Elliot Alderson @fs0c131y, 34 tweets, 17 min read
<Thread> Hey @OnePlus! I don't think this EngineerMode APK should be in a user build...🤦‍♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices.
If you have a OnePlus device, I'm pretty sure you have this app pre-installed. To check, open Settings -> Apps -> Menu -> Show system apps and search for EngineerMode in the app list.
With a telephony secret code you can access manual tests like the GPS test and the root status test, as stated in this article xda-developers.com/oneplus-hardwa… pointed out by @AleGrechi. But we can do better...
You can access the "main" activity by sending this command: adb shell am start com.android.engineeringmode/.EngineeringMode
You will have access to everything, not just the manual test.
Having access to all these functions is a real issue. Combined with this attack, researchcenter.paloaltonetworks.com/2017/09/unit42…, a malicious app can do a lot of things.
I will find time to make a POC.
But it's not the biggest issue with this app.
DiagEnabled, which is a @Qualcomm-made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing, no? 😀
In the onCreate method, if the intent is not null, the escalatedUp method is called with the parameters enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going?
The escalatedUp method calls Privilege.escalate(password) and, if the result is true, sets the system properties persist.sys.adbroot and oem.selinux.reload_policy to 1.
So yes, if you send the command adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "password" with the correct code, you can become root!
Here is the Privilege class. Check the name of the native library used to check the code: door... Ladies and gentlemen, please say hi to the backdoor made in @Qualcomm.
This lib is located in /system/lib/libdoor.so or /system/lib64/libdoor.so. You can find the sample here: virustotal.com/#/file/3e6df25…
These are the interesting strings of the lib. After a first read we can see that libcrypto is used and that the key and the password are backed up in /data/backup/fpwd and /data/backup/fkey.
This is the code responsible for the password verification. First it checks the length, then calculates the hash and compares it to the correct one.
Unfortunately, I didn't find the password, so if some of you are skilled in reversing native libs, your help is very welcome!
If the verification passes, the password hash is stored in /data/backup/fpwd, and the key is made from different build properties like ro.build.type, ro.build.user, ... and stored in /data/backup/fkey.
Using @fridadotre and the script attached, I managed to bypass the escalate and isEscalated methods and become root.
Here is the source code of the EngineerMode apk: github.com/fs0c131y/Engin…. Feel free to dig on your own and share your findings!
cc @AndroidAuth @AndroidPolice @androidandme @Androidheadline @AndroidPolice @xdadevelopers @AndroidSPIN @Gadgets360 @TheHackersNews you have a subject here to write an article. It's not normal to have this kind of backdoor in an end user product...
Any comments from @getpeid @OnePlus or @Qualcomm?
EngineerMode APK is not the only interesting app left by @Oneplus. More threads to come :)
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent
I will publish an application on the Play Store to root your @OnePlus device in the next hours.
cc @JAMESWT_MHT I forgot to add you :)
Difficulty to install #SuperSu: 0! Everything is already preinstalled 🤔.
The OnePlus root application is coming soon :)
The best thing in this story is the password. It's angela (see the reference?). This backdoor is here intentionally. When fiction becomes reality. Good luck @getpeid, you will need a very good explanation.
cc @whoismrrobot
My Twitter at the moment. Thank you all for the impact you give to this story!
Once again, this app is a system app made by @Qualcomm, so possibly a lot of @Qualcomm-based phones are affected. Can you open Settings -> Apps -> Menu -> Show system apps and search for EngineerMode in the list to check? If you find the app, reply to this tweet with your device model.
Thanks to you, I have now a sample of the EngineerMode apk from @Asus Zenfone, @miuirom, @Redmi 3s, @OnePlus 5T. Expect more fun!
I'm still waiting for more samples to confirm, but yes, EngineerMode is installed on the @OnePlus 5T. The DiagEnabled activity is there, so the backdoor is too :)
Thanks to the awesome @AdrianoDiLuzio, it's pretty easy to install SuperSU!
Write up made by @AdrianoDiLuzio to root your OnePlus device using the backdoor + #Magisk: gist.github.com/aldur/b785257a…
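A device audit that turns the thread's findings into a check, as an added example (not the thread author's or the project's code): it classifies a device from captured `pm list packages`, `dumpsys package` and `getprop` output, using the package, activity and property names from the thread. The sample outputs are constructed; the `adb_shell` wrapper and the exact dumpsys component line format are assumptions.

```python
import re
import subprocess

# Identifiers taken from the thread; the audit logic itself is an added example.
PKG = "com.android.engineeringmode"
DIAG_ACTIVITY = f"{PKG}/.qualcomm.DiagEnabled"
# Properties escalatedUp() sets to "1" once the code is accepted.
ESCALATION_PROPS = ("persist.sys.adbroot", "oem.selinux.reload_policy")

# Constructed sample outputs (not captured from a real device) so this runs offline.
SAMPLE_PM = "package:com.android.chrome\npackage:com.android.engineeringmode\n"
SAMPLE_DUMPSYS = "Activity Resolver Table:\n  com.android.engineeringmode/.qualcomm.DiagEnabled filter 1a2b3c\n"
SAMPLE_GETPROP_TRIGGERED = "[ro.build.type]: [user]\n[persist.sys.adbroot]: [1]\n[oem.selinux.reload_policy]: [1]\n"

def adb_shell(*args):
    """Hypothetical helper for real-device use: run `adb shell <args>` and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True).stdout

def package_installed(pm_list_output):
    """True if `pm list packages` lists the EngineerMode package."""
    return any(line.strip() == f"package:{PKG}" for line in pm_list_output.splitlines())

def diag_activity_present(dumpsys_output):
    """True if `dumpsys package <pkg>` mentions the DiagEnabled activity.
    Assumes the component is printed either as pkg/.qualcomm.DiagEnabled
    or fully qualified as pkg/pkg.qualcomm.DiagEnabled."""
    fully_qualified = f"{PKG}/{PKG}.qualcomm.DiagEnabled"
    return DIAG_ACTIVITY in dumpsys_output or fully_qualified in dumpsys_output

def parse_getprop(getprop_output):
    """Parse `getprop` lines of the form `[name]: [value]` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", getprop_output, re.M))

def triggered_props(getprop_output):
    """Escalation properties currently set to 1: evidence the backdoor was already used."""
    props = parse_getprop(getprop_output)
    return [p for p in ESCALATION_PROPS if props.get(p) == "1"]

def assess(pm_list_output, dumpsys_output, getprop_output):
    """Classify one device from the three captured command outputs."""
    if not package_installed(pm_list_output):
        return "not_installed"
    if not diag_activity_present(dumpsys_output):
        return "installed_without_diagenabled"
    if triggered_props(getprop_output):
        return "backdoor_triggered"
    return "exposed"

if __name__ == "__main__":
    # Offline run on the constructed samples; swap in adb_shell(...) output for a real device.
    print(assess(SAMPLE_PM, SAMPLE_DUMPSYS, SAMPLE_GETPROP_TRIGGERED))
```

On a real device, pass `adb_shell("pm", "list", "packages")`, `adb_shell("dumpsys", "package", PKG)` and `adb_shell("getprop")` to `assess`; a `backdoor_triggered` verdict means the properties from the thread are already set and the device should be treated as rooted.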