[App] SysScope Scanner

Search This thread

TrevE

Retired Recognized Developer
Apr 27, 2007
2,031
3,659
androidsecuritytest.com
Background

Starting with the GS4, Samsung removed the ability to see SysScope status. As you S3 users may know, this is the "Root Detection" software that runs on devices. It has 3 status's, Scanning, Normal, and modified. The results of this status gets sent off to the RIL layer as the form of an AT command (AT+SYSSCOPE) in order to be remotely queried by whoever.

What does Sysscope Query?

Files-

/proc/stat - not sure why, but it does
/proc/cmdline - checks for authorized kernels
/proc/task - not sure why
busybox - in any classpath
su - in any classpath
/proc/mounts - Checks if /system is in RW mode​

Props-

ro.csc.sales_code - Read my rant in S3 dev section, DO NOT CHANGE THIS VALUE TO LOLs
ril.sales_code - See above
ro.secure - adb props
ro.debuggable - adb props​

Does this App let me change status?
NO. This app does not modify any stock functionality it just gives you the ability to see what status you are passing. You will see what your Carrier/whoever else knows about the SysScope status of your device.

Using App:

Test 1:
  1. First push apk to SYSTEM/APP. This is important and I do not believe it will work in /data/app.
  2. Open the app. Go to menu -> Preferences. Turn on "Start on SysScope Event". This will automagically open the app whenever an event is received.
  3. Reboot the device. Wait about 30 seconds. The app should open and show a response.
If the app did not start at all after boot, you likely have a -1 and failed SysScope with a modified.
*Once it is queried you can turn off the SysScope preference*

Test 2:
  1. Click the read button and allow root access.


What the status's mean: (GS4 specific, app works on GS3 just do not know status's)
-1 means scanning. If the state stays at a -1 for more than 120 seconds, it means the device is modified (Sysscope was removed)
0 is also a failure. It means sysscope was removed
1 is a Status of NORMAL. This is what stock roms will return
2 is a status of MODIFIED.​

If the app did not start at all after boot, you likely have a -1 and failed SysScope with a modified.

Thanks
Eschelon/Ziggy471/NxtGenCowboy/Virus for testing/being awesome!
See if you can find the hidden Ziggy easter egg :)
 

Attachments

  • Treve.SysScopeScanner_v1.apk
    68.8 KB · Views: 3,338
Last edited:

techusky

Senior Member
Jan 26, 2011
103
63
Thank you for all your hard work and meticulous attention to privacy! It is much appreciated, especially in these times.
 
  • Like
Reactions: TrevE

CPA Poke

Senior Member
Oct 23, 2012
1,515
3,334
Tulsa, OK
Just to clarify, is the purpose of this to help anyone who is working on a workaround to "fool" the SysScope app into thinking that the device is unrooted/unmodified (ie to remove the custom padlock splash screen at boot)?
 
  • Like
Reactions: Tankpdx

TrevE

Retired Recognized Developer
Apr 27, 2007
2,031
3,659
androidsecuritytest.com
Just to clarify, is the purpose of this to help anyone who is working on a workaround to "fool" the SysScope app into thinking that the device is unrooted/unmodified (ie to remove the custom padlock splash screen at boot)?

Yep, we like giving users visibility to see mods done like this so they do not have to take dev's words for it. Always a fan of giving everyone a way to test for themselves. The S3 had a menu item right in settings, this brings back that removed functionality.
 

CPA Poke

Senior Member
Oct 23, 2012
1,515
3,334
Tulsa, OK
Yep, we like giving users visibility to see mods done like this so they do not have to take dev's words for it. Always a fan of giving everyone a way to test for themselves. The S3 had a menu item right in settings, this brings back that removed functionality.

Awesome, I was hoping that's what it was for :)
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
@TrevE Sorry to revive old thread, but did you reverse this thing? What is the code used for the AT, and where can I find it? What other binaries are involved in this. I'm on 4.2.2...
 

Top Liked Posts

  • There are no posts matching your filters.
  • 12
    Background

    Starting with the GS4, Samsung removed the ability to see SysScope status. As you S3 users may know, this is the "Root Detection" software that runs on devices. It has 3 status's, Scanning, Normal, and modified. The results of this status gets sent off to the RIL layer as the form of an AT command (AT+SYSSCOPE) in order to be remotely queried by whoever.

    What does Sysscope Query?

    Files-

    /proc/stat - not sure why, but it does
    /proc/cmdline - checks for authorized kernels
    /proc/task - not sure why
    busybox - in any classpath
    su - in any classpath
    /proc/mounts - Checks if /system is in RW mode​

    Props-

    ro.csc.sales_code - Read my rant in S3 dev section, DO NOT CHANGE THIS VALUE TO LOLs
    ril.sales_code - See above
    ro.secure - adb props
    ro.debuggable - adb props​

    Does this App let me change status?
    NO. This app does not modify any stock functionality it just gives you the ability to see what status you are passing. You will see what your Carrier/whoever else knows about the SysScope status of your device.

    Using App:

    Test 1:
    1. First push apk to SYSTEM/APP. This is important and I do not believe it will work in /data/app.
    2. Open the app. Go to menu -> Preferences. Turn on "Start on SysScope Event". This will automagically open the app whenever an event is received.
    3. Reboot the device. Wait about 30 seconds. The app should open and show a response.
    If the app did not start at all after boot, you likely have a -1 and failed SysScope with a modified.
    *Once it is queried you can turn off the SysScope preference*

    Test 2:
    1. Click the read button and allow root access.


    What the status's mean: (GS4 specific, app works on GS3 just do not know status's)
    -1 means scanning. If the state stays at a -1 for more than 120 seconds, it means the device is modified (Sysscope was removed)
    0 is also a failure. It means sysscope was removed
    1 is a Status of NORMAL. This is what stock roms will return
    2 is a status of MODIFIED.​

    If the app did not start at all after boot, you likely have a -1 and failed SysScope with a modified.

    Thanks
    Eschelon/Ziggy471/NxtGenCowboy/Virus for testing/being awesome!
    See if you can find the hidden Ziggy easter egg :)
    1
    Thank you for all your hard work and meticulous attention to privacy! It is much appreciated, especially in these times.
    1
    Just to clarify, is the purpose of this to help anyone who is working on a workaround to "fool" the SysScope app into thinking that the device is unrooted/unmodified (ie to remove the custom padlock splash screen at boot)?