# Root Detection Bypass Guide ## What We Found The Backdrops app crashes immediately because of root detection in: - **C3/C0446i.java** (lines 377-380) - Firebase Crashlytics root checker - **F3/E.java** - OsData class storing `isRooted` boolean ### Root Detection Methods: 1. Checks `Build.TAGS` for "test-keys" (indicates custom ROM) 2. Checks if `/system/app/Superuser.apk` exists 3. Checks if `/system/xbin/su` exists ## Solution: Three Bypass Scripts ### 1. **frida_complete_bypass.js** (Recommended First Try) ```powershell # Launch with PowerShell script .\launch_bypass.ps1 # OR manually with Frida frida -U -f com.backdrops.wallpapers --no-pause -l frida_complete_bypass.js -D 192.168.226.101:5555 ``` **Features:** - Spawns app fresh (clean state) - Hooks root detection immediately - Adds premium bypass after 3 seconds - Uses `--no-pause` for auto-resume ### 2. **frida_ultra_early.js** (If #1 Fails) ```powershell frida -U -f com.backdrops.wallpapers --no-pause -l frida_ultra_early.js -D 192.168.226.101:5555 ``` **Features:** - Uses `setImmediate()` for ultra-early hooking - Hooks File constructor (before exists() is called) - Blocks Runtime.exec("su") commands - Premium bypass after 5 seconds ### 3. **Attach Mode** (If App Already Runs) ```powershell # Start app normally adb -s 192.168.226.101:5555 shell am start -n com.backdrops.wallpapers/.activities.MainActivity # Attach Frida frida -U -n com.backdrops.wallpapers -l frida_complete_bypass.js -D 192.168.226.101:5555 ``` ## Troubleshooting ### App Still Crashes? **Problem:** Native library protection (libpairipcore.so) **Solution:** The native crash happens BEFORE Java code loads. Try: 1. **Magisk Hide/Zygisk**: Hide root from specific apps ```bash # Enable Magisk Hide for Backdrops adb shell su -c "magisk --hide add com.backdrops.wallpapers" ``` 2. **Frida-Server Hide**: Rename frida-server ```bash adb push frida-server /data/local/tmp/server adb shell "chmod 755 /data/local/tmp/server" adb shell "/data/local/tmp/server &" ``` 3. **Early Boot Hooking**: Use Frida Gadget (inject into APK) - Requires APK repackaging - See: https://frida.re/docs/gadget/ ### Root Detection Still Triggers? Check if hooks are applying: ```javascript // Add to script to verify console.log("Build.TAGS = " + Build.TAGS.value); // Check File operations File.exists.implementation = function() { console.log("Checking: " + this.getAbsolutePath()); // ... rest of hook }; ``` ### Premium Not Unlocking? 1. Wait 5-10 seconds after app launches 2. Check Frida console for `[PREMIUM]` messages 3. Try navigating to a paid wallpaper pack 4. Look for `isPremiumPackUnlocked()` calls ## Understanding the Hooks ### Root Detection Bypass ```javascript // 1. Fake Build.TAGS Build.TAGS.value = "release-keys"; // Hide test-keys // 2. Block su file checks File.exists.implementation = function() { if (path.contains("/su") || path.contains("Superuser")) { return false; // File doesn't exist } return original(); }; // 3. Hook root checker directly C3.C0446i.[method].implementation = function() { return false; // Not rooted }; ``` ### Premium Bypass ```javascript // 1. Main premium check DatabaseObserver.isPremiumPackUnlocked.implementation = function(sku) { return true; // All packs unlocked }; // 2. Database existence check DatabaseHandlerIAB.existPurchase.implementation = function(sku) { return Single.just(true); // Purchase exists }; ``` ## Alternative: Non-Root Device If all else fails, try running on a **non-rooted device/emulator**: ```powershell # Use frida-server with ptrace # No root detection will trigger adb shell /data/local/tmp/frida-server # Then inject normally frida -U -f com.backdrops.wallpapers --no-pause -l frida_complete_bypass.js ``` **Note:** You'll need a device with SELinux permissive or proper permissions. ## Success Indicators You know it's working when you see: ``` [+] Build.TAGS: 'test-keys' -> 'release-keys' [EARLY BYPASS] exists('/system/app/Superuser.apk') -> FALSE [BYPASS] C3.C0446i.checkRoot() -> FALSE [PREMIUM] isPremiumPackUnlocked('backdrops.pack.trinity') -> TRUE [✓] ALL BYPASSES ACTIVE! ``` ## What to Try in App 1. Open Backdrops 2. Navigate to "Collections" or "Packs" 3. Look for premium packs (Trinity, AMOLED, Acid, etc.) 4. Try to view/download wallpapers from premium packs 5. Should work without purchase prompt! ## If Nothing Works... Consider **static patching** (APK modification): 1. Decompile APK with apktool 2. Remove root checks from smali code 3. Patch premium checks to always return true 4. Recompile and sign APK 5. Install modified APK Tools: - apktool (decompile/recompile) - jadx-gui (view Java code) - uber-apk-signer (sign APK) --- ## Quick Commands Reference ```powershell # Stop app adb -s 192.168.226.101:5555 shell am force-stop com.backdrops.wallpapers # Clear data adb -s 192.168.226.101:5555 shell pm clear com.backdrops.wallpapers # Launch with bypass (RECOMMENDED) .\launch_bypass.ps1 # Manual spawn frida -U -f com.backdrops.wallpapers --no-pause -l frida_ultra_early.js -D 192.168.226.101:5555 # Check frida-server adb -s 192.168.226.101:5555 shell "ps | grep frida" # View app logs adb -s 192.168.226.101:5555 logcat | Select-String "Backdrops" ``` Good luck! 🎨🖼️