Seva's notes

Wisdom, Awareness, Responsibility :)

Archive for the ‘software’ Category

Xiomi POCO F1 Locked with Numeric Keyboard (solved)

leave a comment »

I’ve got my Xiaomi Pocophone F1 Global version in September 2018. The main pros were the price, the feature set, the responsiveness of the development team, the speed of releasing the software updates, and especially the sweet security compliance with my employer’s policies.

Speaking of which, one of the security requirements was that the device must be locked with a complex password. Pattern or PIN was not enough. Nevertheless, I needed to type the password only after reboots, which were very rare, thanks to phone and OS stability.

Yesterday I was excited to find that a new version of MIUI 10.1.3.0 based on Android Pie (9.0) has been launched globally and landed on my phone. I upgraded the phone with no hesitations, as always…

The unpleasant surprise hit me when the installation was complete. My employer’s security team has not yet certified Android Pie, so the phone kept rebooting after logging in. My obvious reaction was to wipe out the data and remove the employer’s software until it’s certified. Ouch, that was a mistake.

After wiping out the data, the device was left locked to the existing Google account. And the Google account was locked with the phone protection password. Wiping the data did not annihilate that relation. So when proceeded with the fresh MIUI setup of the phone, it asked to confirm the phone protection password. I had the password memorized password perfectly, but there was a roadblock: the text field to type the password was numeric. Meaning, it allowed only to tap numbers. And here my saga began.

My 1st approach was to find an open a text field, type my password there and then paste it to the protection password field. I found my way via the WiFi setup wizard, where I hit “show password” button and could type and copy the unlock password. However that didn’t help, since the numeric field was not only disallowing typing non-numeric characters but also filtering them out on pasting.

The 2nd approach was to follow the conventional phone unlock process with MiFlash Unlock utility. However, that required linking the device to http://i.mi.com account retroactively in Developer Options, which I could not complete since device Settings were not accessible. For the same reason, full firmware reinstall would not work – it required changing “OEM Unlocking” flag in Developer Options.

The 3rd approach was the less straightforward “FRP bypass” method. In few words, the method is to exploit a variety of sideways in the setup process to access external sites and install specific APKs that help triggering system APIs to run system calls directly. I managed to reach Youtube, Google and even download a few different apps with that method, but none of them really helped.

Finally, after a few more random frictions, I found my way through. In very brief, I reached out from WiFi setup to Phone Calling app to Contacts to GMail to Exchange account setup to Certificate storage, that allowed me to change the device password-locking properties without entering the password. Posted my step-by-step guide here: https://en.miui.com/forum.php?mod=redirect&goto=findpost&ptid=4719331&pid=33303093

After resetting the password protection to Pattern, I went back and successfully finalized the MIUI setup process.

Written by Seva

2018-12-16 (December 16) at 12:14:30

Posted in hardware, mobile, past, software

Android adware removal story

leave a comment »

Yesterday started getting random spam ads on my OnePlus 2​:

  • overlay ads of certain popular junk games,
  • fake desktop icons linking to Google Play Store of same games,
  • fake missed calls linking to there.

It was virtually impossible to figure out the responsible processes without additional tools, mainly due to the hiding tactics of the adware.

To start I tried few most popular adware removers from the store, but they either didn’t detect anything, or crashed during the scan (maybe the adware killed them while they were running).

The first success was brought by Addons Detector (with all advanced detectors enabled). After another fake icon appearance it traced it to com.google.googlesearch (“Search”) which comes with AirPush component.

airpushdetector

Then I googled and found the package at AVG Threat Labs Android App Reports and used AVG to find one more malware process com.android.main.view (“Processor”) which was reported to have AirPlus in it.

The processes were installed as system apps. So the easiest way out was to use Titanium Backup Root Pro I already had installed (my phone is rooted).

After that I tried to dig further to understand how these processes appeared on my phone in the first place. I didn’t install any new apps recently, neither run any updates on root enabled apps. So the adware probably was here, but didn’t expose itself for few months.

I’m very conservative to give root access to software without trust research, but don’t rule out the chance that the junk could be injected with one of the few Aptoide originated apps I experimented with few months ago.

However, since AVG also identified 2 preinstalled bloatware apps to come with other dirty ad frameworks, my current hypothesis is that AirPush crap was on the phone from the very beginning, patiently waiting for its time to activate.

Written by Seva

2015-12-09 (December 9) at 05:33:07

Simple No-Framework Object Oriented Multi-Layer MVC Application Example

with one comment

Recently I’ve created the subj. It’s a memory game, written in pure PHP/HTML, called “PHP Memory”.

What was important for me to demonstrate is the next principles:

  1. Even if you don’t use a framework, you should write modular code with appropriate architecture.
  2. Despite that, the application design and code should match its required functionality with no overhead of unneeded patterns and abstraction or preparations for future enhancements, unless they’re planned.
  3. Nevertheless, the code should be readable and maintainable.
  4. The bottom line is – developing a framework versus developing an application are completely different tasks. The strategy and tactics should vary very much. Of course, developers should learn from the frameworks source code, since they accumulate collective experience of great coders, but the ideas implemented in frameworks sometimes not required or even harmful while developing an application.
The demo and source code can be found here.

Written by Seva

2011-08-30 (August 30) at 01:59:26

cURL HTTP1.1 empty POST bug

with 2 comments

Today we spent almost 2 hours on a weird discrepancy between our development and staging environments. It’s pretty rare, that I experience such low level issue, thus in my opinion it’s worth mentioning here.

Last weeks we were busy developing integration to a new data vendor. Everything went well until we deployed the application to stage.
Suddenly we started receiving HTTP status 411 on one of the calls. Since we work with cURL library, which we believed is stable enough, we thought the problem is somewhere between the source code and environment configuration.

Later we found that the same request gets accepted if sent from a client other than cURL (e.g. chrome-poster). The unique about this request is that it’s sent with POST method (the vendor’s strict requirement) but the content body is empty.

In the end we discovered that newer version (since 7.20) of cURL interprets missing body as a negotiation request – sends Expect: 100-continue header and Content-Length: -1.

So, the immediate solution was to send empty content body (zero-length string) to cURL, which aligned the behavior in all the environments.

On the way we discovered a useful option CURLINFO_HEADER_OUT, which enables a possibility to further retrieve the headers sent by cURL to the remote host. From now we use it in our error handling mechanism to trace the sent headers as well.

What can we conclude from this story?

  1. Try to synchronize the software of all of your environments. If possible, use exactly the same version OS version, libraries, tools, etc. It’s very easy if you host your applications on VPS and use VMs for development and staging servers. The least convenient case is when you have OSs of different architecture and (e.g. Windows for development and Linux for production).
  2. Don’t underestimate importance of error handling. Find the optimal level of handling for your application, which will be easily extended and configured.
Hope my sincere advices will help you, my dear friend, to save your precious time.

Written by Seva

2011-08-03 (August 3) at 12:47:35

Phing plugin for Eclipse PDT

with 6 comments

I love Ant integration into Eclipse JDT – it provides smart editor, handy auto-completion, and the most important – fully functional debugger.

Recently I have been laboring on porting a deployment system from shell scripts to Phing, a loose PHP port of Ant. And naturally, I miss the above. I still get a little aid from Eclipse – since Phing’s syntax is very close to Ant’s, I can at use Ant editor for Phing files to enjoy property navigation and target integrity validation.

I would be more than happy to announce that I’m going to fill the gap and implement Phing plugin for Eclipse PDT, but unfortunately – I’m too busy and too lazy. On the other hand, if you, my dear friend, will suddenly decide to accept this challenge, I can gladly invest my time in architecture, design, review & testing free of charge. 🙂 Or should I anyway try to start it myself?

Written by Seva

2010-04-15 (April 15) at 12:31:09

Heart-Touching Quotation

leave a comment »

…When I was going to school we were always taught, “In the olden days of computing, computers were expensive and programmers were cheap. Now it’s the reverse. Therefore…” We are back to the future. At internet scale, programmers are (sometimes) cheap compared to the cost of electricity.

Kent Beck

Written by Seva

2010-04-15 (April 15) at 12:06:29

Competing design attributes: performance vs. maintainability

leave a comment »

Q. Is performance more important than other attributes like ease of use, maintainability etc? When designing your new code, what level of importance would you give to the following attributes?

A. You should not compromise on architectural principles for just performance. You should make effort to write architecturally sound programs as opposed to writing only fast programs. If your architecture is sound enough then it would allow your program not only to scale better but also allows it to be optimized for performance if it is not fast enough. If you write applications with poor architecture but performs well for the current requirements, what will happen if the requirements grow and your architecture is not flexible enough to extend and creates a maintenance nightmare where fixing a code in one area would break your code in another area. This will cause your application to be re-written. So you should think about extendability (i.e. ability to evolve with additional requirements), maintainability, ease of use, performance and scalability (i.e. ability to run in multiple servers or machines) during the design phase. List all possible design alternatives and pick the one which is conducive to sound design architecturally (i.e. scalable, easy to use, maintain and extend) and will allow it to be optimized later if not fast enough. You can build a vertical slice first to validate the above mentioned design attributes.

(c) Whoever

Written by Seva

2010-03-16 (March 16) at 12:51:42

Posted in development, integration, software, thought

Tagged with