Comments on: Diagnose OTAP problems http://florent.clairambault.fr/diagnose-otap-problems?utm_source=rss&utm_medium=rss&utm_campaign=diagnose-otap-problems Wed, 28 Dec 2011 17:34:59 +0000 hourly 1 http://wordpress.org/?v=3.4-alpha-19719 By: Florent Clairambault http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-7797 Florent Clairambault Sun, 25 Dec 2011 16:05:30 +0000 http://florent.clairambault.fr/?p=659#comment-7797 Yes, you're right. If you have access to one chip that shows the OTAP password and the other parameters (like the server name) are left unconfigured, you could update the program of all the chips. In the real world, I don't think that should be an issue. Because you still have to guess all the numbers, the correct APN settings and hope that nobody finds out what you did. Because I think it's clearly considered as hacking a system. One way of securing your chip could be to define an OTAP SMS password depending on a secret key and the IMEI. In PHP code this would look like this "$otapSmsPass = substr( md5( $key.'-'.$imei), 0, 8)". But the real solution, is to create deploy a certificate on the chip and sign all the produced code with it. This is the best way to create a really secure product but it takes a little bit of time. I think the real risk around OTAP is to get the program that runs the chip. Because reproducing the hardware is quite easy but running a successful software can be quite tricky, if you can steal it, you can save a lot of time. If the program is correctly built, you might just have few days of reverse-engineering and refactoring to do. As the TC65 programs usually do mostly AT Command and API calls, it's quite easy to do. Yes, you’re right. If you have access to one chip that shows the OTAP password and the other parameters (like the server name) are left unconfigured, you could update the program of all the chips.

In the real world, I don’t think that should be an issue. Because you still have to guess all the numbers, the correct APN settings and hope that nobody finds out what you did. Because I think it’s clearly considered as hacking a system.

One way of securing your chip could be to define an OTAP SMS password depending on a secret key and the IMEI. In PHP code this would look like this “$otapSmsPass = substr( md5( $key.’-’.$imei), 0, 8)”.

But the real solution, is to create deploy a certificate on the chip and sign all the produced code with it. This is the best way to create a really secure product but it takes a little bit of time.

I think the real risk around OTAP is to get the program that runs the chip. Because reproducing the hardware is quite easy but running a successful software can be quite tricky, if you can steal it, you can save a lot of time. If the program is correctly built, you might just have few days of reverse-engineering and refactoring to do. As the TC65 programs usually do mostly AT Command and API calls, it’s quite easy to do.

]]> By: Christian http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-7793 Christian Fri, 23 Dec 2011 07:39:58 +0000 http://florent.clairambault.fr/?p=659#comment-7793 Is it possible to read the OTAP password from the TC65 with AT^SJOTAP command? If so, any ideas how to improve security so that people who have the chip in hand cannot get the OTAP password from it? Is it possible to read the OTAP password from the TC65 with AT^SJOTAP command? If so, any ideas how to improve security so that people who have the chip in hand cannot get the OTAP password from it?

]]> By: Kiran Kumar D http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-6526 Kiran Kumar D Mon, 08 Aug 2011 05:13:29 +0000 http://florent.clairambault.fr/?p=659#comment-6526 Yes it should be a:/otap, But am not finding any files in a:/otap folder. Yes it should be a:/otap, But am not finding any files in a:/otap folder.

]]> By: Florent Clairambault http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-6525 Florent Clairambault Sat, 06 Aug 2011 22:24:43 +0000 http://florent.clairambault.fr/?p=659#comment-6525 According to your jad file, it should be downloaded in a:/otap. I'm not interested in offering some personnal support. I answer questions on my blog or in the <a href="https://groups.google.com/forum/m/#!forum/javacint" rel="nofollow">javacint group</a> (best place to ask questions) or work with clients. According to your jad file, it should be downloaded in a:/otap.

I’m not interested in offering some personnal support. I answer questions on my blog or in the javacint group (best place to ask questions) or work with clients.

]]> By: Kiran Kumar D http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-6524 Kiran Kumar D Sat, 06 Aug 2011 12:54:05 +0000 http://florent.clairambault.fr/?p=659#comment-6524 [OTAP] no sms PID check: 0 [OTAP] Try to establish a GPRS connection ... [OTAP] GPRS connection established. [OTAP] Try to get http://121.242.113.225/TC65/TestAt.jar ... [OTAP] Connected. [OTAP] Transfer finished. [OTAP] JAM status: 900 Success. [OTAP] Reboot now. Still am unable to find the Jar and JAD files on A:/ (i.e) On Module. what will be the problem KIran [OTAP] no sms PID check: 0
[OTAP] Try to establish a GPRS connection …
[OTAP] GPRS connection established.
[OTAP] Try to get http://121.242.113.225/TC65/TestAt.jar
[OTAP] Connected.
[OTAP] Transfer finished.
[OTAP] JAM status: 900 Success.
[OTAP] Reboot now.

Still am unable to find the Jar and JAD files on A:/ (i.e) On Module.
what will be the problem

KIran

]]> By: Kiran Kumar D http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-6523 Kiran Kumar D Sat, 06 Aug 2011 08:50:56 +0000 http://florent.clairambault.fr/?p=659#comment-6523 HI Florent Clairambault, Thanks. but how can i change and where can i change this, am using Eclipse IDE can i know your skype id/gmail/Yahoo id to chat? Kiran HI Florent Clairambault,
Thanks. but how can i change and where can i change this, am using Eclipse IDE

can i know your skype id/gmail/Yahoo id to chat?

Kiran

]]> By: Florent Clairambault http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-6522 Florent Clairambault Sat, 06 Aug 2011 07:16:30 +0000 http://florent.clairambault.fr/?p=659#comment-6522 In your JAR file, Midlet URL line is: MIDlet-Jar-URL: TestAt.jar It should be: http://121.242.113.225/TC65/TestAt.jar In your JAR file, Midlet URL line is:
MIDlet-Jar-URL: TestAt.jar

It should be:
http://121.242.113.225/TC65/TestAt.jar

]]> By: Kiran Kumar D http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-6521 Kiran Kumar D Sat, 06 Aug 2011 07:02:32 +0000 http://florent.clairambault.fr/?p=659#comment-6521 t^scfg=Trace/Syslog/OTAP,1 SYSLOG ENABLED [OTAP] Short message: OTAP_IMPNG PWD:kiran BEARER:GPRS APNORNUM:AIRTELGPRS.COM JADUR L:HTTP://121.242.113.225/TC65/TestAt.jar APPDIR:a:/otap START:INSTALL [OTAP] SM ID found [OTAP] FILEURL = HTTP://121.242.1 [OTAP] APPDIR = a:/otap [OTAP] BEARER = GPRS [OTAP] APNORNUM = AIRTELGPRS.COM [OTAP] START = install [OTAP] Parameters set per AT command: [OTAP] JAD File URL: http://121.242.113.225/TC65/TestAt.jad [OTAP] App Dir: a: [OTAP] Bearer: GPRS [OTAP] Apn Or Num: airtelgprs.com [OTAP] Net User: [OTAP] Net Pwd: [OTAP] SM Pwd: kiran [OTAP] no sms PID check: 0 [OTAP] Parameters for current procedure: [OTAP] JAD File URL: http://121.242.113.225/TC65/TestAt.jad [OTAP] App Dir a: [OTAP] Http User: [OTAP] Http Pwd: [OTAP] Bearer: GPRS [OTAP] Apn Or Num: airtelgprs.com [OTAP] Net User: [OTAP] Net Pwd: [OTAP] Dns: 0.0.0.0 [OTAP] Notify URL: [OTAP] no sms PID check: 0 [OTAP] Try to establish a GPRS connection ... [OTAP] GPRS connection established. [OTAP] Try to get http://121.242.113.225/TC65/TestAt.jad ... [OTAP] Connected. [OTAP] Transfer finished. [OTAP] Try to get TestAt.jar ... [OTAP] Reboot now. [OTAP] ERROR: HTTP configuration! What this mean. where is he problem. ERROR:HTTP Configuration??? Kiran t^scfg=Trace/Syslog/OTAP,1
SYSLOG ENABLED

[OTAP] Short message: OTAP_IMPNG
PWD:kiran
BEARER:GPRS
APNORNUM:AIRTELGPRS.COM
JADUR L:HTTP://121.242.113.225/TC65/TestAt.jar
APPDIR:a:/otap
START:INSTALL

[OTAP] SM ID found
[OTAP] FILEURL = HTTP://121.242.1
[OTAP] APPDIR = a:/otap
[OTAP] BEARER = GPRS
[OTAP] APNORNUM = AIRTELGPRS.COM
[OTAP] START = install
[OTAP] Parameters set per AT command:
[OTAP] JAD File URL: http://121.242.113.225/TC65/TestAt.jad
[OTAP] App Dir: a:
[OTAP] Bearer: GPRS
[OTAP] Apn Or Num: airtelgprs.com
[OTAP] Net User:
[OTAP] Net Pwd:
[OTAP] SM Pwd: kiran
[OTAP] no sms PID check: 0
[OTAP] Parameters for current procedure:
[OTAP] JAD File URL: http://121.242.113.225/TC65/TestAt.jad
[OTAP] App Dir a:
[OTAP] Http User:
[OTAP] Http Pwd:
[OTAP] Bearer: GPRS
[OTAP] Apn Or Num: airtelgprs.com
[OTAP] Net User:
[OTAP] Net Pwd:
[OTAP] Dns: 0.0.0.0
[OTAP] Notify URL:
[OTAP] no sms PID check: 0
[OTAP] Try to establish a GPRS connection …
[OTAP] GPRS connection established.
[OTAP] Try to get http://121.242.113.225/TC65/TestAt.jad
[OTAP] Connected.
[OTAP] Transfer finished.
[OTAP] Try to get TestAt.jar …
[OTAP] Reboot now.
[OTAP] ERROR: HTTP configuration!

What this mean. where is he problem. ERROR:HTTP Configuration???

Kiran

]]> By: jj http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-4668 jj Fri, 04 Feb 2011 07:57:11 +0000 http://florent.clairambault.fr/?p=659#comment-4668 We don't setup any password in the module This is the strange! We don’t setup any password in the module

This is the strange!

]]> By: Florent Clairambault http://florent.clairambault.fr/diagnose-otap-problems/comment-page-1#comment-4667 Florent Clairambault Fri, 04 Feb 2011 07:50:22 +0000 http://florent.clairambault.fr/?p=659#comment-4667 Well, passwords do not match. It could be that you set one on the chip and did not specify it in your SMS. Well, passwords do not match. It could be that you set one on the chip and did not specify it in your SMS.

]]>