[ROOT][OUDHS] Spirited Away: RCT Nerfer Edition :: 5/7/13 :: FULL TECHNICAL NOTES INSIDE

  1. k0nane

    k0nane Well-Known Member Developer

    k0nane and the Official Unloved Devices Hit Squad present...
    Spirited Away: RCT Nerfer Edition
    With thanks to Dan Rosenberg and the original Spirited Away he created!

    Root! Root, root root, root.

    Verizon doesn't want you to have it. The OUDHS does! At the behest of everyone's favorite giant, oligopolist, anti-consumer, borderline-evil carrier, LG stuck what they call the Root Checker Tool (RCT) into the guts of the Lucid 2. Not yet seen on other LG models, the RCT checks for - and perhaps prevents the execution of - certain root tools. It also leaves logs of the presence or running of said tools. See the second post for more details.

    This package cuts off RCT's head and gives you - not your carrier or the OEM - a bit more control over your phone. This does not unlock the bootloader, unfortunately. It's just root.

    Code (Text):
    #include <external/cyanogenmod/std_disclaimer.h>
    /*
     * I am not responsible for bricked devices, dead SD cards,
     * thermonuclear war, or you getting fired because the alarm app failed. Please
     * do some research if you have any concerns about features included in this ROM
     * before flashing it! YOU are choosing to make these modifications, and if
     * you point the finger at me for messing up your device, I will laugh at you.
     */

    1. Download the package.
    2. Extract the contents of the zip.
    3. Ensure you have installed the drivers for your phone.
    4. Connect it to USB, wait for it to be detected.
    5. Double-click run.bat, follow on-screen instructions. Mac and Linux users, open the file and follow along, it's just a set of ADB commands.
    6. Let it finish, continuing to follow instructions.

    That's it! Your device will autoreboot. You will be rooted.


    Q: What does this install?
    A: Your device will have Superuser (ChainsDD's variant, the original), the su binary, and BusyBox 1.20.2 on it.

    Q: Can I use this on a device that isn't the Verizon-model LG Lucid 2?
    A: That's a bad idea. Don't do that. Don't whine to us if you break stuff by doing so.

    Q: Will this survive OTAs?
    A: Probably not, and it's almost guaranteed that RCT will come back with a vengeance! Be very careful with updates!

    Q: I've tried to root already, can LG/Verizon tell?
    A: Unless you reset what's already been written, they sure can. See the next post.



    • Shabbypenguin: making me aware of the issues on this device, initial testing, general awesomesauce
    • SICFreak: remote access to two devices, time, taking the risk, patience
    • Dan Rosenberg (@djrbliss): Spirited Away exploit, reverse engineering of rctd post-root
    • The OUD Hit Squad: for being made of either unstable isotopes of uranium, or pure greatness, one of the two
    • LG and Verizon: just kidding, f*ck you both :D


    This is not, and will never be donationware. However, bandwidth and time isn't free. :) Your generosity - if you feel like showing it - is highly appreciated! Thank you!

    Donate to Dan Rosenberg:

  2. k0nane

    k0nane Well-Known Member Developer

    Technical Details

    Just what do we know about RCT? RCT, the Root Checker Tool, has one primary purpose: to make persistent note of any presence of rooting-related tools, the running of su, or the remounting of the system partition as read-write. The main "meat" of the tool - if not all of it - is in /system/bin/rctd. Mr. Rosenberg was kind enough to decompile and analyze the tool, and state that it checks for the following files:

    • /system/[bin,sbin,xbin]/su
    • /sbin/su
    • /data/local/tmp/su
    • /system/app/[s,S]uper[u,U]ser.apk,
    • /data/data/com.noshufou.android.su
    • /data/local/tmp/[s,S]uper[u,U]ser.apk
    • /system/[bin,xbin]/busybox
    • /data/local/tmp/busybox
    The tool writes a hexadecimal number to /persist/rct and /data/system/lgmdm_root_flags.txt (these files are identical in contents) that represents the "root status". Mr. Rosenberg confirms that "[the] number is an encoded representation of whether su, Superuser, busybox, etc. are installed". The tool writes a human-readable representation of what it's found to /persist/rct.cfg. An example from a rooted system (if used on a previously-virgin system, this package will prevent this from being written):

    Code (Text):
    Rooted

     Not allowed command had been executed.
      > su
     Mount option had been changed.
      > /system
     Rooting related file had been installed.
      > su
      > superuser
      > busybox

    [LG RCT v1.0.1220]
    A "clean" system will display "not rooted" and nothing else except the bottom line.

    RCT also writes copies of ls -l /, portions of /dev/log/main and /dev/log/system, ls -l /system/app, ls -l /persist/LostFound, df -h, and basic system information (see below) to files named after asteroids and stored in /persist/LostFound.

    Code (Text):
    VS870 4G
    Model name : L1v
    Manufacture : LGE
    OS Version : 4.1.2
    Secure : 1
    Operator : Verizon Wireless
    Country : US
    Product version : M8960A-AAAANAZM-3.0.0743
    Build date : Wed Mar  6 21:51:54 KST 2013
    RCT may have other functions. rctd only does what's described above - it's a logger and nothing more, according to Mr. Rosenberg. There may be other portions of the system, but I have not found them.

    I do have "clean" copies of the entire /persist and lgmdm_root_flags.txt, but due to the sensitive nature of some of the logs, and to protect the privacy of my tester, I prefer not to publicly distribute them. If anyone needs them, please contact me here, on XDA, Twitter, or chat.freenode.net #oudhitsquad.

    How RCT Starts/Is Triggered

    rctd, the main daemon that makes up RCT, is started as a system service in init.l1v.rc. I seem to have misplaced my copy of this file/the kernel, but it's a very standard service start. As the bootloader is currently locked, there's not much that can be done about this.

    Inside com.lge.systemservice.core, BootCompletedReceiver waits for the BOOT_COMPLETED signal to be thrown, then executes the following:

    Code (Text):
    const-string v1, "ro.build.target_operator"
    const-string v2, ""
    invoke-static {v1, v2}, Landroid/os/SystemProperties;->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
    move-result-object v1
    const-string v2, "VZW"
    invoke-virtual-quick {v1, v2}, vtable@0x18
    move-result v1
    if-eqz v1, :cond_1d
    .line 12
    new-instance v0, Landroid/content/Intent;
    invoke-direct {v0}, Landroid/content/Intent;-><init>()V
    .line 13
    .local v0, mServiceIntent:Landroid/content/Intent;
    const-string v1, "com.lge.action.ROOTINGCHECKER"
    invoke-virtual-quick {v0, v1}, vtable@0x6c
    .line 14
    invoke-virtual-quick {p1, v0}, vtable@0x60
    .line 16
    .end local v0           #mServiceIntent:Landroid/content/Intent;
    :cond_1d
    return-void
    For those of you who don't speak smali, the real juicy bit of that appears as the following, when run through dex2jar:

    Code (Text):
    if (SystemProperties.get("ro.build.target_operator", "").equalsIgnoreCase("VZW"))
    {
      Intent localIntent = new Intent();
      localIntent.setAction("com.lge.action.ROOTINGCHECKER");
      paramContext.startService(localIntent);
    }
    Yes, it really is just checking an item in build.prop to see whether it should run or not. That's an alternate way to stop rctd, but not one that I like. It is safe to remove the entirety of BootCompletedReceiver.smali, and for anyone working on modifications in the future, I would do so.

    As you can see, an intent is thrown, and caught by rctd, which does its thing. It (rctd's main function) seems to run once per boot, but I cannot guarantee that.

    Other Framework/System Finds

    com.lge.mdm contains one item of interest. The rest of the framework, and /system/app, is largely clean. LGMDMGeneralController is the file of interest, and for the sake of readability in this post, I've run it through dex2jar. Here it is: Pastie This class contains a lot more than just RCT-related items, many potentially worth investigating.

    Other things of note:

    • Viewing strings of other binaries, including those pertaining to FOTA, indicate the presence of "rooting history tables". Where these are, I don't know, and it could be as simple as what's already outlined here. Do proceed with caution, particularly around updates, as the updater system is rife with checks and logging for modifications.
    • There's an "ATS Agent" of some type hanging out in the framework. Its purpose is to take logs, and it may be responsible for the asteroid-namesake files. It is not present on the international model, thus can be assumed to be specific to VZW. Proceed with caution. I am automatically suspicious of these "diagnostic" tools after CIQ.
    • There's a GUI for RCT's output. See below.
    Finally, I found some dialer codes. :D There's fun to be had here - proceed with caution, but enjoy Verizon/LG's hidden menu, and see what's to be seen in the Rooting Check entry (RootingCheck class inside the hidden menu apps/JARs).

    A Message for Verizon and LG

    Teehee, you guys are funny. :rolleyes: This wasn't hard, no more than Samsung's silly attempt to block package installation back on the Galaxy Indulge 4G (on MetroPCS). Go ahead and keep trying to prevent your users from controlling their devices... it's a losing battle.

    Oh, and suck me. (And Dan.)

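For anyone auditing a device's RCT state, here is an added example (not OUDHS, LG, or Mr. Rosenberg's code) that parses the /persist/rct.cfg layout shown in the post into a structured record and expands the post's [a,b] path notation into the concrete files RCT looks for; the sample text is constructed from the rooted-device example above, and the "Not rooted" status string is taken from the post's description of a clean system.

```python
import re
from itertools import product
VERSION_RE = re.compile(r"^\[LG RCT v([\d.]+)\]$")

# Constructed from the thread's example of /persist/rct.cfg on a rooted device.
SAMPLE_ROOTED = """Rooted

 Not allowed command had been executed.
  > su
 Mount option had been changed.
  > /system
 Rooting related file had been installed.
  > su
  > superuser
  > busybox

[LG RCT v1.0.1220]
"""

def parse_rct_cfg(text):
    """Return {'status', 'findings': {reason: [items]}, 'version'} from rct.cfg text."""
    result = {"status": None, "findings": {}, "version": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            result["version"] = m.group(1)        # trailing "[LG RCT vX.Y.Z]" line
        elif result["status"] is None:
            result["status"] = line                # first line: "Rooted" / "Not rooted"
        elif line.startswith(">"):
            if current is None:
                raise ValueError("item before any reason line: %r" % raw)
            result["findings"][current].append(line[1:].strip())
        else:
            current = line.rstrip(".")             # reason lines end with a period
            result["findings"].setdefault(current, [])
    return result

def is_flagged(parsed):
    """True when RCT recorded a rooted status or any finding at all."""
    return parsed["status"] != "Not rooted" or bool(parsed["findings"])

def expand_pattern(pattern):
    """Expand the post's [a,b] notation into the concrete paths RCT checks."""
    parts = re.split(r"\[([^\]]+)\]", pattern)     # literal, alternatives, literal, ...
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return ["".join(combo) for combo in product(*choices)]
```

Pulling the real file with adb and feeding it to parse_rct_cfg tells you what the tool has already recorded before you touch anything.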
  3. k0nane

    k0nane Well-Known Member Developer

    I'll take one more just in case.


    P-O-S-T :: R-E-S-E-R-V-E-D


    Original artwork by Pendulum via Gasolin3.

    ...for future use.

    Follow me on Twitter @k0nane and @publik0!
    Join the OUDHS and I on IRC at irc.freenode.net #oudhitsquad, or via the webchat link in my signature.
  4. to3kn33

    to3kn33 Member

    Oh thank you...thank you..thank you..I have waited for this. Also, this by far has been the easiest root I have ever done. I will definitely be donating. You guys are awesome
  5. perry475

    perry475 Member

    So... I'm inept and can't follow instructions. I've installed the latest drivers for the LG Lucid 2 (for some reason it doesn't show up in my device manager when in charge mode) and USB debugging is enabled. When I run the bat file (in charge mode, I'm assuming) all it does is: 'Daemon not running. Starting it now. Daemon Started Successfully'

    Thanks for the root guys, it's much appreciated, hopefully I can get it working today.
  6. Nikguy

    Nikguy Well-Known Member

    I have the same issue as you, I'm wondering if Windows 8 is the issue?
    Also I tried the one SicFreak posted a little while ago before this one but it obviously didn't work. Can something from that be affecting this? Did I somehow trigger the RCT already?
  7. perry475

    perry475 Member

    @Nikguy, I'm going to try rooting it on my brother's laptop... I'm running Windows 8 as well, so I guess that may be an issue... I'll report back asap

    *EDIT* : So it worked on Windows 7... I'm not sure if this method will work on Windows 8, but what I did was install the drivers, then after the drivers were done installing I ran the bat file as admin while the phone was on the USB PC connection selection screen (In other words, I didn't select anything on that screen, I just left it there). It worked instantly
  8. to3kn33

    to3kn33 Member

    when the phone is plugged up to usb and comp change the charge settings to: Internet connection...then ethernet. That is how I got mine to show up
  9. Nikguy

    Nikguy Well-Known Member

    Edit- Deleted long log
  10. SicFreak

    SicFreak The Message is SIC!

    Put it into media sync (mtp) mode, and you'll have it.
  11. SicFreak

    SicFreak The Message is SIC!

    Nikguy, the latest drivers are available on the LG support site. Look for the 870 on MetroPCS
  12. Nikguy

    Nikguy Well-Known Member

    Strange, that is what I did, but it also went on ahead and auto installed drivers of some sort right after I plugged it in. Do you think my issue is a driver problem? I might be able to install the driver on a new computer then turn off the internet connection and try again to prevent the auto-downloading of the drivers when I plug my phone into that one..?
  13. to3kn33

    to3kn33 Member

    You know mine said the same thing that yours did. I have root access and super user, but no busybox.
  14. Nikguy

    Nikguy Well-Known Member

    Well I have Superuser but no root or BusyBox. IDK why I'm getting "file exists" and read only errors. I'm pretty sure the drivers are correct
  15. k0nane

    k0nane Well-Known Member Developer

    Please remove the incredibly long log you pasted above. I suspect both you and to3kn33 attempted to root before this package, correct?
  16. Nikguy

    Nikguy Well-Known Member

    Yes I did. I could attempt a factory reset if you think it would be needed.
  17. k0nane

    k0nane Well-Known Member Developer

    The easiest thing to do would certainly be to flash the KDZ in this forum.
  18. Nikguy

    Nikguy Well-Known Member

    Ok, that makes sense, thank you for the help!
  19. Thessarion

    Thessarion New Member

    This worked perfectly! Thanks!
  20. to3kn33

    to3kn33 Member

  21. k0nane

    k0nane Well-Known Member Developer

  22. Nikguy

    Nikguy Well-Known Member

    worked great thanks!
  23. k0nane

    k0nane Well-Known Member Developer

    Good, thanks for your support.

    Mod, thanks for the sticky.
  24. sammyz

    sammyz LG Whiz Kid Guide

    That was me :p
  25. k0nane

    k0nane Well-Known Member Developer
