[R&D|WIP] Reversing the Samsung OEM App/Bins


E:V:A

Inactive Recognized Developer
Dec 6, 2011
-∇ϕ
This is a dumper thread for collecting research and development information on reversing some (or all) of the various Samsung proprietary applications and binaries found in their later top models running at least 4.2.2, and preferably also with SELinux enabled as Enforcing.

In these devices there is an extensive amount of hidden functions, applications and behind-the-scenes modifications that are completely outside anything we will ever be able to find in the AOSP repositories. In addition, Samsung is spending more energy on obfuscating many of these functions and applications, which makes security vulnerability research much harder. Why? What is it that they are trying to hide from public scrutiny?

So if you have any insights, or are particularly good at reading obtuse OEM Java code, please join the discussion and help us out.


One of the first apps to look at is the Samsung ServiceMode apps. There are at least three of them:
1) serviceModeApp_FB.apk
2) serviceModeApp_RIL.apk
3) Samsungservice.apk


Let's have a look at the first one: serviceModeApp_FB.apk

The first thing that hits you in the face is the LibOTPSecurity. This class is using the time zone as a mechanism for obfuscating some security mechanism using OTP (One Time Password) as a means of temporary authorization for access. (Thanks @ryanbg) The code looks like this:
Code:
package LibOTPSecurity;

import java.text.DecimalFormat;
import java.util.Calendar;
import java.util.TimeZone;

public class OTPSecurity
{
  // Current GMT time shifted back by paramInt minutes, formatted as ten digits.
  // Calendar field numbers: 1 = YEAR, 2 = MONTH (0-based, hence the +1),
  // 5 = DAY_OF_MONTH, 11 = HOUR_OF_DAY, 12 = MINUTE.
  // Output field order is YY MM mm DD HH (two-digit year, month, minute, day, hour).
  private String GetDateString(int paramInt)
  {
    Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
    localCalendar.add(12, paramInt * -1);
    return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00").format(-2000 + localCalendar.get(1)))).append(new DecimalFormat("00").format(1 + localCalendar.get(2))).toString())).append(new DecimalFormat("00").format(localCalendar.get(12))).toString())).append(new DecimalFormat("00").format(localCalendar.get(5))).toString() + new DecimalFormat("00").format(localCalendar.get(11));
  }

  // Rolling hash h = h * 33 + c over the characters (djb2 without its seed),
  // using Java int overflow, then made non-negative.
  private int MakeHashCode(String paramString)
  {
    int i = 0;
    for (int j = 0; ; j++)
    {
      if (j >= paramString.length())
      {
        if (i < 0)
          i *= -1;
        return i;
      }
      i = i + (i << 5) + paramString.charAt(j);
    }
  }

  // Tries minute offsets 4, 3, 2, 1, 0 and -1 (four minutes back to one minute
  // ahead) and accepts paramString1 if it equals the hash of paramString2
  // concatenated with that minute's date string.
  public boolean CheckOTP(String paramString1, String paramString2)
  {
    int j;
    for (int i = 5; ; i = j)
    {
      j = i - 1;
      if (i <= -1)
        return false;
      if (paramString1.equalsIgnoreCase(Integer.toString(MakeHashCode(paramString2 + GetDateString(j)))))
        return true;
    }
  }
}

This is making a "hash" out of some date strings for comparison. Hopefully we'll see later where exactly these strings come from.

The GetDateString function can be reformatted as:
Code:
  private String GetDateString(int paramInt) {
    Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
    localCalendar.add(12, paramInt * -1);
    return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00")
                .format(-2000 + localCalendar.get(1))))
            .append(new DecimalFormat("00")
                .format(1 + localCalendar.get(2)))
            .toString()))
        .append(new DecimalFormat("00")
            .format(localCalendar.get(12)))
        .toString()))
        .append(new DecimalFormat("00")
            .format(localCalendar.get(5)))
        .toString() + new DecimalFormat("00")
        .format(localCalendar.get(11));
  }
I'd have been much happier if this was simplified to readable pseudo-code.

Another interesting part is the SysDump.class:
Code:
  // Method of the SysDump activity; "settings" is a SharedPreferences field.
  // Returns true when the OTP flag is not set AND the build is not an eng build.
  private boolean checkForNoAuthorityAndNotEngBuild()
  {
    // "ril.OTPAuth" is read from the app's own SharedPreferences file "SYSDUMPOTP"
    this.settings = getSharedPreferences("SYSDUMPOTP", 0);
    boolean bool = this.settings.getBoolean("ril.OTPAuth", false);
    // build type comes from the system property ro.build.type ("user", "userdebug" or "eng")
    String str = String.valueOf(SystemProperties.get("ro.build.type"));
    if ((!bool) && (str.compareToIgnoreCase("eng") != 0))
    {
      Log.e("SysDump", "It's user binary");
      return true;
    }
    Log.e("SysDump", "It's eng binary");
    return false;
  }

This clearly (!) determines whether or not your phone is currently set as an Engineering model or User model. To allow this you probably need to set these properties:
Code:
ro.build.type=eng
ril.OTPAuth=true
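As an added example (not code from this thread, and not Samsung's own code), here is the OTP check above re-implemented in Python with Java's 32-bit int arithmetic emulated, so it can be read the way the decompiled version cannot: the date fields are concatenated in the order YY MM mm DD HH, the "hash" is a multiply-by-33 rolling hash (djb2 without its seed), and CheckOTP accepts six candidate minutes (four minutes back to one minute ahead). The secret string, paramString2 in the decompiled code, is unknown; EXAMPLE-SECRET and the timestamp SAMPLE_NOW are constructed placeholders.

```python
"""Readable re-implementation of LibOTPSecurity.OTPSecurity (serviceModeApp_FB.apk).

Emulates Java int overflow so the numbers match what the app would compute.
The real secret string (paramString2) is not known; the values below are
constructed placeholders for demonstration only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample time: 2013-08-15 13:07 UTC (not from the thread).
SAMPLE_NOW = datetime(2013, 8, 15, 13, 7, tzinfo=timezone.utc)
EXAMPLE_SECRET = "EXAMPLE-SECRET"  # placeholder; the app's real string is unknown


def to_java_int(value: int) -> int:
    """Wrap an arbitrary Python int to a signed 32-bit Java int."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def make_hash_code(text: str) -> int:
    """MakeHashCode: h = h*33 + char over the string (djb2-style, seed 0),
    then made non-negative with Java semantics (Integer.MIN_VALUE stays negative)."""
    h = 0
    for ch in text:
        h = to_java_int(h + (h << 5) + ord(ch))
    if h < 0:
        h = to_java_int(-h)
    return h


def get_date_string(minutes_ago: int, now: datetime) -> str:
    """GetDateString: GMT time minus minutes_ago, fields in the scrambled
    order YY MM mm DD HH (two-digit year, month, minute, day, hour)."""
    t = now.astimezone(timezone.utc) - timedelta(minutes=minutes_ago)
    return "%02d%02d%02d%02d%02d" % (t.year - 2000, t.month, t.minute, t.day, t.hour)


def check_otp(candidate: str, secret: str, now: datetime) -> bool:
    """CheckOTP: the decompiled loop tries minute offsets 4, 3, 2, 1, 0, -1,
    i.e. a six-minute acceptance window. Comparison is case-insensitive,
    mirroring equalsIgnoreCase (irrelevant for decimal digits)."""
    for offset in range(4, -2, -1):
        expected = str(make_hash_code(secret + get_date_string(offset, now)))
        if candidate.lower() == expected.lower():
            return True
    return False


def expected_otp(secret: str, now: datetime) -> str:
    """The value CheckOTP expects for the current minute (offset 0)."""
    return str(make_hash_code(secret + get_date_string(0, now)))


def minutes_later(now: datetime, minutes: int) -> datetime:
    """Helper for probing the acceptance window."""
    return now + timedelta(minutes=minutes)


if __name__ == "__main__":
    code = expected_otp(EXAMPLE_SECRET, SAMPLE_NOW)
    print("date string (offset 0):", get_date_string(0, SAMPLE_NOW))
    print("expected value this minute:", code)
    for delta in (-2, -1, 0, 4, 5):
        ok = check_otp(code, EXAMPLE_SECRET, minutes_later(SAMPLE_NOW, delta))
        print("checked %+d min from issue time: %s" % (delta, ok))
```

The window probe in the main block shows the same code being accepted from one minute before its issue minute up to four minutes after, and rejected outside that. The point for anyone auditing this scheme: there is no device-specific input and no cryptographic primitive, so its strength is exactly the secrecy of paramString2 plus a 31-bit non-cryptographic hash.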

ryanbg

Inactive Recognized Developer
Jan 3, 2008
movr0.com
It's possible that OTP = One Time Password as a means of temporary authorization for accessing service/engineering features. It could be similar to the Blackberry engineering menu that is accessed by a code generated from the Date/Time and device specific information. I'm also doing some significant work on disassembling these applications. Major developments will be posted here.

moonbutt74

Guest
fusedlocation.apk

Is this [fusedlocation.apk] a Samsung thing?
Disabling/removing/replacing it with a dummy file all cause a reboot, like a failing critical service.
This has been bothering me for some time. There is literally no intelligent information
I've been able to find on this. That killing it skunks the OS suggests that it's not so simple
as "oh yeah derrr that's for GPS or sumthin.."
I could go on but, that's the basics of it.

Do you have a list of suspect or confirmed scummy files/bins/apks?

Thanks

m