How secure are Chinese Android phones
- Apr 25
China and the bootloader lock
At first glance, what could be complicated about a bootloader? It is either locked or it is not. But it is not that simple.
With Android bootloaders there is real variety. Outside the first-, second- and third-tier manufacturers there are devices whose bootloader is fully unlocked: come on in, dear guest! There are devices whose bootloader can be unlocked officially, at your own risk, with a mandatory wipe of all data. On such devices, unlocking the bootloader often voids the manufacturer's warranty (as on some Sony and Motorola models), but there are also options without that (the Google Nexus and OnePlus lines, some Motorola models).
There are devices whose bootloader is nominally locked but which, for whatever reason, happily boot an unsigned kernel with `fastboot boot boot.img` without any loss. Many ASUS smartphones and tablets fall into this group (is ASUS a second- or third-tier manufacturer, by the way?).
What never happens with Google-certified manufacturers is a device that calmly lets you unlock the bootloader without a mandatory data wipe. Unlocking the bootloader is always an exceptional situation, resorted to by developers and advanced users who want root access and who understand (or should understand) the risks involved.
But for the vast majority of Chinese manufacturers an unlocked bootloader is simply business. In China, Google services are officially banned, and manufacturers do not install them on devices intended for the domestic market. That does not stop resourceful middlemen from selling those phones on international trading sites. But who in their right mind would buy a phone without the Google store and its related services? This is where the seller installs a "basement" firmware: Chinese craftsmen take modified firmware from unknown sources with Google services built in. There are no good Samaritans among "unknown sources", though, and the craftsmen recoup their time by stuffing the firmware with all kinds of junk. The English-language literature calls this Potentially Unwanted Programs; we will limit ourselves to the standard term "malware".
These programs are not malware in the classical sense: they cannot infect another device. Most likely they will not start deleting or encrypting your files either. But waiting a week or two after you set up the phone, then downloading and installing into the system partition (to be sure!) several applications that show you the most blatant advertising at the most unexpected moments: that they will do with pleasure.
So, to install third-party firmware on the phone, in most cases fastboot commands are used, either directly (`fastboot flash system`) or to flash the recovery partition (`fastboot flash recovery`), after which the remaining steps are done from a friendlier interface.
There is essentially one problem here: for all of this to work, the bootloader's digital signature check has to be disabled. In other words, the bootloader must be unlocked. With Chinese devices, everything is much easier. Most ship with bootloaders open to any manipulation; a minority let you unlock the bootloader with a single command. A truly exceptional minority either do not allow unlocking at all (as on newer Meizu devices) or, like Xiaomi, require (at least in theory) some non-obvious manipulations.
As a result, you as a user receive a smartphone with a deliberately unlocked bootloader and firmware of unclear origin stuffed with Trojans. Or with perfectly standard international-market firmware, but again with an unlocked bootloader.
Xiaomi's special bootloader
On Xiaomi smartphones a third state is added to the two usual bootloader states, "locked" and "unlocked": "not locked". Most devices ship from the factory in this not-locked state. Installing fresh official firmware (via OTA or manually) locks the bootloader immediately, for security reasons. After that, unlocking it (bringing it to the "unlocked" state, which permits installing any firmware) goes through an official request tied to your Mi Account. A commendable intention, but rolling back to an older MIUI version returns the bootloader to the "not locked" state, even without losing data. Apple's developers are probably biting their elbows with envy.
What is bad about an unlocked bootloader
So we have more or less sorted out the possible bootloader states. What is all the fuss about, and why do we focus on the bootloader state? Simple: from a device with an unlocked bootloader, data can be extracted in no time. Yes, Android in general is not a shining example of security, and data from, say, LG smartphones can be extracted too, using specialized software and the service mode. Other manufacturers also often leave available the mode that most mobile chipset makers provide, including Qualcomm, MTK, Spreadtrum and Allwinner. But there the attacker has to work a bit harder, the result is not guaranteed, and if encryption is enabled it is not guaranteed at all.
On Chinese devices your data is served to the attacker on a silver platter. Here is your phone, here is TWRP, plug in an OTG flash drive and copy the information onto it. No qualifications or specialized software required, and there will not even be any traces. The only thing that helps here is enabling encryption of the data partition in the device settings. And not always: for example, a serious vulnerability has been found in Qualcomm Snapdragon chipsets that allows the encryption to be defeated through TrustZone.
What can be stolen
And what, in fact, can be stolen from the phone? Passwords are supposedly not stored there, everyone switched to authentication tokens long ago... or did they? Indeed, passwords are not saved, but with an authentication token it is quite possible to gain access to your accounts, not to mention that all the data saved on the smartphone also ends up in the attacker's hands. Moreover, if you use two-factor authentication and have Google Authenticator or a similar application, the attacker can simply extract those applications and calmly use them on another device: the generated codes work, we checked.
Fingerprint sensors
Another interesting and far from obvious point is how Chinese manufacturers implement user authentication with the fingerprint sensor (a separate detailed article on this topic is coming in the next issue). In a nutshell, biometric authentication in Android went from the "better not at all" stage (fingerprints stored as BMP files accessible to anyone who connected the device to a computer over USB) to today's "it sort of works, but go ahead and try!" (from the news: "police gained access to the data by unlocking the phone with a 3D-printed fingerprint").
At the same time, it is hard to blame Google's developers, the main locomotive of Android: Android 6.0 introduced both an API and a set of requirements, mandatory for all certified Android device manufacturers, for implementing fingerprint checks. So Android 6.0 smartphones from certified manufacturers are simply required to use the "correct" fingerprint authentication mechanism, with secure storage of the fingerprint itself in the device's memory.
All well and good, except that this certification is needed solely so the manufacturer can legally install Google services on its devices. Not Android itself, but the Google Play store, Google Services, Google Maps and the other applications without which a Western user cannot imagine an Android phone. And if Google services (banned in the People's Republic of China) are not installed on the device, there is no need for certification at all.
How many Chinese manufacturers do you think are willing to throw tens of thousands of dollars at a certification they do not need at all? Such a certificate is obtained only for models officially supplied to the Western market, and the cost of the procedure is logically included in the price. Devices bought in Chinese online stores are certainly not certified.
As a result you get a device in which the fingerprint sensor (if any) is bolted on somehow. The fingerprints themselves are stored somehow, and the phone is somehow unlocked when a finger is applied. Google's strict requirements will not be observed (why would a Chinese manufacturer, let alone a custom firmware developer, complicate life and spend money on testing and certification?). Accordingly, unlocking such a device may be even easier than brute-forcing the PIN code.
But it is not only about the fingerprint sensor. Starting with Android 6.0, Google requires manufacturers to enable encryption of the data partition out of the box. (There are subtleties concerning rather weak devices, but those models do not interest us.) Chinese manufacturers ignore this requirement with a clear conscience.
How to hack Android on a Chinese smartphone
If a Chinese device has landed in your hands from which, for purely research purposes of course, you are going to extract data, the algorithm is quite simple.
Step 1
Is the phone on or off? If on, try to unlock it. Succeeded? Check whether encryption is enabled. If not, the data can be pulled from the running system (if there is root access) and from recovery (which may need to be installed). If you work for the police, at this stage I recommend making a backup of the data over ADB. To do so, enable USB debugging in the developer settings, connect the phone to the computer and run the `adb backup` command. The adb utility is part of the Android SDK and lives in path/to/sdk/platform-tools.
You will by no means get all the information this way, but this step is necessary: further actions can modify the data. After that you can safely reboot the phone into recovery mode and move on to the next step. But if encryption of the data partition is enabled (check under Settings -> Security -> Encrypt data), under no circumstances turn the phone off or let it lock. Strike while the iron is hot and take an image of the data partition with any of the many suitable programs.
Step 2
If the phone was off, or you have made sure there is no trace of encryption on it, try booting it into recovery mode. As a rule, it is enough to turn the device off and turn it on again with the volume-up button (Vol+) held down. Greeted by a custom TWRP? Excellent! Insert an OTG flash drive (or an ordinary USB flash drive via an OTG adapter, or simply a clean SD card), mount it with the Mount Storage button, select it as the storage location and make a backup (Nandroid backup) with the Backup command. For your purposes a copy of the data partition is quite enough (it will be saved as an ordinary tar.gz archive).
And what if you are greeted by the manufacturer's stock recovery? There are several options here. If the bootloader is not locked, you can try to flash TWRP with `fastboot flash recovery twrp.img` (twrp.img being the TWRP image built for that particular model).
After that, reboot the phone into recovery mode and make a backup of the data partition. If it is important to preserve the integrity of the data, the recovery can be booted instead of flashed, with `fastboot boot twrp.img`.
The result will be the same.
Step 2, alternative
What if fastboot is unavailable, and a custom recovery neither boots nor flashes? If the device is Chinese, it will most likely use a MediaTek (MTK) chipset. This chipset is very hacker-friendly. You will need the VCOM drivers from MediaTek, the SP Flash Tool utility and MTK Droid Tools. I will not describe working with SP Flash Tool in detail; there is more than enough material on the web (one, two).
This approach may not work with A-brand devices (Sony, LG) that lock the bootloader. A locked bootloader will not accept the universal boot image that SP Flash Tool uses to perform operations on the smartphone.
Spreadtrum chipset
If you have come across a phone based on Spreadtrum (the second most popular and even cheaper Chinese chipset), my condolences. The bootloader situation is similar to MTK, but the devil is in the details: there is no universal boot image like the one in SP Flash Tool. This means you will have to look for a bootloader for the specific model (or modify one available for a similar model).
And if the chipset is from Qualcomm? Try putting the phone into Qualcomm Download Mode (also known as Firmware Recovery Mode 9006, Qualcomm MMC Storage (Diag 9006), Qualcomm HS-USB Diagnostics, or simply 9006, depending on the device). The phone enters this mode if you turn it off, hold the volume-down button (Vol-) and connect it to the computer via USB.
If everything goes well, an unknown device appears in Windows Device Manager, for which you will have to find and install the right driver. After installing the driver, something amazing happens: several nameless partitions appear in the diskmgmt.msc console (Windows). They cannot be mounted: Windows does not understand the file system (usually ext4 or F2FS). So grab HDD Raw Copy Tool or eMMC RAW Tool and take a dump of the data partition! I hope I do not need to explain how to mount a raw image.
The hardest thing you can encounter is an encrypted data partition. In this case you can make a nandroid backup or a dump of the encrypted partition, but it will do you little good. The password can be bypassed, but there is almost no point: the key that encrypts the data partition is itself encrypted with the phone's password. If the bootloader is not locked, the password can be attacked through a memory dump from the device and specialized software (for example, UFED), but this is not that simple. Additional information.
Findings
As you can see, pulling data from a Chinese smartphone is very, very simple. What to do? If we are talking about protection from intelligence and law enforcement agencies, you should definitely not look towards Chinese smartphones. Against a qualified hacker with access to specialized software and hardware, ordinary methods will not save you either; here you should look at BlackBerry's Android smartphones. But protecting your data from a random gopnik or wannabe hacker Vasya Pupkin is quite feasible.
A combination of three factors helps: PIN protection, Smart Lock disabled and encryption enabled. Things like a TWRP password do not help at all: an unlocked bootloader lets the device be booted into any other recovery that ignores your password. On the other hand, if you set a TWRP password and lock the bootloader... most likely you will get a "brick", but an unskilled hacker will certainly not get at the encrypted data.
With PIN protection everything is clear: without it even Apple devices are completely unprotected. Smart Lock is noble sabotage and a gaping security hole: it unlocks the phone based on a match of, frankly, weak factors.
Encryption is a strong argument; bypassing it requires brute-forcing the PIN code, which takes special equipment, knowledge and time. If the bootloader is unlocked, the PIN can be guessed, unless you have something like `Q3#LFAS4E#ka0_Wej`. The password will be brute-forced against a dump, or attacked from a very special recovery that lets the attack run on the device itself, bypassing the security restrictions built into Android.
At the same time, encryption in Android slows the device down and increases CPU load and battery consumption. And the strength of the encryption in firmware that has not passed Google certification raises questions.
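A self-check for the two conditions this article keeps returning to, an unlocked bootloader and an unencrypted data partition, can be done from the properties Android reports over adb. This is an added example, not code from the original article: it assumes the device exposes `ro.boot.flash.locked`, `ro.boot.verifiedbootstate` and `ro.crypto.state` (typical of Qualcomm-based devices on Android 6.0 and later; vendors differ), and the getprop dump it is tried on below is constructed.

```shell
#!/bin/sh
# Rate a phone's data-at-rest exposure from three Android system properties.
# Usage: ./audit.sh --device   (reads `adb shell getprop` from a connected phone)
#        ./audit.sh            (runs against the constructed sample dump below)
# Property names are assumptions; not every vendor firmware reports them.

# prop DUMP NAME: print the value of property NAME from a getprop dump,
# whose lines look like "[ro.crypto.state]: [encrypted]".
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# assess DUMP: print one word: critical, high, low or unknown.
#   critical - userdata not encrypted: any recovery image or eMMC dump reads it
#   high     - encrypted, but the bootloader is unlocked (or verified boot is
#              "orange"), so the PIN can be brute-forced from a dump or from a
#              custom recovery that ignores Android's retry limits
#   low      - encrypted, bootloader locked, verified boot "green"
#   unknown  - the firmware does not report enough to decide
assess() {
    dump=$1
    crypto=$(prop "$dump" ro.crypto.state)
    locked=$(prop "$dump" ro.boot.flash.locked)
    vbstate=$(prop "$dump" ro.boot.verifiedbootstate)
    case $crypto in
        unencrypted) echo critical; return ;;
        encrypted) ;;
        *) echo unknown; return ;;
    esac
    if [ "$locked" = "0" ] || [ "$vbstate" = "orange" ]; then
        echo high
    elif [ "$locked" = "1" ] && [ "$vbstate" = "green" ]; then
        echo low
    else
        echo unknown
    fi
}

# Constructed sample: what a grey-import Chinese phone of the kind described
# above might report (unlocked bootloader, no encryption).
SAMPLE_DUMP='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.crypto.state]: [unencrypted]
[ro.product.model]: [EXAMPLE-MODEL]'

if [ "${1:-}" = "--device" ]; then
    assess "$(adb shell getprop)"
else
    assess "$SAMPLE_DUMP"
fi
```

A "critical" or "high" result is exactly the situation the three-factor advice above addresses: enable encryption, set a PIN, and disable Smart Lock; a locked bootloader is what turns "high" into "low".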
#Security and World #Security #Internet