Reversing Android firmware to get secret codes
While on holiday, I saw that someone in my family had bought a new tablet called the K107. After some searching, I found many vendors selling this kind of cheap Chinese tablet.
So I wanted to know more about what is preinstalled on it.
Getting the firmware
I searched for the tablet's model and quickly found the firmware.
But I also found another tool that looked weird :
It also allows you to detect and remove the Pattern Lock or PIN Lock from the device.
Never mind, in this blog post our goal is to find some secret codes.
So I downloaded the firmware and got a RAR file. Once extracted, it contained the following :
$ file system.img
system.img: Android sparse image, version: 1.0, Total of 393216 4096-byte output blocks in 4999 input chunks.
A sparse image cannot be mounted as-is; it has to be expanded into a raw image first. There is a tool called simg2img (https://github.com/anestisb/android-simg2img) that does exactly that :
$ mkdir system
$ simg2img system.img system.raw
$ sudo mount -o ro,loop system.raw system
Then you have the firmware's files under system/. Mounting read-only is a good habit here: the extracted image stays identical to the download, so anything you find later can be reproduced from it.
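To make concrete what simg2img does with the header that file just printed, here is an added example (my own code, not part of the original post or of the simg2img project) that parses the Android sparse format and expands a sparse image into a raw one. It follows the chunk layout of AOSP's libsparse (RAW, FILL, DONT_CARE and CRC32 chunks). The image it runs on is a small constructed sample with a 16-byte block size, not the K107 firmware, and the build_sparse helper exists only to construct that sample.

```python
import struct
import zlib

# Constants from AOSP system/core/libsparse/sparse_format.h
SPARSE_HEADER_MAGIC = 0xED26FF3A
CHUNK_TYPE_RAW = 0xCAC1        # body is chunk_sz blocks of literal data
CHUNK_TYPE_FILL = 0xCAC2       # body is one 4-byte pattern, repeated over chunk_sz blocks
CHUNK_TYPE_DONT_CARE = 0xCAC3  # no body; chunk_sz blocks are unallocated (read as zero)
CHUNK_TYPE_CRC32 = 0xCAC4      # no blocks; body is a CRC32 of everything expanded so far

FILE_HDR = struct.Struct("<IHHHHIIII")  # magic, major, minor, file_hdr_sz, chunk_hdr_sz,
                                        # blk_sz, total_blks, total_chunks, image_checksum
CHUNK_HDR = struct.Struct("<HHII")      # chunk_type, reserved, chunk_sz (blocks), total_sz (bytes)


def sparse_info(data: bytes):
    """Return (block_size, total_blocks, total_chunks): the numbers `file` prints."""
    if len(data) < FILE_HDR.size:
        raise ValueError("truncated sparse header")
    magic, major, _minor, _fh, _ch, blk_sz, total_blks, total_chunks, _crc = FILE_HDR.unpack_from(data, 0)
    if magic != SPARSE_HEADER_MAGIC:
        raise ValueError("not an Android sparse image (magic 0x%08x)" % magic)
    if major != 1:
        raise ValueError("unsupported sparse format major version %d" % major)
    return blk_sz, total_blks, total_chunks


def sparse_to_raw(data: bytes) -> bytes:
    """Expand a sparse image into the raw image it encodes (what simg2img does)."""
    blk_sz, total_blks, total_chunks = sparse_info(data)
    file_hdr_sz, chunk_hdr_sz = FILE_HDR.unpack_from(data, 0)[3:5]
    if blk_sz == 0 or blk_sz % 4:
        raise ValueError("block size must be a non-zero multiple of 4")
    out = bytearray()
    pos = file_hdr_sz  # honour the header size field instead of assuming 28 bytes
    for _ in range(total_chunks):
        if pos + chunk_hdr_sz > len(data):
            raise ValueError("truncated chunk header")
        ctype, _reserved, chunk_blks, total_sz = CHUNK_HDR.unpack_from(data, pos)
        if total_sz < chunk_hdr_sz or pos + total_sz > len(data):
            raise ValueError("chunk extends past end of file")
        body = data[pos + chunk_hdr_sz:pos + total_sz]
        nbytes = chunk_blks * blk_sz
        if ctype == CHUNK_TYPE_RAW:
            if len(body) != nbytes:
                raise ValueError("RAW chunk body does not match its block count")
            out += body
        elif ctype == CHUNK_TYPE_FILL:
            if len(body) != 4:
                raise ValueError("FILL chunk must carry exactly a 4-byte pattern")
            out += body * (nbytes // 4)
        elif ctype == CHUNK_TYPE_DONT_CARE:
            out += bytes(nbytes)  # simg2img seeks over these; a file hole reads back as zeros
        elif ctype == CHUNK_TYPE_CRC32:
            if len(body) != 4:
                raise ValueError("CRC32 chunk must carry exactly 4 bytes")
            if zlib.crc32(bytes(out)) & 0xFFFFFFFF != struct.unpack("<I", body)[0]:
                raise ValueError("CRC32 mismatch: image truncated, corrupted or tampered with")
        else:
            raise ValueError("unknown chunk type 0x%04x" % ctype)
        pos += total_sz
    if len(out) != total_blks * blk_sz:
        raise ValueError("expanded %d bytes, header promised %d" % (len(out), total_blks * blk_sz))
    return bytes(out)


def is_intact(data: bytes) -> bool:
    """True if the image parses completely and its CRC32 chunk (when present) matches."""
    try:
        sparse_to_raw(data)
        return True
    except ValueError:
        return False


def build_sparse(blk_sz: int, chunks) -> bytes:
    """Constructed-sample generator (test data only): pack (type, blocks, payload)
    tuples the way img2simg would, appending a CRC32 chunk at the end."""
    body, expanded = bytearray(), bytearray()
    for ctype, blks, payload in chunks:
        if ctype == CHUNK_TYPE_RAW:
            expanded += payload
        elif ctype == CHUNK_TYPE_FILL:
            expanded += payload * (blks * blk_sz // 4)
        else:  # DONT_CARE
            expanded += bytes(blks * blk_sz)
        body += CHUNK_HDR.pack(ctype, 0, blks, CHUNK_HDR.size + len(payload)) + payload
    crc = zlib.crc32(bytes(expanded)) & 0xFFFFFFFF
    body += CHUNK_HDR.pack(CHUNK_TYPE_CRC32, 0, 0, CHUNK_HDR.size + 4) + struct.pack("<I", crc)
    hdr = FILE_HDR.pack(SPARSE_HEADER_MAGIC, 1, 0, FILE_HDR.size, CHUNK_HDR.size,
                        blk_sz, len(expanded) // blk_sz, len(chunks) + 1, 0)
    return hdr + bytes(body)


# Constructed sample: a 16-byte block size (real images use 4096) keeps it readable.
SAMPLE_SPARSE = build_sparse(16, [
    (CHUNK_TYPE_RAW, 1, b"ANDROID-RAW-BLK!"),   # one block of literal data
    (CHUNK_TYPE_FILL, 2, b"\xde\xad\xbe\xef"),  # two blocks filled with a pattern
    (CHUNK_TYPE_DONT_CARE, 1, b""),             # one unallocated block
])

if __name__ == "__main__":
    print("header:", sparse_info(SAMPLE_SPARSE))
    print("raw image:", sparse_to_raw(SAMPLE_SPARSE).hex())
```

On a real firmware, read system.img in binary mode and write the result of sparse_to_raw to system.raw. The trailing CRC32 chunk, when the vendor's packer emitted one, is also the cheapest way to notice a truncated or tampered download before you start drawing conclusions from what you mount.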
Reversing vendor application
Here the folder that interested me was vendor/app; inside it you can see the application EngineerMode.
Let's reverse it.
Inside the folder we have the following :
$ tree
.
├── EngineerMode.apk
└── oat
    └── arm
        └── EngineerMode.odex
2 directories, 2 files
So there is one EngineerMode.apk and one file with the odex extension, EngineerMode.odex.
EngineerMode.apk opened in jadx-gui is quite empty: it only contains resource files, not the code :
So let's reverse the odex instead.
WHAT IS AN ODEX FILE? In Android file system, applications come in packages with the extension .apk. These application packages, or APKs contain certain .odex files whose supposed function is to save space. These ‘odex’ files are actually collections of parts of an application that are optimized before booting. Doing so speeds up the boot process, as it preloads part of an application. On the other hand, it also makes hacking those applications difficult because a part of the coding has already been extracted to another location before execution.
So it’s an
apk pre-optimized for the android system.
To reverse it I used baksmali (https://github.com/JesusFreke/smali). To deodex an odex file you need to provide the framework it was compiled against, /system/framework/arm; fortunately, since we have the firmware, we have it :
$ java -jar baksmali-2.3.4.jar x EngineerMode.odex -d k107-mb-8.1/system/framework/arm -o EngineerMode
We get the smali files in the EngineerMode folder :
$ tree
.
├── android
│   └── support
│       ├── annotation
│       │   ├── AnimatorRes.smali
│       │   ├── AnimRes.smali
│       │   ├── AnyRes.smali
│       │   ├── AnyThread.smali
│       │   ├── ArrayRes.smali
│       │   ├── AttrRes.smali
│       │   ├── BinderThread.smali
│       │   ├── BoolRes.smali
│       │   ├── CallSuper.smali
│       │   ├── CheckResult.smali
[...]
139 directories, 3162 files
But as I'm lazy I don't like reading smali code, so we will rebuild the original application.
Remember the apk file containing the resources: we can extract those resources and add them to the current project.
An apktool project has the following layout, with the decoded AndroidManifest.xml, apktool.yml and res/ next to a smali/ directory, which is exactly where the baksmali output belongs.
So let's rebuild that layout: decode the apk that contains only the resources into a project folder, drop the baksmali output into its smali/ directory, and then rebuild the app :
$ apktool d EngineerMode.apk -o rebuild_folder
$ apktool b rebuild_folder -o rebuilt.apk
And open it in jadx-gui: we now have understandable Java \o/
In the AndroidManifest.xml we can see the following :
So if you type *#*#3646633#*#* in the dialer it will launch EngineerMode on the tablet (3646633 is what ENGMODE spells on a phone keypad).
(You can also launch it with adb, adb shell am start -n com.mediatek.engineermode/.EngineerMode, or deliver the secret code itself without a dialer, adb shell am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://3646633, but you need to enable adb first.)
And tadaaaa :
One more interesting thing is that there is some more code in the application, probably used during development, that is no longer reachable from the UI :
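The manifest check above is worth automating across the whole firmware, since EngineerMode is rarely the only app registering a dial code. Here is an added example (my own code, not from the post, from MediaTek or from apktool) that walks apktool-decoded manifests and lists every secret-code entry point together with whether the component is exported. It assumes the manifests have already been decoded to text XML by apktool d; the two SECRET_CODE action names are the ones defined by the Android framework (the classic broadcast for receivers, and the activity intent added in Android 8.0). The sample manifest is constructed: the 3646633 code and the .EngineerMode activity are from the post, while .SecretCodeReceiver and .HiddenDebugActivity (code 1234) are made-up class names for illustration.

```python
import os
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Receivers get the classic broadcast; since Android 8.0 an activity can also be
# targeted directly through the android.telephony.action.SECRET_CODE intent.
SECRET_CODE_ACTIONS = {
    "android.provider.Telephony.SECRET_CODE",
    "android.telephony.action.SECRET_CODE",
}
SECRET_CODE_SCHEME = "android_secret_code"


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def find_secret_codes(manifest_xml: str) -> List[Tuple[str, str, str, bool]]:
    """Return (kind, fully qualified component, dial string, exported) for every
    intent-filter that accepts a SECRET_CODE action on an android_secret_code host."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    hits = []
    if app is None:
        return hits
    for comp in app:
        if comp.tag not in ("receiver", "activity", "activity-alias", "service"):
            continue
        name = _attr(comp, "name") or ""
        if name.startswith("."):  # apktool keeps the short form; expand it
            name = package + name
        # A component that declares an intent-filter is exported unless it says otherwise.
        exported = _attr(comp, "exported") != "false"
        for flt in comp.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if not actions & SECRET_CODE_ACTIONS:
                continue
            for d in flt.findall("data"):
                host = _attr(d, "host")
                if _attr(d, "scheme") == SECRET_CODE_SCHEME and host:
                    hits.append((comp.tag, name, "*#*#%s#*#*" % host, exported))
    return hits


def scan_decoded_tree(root_dir: str) -> List[Tuple[str, str, str, str, bool]]:
    """Walk a directory of apktool-decoded apps (one folder per apk) and collect the
    secret codes of every AndroidManifest.xml found, prefixing each hit with its path."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if "AndroidManifest.xml" not in files:
            continue
        path = os.path.join(dirpath, "AndroidManifest.xml")
        with open(path, encoding="utf-8", errors="replace") as fh:
            try:
                hits = find_secret_codes(fh.read())
            except ET.ParseError:
                continue  # still a binary (non-decoded) manifest; skip it
        results.extend((path,) + h for h in hits)
    return results


# Constructed sample in the form apktool writes. 3646633 and the .EngineerMode activity
# come from the post; .SecretCodeReceiver and .HiddenDebugActivity (code 1234) are made up
# to show an exported and a non-exported secret-code entry point side by side.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mediatek.engineermode">
  <application android:label="EngineerMode">
    <activity android:name=".EngineerMode" android:exported="true"/>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="3646633"/>
      </intent-filter>
    </receiver>
    <activity android:name=".HiddenDebugActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.telephony.action.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, comp, code, exported in find_secret_codes(SAMPLE_MANIFEST):
        print("%-9s %-50s %-18s exported=%s" % (kind, comp, code, exported))
```

Run scan_decoded_tree on the folder holding your apktool d outputs to get the same listing for the whole firmware. The exported flag is the part worth reading twice: a component with an intent-filter is reachable from other apps unless android:exported is explicitly false, so it tells you whether a code is only a dialer shortcut or also an entry point any installed app can knock on.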