Samsung SPH-M330

From Legacy Portable Computing Wiki
A Samsung SPH-M330 in hand whilst fully extended.

The Samsung SPH-M330, also known as the Samsung Seek, is a 3G CDMA mobile phone released in the late 2000s. It's a slider phone and was a Sprint-exclusive model.

There is a non-Sprint version of the phone, the "PLS-M330". Its hardware is identical; the only differences are the lack of Sprint branding and slightly different firmware.

Specs

Basics

SPH-M330
HW Platform/Chipset: Qualcomm QSC6055 (192 MHz ARM926EJ-S)
SW Platform/OS: Samsung Proprietary (Qualcomm REX OS-based)
Display: 128 x 160, TFT, 16-bit color
Physical display size: 2" (5.08 cm)
Sensors: A-GPS
Flash memory: 16MB(?) (Samsung K5W1257ACM-BL60)
Memory card slot: None
Phonebook capacity: 500
Charging and data connector: Micro USB
Regulatory info: FCC ID: A3LSPHM330 (approved 2009-07-31)

Connectivity

SPH-M330
Operating modes: CDMA (850/1900)
Data: 1x RTT
Bluetooth: Yes, v2.0
Bluetooth profiles: HSP, HFP, DUN, Object Push Profile, PBA
PC Link: Qualcomm DIAG support

Input

SPH-M330
Input methods: 12-key keypad with T9
Soft keys: Above speaker and Back button
Side keys: Left: volume rocker; Right: shutter key

Media

SPH-M330
Rear camera: VGA, fixed focus; night mode, self-timer, brightness/white balance adjustment
Supported image formats: GIF, JPG, PNG, ...
Supported sound formats: MID, MP3, PMD, ...
Speaker configuration: Ear speaker with loudspeaker on back
Line out: 2.5mm audio jack
Synthesizer: Qualcomm CMX 4.1

Messaging

SPH-M330
SMS: Yes
MMS: Yes

Software

SPH-M330
Java: Yes (elaborate; to be filled in)
BREW: Yes, 3.1.5.145 SP01 (AppManager can be opened by dialing ##2739#)
Flash Lite: 1.1

Hidden BREW support

As seen above, it is possible to access the BREW AppManager using the dial code ##2739# and entering the 6-digit SPC when asked.

This dial code has also been confirmed to work on other Sprint-branded and Sprint MVNO Samsung phones from around the same period. Although it has not been tested on the SPH-M330 specifically, changing the ESN to match the latest available BREW test signature should allow sideloading BREW applications.

Arbitrary Sprint limitations

The only way to pull user photos off of the phone is via the debug port (Bitpim*, QCSuper or Revskills) or "PictBridge". Sending and receiving photos via Bluetooth has been artificially disabled, and any photo that gets assigned to a contact is stripped out in the Bluetooth sending process. Thanks Sprint!

  • Bitpim's phone-searching routine causes the phone to display "File system is starting up". This deletes all user data on the phone!

Note on phone's software

All of the phone's stock features appear to be integrated in the AEE. There are no extra mod or sig files, and there is only one MIF file. This means large attack surfaces like the JRE and built-in web browser are baked into the firmware itself (probably the AEEShell or something).

With attack surfaces as large as the web browser and the JRE built into the firmware itself, finding exploits is simpler than on other Qualcomm CDMA phones, since there is no need to escalate privileges out of the BREW mod sandbox/execution environment.

J2ME Support

The phone comes with three preinstalled Java games: "American Idol", "Asphalt 4: Elite Racing", and "The Price is Right". All of them are demos (what is it with feature phones and the preinstalled games/software always being demos!?), and all three get reinstalled on factory reset.

These games are installed in /brew/card1/AMSDL/CONTENT/Games, with each game in its own folder: American Idol is Americ645, Asphalt 4 is Asphal343, and The Price is Right is The_Pr035. The JAR and JAD files are named accordingly, but "MANIFEST.MF" is left alone.

While it is possible to sideload apps by overwriting the existing JARs, the initial class must have exactly the same name as in the original JAR ("com.ea.americanidol.TextMIDlet" for American Idol, "GloftASP4" for Asphalt 4, and "Game_PRICE" for The Price is Right). Modifying the JAD or MF file in the directory has no effect.

This is because the phone keeps track of the installed JARs in "/brew/card1/DB/Ace.dat". Instead of looking up the initial class in the JAR, MANIFEST.MF, or JAD, it loads it from Ace.dat.

It has been discovered that "Ace.dat" can be modified, but only while the phone is powered off and showing the battery charging screen. Once the phone has booted, the file is locked because it is in use.

The phone also does not accept JARs sent over Bluetooth, which is sad.

Battery Bypass

If you don't have a battery and are willing to do some tinkering, it's possible to make your own 'genuine' battery for the M330.

The phone checks for a ~4.7 kOhm resistor between GND and the middle battery terminal (the BSI pin).

This is not really recommended, though: soldering skills are required, it leaves permanent marks (there will always be solder on the battery terminals), and the battery you choose must have built-in protection.

It is highly recommended that you get a proper replacement battery instead. Only do this if you are skilled, have the tools on hand, and don't want to buy a replacement.

On top of that, the battery bypass may harm the phone's power management system.

"commonres.bar"

In the folder "/brew/mod/common" are two files: "commonres.bar" and "commonres_bk.bar".

These appear to contain the GUI elements for the BREW shell. Most of the resources are "image/bci" files, which appear to be a format that's long since been forgotten. The contents of these files can be extracted using either Qualcomm's official tools or BREW Utils, with "dumpbci" capable of partially decoding BCI files.

The BCI files in question consist of two main parts: an uncompressed array (possibly unsigned short[]?) defining the RGB color palette, and a zlib-compressed unsigned char[] array holding the bitmap. The color palette appears to be in an "RGB32" format. In the bitmap area, each pixel is one byte encoding its red, green, blue, and alpha channels, at 2 bits per channel.

It is odd, however, how only the bitmap section is compressed.

"rawpixels.net" can be used to create a grayscale image of the decompressed and extracted bitmap section.
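As an added illustration (not code from this wiki, from Qualcomm's tools, or from BREW Utils), the following Python script walks the BCI layout described above on a constructed sample: since only the bitmap section is compressed, it locates the zlib stream to find where the bitmap starts, treats everything before it as the raw palette, and expands the one-byte pixels into 8-bit RGBA and a grayscale view like the rawpixels.net one. The channel bit order (R in the top two bits, then G, B, A) is an assumption the page does not state.

```python
import struct
import zlib

# Constructed sample, not a real commonres.bar resource: four palette
# entries (assumed little-endian uint16, per the page's "unsigned short[]"
# guess) followed by a zlib-compressed 2x2 bitmap of 2-bit-per-channel pixels.
SAMPLE_BITMAP = bytes([0b11000011, 0b00110000, 0b00001100, 0b11111111])
SAMPLE_BCI = struct.pack("<4H", 0x0000, 0x001F, 0x07E0, 0xF800) + zlib.compress(SAMPLE_BITMAP)


def split_bci(data: bytes):
    """Return (palette_bytes, decompressed_bitmap).

    Scan for a valid zlib header (CMF 0x78, CMF*256+FLG divisible by 31) and
    keep the first candidate that inflates to a complete stream; everything
    before it is treated as the uncompressed palette.
    """
    for i in range(len(data) - 1):
        cmf, flg = data[i], data[i + 1]
        if cmf != 0x78 or ((cmf << 8) | flg) % 31 != 0:
            continue
        d = zlib.decompressobj()
        try:
            bitmap = d.decompress(data[i:])
        except zlib.error:
            continue
        if d.eof:  # stream terminated cleanly, so not a false-positive header
            return data[:i], bitmap
    raise ValueError("no complete zlib stream found")


def unpack_pixels(bitmap: bytes):
    """Expand one-byte pixels (2 bits per channel) to 8-bit (r, g, b, a).

    Assumed bit order (not stated on the page): R in bits 7-6, G in 5-4,
    B in 3-2, A in 1-0. Each 2-bit value is scaled by 85 so that 3 -> 255.
    """
    return [((p >> 6) * 85, ((p >> 4) & 3) * 85, ((p >> 2) & 3) * 85, (p & 3) * 85)
            for p in bitmap]


def to_grayscale(pixels):
    """Collapse RGBA tuples to BT.601 luma, like the rawpixels.net grayscale view."""
    return [(299 * r + 587 * g + 114 * b + 500) // 1000 for r, g, b, _ in pixels]


if __name__ == "__main__":
    palette, bitmap = split_bci(SAMPLE_BCI)
    print(len(palette), "palette bytes,", len(bitmap), "pixels")
    print(unpack_pixels(bitmap), to_grayscale(unpack_pixels(bitmap)))
```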

Exploits/Entry Points

Qualcomm EFS Move Busy File

When a file is in use, you cannot modify or delete it via the debug port. But you can rename/move it.

Not _quite_ an exploit, but it is potentially useful unintended behavior.

The program QCSuper is capable of moving/renaming files on the phone.

platformRequest()

There is a buffer overflow on the heap in the phone's implementation of "platformRequest()", which is accessible from the J2ME runtime environment.

An excerpt from "https://github.com/userse31/SPH-M330_PLAT_REQ_BUG/blob/main/src/Game_PRICE.java":

String treat="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000";
// Runs inside the MIDlet; ConnectionNotFoundException is javax.microedition.io.ConnectionNotFoundException.
try {
    platformRequest(treat);
} catch (ConnectionNotFoundException ex) {
    ex.printStackTrace();
}
destroyApp(false);
notifyDestroyed();

The phone only crashes once the MIDlet exits.

SMS database buffer overread

Text messages on the phone are saved under "/nvm/sms". Files are named "sms_xxxx" (with "xxxx" being a 4-digit decimal number), alongside "sms_segmentedmsg_data", whose exact role is unclear, although messages exceeding 160 characters are stored there.

The byte at offset 3 (counting from zero) in the individual sms files stores the length of the message's text body. Increasing this value produces a buffer overread, which usually shows up as garbage data appended to the message's list of recipient phone numbers/emails.
