• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Xiaomi firmware has multiple backdoors

Search This thread

NiTrOwow

Senior Member
Jul 20, 2010
199
56
So I've basically got myself in this sh*t because lack of care.. Until it pop'd and hit the highlights.

And now straight to the point. It doesn't f*ckin matters if you had a fw or not. As the backdoors are embedded in ROOT system processes.
And those where obviously white-listed as i didn't think of a nasty Chinese guy sitting in it calling back home. My friend who got the same phone found the article as i was having my vacation for a bit, so when i found out i did a bit a research of course on my device. After finding all this i e-mail'd him it and he posted it on the Xiaomi European forums. Guess what happened, it got deleted. So they know damn good what they're doing.

When you purchase Xiaomi products or services, we’ll collect relevant personal information, including but not limited: delivery information, bank account, credit card information, bill address, credit check and other financial information, contact or communication records.

OP said:
XMPP connection (always connected when network available)
54.255.185.236
hostname: ec2-54-255-185-236.ap-southeast-1.compute.amazonaws.com
(Seems not to have a domain) The IP address was also not found in any system modules in plain or unicode text. Assuming it is encoded / encrypted somewhere in a native application, system module, or not in a native app but in a dalvik compiled image.

Other connections
54.254.212.222
Hostname: ec2-54-254-212-222.ap-southeast-1.compute.amazonaws.com
Domains:
bbs.miui.com
reader.browser.miui.com
update.miui.com
www . miui.cn
www . miui.com
zhuomian.xiaomi.com

112.90.17.54
Domains:
pgv.m.xunlei.com
www . inewsgr.com

122.143.5.59
Hostname: 59.5.143.122.adsl-pool.jlccptt.net.cn
(Seems to be a adsl connection with no domain)

223.202.68.93
Hostname: out68-93.mxzwb3.hichina.com
Domains:
app.mi.com
dev.xiaomi.com
m.app.mi.com
mitunes.app.xiaomi.com

Music app(?) connects to:
202.173.255.152
2012-12-01 lrc.aspxp.net
2012-12-01 lrc.feiyes.net
2012-12-01 w.w.w.616hk.com
2012-12-01 w.w.w.hk238.com
2012-12-01 w.w.w.lrc123.com

123.125.114.145
2013-11-27 tinglog.baidu.com
1/53 2014-07-02 12:51:01 hxxp://tinglog.baidu.com

Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.

3/43 2014-07-08 07:39:24 facb146de47229b56bdc4481ce22fb5ec9e702dfbd7e70e82e4e4316ac1e7cbd
47/51 2014-04-28 09:25:27 091457f59fc87f5ca230c6d955407303fb5f5ba364508401a7564fb32d9a24fa
24/47 2014-01-08 08:19:43 3cf0a98570e522af692cb5f19b43085c706aa7d2f63d05469b6ac8db5c20cdcd
21/48 2013-12-02 15:15:45 7e34cb88fc82b69322f7935157922cdb17cb6c69d868a889468e297257ee9072
19/48 2013-12-01 20:02:32 bce4bd44d3373b2670a7d68e058c7ce0fa510912275d452d363777f640aa4c70

Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/53 2014-07-02 12:47:57 hxxp://dev.baidu.com/

Android-system ANT HAL Service(Framework_ext.apk/jar) connect to:
42.62.48.207
VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.
2014-04-28 app.migc.wali.com
2014-07-12 app.migc.xiaomi.com
2014-05-30 gamevip.wali.com
2014-05-30 log.wlimg.cn
2014-04-21 mitunes.game.xiaomi.com
2014-04-30 oss.wali.com
2014-05-17 p.tongji.wali.com
2014-07-13 policy.app.xiaomi.com

Latest detected URLs
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/58 2014-08-13 07:10:49 hxxp://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php
1/58 2014-08-10 00:46:35 hxxp://policy.app.xiaomi.com/
1/53 2014-07-02 12:49:59 hxxtp://oss.wali.com

Messages(Mms.apk) connect to (it literary calls back home)
54.179.146.166
2014-08-12 api.account.xiaomi.com
2014-07-26 w.w.w.asani.com.pk

What it does? It sends phone numbers you call to, send messages to, add etc to a Resin/4.0.13 java application running on a nginx webserver to collect data. Checkpackages, embedded system process/app posts all installed apps to a Tengine a/k/a nginx webserver cms.

URL: hxxtp://api.account.xiaomi.com:81/pass/v3
Server: sgpaws-ac-web01.mias
Software: Tengine/2.0.1 | Resin/4.0.13

URL: hxxp://policy.app.xiaomi.com:8080/cms/interface/v1/
Server: lg-g-com-ngx02.bj
Software: Tengine | Resin

Bottom line
They don't give a single damn about your data.. All sent in plain text.

For messages APK (Mms.apk)
I don't believe it needs those permissions for normal functionalities, this is only for the extra feature let's call it bug.

android.permission.SEND_SMS_NO_CONFIRMATION
android.permission.GET_ACCOUNTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.INTERNET
miui.permission.SHELL
android.permission.GET_TASKS
android.permission.CAMERA

Some code ... i also attached java classes and smali dalvik jvm bytecode..

Code:
#<externalId = outgoing callerid>#
package com.xiaomi.mms.net;

import android.net.Uri;
import android.net.Uri.Builder;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
import com.xiaomi.mms.utils.EasyMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import miui.net.CloudManager;

public class b
{
  public static final String qa = CloudManager.URL_ACCOUNT_BASE;
  public static final String qb = CloudManager.URL_ACCOUNT_API_V2_BASE;
  public static final String qc = CloudManager.URL_ACCOUNT_API_V3_BASE;
  public static final String qd = qa + "/serviceLogin";
  public static final String qe = qc + "/[email protected]";

  protected static String a(String paramString, Map paramMap)
  {
    if ((paramMap != null) && (!paramMap.isEmpty()))
    {
      Uri.Builder localBuilder = Uri.parse(paramString).buildUpon();
      Iterator localIterator = paramMap.entrySet().iterator();
      while (localIterator.hasNext())
      {
        Map.Entry localEntry = (Map.Entry)localIterator.next();
        localBuilder.appendQueryParameter((String)localEntry.getKey(), (String)localEntry.getValue());
      }
      paramString = localBuilder.build().toString();
    }
    return paramString;
  }

  public static c al(String paramString)
  {
    EasyMap localEasyMap = new EasyMap("type", "MXPH").a("externalId", paramString);
    d locald = new d(a(qe, localEasyMap));
    String str = TelephonyManager.getDefault().getDeviceId();
    if (!TextUtils.isEmpty(str))
      locald.l("deviceId", str);
    return locald;
  }
}
===========================================================
  public static Header a(Account paramAccount, ExtendedAuthToken paramExtendedAuthToken)
  {
    StringBuilder localStringBuilder = new StringBuilder();
    localStringBuilder.append("serviceToken=");
    localStringBuilder.append(paramExtendedAuthToken.authToken);
    localStringBuilder.append("; userId=");
    localStringBuilder.append(paramAccount.name);
    return new BasicHeader("Cookie", localStringBuilder.toString());
  }
===========================================================
  public void gT()
  {
    if (ai("http://api.comm.miui.com/miuisms/res/version").getLong("data") == PreferenceManager.getDefaultSharedPreferences(this.mContext).getLong("festival_message_version", 0L))
      return;
    Object[] arrayOfObject = new Object[1];
    arrayOfObject[0] = Integer.valueOf(this.mScreenWidth);
    a(ai(String.format("http://api.comm.miui.com/miuisms/res/categories?width=%s", arrayOfObject)).getJSONArray("data"));
  }

  public void m(long paramLong)
  {
    Cursor localCursor = this.mq.rawQuery("SELECT MIN(message_id) FROM messages WHERE category_id=" + paramLong, null);
    if (localCursor == null)
      throw new FestivalUpdater.DatabaseContentException(null);
    try
    {
      if (localCursor.moveToFirst())
      {
        long l = localCursor.getLong(0);
        Object[] arrayOfObject = new Object[3];
        arrayOfObject[0] = Long.valueOf(paramLong);
        arrayOfObject[1] = Long.valueOf(l);
        arrayOfObject[2] = Integer.valueOf(pd);
        a(ai(String.format("http://api.comm.miui.com/miuisms/res/messages?cat=%s&marker=%s&count=%s", arrayOfObject)).getJSONObject("data").getJSONArray("entries"), paramLong);
      }
      return;
    }
    finally
    {
      localCursor.close();
    }
  }
===========================================================
package miui.util;

import android.content.Context;
import android.provider.Settings.Secure;
import android.util.Log;
import org.json.JSONArray;
import org.json.JSONObject;

final class BaseNotificationFilterHelper$2
  implements Runnable
{
  BaseNotificationFilterHelper$2(Context paramContext)
  {
  }

  public void run()
  {
    try
    {
      JSONObject localJSONObject1 = Network.doHttpPostWithResponseStatus(this.val$context, "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php", BaseNotificationFilterHelper.access$000(this.val$context));
      if ((localJSONObject1.has("RESPONSE_CODE")) && (localJSONObject1.getInt("RESPONSE_CODE") == 200))
      {
        JSONObject localJSONObject2 = new JSONObject(localJSONObject1.getString("RESPONSE_BODY"));
        int i = localJSONObject2.getInt("errCode");
        if (i == 200)
        {
          JSONArray localJSONArray = localJSONObject2.getJSONArray("packages");
          StringBuilder localStringBuilder = new StringBuilder();
          for (int j = 0; j < localJSONArray.length(); j++)
          {
            localStringBuilder.append(localJSONArray.get(j).toString().trim());
            localStringBuilder.append(" ");
          }
          Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", localStringBuilder.toString());
          BaseNotificationFilterHelper.access$102(null);
          return;
        }
        if (i == 202)
        {
          Log.d("NotificationFilterHelper", "blacklist is empty ");
          Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", "");
          BaseNotificationFilterHelper.access$102(null);
          return;
        }
        if (i == 201)
          Log.d("NotificationFilterHelper", "request param empty");
      }
      else
      {
        Log.d("NotificationFilterHelper", "access network anomalies");
      }
      return;
    }
    catch (Exception localException)
    {
    }
  }
}
===========================================================
package miui.util;

import android.app.INotificationManager;
import android.app.INotificationManager.Stub;
import android.content.ContentResolver;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageItemInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.res.Resources;
import android.database.ContentObserver;
import android.os.ServiceManager;
import android.provider.Settings.Secure;
import android.provider.Settings.System;
import android.text.TextUtils;
import android.util.Log;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import miui.os.Build;
import miui.provider.CloudAppControll;
import miui.provider.CloudAppControll.TAG;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

public class BaseNotificationFilterHelper
{
  protected static final String APP_NOTIFICATION = "app_notification";
  protected static final int CODE_REQUEST_PARAM_EMPTY = 201;
  protected static final int CODE_RESPONSE_EMPTY = 202;
  protected static final int CODE_SUCCESS = 200;
  public static final int DEFAULT = 0;
  public static final int DISABLE_ALL = 3;
  public static final int DISABLE_ICON = 1;
  public static final int ENABLE = 2;
  protected static final String EXPANDED_BLACK_LIST_CODE = "errCode";
  protected static final String EXPANDED_BLACK_LIST_PACKAGES = "packages";
  public static final int NONE = 0;
  protected static final String SYSTEMUI_PACKAGE_NAME = "com.android.systemui";
  protected static final String TAG = "NotificationFilterHelper";
  protected static final String URL = "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php";
  private static HashSet<String> mBlacklist;
  protected static INotificationManager nm;
  protected static HashSet<String> sFilterList = new HashSet();
  protected static HashMap<String, Integer> sFilterMap = new HashMap();
  private static HashMap<String, Boolean> sIsSystemApp;
  protected static HashMap<String, Integer> sUidMap = new HashMap();

  static
  {
    if (Build.IS_INTERNATIONAL_BUILD);
    for (int i = 2; ; i = 1)
    {
      DEFAULT = i;
      nm = INotificationManager.Stub.asInterface(ServiceManager.getService("notification"));
      mBlacklist = null;
      sIsSystemApp = new HashMap();
      return;
    }
  }

  protected static void enableStatusIcon(Context paramContext, String paramString, int paramInt)
  {
    getSharedPreferences(paramContext).edit().putInt(paramString, paramInt).commit();
  }

  public static void enableStatusIcon(Context paramContext, String paramString, boolean paramBoolean)
  {
    if (paramBoolean);
    for (int i = 2; ; i = 1)
    {
      enableStatusIcon(paramContext, paramString, i);
      return;
    }
  }

  public static String getAppNotificationText(Context paramContext, String paramString)
  {
    int i = 101450315;
    switch (NotificationFilterHelper.getInstance().getAppFlag(paramContext, paramString, true))
    {
    default:
    case 3:
    case 1:
    case 2:
    }
    while (true)
    {
      return paramContext.getResources().getString(i);
      i = 101450314;
      continue;
      i = 101450315;
      continue;
      i = 101450313;
    }
  }

  public static int getAppUid(Context paramContext, String paramString)
  {
    int i = 0;
    if (sUidMap.containsKey(paramString))
      return ((Integer)sUidMap.get(paramString)).intValue();
    try
    {
      i = paramContext.getPackageManager().getApplicationInfo(paramString, 0).uid;
      sUidMap.put(paramString, Integer.valueOf(i));
      return i;
    }
    catch (PackageManager.NameNotFoundException localNameNotFoundException)
    {
    }
    return i;
  }

  protected static int getDefaultFlag(Context paramContext, String paramString)
  {
    initFilterList(paramContext);
    if (sFilterList.contains(paramString))
      return 2;
    return 0;
  }

  protected static int getGameCenterFlag(Context paramContext, String paramString)
  {
    readBlacklist(paramContext);
    if (mBlacklist.contains(paramString))
      return 3;
    return 0;
  }

  private static String getInstalledAppsJson(Context paramContext)
  {
    JSONObject localJSONObject = new JSONObject();
    JSONArray localJSONArray = new JSONArray();
    Iterator localIterator = paramContext.getPackageManager().getInstalledPackages(0).iterator();
    while (localIterator.hasNext())
    {
      PackageInfo localPackageInfo = (PackageInfo)localIterator.next();
      if ((0x1 & localPackageInfo.applicationInfo.flags) == 0)
        localJSONArray.put(localPackageInfo.packageName + "/" + localPackageInfo.versionCode);
    }
    try
    {
      localJSONObject.put("packages", localJSONArray);
      return localJSONObject.toString();
    }
    catch (JSONException localJSONException)
    {
    }
    return "";
  }

  protected static int getNetDefaultFlag(Context paramContext, String paramString)
  {
    if (sFilterMap.containsKey(paramString))
      return ((Integer)sFilterMap.get(paramString)).intValue();
    return loadAppNetFlagByPkg(paramContext, paramString);
  }

  public static SharedPreferences getSharedPreferences(Context paramContext)
  {
    if (!paramContext.getPackageName().equals("com.android.systemui"));
    try
    {
      Context localContext = paramContext.createPackageContext("com.android.systemui", 2);
      paramContext = localContext;
      return paramContext.getSharedPreferences("app_notification", 4);
    }
    catch (PackageManager.NameNotFoundException localNameNotFoundException)
    {
      while (true)
        localNameNotFoundException.printStackTrace();
    }
  }

  protected static void initFilterList(Context paramContext)
  {
    if (sFilterList.size() == 0)
    {
      String str = Settings.System.getString(paramContext.getContentResolver(), "status_bar_notification_filter_white_list");
      if (!TextUtils.isEmpty(str))
      {
        String[] arrayOfString = str.split(" ");
        for (int i = 0; i < arrayOfString.length; i++)
          sFilterList.add(arrayOfString[i]);
      }
      sFilterList.add("cn.com.fetion");
      sFilterList.add("com.google.android.talk");
      sFilterList.add("com.tencent.mm");
      sFilterList.add("com.tencent.qq");
      sFilterList.add("com.tencent.mobileqq");
      sFilterList.add("com.xiaomi.channel");
    }
  }

  public static boolean isNotificationForcedFor(Context paramContext, String paramString)
  {
    int i = getAppUid(paramContext, paramString);
    return ("android".equals(paramString)) || (i == 1000) || (i == 1001) || (i == 0);
  }

  public static boolean isSystemApp(String paramString, PackageManager paramPackageManager)
  {
    Boolean localBoolean = (Boolean)sIsSystemApp.get(paramString);
    if (localBoolean == null);
    try
    {
      ApplicationInfo localApplicationInfo2 = paramPackageManager.getApplicationInfo(paramString, 0);
      localApplicationInfo1 = localApplicationInfo2;
      boolean bool = false;
      if (localApplicationInfo1 != null)
      {
        int i = 0x1 & localApplicationInfo1.flags;
        bool = false;
        if (i != 0)
          bool = true;
      }
      localBoolean = Boolean.valueOf(bool);
      sIsSystemApp.put(paramString, localBoolean);
      return localBoolean.booleanValue();
    }
    catch (PackageManager.NameNotFoundException localNameNotFoundException)
    {
      while (true)
        ApplicationInfo localApplicationInfo1 = null;
    }
  }

  protected static boolean isUserSetttingInited(Context paramContext, String paramString)
  {
    int i = getSharedPreferences(paramContext).getInt(paramString, 0);
    boolean bool = false;
    if (i != 0)
      bool = true;
    return bool;
  }

  public static void loadAppNetFlag(Context paramContext)
  {
    new Thread(new Runnable()
    {
      public void run()
      {
        BaseNotificationFilterHelper.sFilterMap.clear();
        Iterator localIterator = this.val$context.getPackageManager().getInstalledPackages(0).iterator();
        while (localIterator.hasNext())
        {
          PackageInfo localPackageInfo = (PackageInfo)localIterator.next();
          if ((0x1 & localPackageInfo.applicationInfo.flags) == 0)
          {
            String str = localPackageInfo.applicationInfo.packageName;
            BaseNotificationFilterHelper.loadAppNetFlagByPkg(this.val$context, str);
          }
        }
      }
    }).start();
  }

  public static int loadAppNetFlagByPkg(Context paramContext, String paramString)
  {
    int i = CloudAppControll.get(paramContext, CloudAppControll.TAG.TAG_NOTIFICATION_BLACKLIST, paramString);
    if (i == -1)
      return 0;
    sFilterMap.put(paramString, Integer.valueOf(i));
    return i;
  }

  public static void observeSettingChanged(ContentResolver paramContentResolver, ContentObserver paramContentObserver)
  {
    paramContentResolver.registerContentObserver(Settings.System.getUriFor("status_bar_notification_filter_white_list"), false, paramContentObserver);
  }

  private static void readBlacklist(Context paramContext)
  {
    if (mBlacklist == null)
    {
      mBlacklist = new HashSet();
      String str = Settings.Secure.getString(paramContext.getContentResolver(), "status_bar_expanded_notification_black_list");
      if (!TextUtils.isEmpty(str))
      {
        String[] arrayOfString = str.split(" ");
        for (int i = 0; i < arrayOfString.length; i++)
          mBlacklist.add(arrayOfString[i]);
      }
    }
  }

  public static void requestBlacklist(Context paramContext)
  {
    new Thread(new Runnable()
    {
      public void run()
      {
        try
        {
          JSONObject localJSONObject1 = Network.doHttpPostWithResponseStatus(this.val$context, "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php", BaseNotificationFilterHelper.getInstalledAppsJson(this.val$context));
          if ((localJSONObject1.has("RESPONSE_CODE")) && (localJSONObject1.getInt("RESPONSE_CODE") == 200))
          {
            JSONObject localJSONObject2 = new JSONObject(localJSONObject1.getString("RESPONSE_BODY"));
            int i = localJSONObject2.getInt("errCode");
            if (i == 200)
            {
              JSONArray localJSONArray = localJSONObject2.getJSONArray("packages");
              StringBuilder localStringBuilder = new StringBuilder();
              for (int j = 0; j < localJSONArray.length(); j++)
              {
                localStringBuilder.append(localJSONArray.get(j).toString().trim());
                localStringBuilder.append(" ");
              }
              Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", localStringBuilder.toString());
              BaseNotificationFilterHelper.access$102(null);
              return;
            }
            if (i == 202)
            {
              Log.d("NotificationFilterHelper", "blacklist is empty ");
              Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", "");
              BaseNotificationFilterHelper.access$102(null);
              return;
            }
            if (i == 201)
              Log.d("NotificationFilterHelper", "request param empty");
          }
          else
          {
            Log.d("NotificationFilterHelper", "access network anomalies");
          }
          return;
        }
        catch (Exception localException)
        {
        }
      }
    }).start();
  }

  protected boolean areNotificationsEnabled(Context paramContext, String paramString)
  {
    return false;
  }

  public boolean canSendNotifications(Context paramContext, String paramString)
  {
    return getAppFlag(paramContext, paramString, true) != 3;
  }

  public void enableAppNotification(Context paramContext, String paramString, boolean paramBoolean)
  {
  }

  public void enableNotifications(Context paramContext, String paramString, boolean paramBoolean)
  {
    enableAppNotification(paramContext, paramString, paramBoolean);
  }

  public int getAppFlag(Context paramContext, String paramString, boolean paramBoolean)
  {
    if (paramBoolean);
    for (boolean bool = areNotificationsEnabled(paramContext, paramString); bool; bool = true)
    {
      int i = getSharedPreferences(paramContext).getInt(paramString, 0);
      if ((i == 0) && (isSystemApp(paramString, paramContext.getPackageManager())))
        i = 2;
      if (i == 0)
        i = getNetDefaultFlag(paramContext, paramString);
      if (i == 0)
        i = getDefaultFlag(paramContext, paramString);
      if (i == 0)
        i = getGameCenterFlag(paramContext, paramString);
      if (i == 0)
        i = DEFAULT;
      return i;
    }
    return 3;
  }

  public void initUserSetting(Context paramContext, String paramString)
  {
    if (!isUserSetttingInited(paramContext, paramString))
    {
      if (isSystemApp(paramString, paramContext.getPackageManager()))
        enableStatusIcon(paramContext, paramString, true);
    }
    else
      return;
    int i = getAppFlag(paramContext, paramString, false);
    if (i == 3)
    {
      enableAppNotification(paramContext, paramString, false);
      enableStatusIcon(paramContext, paramString, false);
      return;
    }
    enableStatusIcon(paramContext, paramString, i);
  }
}

RELATED
http://apkscan.nviso.be/report/show/48b5666fa2bcbe738c0b623da712918f
http://lists.clean-mx.com/pipermail/viruswatch/20130714/072661.html

OTHER SOURCES
http://www.newmobilelife.com/2014/08/12/xiaomi-china-server/
http://www.htcmania.com/showthread.php?p=14730859
 

Attachments

  • doors.zip
    216.2 KB · Views: 395
Last edited:

NiTrOwow

Senior Member
Jul 20, 2010
199
56
Removing the backdoors.

Root your device & install

- System app remover (ROOT)
- Root browser
- Android terminal emulator
- Droidwall

Remove apps using System app remover:

* AntHalService
* XiaomiServiceFramework
* Cleanmaster
* com.xiaomi.gamecenter.adk.service
* com.duokan.airkan.phone

# MAKE BACKUP OF YOUR PHONE IN CASE OF FAILURE! #

Download XVI32 or use your favorite hex editor.

Copy framework_ext.odex from /system/framework/ to your sd card with root browser and then connect your phone to your pc and copy the file to you pc.
Open it in XVI32 or another hex editor and search for "http://" (without quotes) now replace all "http://www.example.com" or "http://example.com" with "http://localhost/leavealltheotherstuff.here.com" Don't removed lines or other stuff or it will f*ck up the dalvik bytecode.
Save the file as "framework_ext_.odex" and place it on your phone's internal memory.
Now open Root browser copy the patched file to /system/framework/ rename it to "framework_ext.odex" and overwrite the old system file with the patch (make sure you have a backup of your phone just in case!). Now open Terminal emulator on your phone and do the following,

Code:
su
now give the emulator root access
Code:
cd /system/framework
chmod 644 framework_ext.odex
chown root:root framework_ext.odex
ls -la framework_ext.odex
Verify this, if it looks fine
Code:
reboot

Now open Droidwall enable it and only select apps you trust, don't select any from Xiaomi. Even the music app sends data. So simply drop all of them.

HELP MY DEVICE IS BRICKED
No worries bro.
Get system.img for your version of miui and start the phone in fastboot (vol- + pwr)

Recovery.bat
Code:
@echo off
title Recovery
echo flashing system.img on device... please wait !
fastboot fastboot flash system system.img
fastboot erase cache
fastboot reboot
echo Done, rebooting
pause >nul

Use Droidwall to block ID 0(root system processes) and ID kernel. If you don't do this it will sent info about the apps you open to umeng.com.

Anyways that's it for so far. I hope this helps you.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,449
2,215
-∇ϕ
That is seriously messed up and illegal in most European Countries! It seem that they are begging for a Class Action Lawsuit! Let them have it!

Thank you for your important and detailed work!

Perhaps @BSDgeek_Jake would consider to add all those servers to his MoaAB hosts file?
 

NiTrOwow

Senior Member
Jul 20, 2010
199
56
That is seriously messed up and illegal in most European Countries! It seem that they are begging for a Class Action Lawsuit! Let them have it!

Thank you for your important and detailed work!

Perhaps @BSDgeek_Jake would consider to add all those servers to his MoaAB hosts file?
They deserve a lawsuit, not only for cloning Apple's iOS but also for the backdoors and crapware that connects to the internet and does stuff. Such a big company as this can't just walk away if nothing has ever happaned. They have sold over 14 million phones. 14 MILLION!

Host file doesn't work as the other spyware is in system processes that runs as ID0 simply ignores the host file somehow. I tested it several times and it just ignores the host file? :(

A rom update/fix has pop'd up.
http://www.needrom.com/download/redmi-1s-wcdma-global-multi-4-3-no-spywarebloatware
It's MIUI v5 with nova in the pics you see (the rom appears to come just like stock but with no backdoor etc) thanks to whoever made it.
 
Last edited:

Palela

Member
Aug 16, 2008
34
24
Hi,

Can you give way to clean rom for Mi2S because applications are not the same as in your description :(
 

Accidd

Senior Member
Aug 16, 2009
110
89
Wroclaw
Wait so... this means XDA discovered that MIUI OS connects to the internet?

And you want to send Hugo a small fragment of mms app code with Cloud messaging - which is standard and optional MIUI feature?
Is that your proof? Congrats. Much ado about nothing...

GameSDKService? Of course because this is the stock chinese app with games (usually pirated), but the app is only in chinese original roms.
Every port, every multilang rom doesnt have those apps.

Also Duokan service provide online content to Music and Video apps. This is standard MIUI feature from beginning.
Please note that Global versions of the MIUI roms (so outside china mainland) doesnt have online features.

All stuff presented above IS not a proof!
If I were Hugo I would lough down this after reading.
 

zelendel

Senior Member
Aug 11, 2008
23,372
20,600
OnePlus 6T
Samsung Galaxy S21 Ultra
Wait so... this means XDA discovered that MIUI OS connects to the internet?

And you want to send Hugo a small fragment of mms app code with Cloud messaging - which is standard and optional MIUI feature?
Is that your proof? Congrats. Much ado about nothing...

GameSDKService? Of course because this is the stock chinese app with games (usually pirated), but the app is only in chinese original roms.
Every port, every multilang rom doesnt have those apps.

Also Duokan service provide online content to Music and Video apps. This is standard MIUI feature from beginning.
Please note that Global versions of the MIUI roms (so outside china mainland) doesnt have online features.

All stuff presented above IS not a proof!
If I were Hugo I would lough down this after reading.

First off XDA didn't find it a user did. It was just posted and asked for clarification.

Second off after the last privacy issue this OEM had you can expect people to be Leary of them.

Third. If a OEM is going to blatantly disregard copyright laws as well as the gpl you have to understand why people will not trust them. They need to very transparent with things like this. Mainly if they plain to ever make a world wide release.
 
  • Like
Reactions: NeRd^ and Mazda

Accidd

Senior Member
Aug 16, 2009
110
89
Wroclaw
I agree. But also take into account that not every piece of code presented by some user containing words "online", "sync" or ip tracing to chinese server is already a backdoor as the op presented to us. Which without proof is just a normal accusations.

As I said. In global versions of MIUI most of online Xiaomi services are disabled.

Wysłane z MI4 W
 

setmov

Senior Member
Dec 5, 2012
178
100
I agree. But also take into account that not every piece of code presented by some user containing words "online", "sync" or ip tracing to chinese server is already a backdoor as the op presented to us. Which without proof is just a normal accusations.

As I said. In global versions of MIUI most of online Xiaomi services are disabled.

Wysłane z MI4 W

Are you are working for Xiaomi? Marketing maybe?
 

Accidd

Senior Member
Aug 16, 2009
110
89
Wroclaw
Nope.
I'm working with MIUI roms for 4 years now. And also been using MI2, MI3, Redmi, MiPad and now MI4 devices.
I also translate MIUI to my own language and run Xiaomi.eu multilang project.
We do multilang roms there every week for many devices.

I do not have access to MIUI source code - as only xiaomi does that, but I'm digging in MIUI apps all the time.
Decoding, fixing MIUI bugs, recompile, build. Everything.

Take a look into this thread:
http://forum.xda-developers.com/showpost.php?p=55283079&postcount=8

where I explained some facts.
 
Last edited:

setmov

Senior Member
Dec 5, 2012
178
100
Nope.
I'm working with MIUI roms for 4 years now. And also been using MI2, MI3, Redmi, MiPad and now MI4 devices.
I also translate MIUI to my own language and run Xiaomi.eu multilang project.
We do multilang roms there every week for many devices.

I do not have access to MIUI source code - as only xiaomi does that, but I'm digging in MIUI apps all the time.
Decoding, fixing MIUI bugs, recompile, build. Everything.

Take a look into this thread:
http://forum.xda-developers.com/showpost.php?p=55283079&postcount=8

where I explained some facts.

I can understand your point, and frankly, I have not a Xiaomi phone, but I am using a MIUI Rom on my Lenovo. I love the rom, quick, smooth, great performance and fully of features and themes, simply beautiful, but I can also understand the concern raised in this thread. In these days, people (most of) accept things as they are, not as they should be. That way the "agencies" and all the other "followers" (software devs, manufacturers, and so on) are using their chances to mislead the masses, with the intent to control every single bit of information about our lives (from sensitive, to marketing purposes infos)! That said, I think that no one manufacturer is not misusing their power, and hope that one day, a solution will be found (even if I doubt it) to let us have our privacy as human being! I fully support this thread and would love to see more thread like this one, exactly because the aforementioned.
 

Accidd

Senior Member
Aug 16, 2009
110
89
Wroclaw
Well sometimes I don't get one thing. People are worried about using Chinese brands but they use Apple, or Google phones in USA that can give all your stuff to NSA in 5 minutes if they want so. If you prefere not to share your emails or photos with governments (USA or China) then don't use your smartphone. Use Nokia 3210.

Wysłane z MI4 W
 

zelendel

Senior Member
Aug 11, 2008
23,372
20,600
OnePlus 6T
Samsung Galaxy S21 Ultra
Well sometimes I don't get one thing. People are worried about using Chinese brands but they use Apple, or Google phones in USA that can give all your stuff to NSA in 5 minutes if they want so. If you prefere not to share your emails or photos with governments (USA or China) then don't use your smartphone. Use Nokia 3210.

Wysłane z MI4 W

There are laws here that protect people. The laws in China are very different. And China's own actions are the cause people dont trust them. I mean come on. They respect no ones rights at all. The are known for pirating apps, breaking copyright laws and flat out ignoring the laws that dictate what they need to do. Not to mention ripping off the work of others and claiming it as their own.
 

Accidd

Senior Member
Aug 16, 2009
110
89
Wroclaw
There are laws here that protect people. The laws in China are very different. And China's own actions are the cause people dont trust them. I mean come on. They respect no ones rights at all. The are known for pirating apps, breaking copyright laws and flat out ignoring the laws that dictate what they need to do. Not to mention ripping off the work of others and claiming it as their own.

Thats true and I agree. But Chinese also protect their identities. All syncing services in MIUI seems to be encrypted.
If some random guy claims different they let him prove it if his SMS is sent plain text and then other can read them.
And also users have choice. Again. You can use MIUI OS without syncing with Mi Cloud if you dont want to.

Pirating apps, breaking copyright laws is true for China. And you are right.
But the privacy, for some brands (maybe not all) can still be protected.

Thats why I make multilang roms over xiaomi.eu. We tend to cut lot of chinese apps that EU user wont need or it will not work for them. Mentioned GameServiceSDK or some Duokan services are just app features, that give users chinese content but not steal any data (as presented in first post). This can also be removed from rom as we do that.

So also this is not that we or I accept all chinese stuff in stock rom and use it. We try to minimase the chinese influence in rom to end user.
 

adkz

Senior Member
Feb 7, 2010
169
10
Kota Kinabalu
adkz.blogspot.com
Not to say I support china or what, but privacy issue? Apple cloud server got hacked and all the celeb personal picture got expose (tot apple claim it was not from them). Nobody was complaining this much when apple and google sync every little personal data into their server but complain about xiomi taking user data secretly? So it should be done openly? lol
 
  • Like
Reactions: 1BadWolf

setmov

Senior Member
Dec 5, 2012
178
100
Well sometimes I don't get one thing. People are worried about using Chinese brands but they use Apple, or Google phones in USA that can give all your stuff to NSA in 5 minutes if they want so. If you prefere not to share your emails or photos with governments (USA or China) then don't use your smartphone. Use Nokia 3210.

Wysłane z MI4 W


Yes you are right about that, but would be nice if there would be some way to protect ourselves.


There are laws here that protect people. The laws in China are very different. And China's own actions are the cause people dont trust them. I mean come on. They respect no ones rights at all. The are known for pirating apps, breaking copyright laws and flat out ignoring the laws that dictate what they need to do. Not to mention ripping off the work of others and claiming it as their own.


You are right about piracy and copyright, but it seems only things related to copyright concerns us (eg. multi million law suits). The strongest privacy laws are in Europe, not USA. In the USA we have no rights, since we are living in a drive-by-money country, not drive-by-laws! Sad thing is the fact that our "best" companies exploit Chinese people (eg. Apple pays $1,36 per iPhone for the labor force to the little Chinese people - and they sell them to us for $600), and we are concerned about our privacy, but actually we use a Chinese man made product (fact!!!). The point here is not to blame the manufacturer, or the retailer, but to find a way, by ourselves (because no "big guys" is gonna help you) to protect our privacy, both online or offline!


Not to say I support china or what, but privacy issue? Apple cloud server got hacked and all the celeb personal picture got expose (tot apple claim it was not from them). Nobody was complaining this much when apple and google sync every little personal data into their server but complain about xiomi taking user data secretly? So it should be done openly? lol


You are 100% right!
 

zelendel

Senior Member
Aug 11, 2008
23,372
20,600
OnePlus 6T
Samsung Galaxy S21 Ultra
Yes you are right about that, but would be nice if there would be some way to protect ourselves.





You are right about piracy and copyright, but it seems only things related to copyright concerns us (eg. multi million law suits). The strongest privacy laws are in Europe, not USA. In the USA we have no rights, since we are living in a drive-by-money country, not drive-by-laws! Sad thing is the fact that our "best" companies exploit Chinese people (eg. Apple pays $1,36 per iPhone for the labor force to the little Chinese people - and they sell them to us for $600), and we are concerned about our privacy, but actually we use a Chinese man made product (fact!!!). The point here is not to blame the manufacturer, or the retailer, but to find a way, by ourselves (because no "big guys" is gonna help you) to protect our privacy, both online or offline!





You are 100% right!


What Apple does in China is one of the reasons Ill never touch an apple product. The companies you stated tell you what they collect. The main issue here is they are not disclosing what they are collecting.

No if you think it is right or wrong is not important. What is important is finding a way to make them be very clear about what they are doing and how to stop it.

Now one user posted how to shut it off. IF it works good. IF not then we need to start ripping apart the system and remove the coding and all access to their services.

Might not be a matter here soon as there are teams already working on ripping MIUI apart and making it open source. It will take time but I am sure it will happen.
 
  • Like
Reactions: NeRd^ and paarkhi

yeahman45

Senior Member
Dec 26, 2010
1,683
108
are those backdoors the same thing that Xiaomi was saying that data was sent only because of their cloud messaging app?; they said they will provide option to disable in the next release?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 10
    Removing the backdoors.

    Root your device & install

    - System app remover (ROOT)
    - Root browser
    - Android terminal emulator
    - Droidwall

    Remove apps using System app remover:

    * AntHalService
    * XiaomiServiceFramework
    * Cleanmaster
    * com.xiaomi.gamecenter.adk.service
    * com.duokan.airkan.phone

    # MAKE BACKUP OF YOUR PHONE IN CASE OF FAILURE! #

    Download XVI32 or use your favorite hex editor.

    Copy framework_ext.odex from /system/framework/ to your sd card with root browser and then connect your phone to your pc and copy the file to you pc.
    Open it in XVI32 or another hex editor and search for "http://" (without quotes) now replace all "http://www.example.com" or "http://example.com" with "http://localhost/leavealltheotherstuff.here.com" Don't removed lines or other stuff or it will f*ck up the dalvik bytecode.
    Save the file as "framework_ext_.odex" and place it on your phone's internal memory.
    Now open Root browser copy the patched file to /system/framework/ rename it to "framework_ext.odex" and overwrite the old system file with the patch (make sure you have a backup of your phone just in case!). Now open Terminal emulator on your phone and do the following,

    Code:
    su
    now give the emulator root access
    Code:
    cd /system/framework
    chmod 644 framework_ext.odex
    chown root:root framework_ext.odex
    ls -la framework_ext.odex
    Verify this, if it looks fine
    Code:
    reboot

    Now open Droidwall enable it and only select apps you trust, don't select any from Xiaomi. Even the music app sends data. So simply drop all of them.

    HELP MY DEVICE IS BRICKED
    No worries bro.
    Get system.img for your version of miui and start the phone in fastboot (vol- + pwr)

    Recovery.bat
    Code:
    @echo off
    title Recovery
    echo flashing system.img on device... please wait !
    fastboot fastboot flash system system.img
    fastboot erase cache
    fastboot reboot
    echo Done, rebooting
    pause >nul

    Use Droidwall to block ID 0(root system processes) and ID kernel. If you don't do this it will sent info about the apps you open to umeng.com.

    Anyways that's it for so far. I hope this helps you.
    8
    So I've basically got myself in this sh*t because lack of care.. Until it pop'd and hit the highlights.

    And now straight to the point. It doesn't f*ckin matters if you had a fw or not. As the backdoors are embedded in ROOT system processes.
    And those where obviously white-listed as i didn't think of a nasty Chinese guy sitting in it calling back home. My friend who got the same phone found the article as i was having my vacation for a bit, so when i found out i did a bit a research of course on my device. After finding all this i e-mail'd him it and he posted it on the Xiaomi European forums. Guess what happened, it got deleted. So they know damn good what they're doing.

    When you purchase Xiaomi products or services, we’ll collect relevant personal information, including but not limited: delivery information, bank account, credit card information, bill address, credit check and other financial information, contact or communication records.

    OP said:
    XMPP connection (always connected when network available)
    54.255.185.236
    hostname: ec2-54-255-185-236.ap-southeast-1.compute.amazonaws.com
    (Seems not to have a domain) The IP address was also not found in any system modules in plain or unicode text. Assuming it is encoded / encrypted somewhere in a native application, system module, or not in a native app but in a dalvik compiled image.

    Other connections
    54.254.212.222
    Hostname: ec2-54-254-212-222.ap-southeast-1.compute.amazonaws.com
    Domains:
    bbs.miui.com
    reader.browser.miui.com
    update.miui.com
    www . miui.cn
    www . miui.com
    zhuomian.xiaomi.com

    112.90.17.54
    Domains:
    pgv.m.xunlei.com
    www . inewsgr.com

    122.143.5.59
    Hostname: 59.5.143.122.adsl-pool.jlccptt.net.cn
    (Seems to be a adsl connection with no domain)

    223.202.68.93
    Hostname: out68-93.mxzwb3.hichina.com
    Domains:
    app.mi.com
    dev.xiaomi.com
    m.app.mi.com
    mitunes.app.xiaomi.com

    Music app(?) connects to:
    202.173.255.152
    2012-12-01 lrc.aspxp.net
    2012-12-01 lrc.feiyes.net
    2012-12-01 w.w.w.616hk.com
    2012-12-01 w.w.w.hk238.com
    2012-12-01 w.w.w.lrc123.com

    123.125.114.145
    2013-11-27 tinglog.baidu.com
    1/53 2014-07-02 12:51:01 hxxp://tinglog.baidu.com

    Latest detected files that communicate with this IP address
    Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.

    3/43 2014-07-08 07:39:24 facb146de47229b56bdc4481ce22fb5ec9e702dfbd7e70e82e4e4316ac1e7cbd
    47/51 2014-04-28 09:25:27 091457f59fc87f5ca230c6d955407303fb5f5ba364508401a7564fb32d9a24fa
    24/47 2014-01-08 08:19:43 3cf0a98570e522af692cb5f19b43085c706aa7d2f63d05469b6ac8db5c20cdcd
    21/48 2013-12-02 15:15:45 7e34cb88fc82b69322f7935157922cdb17cb6c69d868a889468e297257ee9072
    19/48 2013-12-01 20:02:32 bce4bd44d3373b2670a7d68e058c7ce0fa510912275d452d363777f640aa4c70

    Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
    1/53 2014-07-02 12:47:57 hxxp://dev.baidu.com/

    Android-system ANT HAL Service(Framework_ext.apk/jar) connect to:
    42.62.48.207
    VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.
    2014-04-28 app.migc.wali.com
    2014-07-12 app.migc.xiaomi.com
    2014-05-30 gamevip.wali.com
    2014-05-30 log.wlimg.cn
    2014-04-21 mitunes.game.xiaomi.com
    2014-04-30 oss.wali.com
    2014-05-17 p.tongji.wali.com
    2014-07-13 policy.app.xiaomi.com

    Latest detected URLs
    Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
    1/58 2014-08-13 07:10:49 hxxp://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php
    1/58 2014-08-10 00:46:35 hxxp://policy.app.xiaomi.com/
    1/53 2014-07-02 12:49:59 hxxtp://oss.wali.com

    Messages(Mms.apk) connect to (it literary calls back home)
    54.179.146.166
    2014-08-12 api.account.xiaomi.com
    2014-07-26 w.w.w.asani.com.pk

    What it does? It sends phone numbers you call to, send messages to, add etc to a Resin/4.0.13 java application running on a nginx webserver to collect data. Checkpackages, embedded system process/app posts all installed apps to a Tengine a/k/a nginx webserver cms.

    URL: hxxtp://api.account.xiaomi.com:81/pass/v3
    Server: sgpaws-ac-web01.mias
    Software: Tengine/2.0.1 | Resin/4.0.13

    URL: hxxp://policy.app.xiaomi.com:8080/cms/interface/v1/
    Server: lg-g-com-ngx02.bj
    Software: Tengine | Resin

    Bottom line
    They don't give a single damn about your data.. All sent in plain text.

    For messages APK (Mms.apk)
    I don't believe it needs those permissions for normal functionalities, this is only for the extra feature let's call it bug.

    android.permission.SEND_SMS_NO_CONFIRMATION
    android.permission.GET_ACCOUNTS
    android.permission.WRITE_EXTERNAL_STORAGE
    android.permission.ACCESS_NETWORK_STATE
    android.permission.CHANGE_NETWORK_STATE
    android.permission.INTERNET
    miui.permission.SHELL
    android.permission.GET_TASKS
    android.permission.CAMERA

    Some code ... i also attached java classes and smali dalvik jvm bytecode..

    Code:
    #<externalId = outgoing callerid>#
    package com.xiaomi.mms.net;
    
    import android.net.Uri;
    import android.net.Uri.Builder;
    import android.telephony.TelephonyManager;
    import android.text.TextUtils;
    import com.xiaomi.mms.utils.EasyMap;
    import java.util.Iterator;
    import java.util.Map;
    import java.util.Map.Entry;
    import java.util.Set;
    import miui.net.CloudManager;
    
    public class b
    {
      public static final String qa = CloudManager.URL_ACCOUNT_BASE;
      public static final String qb = CloudManager.URL_ACCOUNT_API_V2_BASE;
      public static final String qc = CloudManager.URL_ACCOUNT_API_V3_BASE;
      public static final String qd = qa + "/serviceLogin";
      public static final String qe = qc + "/[email protected]";
    
      protected static String a(String paramString, Map paramMap)
      {
        if ((paramMap != null) && (!paramMap.isEmpty()))
        {
          Uri.Builder localBuilder = Uri.parse(paramString).buildUpon();
          Iterator localIterator = paramMap.entrySet().iterator();
          while (localIterator.hasNext())
          {
            Map.Entry localEntry = (Map.Entry)localIterator.next();
            localBuilder.appendQueryParameter((String)localEntry.getKey(), (String)localEntry.getValue());
          }
          paramString = localBuilder.build().toString();
        }
        return paramString;
      }
    
      public static c al(String paramString)
      {
        EasyMap localEasyMap = new EasyMap("type", "MXPH").a("externalId", paramString);
        d locald = new d(a(qe, localEasyMap));
        String str = TelephonyManager.getDefault().getDeviceId();
        if (!TextUtils.isEmpty(str))
          locald.l("deviceId", str);
        return locald;
      }
    }
    ===========================================================
      public static Header a(Account paramAccount, ExtendedAuthToken paramExtendedAuthToken)
      {
        StringBuilder localStringBuilder = new StringBuilder();
        localStringBuilder.append("serviceToken=");
        localStringBuilder.append(paramExtendedAuthToken.authToken);
        localStringBuilder.append("; userId=");
        localStringBuilder.append(paramAccount.name);
        return new BasicHeader("Cookie", localStringBuilder.toString());
      }
    ===========================================================
      public void gT()
      {
        if (ai("http://api.comm.miui.com/miuisms/res/version").getLong("data") == PreferenceManager.getDefaultSharedPreferences(this.mContext).getLong("festival_message_version", 0L))
          return;
        Object[] arrayOfObject = new Object[1];
        arrayOfObject[0] = Integer.valueOf(this.mScreenWidth);
        a(ai(String.format("http://api.comm.miui.com/miuisms/res/categories?width=%s", arrayOfObject)).getJSONArray("data"));
      }
    
      public void m(long paramLong)
      {
        Cursor localCursor = this.mq.rawQuery("SELECT MIN(message_id) FROM messages WHERE category_id=" + paramLong, null);
        if (localCursor == null)
          throw new FestivalUpdater.DatabaseContentException(null);
        try
        {
          if (localCursor.moveToFirst())
          {
            long l = localCursor.getLong(0);
            Object[] arrayOfObject = new Object[3];
            arrayOfObject[0] = Long.valueOf(paramLong);
            arrayOfObject[1] = Long.valueOf(l);
            arrayOfObject[2] = Integer.valueOf(pd);
            a(ai(String.format("http://api.comm.miui.com/miuisms/res/messages?cat=%s&marker=%s&count=%s", arrayOfObject)).getJSONObject("data").getJSONArray("entries"), paramLong);
          }
          return;
        }
        finally
        {
          localCursor.close();
        }
      }
    ===========================================================
    package miui.util;
    
    import android.content.Context;
    import android.provider.Settings.Secure;
    import android.util.Log;
    import org.json.JSONArray;
    import org.json.JSONObject;
    
    final class BaseNotificationFilterHelper$2
      implements Runnable
    {
      BaseNotificationFilterHelper$2(Context paramContext)
      {
      }
    
      public void run()
      {
        try
        {
          JSONObject localJSONObject1 = Network.doHttpPostWithResponseStatus(this.val$context, "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php", BaseNotificationFilterHelper.access$000(this.val$context));
          if ((localJSONObject1.has("RESPONSE_CODE")) && (localJSONObject1.getInt("RESPONSE_CODE") == 200))
          {
            JSONObject localJSONObject2 = new JSONObject(localJSONObject1.getString("RESPONSE_BODY"));
            int i = localJSONObject2.getInt("errCode");
            if (i == 200)
            {
              JSONArray localJSONArray = localJSONObject2.getJSONArray("packages");
              StringBuilder localStringBuilder = new StringBuilder();
              for (int j = 0; j < localJSONArray.length(); j++)
              {
                localStringBuilder.append(localJSONArray.get(j).toString().trim());
                localStringBuilder.append(" ");
              }
              Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", localStringBuilder.toString());
              BaseNotificationFilterHelper.access$102(null);
              return;
            }
            if (i == 202)
            {
              Log.d("NotificationFilterHelper", "blacklist is empty ");
              Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", "");
              BaseNotificationFilterHelper.access$102(null);
              return;
            }
            if (i == 201)
              Log.d("NotificationFilterHelper", "request param empty");
          }
          else
          {
            Log.d("NotificationFilterHelper", "access network anomalies");
          }
          return;
        }
        catch (Exception localException)
        {
        }
      }
    }
    ===========================================================
    package miui.util;
    
    import android.app.INotificationManager;
    import android.app.INotificationManager.Stub;
    import android.content.ContentResolver;
    import android.content.Context;
    import android.content.SharedPreferences;
    import android.content.SharedPreferences.Editor;
    import android.content.pm.ApplicationInfo;
    import android.content.pm.PackageInfo;
    import android.content.pm.PackageItemInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.PackageManager.NameNotFoundException;
    import android.content.res.Resources;
    import android.database.ContentObserver;
    import android.os.ServiceManager;
    import android.provider.Settings.Secure;
    import android.provider.Settings.System;
    import android.text.TextUtils;
    import android.util.Log;
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Iterator;
    import java.util.List;
    import miui.os.Build;
    import miui.provider.CloudAppControll;
    import miui.provider.CloudAppControll.TAG;
    import org.json.JSONArray;
    import org.json.JSONException;
    import org.json.JSONObject;
    
    public class BaseNotificationFilterHelper
    {
      protected static final String APP_NOTIFICATION = "app_notification";
      protected static final int CODE_REQUEST_PARAM_EMPTY = 201;
      protected static final int CODE_RESPONSE_EMPTY = 202;
      protected static final int CODE_SUCCESS = 200;
      public static final int DEFAULT = 0;
      public static final int DISABLE_ALL = 3;
      public static final int DISABLE_ICON = 1;
      public static final int ENABLE = 2;
      protected static final String EXPANDED_BLACK_LIST_CODE = "errCode";
      protected static final String EXPANDED_BLACK_LIST_PACKAGES = "packages";
      public static final int NONE = 0;
      protected static final String SYSTEMUI_PACKAGE_NAME = "com.android.systemui";
      protected static final String TAG = "NotificationFilterHelper";
      protected static final String URL = "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php";
      private static HashSet<String> mBlacklist;
      protected static INotificationManager nm;
      protected static HashSet<String> sFilterList = new HashSet();
      protected static HashMap<String, Integer> sFilterMap = new HashMap();
      private static HashMap<String, Boolean> sIsSystemApp;
      protected static HashMap<String, Integer> sUidMap = new HashMap();
    
      static
      {
        if (Build.IS_INTERNATIONAL_BUILD);
        for (int i = 2; ; i = 1)
        {
          DEFAULT = i;
          nm = INotificationManager.Stub.asInterface(ServiceManager.getService("notification"));
          mBlacklist = null;
          sIsSystemApp = new HashMap();
          return;
        }
      }
    
      protected static void enableStatusIcon(Context paramContext, String paramString, int paramInt)
      {
        getSharedPreferences(paramContext).edit().putInt(paramString, paramInt).commit();
      }
    
      public static void enableStatusIcon(Context paramContext, String paramString, boolean paramBoolean)
      {
        if (paramBoolean);
        for (int i = 2; ; i = 1)
        {
          enableStatusIcon(paramContext, paramString, i);
          return;
        }
      }
    
      public static String getAppNotificationText(Context paramContext, String paramString)
      {
        int i = 101450315;
        switch (NotificationFilterHelper.getInstance().getAppFlag(paramContext, paramString, true))
        {
        default:
        case 3:
        case 1:
        case 2:
        }
        while (true)
        {
          return paramContext.getResources().getString(i);
          i = 101450314;
          continue;
          i = 101450315;
          continue;
          i = 101450313;
        }
      }
    
      public static int getAppUid(Context paramContext, String paramString)
      {
        int i = 0;
        if (sUidMap.containsKey(paramString))
          return ((Integer)sUidMap.get(paramString)).intValue();
        try
        {
          i = paramContext.getPackageManager().getApplicationInfo(paramString, 0).uid;
          sUidMap.put(paramString, Integer.valueOf(i));
          return i;
        }
        catch (PackageManager.NameNotFoundException localNameNotFoundException)
        {
        }
        return i;
      }
    
      protected static int getDefaultFlag(Context paramContext, String paramString)
      {
        initFilterList(paramContext);
        if (sFilterList.contains(paramString))
          return 2;
        return 0;
      }
    
      protected static int getGameCenterFlag(Context paramContext, String paramString)
      {
        readBlacklist(paramContext);
        if (mBlacklist.contains(paramString))
          return 3;
        return 0;
      }
    
      private static String getInstalledAppsJson(Context paramContext)
      {
        JSONObject localJSONObject = new JSONObject();
        JSONArray localJSONArray = new JSONArray();
        Iterator localIterator = paramContext.getPackageManager().getInstalledPackages(0).iterator();
        while (localIterator.hasNext())
        {
          PackageInfo localPackageInfo = (PackageInfo)localIterator.next();
          if ((0x1 & localPackageInfo.applicationInfo.flags) == 0)
            localJSONArray.put(localPackageInfo.packageName + "/" + localPackageInfo.versionCode);
        }
        try
        {
          localJSONObject.put("packages", localJSONArray);
          return localJSONObject.toString();
        }
        catch (JSONException localJSONException)
        {
        }
        return "";
      }
    
      protected static int getNetDefaultFlag(Context paramContext, String paramString)
      {
        if (sFilterMap.containsKey(paramString))
          return ((Integer)sFilterMap.get(paramString)).intValue();
        return loadAppNetFlagByPkg(paramContext, paramString);
      }
    
      public static SharedPreferences getSharedPreferences(Context paramContext)
      {
        if (!paramContext.getPackageName().equals("com.android.systemui"));
        try
        {
          Context localContext = paramContext.createPackageContext("com.android.systemui", 2);
          paramContext = localContext;
          return paramContext.getSharedPreferences("app_notification", 4);
        }
        catch (PackageManager.NameNotFoundException localNameNotFoundException)
        {
          while (true)
            localNameNotFoundException.printStackTrace();
        }
      }
    
      protected static void initFilterList(Context paramContext)
      {
        if (sFilterList.size() == 0)
        {
          String str = Settings.System.getString(paramContext.getContentResolver(), "status_bar_notification_filter_white_list");
          if (!TextUtils.isEmpty(str))
          {
            String[] arrayOfString = str.split(" ");
            for (int i = 0; i < arrayOfString.length; i++)
              sFilterList.add(arrayOfString[i]);
          }
          sFilterList.add("cn.com.fetion");
          sFilterList.add("com.google.android.talk");
          sFilterList.add("com.tencent.mm");
          sFilterList.add("com.tencent.qq");
          sFilterList.add("com.tencent.mobileqq");
          sFilterList.add("com.xiaomi.channel");
        }
      }
    
      public static boolean isNotificationForcedFor(Context paramContext, String paramString)
      {
        int i = getAppUid(paramContext, paramString);
        return ("android".equals(paramString)) || (i == 1000) || (i == 1001) || (i == 0);
      }
    
      public static boolean isSystemApp(String paramString, PackageManager paramPackageManager)
      {
        Boolean localBoolean = (Boolean)sIsSystemApp.get(paramString);
        if (localBoolean == null);
        try
        {
          ApplicationInfo localApplicationInfo2 = paramPackageManager.getApplicationInfo(paramString, 0);
          localApplicationInfo1 = localApplicationInfo2;
          boolean bool = false;
          if (localApplicationInfo1 != null)
          {
            int i = 0x1 & localApplicationInfo1.flags;
            bool = false;
            if (i != 0)
              bool = true;
          }
          localBoolean = Boolean.valueOf(bool);
          sIsSystemApp.put(paramString, localBoolean);
          return localBoolean.booleanValue();
        }
        catch (PackageManager.NameNotFoundException localNameNotFoundException)
        {
          while (true)
            ApplicationInfo localApplicationInfo1 = null;
        }
      }
    
      protected static boolean isUserSetttingInited(Context paramContext, String paramString)
      {
        int i = getSharedPreferences(paramContext).getInt(paramString, 0);
        boolean bool = false;
        if (i != 0)
          bool = true;
        return bool;
      }
    
      public static void loadAppNetFlag(Context paramContext)
      {
        new Thread(new Runnable()
        {
          public void run()
          {
            BaseNotificationFilterHelper.sFilterMap.clear();
            Iterator localIterator = this.val$context.getPackageManager().getInstalledPackages(0).iterator();
            while (localIterator.hasNext())
            {
              PackageInfo localPackageInfo = (PackageInfo)localIterator.next();
              if ((0x1 & localPackageInfo.applicationInfo.flags) == 0)
              {
                String str = localPackageInfo.applicationInfo.packageName;
                BaseNotificationFilterHelper.loadAppNetFlagByPkg(this.val$context, str);
              }
            }
          }
        }).start();
      }
    
      public static int loadAppNetFlagByPkg(Context paramContext, String paramString)
      {
        int i = CloudAppControll.get(paramContext, CloudAppControll.TAG.TAG_NOTIFICATION_BLACKLIST, paramString);
        if (i == -1)
          return 0;
        sFilterMap.put(paramString, Integer.valueOf(i));
        return i;
      }
    
      public static void observeSettingChanged(ContentResolver paramContentResolver, ContentObserver paramContentObserver)
      {
        paramContentResolver.registerContentObserver(Settings.System.getUriFor("status_bar_notification_filter_white_list"), false, paramContentObserver);
      }
    
      private static void readBlacklist(Context paramContext)
      {
        if (mBlacklist == null)
        {
          mBlacklist = new HashSet();
          String str = Settings.Secure.getString(paramContext.getContentResolver(), "status_bar_expanded_notification_black_list");
          if (!TextUtils.isEmpty(str))
          {
            String[] arrayOfString = str.split(" ");
            for (int i = 0; i < arrayOfString.length; i++)
              mBlacklist.add(arrayOfString[i]);
          }
        }
      }
    
      public static void requestBlacklist(Context paramContext)
      {
        new Thread(new Runnable()
        {
          public void run()
          {
            try
            {
              JSONObject localJSONObject1 = Network.doHttpPostWithResponseStatus(this.val$context, "http://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php", BaseNotificationFilterHelper.getInstalledAppsJson(this.val$context));
              if ((localJSONObject1.has("RESPONSE_CODE")) && (localJSONObject1.getInt("RESPONSE_CODE") == 200))
              {
                JSONObject localJSONObject2 = new JSONObject(localJSONObject1.getString("RESPONSE_BODY"));
                int i = localJSONObject2.getInt("errCode");
                if (i == 200)
                {
                  JSONArray localJSONArray = localJSONObject2.getJSONArray("packages");
                  StringBuilder localStringBuilder = new StringBuilder();
                  for (int j = 0; j < localJSONArray.length(); j++)
                  {
                    localStringBuilder.append(localJSONArray.get(j).toString().trim());
                    localStringBuilder.append(" ");
                  }
                  Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", localStringBuilder.toString());
                  BaseNotificationFilterHelper.access$102(null);
                  return;
                }
                if (i == 202)
                {
                  Log.d("NotificationFilterHelper", "blacklist is empty ");
                  Settings.Secure.putString(this.val$context.getContentResolver(), "status_bar_expanded_notification_black_list", "");
                  BaseNotificationFilterHelper.access$102(null);
                  return;
                }
                if (i == 201)
                  Log.d("NotificationFilterHelper", "request param empty");
              }
              else
              {
                Log.d("NotificationFilterHelper", "access network anomalies");
              }
              return;
            }
            catch (Exception localException)
            {
            }
          }
        }).start();
      }
    
      protected boolean areNotificationsEnabled(Context paramContext, String paramString)
      {
        return false;
      }
    
      public boolean canSendNotifications(Context paramContext, String paramString)
      {
        return getAppFlag(paramContext, paramString, true) != 3;
      }
    
      public void enableAppNotification(Context paramContext, String paramString, boolean paramBoolean)
      {
      }
    
      public void enableNotifications(Context paramContext, String paramString, boolean paramBoolean)
      {
        enableAppNotification(paramContext, paramString, paramBoolean);
      }
    
      public int getAppFlag(Context paramContext, String paramString, boolean paramBoolean)
      {
        if (paramBoolean);
        for (boolean bool = areNotificationsEnabled(paramContext, paramString); bool; bool = true)
        {
          int i = getSharedPreferences(paramContext).getInt(paramString, 0);
          if ((i == 0) && (isSystemApp(paramString, paramContext.getPackageManager())))
            i = 2;
          if (i == 0)
            i = getNetDefaultFlag(paramContext, paramString);
          if (i == 0)
            i = getDefaultFlag(paramContext, paramString);
          if (i == 0)
            i = getGameCenterFlag(paramContext, paramString);
          if (i == 0)
            i = DEFAULT;
          return i;
        }
        return 3;
      }
    
      public void initUserSetting(Context paramContext, String paramString)
      {
        if (!isUserSetttingInited(paramContext, paramString))
        {
          if (isSystemApp(paramString, paramContext.getPackageManager()))
            enableStatusIcon(paramContext, paramString, true);
        }
        else
          return;
        int i = getAppFlag(paramContext, paramString, false);
        if (i == 3)
        {
          enableAppNotification(paramContext, paramString, false);
          enableStatusIcon(paramContext, paramString, false);
          return;
        }
        enableStatusIcon(paramContext, paramString, i);
      }
    }

    RELATED
    http://apkscan.nviso.be/report/show/48b5666fa2bcbe738c0b623da712918f
    http://lists.clean-mx.com/pipermail/viruswatch/20130714/072661.html

    OTHER SOURCES
    http://www.newmobilelife.com/2014/08/12/xiaomi-china-server/
    http://www.htcmania.com/showthread.php?p=14730859
    5
    I agree. But also take into account that not every piece of code presented by some user containing words "online", "sync" or ip tracing to chinese server is already a backdoor as the op presented to us. Which without proof is just a normal accusations.

    As I said. In global versions of MIUI most of online Xiaomi services are disabled.

    Wysłane z MI4 W

    Are you are working for Xiaomi? Marketing maybe?
    3
    I knew it. It's just too hard to resist for the manufactures not to implement these backdoors!

    "In this session Taiwanese Researcher will demonstrate how Xiaomi Phones have been sending device data and personal data of Xiaomi Phone user to Chinese Servers. The Researcher will also release Server Logs, Mi Account username, Emails and passwords of millions of Xiaomi users which have been obtained using a Zero Day flaw in the Xiaomi Servers."

    Apparently the fight continues:

    Xiaomi's Response on Taiwanese Researcher 'Chen Huang' Claims:

    We have verified that the zero-day data breach allegation made by security researcher Chen Huang and the Ground Zero Summit organizing committee is a hoax. The zero-day vulnerability reported by the cyber security researcher, Chen Huang, is a deliberate falsehood, and Xiaomi is taking the necessary legal action against the parties involved.

    To date, throughout Xiaomi's history, there has only been one incident in which a two-year-old user account file was leaked in May 2014. After conducting a comprehensive investigation, we concluded that file contained information from user accounts registered before August 2012 in an old version of the Xiaomi user forum website. That information became obsolete when, in September 2012, we launched the Xiaomi Account integrated system.

    In response to the incident in May 2014, we immediately requested users to change their passwords. We also announced the incident publicly via social media and to our user forums on May 14, 2014.

    Chen Huang has recently threatened to expose data from the old user account file during a session at the upcoming Ground Zero Summit 2014, falsely claiming it to be data compromised through an existing vulnerability. This is a grave accusation, as we take our users' privacy very seriously, and we will seek legal action against the involved parties.

    - - - - - - - - - - - - - - - - -
    'Chen Huang' Response to Xiaomi:

    I am not surprised by the misleading and absurd claims made by Xiaomi. It is clearly evident that they are hiding much more than what they have revealed :) Their claims in the press statement are full of contradictions. I have few simple questions for them

    1) Why are they silent on issue of their servers picking up personal data of devices and users without their consent?

    2) If they think their servers being compromised and database leak is a hoax then why are they so worried about this session!!! As Xiamoi claims in their press statement " throughout Xiaomi’s history, there has only been one incident in which a two-year-old user account file was leaked in May 2014. After conducting a comprehensive investigation, we concluded that file contained information from user accounts registered before August 2012 in an old version of the Xiaomi user forum website. That information became obsolete when, in September 2012 we launched the Xiaomi Account integrated system."

    I Challenge Xiaomi to tell the world if the information is obsolete in September 2012 and was of no use, then why the ***** did Xiamoi ask their users to change their password as recently in may 2014. Xiaomi Caaamooonnnnnn!!!! the more you hide, more you will be shamed :D
    Anyways if my session is useless!!! Why are you guys worried :) !!!!! Let the world know everything, let them judge and let them decide.

    In defense of Privacy and freedom of truth,

    - - - - - - - - - - - - - - - - -
    News/Media Coverage:

    http://indiatoday.intoday.in/techno...urity-consultant-claims-servers/1/398350.html
    http://zeenews.india.com/news/net-n...xiaomi-server-firm-calls-it-hoax_1491792.html
    http://gadgets.ndtv.com/mobiles/new...es-and-passwords-allegedly-compromised-613990
    http://indianexpress.com/article/te...ims-hacking-xiaomi-server-firm-calls-it-hoax/
    http://tech.firstpost.com/news-anal...ack-that-steals-confidential-data-239653.html
    http://indiatoday.intoday.in/techno...urity-consultant-claims-servers/1/398350.html

    http://www.zippednews.com/ground-zero-summit
    http://www.newsnation.in/article/59...iaomi-server-hacked-company-calls-a-hoax.html
    http://blog.lifars.com/2014/10/30/chinese-smartphone-makes-xiaomi-under-attack-again/
    http://www.bubblews.com/news/9196648-expert-claims-hacking-xiaomi-server-firm-calls-it-hoax
    http://www.hackbusters.com/news/stories/145579-enigma-simulator
    http://tech.firstpost.com/news-anal...ack-that-steals-confidential-data-239653.html
    http://xiaomimedia.co/
    http://nvonews.com/expert-claims-hacked-xiaomi-server-company-rubbishes-it/
    http://www.prodefence.org/topic/110...g-xiaomi-talk-pulled-from-hacking-conference/
    http://www.lfa8.com/millet-servers-allegedly-prone-to-0-attack-steal-confidential-data.html
    http://thehackernews.com/2014/10/xiaomi-data-breach-hacker.html
    http://www.undernews.fr/telephonie-...utm_campaign=Feed:+undernews/oCmA+(UnderNews)
    http://translate.google.co.in/trans...d%3A+undernews%2FoCmA+(UnderNews)&prev=search
    http://blog.learnatchina.com/2014103053855.html
    http://translate.google.co.in/trans...i-lo-hong-zero-day-rat-nguy-hiem/&prev=search
    http://www.mobiletor.com/120096/expert-claims-hacked-xiaomi-server-company-calls-hoax/
    http://economictimes.indiatimes.com...r-firm-calls-it-hoax/articleshow/44985371.cms
    http://www.financialexpress.com/news/expert-claims-hacking-xiaomi-server-firm-calls-it-hoax/1303142
    http://indianexpress.com/article/te...ims-hacking-xiaomi-server-firm-calls-it-hoax/
    http://www.gizbot.com/mobile/expert...mi-server-company-calls-hoax-news-020272.html
    http://zeenews.india.com/news/net-n...xiaomi-server-firm-calls-it-hoax_1491792.html

    Resulting in THIS.
    2
    Wait so... this means XDA discovered that MIUI OS connects to the internet?

    And you want to send Hugo a small fragment of mms app code with Cloud messaging - which is standard and optional MIUI feature?
    Is that your proof? Congrats. Much ado about nothing...

    GameSDKService? Of course because this is the stock chinese app with games (usually pirated), but the app is only in chinese original roms.
    Every port, every multilang rom doesnt have those apps.

    Also Duokan service provide online content to Music and Video apps. This is standard MIUI feature from beginning.
    Please note that Global versions of the MIUI roms (so outside china mainland) doesnt have online features.

    All stuff presented above IS not a proof!
    If I were Hugo I would lough down this after reading.

    First off XDA didn't find it a user did. It was just posted and asked for clarification.

    Second off after the last privacy issue this OEM had you can expect people to be Leary of them.

    Third. If a OEM is going to blatantly disregard copyright laws as well as the gpl you have to understand why people will not trust them. They need to very transparent with things like this. Mainly if they plain to ever make a world wide release.