These are the interesting strings of the lib. After a first read we can see that libcrypto is used and the key and the password are backed up in /data/backup/fpwd and /data/backup/fkey
This is the code responsible for the password verification. First it checks the length, calculates the hash and compares it to the correct one.
Unfortunately, I didn't find the password, so if some of you are skilled in reversing native libs, your help is very welcome!
If the verification is passed, the password hash is stored in /data/backup/fpwd
Using and the script attached, I managed to bypass the escalate and isEscalated methods and become root
Here is the source code of the EngineerMode apk: github.com/fs0c131y/Engin. Feel free to dig on your own and share your findings!
cc @androidandme @AndroidSPIN you have a subject here to write an article. It's not normal to have this kind of backdoor in an end user product...
Awesome! Thanks to and the team, we have the password! It's now possible to root an device with a simple intent
Difficulty to install #SuperSu: 0! Everything is already preinstalled 🤔.
The OnePlus root application is coming soon :)
The best thing in this story is the password. It's angela (see the reference?). This backdoor is here intentionally. When the fiction becomes a reality. Good luck , you will need a very good explanation.
cc
My Twitter at the moment. Thank you all for the impact you give to this story!
I'm still waiting for more samples to confirm but yes EngineerMode is installed on 5T. The DiagEnabled activity is here, so the backdoor too :)
