Hacker News new | comments | show | ask | jobs | submitlogin
Backdoor with root access found from OnePlus phones (twitter.com)
317 points by hpaavola 11 months ago | hide | past | web | 109 comments | favorite

User builds on some Chinese phones are pretty sloppy. I needed to access an old Oppo phone the other day, where I couldn't remember the PIN. Luckily ADB was enabled, which suggests that their production software might have been a userdebug build. I couldn't enable root via ADB, since it was at least a production/user build, but the su binary was already on the phone, so I just su'ed and got a root prompt. From there I could pull the sqlite settings database, reset the PIN and push it again. After a reboot, the phone booted without PIN.

Unfortunately there was an Oppo homebrewn secondary PIN on some of their built in apps, which hadn't been reset, but it turned out I could enter the PIN as many times as I wanted, so I made a small script to brute force it via ADB (input text). Took half an hour to disable the secondary PIN with my script.

My Chinese phone (iPhone 6s) had a similar flaw. Okay, that was tongue in cheek, but I don't see how adding the China qualifier adds anything new or interesting other than inject bias.

It is definitely a bit vague, but it can be reasonably assumed that it was meant as shorthand for "Obscure (or no) brand generic MTK phone sourced from China"

Sorry, I didn't mean it in a bad way or to bash anything Chinese, which usually also grinds my gears and I fully understand what you say as I used to live and work in China for some years and I am fully aware of the capabilities of many Chinese factories.

I should probably have said "cheap phones" - I am not sure. Every ODM/OEM is different.

But it is an interesting discussion for sure and made me think about my experiences. What kind of software engineering department would make a mistake like this? I bet 1 USD that I could spend one hour with their engineers and I would be able to predict if this would be a mistake they would make. :)

Does the iPhone 6s have a similar flaw? I'm still using one.

He was joking. The 6s and pretty much every new phone using a Secure Enclave to make brute forcing anything technically impossible.

I was not joking. There was a lockscreen bypass bug where you could access the photos/contacts. Also, I haven't kept up with jailbreaking, so I'm not sure if they can still be rooted. So, yeah, iphones have had several security flaws in almost all versions.

I just checked and found it on my OnePlus Two. To other OP owners: make sure you look under "all" apps, not just "downloaded".

After this finding , the data collection incident a month ago, and their last 1Gb+ OTA update that bootlooped my phone, I think I'm done with OnePlus products. I enjoyed the hardware but I can't tolerate this much malice/incompetence in software in something as critical to my daily life.

I'm sure some posters will suggest that this is what we deserve for trusting a Chinese OEM, but I still find it all very sad.

Steal data, brick devices, and leave backdoors: How to lose a customer in three easy steps.

> I enjoyed the hardware but

Do like me, if you don't want to trash a OnePlus device: install LineageOS.

I am completely unfamiliar with Lineage. I literally just flashed PA on my 3t on Friday and have been having some minor issues with it (wifi connectivity and spotty cell coverage) that I didn't have before when the phone was stock. Could you give me a little info about your experience with Lineage and what you like/dislike about it?

I should add, I flashed PA because I bought a really expensive pair of bluetooth headphones (from Sony) that were having really bad connectivity issues that have been mostly resolved by changing roms.

Third party software is always a bumpy ride. Something is going to not work out of the box, optimization will be less than stellar, battery usage won't be as good. I cannot tolerate my cellphone not working 100% of the time.

Can you tolerate a backdoor in it?

I can and I am. As far as I can tell, it's only accessible locally, so I can live with it.

LineageOS gives me a 30% more battery on the OPO! Everything works great.

Do you trust there not to be lower level issues?

Well... at least, this specific one isn't.

I have an HTC bootlooped by an OTA, hence my now having a OnePlus3. Getting fed up with all this nonsense. Seems to me the android ecosystem is just too wild west, especially for such an important device, and may now have to head to apple. I see I also have this EngineerMode, data usage 1.4MB since Aug 7, modify system settings enabled. When I tweeted them about the recent data collection issue they replied with "it's standard industry practice".

I’ve made the same decision re: android and apple.

I really wish there was a decent Linux phone I could buy ... anyone know if there are any good contenders or future prospects?

It hasn't been released yet, but Purism recently smashed their fundraising goal for the Librem 5. From the description linked to below:

> Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers.


Because a small fly by wire company is likely to have better QA than a much larger company....

Different priorities might work very well.

This is truly impressive. I'll be following this project.

Did you check out Jolla and Sailfish OS?

You can now buy a Sony EXperia X and flash it to Sailfish OS.

I am quite happy with Sailfish. Still using it on my Jolla 1 as a daily driver after 3 years.

Are you asking about "linux" meaning a non-Android linux phone?

If you include Android -- I have had a satisfactory experience with both the Samsung Galaxy S6 and LG Nexus 5x. The 5x did bootloop recently but Nexus repaired it (and upgraded to 32GB) beyond the end of their warranty.

I am hoping postmarketOS will be a good alternative.

Still being developed and not ready for prime time yet.

Its a feature not a bug.

Android is open, you can run anything on it that you want. Doesn't make it better or worse than iOS.

Everyone needs to make an informed decision about what they want from their phone.

Not to mention the "phone crashes when calling 911" bug

Wasn't that a bug with other phones as well?

Some version of this bug has cropped up on many phones on different carriers all around the world.

Yup, done here too. Edit: EngineerMode is present on my OP3T with latest Oreo beta

Yeah it's on my 1+X too. Trivial to gain root just from the info in that twitter thread

Worth noting it has used 200mb data in three months

Can confirm that the privilege escalation works on OnePlus 2 as well.

I have a onePlus 3 (which anecdotally has been a lovely handset, just extremely fragile. And onePlus and their repair company have been entirely useless at communication...)

I also have the EngineerMode installed and it's also using data; "61.34mb since 1 Aug".

It's worth noting that the data usage (752kb since Nov 1st) says it also includes other apps, I've listed them below for reference as I've not seen anyone else mention this yet. There's certainly some interesting names.





SVI Settings




Manage center




Content Adaptive Backlight Settings

Android System

OnePlus System Service

Wfd Service


SimContacts Manager

OnePlus Camera Service

Settings Storage




Input Devices




Key Chain

Call Management

File manager


ANT HAL Service










System Update



Fused Location



QTI Logging




Sensor Test Tool

I also have the 3, agreed on points of quality but fragility.

Looking at the data usage for several of the connected apps (my list is identical to yours as far as I can tell), it looks like the only data they send is as a subset of engineer mode (their individual data sent isn't shown, only the engineer mode total).

There's definitely some concerning names there. Double checking my recent screenshots, it seems at least that it couldn't be sending full images with as much data as it's used. It's likely that it's not sending data from all of these, but just accessing them at some point. The previous leak on here revealed that OnePlus could track when you opened and closed apps. Based on this, it could potentially track your location, when you take screenshots, when you make phone calls, and a host of other information.

I've said it on HN before but it bears repeating: If you have a OnePlus, do yourself a favour and put LineageOS on it. It works perfectly on my OP3.

Android's bootloader isn't supposed to be locked when installing custom firmware. An unlocked bootloader is a large physical access vulnerability.

How does LineageOS help security exactly?

Encryption helps.

Does it? It seems useless when anyone with physical access can replace the bootloader.


Well, this would require them to wipe your phone's data, so you would be alerted as soon as it happened since your phone would not have any of your old data once you logged in. If a malicious attacker is able to take your phone without you noticing and be able to replace it, the difference of a locked or unlock bootloader won't change the fact that you are going to put in your PIN on boot. Instead of replacing your OS with a malicious OS, they could simply replace your phone with a malicious copy of your phone and get your PIN on the first bootup. They still get your PIN and you still lose your data. The benefit of LineageOS is that it is open source and can be built yourself, so anyone can check the code for backdoors/vulnerabilities. This also means you get all updates as soon as you can build them.

LineageOS is a great OS. People should continue to use it for learning, fun, and getting things done.

Please elaborate though. How is an unlocked bootloader is more secure than than EngineerMode appearing on a phone [1]? Conclusion #6:

> Encryption is insecure with an unlocked bootloader or an open-access recovery.

If you have LineageOS with TWRP and an unlocked bootloader then it appears you have an insecure device.

[1] https://forum.xda-developers.com/android/software-hacking/tw...

I just asked another commenter who suggested Lineage to talk a little about their experience with it since I just flashed PA onto my 3t this past Friday. I'm going to check it out a bit today. Do you know if it's a simple process to go from PA -> Lineage? A little about me: I am a pretty experience developer but not much of a tinkerer when it comes to phones. This flash to PA is only the third time I've done this with a phone and the last time was a few years ago.

Not sure specifically how you installed PA, but, generally, that would look something like:

    1. Unlock bootloader
    2. Install aftermarket recovery (CWM or TWRP)
    3. Install new ROM (PA)
Now that you've done 1 and 2 (usually the difficult parts), you really just need to repeat step 3 with a different ROM.

Assuming you have TWRP installed, LineageOS has instructions for your specific situation (installing from recovery) at: https://wiki.lineageos.org/devices/oneplus3/install#installi...

If you have CWM or something else, it should be relatively easy to translate the instructions to your specific situation. If you have trouble, you can just start from the beginning of that document for instructions to install TWRP instead.

If you want Google Apps (gmail, etc) installed, you'll need to download that from here: http://opengapps.org/ (ARM64, 7.1) and treat that as your "additional packages" for the purposes of those instructions.

I just started messing with LineageOS on my Moto G4. Make sure you make a backup of the stock image so you can flash it back if something goes wrong with your cell network settings. I didn't and now I only have 3G and have been procrastinating flashing the stock everything and starting over.

For the OnePlus hardware the stock system images are all available for download from OnePlus themselves: http://downloads.oneplus.net/

Most OEMs should have some sort of downloads available. If that fails, you can generally find a thread on the xda forums that has links to download the stock ROM and other files (though then not directly from the OEM, so there's some element of trust/risk there).

(In your case, it looks like Motorola hosts the G4 images at: http://motorola-global-portal.custhelp.com/app/standalone/bo...)

I have TWRP installed. Thanks for the links. It looks like this will be simpler than I thought. I'm a little paranoid about bricking my phone as I only bought it a year ago and I'd have to have to get another.

It's generally really hard to truly brick a phone these days.

People throw around the term like it's lost all meaning - usually when someone says they "bricked" their device, they're meaning that "it was moderately inconvenient to recover and I lost my data". Not that it's a literal brick that they now put in the garbage bin.

If you've got recovery, you've got an easy path to getting it up and running again. Just reflash your ROM, a different ROM, a stock ROM, whatever.

If you hose your recovery, you boot your phone into fastboot/odin/heimdall/etc mode which is built into the phone's firmware. From there, you can still flash images to the internal partitions to replace your recovery/system/anything else.

I don't wanna be the guy that doesn't include the "there's always risk" warning on his instructions, but if you're just flashing back and forth between ROMs the worst I'd ever expect you to mess up is wiping your internal storage and photos by accident.

Fantastic. Thanks for the info. Like I said, the last time I had done this was a few years ago when the risk of "bricking" a device seemed a bit more real. I'm glad to know that getting TWRP installed was a good move.

The "secret" password seems to be "angela". OnePlus == DarkArmy confirmed?

Probably fans of Angela Lansbury.

Seems like a Mr.Robot reference to me.

Ikr, why would you even insert a reference like that?

What? OnePlus == BND confirmed!

Isn't it "code"?

All modern mobile phones have a baseband processor with root backdoor. OnePlus is only remarkable for having a second one.

Reference, or explanation?


If it has GSM/LTE/CDMA/etc baseband processor with closed implementation, assume it has remote root backdoor. Samsung has already been caught.

osmocombb tried to solve this. That project is essentially dead.

Librem 5 is a partial solution because the baseband has no access to the system.

Still has DMA, no?

No, the baseband radio will not be connected to the SoC via DMA.

They are proposing to use an external baseband with a USB or UART interface to the main SoC and a kill switch.


I didn’t knew that engineer mode app could be used for such malice. I bet they didn’t either (btw I know that they should have been more vigilant about what goes into the consumer device). And this app is developed by Qualcomm. I just think that they forgot to remove from user builds (which btw is a bad sign).

After having worked in the bowels of Qualcomm's Android drops, I have to note that the amount of precompiled vendor binaries that get included was astounding. The worst part is that their tendrils hook in to major parts of the low level networking stacks in very bizarre ways. Removing them is often extremely difficult, and even simple things like removing APKs like this one often affect the stability of the system as a whole.

I can't really fault 1+ for this debacle -- but this is what happens when OEMs just go along with using these inscrutable blobs of crapware from their upstream vendors.

I only hope Librem can actually pull off their phone. Shipping something fully open in light of findings like this may help to turn the tide.

Isn't the EngineerMode APK an MTK app? I have been involved in developing an Marshmallow MTK based phone in the past and in my experience their BSP's were pretty messy. I.e. a lot of cleaning up is necessary if you want a relatively quiet logcat and debugging APK's removed - even for user builds.

Edit: I must have remembered wrong or I saw the EngineerMode on the QComm device we developed before our MTK based device. The OnePlus seems to be a QComm device.. :)

I have a shit Allwinner A33 tablet and it has SoftWinner APK AND EngineerMode APK. So idk maybe it's something shared for all Chinese devices...?

Here we go (Blu Studio Max): adb shell am start -n com.mediatek.engineermode/.EngineerMode

This is going to be a fun morning.

I have a Blu Studio Max (2017) with a MTK chipset. EngineerMode is installed and running.

Can anyone clarify as to whether there is a mitigation, and post a link?

Found it on my Oneplus X. Maybe this is the time to try out Apple.

As a long time iPhone user that swings Android every few years to try the waters, I am consistently blown away at the level of garbage Android users are expected to deal with on a regular basis.

Want to know how many times my iPhones have boot looped in the last nine years? Not once ever. My last Android (Nexus 6p) managed to do it several times in the 3-ish months I daily-drove it.

Want to know how long you can expect to get iOS updates with a new hardware purchase? 5+ years. Compared with the very best case for Android: 2 maybe?

How many times with an iPhone have I been expected to install a custom OS to get around a user-hostile feature like I saw about fifty times in the 1 billion outdated androids thread? Zero times.

It’s unreal.

> I am consistently blown away at the level of garbage Android users are expected to deal with on a regular basis.

My girlfriend uses an iPhone; I am consistently blown away by the amount of garbage she's expected to deal with on a regular basis. When she changes to another app, our video chats go dark; there's no Termux or GNURoot equivalent (that I'm aware of); tapping doesn't move the cursor but instead selects words (I think that's it); the mail app is hellaciously bad; she's stuck using Safari and seeing ads. So, so many ads. Ads everywhere. I never see ads on my phone, but on hers the Internet is nothing but ads as far as the eye can see.

The sad fact is that the mobile phone ecosystem in general is full of garbage. Neither Android nor iOS is exempt. But at least with Android I have freedom.

> How many times with an iPhone have I been expected to install a custom OS to get around a user-hostile feature like I saw about fifty times in the 1 billion outdated androids thread? Zero times.

That's because with an iPhone there are no custom OSes and you're stuck with Apple's user-hostile features.

> she's stuck using Safari and seeing ads. So, so many ads. Ads everywhere. I never see ads on my phone, but on hers the Internet is nothing but ads as far as the eye can see.

Purify is an ad blocker that works great on the iPhone. Content blockers have been a supported part of iOS for the last couple versions. Apple actually caught a lot of flack from websites for allowing them.

> But at least with Android I have freedom.

Freedom to send all your data to Google? Sure, you can install custom ROMs, but now you're squarely out of any normal user scenario.

> That's because with an iPhone there are no custom OSes and you're stuck with Apple's user-hostile features.

You're considering Apple user hostile when the only way to get around Androids lack of security updates is to go deal with custom ROMs? Apple tends to make the best decision for the largest amount of users. Do they always match up with my decisions? No, but they are close enough, and I don't have to deal with the Android mess when all I want is a working phone.

iTunes is user hostile. I might try an iPhone if not for the terrible experience of managing one on Windows.

I was also unimpressed by how difficult it was to get my family member's pictures out of their cloud offering, when asked to do so for relatives.

You know the iPhone has not needed iTunes for quite awhile? I'm not even sure about the last time I started iTunes on my computer. Even moving from an iPhone to a new iPhone is as simple as holding the 2 phones close together and signing in on the new phone.

iCloud also works fine with Apple devices, but can be mostly skipped. Google Photos will happily upload all the pics on the iPhone to Google pictures. The 5GB iCloud is then plenty for iPhone data backups.

>When she changes to another app, our video chats go dark

Which app?

>there's no Termux or GNURoot equivalent (that I'm aware of);

Does your girlfrind need a terminal on her phone?

>tapping doesn't move the cursor but instead selects words (I think that's it);

Tab and hold to move the cursor.

>she's stuck using Safari and seeing ads. So, so many ads. Ads everywhere.

Why she doesn't install an Adblocker? It's officially supported directly by the system since a couple of time.

> Which app?

Signal. She has similar issues with other apps. Apparently iOS doesn't support background processes as well as Android.

> Does your girlfrind need a terminal on her phone?

Need? No. But I'd like it.

> Tab and hold to move the cursor.

This is reversed between Android & iOS. For me, at least, I'm far more likely to want to move the cursor than to select a word.

>When she changes to another app, our video chats go dark; there's no Termux or GNURoot equivalent (that I'm aware of)...

LOL! At the point you expect 99% of phone users to know what Termux or GNURoot are, let alone use them, the argument has already been lost. I have several hundred Android devices for testing and about two dozen iOS devices. It has always struck me that the primary draw to Android is the hackability, but at the same time, it's the greatest weakness in the platform, that and the variability in hardware.

> The sad fact is that the mobile phone ecosystem in general is full of garbage. Neither Android nor iOS is exempt. But at least with Android I have freedom.

As a Windows Phone user, this is why I'm dreading the day I need to replace my phone and pick a side. It seems like there's no winning in the mobile world.

You’ve heard of content blocker extensions for Safari right?

Anecdotally mine Androids never bootlooped (started with Dell Streak 5)

Have it on my tablet that's not even Mediatek or Qualcomm, but instead Allwinner A33... Scary. I think I should throw it away. Or, since it comes pre-rooted and in engineer build mode instead of userdebug or prod, I think I just might uninstall the APK from the shell and sleep well tonight.

No one found it just a tad strange that there was a system library called libdoor.so?

So you can run old BBS games on your phone?

Sign me up!

EngineerMode: so I fired this up on my OnePlus5 (and subsequently rooted my device). Fun times. Can anyone explain all the features in Engineer Mode? * DDR Aging Test: Some sort of DRAM physical memory test? * SUPL Tool: Tries to connect to supl.google.com:7276 ?? * Network set >> RAT Mode? .... other features test your screen, colors, backlight, NFC, Wifi, etc - would still be helpful if someone with a bit more background could give some color.

I just checked my OnePlus One and it doesn't have the "Engineering mode" app. Maybe because I'm on the original CyanogenOS; I didn't upgrade to Oxygen OS.

Do you consider switching over to the community based LineageOS? They will continue to provide security updates for your phone and afair currently you are stuck with Android 6. Additionally, the upcoming release will bring Android 8 to your device: https://review.lineageos.org/#/q/branch:lineage-15.0+bacon

lineageos is awesome.

Unfortunately the camera app is quite a bit worse in my opinion (used it on the OnePlus One, 3T and haven't tested it with my 5). Guess some things are more important at this point..

Is there no way one can extract the oneplus camera app and install it on lineageos? I'm also going to finally switch now, but I don't understand why there isn't some clever hacker that has done this yet. Is is impossible?

I use OpenCamera on a oneplus X with lineageOS. The camera hardware is not great, and definitely far from the 2017 state of the art, but it works ok.

I would like to use lineage OS but if I root my phone my work email will stop working. It is configured via Boxer app, is there a work around?

To gain root access you have to flash an optional zip file [0] after flashing LineageOS itself and the also optional OpenGapps [1]. If you don't do that, your Boxer app should pass these SafetyNet checks [2].

If you want both root and still full access to these SafetyNet-"protected" apps, you can try the alternative rooting solution Magisk [3] which specializes on bypassing these (imho arbitrary) restrictions.

[0] https://download.lineageos.org/extras

[1] http://opengapps.org/

[2] https://www.lineageos.org/Safetynet/

[3] https://forum.xda-developers.com/apps/magisk/official-magisk...

My bank app refused to install on a rooted phone. I used Magisk Manager to work around that. I guess it could work in this case as well. There is a 'hide root' option (or something similar).

Are there any serious known issues on LineageOS for the OP3, other than the camera being weaker?

What are some things to be aware of when switching? I'm a 3T owner and I'm done with the OS (still love the hardware). Hesitant to simply flash new firmware onto it without knowing what I'm getting into.

I got a very cheap huawei Y300 which stopped working recently.

I think I remember having this app, along with many other weird ones preinstalled.

Also, does anybody knows why some android phones have some "debug mode" when I plug them via USB? I mean if you think about it, that also sounds like a backdoor.

USB debug mode is a standard feature of Android that is disabled by default, but it's possible to enable it manually. If you see it without having enabled it, it is indeed strange


Yes it seems to be enabled by default, I disable it from time to time.

At that point there are so many critical security flaw coming up every month that I don't really bother anymore.

It's not the first time a big security/privacy leak was found on OnePlus' phones. Would stay far away from OnePlus phones.

I would stay away from proprietary software, especially if it was written in Russia or China.

All of their tech companies owe their entire existence to their respective governments and it's not like the governments set up that environment for them for free.

Sure, and tech companies in USA are super trusted. And for sure no backdoors are found. Just one of the recent examples when author of Telegram was "contacted" by USA government during his visit to USA. If you really want to be honest - you should understand that every government is interesting in "access" to popular tech tools - laptops, phones, social networks, messengers and etc.

And it will be really good also to check facts and not yellow press like CNN, BBC and etc and just bullshit Russia.

Trust is a weakness... Never forget it :)

What is IntelME or AMD PSP just for starters? This is completely untenable in the face of all the revelations starting with Snowden, nsl letters, secret processes and secret courts.

No one will seriously claim the US tech industry has not benefited from the government.

No point singling out specific governments, the NSA is not on your side.

Yes. And NSA/GCHQ just doesn't involve itself with any tech companies in the U.S and EU respectively.

>I would stay away from proprietary software, especially if it was written in Russia or China.

Why? What have you found in proprietary software written in China and Russia?

on OnePlus One you can install Ubuntu Touch https://ubports.com/page/devices

Except it's not actively developed anymore.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact