[R&D|WIP] Reversing the Samsung OEM App/Bins

OP E:V:A, Recognized Developer
7th June 2014, 01:36 PM | #1
This is a dumper thread for collecting research and development information on reversing some (or all) of the various Samsung proprietary applications and binaries found in their later top models running at least 4.2.2, and preferably also with SELinux enabled as Enforcing.

In these devices there is an extensive amount of hidden functions, applications and behind-the-scenes modifications that are completely outside anything that we will ever be able to find in the AOSP repositories. In addition, Samsung is spending more energy on obfuscating many of these functions and applications, which makes security vulnerability research much harder. Why? What is it that they try to hide from public scrutiny?

So if you have any insights, or are particularly good at reading obtuse OEM Java code, please join the discussion and help us out.


One of the first Apps to look at is the Samsung ServiceMode apps. There are at least three of them.
1) serviceModeApp_FB.apk
2) serviceModeApp_RIL.apk
3) Samsungservice.apk


Let's have a look at the first one: serviceModeApp_FB.apk

The first thing that hits you in the face is the LibOTPSecurity. This class is using the time zone as a mechanism for obfuscating some security mechanism using OTP (One Time Password) as a means of temporary authorization for access. (Thanks @ryanbg) The code looks like this:
Code:
package LibOTPSecurity;

import java.text.DecimalFormat;
import java.util.Calendar;
import java.util.TimeZone;

public class OTPSecurity
{
  // Builds a 10-character string from the current GMT time minus paramInt
  // minutes (Calendar field 12 is MINUTE). Output field order, each as two
  // digits: year-2000, month (1-based), MINUTE, day of month, hour of day.
  // Note that the minute field sits before the day field.
  private String GetDateString(int paramInt)
  {
    Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
    localCalendar.add(12, paramInt * -1);
    return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00").format(-2000 + localCalendar.get(1)))).append(new DecimalFormat("00").format(1 + localCalendar.get(2))).toString())).append(new DecimalFormat("00").format(localCalendar.get(12))).toString())).append(new DecimalFormat("00").format(localCalendar.get(5))).toString() + new DecimalFormat("00").format(localCalendar.get(11));
  }

  // Simple multiplicative string hash: i = i*33 + c per character, computed
  // in Java 32-bit int arithmetic (it wraps), with the sign stripped at the
  // end. This is not a cryptographic hash.
  private int MakeHashCode(String paramString)
  {
    int i = 0;
    for (int j = 0; ; j++)
    {
      if (j >= paramString.length())
      {
        if (i < 0)
          i *= -1;
        return i;
      }
      i = i + (i << 5) + paramString.charAt(j);
    }
  }

  // Accepts paramString1 if it equals the decimal hash of paramString2
  // concatenated with the date string for any offset the loop tries.
  // Tracing the loop: j takes the values 4, 3, 2, 1, 0 and -1, so codes from
  // four minutes in the past up to one minute in the future are accepted.
  public boolean CheckOTP(String paramString1, String paramString2)
  {
    int j;
    for (int i = 5; ; i = j)
    {
      j = i - 1;
      if (i <= -1)
        return false;
      if (paramString1.equalsIgnoreCase(Integer.toString(MakeHashCode(paramString2 + GetDateString(j)))))
        return true;
    }
  }
}

This is making a "hash" out of some date strings for comparison. Hopefully we'll see later where exactly these strings come from.

The GetDateString function can be reformatted as:
Code:
  private String GetDateString(int paramInt) {
      Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
      localCalendar.add(12, paramInt * -1);
      return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00")
              .format(-2000 + localCalendar.get(1))))
          .append(new DecimalFormat("00")
              .format(1 + localCalendar.get(2)))
          .toString()))
          .append(new DecimalFormat("00")
          .format(localCalendar.get(12)))
          .toString()))
      .append(new DecimalFormat("00")
          .format(localCalendar.get(5)))
      .toString() + new DecimalFormat("00")
      .format(localCalendar.get(11));
  }
I'd have been much happier if this was simplified to readable pseudo-code.

Another interesting part is the SysDump.class:
Code:
  // Reads the "ril.OTPAuth" flag from the app's SYSDUMPOTP shared preferences
  // and the ro.build.type system property. Returns true ("no authority") only
  // on a non-eng build where the OTP flag has not been set.
  private boolean checkForNoAuthorityAndNotEngBuild()
  {
    this.settings = getSharedPreferences("SYSDUMPOTP", 0);
    boolean bool = this.settings.getBoolean("ril.OTPAuth", false);
    String str = String.valueOf(SystemProperties.get("ro.build.type"));
    if ((!bool) && (str.compareToIgnoreCase("eng") != 0))
    {
      Log.e("SysDump", "It's user binary");
      return true;
    }
    Log.e("SysDump", "It's eng binary");
    return false;
  }
This clearly (!) determines whether or not your phone is currently set as an Engineering model or User model. To allow this you probably need to set these properties:
Code:
ro.build.type=eng
ril.OTPAuth=true
Last edited by E:V:A; 20th June 2014 at 05:24 PM. Reason: Edited and re-wrote wrong info regarding OTP
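A Python port of the decompiled OTPSecurity logic, added here for analysis; it is not Samsung's code and not something posted by E:V:A. It assumes the decompiled Java above is exact, and uses a constructed secret string and a fixed clock (the thread's posting time) so the date layout and the acceptance window can be checked deterministically.

```python
import datetime as dt


def to_int32(v):
    """Wrap to a signed 32-bit Java int (the decompiled code uses int arithmetic)."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def make_hash_code(s):
    """Port of MakeHashCode(): i = i*33 + c per char, then strip the sign.
    Integer.MIN_VALUE * -1 stays negative in Java, which to_int32 reproduces."""
    i = 0
    for ch in s:
        i = to_int32(i + (i << 5) + ord(ch))
    if i < 0:
        i = to_int32(-i)
    return i


def get_date_string(minutes_back, now=None):
    """Port of GetDateString(): GMT time minus N minutes, laid out as
    YY MM mm DD HH (year-2000, month, MINUTE, day, hour). The minute-before-day
    order is what the DecimalFormat chain in the decompiled code produces."""
    now = now or dt.datetime.now(dt.timezone.utc)
    t = now - dt.timedelta(minutes=minutes_back)
    return "%02d%02d%02d%02d%02d" % (t.year - 2000, t.month, t.minute, t.day, t.hour)


def check_otp(candidate, secret, now=None):
    """Port of CheckOTP(). Tracing its for-loop gives offsets 4,3,2,1,0,-1, so a
    code for four minutes back through one minute ahead of the clock is accepted."""
    for offset in range(4, -2, -1):
        expected = str(make_hash_code(secret + get_date_string(offset, now)))
        if candidate.lower() == expected.lower():  # equalsIgnoreCase in the original
            return True
    return False


def example_clock():
    """Constructed fixed clock for reproducible runs: the OP's posting time, in GMT."""
    return dt.datetime(2014, 6, 7, 13, 36, tzinfo=dt.timezone.utc)


if __name__ == "__main__":
    # Constructed inputs: a made-up secret "ABC" and the fixed clock above.
    for off in (5, 4, 0, -1, -2):
        code = str(make_hash_code("ABC" + get_date_string(off, example_clock())))
        print(off, get_date_string(off, example_clock()), code,
              check_otp(code, "ABC", example_clock()))
```

Running it shows that only the offsets 4 through -1 are accepted, and that the whole "OTP" is a deterministic function of the secret string and the GMT wall clock, hashed with a 32-bit non-cryptographic function.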
9th June 2014, 03:27 PM | #2
ryanbg, Senior Member
It's possible that OTP = One Time Password as a means of temporary authorization for accessing service/engineering features. It could be similar to the Blackberry engineering menu that is accessed by a code generated from the Date/Time and device specific information. I'm also doing some significant work on disassembling these applications. Major developments will be posted here.
14th June 2014, 10:33 PM | #3
moonbutt74, Senior Member
fusedlocation.apk
Is this [fusedlocation.apk] a Samsung thing? Disabling/removing/dummyfile all cause a reboot, like a failing critical service. This has been bothering me for some time. There is literally no intelligent information I've been able to find on this. That killing it skunks the OS suggests that it's not so simple as "oh yeah derrr that's for gps or sumthin.." I could go on, but that's the basics of it.

do you have a list of suspect or confirmed scummy files/bin/apks?

thanks

m