THIS IS ONLY FOR EDUCATION PURPOSES

This small project was inspired by a Gotham Digital Science article published on June 19, 2014.

Project goal :

BYPASS FINGERPRINT AUTHENTICATION ON ANY ROOTED SAMSUNG GALAXY S5 WHEN ALTERNATE PASSWORD AUTHENTICATION IS AVAILABLE, WITHOUT KNOWING THE PASSWORD ( CERTAIN CONDITIONS SHOULD BE MET ).

The strategy :

Use system level hooking with Cydia Substrate.

Activities :

  1. Identify the Fingerprint service APK & reverse engineer it.
  2. Identify the functions responsible for alternative password authentication. 
  3. Implement the Override authentication function at run time.

Assumptions :

  1. The device is rooted.
  2. The device has Cydia Substrate.
  3. You are able to run the application on the device.

1. Identify the Fingerprint service APK & reverse engineer it.

  1.1 Download the APK to your computer.
  1.2 Decompile the APK.
    1.2.1 Extract all the files from the APK using “Archive Manager”.
    1.2.2 Decompile the DEX file using Dex2jar.
    1.2.3 Decompile the JAR file with JD.

2. Identify the functions responsible for alternative password authentication.

There are two ways to do this: either search class by class, hunting for functions with a name that may indicate the action we are looking for, or understand the SDK API. By downloading the Samsung Galaxy S5 Pass SDK and reading the authentication example, it is possible to identify the required interfaces; mapping them to the implementing classes, we land in the class com.samsung.android.fingerprint.service.FingerprintManagerService. This class has an interesting method, public boolean verifyPassword(IBinder paramIBinder, String paramString, boolean paramBoolean). In verifyPassword there is a call, return this.mLockPatternUtils.checkFingerprintPassword(paramString);, where mLockPatternUtils is an instance of com.android.internal.widget.LockPatternUtils, AND THIS IS THE CLASS WE WILL LOAD AT RUN TIME TO REPLACE ITS FUNCTION.

So our function is Boolean checkFingerprintPassword(String), located at com.android.internal.widget.LockPatternUtils.

3. Implement the Override authentication function at run time.

Please take a look at the Cydia Substrate web site or the GDS article for information about how to use Cydia; I will explain here only the core implementation.

– Start point

1- Check if we have root access

2- Check if Substrate is linked; if so, unlink

3- Link Substrate

4- Restart the device. When the device turns on again, Substrate will be on and updated with our new hook.

– When the device turns on, Substrate will run the function initialize.

– Where FPHookInformation.className provides the class we are targeting and FPClassLoader is an instance of ClassLoadHook, a class that provides the interception mechanism for loading the class we are targeting at run time.

– The function is going to be replaced with FPMethodProxy.

Finally, whatever password we enter will be accepted.

CONCLUSION:

IT IS HIGHLY RECOMMENDED TO AVOID ROOTING ANY DEVICE THAT MAY CONTAIN SENSITIVE DATA, AND TO ALWAYS FOLLOW RECOMMENDED SECURITY MEASURES TO AVOID ANY MALWARE OR DATA LOSS.

When we root a device we are breaking the security model built by the manufacturers to provide the integrity and security of the device. If we don’t implement the security measures needed to protect a rooted device, any malicious actor could use it to his advantage, allowing him to gain unauthorized physical access, steal data remotely or simply destroy the device completely. This project demonstrated how to bypass the authentication mechanism built to secure physical access to a Samsung cell phone (Galaxy S5), but the same technique could be used on other devices and for other purposes, such as STEALING THE USER'S FINGERPRINT.

   

TO-DO :

1- Embed substrate in the same application so we install it when it is run

2- Disable SuperSU  ( IF INSTALLED )

3- Intercept fingerprint recognition itself 

4- Substitute The activity with a hidden service

 

Download source code : GITHUB ChaddyHV

This may help in some way the process of debugging and developing a GCC PLUGIN 

#Needed Information
PROJECT_NAME=Name
PROJECT_WSPACE=Work space Path
GCC_SRC_NAME=Plugin Src File Name

#Needed Paths
GCC_LIB_PATH=GCC HEADER PATH

GCC_PLUGIN_SO_PATH=$(PROJECT_WSPACE)/$(PROJECT_NAME)/x_plugin
GCC_TEST_RESULT_PATH=$(PROJECT_WSPACE)/$(PROJECT_NAME)/x_results
GCC_TEST_TREES_PATH=$(GCC_TEST_RESULT_PATH)/x_trees/

# Test Information
GCC_INJECT_PATH=$(PROJECT_WSPACE)/$(PROJECT_NAME)/x_inject
GCC_INJECT_CASE=Test Case File Name

compilingPlugin:
# Create the plugin #
	gcc -I $(GCC_LIB_PATH) -shared -fPIC -O2 $(GCC_SRC_NAME).c -o $(GCC_PLUGIN_SO_PATH)/$(GCC_SRC_NAME).so
# Execute with input test
	gcc -fdump-tree-all -fplugin=$(GCC_PLUGIN_SO_PATH)/$(GCC_SRC_NAME).so $(GCC_INJECT_PATH)/$(GCC_INJECT_CASE).c -o $(GCC_TEST_RESULT_PATH)/$(GCC_INJECT_CASE)
#
# Move tree information
#
	mv case_* $(GCC_TEST_TREES_PATH)

clean:
# Clean all paths #
	if test -d $(GCC_PLUGIN_SO_PATH) ; then rm -f -r $(GCC_PLUGIN_SO_PATH) ;fi
	if test -d $(GCC_TEST_RESULT_PATH); then rm -f -r $(GCC_TEST_RESULT_PATH) ;fi
# Make paths #
	if ! test -d $(GCC_PLUGIN_SO_PATH); then mkdir $(GCC_PLUGIN_SO_PATH) ;fi
	if ! test -d $(GCC_TEST_RESULT_PATH); then mkdir $(GCC_TEST_RESULT_PATH) ;fi
	if ! test -d $(GCC_TEST_TREES_PATH); then mkdir $(GCC_TEST_TREES_PATH) ;fi
	if ! test -d $(GCC_INJECT_PATH); then mkdir $(GCC_INJECT_PATH) ;fi

An Example

#Needed Information
PROJECT_NAME=framework_poc
PROJECT_WSPACE=/str/uniRepo/thesisGCC/appGCC
GCC_SRC_NAME=plugin_poc

#Needed Paths
GCC_LIB_PATH=/usr/lib/gcc/x86_64-linux-gnu/4.7/plugin/include/

GCC_PLUGIN_SO_PATH=$(PROJECT_WSPACE)/$(PROJECT_NAME)/x_plugin
GCC_TEST_RESULT_PATH=$(PROJECT_WSPACE)/$(PROJECT_NAME)/x_results
GCC_TEST_TREES_PATH=$(GCC_TEST_RESULT_PATH)/x_trees/

# Test Information
GCC_INJECT_PATH=$(PROJECT_WSPACE)/$(PROJECT_NAME)/x_inject
GCC_INJECT_CASE=case_1

 

compilingPlugin:
# Create the plugin #
	gcc -I $(GCC_LIB_PATH) -shared -fPIC -O2 $(GCC_SRC_NAME).c -o $(GCC_PLUGIN_SO_PATH)/$(GCC_SRC_NAME).so
# Execute with input test
	gcc -fdump-tree-all -fplugin=$(GCC_PLUGIN_SO_PATH)/$(GCC_SRC_NAME).so $(GCC_INJECT_PATH)/$(GCC_INJECT_CASE).c -o $(GCC_TEST_RESULT_PATH)/$(GCC_INJECT_CASE)
#
# Move tree information
#
	mv case_* $(GCC_TEST_TREES_PATH)

clean:
# Clean all paths #
	if test -d $(GCC_PLUGIN_SO_PATH) ; then rm -f -r $(GCC_PLUGIN_SO_PATH) ;fi
	if test -d $(GCC_TEST_RESULT_PATH); then rm -f -r $(GCC_TEST_RESULT_PATH) ;fi
# Make paths #
	if ! test -d $(GCC_PLUGIN_SO_PATH); then mkdir $(GCC_PLUGIN_SO_PATH) ;fi
	if ! test -d $(GCC_TEST_RESULT_PATH); then mkdir $(GCC_TEST_RESULT_PATH) ;fi
	if ! test -d $(GCC_TEST_TREES_PATH); then mkdir $(GCC_TEST_TREES_PATH) ;fi
	if ! test -d $(GCC_INJECT_PATH); then mkdir $(GCC_INJECT_PATH) ;fi

 

I started working on my thesis, “A compiler-based infrastructure for software-protection”. When I was researching the state of the art, one of the things I was looking for was online compiler services. As I guessed, there are lots of them: Google shows 14,000,000 results for the keyword “Online Compiler”.

Let's say 2% are really what we are looking for; this makes 280000 web sites offering this service, ignoring the online IDE services even if those probably work in the same architectural way. The thing that really caught my attention was how these sites secure themselves from command injection attack vectors.

Let's say this is the general architecture:

[Figure: General online compiler]

Let's say it should work like this:

1- The user uploads the code or writes it in the interface

2- The service logic receives the compilation request,

2.1 sanitizes the parameters and file name

2.2 requests the compilation from the model

3- The model creates a new ( remote or local ) process thread that triggers the compiler with the code and requested parameters

3.1 The model reads warnings and errors

IF there are no errors

3.1.1 move the compiled object to a boxed environment

3.1.2 execute the compiled object in the boxed environment

3.1.3 read the execution output stream

3.1.4 move the compiled code to a public place, allowing a download option

3.1.5 remove the compiled code and clean the session space in the boxed environment

4- The errors, warnings and result are propagated backward to the user interface

4.1 the result is sanitized

I think that using these pseudo steps we can mitigate a lot of risk and offer a good quality service, but it turns out that more than 90% of the analyzed web sites ( I analyzed 20 ) lack or badly implement steps 2.1, 3.1.1, 3.1.2, 3.1.5 and 4.1, or don’t even follow any security consideration.
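One way to implement steps 2.1, 3 and 4.1 of the list above, as an added example (not code from the original post or from any of the analyzed sites). The allowlisted flags, the gcc invocation, the limits and all function names are assumptions chosen for illustration.

```python
import html
import re
import resource
import subprocess
import tempfile
from pathlib import Path

# Step 2.1: allowlists. Anything not listed is rejected, never "cleaned up".
FILENAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}\.c")
ALLOWED_FLAGS = {"-O0", "-O2", "-Wall", "-Wextra", "-std=c99", "-std=c11"}
MAX_OUTPUT = 4096  # characters of compiler output returned to the user


class RejectedRequest(ValueError):
    """Raised when a file name or compiler flag is not on the allowlist."""


def build_argv(filename, flags):
    """Validate the request and return an argv list (no shell is involved)."""
    if not FILENAME_RE.fullmatch(filename):
        raise RejectedRequest("bad file name")
    for flag in flags:
        # Rejects options that load code or choose paths (-fplugin=, -o, ...).
        if flag not in ALLOWED_FLAGS:
            raise RejectedRequest("flag not allowed: %r" % flag)
    return ["gcc", *flags, "-c", filename, "-o", "out.o"]


def sanitize_output(raw, workdir):
    """Step 4.1: hide server paths, cap the size, HTML-escape for the UI."""
    text = raw.decode("utf-8", errors="replace")
    text = text.replace(str(workdir), "<workdir>")
    return html.escape(text[:MAX_OUTPUT])


def _limits():
    # Runs in the child before exec: cap CPU seconds and written file size.
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))
    resource.setrlimit(resource.RLIMIT_FSIZE, (8 << 20, 8 << 20))


def compile_request(source, filename, flags):
    """Step 3: compile in a throwaway directory; returns (ok, diagnostics)."""
    argv = build_argv(filename, flags)
    with tempfile.TemporaryDirectory() as tmp:  # step 3.1.5: removed on exit
        workdir = Path(tmp)
        (workdir / filename).write_text(source)
        try:
            proc = subprocess.run(
                argv, cwd=workdir, capture_output=True, timeout=10,
                env={"PATH": "/usr/bin:/bin"}, preexec_fn=_limits)
        except subprocess.TimeoutExpired:
            return False, "compilation timed out"
        return proc.returncode == 0, sanitize_output(proc.stderr, workdir)


if __name__ == "__main__":
    # Constructed request: a valid file name with an option that is not allowed.
    try:
        build_argv("case_1.c", ["-fplugin=/tmp/x.so"])
    except RejectedRequest as exc:
        print("rejected:", exc)
```

Validation does not replace isolation: the compiler process reads files on behalf of the submitted source, so it belongs inside the boxed environment of steps 3.1.1 and 3.1.2 as well.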

As an example, this is the first result of the search on Google using the keywords “online compiler”:

1- http://compileonline.com/

Languages: supports a lot of languages, from C .. CSS
Page Rank: 2
Owner: Mohammad Mohtashim

Attacks : From command injection to XSS

Sample attack vector

The web site offers a shell interpreter in an uncontrolled environment, so it wasn’t difficult to do the following:

– Browsing the OS path

– Gathering information about the system

– Executing an XSS attack

– Gathering /etc/passwd

2- http://ideone.com/

Languages: supports a lot of languages, from C .. CSS
Page Rank: 5
Owner: Idonea

Attacks : Command injection

Sample attack vector

The web site offers a shell interpreter in a CONTROLLED environment, but command injection can be done.

– Browsing the OS path

– From shell code, the permission policy disallows this kind of injection

BUT if we compile a file, we can see that the policy applied to the execution account is different

– Gathering information about the system

– Gathering /etc/passwd

In all of the examples we are able to inject a reverse shell and have more flexible control over the systems; we can even exploit some kernel vulnerabilities to get root. I highly recommend that the owners review the architecture and security policy of their implementation.

Conclusion

1- Such a service should be well architected

2- Serious security considerations have to be made and tested before deployment

3- A sanitization process should be placed in the incoming and outgoing flows

4- Sandboxing is a must in this kind of project

I was browsing my FB account and I saw myself reading this comment posted by Mohammad Hammada about the last post of https://www.facebook.com/WWW.RTV.GOV.SY?

خاص بلفضائية السورية means “Private to the general organization of radio and TV in Syria”.

The post claimed to disclose a list of killers' names related to a massacre in Syria and a bunch of pictures ( I don’t usually follow such posts or enter into political debates ), but the interesting part was the reply of the people: “Be careful there is a malware inside”. I downloaded the file from http://www.mediafire.com; it was 239.29 KB !! ( First thought: how many pictures are there ? )

In the RAR there were 5 JPGs ( real pictures; I will not post them here due to strong content ) and one file called _1194cds62rcs.txt. It was easy to notice that the .txt wasn’t a real text file: if you take a look at the TYPE column in the RAR you will see “unknown” written. I extracted all of them after making sure there was no autorun after extraction.

So, as we knew from the beginning, it is not a text file; it's an executable developed in .NET targeting MS Windows. Let's go further and try to see what else we can get about this file.

1- Using http://www.virustotal.com/

The file is detected as a virus by 7 major AV solutions, so let's do a static and dynamic analysis.

+ Result of static analysis

1- We got the real entry point and the version of the .NET Framework used to develop the malware.

// Entry point: mc.Main

// Architecture: x86

// Runtime: .NET 2.0

2- The dependency

// dmcl40 // kernel32.dll // rpcrt4 // urlmon // netapi32 // difxapi // opengl32 // odbc32 // ole32

// crypt32 // hhctrl // winfax // odbccp32 // iprop // faultrep // mpr // winusb // irprops // dbghelp

// credui // mscorsn // comctl32 // hid // dnsapi

3- The malware is obfuscated and encrypted; it detects the presence of debuggers and task managers.

I reversed the code and made a small script to decrypt it and pull out more information.

As a result from the script:

– It detects the presence of

  • OllyDBg
  • SbieCtrl
  • mbam
  • taskmgr
  • HijackThis
  • Virtual PC
  • TEMemoryScanner

– Stores itself as cvtres.exe

– Uses Kernel32 and ntdll to create a new process

– Queries and manipulates dozens of registry keys

– Queries a name server and communicates ( I will soon disclose the information I can gather from the command center )

– Puts itself at start-up

The creator put a lot of effort into the process of obfuscation and encryption.

This group is the official Facebook group of http://www.rtv.gov.sy/ .

Site: http://www.rtv.gov.sy
Netblock Owner: 190 Internet Service Provider
Domain: gov.sy
Nameserver: ns1.tld.sy
IP address: 82.137.248.19
DNS admin: dns@tld.sy
IPv6 address: Not Present
Reverse DNS: unknown
Domain registrar: unknown
Nameserver organisation: unknown
Organisation: unknown
Hosting company: net.sy
Top Level Domain: Syria (.sy)
DNS Security Extensions: unknown
Hosting country: SY

Netblock owner | IP address | OS | Web server | Last changed
190 Internet Service Provider | 82.137.248.19 | Windows Server 2008 | Microsoft-IIS/7.5 | 2-May-2013

A governmental page with a high page rank on Google.

There are two hypotheses:

1- This is really done by the government

2- Someone hacked into the account and did it

But if the Syrian gov is spreading malware using Facebook pages, I couldn’t imagine how many exploits they are launching through the web site itself. This looks like a science fiction movie, but the reality is that we are facing a time where cyberspace is the battlefield. I hope this can serve as an alert message to everyone: be careful when you are wired, and don’t trust AV solutions only.

===== Update 14,2013 at 4:51

The Syrian official web site http://www.rtv.gov.sy/ recognized losing the Facebook page: http://www.rtv.gov.sy/index.php?d=21&id=122915

Intro To x86

Posted: June 13, 2013 in Programming

Intro to Intel X86

The first thing we should know is that x86 is a microprocessor, and the X represents a number in the family of 86. The main components you should be aware of are:

1- How RAM works with the OS.

2- The processor itself 😀, which tells you what architecture you are working with.

– Data Type

Length ( bits )      Intel – ASM     C
8 ( Bytes )          BYTE            Char
16 ( 2 Bytes )       Word            Short
32 ( 4 Bytes )       Double word     Int / long
128 ( 16 Bytes )     Quad word       Double / long long

– Representation

Decimal ( base 10 )   Binary ( base 2 )   Hex ( base 16 )
0                     0000b               0x00
1                     0001b               0x01
2                     0010b               0x02
3                     0011b               0x03
4                     0100b               0x04
5                     0101b               0x05
6                     0110b               0x06
7                     0111b               0x07
8                     1000b               0x08
9                     1001b               0x09
10                    1010b               0x0A
11                    1011b               0x0B
12                    1100b               0x0C
13                    1101b               0x0D
14                    1110b               0x0E
15                    1111b               0x0F

So how do we represent negative numbers?

1- Flip the bits: one → zero, zero → one

2- Add 1 to the flipped representation

Number               Ones’ Comp.          Two’s Comp. ( Negative )
0000-0001b : 0x01    1111-1110b : 0xFE    1111-1111b : 0xFF : -1
0000-0100b : 0x04    1111-1011b : 0xFB    1111-1100b : 0xFC : -4

What kinds of architecture are there?

1- CISC, Complex Instruction Set Computer { Intel }

– Its main characteristic is the huge number of special purpose instructions

– Instruction length is variable, between 1 and 16 bytes long

2- RISC, Reduced Instruction Set Computer { PowerPC, ARM, SPARC, MIPS }

– Built upon a small set of instructions

– Typically has more registers than CISC

In both of the previous architectures they should find a way to map the bytes to the RAM, and there are two ways to do that ( Little endian, Big endian ).

Little endian : you store the least significant bytes first, 0x12345678 → 0x78563412

Big endian : you store the most significant bytes first, 0x12345678 → 0x12345678

Intel is little endian, but network traffic, for example, is big endian. Other architectures ( like ARM, SPARC, MIPS ) use big endian too, or can be configured as little endian.

Very important : endianness operations are at byte level.

– Registers

Registers are small boxes of memory in the CPU; some are for general purpose use and others have very important specific uses.

In the Intel architecture, we have 8 registers and the instruction pointer register.

On x86-32 the registers are 32 bits in size

On x86-64 the registers are 64 bits in size

1- EBX ( Base pointer to the data section ) shorter form ( BX )

2- ECX ( It's used as a counter ) shorter form ( CX )

3- EAX ( Stores function return values ) shorter form ( AX )

4- EDX ( I / O pointer ) shorter form ( DX )

5- ESI ( Index source of data ) shorter form ( SI )

6- EDI ( Destination index ) shorter form ( DI )

7- EBP ( Stack base frame pointer ) shorter form ( BP )

8- ESP ( Stack pointer ) shorter form ( SP )

– EFLAGS ( This register contains several sub-registers, each of 1 bit, and each represents something )

ZF : Set to zero if the instruction result is 0

SF : The sign flag is set to 1 if the most significant bit is 1. We can use this flag to see whether the value is positive or negative.

– EIP ( Instruction Pointer )

– Conventions

Caller-save registers : eax, edx, ecx

If the caller has anything in these registers, he is responsible for saving the register data before calling and restoring the data after calling. That's because the callee is highly likely to use these registers.

Callee-save registers : edx, esi, edi, ebx, ebp

If the callee needs to change any registers other than the ones saved by the caller, he is responsible for storing the values and restoring them.

– Calling Convention

– C declaration : ( cdecl )

1. Parameters are saved onto the stack from right to left

push x

2. Save the stack base pointer

push ebp

3. Create a new stack frame

mov ebp, esp

4. The return value is stored in eax or edx:eax

5. The caller is responsible for cleaning up the stack

mov esp, ebp

pop ebp

“ IN SUMMARY : CALLER CALLS AND CALLER CLEANS UP “

How the call instruction works

The only instruction that makes a jump to some location in the code and injects the mechanism to go back is the call.

The call instruction sets the EIP to the address it's going to execute, but before that, it pushes the address of the next instruction ( the one after the call ) onto the stack, allowing the return mechanism by using the “RET” instruction in the callee function.

Hi PPL, recently I bought a HUAWEI HILINK with the main goal of making my own SMS gateway.

So these are the steps I followed.

Installation

1- In the internal memory of the dongle there is the driver for both Windows and Linux. There is a way to make the device appear as USB storage, and this is done by using the usb mode switch application, BUT YOU CAN INSTALL THE DRIVER FROM HERE

2- The following commands will install the driver, and the next time you plug in the dongle it will appear as an Ethernet interface

chmod +x autorun.sh

./autorun.sh

3- To make sure everything is fine, try to access http://hi.link/ ; you should get the web interface 😀

Programming

As you can guess, you can't use gammu or other standard libs that use /dev/ttyUSB. After analyzing the dongle web interface, it appears that it runs as a web service that is consumed by the JavaScript libs of the web app. So here I will post the main methods that you can use to request information and trigger actions; you can build on them any lib in any language.

Information : 

Connection Status :
URL : /api/monitoring/status
Request : empty
Response :
<response>
<ConnectionStatus>901</ConnectionStatus> -> 902 Disconnected , 901 -> Connected
<SignalStrength>96</SignalStrength>
<SignalIcon>5</SignalIcon>
<CurrentNetworkType>3</CurrentNetworkType>
<CurrentServiceDomain>3</CurrentServiceDomain>
<RoamingStatus>0</RoamingStatus>
<BatteryStatus></BatteryStatus>
<BatteryLevel></BatteryLevel>
<simlockStatus></simlockStatus>
<WanIPAddress>10.140.3.121</WanIPAddress>
<PrimaryDns>84.235.6.55</PrimaryDns>
<SecondaryDns>84.235.57.230</SecondaryDns>
<CurrentWifiUser></CurrentWifiUser>
<TotalWifiUser></TotalWifiUser>
<ServiceStatus>2</ServiceStatus>
<SimStatus>1</SimStatus>
<WifiStatus></WifiStatus>
</response>

Check Notifications :
URL : /api/monitoring/check-notifications
Request : empty
Response :
<response>
<UnreadMessage>0</UnreadMessage>
<SmsStorageFull>0</SmsStorageFull>
<OnlineUpdateStatus>10</OnlineUpdateStatus>
</response>

Network information :
URL : /api/net/current-plmn
Request : empty
Response :
<response>
<State>0</State>
<FullName> </FullName>
<ShortName> </ShortName>
<Numeric>42001</Numeric>
<Rat>0</Rat>
</response>

Device information :
URL : /api/device/information
Request : empty
Response :
<response>
<DeviceName>E3131</DeviceName>
<SerialNumber>G8J7SA1262800904</SerialNumber>
<Imei>862732017115150</Imei>
<Imsi>420013703501160</Imsi>
<Iccid>8996601370035011601F</Iccid>
<Msisdn></Msisdn>
<HardwareVersion>CH2E303SM</HardwareVersion>
<SoftwareVersion>22.157.39.00.00</SoftwareVersion>
<WebUIVersion>11.010.12.00.838</WebUIVersion>
<Uptime>5103</Uptime>
<MacAddress1>00:1E:10:E1:73:01</MacAddress1>
<MacAddress2></MacAddress2>
<ProductFamily>GW</ProductFamily>
<Classify>DataCard</Classify>
</response>

Operating

Disconnect :
URL : /api/dialup/dial
Request : <request><Action>0</Action></request>
OK – Response : <response>OK</response>

Connect :
URL : /api/dialup/dial
Request : <request><Action>1</Action></request>
OK – Response : <response>OK</response>

Get SMS Number :
URL : /api/sms/sms-count
Request : Empty
OK – Response :
<response>
<LocalUnread>0</LocalUnread>
<LocalInbox>0</LocalInbox>
<LocalOutbox>0</LocalOutbox>
<LocalDraft>0</LocalDraft>
<LocalDeleted>0</LocalDeleted>
<SimUnread>0</SimUnread>
<SimInbox>0</SimInbox>
<SimOutbox>0</SimOutbox>
<SimDraft>0</SimDraft>
<LocalMax>500</LocalMax>
<SimMax>100</SimMax>
</response>

Receive SMS Inbox :
URL : /api/sms/sms-list
Header : Referer = … /html/smsinbox.html?smsinbox
Request :
<request>
<PageIndex>1</PageIndex>
<ReadCount>20</ReadCount>
<BoxType>1</BoxType> -> 1 Full details
<SortType>0</SortType>
<Ascending>0</Ascending>
<UnreadPreferred>0</UnreadPreferred>
</request>
OK- Response:
Box Type 1 :
<response>
<Count>1</Count>
<Messages>
<Message>
<Smstat>0</Smstat>
<Index>20000</Index>
<Phone> ######## </Phone>
<Content>Message content here </Content>
<Date>2012-08-13 20:54:42</Date>
<Sca>########</Sca>
<SaveType>4</SaveType>
<Priority>0</Priority>
<SmsType>1</SmsType>
</Message>
</Messages>
</response>

IF THE PAGE NUMBER DOESN’T EXIST THE RESPONSE WILL BE
<response>
<Count>0</Count>
<Messages></Messages>
</response>

Set SMS as read :
URL : /api/sms/send-sms
Request : <request><Index>20000</Index></request>
OK – Response : <response>OK</response>

Send SMS :
URL : /api/sms/send-sms
Request :
<request>
<Index>-1</Index> -> -1 if it's not a reply to any index
<Phones><Phone>+23428479287</Phone></Phones>
<Sca></Sca>
<Content>HELLO</Content>
<Length>29</Length>
<Reserved>1</Reserved>
<Date>2012-08-13 23:25:07</Date>
</request>
Response :
<response>OK</response>

Send USSD :
URL :
REQUEST : <request><content>*333#</content><codeType>CodeType</codeType></request>

RESPONSE : <response>OK</response>

Get OUTBOX SMS List :
URL : /api/sms/sms-list
HEADER : Referer = … /html/smsinbox.html?smssent
Request :
<request>
<PageIndex>1</PageIndex>
<ReadCount>20</ReadCount>
<BoxType>2</BoxType>
<SortType>0</SortType>
<Ascending>0</Ascending>
<UnreadPreferred>0</UnreadPreferred>
</request>
Response :
<response>
<Count>4</Count>
<Messages>
<Message>
<Smstat>3</Smstat>
<Index>20001</Index>
<Phone>########## </Phone>
<Content> asdfasdfasdf </Content>
<Date>2012-08-13 23:25:07</Date>
<Sca>+966505031999</Sca>
<SaveType>3</SaveType>
<Priority>4</Priority>
<SmsType>1</SmsType>
</Message>
….
</Messages>
</response>

Management :

Auto Connect Settings :
URL : /api/dialup/connection
Header : Referer: … /html/autoconnection.html
Request :
<request>
<RoamAutoConnectEnable>0</RoamAutoConnectEnable>
<AutoReconnect>1</AutoReconnect>
<RoamAutoReconnctEnable>1</RoamAutoReconnctEnable>
<ReconnectInterval>3</ReconnectInterval>
<MaxIdelTime>0</MaxIdelTime>
<ConnectMode>0</ConnectMode>
</request>
RESPONSE :
<response>OK</response>

Pin Operations :
URL : /api/pin/operate
Header : Referer: http://hi.link/html/pincodemanagement.html
OperationType = 1 Enable Pin
OperationType = 2 Disable Pin
OperationType = 3 New Pin

Example of OP3 :
Request :
<request>
<OperateType>3</OperateType>
<CurrentPin>6132</CurrentPin>
<NewPin>6132</NewPin>
<PukCode></PukCode>
</request>

Response :
<response>OK</response>

Soon I will provide Java and Python libs built on these services. If you have any questions, feel free to mail me.
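A small offline sketch of the request building and response parsing for the endpoints listed above, as an added example (it is not the library the author mentions). The function names and the sample values are constructed for illustration; only the element names and the 901/902 status codes come from the page.

```python
import xml.etree.ElementTree as ET

# Status codes as annotated on the page for /api/monitoring/status
CONNECTION_STATES = {"901": "connected", "902": "disconnected"}


def parse_response(xml_text):
    """Parse a reply and return its <response> root element."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    if root.tag != "response":
        raise ValueError("unexpected root element: %r" % root.tag)
    return root


def connection_state(status_xml):
    """Map <ConnectionStatus> to a label; unknown codes are not guessed."""
    root = parse_response(status_xml)
    code = (root.findtext("ConnectionStatus") or "").strip()
    return CONNECTION_STATES.get(code, "unknown")


def sms_list_request(page=1, count=20, box_type=1):
    """Body for /api/sms/sms-list; integers only, so nothing needs escaping."""
    fields = [("PageIndex", page), ("ReadCount", count), ("BoxType", box_type),
              ("SortType", 0), ("Ascending", 0), ("UnreadPreferred", 0)]
    body = "".join("<%s>%d</%s>" % (tag, int(val), tag) for tag, val in fields)
    return "<request>" + body + "</request>"


def parse_sms_list(xml_text):
    """Return (declared_count, messages) from an sms-list reply."""
    root = parse_response(xml_text)
    declared = int(root.findtext("Count") or 0)
    messages = [{field.tag: (field.text or "").strip() for field in msg}
                for msg in root.iterfind("Messages/Message")]
    return declared, messages


# Constructed samples shaped like the replies on the page (values are made up).
SAMPLE_STATUS = ("<response><ConnectionStatus>901</ConnectionStatus>"
                 "<SignalStrength>96</SignalStrength></response>")
SAMPLE_INBOX = """<response><Count>1</Count><Messages><Message>
<Smstat>0</Smstat><Index>20000</Index><Phone>+10000000000</Phone>
<Content>a &lt; b</Content><Date>2012-08-13 20:54:42</Date>
</Message></Messages></response>"""
SAMPLE_EMPTY = "<response><Count>0</Count><Messages></Messages></response>"

if __name__ == "__main__":
    print(connection_state(SAMPLE_STATUS))
    print(sms_list_request(box_type=2))
    print(parse_sms_list(SAMPLE_INBOX))
    print(parse_sms_list(SAMPLE_EMPTY))
```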