[ROOT][OUDHS][LUCID2] Spirited Away: RCT Nerfer :: 5/7/13 :: FULL NOTES ON RCT INSIDE


k0nane

Inactive Recognized Developer
Feb 7, 2008
3,991
3,783
127.0.0.1
www.k0nane.info
I thought I'd crosspost this here for once, as I don't think RCT, the Root Checker Tool, is going away. Please note that the original Spirited Away is not my work and is used with permission. This post pertains to the Verizon-sold LG Lucid 2 (VS870). -k0

--

k0nane and the Official Unloved Devices Hit Squad present...
Spirited Away: RCT Nerfer Edition
With thanks to Dan Rosenberg and the original Spirited Away he created!


Root! Root, root root, root.

Verizon doesn't want you to have it. The OUDHS does! At the behest of everyone's favorite giant, oligopolist, anti-consumer, borderline-evil carrier, LG stuck what they call the Root Checker Tool (RCT) into the guts of the Lucid 2. Not present on the international model, the RCT checks for - and perhaps prevents the execution of - certain root tools. It also leaves logs of the presence or running of said tools. See the second post for more details.

This package cuts off RCT's head and gives you - not your carrier or the OEM - a bit more control over your phone. This does not unlock the bootloader, unfortunately. It's just root.

Code:
#include <external/cyanogenmod/std_disclaimer.h>
/*
 * I am not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about features included in this ROM
 * before flashing it! YOU are choosing to make these modifications, and if
 * you point the finger at me for messing up your device, I will laugh at you.
 */
Instructions


  1. Download the package.
  2. Extract the contents of the zip.
  3. Ensure you have installed the drivers for your phone.
  4. Connect it to USB, wait for it to be detected.
  5. Double-click run.bat, follow on-screen instructions. Mac and Linux users, open the file and follow along, it's just a set of ADB commands.
  6. Let it finish, continuing to follow instructions.

That's it! Your device will autoreboot. You will be rooted.

FAQ

Q: What does this install?
A: Your device will have Superuser (ChainsDD's variant, the original), the su binary, and BusyBox 1.20.2 on it.

Q: Can I use this on a device that isn't the Verizon-model LG Lucid 2?
A: That's a bad idea. Don't do that. Don't whine to us if you break stuff by doing so.

Q: Will this survive OTAs?
A: Probably not, and it's almost guaranteed that RCT will come back with a vengeance! Be very careful with updates!

Q: I've tried to root already, can LG/Verizon tell?
A: Unless you reset what's already been written, they sure can. See the next post.

Downloads



Credits:



  • Shabbypenguin: making me aware of the issues on this device, initial testing, general awesomesauce
  • SICFreak: remote access to two devices, time, taking the risk, patience
  • Dan Rosenberg (@djrbliss): Spirited Away exploit, reverse engineering of rctd post-root
  • The OUD Hit Squad: for being made of either unstable isotopes of uranium, or pure greatness, one of the two
  • LG and Verizon: just kidding, f*ck you both :D


Donations

This is not, and will never be donationware. Your generosity - if you feel like showing it - is highly appreciated! Thank you!

Donate to Dan Rosenberg:

 

k0nane

Inactive Recognized Developer
Technical Details

Just what do we know about RCT? RCT, the Root Checker Tool, has one primary purpose: to make persistent note of any presence of rooting-related tools, the running of su, or the remounting of the system partition as read-write. The main "meat" of the tool - if not all of it - is in /system/bin/rctd. Mr. Rosenberg was kind enough to decompile and analyze the tool, and state that it checks for the following files:


  • /system/[bin,sbin,xbin]/su
  • /sbin/su
  • /data/local/tmp/su
  • /system/app/[s,S]uper[u,U]ser.apk
  • /data/data/com.noshufou.android.su
  • /data/local/tmp/[s,S]uper[u,U]ser.apk
  • /system/[bin,xbin]/busybox
  • /data/local/tmp/busybox
The tool writes a hexadecimal number to /persist/rct and /data/system/lgmdm_root_flags.txt (these files are identical in contents) that represents the "root status". Mr. Rosenberg confirms that "[the] number is an encoded representation of whether su, Superuser, busybox, etc. are installed". The tool writes a human-readable representation of what it's found to /persist/rct.cfg. An example from a rooted system (if used on a previously-virgin system, this package will prevent this from being written):


Code:
Rooted

 Not allowed command had been executed.
  > su
 Mount option had been changed.
  > /system
 Rooting related file had been installed.
  > su
  > superuser
  > busybox

[LG RCT v1.0.1220]
A "clean" system will display "not rooted" and nothing else except the bottom line.

RCT also writes copies of ls -l /, portions of /dev/log/main and /dev/log/system, ls -l /system/app, ls -l /persist/LostFound, df -h, and basic system information (see below) to files named after asteroids and stored in /persist/LostFound.

Code:
VS870 4G
Model name : L1v
Manufacture : LGE
OS Version : 4.1.2
Secure : 1
Operator : Verizon Wireless
Country : US
Product version : M8960A-AAAANAZM-3.0.0743
Build date : Wed Mar  6 21:51:54 KST 2013
RCT may have other functions. rctd only does what's described above - it's a logger and nothing more, according to Mr. Rosenberg. There may be other portions of the system, but I have not found them.

I do have "clean" copies of the entire /persist and lgmdm_root_flags.txt, but due to the sensitive nature of some of the logs, and to protect the privacy of my tester, I prefer not to publicly distribute them. If anyone needs them, please contact me here, on XDA, Twitter, or chat.freenode.net #oudhitsquad.

How RCT Starts/Is Triggered

rctd, the main daemon that makes up RCT, is started as a system service in init.l1v.rc. I seem to have misplaced my copy of this file/the kernel, but it's a very standard service start. As the bootloader is currently locked, there's not much that can be done about this.

Inside com.lge.systemservice.core, BootCompletedReceiver waits for the BOOT_COMPLETED signal to be thrown, then executes the following:

Code:
const-string v1, "ro.build.target_operator"

    const-string v2, ""

    invoke-static {v1, v2}, Landroid/os/SystemProperties;->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v1

    const-string v2, "VZW"

    invoke-virtual-quick {v1, v2}, [email protected]

    move-result v1

    if-eqz v1, :cond_1d

    .line 12
    new-instance v0, Landroid/content/Intent;

    invoke-direct {v0}, Landroid/content/Intent;-><init>()V

    .line 13
    .local v0, mServiceIntent:Landroid/content/Intent;
    const-string v1, "com.lge.action.ROOTINGCHECKER"

    invoke-virtual-quick {v0, v1}, [email protected]

    .line 14
    invoke-virtual-quick {p1, v0}, [email protected]

    .line 16
    .end local v0           #mServiceIntent:Landroid/content/Intent;
    :cond_1d
    return-void
For those of you who don't speak smali, the real juicy bit of that appears as the following, when run through dex2jar:

Code:
if (SystemProperties.get("ro.build.target_operator", "").equalsIgnoreCase("VZW"))
    {
      Intent localIntent = new Intent();
      localIntent.setAction("com.lge.action.ROOTINGCHECKER");
      paramContext.startService(localIntent);
    }
Yes, it really is just checking an item in build.prop to see whether it should run or not. That's an alternate way to stop rctd, but not one that I like. It is safe to remove the entirety of BootCompletedReceiver.smali, and for anyone working on modifications in the future, I would do so.

As you can see, an intent is thrown, and caught by rctd, which does its thing. It (rctd's main function) seems to run once per boot, but I cannot guarantee that.

Other Framework/System Finds

com.lge.mdm contains one item of interest. The rest of the framework, and /system/app, is largely clean. LGMDMGeneralController is the file of interest, and for the sake of readability in this post, I've run it through dex2jar. Here it is: Pastie This class contains a lot more than just RCT-related items, many potentially worth investigating.

Other things of note:

  • Viewing strings of other binaries, including those pertaining to FOTA, indicate the presence of "rooting history tables". Where these are, I don't know, and it could be as simple as what's already outlined here. Do proceed with caution, particularly around updates, as the updater system is rife with checks and logging for modifications.
  • There's an "ATS Agent" of some type hanging out in the framework. Its purpose is to take logs, and it may be responsible for the asteroid-namesake files. It is not present on the international model, thus can be assumed to be specific to VZW. Proceed with caution. I am automatically suspicious of these "diagnostic" tools after CIQ.
  • There's a GUI for RCT's output. See below.
Finally, I found some dialer codes. :D There's fun to be had here - proceed with caution, but enjoy Verizon/LG's hidden menu, and see what's to be seen in the Rooting Check entry (RootingCheck class inside the hidden menu apps/JARs).


A Message for Verizon and LG

Teehee, you guys are funny. :rolleyes: This wasn't hard, no more than Samsung's silly attempt to block package installation back on the Galaxy Indulge 4G (on MetroPCS). Go ahead and keep trying to prevent your users from controlling their devices... it's a losing battle.

Oh, and suck me. (And Dan.)

Credits/Donations

Please see the previous post for these notes. This was a good number of hours' worth of research - if I have helped you, please consider giving a small token. This system isn't going away any time soon.
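As an added illustration of two points in this thread (the FAQ's "can LG/Verizon tell?" in the first post, and the file checks and rct.cfg format described under Technical Details), here is a small Python model of RCT's visible behaviour. It is not rctd's code and is not part of the original posts: it expands the bracketed path list into the concrete paths the post says rctd checks, reports which of the three categories (su, superuser, busybox) would show up in rct.cfg for a given set of files on the device, and parses a pulled rct.cfg into a structure you can act on. The sample rct.cfg text is the one quoted above; the adb helper assumes `adb` is on your PATH and that /persist/rct.cfg is readable from `adb shell`, which the thread does not confirm. The hex value in /persist/rct is deliberately not decoded, since its encoding is not known.

```python
"""Model of the LG Root Checker Tool (RCT) behaviour described in the thread.

Added example, not rctd's own code: it reproduces only what the post states
(paths checked, categories reported, rct.cfg layout) so a pulled rct.cfg can
be parsed and a device's file set can be compared against RCT's list.
"""
import re
import subprocess

# File checks attributed to rctd in the post, in the post's own bracket notation.
# Insertion order matches the order rct.cfg lists them: su, superuser, busybox.
RCT_CHECK_PATTERNS = {
    "su": [
        "/system/[bin,sbin,xbin]/su",
        "/sbin/su",
        "/data/local/tmp/su",
    ],
    "superuser": [
        "/system/app/[s,S]uper[u,U]ser.apk",
        "/data/data/com.noshufou.android.su",
        "/data/local/tmp/[s,S]uper[u,U]ser.apk",
    ],
    "busybox": [
        "/system/[bin,xbin]/busybox",
        "/data/local/tmp/busybox",
    ],
}

# Where the post says RCT persists its findings (status is written to the last two).
RCT_ARTIFACTS = ["/persist/rct.cfg", "/persist/rct", "/data/system/lgmdm_root_flags.txt"]

# Section headers rctd writes into rct.cfg, mapped to keys in the parsed result.
SECTION_KEYS = {
    "Not allowed command had been executed.": "commands",
    "Mount option had been changed.": "mounts",
    "Rooting related file had been installed.": "files",
}

# The rooted-system rct.cfg quoted in the post (used as offline sample input).
SAMPLE_RCT_CFG = """Rooted

 Not allowed command had been executed.
  > su
 Mount option had been changed.
  > /system
 Rooting related file had been installed.
  > su
  > superuser
  > busybox

[LG RCT v1.0.1220]
"""


def expand(pattern):
    """Expand '[a,b]' alternatives recursively into every concrete path.

    '/system/[bin,xbin]/busybox' -> ['/system/bin/busybox', '/system/xbin/busybox']
    """
    m = re.search(r"\[([^\]]+)\]", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def checked_paths():
    """All concrete paths rctd is said to look for, grouped by category."""
    return {cat: [p for pat in pats for p in expand(pat)]
            for cat, pats in RCT_CHECK_PATTERNS.items()}


def scan(present):
    """Categories rctd would report as installed, given the paths present on a device."""
    present = set(present)
    return [cat for cat, paths in checked_paths().items()
            if any(p in present for p in paths)]


def parse_rct_cfg(text):
    """Parse the human-readable rct.cfg into a dict.

    Returns rooted (True/False/None if absent), the three '>' lists and the
    RCT version string from the trailing '[LG RCT vX]' line.
    """
    result = {"rooted": None, "commands": [], "mounts": [], "files": [], "version": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in ("rooted", "not rooted"):
            result["rooted"] = line.lower() == "rooted"
        elif line in SECTION_KEYS:
            current = SECTION_KEYS[line]
        elif line.startswith(">") and current:
            result[current].append(line[1:].strip())
        elif line.startswith("[LG RCT") and line.endswith("]"):
            result["version"] = line[1:-1].split()[-1]
    return result


def pull_rct_cfg(adb="adb"):
    """Read /persist/rct.cfg from an attached device over ADB.

    Assumption (not confirmed by the thread): the file is readable from adb
    shell. Not exercised by the offline tests.
    """
    proc = subprocess.run([adb, "shell", "cat", RCT_ARTIFACTS[0]],
                          capture_output=True, text=True, check=True)
    return parse_rct_cfg(proc.stdout)


if __name__ == "__main__":
    print("rctd checks:", checked_paths())
    print("sample device:", scan(["/system/xbin/su", "/system/xbin/busybox"]))
    print("parsed rct.cfg:", parse_rct_cfg(SAMPLE_RCT_CFG))
```

On a real device, replace the sample with `pull_rct_cfg()` and treat `rooted=True` or any non-empty list as the carrier-visible evidence the FAQ warns about; the package above avoids producing it on a clean device, but it does not erase what an earlier root attempt already wrote.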
 

k0nane

Inactive Recognized Developer
I'll take one more just in case.

--

P-O-S-T :: R-E-S-E-R-V-E-D

[image: AAvvp.png]


Original artwork by Pendulum via Gasolin3.

...for future use.

Follow me on Twitter @k0nane and @publik0!
Join the OUDHS and I on IRC at irc.freenode.net #oudhitsquad, or via the webchat link in my signature.
 

GnatGoSplat

Senior Member
Apr 29, 2007
1,740
158
Doesn't seem to work on an LG Lucid 2 with firmware VS87011A.
Someone on another forum mentioned having the same problem with the same firmware version. Any ideas?
 

GnatGoSplat

Senior Member
I'm curious too. I've yet to see anything.

I did manage to root it. I downgraded to old FW, rooted, installed Voodoo OTA Rootkeeper, then took the OTA update back to current and managed to stay rooted. Had to reinstall a Superuser app, I used SuperSU.

I have heard all that can be avoided by using Motochopper which supposedly will root the current FW, but I didn't try that method.
 
> I did manage to root it. I downgraded to old FW, rooted, installed Voodoo OTA Rootkeeper, then took the OTA update back to current and managed to stay rooted. Had to reinstall a Superuser app, I used SuperSU.
>
> I have heard all that can be avoided by using Motochopper which supposedly will root the current FW, but I didn't try that method.

I just now used Motochopper to root after enabling USB Debugging and clicking "Skip" on the message "Checking for PC Drivers". If you do not, adb will NOT work. Also, it's best to use Charge Only when rooting unless you must have the SD card mounted.
 

dismalskin

Member
Nov 20, 2009
7
0
Craiova
Hello,

I have to send my D802 in for service due to yellow display spots and I want to remove the "rooted" from download mode.
I've tried flashing a few stock firmwares and it didn't work.
Now I found this http://forum.xda-developers.com/showthread.php?t=2715114
but it seems that I don't have the rct and rct.cfg files that it requires.
Can you give me those files? Do they have the same content for each phone?
Or do you know any other way?

Thanks.
 
