Tuesday, January 5, 2021

Android MTK Bug to remove Android bloatware (mtk-su)

 

There is a bug in MTK devices that affects most MTK handsets with Android firmware released before 2020.

You can gain root on an MTK device using mtk-su: https://forum.xda-developers.com/t/amazing-temp-root-for-mediatek-armv8-2020-08-24.3922213/ or https://forum.xda-developers.com/t/rapid-temporary-root-for-hd-8-hd-10.3904595/.

I tried to remove bloatware on a Genpro X Pro S50 (Android 7.0), i.e. com.android.sc (Android/Trojan.Syringe.AD, part of the system applications).

I'm sorry, I was unable to compile the TWRP source or the Magisk source for the Genpro X Pro S50.

Requirements: any PC with any operating system, with:

  • working adb
  • phone/handset with developer options and USB debugging enabled

1. download mtk-su.zip (version 23 or latest) from https://forum.xda-developers.com/t/amazing-temp-root-for-mediatek-armv8-2020-08-24.3922213/ or https://forum.xda-developers.com/t/rapid-temporary-root-for-hd-8-hd-10.3904595/ and unzip it.

2. push ./arm/mtk-su into /data/local/tmp

$ adb push ./arm/mtk-su /data/local/tmp/
./arm/mtk-su: 1 file pushed, 0 skipped. 78.7 MB/s (60840 bytes in 0.001s)

3. log in to the handset shell and change the permission to execute

$ ./adb shell

EVERCOSS_S50:/ $ cd /data/local/tmp
EVERCOSS_S50:/data/local/tmp $ chmod 755 mtk-su

4. run ./mtk-su

EVERCOSS_S50:/data/local/tmp $ ./mtk-su -v                    
armv7l machine
param1: 0x1000, param2: 0x8040, type: 4
Building symbol table
kallsyms_addresses pa 0x40bc2460
kallsyms_num_syms 54191, addr_count 54191
kallsyms_names pa 0x40bf7330, size 646794
kallsyms_markers pa 0x40c951c0
kallsyms_token_table pa 0x40c95510
kallsyms_token_index pa 0x40c95890
Patching credentials
Parsing current_is_single_threaded
c0362760: MOVW R0, #0x8d50
c0362764: MOVT R0, #0xc102
Possible list_head tasks at offset 0x290
comm swapper/0 at offset 0x400
Found own task_struct at node 1
cred VA: 0xc9dbe000
init_task VA: 0xc1028d50
Parsing avc_denied
c0aeca70: MOVW R12, #0x1278
c0aeca74: MOVT R12, #0xc113
selinux_enforcing VA: 0xc1131278
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0  cap: 3fffffffff  selinux: permissive

5. try to remove com.android.sc

EVERCOSS_S50:/data/local/tmp # pm uninstall -k --user 0 com.android.sc
Success

NOTE:

  1. This method cannot remove com.android.sc permanently.
  2. The adb push destination must be the directory /data/local/tmp!
  3. # means you are in root mode.
  4. After you restart your device, com.android.sc is still active!

FOR EDUCATIONAL PURPOSES ONLY
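
To check the state described in the NOTE before and after a reboot, the following added example (not part of the original post) classifies the three packages named on this page from `pm list packages` output. The sample listings are constructed; the `package:<name>` line format and the `-u` (include uninstalled packages) flag are those of the standard Android `pm` tool, and the `--live` switch is a name chosen for this example.

```shell
#!/bin/sh
# Added example: report whether the packages named on this page are installed
# for user 0, uninstalled for that user only, or absent from the device.
WATCHLIST="com.android.sc com.app.settings.amtapp com.viysr.wkcx"

# has_pkg LISTING NAME: true if LISTING has the exact line "package:NAME".
# -x forces a whole-line match, so com.android.sc does not match
# com.android.scanner; tr drops the CRs that older adb shells emit.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Fxq -- "package:$2"
}

# classify INSTALLED ALL NAME
#   INSTALLED: output of `pm list packages --user 0`
#   ALL:       output of `pm list packages -u --user 0`
classify() {
    if has_pkg "$1" "$3"; then
        echo "installed"
    elif has_pkg "$2" "$3"; then
        # Still known to the package manager, only hidden for this user.
        echo "uninstalled-for-user"
    else
        echo "absent"
    fi
}

report() {
    for p in $WATCHLIST; do
        printf '%-26s %s\n' "$p" "$(classify "$1" "$2" "$p")"
    done
}

# Constructed sample listings (not captured from a real device).
SAMPLE_INSTALLED='package:com.android.settings
package:com.android.scanner
package:com.app.settings.amtapp'
SAMPLE_ALL='package:com.android.settings
package:com.android.scanner
package:com.android.sc
package:com.app.settings.amtapp'

if [ "${1:-}" = "--live" ]; then
    # Query the attached handset; needs working adb and USB debugging.
    report "$(adb shell pm list packages --user 0)" \
           "$(adb shell pm list packages -u --user 0)"
else
    report "$SAMPLE_INSTALLED" "$SAMPLE_ALL"
fi
```

Run it with `--live` once right after step 5 and again after a reboot; a package that moves from `uninstalled-for-user` back to `installed` has been restored.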

  1. source code of com.android.sc (Syringe.AD): https://garasiku.my.id/android_malware_source/com.android.sc-1.3.3-1033_source_from_JADX.zip
  2. source code of "App Settings", dropped by com.android.sc: https://garasiku.my.id/android_malware_source/com.app.settings.amtapp-2.66-266_source_from_JADX.zip
  3. source code of com.viysr.wkcx, dropped by com.android.sc: https://garasiku.my.id/android_malware_source/com.viysr.wkcx-1.0-1_source_from_JADX.zip
