[Update: OnePlus Responds] OnePlus Accidentally Pre-Installed an App that acts as a Backdoor to Root Access
It has been a little over a month since OnePlus was found to be collecting personally identifiable information for analytics. The company quickly reversed course, and in an update the company promised to be more transparent by clearly giving users the option to opt out of OxygenOS analytics. Though that debacle has since resolved, another is rearing its ugly head tonight. A user on Twitter who goes by the name “Elliot Alderson” (named after the main character of the popular Mr. Robot television series) has discovered that OnePlus accidentally left in place a diagnostic testing application made by Qualcomm. After decompiling this application, he discovered that it can be exploited to grant root access—effectively acting as a backdoor.
The application is called “EngineerMode” and it’s essentially a system application made by Qualcomm and provided to OEMs like OnePlus in order for OEMs to easily test all hardware components of the device. The application is pre-installed on all OnePlus 3, OnePlus 3T, and OnePlus 5 devices and can be easily accessible through any activity launcher as all of the app’s activities are exported.
We actually covered the existence of this application several months ago, but at the time we had no idea what it could be used for. The Twitter user decompiled the application (its source has been posted online here) and found an interesting activity called DiagEnabled. In particular, one method stood out within the activity: escalatedUp. This method accepts a boolean value (true/false) and a string. The string is a password that is checked by the method before it sets the system properties
oem.selinux.reload_policy to 1.
The first system property is particularly interesting as it allows the user to run ADB as root. This immediately opens up the possibility of acquiring full root access on the phone—all without unlocking the bootloader. So how exactly do you get the EngineerMode app to set these system properties to be ‘1’?
@fs0c131y needed to find the correct password to send in the intent in order to pass the logic in the method posted above. Finding this password is not a simple task, however. He decompiled the library responsible for generating the password (called libdoor.so) and found where the password hash was located:
/data/backup/fpwd. The password is generated from various build properties such as
ro.product.brand and would not be easy to reverse engineer.
All one has to do is send an intent in this format:
adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
where com.android.engineeringmode/.qualcomm.DiagEnabled is the component name of the DiagEnabled Activity we are exploiting, and “code” is the string name and “angela” is the relevant password value.
@fs0c131y states he will publish an application soon that will send this intent to elevate ADB into root privileges, patch the boot image to disable dm-verity, and install the su binaries. Keep an eye out on the XDA forums for when this root application gets posted.
What this means for end users is that you can easily root your OnePlus 3, OnePlus 3T, and OnePlus 5 without ever unlocking your bootloader. This exploit doesn’t allow for a malicious app to grant itself root access, though, so unless someone has physical access to your device to set up ADB, then you’re safe from exploitation.
In case you want to protect yourself from this exploit regardless, you can uninstall the app from the current user which will prevent the intent from being sent to the EngineerMode app. Just use the following command in ADB:
adb shell pm uninstall -k --user 0 com.android.engineermode
Of course, this is still considered an exploit and we hope that OnePlus patches this soon. All they would really need to do is remove this application from future builds.
Update 1: The Password is ‘angela’
User @fs0c131y posted an update on his Twitter page with the password that you need to get into a rooted ADB shell. That password is…angela. For those of you who don’t watch Mr. Robot, Angela is the name of one of the protagonists. I guess there must be a lot of Mr. Robot fans at Qualcomm.
If you enter the command I posted above in ADB, you will notice that ADB immediately disconnects and the server restarts. Enter ADB again, and you will notice that it is now a rooted shell.
Update 2: How the Password was Derived
Security firm Now Secure has published a blog post detailing how they derived the password needed for this root exploit to occur. You can read their full post here.
Update 3: More devices affected
This latest news shouldn’t come as a surprise, but more devices appear to be affected by this exploit. That’s because the EngineerMode app is a Qualcomm app, so it’s possible that other OEMs left it pre-installed on their devices. So far, users have reached out to @fs0c131y on Twitter to confirm that the application is installed on some Asus Zenfone and Xiaomi devices. You can easily check to see if your device has this application by going into Settings and seeing what apps are installed.
Update 4: Rooting your Device
Using a few commands through the rooted ADB shell, it’s now possible to push the su binary onto your device. Using that, you can then install a root manager app like SuperSU and then freely grant root access to other apps. All without unlocking your bootloader!
Update 5: OnePlus Responds
OnePlus has officially responded to the situation. In a blog post, the company reiterates that this exploit can only be utilized if an attacker has physical access to the device and has enabled USB Debugging. In order to enable USB Debugging, the attacker also needs your device’s pin/password. Thus, the root backdoor isn’t easily exploitable by any app or person, but nevertheless OnePlus will address users’ concerns by removing this functionality from the EngineerMode app.