Discussion on SysScope

dwitherell

Retired Forum Moderator
May 2, 2011
4,061
9,252
0
If all you are after are smali edits (seems to be in this case), you can just pull out the classes.dex from the apks themselves and get at them using baksmali/smali. In the spirit of sharing near exactly what I did - I have a Windows machine (I tend to use Cygwin for tinkering), so I end up using something like (note you will need to change file names and paths/directories as appropriate of course):
Code:
java -jar baksmali-1.4.2.jar -a 16 -o /wherever/the/decompiled/stuff/should/go/outSysScope/ classes.dex
I know little really, but I think this is basically saying "hey java take this baksmali jar file and use it to decompile the 4.1.x classes.dex file and throw the results of that into this directory"

Then do the edits, and
Code:
java -Xmx1024M -jar smali-1.4.2.jar -a 16 /wherever/the/to/be/recompiled/stuff/is/outSysScope/ -o classes.dex
Again, my interpretation is this is just saying "hey java using up to this much memory use this smali jar file and recompile the stuff in this directory into a 4.1.x classes.dex file"

The new classes.dex can get dropped back into the apk, then push/stick it in a flashable zip and all is well. I've done this for both SecSettings and SysScope on a T-Mobile T889 stock 4.1.2 base. Hope this helps :)

Also - have you found the methods that do the sysscope checking in BCService and SecSettings? Just curious - I can look for them as well but figured I would ask first to not redo work already done :)
 
Reactions: bahtsiz_bedevi
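
Added example (not part of the original posts): the workflow above swaps a rebuilt classes.dex into an already-signed APK. APKs from the 4.1.x era carry JAR-style signing, where META-INF/MANIFEST.MF records a digest per entry, so an auditor can spot a swapped entry by recomputing those digests. The sample APK bytes and the helper names (`parse_manifest`, `check_apk`, `build_sample_apk`) are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

DIGEST_KEY = re.compile(r"^(SHA1|SHA-1|SHA-256)-Digest$", re.I)
ALGOS = {"SHA1": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}

def parse_manifest(text):
    """Return {entry name: {attribute: value}} from JAR MANIFEST.MF text."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_apk(apk_bytes):
    """List entries whose bytes do not match a manifest digest (or have none)."""
    mismatched = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in z.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directory entries are skipped here
            digests = {k: v for k, v in manifest.get(name, {}).items()
                       if DIGEST_KEY.match(k)}
            ok = bool(digests)
            for key, expected in digests.items():
                algo = ALGOS[key.rsplit("-", 1)[0].upper()]
                actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest())
                ok = ok and actual.decode() == expected.strip()
            if not ok:
                mismatched.append(name)
    return mismatched

def build_sample_apk(dex, signed_dex=None):
    """Constructed sample: zip whose manifest digest covers signed_dex (default: dex)."""
    covered = dex if signed_dex is None else signed_dex
    digest = base64.b64encode(hashlib.sha1(covered).digest()).decode()
    mf = ("Manifest-Version: 1.0\r\n\r\n"
          f"Name: classes.dex\r\nSHA1-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    stock = b"dex\n035\x00 constructed stock bytes"
    print(check_apk(build_sample_apk(stock)))                             # untouched
    print(check_apk(build_sample_apk(b"rebuilt dex", signed_dex=stock)))  # swapped
```

This checks only the per-entry digests; validating CERT.SF and the certificate block that sign the manifest itself is a separate step.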

bahtsiz_bedevi

Senior Member
Dec 12, 2011
405
183
0
izmir, Turkey
plus.google.com
Thanks for the info. I really don't understand how this baksmali/smali thing works. This is nothing like a programming language at all but at least gives clues.

It's called SysScopeVerifier.smali under SecSettings.apk\smali\com\sec\android\app\sysscope\service

Code:
.method private verifyWithPmKey()Z
    .locals 3

    .prologue
    .line 67
    iget-object v0, p0, Lcom/sec/android/app/sysscope/service/SysScopeVerifier;->mContext:Landroid/content/Context;

    invoke-virtual {v0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v0

    .line 68
    const-string v1, "com.android.settings"

    const-string v2, "com.sec.android.app.sysscope"

    .line 67
    invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->checkSignatures(Ljava/lang/String;Ljava/lang/String;)I

    move-result v0

    if-nez v0, :cond_0

    const/4 v0, 0x1

    :goto_0
    return v0

    :cond_0
    const/4 v0, 0x0

    goto :goto_0
.end method


# virtual methods
.method final verifySysScopeService()Z
    .locals 5

    .prologue
    const/4 v2, 0x0

    .line 37
    const/4 v0, 0x0

    .line 39
    .local v0, apkPath:Ljava/lang/String;
    new-instance v1, Ljava/io/File;

    const-string v3, "/data/app/com.sec.android.app.sysscope-1.apk"

    invoke-direct {v1, v3}, Ljava/io/File;-><init>(Ljava/lang/String;)V

    .line 41
    .local v1, file:Ljava/io/File;
    invoke-virtual {v1}, Ljava/io/File;->exists()Z

    move-result v3

    if-eqz v3, :cond_0

    .line 42
    const-string v0, "/data/app/com.sec.android.app.sysscope-1.apk"

    .line 52
    :goto_0
    invoke-direct {p0, v0}, Lcom/sec/android/app/sysscope/service/SysScopeVerifier;->parseScopeApk(Ljava/lang/String;)Z

    move-result v3

    if-nez v3, :cond_2

    .line 53
    const-string v3, "SysScopeVerifier"

    const-string v4, "parse error"

    invoke-static {v3, v4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    .line 62
    :goto_1
    return v2

    .line 44
    :cond_0
    new-instance v1, Ljava/io/File;

    .end local v1           #file:Ljava/io/File;
    const-string v3, "/data/app/com.sec.android.app.sysscope-2.apk"

    invoke-direct {v1, v3}, Ljava/io/File;-><init>(Ljava/lang/String;)V

    .line 45
    .restart local v1       #file:Ljava/io/File;
    invoke-virtual {v1}, Ljava/io/File;->exists()Z

    move-result v3

    if-eqz v3, :cond_1

    .line 46
    const-string v0, "/data/app/com.sec.android.app.sysscope-2.apk"

    goto :goto_0

    .line 48
    :cond_1
    const-string v0, "/system/app/SysScope.apk"

    goto :goto_0

    .line 57
    :cond_2
    invoke-direct {p0}, Lcom/sec/android/app/sysscope/service/SysScopeVerifier;->verifyWithPmKey()Z

    move-result v3

    if-nez v3, :cond_3

    .line 58
    const-string v3, "SysScopeVerifier"

    const-string v4, "verifyWithPmKey error"

    invoke-static {v3, v4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_1

    .line 62
    :cond_3
    const/4 v2, 0x1

    goto :goto_1
.end method
 
Reactions: dwitherell

dwitherell

Gotcha - thanks :)

It looks like it calls a general signature verification method from services.jar as well - one for other reasons I needed to get around already thanks to @wanam. I'm going to play with this later tonight and I'll report back - I take it the BCService.apk method is pretty similar to the one in SecSettings.apk?
 

bahtsiz_bedevi

Yes, both have similar methods.
I'm really glad to have you here :good:
 
Reactions: dwitherell

dwitherell

Alright - I made a number of edits. Most of them follow the pattern you set up in prior posts, with a few minor twists and some extra things I noticed. I'm testing it out on some other things I'm working on - but if you UL the SecSettings, SysScope, and BCService you have I'll make the same changes and reUL to see if it works for you.
 

bahtsiz_bedevi

I tried to do some changes too by following your instructions. At the end I get an "Application is not installed" error. It's frustrating :mad:

Thankfully you know smali/baksmali better than me.
Here are my files from stock XXDMB5 https://dl.dropboxusercontent.com/u/54474190/APK.7z
(in case of need) Wanam XXDMB5 deodexed https://dl.dropboxusercontent.com/u/54474190/APKWanam.7z
 

MattBooth

Senior Member
Jan 4, 2011
8,403
13,710
0
33
Bradford
mattbooth.dev
I'll try to get in on this over the next few days :)

Can you give me a summary of the edits we should make? I won't have an issue recompiling.

Also, you should only need to re-sign an apk if you modify the AndroidManifest.xml file. smali edits and anything else is fine.
 
Reactions: dwitherell

dwitherell

Not to speak for @bahtsiz_bedevi, but the original focus was on the SysScopeVerifier and ResultCode smali files that can be found in BCService, SecSettings, SyncmlDM, EdmSysScopeService, FactoryTest, and SysScope (just ResultCode there) apks. Basically we wanted any scan results to be equivalent to "OK", and any attempt to assess whether SysScope had been tampered with to come back as negative - this was done in 1 (ResultCode) or 2 methods in each of those smali files in each of those apks. That worked out, so @bahtsiz_bedevi was thinking the next step would be to simply remove SysScope altogether if possible, and has started doing so - he managed to remove connections between SysScope and SyncmlDM by brute force deleting all the SysScope-relevant smali files in SyncmlDM as well as modifying the initiating method (in XDMService.smali) to skip out on any calls to SysScope stuffs and instead return the "everything is fine" response.

I think that sums things up - and I'm excited to see where this heads :)
 
Reactions: bahtsiz_bedevi

bahtsiz_bedevi

As dwitherell said, the original idea is to manipulate result codes.
However, the SysScope service is a bit more complicated since we are not working with the original Java code.

I'm trying to remove SysScope service completely if I can.

dwitherell, SysScope service is called by changeSysScopeStatus() in SecSettings. I modified it not to call SysScope service and changed Device Status to be "Normal" manually.
However when I get into "Status" it crashes. Can you look at it?
Code:
.method private changeSysScopeStatus()V
    .registers 2

    .prologue

    .line 834
    const-string v0, "sysscope_status"

    invoke-virtual {p0, v0}, Lcom/android/settings/deviceinfo/Status;->findPreference(Ljava/lang/CharSequence;)Landroid/preference/Preference;

    move-result-object v2

    .line 854
    iget v0, p0, Lcom/android/settings/deviceinfo/Status;->isSysScopeStatus:I

    .line 857
    const v0, 0x7f090123

    invoke-virtual {p0, v0}, Lcom/android/settings/deviceinfo/Status;->getString(I)Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v2, v0}, Landroid/preference/Preference;->setSummary(Ljava/lang/CharSequence;)V

    .line 862
    return-void
.end method
 

MattBooth

There is this also:

Code:
com\sec\android\app\sysscope\service\SysScopeResultInfo.smali
Not sure if you've been there yet, but:

Code:
.method public getResult()I
    .locals 4

    const/4 v1, 0x1

    :cond_0
    :goto_0
    return v1

    throw p0

    throw v2

    move-result-object v2

    :cond_1
    invoke-interface {v2}, Ljava/util/Iterator;->hasNext()Z

    move-result v3

    if-eqz v3, :cond_0

    invoke-interface {v2}, Ljava/util/Iterator;->next()Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Lcom/sec/android/app/sysscope/service/ResultCode;

    sget-object v3, Lcom/sec/android/app/sysscope/service/ResultCode;->OK:Lcom/sec/android/app/sysscope/service/ResultCode;

    throw v0

    move-result v3

    if-nez v3, :cond_1

    const/4 v1, 0x2

    goto :goto_0
.end method
Reports the status as "Normal" in the System Settings -> Status section.

However, when you use system update, it still says the device is modified and cannot update OTA.

This code should help for changeSysScopeStatus:

Code:
smali/com/android/settings/deviceinfo/Status.smali
Code:
.method private changeSysScopeStatus()V
    .locals 2

    const-string v0, "sysscope_status"

    invoke-virtual {p0, v0}, Lcom/android/settings/deviceinfo/Status;->findPreference(Ljava/lang/CharSequence;)Landroid/preference/Preference;

    move-result-object v0

    const v1, 0x7f090128 #sysscope_normal

    invoke-virtual {p0, v1}, Lcom/android/settings/deviceinfo/Status;->getString(I)Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v0, v1}, Landroid/preference/Preference;->setSummary(Ljava/lang/CharSequence;)V

    return-void
.end method
But all that is doing is changing the string... unless the two together help.
 

MattBooth

Since we're all programmers... we probably know more about Java than smali, right? This can help:

1. Drop an apk in the "dex2jar" folder

2. Run the dex2jar batch file

3. Open the jd-gui folder and run the jd-gui.exe (apologies if you're running Linux, I don't have a necessary binary for that)

4. Navigate to the dex2jar folder and open the .jar file to see the Java code.

You can't edit the code, but it can give you a good idea of what is going on.
 


bahtsiz_bedevi

Have you tried my new SyncmlDM.apk? It should work without sysscope service.
And your solution, yes I tried that too but always ended up with a com.android.phone FC.
We are doing some tests right now. If it's ok, we'll publish.
 

bahtsiz_bedevi

That's a very good tool, thank you