Profile picture
Elliot Alderson @fs0c131y
, 34 tweets, 17 min read Read on Twitter
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...🤦‍♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices.
If you have an OnePlus device, I'm pretty sure you have this app pre-installed. To check open Settings -> Apps -> Menu -> Show system apps and search EngineerMode in the app list to check
With telephony secret code you can access to manual tests like GPS test, root status test as stated in this article xda-developers.com/oneplus-hardwa… pointed by @AleGrechi . But can do better...
You can access to the "main" activity by sending this command: adb shell am start com.android.engineeringmode/.EngineeringMode
You will have access to everything, not just the manual test.
Having access to all these functions is a real issue. Combined with this attack, researchcenter.paloaltonetworks.com/2017/09/unit42…, a malicious app can do a lot of thing.
I will find time to make a POC.
But it's not the biggest issue with this app.
The DiagEnabled, which is a @Qualcomm made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing no 😀?
In the onCreate method if the intent is not null the escalatedUp method is called with the parameter enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going?
The escalatedUp method is calling Privilege.escalate(password) and if the result is true, it set the system property persist.sys.adbroot and oem.selinux.reload_policy to 1
So yes, if you send the command: adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "password" with the correct code you can become root!
Here the Privilege class. Check the name of native library used to check the code: door... Ladies and Gentlemen please say hi to the backdoor made in @Qualcomm
This lib is located in /system/lib/libdoor.so or /system/lib64/libdoor.so. You can find the sample here: virustotal.com/#/file/3e6df25…
This is the interesting strings of the lib. After a first read we can see that libcrypto is used and the key and the password are backup in /data/backup/fpwd and /data/backup/fkey
This is the code responsible of the password verification. 1st it check the length, calculate the hash and compare it to the correct one.
Unfortunately, I didn't find the password, so if some you are skilled in reversing native lib, your help is very welcome!
If the verification is passed the password hash is stored in /data/backup/fpwd
and the key is made from different build properties like ro.build .type, ro.build .user,... and stored in /data/backup/fkey
Using @fridadotre and the script attached, I managed to bypass the escalate and isEscalated methods and become root
Here the source code of the EngineerMode apk: github.com/fs0c131y/Engin…. Feel free to dig on your own and share your findings!
cc @AndroidAuth @AndroidPolice @androidandme @Androidheadline @AndroidPolice @xdadevelopers @AndroidSPIN @Gadgets360 @TheHackersNews you have a subject here to write an article. It's not normal to have this kind of backdoor in an end user product...
Any comments from @getpeid @OnePlus or @Qualcomm?
EngineerMode APK is not the only interesting app left by @Oneplus. More thread to come :)
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent
I will publish an application on the PlayStore to root your @OnePlus device in the next hours
cc @JAMESWT_MHT I forgot to add you :)
Difficulty to install #SuperSu: 0! Everything is already preinstalled 🤔.
The OnePlus root application is coming soon :)
Nice report @AndroidPolice androidpolice.com/2017/11/13/one…
The best thing in this story is the password. It's angela (see the reference?). This backdoor is here intentionally. When the fiction become a reality. Good luck @getpeid, you will need a very good explanation.
cc @whoismrrobot
My Twitter at the moment. Thank you all for the impact you give to this story!
Once again this app is a system app made by @Qualcomm. So possibly a lot of @Qualcomm based phones are affected. Can you open Settings -> Apps -> Menu -> Show system apps and search EngineerMode in the list to check? If you find the app reply to this tweet with your device model
Thanks to you, I have now a sample of the EngineerMode apk from @Asus Zenfone, @miuirom, @Redmi 3s, @OnePlus 5T. Expect more fun!
I'm still waiting more samples to confirm but yes EngineerMode is installed on @OnePlus 5T. The DiagEnabled activity is here, so the backdoor too :)
Thanks to the awesome @AdrianoDiLuzio, it's pretty easy to install supersu!
Write up made by @AdrianoDiLuzio to root your OnePlus device using the backdoor + #Magisk: gist.github.com/aldur/b785257a…
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#SuperSu #Magisk

More from @fs0c131y see all

Profile picture
In 1981, the Primrose fails on a beach of the North Sentinel Island, pushed by a typhoon. You can still see the wreckage on Google Map, in a creek, in the northwest. The crew was saved only by a helicopter operated by the Indian Navy.
Exact coordinates on Google Maps. Open the link, this Island is wonderful! google.com/maps/place/Nor…
Awesome article in French about the North Sentinel Island from @lemondefr lemonde.fr/international/…
Read 3 tweets
Profile picture
I have a @Frida question: How to deal with a HashMap? I'm intercepting a Java method, "this" has a Hashmap in his attributes. I want to print the content of this HashMap cc @oleavr @enovella_
cc @NowSecureMobile 👋
cc @fridadotre
Read 3 tweets
Profile picture
.@Paytm, the most used banking app in #India, just sent a dummy notification to his users in the middle of the night. Imagine the reaction of the guy (hacker?) when he realised that he just sent a notification to millions of people
Paytm published a tweet regarding this notification
Read 3 tweets

Related threads

Profile picture
<thread> with breaking news "Mueller seeks Roger Stone’s testimony to House intelligence panel"
washingtonpost.com/politics/muell…

Where Stone has great legal jeopardy

1 Russia-Wikileaks collusion:

justsecurity.org/61652/jereome-…

2 Lying to Congress. What statements to Congress exactly? ...
Roger Stone probably lied to Congress about

1. how and when he learned of Wikileaks’ possession of Podesta’s emails

2. his advanced knowledge of content of Wikileaks’ documents on Clinton

3. his communications with Wikileaks

4. his contacts with Russians
Roger Stone also probably made false statements (or lied) about his communications and relationship with the Trump Campaign.

@NatashaBertrand reported that Stone amended his testimony THREE times as news emerged contradicting his testimony
theatlantic.com/politics/archi…
Read 4 tweets
Profile picture
@PortlusGlam
(1/4) Didn't want to break the <thread> you're working on, but think you'll like this short video by @wmur9 via @BostonGlobe:
0:35 "Cottage Hospital officials say they have been a leader in automated recordkeeping for years... (con't)
(2/4) and were recognized by the gov't for their work in 2012."
0:45 "They say they have about 20 million medical records on file and with a database that large security is critical." (con't)
(3/4) DrMariaRyan: "It's not that they want to know if you've had a heart attack. They want your financial information. They want your social security number. So thankfully thru our very strong IT dept nobody has been able to penetrate us but it's a real threat every single day."
Read 4 tweets
Profile picture
<THREAD>

There's been some talk of "primarying out" Democrats who voted for the CR. We've all heard of the Tea Party, but does anyone know who founded it?

I do. His name is Damon Eris./1
Damon championed third-party politics and urged us to "Dump the Duopoly." We used to comment on each others blogs. Even though we disagreed, Damon would promote liberals as well as conservatives, as long as they weren't Democrats of Republicans./2

politeaparty.blogspot.com
I remember when the the Kochs co-opted the Tea Party, effectively deposing him leader. Damon was devastated. There's a difference between being politically conservative & being a racist. Damon was the former, and was deeply troubled by the vulgar conservatives who usurped him./3
Read 11 tweets
Profile picture
<Thread> Is there a thing in politics called "compressed perspective?" If not, let me coin that. Bear with me. In photography (and other optics) if you are far away from an object, and there's another object, yet father from that, viewed through a long lens --
2 -- the two objects, while not close to each other at all, will appear to be close to each other, almost on the same plane. Compressed perspective. The farther you are from those two objects, the closer they will appear together.
3 (that's how they do those pictures of the Golden Gate Bridge or Eiffle Tower with a ridiculously enormous moon). So, politically, what I'm seeing in politics in the U.S., is that the far right and the far left, are so far to each side...
Read 14 tweets
Profile picture
<THREAD> This is a season of peace, but we need to pause for a minute to talk about war. The greatest security threat in the coming year is the prospect of a massive war on the Korean Peninsula—& Trump's dangerous gambit toward North Korea makes that outcome much more likely. 1/
North Korea has had nukes since the mid-2000s. During the 2016 campaign, when the North’s capability only seemed to threaten our regional allies South Korea and Japan, Trump was relatively sanguine. 2/
In fact, candidate Trump even suggested that Seoul & Tokyo should fend for themselves and consider getting their own nukes to counter the threat from North Korea rather than turning to America for help. nytimes.com/2016/03/27/us/… 3/
Read 37 tweets
Profile picture
<THREAD> Separate from the very real possibility of Trump-Russia collusion, the Flynn revelations this week speak to a clear pattern of behavior by both Team Trump and GOP leadership: conspiring to go easy on the Kremlin despite Russian interference in our election. 1/
We know the Kremlin reached out to the Trump campaign (e.g., Papadopoulos, Don Jr) via multiple channels to offer Clinton “dirt”/emails, and received a welcome response from Team Trump. washingtonpost.com/news/politics/… 2/
We know that Trump urged Russia to hack HRC in the summer of 2016 & that Trump surrogates repeatedly sought emails via Russian hackers & WikiLeaks. slate.com/blogs/the_slat… 3/
Read 16 tweets

Trending hashtags

#Democrats #GreatFallsMT #MBTA #BlueWave #BurmaShaveBillboard #TreasonWeasels #WePayYOU #DemExit #NunesMemo #ComeyHearing #dataviz #GoSilent #RefusePolarization #JillNotHill #Brazil #NSS #MentalHealth #BLM #LockHerUp #MemeWar #MemorialDay #MakeItMatter #TakeItBack #CW #Resistance

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!