So yes, if you send the command: adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "password" with the correct code you can become root!
Here is the Privilege class. Check the name of the native library used to check the code: door... Ladies and Gentlemen, please say hi to the backdoor made in @Qualcomm
This lib is located in /system/lib/libdoor.so or /system/lib64/libdoor.so. You can find the sample here: https://www.virustotal.com/#/file/3e6df251ad4fe115563b51b302fec2d7836e14dd28ae06e8b41c1939d4bca33d …
These are the interesting strings of the lib. After a first read we can see that libcrypto is used and the key and the password are backed up in /data/backup/fpwd and /data/backup/fkey
This is the code responsible for the password verification. First it checks the length, calculates the hash and compares it to the correct one.
Unfortunately, I didn't find the password, so if some of you are skilled in reversing native libs, your help is very welcome!
If the verification passes, the password hash is stored in /data/backup/fpwd
and the key is made from different build properties like ro.build.type, ro.build.user, ... and stored in /data/backup/fkey
Using @fridadotre and the script attached, I managed to bypass the escalate and isEscalated methods and become root
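As an added example, not code from the thread's author, here is a small audit script a device owner or fleet administrator can run to check whether a handset still carries the two indicators named above: the com.android.engineeringmode package in the output of pm list packages, and libdoor.so under /system/lib or /system/lib64. It assumes adb is on PATH and the device is authorised for debugging; the verdict logic works on captured text, so it can be exercised offline against constructed output.

```shell
#!/usr/bin/env bash
# Added example, not the thread author's code: flag a device that still ships
# the EngineerMode package and the libdoor.so library described in the thread.
# Assumption: adb is on PATH and the attached device is authorised for debugging.

# Package name and library paths quoted in the thread.
EM_PACKAGE="com.android.engineeringmode"
LIB_PATHS="/system/lib/libdoor.so /system/lib64/libdoor.so"

# Succeeds when the captured output of `pm list packages` names EngineerMode.
has_engineeringmode() {
    printf '%s\n' "$1" | grep -qxF "package:${EM_PACKAGE}"
}

# Succeeds when the captured output of `ls` (one existing path per line)
# contains either libdoor.so location; ls error lines do not match.
has_libdoor() {
    printf '%s\n' "$1" | grep -qxE '/system/lib(64)?/libdoor\.so'
}

# Combine both signals: EXPOSED (both present), PARTIAL (one), CLEAN (neither).
verdict() {
    pkgs="$1"
    libs="$2"
    if has_engineeringmode "$pkgs" && has_libdoor "$libs"; then
        echo "EXPOSED"
    elif has_engineeringmode "$pkgs" || has_libdoor "$libs"; then
        echo "PARTIAL"
    else
        echo "CLEAN"
    fi
}

# Live scan only when asked, so the functions above can be sourced and tested
# offline without a device attached. Device output uses CRLF line endings; strip them.
if [ "${1:-}" = "--scan" ]; then
    pkgs=$(adb shell pm list packages 2>/dev/null | tr -d '\r')
    # LIB_PATHS is deliberately left unquoted so ls receives both paths.
    libs=$(adb shell ls $LIB_PATHS 2>/dev/null | tr -d '\r')
    echo "EngineerMode audit verdict: $(verdict "$pkgs" "$libs")"
fi
```

Run it as `./audit.sh --scan` with one device attached; a PARTIAL verdict (package present but library absent, or the reverse) is worth a closer look, since vendors have removed the two pieces independently in updates.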
But you would need root to use Frida-server or repackage the app. How does this work without doing one of those, which defeats the purpose of the vulnerable intent?
You're right, this is why I don't have the password. I didn't find a way to do a dynamic analysis of the lib.