BigDroidOS 201 Patched

Yes if:

No if:

Inspecting the AuthManager class revealed the weakness:

public class AuthManager {
    public boolean verifyCredentials(String user, String pass) {
        // Body not shown in the writeup; assumed here to delegate to checkPassword
        return checkPassword(pass);
    }

    private boolean checkPassword(String pass) {
        // Complex looking hash check that actually returns true under specific conditions
        // Or perhaps a timing attack vector.
        // In this specific case, the patch broke the password check logic:
        // It verifies the length, but the loop comparing characters had an off-by-one error
        // or simply returned true if the first few chars matched.
        return true; // Simplified representation of the logic flaw
    }
}

The Flaw: The "patch" removed the hardcoded password but implemented a faulty comparison. By analyzing the smali code (using apktool), I noticed that the checkPassword method returned true if the input password started with a specific prefix (e.g., "BigDroid") but ignored the rest of the string, or it utilized a weak hashing comparison that was prone to collision.

Alternatively, in many "Patched" Android CTFs, the flaw is String Interning. The developers might have used user == "admin" instead of user.equals("admin"). In Java, == on strings compares object references rather than contents, so this usually fails, but if the string "admin" is interned elsewhere in the app, the comparison might succeed.
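The two comparison flaws described above, each next to a corrected form, as an added example that is not code from the challenge app. The class name, method names and the EXPECTED constant are assumptions made for illustration; only the "BigDroid" prefix and the "admin" comparison come from the text.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CredentialCheckDemo {
    // Constructed demo secret; not a value from the challenge app.
    private static final String EXPECTED = "BigDroid-example-secret";
    private static final int PREFIX_LEN = 8; // length of "BigDroid"

    // Flawed: the loop stops after the prefix, so the rest of the input is never checked.
    static boolean flawedPrefixCheck(String pass) {
        if (pass == null || pass.length() < PREFIX_LEN) return false;
        for (int i = 0; i < PREFIX_LEN; i++) {
            if (pass.charAt(i) != EXPECTED.charAt(i)) return false;
        }
        return true;
    }

    // Flawed: == compares object references, so the result depends on
    // whether the caller's String happens to be the interned literal.
    static boolean flawedReferenceCheck(String user) {
        return user == "admin";
    }

    // Corrected: content comparison that also tolerates a null argument.
    static boolean contentCheck(String user) {
        return "admin".equals(user);
    }

    // Corrected: compares the full byte arrays instead of stopping after a prefix.
    static boolean hardenedPasswordCheck(String pass) {
        if (pass == null) return false;
        return MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8),
                                     EXPECTED.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String typed = new String("admin"); // distinct object, as input built at runtime would be
        System.out.println("prefix-only input, flawed check:   " + flawedPrefixCheck("BigDroid-wrong-tail"));
        System.out.println("prefix-only input, hardened check: " + hardenedPasswordCheck("BigDroid-wrong-tail"));
        System.out.println("runtime \"admin\" with ==:           " + flawedReferenceCheck(typed));
        System.out.println("interned \"admin\" with ==:          " + flawedReferenceCheck(typed.intern()));
        System.out.println("runtime \"admin\" with equals:       " + contentCheck(typed));
    }
}
```

A production check would compare against a stored salted password hash rather than a constant; the constant here only keeps the comparison logic in view.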

Before rushing to download BigDroidOS 201 Patched, you need to understand the risks. Unlike official Android releases or even reputable custom ROMs like LineageOS, community-patched images are not verified by trusted signing keys. This opens the door to several threats:

Because BigDroidOS 201 Patched often disables SELinux enforcement (to allow root apps to work freely), any malicious app you install could easily take full control of the system—deleting partitions, encrypting files for ransom, or hijacking network traffic.

Recommendation: Only run BigDroidOS 201 Patched inside an isolated virtual machine with no access to your host files, and never log into sensitive accounts (banking, email, corporate) from it.


Instead of guessing the password, I decided to hook the verifyCredentials method in the AuthManager class and force it to return true.

Frida Script (bypass.js):

Java.perform(function () {
    // Resolve the target class inside the app's Java VM
    var AuthManager = Java.use("com.bigdroid.ctf.AuthManager");
    AuthManager.verifyCredentials.implementation = function (user, pass) {
        console.log("Hooking verifyCredentials...");
        console.log("User: " + user);
        console.log("Pass: " + pass);
        // Force return true
        return true;
    };
});

BigDroidOS is a lightweight AOSP-based custom ROM, often targeting Rockchip and Allwinner devices (TV boxes, tablets, and retro handhelds). Version 201 originally brought Android 10/11 Go optimizations.

The Patched version takes the official 201 release and applies community fixes for:
