Xiaomi firmware has multiple backdoors

By NiTrOwow, Senior Member on 13th August 2014, 11:34 PM
So I've basically got myself into this sh*t because of a lack of care.. Until it popped and hit the highlights.

And now straight to the point. It doesn't f*ckin matter if you had a fw or not, as the backdoors are embedded in ROOT system processes.
And those were obviously white-listed, as I didn't think of a nasty Chinese guy sitting in it calling back home. My friend, who got the same phone, found the article while I was having my vacation for a bit, so when I found out I did a bit of research on my device, of course. After finding all this I e-mailed it to him and he posted it on the Xiaomi European forums. Guess what happened: it got deleted. So they know damn well what they're doing.

Quote:

When you purchase Xiaomi products or services, we’ll collect relevant personal information, including but not limited: delivery information, bank account, credit card information, bill address, credit check and other financial information, contact or communication records.

Quote:
Originally Posted by OP

XMPP connection (always connected when network available)
54.255.185.236
hostname: ec2-54-255-185-236.ap-southeast-1.compute.amazonaws.com
(Seems not to have a domain) The IP address was also not found in any system modules in plain or unicode text. Assuming it is encoded / encrypted somewhere in a native application, system module, or not in a native app but in a dalvik compiled image.

Other connections
54.254.212.222
Hostname: ec2-54-254-212-222.ap-southeast-1.compute.amazonaws.com
Domains:
bbs.miui.com
reader.browser.miui.com
update.miui.com
www . miui.cn
www . miui.com
zhuomian.xiaomi.com

112.90.17.54
Domains:
pgv.m.xunlei.com
www . inewsgr.com

122.143.5.59
Hostname: 59.5.143.122.adsl-pool.jlccptt.net.cn
(Seems to be an ADSL connection with no domain)

223.202.68.93
Hostname: out68-93.mxzwb3.hichina.com
Domains:
app.mi.com
dev.xiaomi.com
m.app.mi.com
mitunes.app.xiaomi.com

Music app(?) connects to:
202.173.255.152
2012-12-01 lrc.aspxp.net
2012-12-01 lrc.feiyes.net
2012-12-01 w.w.w.616hk.com
2012-12-01 w.w.w.hk238.com
2012-12-01 w.w.w.lrc123.com

123.125.114.145
2013-11-27 tinglog.baidu.com
1/53 2014-07-02 12:51:01 hxxp://tinglog.baidu.com

Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.


Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/53 2014-07-02 12:47:57 hxxp://dev.baidu.com/

Android-system ANT HAL Service(Framework_ext.apk/jar) connect to:
42.62.48.207
VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.
2014-04-28 app.migc.wali.com
2014-07-12 app.migc.xiaomi.com
2014-05-30 gamevip.wali.com
2014-05-30 log.wlimg.cn
2014-04-21 mitunes.game.xiaomi.com
2014-04-30 oss.wali.com
2014-05-17 p.tongji.wali.com
2014-07-13 policy.app.xiaomi.com

Latest detected URLs
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/58 2014-08-13 07:10:49 hxxp://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php
1/58 2014-08-10 00:46:35 hxxp://policy.app.xiaomi.com/
1/53 2014-07-02 12:49:59 hxxtp://oss.wali.com

Messages (Mms.apk) connects to (it literally calls back home)
54.179.146.166
2014-08-12 api.account.xiaomi.com
2014-07-26 w.w.w.asani.com.pk

What does it do? It sends the phone numbers you call, send messages to, add, etc. to a Resin/4.0.13 Java application running on an nginx webserver to collect data. Checkpackages, an embedded system process/app, posts all installed apps to a Tengine a/k/a nginx webserver CMS.

URL: hxxtp://api.account.xiaomi.com:81/pass/v3
Server: sgpaws-ac-web01.mias
Software: Tengine/2.0.1 | Resin/4.0.13

URL: hxxp://policy.app.xiaomi.com:8080/cms/interface/v1/
Server: lg-g-com-ngx02.bj
Software: Tengine | Resin

Bottom line
They don't give a single damn about your data.. All sent in plain text.

For messages APK (Mms.apk)
I don't believe it needs those permissions for normal functionality; this is only for the extra feature, let's call it a bug.

android.permission.SEND_SMS_NO_CONFIRMATION
android.permission.GET_ACCOUNTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.INTERNET
miui.permission.SHELL
android.permission.GET_TASKS
android.permission.CAMERA

Some code ... I also attached Java classes and smali dalvik jvm bytecode.

Code:
#<externalId = outgoing callerid>#
package com.xiaomi.mms.net;

import android.net.Uri;
import android.net.Uri.Builder;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
import com.xiaomi.mms.utils.EasyMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import miui.net.CloudManager;

public class b
{
  public static final String qa = CloudManager.URL_ACCOUNT_BASE;
  public static final String qb = CloudManager.URL_ACCOUNT_API_V2_BASE;
  public static final String qc = CloudManager.URL_ACCOUNT_API_V3_BASE;
  public static final String qd = qa + "/serviceLogin";
  public static final String qe = qc + "/[email protected]";

  protected static String a(String paramString, Map paramMap)
  {
    if ((paramMap != null) && (!paramMap.isEmpty()))
    {
      Uri.Builder localBuilder = Uri.parse(paramString).buildUpon();
      Iterator localIterator = paramMap.entrySet().iterator();
      while (localIterator.hasNext())
      {
        Map.Entry localEntry = (Map.Entry)localIterator.next();
        localBuilder.appendQueryParameter((String)localEntry.getKey(), (String)localEntry.getValue());
      }
      paramString = localBuilder.build().toString();
    }
    return paramString;
  }

  public static c al(String paramString)
  {
    EasyMap localEasyMap = new EasyMap("type", "MXPH").a("externalId", paramString);
    d locald = new d(a(qe, localEasyMap));
    String str = TelephonyManager.getDefault().getDeviceId();
    if (!TextUtils.isEmpty(str))
      locald.l("deviceId", str);
    return locald;
  }
}
===========================================================
  public static Header a(Account paramAccount, ExtendedAuthToken paramExtendedAuthToken)
  {
    StringBuilder localStringBuilder = new StringBuilder();
    localStringBuilder.append("serviceToken=");
    localStringBuilder.append(paramExtendedAuthToken.authToken);
    localStringBuilder.append("; userId=");
    localStringBuilder.append(paramAccount.name);
    return new BasicHeader("Cookie", localStringBuilder.toString());
  }
===========================================================
  public void gT()
  {
    if (ai("http://api.comm.miui.com/miuisms/res/version").getLong("data") == PreferenceManager.getDefaultSharedPreferences(this.mContext).getLong("festival_message_version", 0L))
      return;
    Object[] arrayOfObject = new Object[1];
    arrayOfObject[0] = Integer.valueOf(this.mScreenWidth);
    a(ai(String.format("http://api.comm.miui.com/miuisms/res/categories?width=%s", arrayOfObject)).getJSONArray("data"));
  }

  public void m(long paramLong)
  {
    Cursor localCursor = this.mq.rawQuery("SELECT MIN(message_id) FROM messages WHERE category_id=" + paramLong, null);
    if (localCursor == null)
      throw new FestivalUpdater.DatabaseContentException(null);
    try
    {
      if (localCursor.moveToFirst())
      {
        long l = localCursor.getLong(0);
        Object[] arrayOfObject = new Object[3];
        arrayOfObject[0] = Long.valueOf(paramLong);
        arrayOfObject[1] = Long.valueOf(l);
        arrayOfObject[2] = Integer.valueOf(pd);
        a(ai(String.format("http://api.comm.miui.com/miuisms/res/messages?cat=%s&marker=%s&count=%s", arrayOfObject)).getJSONObject("data").getJSONArray("entries"), paramLong);
      }
      return;
    }
    finally
    {
      localCursor.close();
    }
  }
===========================================================
package miui.util;

import android.content.Context;
import android.provider.Settings.Secure;
import android.util.Log;
import org.json.JSONArray;
import org.json.JSONObject;

final class BaseNotificationFilterHelper$2
  implements Runnable
{
  BaseNotificationFilterHelper$2(Context paramContext)
  {
  }

  public void run()
  {
    try
    {
      JSONObject localJSONObject1 = Network.doHttpPostWithResponseStatus(this.val$context, "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php", BaseNotificationFilterHelper.access$000(this.val$context));
      if ((localJSONObject1.has("RESPONSE_CODE")) && (localJSONObject1.getInt("RESPONSE_CODE") == 200))
      {
        JSONObject localJSONObject2 = new JSONObject(localJSONObject1.getString("RESPONSE_BODY"));
        int i = localJSONObject2.getInt("errCode");
        if (i == 200)
        {
          JSONArray localJSONArray = localJSONObject2.getJSONArray("packages");
          StringBuilder localStringBuilder = new StringBuilder();
          for (int j = 0; j < localJSONArray.length(); j++)
          {
            localStringBuilder.append(localJSONArray.get(j).toString().trim());
            localStringBuilder.append(" ");
          }
          Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", localStringBuilder.toString());
          BaseNotificationFilterHelper.access$102(null);
          return;
        }
        if (i == 202)
        {
          Log.d("NotificationFilterHelper", "blacklist is empty ");
          Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", "");
          BaseNotificationFilterHelper.access$102(null);
          return;
        }
        if (i == 201)
          Log.d("NotificationFilterHelper", "request param empty");
      }
      else
      {
        Log.d("NotificationFilterHelper", "access network anomalies");
      }
      return;
    }
    catch (Exception localException)
    {
    }
  }
}
===========================================================
package miui.util;

import android.app.INotificationManager;
import android.app.INotificationManager.Stub;
import android.content.ContentResolver;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageItemInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.res.Resources;
import android.database.ContentObserver;
import android.os.ServiceManager;
import android.provider.Settings.Secure;
import android.provider.Settings.System;
import android.text.TextUtils;
import android.util.Log;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import miui.os.Build;
import miui.provider.CloudAppControll;
import miui.provider.CloudAppControll.TAG;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

public class BaseNotificationFilterHelper
{
  protected static final String APP_NOTIFICATION = "app_notification";
  protected static final int CODE_REQUEST_PARAM_EMPTY = 201;
  protected static final int CODE_RESPONSE_EMPTY = 202;
  protected static final int CODE_SUCCESS = 200;
  public static final int DEFAULT = 0;
  public static final int DISABLE_ALL = 3;
  public static final int DISABLE_ICON = 1;
  public static final int ENABLE = 2;
  protected static final String EXPANDED_BLACK_LIST_CODE = "errCode";
  protected static final String EXPANDED_BLACK_LIST_PACKAGES = "packages";
  public static final int NONE = 0;
  protected static final String SYSTEMUI_PACKAGE_NAME = "com.android.systemui";
  protected static final String TAG = "NotificationFilterHelper";
  protected static final String URL = "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php";
  private static HashSet<String> mBlacklist;
  protected static INotificationManager nm;
  protected static HashSet<String> sFilterList = new HashSet();
  protected static HashMap<String, Integer> sFilterMap = new HashMap();
  private static HashMap<String, Boolean> sIsSystemApp;
  protected static HashMap<String, Integer> sUidMap = new HashMap();

  static
  {
    if (Build.IS_INTERNATIONAL_BUILD);
    for (int i = 2; ; i = 1)
    {
      DEFAULT = i;
      nm = INotificationManager.Stub.asInterface(ServiceManager.getService("notification"));
      mBlacklist = null;
      sIsSystemApp = new HashMap();
      return;
    }
  }

  protected static void enableStatusIcon(Context paramContext, String paramString, int paramInt)
  {
    getSharedPreferences(paramContext).edit().putInt(paramString, paramInt).commit();
  }

  public static void enableStatusIcon(Context paramContext, String paramString, boolean paramBoolean)
  {
    if (paramBoolean);
    for (int i = 2; ; i = 1)
    {
      enableStatusIcon(paramContext, paramString, i);
      return;
    }
  }

  public static String getAppNotificationText(Context paramContext, String paramString)
  {
    int i = 101450315;
    switch (NotificationFilterHelper.getInstance().getAppFlag(paramContext, paramString, true))
    {
    default:
    case 3:
    case 1:
    case 2:
    }
    while (true)
    {
      return paramContext.getResources().getString(i);
      i = 101450314;
      continue;
      i = 101450315;
      continue;
      i = 101450313;
    }
  }

  public static int getAppUid(Context paramContext, String paramString)
  {
    int i = 0;
    if (sUidMap.containsKey(paramString))
      return ((Integer)sUidMap.get(paramString)).intValue();
    try
    {
      i = paramContext.getPackageManager().getApplicationInfo(paramString, 0).uid;
      sUidMap.put(paramString, Integer.valueOf(i));
      return i;
    }
    catch (PackageManager.NameNotFoundException localNameNotFoundException)
    {
    }
    return i;
  }

  protected static int getDefaultFlag(Context paramContext, String paramString)
  {
    initFilterList(paramContext);
    if (sFilterList.contains(paramString))
      return 2;
    return 0;
  }

  protected static int getGameCenterFlag(Context paramContext, String paramString)
  {
    readBlacklist(paramContext);
    if (mBlacklist.contains(paramString))
      return 3;
    return 0;
  }

  private static String getInstalledAppsJson(Context paramContext)
  {
    JSONObject localJSONObject = new JSONObject();
    JSONArray localJSONArray = new JSONArray();
    Iterator localIterator = paramContext.getPackageManager().getInstalledPackages(0).iterator();
    while (localIterator.hasNext())
    {
      PackageInfo localPackageInfo = (PackageInfo)localIterator.next();
      if ((0x1 & localPackageInfo.applicationInfo.flags) == 0)
        localJSONArray.put(localPackageInfo.packageName + "/" + localPackageInfo.versionCode);
    }
    try
    {
      localJSONObject.put("packages", localJSONArray);
      return localJSONObject.toString();
    }
    catch (JSONException localJSONException)
    {
    }
    return "";
  }

  protected static int getNetDefaultFlag(Context paramContext, String paramString)
  {
    if (sFilterMap.containsKey(paramString))
      return ((Integer)sFilterMap.get(paramString)).intValue();
    return loadAppNetFlagByPkg(paramContext, paramString);
  }

  public static SharedPreferences getSharedPreferences(Context paramContext)
  {
    if (!paramContext.getPackageName().equals("com.android.systemui"));
    try
    {
      Context localContext = paramContext.createPackageContext("com.android.systemui", 2);
      paramContext = localContext;
      return paramContext.getSharedPreferences("app_notification", 4);
    }
    catch (PackageManager.NameNotFoundException localNameNotFoundException)
    {
      while (true)
        localNameNotFoundException.printStackTrace();
    }
  }

  protected static void initFilterList(Context paramContext)
  {
    if (sFilterList.size() == 0)
    {
      String str = Settings.System.getString(paramContext.getContentResolver(), "status_bar_notification_filter_white_list");
      if (!TextUtils.isEmpty(str))
      {
        String[] arrayOfString = str.split(" ");
        for (int i = 0; i < arrayOfString.length; i++)
          sFilterList.add(arrayOfString[i]);
      }
      sFilterList.add("cn.com.fetion");
      sFilterList.add("com.google.android.talk");
      sFilterList.add("com.tencent.mm");
      sFilterList.add("com.tencent.qq");
      sFilterList.add("com.tencent.mobileqq");
      sFilterList.add("com.xiaomi.channel");
    }
  }

  public static boolean isNotificationForcedFor(Context paramContext, String paramString)
  {
    int i = getAppUid(paramContext, paramString);
    return ("android".equals(paramString)) || (i == 1000) || (i == 1001) || (i == 0);
  }

  public static boolean isSystemApp(String paramString, PackageManager paramPackageManager)
  {
    Boolean localBoolean = (Boolean)sIsSystemApp.get(paramString);
    if (localBoolean == null);
    try
    {
      ApplicationInfo localApplicationInfo2 = paramPackageManager.getApplicationInfo(paramString, 0);
      localApplicationInfo1 = localApplicationInfo2;
      boolean bool = false;
      if (localApplicationInfo1 != null)
      {
        int i = 0x1 & localApplicationInfo1.flags;
        bool = false;
        if (i != 0)
          bool = true;
      }
      localBoolean = Boolean.valueOf(bool);
      sIsSystemApp.put(paramString, localBoolean);
      return localBoolean.booleanValue();
    }
    catch (PackageManager.NameNotFoundException localNameNotFoundException)
    {
      while (true)
        ApplicationInfo localApplicationInfo1 = null;
    }
  }

  protected static boolean isUserSetttingInited(Context paramContext, String paramString)
  {
    int i = getSharedPreferences(paramContext).getInt(paramString, 0);
    boolean bool = false;
    if (i != 0)
      bool = true;
    return bool;
  }

  public static void loadAppNetFlag(Context paramContext)
  {
    new Thread(new Runnable()
    {
      public void run()
      {
        BaseNotificationFilterHelper.sFilterMap.clear();
        Iterator localIterator = this.val$context.getPackageManager().getInstalledPackages(0).iterator();
        while (localIterator.hasNext())
        {
          PackageInfo localPackageInfo = (PackageInfo)localIterator.next();
          if ((0x1 & localPackageInfo.applicationInfo.flags) == 0)
          {
            String str = localPackageInfo.applicationInfo.packageName;
            BaseNotificationFilterHelper.loadAppNetFlagByPkg(this.val$context, str);
          }
        }
      }
    }).start();
  }

  public static int loadAppNetFlagByPkg(Context paramContext, String paramString)
  {
    int i = CloudAppControll.get(paramContext, CloudAppControll.TAG.TAG_NOTIFICATION_BLACKLIST, paramString);
    if (i == -1)
      return 0;
    sFilterMap.put(paramString, Integer.valueOf(i));
    return i;
  }

  public static void observeSettingChanged(ContentResolver paramContentResolver, ContentObserver paramContentObserver)
  {
    paramContentResolver.registerContentObserver(Settings.System.getUriFor("status_bar_notification_filter_white_list"), false, paramContentObserver);
  }

  private static void readBlacklist(Context paramContext)
  {
    if (mBlacklist == null)
    {
      mBlacklist = new HashSet();
      String str = Settings.Secure.getString(paramContext.getContentResolver(), "status_bar_expanded_notification_black_list");
      if (!TextUtils.isEmpty(str))
      {
        String[] arrayOfString = str.split(" ");
        for (int i = 0; i < arrayOfString.length; i++)
          mBlacklist.add(arrayOfString[i]);
      }
    }
  }

  public static void requestBlacklist(Context paramContext)
  {
    new Thread(new Runnable()
    {
      public void run()
      {
        try
        {
          JSONObject localJSONObject1 = Network.doHttpPostWithResponseStatus(this.val$context, "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php", BaseNotificationFilterHelper.getInstalledAppsJson(this.val$context));
          if ((localJSONObject1.has("RESPONSE_CODE")) && (localJSONObject1.getInt("RESPONSE_CODE") == 200))
          {
            JSONObject localJSONObject2 = new JSONObject(localJSONObject1.getString("RESPONSE_BODY"));
            int i = localJSONObject2.getInt("errCode");
            if (i == 200)
            {
              JSONArray localJSONArray = localJSONObject2.getJSONArray("packages");
              StringBuilder localStringBuilder = new StringBuilder();
              for (int j = 0; j < localJSONArray.length(); j++)
              {
                localStringBuilder.append(localJSONArray.get(j).toString().trim());
                localStringBuilder.append(" ");
              }
              Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", localStringBuilder.toString());
              BaseNotificationFilterHelper.access$102(null);
              return;
            }
            if (i == 202)
            {
              Log.d("NotificationFilterHelper", "blacklist is empty ");
              Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", "");
              BaseNotificationFilterHelper.access$102(null);
              return;
            }
            if (i == 201)
              Log.d("NotificationFilterHelper", "request param empty");
          }
          else
          {
            Log.d("NotificationFilterHelper", "access network anomalies");
          }
          return;
        }
        catch (Exception localException)
        {
        }
      }
    }).start();
  }

  protected boolean areNotificationsEnabled(Context paramContext, String paramString)
  {
    return false;
  }

  public boolean canSendNotifications(Context paramContext, String paramString)
  {
    return getAppFlag(paramContext, paramString, true) != 3;
  }

  public void enableAppNotification(Context paramContext, String paramString, boolean paramBoolean)
  {
  }

  public void enableNotifications(Context paramContext, String paramString, boolean paramBoolean)
  {
    enableAppNotification(paramContext, paramString, paramBoolean);
  }

  public int getAppFlag(Context paramContext, String paramString, boolean paramBoolean)
  {
    if (paramBoolean);
    for (boolean bool = areNotificationsEnabled(paramContext, paramString); bool; bool = true)
    {
      int i = getSharedPreferences(paramContext).getInt(paramString, 0);
      if ((i == 0) && (isSystemApp(paramString, paramContext.getPackageManager())))
        i = 2;
      if (i == 0)
        i = getNetDefaultFlag(paramContext, paramString);
      if (i == 0)
        i = getDefaultFlag(paramContext, paramString);
      if (i == 0)
        i = getGameCenterFlag(paramContext, paramString);
      if (i == 0)
        i = DEFAULT;
      return i;
    }
    return 3;
  }

  public void initUserSetting(Context paramContext, String paramString)
  {
    if (!isUserSetttingInited(paramContext, paramString))
    {
      if (isSystemApp(paramString, paramContext.getPackageManager()))
        enableStatusIcon(paramContext, paramString, true);
    }
    else
      return;
    int i = getAppFlag(paramContext, paramString, false);
    if (i == 3)
    {
      enableAppNotification(paramContext, paramString, false);
      enableStatusIcon(paramContext, paramString, false);
      return;
    }
    enableStatusIcon(paramContext, paramString, i);
  }
}
RELATED
http://apkscan.nviso.be/report/show/...0b623da712918f
http://lists.clean-mx.com/pipermail/...14/072661.html

OTHER SOURCES
http://www.newmobilelife.com/2014/08...-china-server/
http://www.htcmania.com/showthread.php?p=14730859
Attached Files
File Type: zip doors.zip (216.2 KB, 383 views)
The Following 9 Users Say Thank You to NiTrOwow For This Useful Post
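
The two cleartext requests built by the decompiled classes in the post above can be recognised at a proxy or in a capture. This is an added example, not code from the original post or from Xiaomi: a Python check over constructed HTTP requests that flags a POST to checkpackages.php carrying the {"packages": [...]} inventory and any request carrying type=MXPH with an externalId parameter. It assumes the POST body is either the JSON string itself or a form field holding it; the path "/constructed/path" and all sample values are made up.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not captured traffic). The host names, the
# checkpackages.php path and the parameter names come from the decompiled code
# in the post; "/constructed/path" and every value are made up.
SAMPLE_REQUESTS = [
    (b"POST /cms/interface/v1/checkpackages.php HTTP/1.1\r\n"
     b"Host: policy.app.xiaomi.com\r\n"
     b"Content-Type: application/json\r\n\r\n"
     b'{"packages":["com.example.bank/42","org.example.chat/1070"]}'),
    (b"GET /constructed/path?type=MXPH&externalId=%2B15555550123"
     b"&deviceId=000000000000000 HTTP/1.1\r\n"
     b"Host: api.account.xiaomi.com:81\r\n\r\n"),
    (b"GET /miuisms/res/version HTTP/1.1\r\n"
     b"Host: api.comm.miui.com\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("utf-8", "replace")


def extract_packages(body):
    """Return [(package, versionCode), ...] if the body carries the
    {"packages": ["name/versionCode", ...]} document, else None."""
    candidates = [body]
    for values in parse_qs(body).values():   # assumption: may be a form field
        candidates.extend(values)
    for text in candidates:
        try:
            doc = json.loads(text)
        except ValueError:
            continue
        if isinstance(doc, dict) and isinstance(doc.get("packages"), list):
            result = []
            for entry in doc["packages"]:
                name, _, version = str(entry).rpartition("/")
                result.append((name, version) if name else (version, ""))
            return result
    return None


def inspect_request(raw):
    """Return a list of findings for one cleartext HTTP request."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    host = headers.get("host", "")
    findings = []

    # Pattern 1: installed-app inventory posted to checkpackages.php.
    if method == "POST" and url.path.endswith("/checkpackages.php"):
        packages = extract_packages(body)
        if packages:
            findings.append({"kind": "installed-app-inventory",
                             "host": host, "packages": packages})

    # Pattern 2: the Mms.apk lookup, type=MXPH plus the dialled/texted number.
    if query.get("type") == ["MXPH"] and "externalId" in query:
        findings.append({"kind": "phone-number-lookup",
                         "host": host,
                         "externalId": query["externalId"][0],
                         "device_id_sent": "deviceId" in raw.decode("latin-1")})
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        for finding in inspect_request(raw):
            print(finding)
```
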
15th August 2014, 05:46 AM |#2  
NiTrOwow, OP Senior Member
Removing the backdoors.

Root your device & install

- System app remover (ROOT)
- Root browser
- Android terminal emulator
- Droidwall

Remove apps using System app remover:

* AntHalService
* XiaomiServiceFramework
* Cleanmaster
* com.xiaomi.gamecenter.adk.service
* com.duokan.airkan.phone

# MAKE BACKUP OF YOUR PHONE IN CASE OF FAILURE! #

Download XVI32 or use your favorite hex editor.

Copy framework_ext.odex from /system/framework/ to your SD card with Root browser, then connect your phone to your PC and copy the file to your PC.
Open it in XVI32 or another hex editor and search for "http://" (without quotes). Now replace all "http://www.example.com" or "http://example.com" with "http://localhost/leavealltheotherstuff.here.com". Don't remove lines or other stuff or it will f*ck up the dalvik bytecode.
Save the file as "framework_ext_.odex" and place it on your phone's internal memory.
Now open Root browser, copy the patched file to /system/framework/, rename it to "framework_ext.odex" and overwrite the old system file with the patch (make sure you have a backup of your phone just in case!). Now open Terminal emulator on your phone and do the following:

Code:
su
now give the emulator root access
Code:
cd /system/framework
chmod 644 framework_ext.odex
chown root:root framework_ext.odex
ls -la framework_ext.odex
Verify this, if it looks fine
Code:
reboot
Now open Droidwall, enable it and only select apps you trust; don't select any from Xiaomi. Even the music app sends data. So simply drop all of them.

HELP MY DEVICE IS BRICKED
No worries bro.
Get system.img for your version of MIUI and start the phone in fastboot (vol- + pwr).

Recovery.bat
Code:
@echo off
title Recovery
echo flashing system.img on device... please wait !
fastboot flash system system.img
fastboot erase cache
fastboot reboot
echo Done, rebooting
pause >nul
Use Droidwall to block ID 0 (root system processes) and ID kernel. If you don't do this it will send info about the apps you open to umeng.com.

Anyway, that's it so far. I hope this helps you.
The Following 11 Users Say Thank You to NiTrOwow For This Useful Post
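
The hex-editor step in the post above works only because the replacement is typed over existing bytes, so the file size and every string length stay the same. This is an added example, not code from the original post: a Python version of that overwrite which writes "localhost/" over the first bytes after each "http://" and leaves the rest in place. The sample blob is constructed, the function names are hypothetical, and the code does not recompute any checksum stored in the file.

```python
import re
from pathlib import Path

SCHEME = b"http://"
SINK = b"localhost/"          # typed over the start of the original host
# Printable URL bytes only, so a match ends at NUL or other binary data.
URL_RE = re.compile(rb"http://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed stand-in for a slice of framework_ext.odex: two URLs taken from
# the decompiled code in the first post, one URL too short to patch, and one
# that already points at localhost, separated by arbitrary binary bytes.
SAMPLE = (b"\x01\x02"
          b"http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php\x00"
          b"http://api.comm.miui.com/miuisms/res/version\x00"
          b"http://a.cn\x00"
          b"http://localhost/\x00dalvik")


def neutralize_urls(data, keep_hosts=(b"localhost", b"127.0.0.1")):
    """Overwrite the host of every cleartext URL in place.

    Returns (new_bytes, patched, skipped) where patched holds
    (offset, old_url, new_url) and skipped holds (offset, url) for URLs
    that are too short to take the replacement without growing.
    """
    out = bytearray(data)
    patched, skipped = [], []
    for match in URL_RE.finditer(data):
        url = match.group(0)
        rest = url[len(SCHEME):]
        host = re.split(rb"[/:?#]", rest, maxsplit=1)[0]
        if host in keep_hosts:
            continue                      # already local, nothing to do
        if len(rest) < len(SINK):
            skipped.append((match.start(), url))
            continue                      # would overrun the string: review by hand
        start = match.start() + len(SCHEME)
        out[start:start + len(SINK)] = SINK
        patched.append((match.start(), url, bytes(out[match.start():match.end()])))
    # Same length in, same length out: offsets and length prefixes stay valid.
    if len(out) != len(data):
        raise RuntimeError("patch changed the file size")
    return bytes(out), patched, skipped


def patch_file(src, dst):
    """Read src, write the patched copy to dst, never modify src."""
    src, dst = Path(src), Path(dst)
    if src.resolve() == dst.resolve():
        raise ValueError("write to a new file and keep the original as backup")
    new, patched, skipped = neutralize_urls(src.read_bytes())
    dst.write_bytes(new)
    return patched, skipped


if __name__ == "__main__":
    new, patched, skipped = neutralize_urls(SAMPLE)
    for offset, old, replaced in patched:
        print(f"{offset:#06x} {old.decode()} -> {replaced.decode()}")
    for offset, url in skipped:
        print(f"{offset:#06x} skipped (too short): {url.decode()}")
```

Running `patch_file` on a copy pulled from the device gives the "framework_ext_.odex" file the post describes; the skipped list shows which URLs still need a manual decision.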
16th August 2014, 02:35 AM |#3  
E:V:A, Inactive Recognized Developer
That is seriously messed up and illegal in most European Countries! It seems that they are begging for a Class Action Lawsuit! Let them have it!

Thank you for your important and detailed work!

Perhaps @BSDgeek_Jake would consider to add all those servers to his MoaAB hosts file?
21st August 2014, 01:37 PM |#4  
NiTrOwow, OP Senior Member
Quote:
Originally Posted by E:V:A

That is seriously messed up and illegal in most European Countries! It seems that they are begging for a Class Action Lawsuit! Let them have it!

Thank you for your important and detailed work!

Perhaps @BSDgeek_Jake would consider to add all those servers to his MoaAB hosts file?

They deserve a lawsuit, not only for cloning Apple's iOS but also for the backdoors and crapware that connects to the internet and does stuff. Such a big company as this can't just walk away as if nothing has ever happened. They have sold over 14 million phones. 14 MILLION!

The hosts file doesn't work, as the other spyware is in system processes that run as ID0 and simply ignore the hosts file somehow. I tested it several times and it just ignores the hosts file?

A ROM update/fix has popped up.
http://www.needrom.com/download/redm...ywarebloatware
It's MIUI v5 with Nova in the pics you see (the ROM appears to come just like stock but with no backdoor etc). Thanks to whoever made it.
6th September 2014, 12:56 AM |#5  
Palela, Member
Question
Hi,

Can you give a way to clean the ROM for Mi2S? The applications are not the same as in your description.
6th September 2014, 08:04 AM |#6  
zelendel, Senior Member
I have posted this and a link to this thread in the proper forums. Thanks for the info. I have also copied this thread link to Google Plus asking Hugo to explain it. Of course he never will but I wanted to give him a chance.
The Following 2 Users Say Thank You to zelendel For This Useful Post
6th September 2014, 09:45 AM |#7  
Accidd, Senior Member
Wait so... this means XDA discovered that MIUI OS connects to the internet?

And you want to send Hugo a small fragment of MMS app code with Cloud messaging, which is a standard and optional MIUI feature?
Is that your proof? Congrats. Much ado about nothing...

GameSDKService? Of course, because this is the stock Chinese app with games (usually pirated), but the app is only in Chinese original ROMs.
Every port, every multilang ROM doesn't have those apps.

Also Duokan service provides online content to Music and Video apps. This has been a standard MIUI feature from the beginning.
Please note that Global versions of the MIUI ROMs (so outside mainland China) don't have online features.

All stuff presented above IS not a proof!
If I were Hugo I would laugh this down after reading.
The Following 2 Users Say Thank You to Accidd For This Useful Post
6th September 2014, 10:00 AM |#8  
zelendel, Senior Member
Quote:
Originally Posted by Accidd

Wait so... this means XDA discovered that MIUI OS connects to the internet?

And you want to send Hugo a small fragment of MMS app code with Cloud messaging, which is a standard and optional MIUI feature?
Is that your proof? Congrats. Much ado about nothing...

GameSDKService? Of course, because this is the stock Chinese app with games (usually pirated), but the app is only in Chinese original ROMs.
Every port, every multilang ROM doesn't have those apps.

Also Duokan service provides online content to Music and Video apps. This has been a standard MIUI feature from the beginning.
Please note that Global versions of the MIUI ROMs (so outside mainland China) don't have online features.

All stuff presented above IS not a proof!
If I were Hugo I would laugh this down after reading.

First off, XDA didn't find it, a user did. It was just posted and asked for clarification.

Second off, after the last privacy issue this OEM had you can expect people to be leery of them.

Third. If an OEM is going to blatantly disregard copyright laws as well as the GPL you have to understand why people will not trust them. They need to be very transparent with things like this. Mainly if they plan to ever make a worldwide release.
The Following 2 Users Say Thank You to zelendel For This Useful Post
6th September 2014, 10:30 AM |#9  
Accidd, Senior Member
I agree. But also take into account that not every piece of code presented by some user containing the words "online", "sync" or an IP tracing to a Chinese server is already a backdoor as the OP presented to us, which without proof is just a normal accusation.

As I said, in global versions of MIUI most of the online Xiaomi services are disabled.

Sent from MI4 W
The Following 2 Users Say Thank You to Accidd For This Useful Post
6th September 2014, 09:55 PM |#10  
setmov, Senior Member
Quote:
Originally Posted by Accidd

I agree. But also take into account that not every piece of code presented by some user containing the words "online", "sync" or an IP tracing to a Chinese server is already a backdoor as the OP presented to us, which without proof is just a normal accusation.

As I said, in global versions of MIUI most of the online Xiaomi services are disabled.

Sent from MI4 W

Are you working for Xiaomi? Marketing maybe?
The Following 5 Users Say Thank You to setmov For This Useful Post
6th September 2014, 10:03 PM |#11  
Accidd, Senior Member
Nope.
I've been working with MIUI ROMs for 4 years now. And I've also been using MI2, MI3, Redmi, MiPad and now MI4 devices.
I also translate MIUI to my own language and run the Xiaomi.eu multilang project.
We do multilang ROMs there every week for many devices.

I do not have access to the MIUI source code, as only Xiaomi has that, but I'm digging in MIUI apps all the time.
Decoding, fixing MIUI bugs, recompiling, building. Everything.

Take a look into this thread:
http://forum.xda-developers.com/show...79&postcount=8

where I explained some facts.
The Following 2 Users Say Thank You to Accidd For This Useful Post