Preinstalled EngineerMode app on OnePlus phones gives root access without unlocking the bootloader
Rooting Android phones is fairly common these days, and it opens up the possibility of doing things that would not otherwise be an option. But if you are rooting your phone, you want it to be you who is in charge of the process. If you have a OnePlus phone, you may be interested -- and a little disturbed -- to learn that the company is preinstalling an app that acts as a backdoor to root access.
The app is called EngineerMode and it is preinstalled on the OnePlus 3, 3T and 5. It is possible to exploit the app to gain root access to a device -- all it takes is a simple command and a password that can be determined fairly easily. On one hand this is a worrying discovery; on the other, it opens up a way to root OnePlus phones without unlocking the bootloader.
The discovery was made by a Twitter user going by the name of Elliot Alderson, using the handle @fs0c131y. They found that the application -- used for factory testing -- could be easily used to gain root access to phones. The fact that it is preinstalled on handsets is something of a concern, and OnePlus has yet to respond to questions about the app and its potential for exploitation.
The app is produced by Qualcomm, and The Hacker News explains how to see if you have it:
You can also check if this application is installed on your OnePlus device or not. For this, simply go to settings, open apps, enable show system apps from top right corner menu (three dots) and search for EngineerMode.APK in the list.
If it's there, anyone with physical access to your device can exploit EngineerMode to gain root access on your smartphone.
Details of the exploit have been shared on Twitter:
The escalatedUp method is calling Privilege.escalate(password) and if the result is true, it sets the system properties persist.sys.adbroot and oem.selinux.reload_policy to 1 pic.twitter.com/92LeBfDPAv
— Elliot Alderson (@fs0c131y) November 13, 2017
Elliot Alderson / @fs0c131y intends to use the existence of the app to release a simple tool for rooting OnePlus phones:
I will publish an application on the PlayStore to root your @OnePlus device in the next hours
— Elliot Alderson (@fs0c131y) November 13, 2017
Oh, and if you don’t want to wait for the tool to be released, the code you need to execute to root your phone is:
adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
Although OnePlus has not said whether it intends to push out an update to plug the potential security hole this poses, company co-founder Carl Pei said an investigation is under way:
Thanks for the heads up, we're looking into it.
— Carl Pei (@getpeid) November 13, 2017
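The Settings check quoted above can also be done from a computer. The script below is an added example, not code from the researcher or from OnePlus: it looks for the package named in the command above and reports whether the two system properties from the tweet are already set to 1. The function names, the `--live` switch and the sample output are constructed for illustration, and it assumes `pm list packages` and `getprop` print in their usual formats.

```shell
#!/bin/sh
# Added example: audit a phone for the EngineerMode exposure described in this article.
PKG="com.android.engineeringmode"   # package name taken from the adb command on this page

# has_package TEXT: succeed if `pm list packages` output lists exactly $PKG.
has_package() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$PKG"
}

# props_flipped TEXT: succeed if a `getprop` dump shows either property
# named in the tweet (persist.sys.adbroot, oem.selinux.reload_policy) set to 1.
props_flipped() {
    printf '%s\n' "$1" | tr -d '\r' |
        grep -Eq '^\[(persist\.sys\.adbroot|oem\.selinux\.reload_policy)\]: \[1\]$'
}

# assess PM_OUTPUT GETPROP_OUTPUT: print one verdict.
#   not-present  the app is not installed
#   exposed      the app is installed, properties not set
#   escalated    the app is installed and a property is already 1
assess() {
    if ! has_package "$1"; then
        echo "not-present"
    elif props_flipped "$2"; then
        echo "escalated"
    else
        echo "exposed"
    fi
}

# Constructed sample output, so the logic can be exercised without a device.
SAMPLE_PM='package:com.android.settings
package:com.android.engineeringmode'
SAMPLE_PROPS='[persist.sys.adbroot]: [1]
[ro.build.type]: [user]'

# Live check against an attached device, only when asked for (hypothetical switch).
if [ "${1:-}" = "--live" ]; then
    assess "$(adb shell pm list packages)" "$(adb shell getprop)"
fi
```

An `escalated` verdict on a phone you have not rooted yourself means the properties were changed by someone or something else.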