TWRP Recovery for UHANS S1

Team Win Recovery Project (TWRP) build for the UHANS S1

This project publicly releases a build of the TWRP open-source recovery that is suitable for and functional on the UHANS S1, together with the source used to build the recovery image. With a custom recovery installed, users gain greater control of their handsets: among other things, they can modify the official Freeme OS build running on the device and obtain root privileges.

Importance

To our knowledge there is no safe and functional way of rooting the S1 that does not involve installing a custom recovery image. This TWRP recovery is therefore essential for users affected by the malicious system application present on some S1 units who wish to remove it from their devices.

Malware

Many UHANS handsets shipped with Freeme OS v2.39+ came with a Trojan preinstalled, disguised as the official YouTube application. The fake YouTube app was functional, detached from the Play Store, and held high-level device permissions: it was installed as a priv-app and ultimately had access to information about the user's Google account. Google Play has flagged the application as malicious since March 2018, warning users unaware of the fake video player. The YouTube APK can be disabled via the Settings app, the Play Store prompt or third-party tools; however, it re-enables itself after a reboot, and it can only be removed with root privileges. European sales of the device were terminated after the malicious intent was discovered. The company went out of business in 2019, which allowed the release of certain previously confidential device sources, excluding the kernel sources. Other releases, such as the stock ramdisk, can be found on my profile.
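As an added example (not code from this project or its author), the following Python script shows the triage that singles out an app like the fake YouTube priv-app: it parses the package list as `adb shell pm list packages -f` prints it, compares the signing-certificate digest of each allowlisted package (as `apksigner verify --print-certs` reports it) against the certificate it is expected to be signed with, and emits the removal commands to run from TWRP's shell with /system mounted read-write. The sample package list, the per-APK digests and the allowlist are constructed placeholders; real digests must be taken from a known-clean device or the vendor's published signing certificates. The script also goes slightly beyond the page in flagging a mismatched signer in any location, not only under /system/priv-app.

```python
"""Triage of installed apps that claim a Google package name but are not signed
with the expected certificate, with a removal plan for TWRP's shell."""
import os
from typing import Dict, List, NamedTuple, Optional


class InstalledApk(NamedTuple):
    path: str      # APK path on the device, e.g. /system/priv-app/YouTube/YouTube.apk
    package: str   # Android package name, e.g. com.google.android.youtube


class Finding(NamedTuple):
    apk: InstalledApk
    expected_digest: str
    actual_digest: Optional[str]   # None when the APK's certificate could not be read


# Constructed sample of `pm list packages -f` output; paths and names are
# illustrative, not taken from an actual S1 dump.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/YouTube/YouTube.apk=com.google.android.youtube
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/org.example.game-1/base.apk=org.example.game
"""

# Constructed sample of per-APK signer digests (SHA-256 of the signing
# certificate, as apksigner prints it). The hex strings are placeholders.
SAMPLE_CERT_DIGESTS: Dict[str, str] = {
    "/system/priv-app/YouTube/YouTube.apk": "11" * 32,   # not the expected certificate
    "/system/priv-app/Settings/Settings.apk": "22" * 32,
    "/system/priv-app/GmsCore/GmsCore.apk": "aa" * 32,   # matches the allowlist
    "/system/app/Calculator/Calculator.apk": "22" * 32,
    "/data/app/org.example.game-1/base.apk": "33" * 32,
}

# Assumed allowlist: package name -> SHA-256 digest of the certificate that
# package must be signed with. Placeholder values.
EXPECTED_SIGNERS: Dict[str, str] = {
    "com.google.android.youtube": "aa" * 32,
    "com.google.android.gms": "aa" * 32,
}

PRIV_APP_DIR = "/system/priv-app"


def parse_pm_list(text: str) -> List[InstalledApk]:
    """Parse `pm list packages -f` lines of the form `package:<path>=<name>`.
    Split on the last '=' because an APK path may contain '=' while a package
    name cannot."""
    apks = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, package = line[len("package:"):].rpartition("=")
        if not sep or not path or not package:
            raise ValueError(f"unparseable pm line: {line!r}")
        apks.append(InstalledApk(path, package))
    return apks


def is_privileged(apk: InstalledApk) -> bool:
    """Apps under /system/priv-app can hold signature|privileged permissions,
    which is what made the fake YouTube app dangerous."""
    return apk.path.startswith(PRIV_APP_DIR + "/")


def find_impostors(apks: List[InstalledApk], digests: Dict[str, str],
                   expected: Dict[str, str]) -> List[Finding]:
    """Report every allowlisted package whose signer digest is missing or differs
    from the expected one. A missing digest is reported, not silently passed."""
    findings = []
    for apk in apks:
        if apk.package not in expected:
            continue
        actual = digests.get(apk.path)
        if actual is None or actual.lower() != expected[apk.package].lower():
            findings.append(Finding(apk, expected[apk.package], actual))
    return findings


def removal_plan(findings: List[Finding]) -> List[str]:
    """Commands to run per finding. System apps are deleted from the mounted
    /system tree in TWRP's shell (a priv-app normally lives in its own
    directory, which is removed whole; a bare APK is removed on its own).
    User-installed apps are uninstalled from a booted system instead."""
    cmds = []
    for f in findings:
        if not f.apk.path.startswith("/system/"):
            cmds.append(f"pm uninstall {f.apk.package}")
            continue
        parent = os.path.dirname(f.apk.path)
        in_app_root = parent in (PRIV_APP_DIR, "/system/app")
        cmds.append(f"rm -rf {f.apk.path if in_app_root else parent}")
    return cmds


if __name__ == "__main__":
    found = find_impostors(parse_pm_list(SAMPLE_PM_OUTPUT),
                           SAMPLE_CERT_DIGESTS, EXPECTED_SIGNERS)
    for f in found:
        print(f"{f.apk.package} at {f.apk.path}: signer {f.actual_digest} != {f.expected_digest}")
    print("\n".join(removal_plan(found)))
```

Deleting the directory is the step that needs the custom recovery: because the app re-enables itself after a reboot, disabling it from Settings only hides it, and /system is read-only on a stock device.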

Background & role

I undertook an internship in the summer of 2016 as a Java Software Developer at the European Department of the Chinese smartphone company Uhans. In this role, my job was to work on the implementation and testing of regionally popular AOSP UI features in Freeme OS for the Uhans U200, U200S and S1 models, resulting in a sales boost of 16% in the target region.

On an upcoming firmware of the newly released S1 device, I discovered and reported to the regional supervisor a Trojan Agent disguised as the official YouTube apk. The YouTube app became suspicious to me due to running with elevated privileges as a system priv-app. Having discovered its non-matching signature, after further investigation I could confirm it to have access to personal information as well as credentials related to the user's Google account and to be communicating with a remote C&C server.

This discovery of mine eventually resulted in the termination of sales in the EEA and the recalling of all S1 models in Europe. The origin of the malware and whether firmware builds targeting other regions would also be affected were not confirmed.

Considering that there was no information available on non-EEA sales, following the termination of my legal agreements with Uhans, I released a TWRP recovery alternative for the device allowing existing users to gain greater control of their devices and remove malicious system application(s), receiving kudos from over half a dozen device owners from outside the EEA.

Technical specifications & features

The project is built on the official Team Win Recovery Project v3.0.2-1 and supports the following main features:

• mount /system partition
• mount /data partition
• NANDroid backup & restore
• mount external and OTG storage
• ADB sideload

There are no known limitations or bugs in the current live version.

Used technologies

Shell, C, CMake

References

• Check out the project on GitHub: https://github.com/almasen/twrp_android_device_uhans_s1
• To download the latest signed version, check out the releases.
• You can find detailed flashing instructions in the project readme.
• This project is actively supported by me; for any questions or problems, feel free to create an issue.