Qualcomm EngineerMode - Moto Z Force Guides, News, & Discussion

So according to this article: https://arstechnica.com/gadgets/2017/11/oneplus-engineering-apk-exposes-backdoor-to-root-access/
"...The important part, though, is a "DiagEnabled" activity with a method called "escalatedUp." If this is set to "true," the app will allow root access over Android Debug Bridge, Android's command-line developer tools."
The article says the APK was also found in Asus and Xiaomi devices... I wonder if maybe it is also on the Moto Z?

I looked, it isn't there.

I was just wondering whether any bright mind who had his hands on those devices managed to save this as an APK.
I searched around a bit without much success, but I do believe we can try running it on our Motorolas if we happen to find it.
On a separate note: invoking Rlz Debug UI aka 'Google Partner Setup' by entering *#*#759#*#* into the dialer (see screenshot) lists one option called "OEM mode" with the possibility to set it to true or false - does anyone know what this is meant for? What is OEM mode after all?

Related

[Q] removed options.....

First of all, while this is my first post, I have been a silent browser of xda for some time. This is such a wonderful site.
My question is, is it possible to somehow get the settings for sideloading and USB/Wi-Fi tethering to show up in the settings menus? I assume that these have been removed or hidden somewhere in the source by commenting out or just been deleted. It seems to me that since these functions were built in to other Android devices and I assume the I9000, that it should be possible to reverse their removal. The settings.db has so many references to other settings that are easily changed that it should not require root access, correct?
Now I must say that I am in no way a developer, and am not very good with Linux. These are just some thoughts and conclusions that I have come up with while reading and pondering over countless articles on xda.
Finally, I want to say that I strongly disagree with AT&T's position on removing these items to increase their bottom line, and I would be with T-Mobile if they had good coverage in my house.
USB tether is listed - called PC internet. Sideloading can be achieved by rooting and changing a settings.db file, but no one has a fix for making it show up.
Sent from my SAMSUNG-SGH-I897 using XDA App
I am aware of the option to enable sideloading in the settings.db, all I'm saying is that there must be a way to put the option back in the settings menus. As for the USB tethering, isn't there an option on other devices to enable/disable?
Perhaps this thread would be better if it was moved to development?
djpittsford said:
I am aware of the option to enable sideloading in the settings.db, all I'm saying is that there must be a way to put the option back in the settings menus. As for the USB tethering, isn't there an option on other devices to enable/disable?
Perhaps this thread would be better if it was moved to development?
a) the sideloading thing is ATT and that will never show up in one of their phones (unless they somehow miss it) if you really want it THAT badly, you can flash eugene's vibrant hybrid and it's there
b) USB tether is directly available through the settings menu on stock firmware (looks like ATT missed it, because they had it removed in JH2 and JH3)
c) if you mean the WIRELESS (mobile access point) tethering, that was removed by ATT and we've already found workarounds to have it back.
d) this certainly does not belong in development, thanks for keeping it out of that forum
e) look at SRE, it contains basically all the things you're asking for

Accessing features in Windows phone 8(.1) development

When developing an application for desktop Windows, there's always a way to access functionality - sometimes through back doors like the registry, etc... I'm developing an application for Windows Phone 8.1, but there are certain pieces of functionality that aren't exposed in the PRT API set that is available to me. For example, we want to ensure that the user has password protection on the lock screen when using the application. There doesn't seem to be any associated APIs to readily use. So my question is, are there back door ways to do such things? How? Is there a way to access ALL system settings - like a registry or something of the like?
proch said:
When developing an application for desktop Windows, there's always a way to access functionality - sometimes through back doors like the registry, etc... I'm developing an application for Windows Phone 8.1, but there are certain pieces of functionality that aren't exposed in the PRT API set that is available to me. For example, we want to ensure that the user has password protection on the lock screen when using the application. There doesn't seem to be any associated APIs to readily use. So my question is, are there back door ways to do such things? How? Is there a way to access ALL system settings - like a registry or something of the like?
Another question would be - if something like intune can enforce lock screen password policies, shouldn't I be able to do it the same way that intune does it? If so, how? If not - why not?
It's not possible to check if the user enabled a lock screen password or not, as far as I know,
but if you want to make your app secure (because it may include important data)
you can create a password for your own application!
I did it in a little notepad app; my password page allows the user to set a password with all English and Persian characters, numbers and special chars like [email protected]#$ etc.
Sent from my RM-994_eu_poland_1183 using Tapatalk
It's pretty easy to check, using the registry, but at least in 8.0 that's not allowed at all for store apps (your app would get rejected). I don't know if the rules changed for 8.1. There are ways to sneak past the store checks, but they could pull your app from the store if they ever found out. I know of at least three ways to access the registry APIs (4 in WP8.1) and two of them are pretty hard to detect unless somebody checks for them specifically... but they're the kind of technique that malware uses, so such checks may be in place.
I don't know what InTune is doing, specifically - I'd need to pull the app apart to see - but there are special application capabilities (not normally available to third-party developers) that can query and even set policies. Apps without those capabilities will get Access Denied if they try to use the same methods though, and normally you can't add those capabilities to your app.
GoodDayToDie said:
It's pretty easy to check, using the registry, but at least in 8.0 that's not allowed at all for store apps (your app would get rejected). I don't know if the rules changed for 8.1. There are ways to sneak past the store checks, but they could pull your app from the store if they ever found out. I know of at least three ways to access the registry APIs (4 in WP8.1) and two of them are pretty hard to detect unless somebody checks for them specifically... but they're the kind of technique that malware uses, so such checks may be in place.
I don't know what InTune is doing, specifically - I'd need to pull the app apart to see - but there are special application capabilities (not normally available to third-party developers) that can query and even set policies. Apps without those capabilities will get Access Denied if they try to use the same methods though, and normally you can't add those capabilities to your app.
Thanks for this great and detailed information. See, that's exactly what I'd do if I were developing a desktop app - since I know that Intune does it, I'd figure out how Intune does it and voila. I'm finally getting over the idea that the same methodologies apply to Windows Phone development.
For my own educational purposes (since I want to understand this platform better), I would really like to know specifically how you go about accessing the registry APIs (for example). If there's any way for you to describe any number of these methods, I'd greatly appreciate it. Thanks again!
My NativeAccess libraries (check my signature, or search on the forum or on Codeplex) contain an example of one way to access the registry. The code is open-source; you may use the libraries as-is (don't expect to get them into the store, though I won't stop you from trying), use the source code as a reference, or modify/build them yourself; the license is very liberal (MS Permissive). The functions I use are generally documented on MSDN, in the desktop APIs section; the phone has the same functions, although the DLL names are changed and the header files hide them.

FRP Unlock on all Android devices

How to Remove FRP Lock From Android Device?
The FRP feature is always enabled on your device as long as you have an active Google account. To disable FRP, you must remove your Google account.
To remove your Google account, follow these steps:
1 : From any Home screen, touch Apps > Settings.
2 : Touch Accounts > Google.
3 : Touch your Google account, and then touch MORE > Remove account.
Important: If you are sending your device in for service, selling your device, or giving it away, it is very important that you remove your Google account and reset your device.
Share it.
Wanheda-Klaus said:
How to Remove FRP Lock From Android Device?
The FRP feature is always enabled on your device as long as you have an active Google account. To disable FRP, you must remove your Google account.
To remove your Google account, follow these steps:
1 : From any Home screen, touch Apps > Settings.
2 : Touch Accounts > Google.
3 : Touch your Google account, and then touch MORE > Remove account.
Important: If you are sending your device in for service, selling your device, or giving it away, it is very important that you remove your Google account and reset your device.
Share it.
How do you get around it if you bought a refurbished Android Moto XT1650-02 on FB and they didn't do what they should have done here in this post?
TonyDaTorch said:
How do you get around it if you bought a refurbished Android Moto XT1650-02 on FB and they didn't do what they should have done here in this post?
Have a look at my posts on this subject.
Currently I'm looking into whether I can side load some code via a FAT32 formatted SD card, and if possible, I need to locate where the flag is stored which sets this FRP. Now this could be stored on a ROM chip of sorts and at this stage I don't want to break open the device to desolder chips, so this blog could be useful at giving clues into what needs to be looked at. Although the device is a Blink Mini camera, the technique can be applied on other devices, like smartphones.
Blink Mini RE, Part 3 -- Staring into the eye of the binary
If we stare at a binary for long enough, we will intimidate it into giving us its little secrets
astrid.tech
Ideally, I'd have a working device, dump the ROM contents, then trigger the FRP and then dump the ROMs again to compare what's been changed, which would highlight areas for further investigation and maybe even the bit flag in question.
The other area of interest currently is Wireshark with the USB packet sniffer. Lenovo's/Motorola's Rescue and Smart Assist program aka LRMA can interrogate the device via a USB cable and detect the firmware. LRMA also suggests enabling the Developer mode/USB debugging, which is enabled by clicking the build number seven times in the Google Android settings. So the question is, can LRMA detect that the FRP has been set? If it can, Ghidra https://ghidra-sre.org/ can be used to detect the FRP bit flag. I say bit flag, it could be multiple bit flags in a variety of locations. Never underestimate your enemy.
I've used the Emergency Contact select a photo trick to gain access to all apps, where I've gone straight for the Settings and Build number, tapped it 7 times as per LRMA's instructions, but it's not unhidden the developer mode and USB debugging options. This could be disabled once FRP is triggered, but it's why I say it could be more than one bit flag which is set. Like you see with UEFI BIOS on some PC motherboards, there could actually be two or more locations which could be used.
Like I said earlier, having a working device, dumping ROMs and then triggering FRP would be ideal, but when you don't have any money, it forces you to use your brain as you can't just step out and buy a new device mirrored in every way.
At this stage I don't know if this FRP flag can be undone. It might be like these Raspberry Pi One Time Programmable switches as seen here, but I have been able to toggle some of those as well! https://github.com/raspberrypi/docu...asciidoc/computers/raspberry-pi/otp-bits.adoc
I've so far been unsuccessful in finding out if there is an equivalent of vcgencmd otp_dump for Android phones, as this could be another way I might be able to find the FRP flag without having to dump the ROMs.
This is all new to me so I might be looking in the wrong areas, as I'm just an unqualified, out of work for decades, boring old penniless Windows programmer, so I'm learning as I go along. But you might find what I've put is useful if you fancy a Thanksgiving, Xmas & New Year challenge for a change.

[REQUEST] Modul - Security enhanced Lockscreen

Hi There,
I am not at all into development. So unfortunately I can't do this by myself. But perhaps someone with more skills thinks this is a useful tool & is willing to build it. I would love it.
[REQUEST]
A Module that is doing a 'shutdown' of the Android device after X wrong PINs / Passwords or X wrong Fingerprint-unlocks
(especially the 'wrong Fingerprint-unlock shutdown' would be important, for the use with a combined strong unlock password)
OPTIONAL (nice to have, too)
The Option to train the Phone with a "Security Fingerprint" (This is another one, not used for 'normal' unlock). This one will perform different pre-chosen behaviours:
(1): "instantly" shutdown the Android , when the "Security Fingerprint" is scanned in the lockscreen.
OR:
[THIS could be awesome for anybody in a very oppressive environment: (Regimes / Police States / Border Controls where someone is forced to unlock the device)]
(2) "delete some pre-chosen folders, apps & THIS Module itself" and then do a legit unlock without any sign of even doing something, so that someone has Plausible Deniability if someone searches the Phone!

Question: What is the current state of unlocking fastboot?

Have decided to rejoin XDA after a while off to see what sort of response I get to this.
A browse of the forum tells me that there is no known way to unlock fastboot, I was wondering what methods had been explored in an attempt to do this?
More specifically there are 2 potential methods I'd like to ask about.
1: I have seen mentioned in a comment here a tool I stumbled across a few months ago while messing around with another device,
edl/README.md at master · bkerler/edl
Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :) - edl/README.md at master · bkerler/edl
github.com
There is one option in particular that I think is of interest,
edl modules oemunlock enable -> Unlocks OEM if partition "config" exists, fastboot oem unlock is still needed afterwards
2: After a quick browse of the disassembled Oppo deeptesting app I can see a number of references to a class that is only accessible via reflection 'android.engineer.OplusEngineerManager'
and it contains a method 'fastbootUnlock'. Has anyone tried to access this class and its methods at all?
Maybe none of these things will be of any use, but before I spend too much time exploring them, I was interested to hear if anyone else had explored these at all? If so what progress was or wasn't made?
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made a very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non-SDK classes I was able to get a list of methods from the class, but so far have not been able to successfully invoke any of them, despite there being no exceptions caught.
User154 said:
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made a very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non-SDK classes I was able to get a list of methods from the class, but so far have not been able to successfully invoke any of them, despite there being no exceptions caught.
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated by Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was the Realme one (I guess it's the same as Oppo).
daniml3 said:
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated by Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was the Realme one (I guess it's the same as Oppo).
It's great that someone else is looking at this! I hadn't posted another update as I haven't made a huge amount of progress, and I wasn't sure anybody would be interested.
The fastbootUnlock method returns a boolean and takes 2 parameters, a byte array and an int. From what I can see it is the only method of the OplusEngineerManager class that the deeptesting app calls. It contains 2 calls to the fastbootUnlock method. One where it calls it with an empty byte array and the int is 1. I was actually able to invoke the method from my test app in this way and got a false return value (rather than just getting null like the other methods I tried to invoke). The second is contained within a method of the deeptesting app that takes a string as its parameter. It then converts this string to a byte array which it passes as the parameter for the fastbootUnlock method along with the int of 1.
Edit:
The second call to fastbootUnlock uses the length of the byte array as the int and not 1. Please forgive me it was late when I wrote this and I was not looking at the source.
That's about as far as I am with it at the moment, the next task is to find out what that string it passes is exactly, and whether it is something that needs to be generated by Oppo.
I would imagine the Realme framework would be similar, if you would like to compare I can provide the full list of methods from the OplusEngineerManager class?
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your research and trying to unlock the fastboot!
xarf903 said:
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your research and trying to unlock the fastboot!
Hi, thanks for your reply. At the moment there isn't too much to test, but if I do manage to find a way I will need plenty of testers, so thank you.
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Edit:
I have looked into this more and it turns out most of this is wrong. The activity is started from within the deeptesting app and not the startup wizard
User154 said:
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was an SELinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app, I guess.
daniml3 said:
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was an SELinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app, I guess.
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden APIs?
Have you used any of the permissions from the deeptesting app?
User154 said:
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden APIs?
Have you used any of the permissions from the deeptesting app?
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden APIs, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys, for example)?
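To make the denial above readable, here is an added example (not code from the thread) that parses the two quoted logcat lines, checks that the MLS categories in scontext really belong to uid 10866 (Android's levelFrom=all scheme), correlates the denied pid with the app's own log line, and derives the allow rule audit2allow would print for it. The log lines are embedded as constructed input copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two logcat lines quoted in the post above.
SAMPLE_LOG = """\
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
"""

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# logcat threadtime prefix: "<date> <time> <pid>-<tid>/<process> <level>/<tag>: ..."
PROC_RE = re.compile(r"^\S+\s+\S+\s+(?P<pid>\d+)-\d+/(?P<proc>\S+)\s")


@dataclass
class AvcDenial:
    perms: List[str]
    pid: Optional[int]
    uid: Optional[int]
    name: Optional[str]       # the service name looked up in servicemanager
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]    # u:r:untrusted_app_29:s0:... -> untrusted_app_29

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]    # u:object_r:engineer_service:s0 -> engineer_service

    def categories(self) -> List[str]:
        parts = self.scontext.split(":")
        return parts[4].split(",") if len(parts) > 4 else []

    def policy_rule(self) -> str:
        """The allow rule audit2allow derives from this denial: it states what the device
        policy forbids, which is not something a third-party app can change."""
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"


def expected_categories(uid: int) -> List[str]:
    """Categories Android's libselinux assigns to an app process (levelFrom=all):
    two derived from the app id (uid - 10000) and two from the Android user id."""
    user_id, app_uid = divmod(uid, 100000)
    app_id = app_uid - 10000
    return [f"c{app_id & 0xFF}", f"c{256 + ((app_id >> 8) & 0xFF)}",
            f"c{512 + (user_id & 0xFF)}", f"c{768 + ((user_id >> 8) & 0xFF)}"]


def parse_avc_line(line: str) -> Optional[AvcDenial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcDenial(perms=m.group("perms").split(),
                     pid=int(fields["pid"]) if "pid" in fields else None,
                     uid=int(fields["uid"]) if "uid" in fields else None,
                     name=fields.get("name"), scontext=fields["scontext"],
                     tcontext=fields["tcontext"], tclass=fields["tclass"],
                     permissive=fields.get("permissive") == "1")


def parse_log(text: str) -> List[AvcDenial]:
    return [d for d in (parse_avc_line(ln) for ln in text.splitlines()) if d]


def process_for_pid(text: str, pid: int) -> Optional[str]:
    """Process name that logged under this pid (the denial itself comes from pid 669 as '?')."""
    for ln in text.splitlines():
        m = PROC_RE.match(ln)
        if m and int(m.group("pid")) == pid and m.group("proc") != "?":
            return m.group("proc")
    return None


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        who = process_for_pid(SAMPLE_LOG, d.pid) or "unknown process"
        print(f"{who} (uid {d.uid}, {d.source_type}) denied {d.perms} on {d.name}:{d.tclass}")
        print(f"  scontext categories match uid: {d.categories() == expected_categories(d.uid)}")
        print(f"  rule: {d.policy_rule()}")
```

Run against the two lines it reports that com.danieml.unlockme, running as untrusted_app_29, was refused the servicemanager lookup of "engineer", which is why the app only ever sees a false return rather than the service's answer.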
daniml3 said:
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden APIs, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys, for example)?
I had a closer look at the logs and I can see that sadly I am getting the same SELinux error.
I can't see much of a way around it at the moment.
I have made a thread in general should anyone wish to discuss this further. Most of this is applicable to all Oppo devices and there are people that have looked at this in different ways and found different things out when trying to unlock fastboot on other devices. I think it would be useful to have somewhere to discuss unlocking fastboot on Oppo devices in general.
[DISCUSSION] A thread to collate and share what is known about unlocking fastboot on Oppo devices
Admin: Please move/delete this thread if it is in the wrong place or against the rules. I wanted to create a thread to discuss unlocking fastboot mode on Oppo devices in general, rather than discussing it in terms of any one device in...
forum.xda-developers.com
