Tuesday, March 30, 2021

Evercoss Genpro X Pro S50 removing malware Android.Downloader.4930 /system/lib/libcheckperlib.so

 

Requirement:

  • a rooted Android device, or temporary root using mtk-su created by Diplomatic
  • a PC with adb, or Termux

These are the steps to remove the malware Android.Downloader.4930 (/system/lib/libcheckperlib.so) using Termux, created by Grey Shirts:

  1. Create this shell script and save it as S50_patch2021.sh
    #!/system/bin/sh

    # File flagged as Android.Downloader.4930 and the folder that keeps a backup copy.
    FILE="/system/lib/libcheckperlib.so"
    BACKUP_DIR="/sdcard/dedetok"

    echo "checking $FILE"

    if [ -f "$FILE" ]; then
     echo "File $FILE exists."
     echo "Try remount system rw."
     # Remounting /system needs root (mtk-su); stop here if it fails.
     /system/bin/mount -o rw,remount /system || { echo "Remount failed, are you root?"; exit 1; }
     echo "Backing up $FILE."
     /system/bin/mkdir -p "$BACKUP_DIR"
     # Only remove the file once the backup copy has been written.
     /system/bin/cp "$FILE" "$BACKUP_DIR" || { echo "Backup failed, not removing $FILE"; /system/bin/mount -o ro,remount /system; exit 1; }
     echo "Removing $FILE"
     /system/bin/rm "$FILE"
     echo "Remount system ro"
     /system/bin/mount -o ro,remount /system
     echo "Done, reboot your Evercoss S50"
    else
     echo "File $FILE does not exist."
    fi
  2. Or download it from this site. Open Termux and type
    $ wget http://garasiku.my.id/folder/S50_patch2021.sh.txt
  3. Rename it
    $ mv ./S50_patch2021.sh.txt ./S50_patch2021.sh
  4. Change its permissions
    $ chmod 744 ./S50_patch2021.sh
  5. Run mtk-su, then run the script
    # ./S50_patch2021.sh
  6. Reboot your phone

Don't forget to run your antivirus after rebooting your phone. Android is not a safe operating system.
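The script above deletes the library right after copying it, so a failed copy (full /sdcard, unreadable file) still leaves the original gone. The following is an added example, not the blog's script, that only removes the file after the backup copy's SHA-256 matches the original; it keeps the post's paths (/system/lib/libcheckperlib.so, /sdcard/dedetok) and assumes sha256sum is available, which Android's toybox provides. The remount lines are left to the caller so the functions can be exercised on any file.

```shell
#!/system/bin/sh
# Added example (not the blog's own script): remove a flagged file only after a
# verified backup exists. Paths come from the post; any file/dir can be passed.

# Hex SHA-256 of a file (toybox and GNU coreutils both provide sha256sum).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# backup_file SRC DIR : copy SRC into DIR; return 0 only when the copy's hash
# matches the original. A mismatched copy is deleted and 1 is returned.
backup_file() {
    src="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    dst="$dir/$(basename "$src")"
    cp "$src" "$dst" || return 1
    if [ "$(file_sha256 "$src")" = "$(file_sha256 "$dst")" ]; then
        return 0
    fi
    rm -f "$dst"
    return 1
}

# remove_with_backup FILE DIR
#   returns 0 : file backed up and removed
#   returns 2 : file not present, nothing to do
#   returns 1 : backup failed, file left untouched
remove_with_backup() {
    file="$1"; dir="$2"
    if [ ! -f "$file" ]; then
        echo "File $file does not exist."
        return 2
    fi
    echo "Backing up $file to $dir"
    if ! backup_file "$file" "$dir"; then
        echo "Backup failed; NOT removing $file"
        return 1
    fi
    echo "Removing $file"
    rm -f "$file"
}

# On the phone, after mtk-su, the post's sequence becomes:
#   /system/bin/mount -o rw,remount /system
#   remove_with_backup /system/lib/libcheckperlib.so /sdcard/dedetok
#   /system/bin/mount -o ro,remount /system
```

The backup copy is what you keep for later analysis or for submitting to your antivirus vendor; the return codes let a wrapper decide whether it is safe to remount read-only and reboot.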

Android: How to backup your google contact when your account has been deleted by google

 

If your Google account was blocked or deleted by Google, do not immediately remove the account from your phone. You need a Google account to back up your contacts from the old device onto the new one.

Back up your contacts

  1. Open Google Contacts
  2. Go to Settings -> Export
  3. Leave the name as contacts.vcf and save. This backs up all of your existing contacts into the Download folder on your device.

Create a new Google account

  1. Open your phone's Settings
  2. Go to Accounts -> Add account -> Google
  3. Fill in all required data, for example dedetoke@gmail.com

Move your contacts into your new Google account

  1. Open Google Contacts
  2. Tap the profile image at the top right and switch to your new Google account, for example dedetoke@gmail.com
  3. Go to Settings -> Import
  4. Select .vcf file and choose your new Google account, for example dedetoke@gmail.com
  5. Select contacts.vcf from the Download folder
  6. Follow the instructions until the import finishes
  7. Done, your contacts are now backed up into your new Google account.

For WhatsApp, if you want to keep your chats you need to switch the chat backup to your new Google account.

You can do this any time Google blocks or deletes your account: simply create a new account and let Google keep the dead email.

Sunday, March 14, 2021

Evercoss S50: iptables to block buildin bloatware

Note:

  1. You need to run as root, or use mtk-su (created by Diplomatic) for temporary root
  2. Termux with wget installed

These are the background connections captured in NoRoot Firewall by Grey Shirts:

Anti Theft
ip 36.110.234.87 port 80 whois: CHINANET-BJ 36.110.0.0 - 36.110.255.255 CIDR 36.110.0.0/16
ip 104.192.109.67 port 5227 whois: CHINANET-LAX-IDC-2014 104.192.108.0 - 104.192.111.255 CIDR 104.192.108.0/22
ip 211.151.195.194 port 80 whois: CHINA-21VIANET 211.151.0.0 - 211.151.255.255 CIDR 211.151.0.0/16

com.android.sc
ip 47.90.110.234 port 80 whois: AL-3 47.88.0.0 - 47.91.255.255 CIDR 47.88.0.0/14
ip 104.192.110.206 port 80 whois: CHINANET-LAX-IDC-2014 104.192.108.0 - 104.192.111.255 CIDR 104.192.108.0/22
ip 104.192.110.243 port 80 whois: CHINANET-LAX-IDC-2014 104.192.108.0 - 104.192.111.255 CIDR 104.192.108.0/22
ip 124.156.123.59 port 443 whois: ACEVILLEPTELTD-SG 124.156.96.0 - 124.156.191.255 CIDR 124.156.96.0/19 124.156.128.0/18
ip 180.163.251.181 port 80 whois: CHINANET-SH 180.160.0.0 - 180.175.255.255 CIDR 180.160.0.0/12

Config Center
ip 104.182.110.205 port 443 whois: SIS-80-7-29-2014 104.176.0.0 - 104.191.255.255 CIDR 104.176.0.0/12

Initiator
ip 101.198.192.187 port 80 whois: QIHOO 101.198.196.0 - 101.198.199.255 CIDR 101.198.196.0/22
ip 101.198.192.189 port 80 whois: QIHOO 101.198.196.0 - 101.198.199.255 CIDR 101.198.196.0/22

The iptables command format to drop packets from a source address or range:

/system/bin/iptables -I INPUT -s [ip] -j DROP

Create script s50_iptables.sh

#!/bin/sh
echo "Inserting iptables"

if [ "$(/system/bin/iptables -S INPUT | grep -ce '36.110.0.0/16 -j DROP')" != 0 ]
then
    echo "Skiped 36.110.0.0/16 -j DROP"
else
    /system/bin/iptables -I INPUT -s 36.110.0.0/16 -j DROP
    echo "Added 36.110.0.0/16 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '104.192.108.0/22 -j DROP')" != 0 ]
then
    echo "Skiped 104.192.108.0/22 -j DROP"
else
    /system/bin/iptables -I INPUT -s 104.192.108.0/22 -j DROP
    echo "Added 104.192.108.0/22 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '211.151.0.0/16 -j DROP')" != 0 ]
then
    echo "Skiped 211.151.0.0/16 -j DROP"
else
    /system/bin/iptables -I INPUT -s 211.151.0.0/16 -j DROP
    echo "Added 211.151.0.0/16 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '47.88.0.0/14 -j DROP')" != 0 ]
then
    echo "Skiped 47.88.0.0/14 -j DROP"
else
    /system/bin/iptables -I INPUT -s 47.88.0.0/14 -j DROP
    echo "Added 47.88.0.0/14 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '124.156.96.0/19 -j DROP')" != 0 ]
then
    echo "Skiped 124.156.96.0/19 -j DROP"
else
    /system/bin/iptables -I INPUT -s 124.156.96.0/19 -j DROP
    echo "Added 124.156.96.0/19 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '124.156.128.0/18 -j DROP')" != 0 ]
then
    echo "Skiped 124.156.128.0/18 -j DROP"
else
    /system/bin/iptables -I INPUT -s 124.156.128.0/18 -j DROP
    echo "Added 124.156.128.0/18 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '180.160.0.0/12 -j DROP')" != 0 ]
then
    echo "Skiped 180.160.0.0/12 -j DROP"
else
    /system/bin/iptables -I INPUT -s 180.160.0.0/12 -j DROP
    echo "Added 180.160.0.0/12 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '104.176.0.0/12 -j DROP')" != 0 ]
then
    echo "Skiped 104.176.0.0/12 -j DROP"
else
    /system/bin/iptables -I INPUT -s 104.176.0.0/12 -j DROP
    echo "Added 104.176.0.0/12 -j DROP"
fi

if [ "$(/system/bin/iptables -S INPUT | grep -ce '101.198.196.0/22 -j DROP')" != 0 ]
then
    echo "Skiped 101.198.196.0/22 -j DROP"
else
    /system/bin/iptables -I INPUT -s 101.198.196.0/22 -j DROP
    echo "Added 101.198.196.0/22 -j DROP"
fi

echo "Done"

To run the script, open Termux and run mtk-su to gain root.

Download the script

# wget http://garasiku.my.id/folder/s50_iptables.sh.txt

Rename and change permission

# mv ./s50_iptables.sh.txt ./s50_iptables.sh
# chmod 744 ./s50_iptables.sh

Run it

# ./s50_iptables.sh

To check it, run

# /system/bin/iptables-save | grep INPUT

Or

# /system/bin/iptables -S INPUT

Known Problem: After restarting or booting the device, the firewall rules will be flushed! In the future, I will fix this by putting it in /system/etc/init and running it when the device finishes booting.

To run it over ADB, replace #!/bin/sh with #!/system/bin/sh.
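The script above repeats the same if/else nine times, and its "already present?" test is a regex, so the dots in '36.110.0.0/16' match any character. As an added example, not the blog's downloadable s50_iptables.sh, here is the same rule set expressed as one loop over the post's CIDRs, with the presence check done on a fixed string (grep -F) against the `iptables -S INPUT` output. The check is split into functions that read the rule listing from stdin, so it can be exercised on a captured listing without root; only apply_rules touches iptables. The IPTABLES path and the `-A INPUT -s <cidr> -j DROP` listing format are assumed to match the post's Android toybox/iptables.

```shell
#!/system/bin/sh
# Added example (not the blog's own script): idempotent insertion of the post's
# DROP rules as a loop, with a fixed-string check instead of a regex.

# Source ranges from the post's whois notes.
BLOCKED_CIDRS="36.110.0.0/16 104.192.108.0/22 211.151.0.0/16 47.88.0.0/14
124.156.96.0/19 124.156.128.0/18 180.160.0.0/12 104.176.0.0/12 101.198.196.0/22"

# Path assumed from the post; override with IPTABLES=... when testing elsewhere.
IPTABLES=${IPTABLES:-/system/bin/iptables}

# rule_present CIDR : reads `iptables -S INPUT` output on stdin; returns 0 when a
# "-s CIDR -j DROP" rule is already listed. -F keeps "." literal and "--" stops
# the leading "-s" from being read as a grep option.
rule_present() {
    grep -qF -- "-s $1 -j DROP"
}

# missing_cidrs : reads the current INPUT listing on stdin and prints, one per
# line, every CIDR from BLOCKED_CIDRS that has no DROP rule yet.
missing_cidrs() {
    rules=$(cat)
    for cidr in $BLOCKED_CIDRS; do
        if ! printf '%s\n' "$rules" | rule_present "$cidr"; then
            printf '%s\n' "$cidr"
        fi
    done
}

# apply_rules : insert one DROP rule per missing CIDR (needs root, e.g. mtk-su).
# Re-running it after the rules exist adds nothing, like the post's skip branch.
apply_rules() {
    for cidr in $("$IPTABLES" -S INPUT | missing_cidrs); do
        "$IPTABLES" -I INPUT -s "$cidr" -j DROP && echo "Added $cidr -j DROP"
    done
    echo "Done"
}

# Usage on the phone after mtk-su:  apply_rules
```

Because the rules are inserted with `-I INPUT` they sit at the top of the chain, ahead of anything Android's own netd rules accept; `iptables -S INPUT` afterwards shows them in the order the loop added them. The boot-time flush the post mentions is not addressed here.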

Credit:

  • MTK-SU by Diplomatic
  • NoRoot Firewall by Grey Shirts
  • Application Inspector by UBQSoft

Android mtk-su: running Termux as root

 

For Android releases before 2020 with an MTK processor, you can temporarily root your phone using mtk-su created by Diplomatic. It is good for blocking bloatware that behaves badly!

You can run Termux as root and make some system changes to block bloatware. The steps are:

1. Download and install Termux from the Play Store, APKPure, APKMirror or another provider you trust.

2. Run Termux and install wget
$ pkg install wget
Note: Do not install it as root!

3. Download mtk-su created by Diplomatic, or download it from this site
$ wget http://garasiku.my.id/folder/mtk-su_r23.zip

4. Unzip it
$ unzip mtk-su_r23.zip

5. Run it

$ ./arm/mtk-su
#
or
$ ./arm64/mtk-su
#

After your prompt changes to #, you are the root user!

Reference link:

https://forum.xda-developers.com/t/amazing-temp-root-for-mediatek-armv8-2020-08-24.3922213/

Wednesday, March 10, 2021

Android Evercoss S50: using mtk-su to block hosts api.os.qiku.com and api-en.os.qiku.com

The commands, step by step, to block api.os.qiku.com and api-en.os.qiku.com:

$ adb pull /system/etc/hosts ./

Edit hosts so it reads:
127.0.0.1       localhost
127.0.0.1       api.os.qiku.com
127.0.0.1       api-en.os.qiku.com
::1             ip6-localhost
::1             api.os.qiku.com
::1             api-en.os.qiku.com

$ adb push ./hosts /data/local/tmp/

$ adb shell
EVERCOSS_S50:/ $ cd /data/local/tmp
EVERCOSS_S50:/data/local/tmp $ ./mtk-su                                        
UID: 0  cap: 3fffffffff  selinux: permissive  
EVERCOSS_S50:/data/local/tmp # mount -o rw,remount /system
EVERCOSS_S50:/data/local/tmp # cat hosts
127.0.0.1       localhost
127.0.0.1       api.os.qiku.com
127.0.0.1       api-en.os.qiku.com
::1             ip6-localhost
::1             api.os.qiku.com
::1             api-en.os.qiku.com
EVERCOSS_S50:/data/local/tmp # cp hosts /system/etc/     
EVERCOSS_S50:/data/local/tmp # cat /system/etc/hosts
127.0.0.1       localhost
127.0.0.1       api.os.qiku.com
127.0.0.1       api-en.os.qiku.com
::1             ip6-localhost
::1             api.os.qiku.com
::1             api-en.os.qiku.com
EVERCOSS_S50:/data/local/tmp # mount -o ro,remount /system

Done!

Note: For Evercoss S50, You need to FORCE STOP and DISABLE "Anti-Theft"!
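Pulling the hosts file and retyping it by hand works once, but it is easy to end up with duplicate lines, or to overwrite entries another tool added, when the file is edited again later. As an added example, not the blog's own commands, the script below appends the two loopback entries from the post for each qiku hostname only when that name is not already mapped, using a whole-field match so that api.os.qiku.com does not count as os.qiku.com. It assumes awk is available (toybox ships one) and operates on whatever file path it is given, so it can be run on the pulled copy before `adb push`.

```shell
#!/system/bin/sh
# Added example (not the blog's own commands): idempotently add sinkhole entries
# for the post's two hostnames to a hosts file.

# Hostnames from the post.
BLOCKED_HOSTS="api.os.qiku.com api-en.os.qiku.com"

# host_blocked FILE NAME : 0 if FILE already has a "127.0.0.1 NAME" line.
# Fields are compared whole, so a longer name containing NAME does not match.
host_blocked() {
    awk -v h="$2" '$1 == "127.0.0.1" && $2 == h { found = 1 } END { exit !found }' "$1"
}

# add_blocked_hosts FILE : append a v4 and a v6 loopback line for every name
# not yet present; prints the number of names added.
add_blocked_hosts() {
    file="$1"; added=0
    for h in $BLOCKED_HOSTS; do
        if host_blocked "$file" "$h"; then
            continue
        fi
        printf '127.0.0.1\t%s\n::1\t%s\n' "$h" "$h" >> "$file"
        added=$((added + 1))
    done
    echo "$added"
}

# On the phone the post's flow becomes:
#   adb pull /system/etc/hosts ./hosts
#   add_blocked_hosts ./hosts
#   adb push ./hosts /data/local/tmp/
#   then mtk-su, mount -o rw,remount /system, cp, mount -o ro,remount /system
```

Running add_blocked_hosts a second time prints 0 and leaves the file unchanged, which is what you want when the same script is kept around for the next firmware update that restores /system/etc/hosts.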

Download mtk-su from https://forum.xda-developers.com/t/amazing-temp-root-for-mediatek-armv8-2020-08-24.3922213/