripts (not started)

Sync time with NTP server on power-on and once? per day

Use non-US related NTP server

mx.pool.ntp.org - Does not currently have enough (1 active) servers in country/time zone

Recommend using north-america.pool.ntp.org (721 active)

Anonymous ID: 0b9fff March 15, 2018, 6:58 p.m. No.680209

TONS OF WEEPING ANGEL CIA IN WL V7

Weeping Angel (Extending) Engineering

SECRET // REL USA,UK

Accomplishments during joint workshop with MI5/BTSS (week of Jun 16, 2014)

Discovered delete and download keyfiles are sensitive to any newline characters.

 

Added feature to periodically re-acquire alsa (audio) device while in Fake-Off mode.

 

Suppress LEDs to improve look of Fake-Off mode.

 

Ported and modified TinyShell to provide shell, command execution, file transfer. This version is known as pshell since its shell functionality is really a wrapper around popen() calls to emulate shell like

 

Received sanitized source code from UK with comms and encryption removed.

 

Factory reset: With TV powered off, enter the following key presses on the remote:

{{MUTE}} 182 {{POWER}}

ToDo / Future Work:

Build a console cable

 

Turn on or leave WiFi turned on in Fake-Off mode

 

Parse unencrypted audio collection

Clean-up the file format of saved audio. Add encryption??

Streaming audio

Video capture / Video snapshots

Samsung offers remote support – is this an area of functionality to investigate?

Is the browser or any default apps vulnerable to MitM attacks?

Disable auto-upgrade by changing the configuration file

Noted Anomalies or Limitations

Updating firmware over internet may remove implant (not tested) or portions of the implant

 

Firmware version 1118+ eliminated the current USB installation method

Blue LED on back remains powered when in Fake-Off mode

 

WiFi interface is disabled in Fake-Off mode

 

In Fake-Off mode, the Samsung and SmartHub logos are not shown.

Development Notes:

Build environment uses Ubuntu 12.10 and g++-4.7 compiler due to dependencies (on DEVLAN, use 10.6.5.73)

 

Current build system references compilers without the version number. To accommodate, create the following symbolic links:

/usr/bin/arm-linux-gnueabi-g++ -> /usr/bin/arm-linux-gnueabi-g++-4.7

/usr/bin/arm-linux-gnueabi-gcc -> /usr/bin/arm-linux-gnueabi

 

start is the same as empDownload

Update/data/files.zip/files contains busybox and dreamhost.

gcc-arm-linux-gnu-abi used to cross compile tools.

Detailed Notes regarding Samsung F8000 Smart TV networking

Installer Notes:

Installation process is similar to a standard Samsung app

 

UEP.b -app killer that checks signatures on installed apps

 

empDownload is replaced by our binary that we need to be executed. The installer backs up the real empDownload and then replaces it with ours. The installer uses the API to initiate a download which then causes our empDownload to execute. After installation, the original empDownload is restored.

 

start -binary is very similar to empDownload. Both initially look for the "block" file which is an encrypted shell script.

 

libt.so -shared object used by UEF.f and injected into one of the main threads to hook several functions of interest

 

dreamhost -telnet server. same as remshd

 

busybox -fully featured version to include an FTP server

 

when Extending starts, it looks for dreamhost and busybox, and if they exist, starts them.

 

System Details:

Some of the primary Samsung applications are exe, exeApp, and exeDSP

Linux 3.0.33 SMP armv71

 

libc-2.14.1

 

/bin - busybox

 

/dtv - temporary directory cleared upon reboot

 

/mtd_swu/stb - SmartHub configuration file (STANDBYDOWNOFF = 0 -turns off automatic updates)

 

/webkit/webbrowser/settings.db - browser sqlite database. may contain credentials.

 

Audio Processing:

During initial development, a rough approximation of bit rates for different audio quality settings was made. Quality 1 settings required 100 kB/minute. Quality 5 settings required 250 kB/minute. Quality 7 settings required 350 kB/min. Quality 5 seemed to provide very nice results and is usually used.

All audio files saved are speex encoded files encapsulated within an Ogg header structure. The Ogg headers are not all properly filled out. All audio files are named fileUVWXYZn where UVWXYZ are random alphanumeric characters and n is a one up counter that starts at 1. It is believed that the 1 up file counter is used to maintain audio sequence information and this explains why some ogg headers appear incorrect or corrupt when speex decoded and the granular time increments have not been set.

A linux bash script named "processAudio.bsh" will process all audio files within the same directory as the script. It concatenates all audio files into one contiguous speex encoded file named speexfile_timeStamp.spx where the timeStamp is pulled from the system time running the script. It subsequently performs speex decoding at a 32000 Hz sampling rate to yield a wave file named processedFile_timeStamp.wav with all speex decoding output placed within the logFile_timeStamp.log file. It then uses aplay to play the processedFile_timeStamp.wav file.

Time and Clock:

View notes Weeping Angel Time Research SECRET

 

SECRET // REL USA,UK
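
The audio notes in the post above describe Speex-in-Ogg files whose page headers are partly unset and which get concatenated before decoding. As an added example (not part of the post or the document it quotes), this Python triage helper walks the Ogg page headers of a recovered file and reports page-sequence breaks and granule positions that do not advance; the helper names and the sample bytes are constructed for illustration.

```python
import struct

# capture pattern, version, flags, granule, serial, page seq, crc, segment count
HEADER = struct.Struct("<4sBBqIIIB")  # 27-byte Ogg page header, little-endian

def iter_pages(data):
    """Yield (offset, granule, serial, seq) for each Ogg page found in data."""
    pos = 0
    while (pos := data.find(b"OggS", pos)) >= 0 and pos + HEADER.size <= len(data):
        _, version, _, granule, serial, seq, _, nsegs = HEADER.unpack_from(data, pos)
        table = data[pos + HEADER.size : pos + HEADER.size + nsegs]
        if version != 0 or len(table) < nsegs:
            pos += 4          # stray "OggS" bytes or truncated page: resync
            continue
        yield pos, granule, serial, seq
        pos += HEADER.size + nsegs + sum(table)   # skip segment table and payload

def triage(data):
    """Return (offset, finding) pairs for sequence breaks and non-advancing granules."""
    findings, last = [], {}
    for off, granule, serial, seq in iter_pages(data):
        if serial in last:
            prev_seq, prev_granule = last[serial]
            if seq != prev_seq + 1:
                findings.append((off, f"page sequence {prev_seq} -> {seq}"))
            elif seq >= 2 and granule <= prev_granule:
                findings.append((off, f"granule not advancing ({granule})"))
        last[serial] = (seq, granule)
    return findings

def make_page(granule, serial, seq, payload):
    """Build a constructed test page (CRC left 0; this triage does not verify it)."""
    assert len(payload) < 255
    return HEADER.pack(b"OggS", 0, 0, granule, serial, seq, 0, 1) + bytes([len(payload)]) + payload

# Constructed sample: two header pages, one good audio page, one audio page with
# the granule left at zero, then a second stream concatenated onto the first.
SAMPLE = b"".join([
    make_page(0, 7, 0, b"Speex   hdr"),
    make_page(0, 7, 1, b"comments"),
    make_page(320, 7, 2, b"\x01" * 40),
    make_page(0, 7, 3, b"\x02" * 40),     # granule position never set
    make_page(0, 7, 0, b"Speex   hdr"),   # next file appended, sequence restarts
])

if __name__ == "__main__":
    for off, msg in triage(SAMPLE):
        print(off, msg)
```
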

Anonymous ID: 0b9fff March 15, 2018, 7:06 p.m. No.680316

>>680070

 

TONS OF WEEPING ANGEL CIA SECRET TESTING, RESEARCH, INSTRUCTIONS, ETC. IN WIKILEAKS VAULT 7

 

https:// wikileaks.org/ciav7p1/cms/page_12353643.html

Anonymous ID: 0b9fff March 15, 2018, 7:20 p.m. No.680508

Rain Maker CIA HACKING & DATA COLLECTION TOOLS

SECRET//20350629

  1. (U) Scope

(U) This document establishes the User Guide for Rain Maker v1.0.

1.1 (U) System Overview and Description

(S) Rain Maker v1.0 is a collection tool intended to be run from removable media. Version 1.0 specifically is designed for use with portable VLC Player (2.1.5). To trigger collection, the user must open up VLC player on the target machine from the removable media. The removable media can appear as either a fixed or removable drive but must be formatted NTFS. Upon opening VLC player, Rain Maker collects a standard survey of the machine (RoadRunner Survey) and a prioritized file collection. A survey will only be taken on any machine if the last survey of the machine is seven days old or older. The collected data is stored back to Alternate Data Streams off of the root of the volume. For example, if the removable media appears as volume E:\, the data is stored in E:\:$DataIdN. Configuration options allow the user to specify a prioritized list of directories from which to collect files (environment variables can be used), a list of extensions to collect, the percentage of drive space to be left free, and the drive to configure/tie the tool to. Upon configuring a piece of removable media, a public/private key pair is generated (the private key is generated in Implant\Deploy as well as in PostProcessor). The private key must/must be kept in order to decrypt the returned data. Also, upon configuring a drive, a “stub” is generated that ties the tool to the drive. The stub, once loaded, decrypts Rain Maker and executes it. This means that if the drive is reformatted or if the portable player is moved to another drive, the actual collection tool will not be decrypted and as a result Rain Maker will not run.

(U) Assumptions and Constraints

(S) We assume that the target places files of interest into the directories we are collecting from. We also assume that the files in the collection directories have the appropriate extensions. It is required that the VLC player be run from the configured removable media. It must run long enough to complete collection. The removable media must be NTFS. VLC player should be exited before unplugging the removable media (a VLC issue).

  1. (U) Applicable Documents

(S) The following documents pertain to this tool. In the event of a conflict between the documents referenced below, the contents of this document will be considered binding.

• Rain Maker v1.0 User Guide.doc (S//NF)

• Rain Maker v1.0 TDR Slides.ppt (S//NF)

• User Guide.txt (U)

SECRET//20350629

 

https:// wikileaks.org/ciav7p1/cms/files/Rain%20Maker%20v1.0%20User%20Guide.doc

Anonymous ID: 0b9fff March 15, 2018, 7:25 p.m. No.680572

When viewing the RAIN MAKER SECRET CIA CYBER COLLECTION TOOLS IN WIKILEAKS VAULT 7, be certain to view the version/release with children missing tag! It's not just for kids boys & girls! Clowns tools!

 


https:// wikileaks.org/ciav7p1/cms/files/Rain%20Maker%20v1.0%20User%20Guide.doc