T-Mobile rooted LGV20 rctd root checking (spying), possibly other carriers - SOLVED!!

dimm0k

For those with a T-Mobile branded LGV20 and rooted with Magisk and probably with SuperSU, I have an interesting discovery in my attempts at determining performance issues I was having with my device and for all I know with other carrier branded Android devices that I had rooted in the past (Samsung S4, S5, LGV10). what I've been noticing is even after a fresh stock device with the only thing changed being Magisk, there have been a number of 'sh' processes that keep increasing until the system is affected negatively. My research has led me to believe that on a T-Mobile branded LGV20 a process/app called 'rctd' is triggered on boot, which checks for certain characteristics of root and if root is present something is logged mentioning so. while not much information is available on this, @k0nane posted on this a while back here https://forum.xda-developers.com/showthread.php?t=2267909 regarding rctd. essentially it is a root checker/logger.

PLEASE HELP ME CONFIRM:
for those that are rooted on their LGV20, please check /persist/rct.cfg and see if it mentions a modified system with a modified /system partition. also from a shell, do a 'ps | grep sh' noting if there are numerous 'sh' processes. if there are then do a 'ps | grep rctd' and see if the PPid of those numerous processes match the PID of rctd. I'm willing to bet they do for most of them. the longer your device has not been rebooted, the more of these 'sh' processes you should have. please report back!


EDIT1: thanks to all those in this thread that helped put this nagging nail in the coffin! long story short, rctd is LG's root checker and it's started as a service within init.lge.rc, which is part of the boot/ramdisk so commenting out the lines that start the service needs to be done in the boot.img itself. As a result for those that use stock kernels, I've created boot.img for 10k and 10p on the H918 T-Mobile variant of the LGV20 and 10h for the US996 unlocked variant of the LGV20.

H918 10k MD5SUM: 55a8dfd66ec9444a4a0d67eb39b34551
H918 10p MD5SUM: 9aa4cd481f1177f9d9d9f833f166ce80
US996 10h MD5SUM: 2bec2db396a81c73916ee3726e4cd334

flash your correct boot image and then remember to flash Magisk or SuperSU immediately after BEFORE LEAVING TWRP especially for those on 10k or 10p!!
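
The check requested in this post (count the 'sh' processes whose PPID is the PID of rctd), as an added example that is not part of the original post. It assumes the `ps` column layout of the `/sbin/rctd` line quoted later in this thread (USER PID PPID VSIZE RSS WCHAN PC STATE NAME); the sample listing is constructed, apart from that one line.

```shell
#!/bin/sh
# Added example (not from the thread's authors): measure how many 'sh'
# processes are children of rctd, from captured `ps` output on stdin.
# Assumed columns: USER PID PPID VSIZE RSS WCHAN PC STATE NAME

# Constructed sample listing; only the /sbin/rctd row is taken from the thread.
sample_ps() {
cat <<'EOF'
USER      PID   PPID  VSIZE  RSS   WCHAN            PC  NAME
root      1     0     15828  1520  0 0000000000 S /init
root      926   1     5836   2092  0 00ec90a994 S /sbin/rctd
root      4101  926   9116   1672  0 0000000000 S sh
root      4188  926   9116   1668  0 0000000000 S sh
root      4302  926   9116   1676  0 0000000000 S /system/bin/sh
shell     5120  733   9116   1700  0 0000000000 S sh
u0_a101   6010  745   1650000 80000 0 0000000000 S com.example.app
EOF
}

# Print the PID of every process whose name is rctd (with or without a path).
rctd_pids() {
    awk '$2 ~ /^[0-9]+$/ && ($NF == "rctd" || $NF ~ /\/rctd$/) { print $2 }'
}

# Print the number of sh processes whose PPID is one of the rctd PIDs.
count_rctd_children() {
    awk '
        $2 !~ /^[0-9]+$/ { next }              # header or malformed row
        { name[$2] = $NF; ppid[$2] = $3 }
        END {
            for (p in name)
                if (name[p] == "rctd" || name[p] ~ /\/rctd$/) rctd[p] = 1
            n = 0
            for (p in name)
                if ((name[p] == "sh" || name[p] ~ /\/sh$/) && (ppid[p] in rctd)) n++
            print n
        }'
}

echo "rctd PID(s): $(sample_ps | rctd_pids)"
echo "sh children of rctd: $(sample_ps | count_rctd_children)"
```

On a device, replace `sample_ps` with `ps` output captured as root, since a non-root `ps` does not list all processes.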
 

KUSOsan

I have a T-Mobile H918 rooted with SuperSU. I attached a screen of what my rct.cfg shows and what shows when I typed in terminal. When I tried "ps | grep rctd" it reply with anything and just started a new line
 

Attachments: Capture+_2017-08-23-23-49-00.png, Capture+_2017-08-23-23-53-02.png

dimm0k

sorry, you need to be root when you run "ps | grep rctd" otherwise you won't see all the processes running. I'm willing to bet you have rctd running and if you haven't rebooted your device for a few hours, you'll have a bunch of "sh" processes
 

Aaren11

Yeah my T-Mobile H918 is reporting the same thing with Magisk 13.1 under WETA.

Rct.cfg lists:
MODIFIED
Mount option has been changed
>/system
>/roottfs
Rooting related file had been installed
>.sh
>.ext
>su
>busybox

Detection time
> 2017-08-22 16:07

When I run "ps | grep rctd" I only get the single instance of:

root 926 1 5836 2092 0 00ec90a994 S /sbin/rctd

The thread linked in the OP mentions disabling rctd via a build.prop value. But I'm going to try and rip it out manually.
 

Ducter

I delete all T-Mobile apps upon flashing, wish I could remember by name but I can't. Regardless, here's what I have.

Edit- SuperSU v2.82 SR1
 

Attachments: Screenshot_2017-08-24-00-23-33.png, Screenshot_2017-08-24-00-29-11.png

dimm0k

Aaren11 said:
Yeah my T-Mobile H918 is reporting the same thing with Magisk 13.1 under WETA.
Rct.cfg lists:
When I run "ps | grep rctd" I only get the single instance of:
The thread linked in the OP mentions disabling rctd via a build.prop value. But I'm going to try and rip it out manually.

please update us. I've been told by @Zacharee1 that moving/deleting /sbin/rctd and /sbin_orig/rctd is not effective as they come back after a reboot. I've verified that killing it in a terminal also respawns. 'ps' should only report one instance of /sbin/rctd, but I'm willing to bet that you have a bunch of 'sh' processes belonging to that rctd process.



Ducter said:
I delete all T-Mobile apps upon flashing, wish I could remember by name but I can't. Regardless, here's what I have.
Edit- SuperSU v2.82 SR1

this may prove helpful considering that you're rooted and yet your rct files look untouched! is it possible to provide me the rct and rct.cfg files from /persist?
 

KUSOsan

Sorry bout that. Here's the corrected results.
 

Attachments: Capture+_2017-08-24-01-55-50.jpg, Capture+_2017-08-24-01-56-19.jpg, Capture+_2017-08-24-01-57-13.jpg

runningnak3d

@dimm0k You just saved me from doing a warranty swap. Yeah, I have had bad performance issues, but it was intermittent.

For example if the phone sat for too long, and then I received a phone call, it might take 2 to 3 seconds before I could swipe to answer. The touch screen was non-responsive. But once the phone was woke up, the performance issues seemed to subside.

Since I have an H910 to compare performance and how the phone "feels" I just assumed that it was a faulty CPU that was being throttled, or maybe the heatsink wasn't on good.

Since I had debloated all the usual cruft it just didn't occur to me to look for some bull**** process sucking the life out of my phone.

I ripped rctd out by the roots and it is like I have a new phone.

Seriously, I was set to ship my phone off today. Thank you very much for finding this.

F*** you LG -- again.
F*** you T-Mobile -- again

-- Brian
 

Zacharee1

How did you "rip rctd out by the roots"?
 

dimm0k

glad to hear I'm not the only one suffering performance issues. the crazy thing is I don't know which devices this affects, but I have a feeling it's ALL T-Mobile branded devices on stock with root and as far as I can remember having an Android device since my Galaxy S4 days this has always been an issue for me. I have always rooted my devices and always experienced the same issue... after 3-4 days without rebooting my device it would slow to a crawl. now, after several years, I've discovered why! now to find a way to stop it... please share how you ripped rctd out by the roots!
 

runningnak3d

Yea, I was so pissed when I read this post that it didn't occur to me to reboot my phone to see if it came back. Also "ripped it out by the roots" would imply that I uninstalled it, sorry for the confusion. It is so embedded into the framework that I don't think there is going to be any getting truly rid of it, but I will settle for it not loading and then spawning a million freaking processes...

Anyway to get rid of it from at least loading, edit init.lge.rc and comment out the lines that deal with the POS. Reboot. No more rctd. PROFIT! Well at least a much faster phone.

-- Brian
 

dimm0k

awesome!! I was thinking of creating a 0 byte rctd file replacement, but this is definitely more elegant! thanks for helping me put a nail in this ugly coffin!! I'm going to see if I can create a Magisk module out of this...
 

storm68

So delete the root checker lines as shown? All of it?
 

Attachments: Screenshot_2017-08-24-16-17-46.jpg

storm68

Ok.. sounds good. Thanks. Good idea. I think I'll wait a few days and see what other comments we get...
 

runningnak3d

My 3D Mark score for Sling Shot Extreme went from a 1767 (absolutely abysmal) to a 2437 (still not an iPad Pro, but not as expensive as one either :) ) just by getting rid of this crapware.

-- Brian
 

daverup

I'd like to see rctd disabled, but editing init.lge.rc does not survive a reboot for me. It is replaced by an unmodified version.
 

Top Liked Posts

    10
    @storm68 Here you go: link.
    Since this was a flashable zip, all I did was extract it, then extract the initrd, modify, and zip it back up -- so you can flash it in TWRP just like you could with the original kernel.
    @Nukewire The first link that I posted is the Albatross Werewolf kernel for the H918. I am running v10k as my base ROM.

    -- Brian
    8
    Here is the Werewolf kernel with rctd disabled: link

    This is NOT a flashable zip. I did this quick and dirty. You need to flash this with adb:

    * adb reboot recovery
    * adb push boot_no_rctd.img /sdcard
    * adb shell
    * cd /sdcard
    * dd if=boot_no_rctd.img of=/dev/block/bootdevice/by-name/boot

    Reboot and enjoy a faster phone....

    Notice the hash tags, and no rctd running. I flashed a fresh clean system to make sure that nothing else that I had done was preventing it from starting. If someone would like me to do the stock kernel, or some other kernel, please post a link.
    Code:
    elsa:/ # cat init.lge.rc | grep rctd                                           
    #service rctd /sbin/rctd
    #    seclabel u:r:rctd:s0
    elsa:/ # ps | grep rctd
    1|elsa:/ #

    If you would like to do this yourself, let me know and I will type it up, but I am not going to waste my time since it is quite a bit to type up if no one is interested.
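
The edit whose result is shown in this post (the rctd service lines commented out in init.lge.rc), as an added example that is not part of the original post and not runningnak3d's own procedure. It assumes the file has already been extracted from the boot image's ramdisk; the sample file content and the service names other than rctd are constructed.

```shell
#!/bin/sh
# Added example (not runningnak3d's own procedure): comment out one service
# stanza in an init .rc file taken from an unpacked boot.img ramdisk.
# Assumption: the stanza is the "service" line plus the indented option
# lines that directly follow it.

# Constructed sample; only the two rctd lines appear in the thread.
sample_rc() {
cat <<'EOF'
service example_a /system/bin/example_a
    class main

service rctd /sbin/rctd
    seclabel u:r:rctd:s0

on property:sys.boot_completed=1
    start example_b
EOF
}

# $1 = service name; reads .rc text on stdin, writes the edited text.
# Already-commented lines do not match, so running it twice changes nothing.
comment_out_service() {
    awk -v svc="$1" '
        $1 == "service" && $2 == svc { in_stanza = 1; print "#" $0; next }
        in_stanza && /^[ \t]+[^ \t]/ { print "#" $0; next }
        { in_stanza = 0; print }'
}

# Exit status 0 if an uncommented "service <name>" line is still present.
service_enabled() {
    awk -v svc="$1" '$1 == "service" && $2 == svc { found = 1 }
                     END { exit !found }'
}

sample_rc | comment_out_service rctd
```

The edited file still has to be repacked into the boot image, since, as reported in the thread, an init.lge.rc edited on the running device is replaced by the unmodified version at reboot.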
    6
    Made a thread for my removal script: https://forum.xda-developers.com/v20/how-to/rctd-remover-script-feedback-t3675968

    Would love testers and feedback.
    6
    OK guys, it's kind of terrifying how much of a difference removing the rctd file makes.

    I'm going to see if I can make a super simple Android app to remove it dynamically, so we don't have to patch every kernel that comes along.