Look ma, no reboot

A project log for Hacking old Galaxy Tabs for better living

How I helped my high-rise neighbors to actually own their smart homes

Neighborino, 09/12/2021 at 09:29 (0 Comments)

I was free to code the new FactoryTestBroadcastReceiver (you can find the code in this project's files) as I pleased, and I decided on a generic approach: the payload is a string of shell commands, which onReceive() executes, and the output is sent back to my app in the form of another Broadcast. That way I could issue a "cat /data/misc/wifi/wpa_supplicant.conf" to read the contents of the file, or a "pm disable" to get rid of the preinstalled app bloat.

I compiled this class into a Dalvik-cache-compatible .odex on both OS versions, 4.2.2 and 4.4.2, and packaged it into my app together with the dirtycow binary, which I XOR'd so that virustotal.com would not upset any of my more curious neighbors - I was not trying to hack them, after all. In any case, I disclosed how the app works on my instructions page, so it was all good.

My first 2.0 app asked the user to reboot so that the new Dalvik cache would be used (the old one was in use and running in the background at the time). But the tablet was trapped in a wall mount with difficult access to the reset button, and the only other way to reboot (which I discovered too late in any case) was to enable an on-screen accessibility menu. So I was glad to think of the weird free-for-all KILL_BACKGROUND_PROCESSES permission: a plain app can call killBackgroundProcesses("com.sec.factory") and kill the system app's background process without any special (system or signature) permissions. Then I could dirtycow (which is now a verb, I guess) the .dex, and the next Broadcast would make the Android OS wake the app up again; luckily for me it would load the new code now - no reboot needed!

I was very happy with the results and was preparing to share my app with my neighbors.