XDA Developers Android and Mobile Development Forum

[R&D|WIP] Reversing the Samsung OEM App/Bins

(Last edited by E:V:A; 20th June 2014 at 04:24 PM.) Reason: Edited and re-wrote wrong info regarding OTP

This is a dumper thread for collecting research and development information on reversing some (or all) of the various Samsung proprietary applications and binaries found in their later top models running at least 4.2.2, and preferably also with SELinux enabled as Enforcing.

In these devices there are an extensive number of hidden functions, applications and behind-the-scenes modifications that are completely outside anything that we will ever be able to find in the AOSP repositories. In addition, Samsung is putting more energy into obfuscating many of these functions and applications, which makes security vulnerability research much harder. Why? What is it that they try to hide from public scrutiny?

So if you have any insights or are particularly good at reading obtuse OEM Java code, please join the discussion and help us out.

One of the first Apps to look at is the Samsung ServiceMode apps. There are at least three of them.
1) serviceModeApp_FB.apk
2) serviceModeApp_RIL.apk
3) Samsungservice.apk

Let's have a look at the first one: serviceModeApp_FB.apk

The first thing that hits you in the face is the LibOTPSecurity. This class is using the time zone as a mechanism for obfuscating some security mechanism using OTP (One Time Password) as a means of temporary authorization for access. (Thanks @ryanbg) The code looks like this:
package LibOTPSecurity;

import java.text.DecimalFormat;
import java.util.Calendar;
import java.util.TimeZone;

public class OTPSecurity {
  // Calendar field constants used below: 1 = YEAR, 2 = MONTH, 5 = DAY_OF_MONTH,
  // 11 = HOUR_OF_DAY, 12 = MINUTE.
  private String GetDateString(int paramInt) {
    Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
    localCalendar.add(12, paramInt * -1); // go back paramInt minutes
    return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00").format(-2000 + localCalendar.get(1)))).append(new DecimalFormat("00").format(1 + localCalendar.get(2))).toString())).append(new DecimalFormat("00").format(localCalendar.get(12))).toString())).append(new DecimalFormat("00").format(localCalendar.get(5))).toString() + new DecimalFormat("00").format(localCalendar.get(11));
  }

  // i = 33 * i + character, in 32-bit int arithmetic; a negative result is negated.
  private int MakeHashCode(String paramString) {
    int i = 0;
    for (int j = 0; ; j++) {
      if (j >= paramString.length()) {
        if (i < 0)
          i *= -1;
        return i;
      }
      i = i + (i << 5) + paramString.charAt(j);
    }
  }

  // Tries the minute offsets 4, 3, 2, 1, 0 and -1 before giving up.
  public boolean CheckOTP(String paramString1, String paramString2) {
    int j;
    for (int i = 5; ; i = j) {
      j = i - 1;
      if (i <= -1)
        return false;
      if (paramString1.equalsIgnoreCase(Integer.toString(MakeHashCode(paramString2 + GetDateString(j)))))
        return true;
    }
  }
}

This is making a "hash" out of some date strings for comparison. Hopefully we'll see later where exactly these strings come from.

The GetDateString function can be reformatted as:
  private String GetDateString(int paramInt) {
      Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
      localCalendar.add(12, paramInt * -1);
      return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00")
              .format(-2000 + localCalendar.get(1))))
          .append(new DecimalFormat("00")
              .format(1 + localCalendar.get(2)))
          .toString()))
          .append(new DecimalFormat("00")
              .format(localCalendar.get(12)))
          .toString()))
          .append(new DecimalFormat("00")
              .format(localCalendar.get(5)))
          .toString() + new DecimalFormat("00")
              .format(localCalendar.get(11));
  }
I'd have been much happier if this was simplified to readable pseudo-code.

Another interesting part is the SysDump.class:
  private boolean checkForNoAuthorityAndNotEngBuild() {
    this.settings = getSharedPreferences("SYSDUMPOTP", 0);
    boolean bool = this.settings.getBoolean("ril.OTPAuth", false);
    // The property name is empty in the code as posted.
    String str = String.valueOf(SystemProperties.get(""));
    if ((!bool) && (str.compareToIgnoreCase("eng") != 0)) {
      Log.e("SysDump", "It's user binary");
      return true;
    }
    Log.e("SysDump", "It's eng binary");
    return false;
  }
This clearly (!) determines whether or not your phone is currently set as an Engineering model or User model. To allow this you probably need to set these properties:

The Following 3 Users Say Thank You to E:V:A For This Useful Post
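
The CheckOTP logic from the post above, rewritten in readable Python as an added example (it is not part of the original post and not Samsung's code). The seed string is constructed, because the real value passed as paramString2 does not appear in the thread; the function names are this example's own, and the clock is passed in as `now` so the acceptance window can be checked.

```python
from datetime import datetime, timedelta, timezone

def date_string(now, minutes_back):
    """GetDateString: GMT time `minutes_back` minutes before `now`.

    Field order follows the decompiled Calendar constants 1, 2, 12, 5, 11:
    year-2000, month, MINUTE, day, hour (the minute sits in the middle).
    """
    t = now.astimezone(timezone.utc) - timedelta(minutes=minutes_back)
    return f"{t.year - 2000:02d}{t.month:02d}{t.minute:02d}{t.day:02d}{t.hour:02d}"

def make_hash_code(s):
    """MakeHashCode: h = 33*h + ch in Java 32-bit signed arithmetic, then sign flip."""
    h = 0
    for ch in s:                      # assumes ASCII input, as in the date string
        h = (h + (h << 5) + ord(ch)) & 0xFFFFFFFF
    if h >= 0x80000000:               # reinterpret as a signed Java int
        h -= 1 << 32
    if h < 0 and h != -(1 << 31):     # Java's i *= -1 leaves Integer.MIN_VALUE negative
        h = -h
    return h

def check_otp(candidate, seed, now):
    """CheckOTP: the decompiled loop tries minute offsets 4, 3, 2, 1, 0, -1."""
    for minutes_back in (4, 3, 2, 1, 0, -1):
        expected = str(make_hash_code(seed + date_string(now, minutes_back)))
        if candidate.lower() == expected:   # equalsIgnoreCase in the original
            return True
    return False

if __name__ == "__main__":
    seed = "CONSTRUCTED-SEED"         # constructed; the real paramString2 is not on the page
    issued = datetime(2014, 6, 20, 16, 24, tzinfo=timezone.utc)
    otp = str(make_hash_code(seed + date_string(issued, 0)))
    for skew in (-2, -1, 0, 4, 5):    # verifier clock relative to issue time, in minutes
        print(skew, check_otp(otp, seed, issued + timedelta(minutes=skew)))
```

The value is a plain times-33 rolling hash of seed plus timestamp, so a code computed for one minute is accepted while the checking clock is between one minute behind and four minutes ahead of that minute.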
It's possible that OTP = One Time Password as a means of temporary authorization for accessing service/engineering features. It could be similar to the Blackberry engineering menu that is accessed by a code generated from the Date/Time and device specific information. I'm also doing some significant work on disassembling these applications. Major developments will be posted here.
The Following User Says Thank You to ryanbg For This Useful Post
moonbutt74's Avatar
Default fusedlocation.apk

is this [fusedlocation.apk] a samsung thing?
disabling/removing/dummyfile all cause reboot like failing critical service.
this has been bothering me for some time. there is literally no intelligent information
i've been able to find on this. that killing it skunks the os suggests that it's not so simple
as "oh yeah derrr that's for gps or sumthin.."
i could go on but, that's the basics of it.

do you have a list of suspect or confirmed scummy files/bin/apks?

