Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
packets through search algorithms specifically designed for a particular chat
client/protocol.
(S) Each search algorithm uses a bulk filter that can quickly identify the packet as chat
protocol. YM is bulk filtered by matching the first four data bytes of the packet to
“YMSG”. AIM is bulk filtered by matching the first data byte of the packet to 0x2A and
the second data byte to <= 0x04. MC is bulk filtered by matching the first ten data bytes
of the packet to “POST /chat”.
(S) If a packet passes the bulk filter for a particular chat algorithm, the algorithm then
parses out potential chat usernames. YM separates each protocol field with the two data
bytes: 0xc0, 0x80. AIM separates each protocol field with a byte indicating the length of
the next field. MC denotes a chat user logging on with the field “nickname=”, followed
by the nickname, and finally the ‘&’ character.
(S) For AIM and YM, each potential user field that is parsed is first checked for a valid
chat user length (AIM >=3 and <= 16 characters; YM >=3 and <= 32). If the field is of
valid length, each byte of the field is then tested to see if it is a valid chat user
character for that protocol. AIM valid characters include any printable ASCII
character. YM valid characters include numbers, letters, dot, and underscore.
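The two-stage check described above (cheap bulk filter on the leading bytes, then per-protocol field parsing and username validity rules), as an added Python reconstruction that is not code from the document or from CB. It is useful to an analyst who wants to see precisely which packets this logic would have accepted, for example when assessing what a device carrying this filter could have exposed. The sample packets are constructed for the example; the 6-byte header skipped before walking AIM's length-prefixed fields is an assumption the document does not state.

```python
import string
from typing import List, Optional, Tuple

# Bulk-filter signatures exactly as the document describes them.
YM_MAGIC = b"YMSG"            # first four data bytes
AIM_MARKER = 0x2A             # first data byte; second data byte must be <= 0x04
MC_MAGIC = b"POST /chat"      # first ten data bytes

YM_FIELD_SEP = b"\xc0\x80"    # YM separates protocol fields with 0xc0 0x80
# Assumption (not in the document): skip a 6-byte AIM header before walking the
# length-prefixed fields; the length-prefix walk itself is as described.
AIM_FIELD_START = 6
# YM usernames: letters, digits, dot and underscore
YM_ALLOWED = frozenset((string.ascii_letters + string.digits + "._").encode())


def bulk_filter(payload: bytes) -> Optional[str]:
    """Return 'YM', 'AIM' or 'MC' when the payload passes that protocol's bulk
    filter, otherwise None. Only the leading bytes are examined, which is what
    makes the filter cheap enough to run on every packet."""
    if payload[:4] == YM_MAGIC:
        return "YM"
    if len(payload) >= 2 and payload[0] == AIM_MARKER and payload[1] <= 0x04:
        return "AIM"
    if payload[:10] == MC_MAGIC:
        return "MC"
    return None


def valid_aim_user(field: bytes) -> bool:
    # 3..16 characters, any printable ASCII (0x20..0x7E)
    return 3 <= len(field) <= 16 and all(0x20 <= b <= 0x7E for b in field)


def valid_ym_user(field: bytes) -> bool:
    # 3..32 characters drawn from the YM allowed set
    return 3 <= len(field) <= 32 and all(b in YM_ALLOWED for b in field)


def ym_fields(payload: bytes) -> List[bytes]:
    # everything after the magic, split on the two-byte separator
    return payload[4:].split(YM_FIELD_SEP)


def aim_fields(payload: bytes) -> List[bytes]:
    # each field is preceded by one byte giving the length of the next field
    fields: List[bytes] = []
    i = AIM_FIELD_START
    while i < len(payload):
        n = payload[i]
        field = payload[i + 1 : i + 1 + n]
        if len(field) < n:        # truncated packet: stop rather than misparse
            break
        fields.append(field)
        i += 1 + n
    return fields


def mc_nickname(payload: bytes) -> Optional[bytes]:
    # a logon is marked by "nickname=", the nickname, then '&'
    key = b"nickname="
    start = payload.find(key)
    if start < 0:
        return None
    start += len(key)
    end = payload.find(b"&", start)
    return payload[start:end] if end >= 0 else None


def extract_chat_users(payload: bytes) -> Tuple[Optional[str], List[str]]:
    """Run the bulk filter, then the protocol-specific parse and validity checks.
    Returns (protocol or None, list of usernames that passed)."""
    proto = bulk_filter(payload)
    if proto == "YM":
        users = [f for f in ym_fields(payload) if valid_ym_user(f)]
    elif proto == "AIM":
        users = [f for f in aim_fields(payload) if valid_aim_user(f)]
    elif proto == "MC":
        nick = mc_nickname(payload)
        users = [nick] if nick else []
    else:
        users = []
    return proto, [u.decode("latin-1") for u in users]


# Constructed sample packets for the example (not captures from the document).
YM_PKT = b"YMSG" + YM_FIELD_SEP.join(
    [b"0", b"alice.smith", b"1", b"bob_99", b"ab", b"bad-name!"]
)
AIM_PKT = (b"\x2a\x01\x00\x01\x00\x00"          # marker, channel 1, assumed header
           + b"\x05alice" + b"\x02hi" + b"\x03a\x01b" + b"\x04bob!")
MC_PKT = b"POST /chat HTTP/1.1\r\nHost: example.invalid\r\n\r\nnickname=carol&room=1"

if __name__ == "__main__":
    for pkt in (YM_PKT, AIM_PKT, MC_PKT, b"GET / HTTP/1.1"):
        print(extract_chat_users(pkt))
```

Note what the validity rules reject: in the YM sample "0", "1" and "ab" fail the length check and "bad-name!" fails the character check; in the AIM sample "hi" is too short and the field containing 0x01 is not printable ASCII. The document gives no length or character rule for MC, so the nickname is returned as found.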
15.5 (S) Image Formation
(S) CB actively maintains an Image Formation tool that builds the CB implant into
firmware images for a range of devices (see Section 6). The list of supported devices is
continually expanding, and currently supported platforms are documented in “Wifi
Devices.xls”. Devices having passed FAT are listed in 6.2.
15.5.1 (U) Device Requirements
As of writing, the following requirements have to be met to support a new device:
1. Must be able to procure the device.
2. Must be able to download/acquire the manufacturer’s original firmware (MOFW)
image.
3. Must have at least ~100 kilobytes of available flash space (i.e., flash that is not
used by the MOFW image). Note that in some cases, processes can be removed
from the MOFW, although one should be wary of 5.2.3.14.
4. Must have at least 500 kilobytes of available RAM (i.e., RAM that is not used by
the MOFW during normal device operation).
5. MOFW must use Linux (including uClinux) or VxWorks as an operating system.
VxWorks support is limited in comparison to Linux.
6. Kernel must be configured with netfilter, Linux routing, and Linux bridging – the
Generic Filter is a netfilter kernel module with hooks into routing and bridging.
7. Kernel must support dynamic module loading – the Generic Filter is a netfilter
kernel module that is dynamically loaded on boot.
8. Must be able to extract, mount, and remake the filesystem from the MOFW.
