[Exploit] [Shizuku Support] SMT Shell v2.0 - get a SYSTEM SHELL (UID 1000) within the app itself - and write your own system app with an API


BLuFeNiX

Senior Member
Jan 18, 2013
434
219

SMT Shell v2.0​

GitHub: https://github.com/BLuFeNiX/SMTShell

Hi everyone! After seeing the recent controversy over a similar tool, I have decided to maintain my own version of the Samsung system shell exploit, targeting CVE-2019-16253.

Original CVE: CVE-2019-16253

What does it do?​

This tool allows most Samsung devices to achieve a system shell (UID 1000). It was patched in OneUI 5.1, but will work on Android 13 running OneUI 5.0 or older, as well as some very early versions of OneUI 5.1 (like the S23). It should work as far back as Android 9.0 (and maybe earlier).

It has a feature set similar to Samsung Toolkit, but I've added even more stuff, and have additional plans for the future. It also has an API so you can write your own apps. You can think of it like SuperSU/Magisk for uid 1000 instead of root.

API source code and instructions: https://github.com/BLuFeNiX/SMTShell-API

Usage (with Shizuku)​

Simply run the app and grant Shizuku access.

Usage (no Shizuku)​

  1. Downgrade the TTS app to the version provided (this must be done after every reboot):
     adb install -d com.samsung.SMT_v3.0.02.2.apk
     Alternatively, you can use pm install -d /data/local/tmp/com.samsung.SMT_v3.0.02.2.apk if you copy the file to your device first via adb push.
  2. Install and open the SMT Shell app.



Troubleshooting​

  1. Try clearing the Samsung SMT app data: adb shell pm clear com.samsung.SMT
  2. Kill and run the SMT Shell app again.
  3. If the above fails, reboot and follow the usage instructions again.

Thanks to @flanker017 !!!​

This work is based purely off of the original 2019 exploit code, authored by flanker017. Although other similar projects may exist, this uses absolutely no code from them. You can find the original work at the following links:

* https://github.com/flankerhqd/vendor-android-cves (specifically the SMT-CVE-2019-16253 folder).
* https://blog.flanker017.me/text-to-speech-speaks-pwned/

Changes from the original exploit​

I have refactored/simplified nearly all of the code, as well as implemented my own reverse shell.

Suggestion? Bug report?​

Feel free to discuss here, but I will be most responsive if you create an issue on GitHub.

Update!​

Added Shizuku support! (v1.2)
 

Attachments

  • com.samsung.SMT_v3.0.02.2.apk
    15.2 MB · Views: 236
  • SMT_Shell_v2.0.1.apk
    16.6 MB · Views: 80

BLuFeNiX

Senior Member
Jan 18, 2013
434
219
Another developer on xda had his thread locked by a mod since they thought it was a duplicate thread. The dev was able to get the exploit and/or the system shell working on One UI 5.1.

I am not trying to hijack the thread.
Thanks, I heard about this. I am under the impression that certain devices did not get the patch until a later update, so very early versions of 5.1 are affected on some devices, but the most up-to-date software is not affected by this exploit.
 

myhanbing

New member
Jun 29, 2016
4
0
An error occurred when I executed the downgrade install command:
```
H:\Users\Administrator\Downloads>adb install -d ./com.samsung.SMT_v3.0.02.2.apk
Performing Streamed Install
adb: failed to install ./com.samsung.SMT_v3.0.02.2.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE]
```


Device info:
```
oneUI 1.0
Android 9.0
Model: SM-G9550 (Galaxy S8+)
Original SMT Version: 3.0.03.11
Android Secure Patch Level: 2020/12/01
```



Resolved:
This command only supports Android 10+, so executing it on Android 9 will result in the above error.
Ref: https://blog.esper.io/adb-29-how-to-downgrade-rollback-app/
 
Another developer on xda had his thread locked by a mod since they thought it was a duplicate thread. The dev was able to get the exploit and/or the system shell working on One UI 5.1.

I am not trying to hijack the thread.
So what you're referring to is me, with the S23 Ultra on One UI 5.1. I did achieve system shell access on this device.
 

Attachments

  • s23.ultra-SS.jpg
    127.9 KB · Views: 73
How this happened... it only worked on the U variant for the S23 Ultra. No other devices, so far. If you have U1, you're still in luck. As long as @BLuFeNiX is okay with it, I can share how. But with that said, this will not be supported for the S23 clan. I don't want to feel like I'm hijacking the OP either, but as long as @BLuFeNiX is fine with it, I'll share the details soon.
 

BLuFeNiX

Senior Member
Jan 18, 2013
434
219
How this happened... it only worked on the U variant for the S23 Ultra. No other devices, so far. If you have U1, you're still in luck. As long as @BLuFeNiX is okay with it, I can share how. But with that said, this will not be supported for the S23 clan. I don't want to feel like I'm hijacking the OP either, but as long as @BLuFeNiX is fine with it, I'll share the details soon.
You don't need my permission to share your own research. Go for it!
 
So what you're referring to is me, with the S23 Ultra on One UI 5.1. I did achieve system shell access on this device.
For R&D purposes only
*S918U & S918U1 devices only*

Take the following info as is. Nothing too great about it. Just know, it wasn't anything hi-tech or anything that required a whole lot of knowledge. I achieved system shell access on the S23 Ultra by flashing this.


This is probably around the first known build available for the S23 Ultra. Security patch is Nov 1 2022. Samsung was in no way ever thinking about patching SMT back then. So I GOT LUCKY and figured it out by simply doing what I usually do when I get a new device. Flash this and follow the OP's instructions and you too can see system shell access. @BLuFeNiX @V0latyle
 

ketopili81

New member
Mar 9, 2023
4
0
Hi
I have the same above error unfortunately (INSTALL_FAILED_BLOCKED_CROSS_DOWN).
Device: SM-A015M, running Android 10, One UI Core.
Also I have the Shizuku app installed with LSPatch, but I can downgrade 3rd party apps only, not system apps.
I think the problem is with One UI Core. I did adb shell pm clear com.samsung.SMT, but it doesn't work.
If someone has any advice, I'm willing to accept the suggestions.
Oh well, anyway thank you for your work.
Bye.
 
Hi
I have the same above error unfortunately (INSTALL_FAILED_BLOCKED_CROSS_DOWN).
Device: SM-A015M, running Android 10, One UI Core.
Also I have the Shizuku app installed with LSPatch, but I can downgrade 3rd party apps only, not system apps.
I think the problem is with One UI Core. I did adb shell pm clear com.samsung.SMT, but it doesn't work.
If someone has any advice, I'm willing to listen.
Oh well, anyway thank you for your work.
Bye.
That's a new one. I've never come across that error. Is your device older than 2019? What version of SMT do you have on stock?
 

BLuFeNiX

Senior Member
Jan 18, 2013
434
219
Hi
I have the same above error unfortunately (INSTALL_FAILED_BLOCKED_CROSS_DOWN).
Device: SM-A015M, running Android 10, One UI Core.
Also I have the Shizuku app installed with LSPatch, but I can downgrade 3rd party apps only, not system apps.
I think the problem is with One UI Core. I did adb shell pm clear com.samsung.SMT, but it doesn't work.
If someone has any advice, I'm willing to listen.
Oh well, anyway thank you for your work.
Bye.
Not sure about that error, but try the new version which does the downgrade for you via Shizuku.

Will the exploit work with Shizuku and Samsung Toolkit?
Shizuku support added!
 

dubblecup

Senior Member
Dec 19, 2011
62
6
Hey, Shizuku is running, but it fails to escalate with Samsung Toolkit. I'm somewhat of a noob, so I don't know any other way to achieve system access to change CSC etc. It was pretty convenient. I changed CSC using SamFW, but now I have to connect to my computer.
 

Top Liked Posts

    *COMMANDS FOR SYSTEM AND/OR ROOT USE ONLY*

    **WARNING**
    Do your research and find out what something does before you aimlessly execute the commands and mess something up. This is your only warning.

    IOTHiddenMenu.apk

    am start -n com.sec.hiddenmenu/.KOREA_Mode -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.KoreaMode_Prevail -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.SerialPort -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.ItsOnMenu -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.ServiceModeApp -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.Test -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.PhoneUtil -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.OTATest -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.LTE -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.FIELDTESTMODE -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.HiddenMenuEnable -e 7267864872 72678647376477466

    am start -n com.sec.hiddenmenu/.GlobalHiddenMenuEnable -e 7267864872 72678647376477466


    Change your CSC thru Preconfiguration. (Exclusive to primarily US devices)

    am start -n com.samsung.android.cidmanager/.modules.preconfig.PreconfigActivity -a com.samsung.android.action.SECRET_CODE -d secret_code://27262826 --ei type 2

    Option #2 for Possible CSC change on devices not from US.

    am start -n com.samsung.android.cidmanager/.preconfig.PreconfigActivity -a android.provider.Telephony.SECRET_CODE -d secret_code://272837883 --ei type 3


    Service Menu

    am broadcast -a com.samsung.android.action.SECRET_CODE -d android_secret_code://27663368378 -n com.sec.android.RilServiceModeApp/.SecKeyStringBroadcastReceiver

    Hidden Network Band Selection

    am start -n com.samsung.android.app.telephonyui/.hiddennetworksetting.MainActivity


    Use with CAUTION***

    am start -n com.wssyncmldm/com.idm.fotaagent.enabler.ui.admin.feature.AdminFeatureAndActionActivity

    am start -n com.wssyncmldm/com.samsung.android.fotaagent.common.feature.FeatureInjectionActivity

    am start -n com.sec.android.app.factorykeystring/com.sec.android.app.shutdown.ShutdownPreference

    am start -n com.samsung.android.sdm.config/.ui.DevConfigActivity

    am start -n com.sec.android.sdhms/.debugger.ui.ThermalLimitSettingActivity

    am start -n com.sec.usbsettings/.USBSettings

    am start -n com.android.settings/.development.DSULoader

    am start -n com.sec.android.app.servicemodeapp/com.sec.android.app.modemui.activities.PhoneUtil

    am start -n com.sec.android.app.myfiles/.external.ui.developer.DeveloperSettingActivity

    am start -n com.sec.android.app.factorykeystring/com.sec.android.app.phoneutil.UsbLogging

    am start -n com.samsung.sdm/com.samsung.sdm.logic.DMApp

    Have fun...
    --wr3cckl3ss1
    Version 2.0 released! See OP for details.
    I am sorry but could you please share the names of those two apps? Or PM me the links, please?

    I have two elevated apps that do this and it's all without a system shell .
    Yeah same was trying to avoid downgrading or modifying. If you can DM apps
    I have S918B/DS, could you share those apps in DM? I need to use Service Menu, I can't downgrade to Verizon firmware. Thank you.
    I guess the days of doing research and exploring for yourself are long gone. Here you are, gentlemen. As per your requests, I'll kindly point you all to ONE of those apps. What you do with it is all on you, and please refrain from asking "Why", "Where" or "How".