
T-Mobile rooted LGV20 rctd root checking (spying), possibly other carriers - SOLVED!!

By dimm0k, Senior Member on 24th August 2017, 04:26 AM
For those with a T-Mobile branded LGV20 and rooted with Magisk and probably with SuperSU, I have an interesting discovery in my attempts at determining performance issues I was having with my device and for all I know with other carrier branded Android devices that I had rooted in the past (Samsung S4, S5, LGV10). What I've been noticing is even after a fresh stock device with the only thing changed being Magisk, there have been a number of 'sh' processes that keep increasing until the system is affected negatively. My research has led me to believe that on a T-Mobile branded LGV20 a process/app called 'rctd' is triggered on boot, which checks for certain characteristics of root and if root is present something is logged mentioning so. While not much information is available on this, @k0nane posted on this a while back here https://forum.xda-developers.com/sho....php?t=2267909 regarding rctd. Essentially it is a root checker/logger.

PLEASE HELP ME CONFIRM:
for those that are rooted on their LGV20, please check /persist/rct.cfg and see if it mentions a modified system with a modified /system partition. also from a shell, do a 'ps | grep sh' noting if there are numerous 'sh' processes. if there are then do a 'ps | grep rctd' and see if the PPid of those numerous processes match the PID of rctd. I'm willing to bet they do for most of them. the longer your device has not been rebooted, the more of these 'sh' processes you should have. please report back!


EDIT1: thanks to all those in this thread that helped put this nagging nail in the coffin! long story short, rctd is LG's root checker and it's started as a service within init.lge.rc, which is part of the boot/ramdisk, so commenting out the lines that start the service needs to be done in the boot.img itself. As a result, for those that use stock kernels, I've created boot.img for 10k and 10p on the H918 T-Mobile variant of the LGV20 and 10h for the US996 unlocked variant of the LGV20.

H918 10k MD5SUM: 55a8dfd66ec9444a4a0d67eb39b34551
H918 10p MD5SUM: 9aa4cd481f1177f9d9d9f833f166ce80
US996 10h MD5SUM: 2bec2db396a81c73916ee3726e4cd334

flash your correct boot image and then remember to flash Magisk or SuperSU immediately after BEFORE LEAVING TWRP especially for those on 10k or 10p!!
The Following 31 Users Say Thank You to dimm0k For This Useful Post
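The check requested in the first post, as an added example that is not part of the original thread: it counts the 'sh' processes whose PPID is the PID of rctd and tests whether rct.cfg carries the MODIFIED marker. The function names and the sample `ps` listing are constructed; the column layout (USER PID PPID VSIZE RSS WCHAN PC S NAME) is assumed from the `ps` line quoted later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the toolbox `ps` column order
# USER PID PPID VSIZE RSS WCHAN PC S NAME (PID = field 2, PPID = field 3).

# Reads ps output on stdin and prints "<rctd_pid> <number of sh children>",
# or "none 0" when no rctd process appears in the listing.
count_rctd_sh_children() {
    awk '
        $NF == "/sbin/rctd" || $NF == "rctd"   { rctd = $2 }
        $NF == "sh" || $NF == "/system/bin/sh" { ppid_of_sh[$2] = $3 }
        END {
            if (rctd == "") { print "none 0"; exit }
            n = 0
            for (pid in ppid_of_sh)
                if (ppid_of_sh[pid] == rctd) n++
            print rctd, n
        }'
}

# Reads rct.cfg content on stdin; succeeds if a line is exactly MODIFIED.
rct_cfg_modified() {
    grep -qx 'MODIFIED'
}

# Constructed sample listing (not captured from a device).
sample_ps() {
    cat <<'EOF'
USER     PID   PPID  VSIZE  RSS   WCHAN  PC          S NAME
root     1     0     17304  1612  0      0000000000  S /init
root     926   1     5836   2092  0      00ec90a994  S /sbin/rctd
root     4101  926   4620   812   0      0000000000  S sh
root     4377  926   4620   812   0      0000000000  S sh
root     5012  926   4620   808   0      0000000000  S sh
shell    6120  6001  9036   1808  0      0000000000  S sh
root     6200  6120  9500   1500  0      0000000000  R ps
EOF
}

# On the device, as root:  ps | count_rctd_sh_children
#                          rct_cfg_modified < /persist/rct.cfg && echo flagged
sample_ps | count_rctd_sh_children
```

Running it again some hours later and comparing the second number shows whether the children are accumulating, as the post describes.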
24th August 2017, 05:53 AM |#2  
Quote:
Originally Posted by dimm0k

PLEASE HELP ME CONFIRM:
for those that are rooted on their LGV20, please check /persist/rct.cfg and see if it mentions a modified system with a modified /system partition. also from a shell, do a 'ps | grep sh' noting if there are numerous 'sh' processes. if there are then do a 'ps | grep rctd' and see if the PPid of those numerous processes match the PID of rctd. I'm willing to bet they do for most of them. the longer your device has not been rebooted, the more of these 'sh' processes you should have. please report back!

I have a T-Mobile H918 rooted with SuperSU. I attached a screen of what my rct.cfg shows and what shows when I typed in terminal. When I tried "ps | grep rctd" it reply with anything and just started a new line
The Following User Says Thank You to KUSOsan For This Useful Post
24th August 2017, 06:17 AM |#3  
OP Senior Member
Quote:
Originally Posted by KUSOsan

I have a T-Mobile H918 rooted with SuperSU. I attached a screen of what my rct.cfg shows and what shows when I typed in terminal. When I tried "ps | grep rctd" it reply with anything and just started a new line

sorry, you need to be root when you run "ps | grep rctd", otherwise you won't see all the processes running. I'm willing to bet you have rctd running and if you haven't rebooted your device for a few hours, you'll have a bunch of "sh" processes
24th August 2017, 06:22 AM |#4  
Yeah my T-Mobile H918 is reporting the same thing with Magisk 13.1 under WETA.

Rct.cfg lists:
Quote:

MODIFIED
Mount option has been changed
>/system
>/roottfs
Rooting related file had been installed
>.sh
>.ext
>su
>busybox

Detection time
> 2017-08-22 16:07

When I run "ps | grep rctd" I only get the single instance of:

Quote:

root 926 1 5836 2092 0 00ec90a994 S /sbin/rctd

The thread linked in the OP mentions disabling rctd via a build.prop value. But I'm going to try and rip it out manually.
The Following 2 Users Say Thank You to Aaren11 For This Useful Post
24th August 2017, 06:30 AM |#5  
I delete all T-Mobile apps upon flashing, wish I could remember by name but I can't. Regardless, here's what I have.

Edit- SuperSU v2.82 SR1
The Following User Says Thank You to Ducter For This Useful Post
24th August 2017, 06:44 AM |#6  
OP Senior Member
Quote:
Originally Posted by Aaren11

Yeah my T-Mobile H918 is reporting the same thing with Magisk 13.1 under WETA.

Rct.cfg lists:


When I run "ps | grep rctd" I only get the single instance of:



The thread linked in the OP mentions disabling rctd via a build.prop value. But I'm going to try and rip it out manually.

please update us. I've been told by @Zacharee1 that moving/deleting /sbin/rctd and /sbin_orig/rctd is not effective as they come back after a reboot. I've verified that killing it in a terminal also respawns. 'ps' should only report one instance of /sbin/rctd, but I'm willing to bet that you have a bunch of 'sh' processes belonging to that rctd process.



Quote:
Originally Posted by Ducter

I delete all T-Mobile apps upon flashing, wish I could remember by name but I can't. Regardless, here's what I have.

Edit- SuperSU v2.82 SR1

this may prove helpful considering that you're rooted and yet your rct files look untouched! is it possible to provide me the rct and rct.cfg files from /persist?
24th August 2017, 07:58 AM |#7  
Quote:
Originally Posted by dimm0k

sorry, you need to be root when you run "ps | grep rctd", otherwise you won't see all the processes running. I'm willing to bet you have rctd running and if you haven't rebooted your device for a few hours, you'll have a bunch of "sh" processes

Sorry bout that. Here's the corrected results.
The Following User Says Thank You to KUSOsan For This Useful Post
24th August 2017, 02:58 PM |#8  
@dimm0k You just saved me from doing a warranty swap. Yeah, I have had bad performance issues, but it was intermittent.

For example, if the phone sat for too long, and then I received a phone call, it might take 2 to 3 seconds before I could swipe to answer. The touch screen was non-responsive. But once the phone was woken up, the performance issues seemed to subside.

Since I have an H910 to compare performance and how the phone "feels", I just assumed that it was a faulty CPU that was being throttled, or maybe the heatsink wasn't on good.

Since I had debloated all the usual cruft, it just didn't occur to me to look for some bull**** process sucking the life out of my phone.

I ripped rctd out by the roots and it is like I have a new phone.

Seriously, I was set to ship my phone off today. Thank you very much for finding this.

F*** you LG -- again.
F*** you T-Mobile -- again

-- Brian
The Following 3 Users Say Thank You to runningnak3d For This Useful Post
24th August 2017, 03:06 PM |#9  
Quote:
Originally Posted by runningnak3d

@dimm0k You just saved me from doing a warranty swap. Yeah, I have had bad performance issues, but it was intermittent.

For example, if the phone sat for too long, and then I received a phone call, it might take 2 to 3 seconds before I could swipe to answer. The touch screen was non-responsive. But once the phone was woken up, the performance issues seemed to subside.

Since I have an H910 to compare performance and how the phone "feels", I just assumed that it was a faulty CPU that was being throttled, or maybe the heatsink wasn't on good.

Since I had debloated all the usual cruft, it just didn't occur to me to look for some bull**** process sucking the life out of my phone.

I ripped rctd out by the roots and it is like I have a new phone.

Seriously, I was set to ship my phone off today. Thank you very much for finding this.

F*** you LG -- again.
F*** you T-Mobile -- again

-- Brian

How did you "rip rctd out by the roots"?
The Following User Says Thank You to Zacharee1 For This Useful Post
24th August 2017, 03:29 PM |#10  
Quote:
Originally Posted by Zacharee1

How did you "rip rctd out by the roots"?

+1
The Following 2 Users Say Thank You to storm68 For This Useful Post
24th August 2017, 04:29 PM |#11  
OP Senior Member
Quote:
Originally Posted by runningnak3d

@dimm0k You just saved me from doing a warranty swap. Yeah, I have had bad performance issues, but it was intermittent.

For example, if the phone sat for too long, and then I received a phone call, it might take 2 to 3 seconds before I could swipe to answer. The touch screen was non-responsive. But once the phone was woken up, the performance issues seemed to subside.

Since I have an H910 to compare performance and how the phone "feels", I just assumed that it was a faulty CPU that was being throttled, or maybe the heatsink wasn't on good.

Since I had debloated all the usual cruft, it just didn't occur to me to look for some bull**** process sucking the life out of my phone.

I ripped rctd out by the roots and it is like I have a new phone.

Seriously, I was set to ship my phone off today. Thank you very much for finding this.

F*** you LG -- again.
F*** you T-Mobile -- again

-- Brian

glad to hear I'm not the only one suffering performance issues. the crazy thing is I don't know which devices this affects, but I have a feeling it's ALL T-Mobile branded devices on stock with root and as far as I can remember having an Android device since my Galaxy S4 days this has always been an issue for me. I have always rooted my devices and always experienced the same issue... after 3-4 days without rebooting my device it would slow to a crawl. now, after several years, I've discovered why! now to find a way to stop it... please share how you ripped rctd out by the roots!