
Root [ROOT][OUDHS] Spirited Away: RCT Nerfer Edition :: 5/7/13 :: FULL TECHNICAL NOTES INSIDE

k0nane

Android Expert
Apr 8, 2011
k0nane and the Official Unloved Devices Hit Squad present...
Spirited Away: RCT Nerfer Edition
With thanks to Dan Rosenberg and the original Spirited Away he created!


Root! Root, root root, root.

Verizon doesn't want you to have it. The OUDHS does! At the behest of everyone's favorite giant, oligopolist, anti-consumer, borderline-evil carrier, LG stuck what they call the Root Checker Tool (RCT) into the guts of the Lucid 2. Not yet seen on other LG models, the RCT checks for - and perhaps prevents the execution of - certain root tools. It also leaves logs of the presence or running of said tools. See the second post for more details.

This package cuts off RCT's head and gives you - not your carrier or the OEM - a bit more control over your phone. This does not unlock the bootloader, unfortunately. It's just root.

Code:
#include <external/cyanogenmod/std_disclaimer.h>
/*
 * I am not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about features included in this ROM
 * before flashing it! YOU are choosing to make these modifications, and if
 * you point the finger at me for messing up your device, I will laugh at you.
 */
Instructions


  1. Download the package.
  2. Extract the contents of the zip.
  3. Ensure you have installed the drivers for your phone.
  4. Connect it to USB, wait for it to be detected.
  5. Double-click run.bat, follow on-screen instructions. Mac and Linux users, open the file and follow along, it's just a set of ADB commands.
  6. Let it finish, continuing to follow instructions.

That's it! Your device will autoreboot. You will be rooted.

FAQ

Q: What does this install?
A: Your device will have Superuser (ChainsDD's variant, the original), the su binary, and BusyBox 1.20.2 on it.

Q: Can I use this on a device that isn't the Verizon-model LG Lucid 2?
A: That's a bad idea. Don't do that. Don't whine to us if you break stuff by doing so.

Q: Will this survive OTAs?
A: Probably not, and it's almost guaranteed that RCT will come back with a vengeance! Be very careful with updates!

Q: I've tried to root already, can LG/Verizon tell?
A: Unless you reset what's already been written, they sure can. See the next post.

Downloads



Credits:



  • Shabbypenguin: making me aware of the issues on this device, initial testing, general awesomesauce
  • SICFreak: remote access to two devices, time, taking the risk, patience
  • Dan Rosenberg (@djrbliss): Spirited Away exploit, reverse engineering of rctd post-root
  • The OUD Hit Squad: for being made of either unstable isotopes of uranium, or pure greatness, one of the two
  • LG and Verizon: just kidding, f*ck you both :D


Donations

This is not, and will never be donationware. However, bandwidth and time isn't free. :) Your generosity - if you feel like showing it - is highly appreciated! Thank you!

Donate to Dan Rosenberg:

 
Technical Details

Just what do we know about RCT? RCT, the Root Checker Tool, has one primary purpose: to make persistent note of any presence of rooting-related tools, the running of su, or the remounting of the system partition as read-write. The main "meat" of the tool - if not all of it - is in /system/bin/rctd. Mr. Rosenberg was kind enough to decompile and analyze the tool, and state that it checks for the following files:


  • /system/[bin,sbin,xbin]/su
  • /sbin/su
  • /data/local/tmp/su
  • /system/app/[s,S]uper[u,U]ser.apk
  • /data/data/com.noshufou.android.su
  • /data/local/tmp/[s,S]uper[u,U]ser.apk
  • /system/[bin,xbin]/busybox
  • /data/local/tmp/busybox
The tool writes a hexadecimal number to /persist/rct and /data/system/lgmdm_root_flags.txt (these files are identical in contents) that represents the "root status". Mr. Rosenberg confirms that "[the] number is an encoded representation of whether su, Superuser, busybox, etc. are installed". The tool writes a human-readable representation of what it's found to /persist/rct.cfg. An example from a rooted system (if used on a previously-virgin system, this package will prevent this from being written):


Code:
Rooted

 Not allowed command had been executed.
  > su
 Mount option had been changed.
  > /system
 Rooting related file had been installed.
  > su
  > superuser
  > busybox

[LG RCT v1.0.1220]
A "clean" system will display "not rooted" and nothing else except the bottom line.
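Two helpers, added here as an example and not part of the original post or the OUDHS package: the first expands the [a,b] path patterns listed above into the concrete paths rctd tests for, and the second parses the human-readable rct.cfg report into structured findings that can be compared against a pulled /persist directory. The sample rct.cfg text is the one quoted in this post, embedded inline; the section headings are assumed to be exact strings.

```python
import re
from itertools import product
# File patterns rctd checks, as listed in the post; "[a,b]" marks alternatives.
RCT_CHECK_PATTERNS = [
    "/system/[bin,sbin,xbin]/su",
    "/sbin/su",
    "/data/local/tmp/su",
    "/system/app/[s,S]uper[u,U]ser.apk",
    "/data/data/com.noshufou.android.su",
    "/data/local/tmp/[s,S]uper[u,U]ser.apk",
    "/system/[bin,xbin]/busybox",
    "/data/local/tmp/busybox",
]
# rct.cfg section headings (assumed to be exact strings, taken from the sample above).
SECTION_HEADERS = {
    "Not allowed command had been executed.": "commands",
    "Mount option had been changed.": "mounts",
    "Rooting related file had been installed.": "files",
}

def expand_pattern(pattern):
    """Turn "/system/[bin,xbin]/busybox" into every concrete path it denotes."""
    parts = re.split(r"\[([^\]]+)\]", pattern)  # literal, alternatives, literal, ...
    choices = [[p] if i % 2 == 0 else p.split(",") for i, p in enumerate(parts)]
    return ["".join(combo) for combo in product(*choices)]

def all_check_paths():
    return [p for pat in RCT_CHECK_PATTERNS for p in expand_pattern(pat)]  # flat list

def parse_rct_cfg(text):
    """Parse the human-readable rct.cfg report into structured findings."""
    report = {"rooted": False, "version": None, "commands": [], "mounts": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() in ("rooted", "not rooted"):
            report["rooted"] = line.lower() == "rooted"
        elif line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
        elif line.startswith(">") and section:
            report[section].append(line[1:].strip())
        elif line.startswith("[LG RCT") and line.endswith("]"):
            report["version"] = line[1:-1]
    return report

# Constructed sample: the rooted-system rct.cfg quoted in the post.
SAMPLE_RCT_CFG = ("Rooted\n\n Not allowed command had been executed.\n  > su\n"
                  " Mount option had been changed.\n  > /system\n"
                  " Rooting related file had been installed.\n  > su\n  > superuser\n"
                  "  > busybox\n\n[LG RCT v1.0.1220]\n")
```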

RCT also writes copies of ls -l /, portions of /dev/log/main and /dev/log/system, ls -l /system/app, ls -l /persist/LostFound, df -h, and basic system information (see below) to files named after asteroids and stored in /persist/LostFound.

Code:
VS870 4G
Model name : L1v
Manufacture : LGE
OS Version : 4.1.2
Secure : 1
Operator : Verizon Wireless
Country : US
Product version : M8960A-AAAANAZM-3.0.0743
Build date : Wed Mar  6 21:51:54 KST 2013
RCT may have other functions. rctd only does what's described above - it's a logger and nothing more, according to Mr. Rosenberg. There may be other portions of the system, but I have not found them.

I do have "clean" copies of the entire /persist and lgmdm_root_flags.txt, but due to the sensitive nature of some of the logs, and to protect the privacy of my tester, I prefer not to publicly distribute them. If anyone needs them, please contact me here, on XDA, Twitter, or chat.freenode.net #oudhitsquad.

How RCT Starts/Is Triggered

rctd, the main daemon that makes up RCT, is started as a system service in init.l1v.rc. I seem to have misplaced my copy of this file/the kernel, but it's a very standard service start. As the bootloader is currently locked, there's not much that can be done about this.

Inside com.lge.systemservice.core, BootCompletedReceiver waits for the BOOT_COMPLETED signal to be thrown, then executes the following:

Code:
const-string v1, "ro.build.target_operator"

    const-string v2, ""

    invoke-static {v1, v2}, Landroid/os/SystemProperties;->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v1

    const-string v2, "VZW"

    invoke-virtual-quick {v1, v2}, vtable@0x18

    move-result v1

    if-eqz v1, :cond_1d

    .line 12
    new-instance v0, Landroid/content/Intent;

    invoke-direct {v0}, Landroid/content/Intent;-><init>()V

    .line 13
    .local v0, mServiceIntent:Landroid/content/Intent;
    const-string v1, "com.lge.action.ROOTINGCHECKER"

    invoke-virtual-quick {v0, v1}, vtable@0x6c

    .line 14
    invoke-virtual-quick {p1, v0}, vtable@0x60

    .line 16
    .end local v0           #mServiceIntent:Landroid/content/Intent;
    :cond_1d
    return-void
For those of you who don't speak smali, the real juicy bit of that appears as the following, when run through dex2jar:

Code:
if (SystemProperties.get("ro.build.target_operator", "").equalsIgnoreCase("VZW"))
{
  Intent localIntent = new Intent();
  localIntent.setAction("com.lge.action.ROOTINGCHECKER");
  paramContext.startService(localIntent);
}
Yes, it really is just checking an item in build.prop to see whether it should run or not. That's an alternate way to stop rctd, but not one that I like. It is safe to remove the entirety of BootCompletedReceiver.smali, and for anyone working on modifications in the future, I would do so.

As you can see, an intent is thrown, and caught by rctd, which does its thing. It (rctd's main function) seems to run once per boot, but I cannot guarantee that.

Other Framework/System Finds

com.lge.mdm contains one item of interest. The rest of the framework, and /system/app, is largely clean. LGMDMGeneralController is the file of interest, and for the sake of readability in this post, I've run it through dex2jar. Here it is: Pastie. This class contains a lot more than just RCT-related items, many potentially worth investigating.

Other things of note:

  • Viewing strings of other binaries, including those pertaining to FOTA, indicate the presence of "rooting history tables". Where these are, I don't know, and it could be as simple as what's already outlined here. Do proceed with caution, particularly around updates, as the updater system is rife with checks and logging for modifications.
  • There's an "ATS Agent" of some type hanging out in the framework. Its purpose is to take logs, and it may be responsible for the asteroid-namesake files. It is not present on the international model, thus can be assumed to be specific to VZW. Proceed with caution. I am automatically suspicious of these "diagnostic" tools after CIQ.
  • There's a GUI for RCT's output. See below.
Finally, I found some dialer codes. :D There's fun to be had here - proceed with caution, but enjoy Verizon/LG's hidden menu, and see what's to be seen in the Rooting Check entry (RootingCheck class inside the hidden menu apps/JARs).


A Message for Verizon and LG

Teehee, you guys are funny. :rolleyes: This wasn't hard, no more than Samsung's silly attempt to block package installation back on the Galaxy Indulge 4G (on MetroPCS). Go ahead and keep trying to prevent your users from controlling their devices... it's a losing battle.

Oh, and suck me. (And Dan.)

I'll take one more just in case.

--

P-O-S-T :: R-E-S-E-R-V-E-D



Original artwork by Pendulum via Gasolin3.

...for future use.

Follow me on Twitter @k0nane and @publik0!
Join the OUDHS and I on IRC at irc.freenode.net #oudhitsquad, or via the webchat link in my signature.
So... I'm inept and can't follow instructions. I've installed the latest drivers for the LG Lucid 2 (for some reason it doesn't show up in my Device Manager when in charge mode) and USB debugging is enabled. When I run the bat file (in charge mode, I'm assuming) all it does is: 'Daemon not running. Starting it now. Daemon Started Successfully'

Thanks for the root guys, it's much appreciated, hopefully I can get it working today.
So... I'm inept and can't follow instructions. I've installed the latest drivers for the LG Lucid 2 (for some reason it doesn't show up in my Device Manager when in charge mode) and USB debugging is enabled. When I run the bat file (in charge mode, I'm assuming) all it does is: 'Daemon not running. Starting it now. Daemon Started Successfully'

Thanks for the root guys, it's much appreciated, hopefully I can get it working today.

I have the same issue as you, I'm wondering if Windows 8 is the issue?
Also I tried the one SICFreak posted a little while ago before this one but it obviously didn't work. Can something from that be affecting this? Did I somehow trigger the RCT already?
@Nikguy, I'm going to try rooting it on my brother's laptop... I'm running Windows 8 as well, so I guess that may be an issue... I'll report back asap

*EDIT* : So it worked on Windows 7... I'm not sure if this method will work on Windows 8, but what I did was install the drivers, then after the drivers were done installing I ran the bat file as admin while the phone was on the USB PC connection selection screen (in other words, I didn't select anything on that screen, I just left it there). It worked instantly.
So... I'm inept and can't follow instructions. I've installed the latest drivers for the LG Lucid 2 (for some reason it doesn't show up in my Device Manager when in charge mode) and USB debugging is enabled. When I run the bat file (in charge mode, I'm assuming) all it does is: 'Daemon not running. Starting it now. Daemon Started Successfully'

Thanks for the root guys, it's much appreciated, hopefully I can get it working today.

Put it into media sync (mtp) mode, and you'll have it.
Nikguy, the latest drivers are available on the LG support site. Look for the 870 on MetroPCS.

Strange, that is what I did, but it also went on ahead and auto-installed drivers of some sort right after I plugged it in. Do you think my issue is a driver problem? I might be able to install the driver on a new computer, then turn off the internet connection and try again to prevent the auto-downloading of the drivers when I plug my phone into that one..?