It has been a little over a month since OnePlus was found to be collecting personally identifiable information for analytics. The company quickly reversed course, and in an update the company promised to be more transparent by clearly giving users the option to opt out of OxygenOS analytics. Though that debacle has since been resolved, another is rearing its ugly head tonight. A user on Twitter who goes by the name “Elliot Anderson” (named after the main character of the popular Mr. Robot television series) has discovered that OnePlus accidentally left in place a diagnostic testing application made by Qualcomm. After decompiling this application, he discovered that it can be exploited to grant root access—effectively acting as a backdoor.
The application is called “EngineerMode” and it’s essentially a system application made by Qualcomm and provided to OEMs like OnePlus so that they can easily test all hardware components of the device. The application is pre-installed on all OnePlus 3, OnePlus 3T, and OnePlus 5 devices and is easily accessible through any activity launcher, as all of the app’s activities are exported.
We actually covered the existence of this application several months ago, but at the time we had no idea what it could be used for. The Twitter user decompiled the application (its source has been posted online here) and found an interesting activity called DiagEnabled. In particular, one method stood out within the activity: escalatedUp. This method accepts a boolean value (true/false) and a string. The string is a password that is checked by the method before it sets the system properties oem.selinux.reload_policy to 1.
The first system property is particularly interesting as it allows the user to run ADB as root. This immediately opens up the possibility of acquiring full root access on the phone—all without unlocking the bootloader. So how exactly do you get the EngineerMode app to set these system properties to be ‘1’?
@fs0c131y needed to find the correct password to send in the intent in order to pass the logic in the method posted above. Finding this password is not a simple task, however. He decompiled the library responsible for generating the password (called libdoor.so) and found where the password hash was located: /data/backup/fpwd. The password is generated from various build properties such as ro.product.brand and would not be easy to reverse engineer.
All one has to do is send an intent in this format:
adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
where com.android.engineeringmode/.qualcomm.DiagEnabled is the component name of the DiagEnabled Activity we are exploiting, “code” is the name of the string extra, and the value that follows it is the password.
@fs0c131y states he will publish an application soon that will send this intent to elevate ADB into root privileges, patch the boot image to disable dm-verity, and install the su binaries. Keep an eye out on the XDA forums for when this root application gets posted.
What this means for end users is that you can easily root your OnePlus 3, OnePlus 3T, and OnePlus 5 without ever unlocking your bootloader. Of course, this is considered an exploit and we hope that OnePlus patches this soon. All they would really need to do is remove this application from future builds.
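The root cause described above is a pre-installed app whose activities are exported with nothing restricting who may start them. The following is an added example, not code from OnePlus, Qualcomm or the researcher: a small audit that flags such components in a decoded AndroidManifest.xml. The manifest is a constructed sample; only the package name and the DiagEnabled component name come from this article, and the other activity and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample, NOT the real EngineerMode manifest. Only the package and
# the DiagEnabled component name are taken from the article.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.engineeringmode">
  <application>
    <activity android:name=".qualcomm.DiagEnabled" android:exported="true"/>
    <activity android:name=".HiddenTest">
      <intent-filter><action android:name="example.action.TEST"/></intent-filter>
    </activity>
    <activity android:name=".Guarded" android:exported="true"
              android:permission="example.permission.FACTORY_TEST"/>
    <activity android:name=".Internal" android:exported="false"/>
  </application>
</manifest>
"""

def is_exported(component):
    """An explicit android:exported wins; without it (before Android 12) a
    component that declares an intent-filter is exported by default."""
    flag = component.get(A + "exported")
    if flag is not None:
        return flag.strip().lower() == "true"
    return component.find("intent-filter") is not None

def unguarded_exported_components(manifest_xml):
    """Return full names of exported components that no permission protects."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(A + "permission")  # inherited by every component
    findings = []
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.findall(tag):
            guarded = comp.get(A + "permission") or app_permission
            if is_exported(comp) and not guarded:
                name = comp.get(A + "name", "")
                findings.append(package + name if name.startswith(".") else name)
    return findings

if __name__ == "__main__":
    for name in unguarded_exported_components(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

A declared permission only helps if its protection level keeps third-party apps from holding it, which this check does not evaluate.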
Update 1: The Password is ‘angela’
User @fs0c131y posted an update on his Twitter page with the password that you need to get into a rooted ADB shell. That password is…angela. For those of you who don’t watch Mr. Robot, Angela is the name of one of the protagonists. I guess there must be a lot of Mr. Robot fans at Qualcomm.
If you enter the command I posted above in ADB, you will notice that ADB immediately disconnects and the server restarts. Enter ADB again, and you will notice that it is now a rooted shell.