This is a dump thread for collecting research and development information on reverse engineering some (or all) of the various Samsung proprietary applications and binaries found in their later top models, running at least Android 4.2.2 and preferably with SELinux enabled as Enforcing.
In these devices there is an extensive amount of hidden functions, applications and behind-the-scenes modifications that are completely outside anything we will ever be able to find in the AOSP repositories. In addition, Samsung is spending more energy on obfuscating many of these functions and applications, which makes security vulnerability research much harder. Why? What is it that they try to hide from public scrutiny?
So if you have any insights, or are particularly good at reading obtuse OEM Java code, please join the discussion and help us out.
One of the first things to look at is the Samsung ServiceMode apps. There are at least three of them:
1) serviceModeApp_FB.apk
2) serviceModeApp_RIL.apk
3) Samsungservice.apk
Let's have a look at the first one: serviceModeApp_FB.apk
The first thing that hits you in the face is LibOTPSecurity. This class uses the current time (taken in the GMT time zone) as the varying input of an OTP (One Time Password) mechanism that serves as temporary authorization for access. (Thanks @ryanbg) The code looks like this:
Code:
package LibOTPSecurity;

import java.text.DecimalFormat;
import java.util.Calendar;
import java.util.TimeZone;

public class OTPSecurity
{
    // Builds a GMT timestamp string, shifted back by paramInt minutes.
    // Field order is YY MM mm DD HH: YEAR - 2000, MONTH + 1, MINUTE, DAY_OF_MONTH, HOUR_OF_DAY,
    // each zero-padded to two digits (the numeric constants are Calendar field ids).
    private String GetDateString(int paramInt)
    {
        Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
        localCalendar.add(12, paramInt * -1); // 12 == Calendar.MINUTE
        return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00").format(-2000 + localCalendar.get(1)))).append(new DecimalFormat("00").format(1 + localCalendar.get(2))).toString())).append(new DecimalFormat("00").format(localCalendar.get(12))).toString())).append(new DecimalFormat("00").format(localCalendar.get(5))).toString() + new DecimalFormat("00").format(localCalendar.get(11));
    }

    // h = h * 33 + c over every char of the string (i + (i << 5) == i * 33), with ordinary
    // Java int overflow; a negative result is sign-flipped at the end.
    private int MakeHashCode(String paramString)
    {
        int i = 0;
        for (int j = 0; ; j++)
        {
            if (j >= paramString.length())
            {
                if (i < 0)
                    i *= -1;
                return i;
            }
            i = i + (i << 5) + paramString.charAt(j);
        }
    }

    // paramString1 is the OTP to verify, paramString2 the secret/seed string it is derived from.
    // The loop evaluates j = 4, 3, 2, 1, 0 and -1 before giving up, i.e. six one-minute slots
    // from four minutes back up to one minute ahead of the current GMT time.
    public boolean CheckOTP(String paramString1, String paramString2)
    {
        int j;
        for (int i = 5; ; i = j)
        {
            j = i - 1;
            if (i <= -1)
                return false;
            if (paramString1.equalsIgnoreCase(Integer.toString(MakeHashCode(paramString2 + GetDateString(j)))))
                return true;
        }
    }
}
This makes a "hash" of paramString2 concatenated with a GMT date string and compares the decimal result with the supplied OTP; the decompiled loop also shows that a code stays valid for six one-minute slots (four minutes back through one minute ahead, presumably to tolerate clock skew). Hopefully we'll see later where exactly these strings come from.
The GetDateString function can be reformatted as:
Code:
private String GetDateString(int paramInt) {
    Calendar localCalendar = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
    localCalendar.add(12, paramInt * -1);
    return new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new DecimalFormat("00")
        .format(-2000 + localCalendar.get(1))))
        .append(new DecimalFormat("00")
        .format(1 + localCalendar.get(2)))
        .toString()))
        .append(new DecimalFormat("00")
        .format(localCalendar.get(12)))
        .toString()))
        .append(new DecimalFormat("00")
        .format(localCalendar.get(5)))
        .toString() + new DecimalFormat("00")
        .format(localCalendar.get(11));
}
I'd have been much happier if this was simplified to readable pseudo-code.
Another interesting part is the SysDump.class:
Code:
// Returns true when the device has neither an OTP authorization flag nor an eng build.
private boolean checkForNoAuthorityAndNotEngBuild()
{
    this.settings = getSharedPreferences("SYSDUMPOTP", 0); // 0 == Context.MODE_PRIVATE
    boolean bool = this.settings.getBoolean("ril.OTPAuth", false); // app preference, not a system property
    String str = String.valueOf(SystemProperties.get("ro.build.type")); // "eng", "userdebug" or "user"
    if ((!bool) && (str.compareToIgnoreCase("eng") != 0))
    {
        Log.e("SysDump", "It's user binary");
        return true;
    }
    Log.e("SysDump", "It's eng binary");
    return false;
}
This clearly (!) determines whether your phone is currently set up as an Engineering model or a User model. To allow this you probably need to set these properties (note that ro.build.type is a real system property, whereas ril.OTPAuth is read from the app's own SYSDUMPOTP shared preferences):
Code:
ro.build.type=eng
ril.OTPAuth=true
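As an added example that is not part of the original post: a readable Python model of the three OTPSecurity methods shown above, reconstructed from the decompiled code. The seed string and the fixed GMT time are constructed inputs (the real source of paramString2 is not known from the APK), and Java's 32-bit int wraparound is reproduced explicitly because MakeHashCode overflows on anything longer than a few characters.

```python
import datetime as dt

def java_int(x):
    """Truncate to Java's signed 32-bit int (two's complement wraparound)."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x

def get_date_string(minutes_back, now):
    """Model of GetDateString: GMT time shifted back by minutes_back minutes,
    formatted as YY MM mm DD HH (year - 2000, month, MINUTE, day, HOUR).
    The minute field really does sit before day and hour in the APK."""
    t = now - dt.timedelta(minutes=minutes_back)
    return "%02d%02d%02d%02d%02d" % (t.year - 2000, t.month, t.minute, t.day, t.hour)

def make_hash_code(s):
    """Model of MakeHashCode: h = h * 33 + c (written i + (i << 5) + c in the
    APK) with Java int overflow; a negative result is sign-flipped."""
    h = 0
    for ch in s:
        h = java_int(h + (h << 5) + ord(ch))
    return java_int(-h) if h < 0 else h   # Java's i *= -1 (Integer.MIN_VALUE stays negative)

def check_otp(candidate, seed, now):
    """Model of CheckOTP: the decompiled loop evaluates j = 4, 3, 2, 1, 0, -1
    before giving up, so six one-minute slots are accepted, from four minutes
    back through one minute ahead of the current GMT time."""
    for j in range(4, -2, -1):
        if candidate.lower() == str(make_hash_code(seed + get_date_string(j, now))).lower():
            return True
    return False

def demo():
    """Constructed walk-through with a placeholder seed and a fixed GMT time."""
    seed = "PLACEHOLDER_SEED"            # assumption: the real seed source is unknown
    now = dt.datetime(2013, 7, 4, 12, 34, tzinfo=dt.timezone.utc)
    code = str(make_hash_code(seed + get_date_string(0, now)))
    minute = dt.timedelta(minutes=1)
    return {
        "date_string": get_date_string(0, now),                         # "1307340412"
        "valid_now": check_otp(code, seed, now),                        # True
        "valid_4_min_later": check_otp(code, seed, now + 4 * minute),   # True  (j = 4)
        "valid_5_min_later": check_otp(code, seed, now + 5 * minute),   # False (expired)
        "valid_1_min_earlier": check_otp(code, seed, now - minute),     # True  (j = -1)
        "valid_2_min_earlier": check_otp(code, seed, now - 2 * minute), # False
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```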