Discussion on SysScope

bahtsiz_bedevi

Senior Member
Dec 12, 2011
405
183
0
izmir, Turkey
plus.google.com
[Update] Solution is here SysScopeFix :)

A project has been started on GitHub: https://github.com/sinancetinkaya/DeviceStatus

Current Collaborators :
dwitherell (Big thanks to him)
[email protected]

If you know baksmali/smali stuff, feel free to join.



First of all, I want to thank Samsung for bringing this headache to us.
I'm not a Java programmer, nor an expert at that smali stuff. I know some C++ and a little programming.
I just wondered how SysScope works and what we can do about it.
Apparently SysScope is using a SQL database: SysScope\assets\databases\SysScope.db
And there is an interesting table

It looks to me like SysScope is reading the su binary from the offset for the size bytes, and comparing the data's MD5 hash?

Under \SysScope.apk\smali\com\sec\android\app\sysscope\job there are two interesting subroutines.

KernelStatusChecker: It's using the libcordon.o library. I don't think this subroutine is responsible for setting the settings at the bootloader screen. More likely it's just generating some reports to make system modified and send it to Samsung?
Code:
# virtual methods
.method public final a(Landroid/os/Bundle;)Lcom/sec/android/app/sysscope/service/f;
    .locals 4

    sget-object v0, Lcom/sec/android/app/sysscope/service/f;->f:Lcom/sec/android/app/sysscope/service/f;

    invoke-virtual {p0}, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;->getCmdLine()Ljava/lang/String;

    move-result-object v1

    invoke-direct {p0, v1}, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;->b(Ljava/lang/String;)Z

    move-result v1

    if-eqz v1, :cond_0

    sget-object v0, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;

    :cond_0
    new-instance v1, Ljava/lang/StringBuilder;

    const-string v2, "code="

    invoke-direct {v1, v2}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {p0}, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;->getCmdLine()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v1

    const-string v2, " custom binary download count="

    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v1

    iget-wide v2, p0, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;->b:J

    invoke-virtual {v1, v2, v3}, Ljava/lang/StringBuilder;->append(J)Ljava/lang/StringBuilder;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v1

    invoke-virtual {p0, v1}, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;->a(Ljava/lang/String;)V

    return-object v0
.end method

.method public final c()V
    .locals 0

    return-void
.end method

.method public final d()Ljava/lang/String;
    .locals 1

    const-string v0, "Kernel Checker"

    return-object v0
.end method

.method public final e()I
    .locals 1

    const/4 v0, 0x0

    return v0
.end method
RootProcessScanner: It looks like this subroutine is checking the processes under /proc and checking whether they are in the approved list.
Code:
# virtual methods
.method public final a(Landroid/os/Bundle;)Lcom/sec/android/app/sysscope/service/f;
    .locals 11

    const/4 v4, 0x1

    const/4 v2, 0x0

    sget-object v0, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;

    :try_start_0
    new-instance v1, Ljava/io/File;

    const-string v3, "/proc"

    invoke-direct {v1, v3}, Ljava/io/File;-><init>(Ljava/lang/String;)V

    invoke-virtual {v1}, Ljava/io/File;->exists()Z

    move-result v3

    if-nez v3, :cond_1

    new-instance v2, Ljava/io/FileNotFoundException;

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    invoke-virtual {v3, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/Object;)Ljava/lang/StringBuilder;

    move-result-object v1

    const-string v3, " is missing (man 5 proc)"

    invoke-virtual {v1, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v1

    invoke-direct {v2, v1}, Ljava/io/FileNotFoundException;-><init>(Ljava/lang/String;)V

    throw v2

    :catch_0
    move-exception v1

    :cond_0
    :goto_0
    return-object v0

    :cond_1
    new-instance v5, Ljava/util/ArrayList;

    invoke-direct {v5}, Ljava/util/ArrayList;-><init>()V

    invoke-virtual {v1}, Ljava/io/File;->listFiles()[Ljava/io/File;

    move-result-object v6

    if-eqz v6, :cond_2

    array-length v1, v6

    if-lez v1, :cond_2

    array-length v7, v6

    move v1, v2

    :goto_1
    if-lt v1, v7, :cond_3

    :cond_2
    invoke-interface {v5}, Ljava/util/List;->size()I

    move-result v1

    if-lez v1, :cond_0

    sget-object v1, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;
    :try_end_0
    .catch Lcom/sec/android/app/sysscope/job/f; {:try_start_0 .. :try_end_0} :catch_0
    .catch Ljava/io/FileNotFoundException; {:try_start_0 .. :try_end_0} :catch_1

    :try_start_1
    const-string v0, ""

    :goto_2
    invoke-interface {v5}, Ljava/util/List;->size()I

    move-result v3

    if-lt v2, v3, :cond_7

    invoke-virtual {p0, v0}, Lcom/sec/android/app/sysscope/job/RootProcessScanner;->a(Ljava/lang/String;)V
    :try_end_1
    .catch Lcom/sec/android/app/sysscope/job/f; {:try_start_1 .. :try_end_1} :catch_3
    .catch Ljava/io/FileNotFoundException; {:try_start_1 .. :try_end_1} :catch_2

    move-object v0, v1

    goto :goto_0

    :cond_3
    :try_start_2
    aget-object v8, v6, v1

    invoke-virtual {v8}, Ljava/io/File;->isDirectory()Z

    move-result v3

    if-eqz v3, :cond_5

    const-string v3, "\\d+"

    invoke-virtual {v8}, Ljava/io/File;->getName()Ljava/lang/String;

    move-result-object v9

    invoke-static {v3, v9}, Ljava/util/regex/Pattern;->matches(Ljava/lang/String;Ljava/lang/CharSequence;)Z

    move-result v3

    if-eqz v3, :cond_5

    move v3, v4

    :goto_3
    if-eqz v3, :cond_6

    new-instance v3, Ljava/lang/StringBuilder;

    const-string v9, "/proc/"

    invoke-direct {v3, v9}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {v8}, Ljava/io/File;->getName()Ljava/lang/String;

    move-result-object v9

    invoke-virtual {v3, v9}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-virtual {p0, v3}, Lcom/sec/android/app/sysscope/job/RootProcessScanner;->checkIsApprivedProcess(Ljava/lang/String;)I

    move-result v3

    if-gez v3, :cond_6

    move v3, v4

    :goto_4
    if-eqz v3, :cond_4

    const-string v3, "SysScopeRootScanner"

    new-instance v9, Ljava/lang/StringBuilder;

    const-string v10, "isUnapprovedRootProcess returns true: "

    invoke-direct {v9, v10}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {v8}, Ljava/io/File;->getName()Ljava/lang/String;

    move-result-object v10

    invoke-virtual {v9, v10}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v9

    invoke-virtual {v9}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v9

    invoke-static {v3, v9}, Lcom/sec/android/app/sysscope/engine/Log;->b(Ljava/lang/String;Ljava/lang/String;)I

    invoke-interface {v5, v8}, Ljava/util/List;->add(Ljava/lang/Object;)Z
    :try_end_2
    .catch Lcom/sec/android/app/sysscope/job/f; {:try_start_2 .. :try_end_2} :catch_0
    .catch Ljava/io/FileNotFoundException; {:try_start_2 .. :try_end_2} :catch_1

    :cond_4
    add-int/lit8 v1, v1, 0x1

    goto :goto_1

    :cond_5
    move v3, v2

    goto :goto_3

    :cond_6
    move v3, v2

    goto :goto_4

    :cond_7
    :try_start_3
    new-instance v3, Ljava/lang/StringBuilder;

    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    invoke-direct {v3, v0}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-interface {v5, v2}, Ljava/util/List;->get(I)Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Ljava/io/File;

    invoke-static {v0}, Lcom/sec/android/app/sysscope/job/RootProcessScanner;->a(Ljava/io/File;)Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v3, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v0

    const-string v3, " "

    invoke-virtual {v0, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    :try_end_3
    .catch Lcom/sec/android/app/sysscope/job/f; {:try_start_3 .. :try_end_3} :catch_3
    .catch Ljava/io/FileNotFoundException; {:try_start_3 .. :try_end_3} :catch_2

    move-result-object v3

    add-int/lit8 v0, v2, 0x1

    move v2, v0

    move-object v0, v3

    goto/16 :goto_2

    :catch_1
    move-exception v1

    goto/16 :goto_0

    :catch_2
    move-exception v0

    move-object v0, v1

    goto/16 :goto_0

    :catch_3
    move-exception v0

    move-object v0, v1

    goto/16 :goto_0
.end method
SysScope.apk\smali\com\sec\android\app\sysscope\service\f :
Code:
# direct methods
.method static constructor <clinit>()V
    .locals 9

    const/4 v8, 0x4

    const/4 v7, 0x3

    const/4 v6, 0x2

    const/4 v5, 0x1

    const/4 v4, 0x0

    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "OK"

    invoke-direct {v0, v1, v4, v4}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;

    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "ADB_RUNNING_AS_ROOT"

    const v2, 0x10001

    invoke-direct {v0, v1, v5, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->b:Lcom/sec/android/app/sysscope/service/f;

    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "PARTITION_TAMPERED"

    const v2, 0x20001

    invoke-direct {v0, v1, v6, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->c:Lcom/sec/android/app/sysscope/service/f;

    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "ROOT_PROCESS_FOUND"

    const/16 v2, 0x3001

    invoke-direct {v0, v1, v7, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;

    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "DANGEROUS_FILE_DETECTED"

    const v2, 0x40001

    invoke-direct {v0, v1, v8, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->e:Lcom/sec/android/app/sysscope/service/f;

    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "NOT_OFFICIAL_BINARY"

    const/4 v2, 0x5

    const v3, 0x50001

    invoke-direct {v0, v1, v2, v3}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->f:Lcom/sec/android/app/sysscope/service/f;

    const/4 v0, 0x6

    new-array v0, v0, [Lcom/sec/android/app/sysscope/service/f;

    sget-object v1, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;

    aput-object v1, v0, v4

    sget-object v1, Lcom/sec/android/app/sysscope/service/f;->b:Lcom/sec/android/app/sysscope/service/f;

    aput-object v1, v0, v5

    sget-object v1, Lcom/sec/android/app/sysscope/service/f;->c:Lcom/sec/android/app/sysscope/service/f;

    aput-object v1, v0, v6

    sget-object v1, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;

    aput-object v1, v0, v7

    sget-object v1, Lcom/sec/android/app/sysscope/service/f;->e:Lcom/sec/android/app/sysscope/service/f;

    aput-object v1, v0, v8

    const/4 v1, 0x5

    sget-object v2, Lcom/sec/android/app/sysscope/service/f;->f:Lcom/sec/android/app/sysscope/service/f;

    aput-object v2, v0, v1

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->i:[Lcom/sec/android/app/sysscope/service/f;

    return-void
.end method
Probably this subroutine is returning all the result codes that other subroutines need?
Such as
is ADB_RUNNING_AS_ROOT
is PARTITION_TAMPERED
is ROOT_PROCESS_FOUND
is DANGEROUS_FILE_DETECTED
is NOT_OFFICIAL_BINARY

SysScope.apk\smali\com\sec\android\app\sysscope\engine\SystemDiagnosisManager
To me it looks like the main routine
Code:
# virtual methods
.method public final a()V
    .locals 10

    const/4 v3, 0x0

    const/4 v1, 0x0

    iget-object v4, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->c:[Ljava/lang/String;

    iget-object v5, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->d:Landroid/content/Context;

    new-instance v6, Ljava/util/ArrayList;

    invoke-direct {v6}, Ljava/util/ArrayList;-><init>()V

    array-length v7, v4

    move v2, v3

    :goto_0
    if-lt v2, v7, :cond_0

    invoke-interface {v6, v1}, Ljava/util/List;->remove(Ljava/lang/Object;)Z

    new-instance v0, Lcom/sec/android/app/sysscope/engine/f;

    invoke-direct {v0, v3}, Lcom/sec/android/app/sysscope/engine/f;-><init>(B)V

    invoke-static {v6, v0}, Ljava/util/Collections;->sort(Ljava/util/List;Ljava/util/Comparator;)V

    iput-object v6, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->b:Ljava/util/List;

    sget-object v0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->e:Lcom/sec/android/app/sysscope/job/c;

    invoke-virtual {v0}, Lcom/sec/android/app/sysscope/job/c;->a()V

    return-void

    :cond_0
    aget-object v0, v4, v2

    const-string v8, "rpscanner"

    invoke-virtual {v0, v8}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v8

    if-eqz v8, :cond_1

    new-instance v0, Lcom/sec/android/app/sysscope/job/RootProcessScanner;

    invoke-direct {v0}, Lcom/sec/android/app/sysscope/job/RootProcessScanner;-><init>()V

    :goto_1
    if-eqz v0, :cond_7

    invoke-interface {v0}, Lcom/sec/android/app/sysscope/engine/d;->c()V

    invoke-interface {v0}, Lcom/sec/android/app/sysscope/engine/d;->b()Ljava/lang/String;

    move-result-object v8

    const-string v9, "general"

    invoke-virtual {v8, v9}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v8

    if-eqz v8, :cond_6

    new-instance v8, Lcom/sec/android/app/sysscope/engine/l;

    invoke-direct {v8}, Lcom/sec/android/app/sysscope/engine/l;-><init>()V

    invoke-virtual {v8, v0}, Lcom/sec/android/app/sysscope/engine/l;->a(Lcom/sec/android/app/sysscope/engine/d;)Lcom/sec/android/app/sysscope/engine/g;

    move-result-object v0

    :goto_2
    invoke-interface {v6, v0}, Ljava/util/List;->add(Ljava/lang/Object;)Z

    add-int/lit8 v0, v2, 0x1

    move v2, v0

    goto :goto_0

    :cond_1
    const-string v8, "adbscanner"

    invoke-virtual {v0, v8}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v8

    if-eqz v8, :cond_2

    new-instance v0, Lcom/sec/android/app/sysscope/job/a;

    invoke-direct {v0}, Lcom/sec/android/app/sysscope/job/a;-><init>()V

    goto :goto_1

    :cond_2
    const-string v8, "su_scanner"

    invoke-virtual {v0, v8}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v8

    if-eqz v8, :cond_3

    new-instance v0, Lcom/sec/android/app/sysscope/job/g;

    invoke-direct {v0, v5}, Lcom/sec/android/app/sysscope/job/g;-><init>(Landroid/content/Context;)V

    goto :goto_1

    :cond_3
    const-string v8, "partition_checker"

    invoke-virtual {v0, v8}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v8

    if-eqz v8, :cond_4

    new-instance v0, Lcom/sec/android/app/sysscope/job/b;

    invoke-direct {v0}, Lcom/sec/android/app/sysscope/job/b;-><init>()V

    goto :goto_1

    :cond_4
    const-string v8, "kernel_checker"

    invoke-virtual {v0, v8}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v0

    if-eqz v0, :cond_5

    new-instance v0, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;

    invoke-direct {v0}, Lcom/sec/android/app/sysscope/job/KernelStatusChecker;-><init>()V

    goto :goto_1

    :cond_5
    move-object v0, v1

    goto :goto_1

    :cond_6
    invoke-interface {v0}, Lcom/sec/android/app/sysscope/engine/d;->b()Ljava/lang/String;

    move-result-object v8

    const-string v9, "filescanning"

    invoke-virtual {v8, v9}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v8

    if-eqz v8, :cond_7

    new-instance v8, Lcom/sec/android/app/sysscope/engine/c;

    invoke-direct {v8}, Lcom/sec/android/app/sysscope/engine/c;-><init>()V

    invoke-virtual {v8, v0}, Lcom/sec/android/app/sysscope/engine/c;->a(Lcom/sec/android/app/sysscope/engine/d;)Lcom/sec/android/app/sysscope/engine/g;

    move-result-object v0

    goto :goto_2

    :cond_7
    move-object v0, v1

    goto :goto_2
.end method

.method public final a(Lcom/sec/android/app/sysscope/engine/m;)V
    .locals 0

    iput-object p1, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    return-void
.end method

.method public final b()V
    .locals 10

    const/4 v3, 0x1

    const/4 v2, 0x0

    invoke-static {}, Ljava/util/concurrent/Executors;->newSingleThreadExecutor()Ljava/util/concurrent/ExecutorService;

    move-result-object v4

    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->b:Ljava/util/List;

    if-nez v0, :cond_1

    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    invoke-interface {v0}, Lcom/sec/android/app/sysscope/engine/m;->a()V

    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    const-string v1, "no jobs loaded"

    invoke-interface {v0, v2, v1}, Lcom/sec/android/app/sysscope/engine/m;->a(ZLjava/lang/String;)V

    :cond_0
    :goto_0
    return-void

    :cond_1
    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    if-eqz v0, :cond_2

    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    iget-object v1, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->b:Ljava/util/List;

    invoke-interface {v1}, Ljava/util/List;->size()I

    move-result v1

    invoke-interface {v0, v1}, Lcom/sec/android/app/sysscope/engine/m;->a(I)V

    :cond_2
    new-instance v5, Lcom/sec/android/app/sysscope/service/SysScopeResultInfo;

    invoke-direct {v5}, Lcom/sec/android/app/sysscope/service/SysScopeResultInfo;-><init>()V

    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->b:Ljava/util/List;

    invoke-interface {v0}, Ljava/util/List;->iterator()Ljava/util/Iterator;

    move-result-object v6

    move v1, v2

    :cond_3
    :goto_1
    invoke-interface {v6}, Ljava/util/Iterator;->hasNext()Z

    move-result v0

    if-nez v0, :cond_5

    invoke-interface {v4}, Ljava/util/concurrent/ExecutorService;->shutdown()V

    iget-object v0, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->b:Ljava/util/List;

    invoke-interface {v0}, Ljava/util/List;->clear()V

    invoke-static {}, Lcom/sec/android/app/sysscope/engine/j;->a()Lcom/sec/android/app/sysscope/engine/j;

    move-result-object v0

    invoke-virtual {v0, v5}, Lcom/sec/android/app/sysscope/engine/j;->a(Lcom/sec/android/app/sysscope/service/SysScopeResultInfo;)V

    invoke-virtual {v5}, Lcom/sec/android/app/sysscope/service/SysScopeResultInfo;->a()I

    move-result v0

    const-string v1, "SysScopeDiagnosisManager"

    new-instance v4, Ljava/lang/StringBuilder;

    const-string v6, "SysDiagnosisManager > call storeResult"

    invoke-direct {v4, v6}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {v4, v0}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v4

    invoke-static {v1, v4}, Lcom/sec/android/app/sysscope/engine/Log;->b(Ljava/lang/String;Ljava/lang/String;)I

    invoke-virtual {p0, v0}, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->storeResult(I)I

    move-result v1

    const-string v4, "SysScopeDiagnosisManager"

    new-instance v6, Ljava/lang/StringBuilder;

    const-string v7, "SysDiagnosisManager > storeResult:"

    invoke-direct {v6, v7}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {v6, v1}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v1

    invoke-static {v4, v1}, Lcom/sec/android/app/sysscope/engine/Log;->b(Ljava/lang/String;Ljava/lang/String;)I

    iget-object v1, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    if-eqz v1, :cond_0

    iget-object v1, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    if-eq v0, v3, :cond_4

    move v2, v3

    :cond_4
    invoke-virtual {v5}, Lcom/sec/android/app/sysscope/service/SysScopeResultInfo;->toString()Ljava/lang/String;

    move-result-object v0

    invoke-interface {v1, v2, v0}, Lcom/sec/android/app/sysscope/engine/m;->a(ZLjava/lang/String;)V

    goto :goto_0

    :cond_5
    invoke-interface {v6}, Ljava/util/Iterator;->next()Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Lcom/sec/android/app/sysscope/engine/g;

    if-eqz v0, :cond_3

    invoke-virtual {v0}, Lcom/sec/android/app/sysscope/engine/g;->a()I

    move-result v7

    const/4 v8, 0x2

    if-gt v7, v8, :cond_3

    invoke-interface {v4, v0}, Ljava/util/concurrent/ExecutorService;->submit(Ljava/util/concurrent/Callable;)Ljava/util/concurrent/Future;

    move-result-object v7

    iget-object v8, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    if-eqz v8, :cond_6

    iget-object v8, p0, Lcom/sec/android/app/sysscope/engine/SystemDiagnosisManager;->a:Lcom/sec/android/app/sysscope/engine/m;

    invoke-virtual {v0}, Lcom/sec/android/app/sysscope/engine/g;->b()Ljava/lang/String;

    move-result-object v0

    invoke-interface {v8, v1, v0}, Lcom/sec/android/app/sysscope/engine/m;->a(ILjava/lang/String;)V

    :cond_6
    sget-object v0, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;

    :try_start_0
    invoke-interface {v7}, Ljava/util/concurrent/Future;->get()Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Landroid/os/Bundle;

    add-int/lit8 v1, v1, 0x1

    if-eqz v0, :cond_3

    const-string v7, "result"

    invoke-virtual {v0, v7}, Landroid/os/Bundle;->getInt(Ljava/lang/String;)I

    move-result v7

    invoke-static {v7}, Lcom/sec/android/app/sysscope/service/f;->a(I)Lcom/sec/android/app/sysscope/service/f;

    move-result-object v7

    sget-object v8, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;

    if-eq v7, v8, :cond_3

    const-string v8, "info"

    invoke-virtual {v0, v8}, Landroid/os/Bundle;->getString(Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v7, v0}, Lcom/sec/android/app/sysscope/service/f;->a(Ljava/lang/String;)V

    invoke-virtual {v5, v7}, Lcom/sec/android/app/sysscope/service/SysScopeResultInfo;->a(Lcom/sec/android/app/sysscope/service/f;)V
    :try_end_0
    .catch Ljava/lang/InterruptedException; {:try_start_0 .. :try_end_0} :catch_0
    .catch Ljava/util/concurrent/ExecutionException; {:try_start_0 .. :try_end_0} :catch_1

    goto/16 :goto_1

    :catch_0
    move-exception v0

    move-object v9, v0

    move v0, v1

    move-object v1, v9

    invoke-virtual {v1}, Ljava/lang/InterruptedException;->printStackTrace()V

    move v1, v0

    goto/16 :goto_1

    :catch_1
    move-exception v0

    move-object v9, v0

    move v0, v1

    move-object v1, v9

    invoke-virtual {v1}, Ljava/util/concurrent/ExecutionException;->printStackTrace()V

    move v1, v0

    goto/16 :goto_1
.end method
 


Last edited:
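The /proc walk that the RootProcessScanner smali in the post above performs, as an added example that is not part of the original post and is not SysScope's own code. It is written in Python instead of Java; the approval criteria (real UID 0 plus an executable allowlist) are assumptions standing in for the native checkIsApprivedProcess, whose logic the thread does not show, and the sample process tree is constructed.

```python
import os
import re
import tempfile

OK = 0x0                     # code of service/f->a ("OK") in the quoted <clinit>
ROOT_PROCESS_FOUND = 0x3001  # code of service/f->d in the quoted <clinit>

# Assumed allowlist; the real list is not shown anywhere in the thread.
APPROVED_ROOT = {"/init", "/system/bin/vold", "/system/bin/netd"}

PID_DIR = re.compile(r"\d+")  # same pattern the smali hands to Pattern.matches


def real_uid(proc_dir):
    """Real UID from <proc_dir>/status, or None if the entry cannot be read."""
    try:
        with open(os.path.join(proc_dir, "status")) as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        return None  # process exited mid-scan or the file is malformed
    return None


def executable(proc_dir):
    """First NUL-separated field of cmdline; empty for kernel threads."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
            return fh.read().split(b"\0", 1)[0].decode("utf-8", "replace")
    except OSError:
        return ""


def scan(proc_root="/proc", approved=APPROVED_ROOT):
    """Return (result_code, [(pid, exe), ...]) for unapproved root processes."""
    if not os.path.isdir(proc_root):
        # Mirrors the FileNotFoundException message in the smali.
        raise FileNotFoundError(proc_root + " is missing (man 5 proc)")
    pids = sorted((n for n in os.listdir(proc_root) if PID_DIR.fullmatch(n)), key=int)
    unapproved = []
    for pid in pids:
        proc_dir = os.path.join(proc_root, pid)
        if not os.path.isdir(proc_dir) or real_uid(proc_dir) != 0:
            continue
        exe = executable(proc_dir)
        if not exe:
            continue  # assumption: kernel threads (empty cmdline) are ignored
        if exe not in approved:
            unapproved.append((int(pid), exe))
    return (ROOT_PROCESS_FOUND if unapproved else OK), unapproved


def build_sample_proc(root):
    """Write a constructed stand-in for /proc under root."""
    sample = {
        "1": (0, b"/init\0"),
        "2": (0, b""),  # kernel thread
        "137": (0, b"/system/bin/vold\0"),
        "4242": (0, b"/data/local/tmp/helperd\0--daemon\0"),
        "5100": (10057, b"com.example.app\0"),
    }
    for pid, (uid, cmdline) in sample.items():
        proc_dir = os.path.join(root, pid)
        os.makedirs(proc_dir)
        with open(os.path.join(proc_dir, "status"), "w") as fh:
            fh.write("Name:\tsample\nUid:\t{0}\t{0}\t{0}\t{0}\n".format(uid))
        with open(os.path.join(proc_dir, "cmdline"), "wb") as fh:
            fh.write(cmdline)
    os.makedirs(os.path.join(root, "net"))  # non-numeric entry, must be skipped


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        return scan(tmp)


if __name__ == "__main__":
    code, hits = demo()
    print(hex(code), hits)
```
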

faria

Inactive Recognized Developer / Retired Senior Mod
Feb 24, 2006
2,915
770
0
44
Jersey
My 2 cents:
Funny thing is, if you build an odin rom and add the root files etc. and flash it, this Spyware is unable to detect it and therefore the device remains official and able to check for OTA updates. I have tested this on 2 Samsung devices.

BUT... as soon as you add, remove, or modify anything in the system folder it detects the change.

Since the devices are scanned (up to 2 minutes on some devices) every boot for changes, I find this kind of weird. This tells me that either the database is somewhat locked till you mess with the system folder, or it assumes that since it's an "official rom" nothing has changed.
 

bahtsiz_bedevi

@faria
Yes, you're right.
The permanent solution is to modify SysScope.
I know this will never end, Samsung will always come up with new measures :mad:
That's why I'm disappointed in Samsung. They spend their efforts for such things rather than making their devices unbrickable :mad:

"SysScope.apk\smali\com\sec\android\app\sysscope\service\f" has been widely used in the code. Looks like returning result codes.
These lines are interesting
Code:
    const/4 v8, 0x4

    const/4 v7, 0x3

    const/4 v6, 0x2

    const/4 v5, 0x1

    const/4 v4, 0x0
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "OK"

    invoke-direct {v0, v1, v4, v4}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;
Above you see v1 is the status message, which is "OK", and v4 is the status code, which is described above as "0x0".
Code:
invoke-direct {v0, v1, v4, v4}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V
this goes on
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "ADB_RUNNING_AS_ROOT"

    const v2, 0x10001

    invoke-direct {v0, v1, v5, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->b:Lcom/sec/android/app/sysscope/service/f;
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "PARTITION_TAMPERED"

    const v2, 0x20001

    invoke-direct {v0, v1, v6, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->c:Lcom/sec/android/app/sysscope/service/f;
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "ROOT_PROCESS_FOUND"

    const/16 v2, 0x3001

    invoke-direct {v0, v1, v7, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "DANGEROUS_FILE_DETECTED"

    const v2, 0x40001

    invoke-direct {v0, v1, v8, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->e:Lcom/sec/android/app/sysscope/service/f;
Code:
   new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "NOT_OFFICIAL_BINARY"

    const/4 v2, 0x5

    const v3, 0x50001

    invoke-direct {v0, v1, v2, v3}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->f:Lcom/sec/android/app/sysscope/service/f;
Rather than trying to understand the whole process code, just modifying the result codes to always send "OK" and "0x0" would help.
I tried to do that with apktool but the apk file never compiled correctly.
I have no time to figure out how apktool works :(
Can somebody who knows apktool better help us?
 

bahtsiz_bedevi

I can help you with the apk tools. Are these apk versions from 4.1.1 or 4.1.2?
4.1.2
Change each result code from this
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "ROOT_PROCESS_FOUND"

    const/16 v2, 0x3001

    invoke-direct {v0, v1, v7, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;
to this
Code:
    new-instance v0, Lcom/sec/android/app/sysscope/service/f;

    const-string v1, "OK"

    const/16 v2, 0x3001

    invoke-direct {v0, v1, v4, v4}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V

    sput-object v0, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;
 
Last edited:
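As an added example (not part of the original posts and not the project's code): a small Python parser that tracks register constants through the `<clinit>` quoted earlier in the thread to recover each result entry's message, ordinal and code, then compares the stock table against the edited entry from the post above so the change shows up as a detectable difference. The smali is copied from the thread with blank lines dropped and only three of the six entries kept; the function names are hypothetical.

```python
import re

# Stock <clinit> lines as quoted in the thread (trimmed, see lead-in).
STOCK = '''
const/4 v8, 0x4
const/4 v7, 0x3
const/4 v6, 0x2
const/4 v5, 0x1
const/4 v4, 0x0
new-instance v0, Lcom/sec/android/app/sysscope/service/f;
const-string v1, "OK"
invoke-direct {v0, v1, v4, v4}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V
sput-object v0, Lcom/sec/android/app/sysscope/service/f;->a:Lcom/sec/android/app/sysscope/service/f;
new-instance v0, Lcom/sec/android/app/sysscope/service/f;
const-string v1, "ADB_RUNNING_AS_ROOT"
const v2, 0x10001
invoke-direct {v0, v1, v5, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V
sput-object v0, Lcom/sec/android/app/sysscope/service/f;->b:Lcom/sec/android/app/sysscope/service/f;
new-instance v0, Lcom/sec/android/app/sysscope/service/f;
const-string v1, "ROOT_PROCESS_FOUND"
const/16 v2, 0x3001
invoke-direct {v0, v1, v7, v2}, Lcom/sec/android/app/sysscope/service/f;-><init>(Ljava/lang/String;II)V
sput-object v0, Lcom/sec/android/app/sysscope/service/f;->d:Lcom/sec/android/app/sysscope/service/f;
'''

# The edit shown in the post above, applied to the stock text.
PATCHED = (STOCK.replace('"ROOT_PROCESS_FOUND"', '"OK"')
                .replace("{v0, v1, v7, v2}", "{v0, v1, v4, v4}"))

CONST_INT = re.compile(r'^const(?:/4|/16)?\s+(\w+),\s*(-?0x[0-9a-fA-F]+)$')
CONST_STR = re.compile(r'^const-string\s+(\w+),\s*"(.*)"$')
INIT = re.compile(r'^invoke-direct\s*\{([^}]*)\},\s*\S+-><init>\(Ljava/lang/String;II\)V$')
SPUT = re.compile(r'^sput-object\s+(\w+),\s*\S+->(\w+):')


def parse_entries(smali):
    """Map static field name -> (message, ordinal, code) from a <clinit> body."""
    regs, pending, table = {}, {}, {}
    for raw in smali.splitlines():
        line = raw.strip()
        if m := CONST_INT.match(line):
            regs[m[1]] = int(m[2], 16)
        elif m := CONST_STR.match(line):
            regs[m[1]] = m[2]
        elif m := INIT.match(line):
            # Constructor args: this, message, ordinal, code.
            this, msg, ordinal, code = [r.strip() for r in m[1].split(",")]
            pending[this] = (regs[msg], regs[ordinal], regs[code])
        elif m := SPUT.match(line):
            # The object just constructed is stored into a named static field.
            if m[1] in pending:
                table[m[2]] = pending.pop(m[1])
    return table


def changed_entries(baseline, candidate):
    """Fields whose (message, ordinal, code) differ from the baseline table."""
    fields = baseline.keys() | candidate.keys()
    return sorted((f, baseline.get(f), candidate.get(f))
                  for f in fields if baseline.get(f) != candidate.get(f))


if __name__ == "__main__":
    stock = parse_entries(STOCK)
    for field, (msg, ordinal, code) in sorted(stock.items()):
        print(field, msg, ordinal, hex(code))
    print(changed_entries(stock, parse_entries(PATCHED)))
```
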

faria

I'm not at home at the moment, meanwhile I'm uploading the apk tools with all the resources for the note2.
You can also reach me via skype or any other messaging service if you want.
I must stress that my knowledge of smali is limited.
Also you can send me the modified files and I can try to compile them later.
 

bahtsiz_bedevi

I'm not at home at the moment, meanwhile I'm uploading the apk tools with all the resources for the note2.
You can also reach me via skype or any other messaging service if you want.
I must stress that my knowledge of smali is limited.
Also you can send me the modified files and I can try to compile them later.
Here is the modified one.
 


faria

Thanks but I already have this too.
The problem is signing the apk file. I can build apk file but it can't get installed.
Since it's a system app all you have to do is copy it to the app folder and set the right permissions. Personally I never sign system apps that I modify.
 

faria

A bit of remote desktop :D
I decompiled your apk and recompiled, nothing, "it's dead Jim".

Same thing happened with my own apk, I guess this one needs signing :(

Also all the modified apks fail to appear on the Titanium Backup list.
 

bahtsiz_bedevi

some conclusions

SysScope is run and checked by
1. BCService.apk (BroadCast Service, periodically starts SysScope)
2. SecSettings.apk
Both apks have similar functions such as SysScopeVerifier, which checks SysScope against modifications

Code:
.method private startSysScopeStatue()V
    .locals 2

    .prologue
    .line 474
    new-instance v0, Lcom/sec/android/app/sysscope/service/SysScope;

    invoke-direct {v0, p0}, Lcom/sec/android/app/sysscope/service/SysScope;-><init>(Landroid/content/Context;)V

    iput-object v0, p0, Lcom/sec/bcservice/BroadcastService;->mSysScope:Lcom/sec/android/app/sysscope/service/SysScope;

    .line 475
    iget-object v0, p0, Lcom/sec/bcservice/BroadcastService;->mSysScope:Lcom/sec/android/app/sysscope/service/SysScope;

    if-nez v0, :cond_0

    .line 476
    const-string v0, "BCService"

    const-string v1, "mSysScope == null"

    invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    .line 477
    :cond_0
    return-void
.end method

Still can't understand why we can't compile these apks with apktool :confused:
 

Aou

Senior Member
Aug 4, 2008
794
777
0
Arizona
> some conclusions
>
> SysScope is run and checked by
> 1. BCService.apk (BroadCast Service, periodically starts SysScope)
> 2. SecSettings.apk
> Both apks have similar functions such as SysScopeVerifier, which checks SysScope against modifications
>
> ...
>
> Still can't understand why we can't compile these apks with apktool :confused:

Greetings @[email protected] - I'm coming from the AT&T Galaxy S4 where we have a locked bootloader and can't otherwise get rid of an annoying "Custom" boot screen by modifying the bootloader. After poking around a bit, @scott14719 and I have determined that SysScope is certainly to blame for this "Custom" status. It appears we'll need to do the same as you: modify SysScope.apk, compile it, and get away with it (not let BCService or SecSettings find out about it).

Have you or your peers here found a solution to this yet, or have we determined this would be simply impossible?

Many thanks.
 

bahtsiz_bedevi

> Greetings @[email protected] - I'm coming from the AT&T Galaxy S4 where we have a locked bootloader and can't otherwise get rid of an annoying "Custom" boot screen by modifying the bootloader. After poking around a bit, @scott14719 and I have determined that SysScope is certainly to blame for this "Custom" status. It appears we'll need to do the same as you: modify SysScope.apk, compile it, and get away with it (not let BCService or SecSettings find out about it).
>
> Have you or your peers here found a solution to this yet, or have we determined this would be simply impossible?
>
> Many thanks.

Rather than modifying SysScope, we need to edit SecSettings and BCService first. Both apps are checking SysScope against modifications.
Apparently Samsung developers are better than I thought they were :D

The problem is that I can't compile apks with apktool and I don't know why.
We need to find a guy that knows how to work with apktool (especially system apks, signing etc)
 

Aou

> Rather than modifying SysScope, we need to edit SecSettings and BCService first. Both apps are checking SysScope against modifications.
> Apparently Samsung developers are better than I thought they were :D
>
> The problem is that I can't compile apks with apktool and I don't know why.
> We need to find a guy that knows how to work with apktool (especially system apks, signing etc)

I never had much luck compiling any APKs using apktool, but I'm pretty novice in that area to begin with. ^_^

Also, I'm wondering if this thread may help you out?
 

bahtsiz_bedevi

> I never had much luck compiling any APKs using apktool, but I'm pretty novice in that area to begin with. ^_^
>
> Also, I'm wondering if this thread may help you out?

Thank you bud, but I seriously tried everything on Google that I found. None worked. I'm a bit tired of this :(
On the thread you've given to me, there is a guy who has had the same problem and no answer was given to him.

To everyone: if you ever find a solution, please try it first before you post here.
Just decompile and compile SysScope.apk and/or SecSettings.apk without modifications. Then install it on your device. If it runs, please post here along with details (links, steps) :)