Dante63
Senior Member
- Nov 1, 2015
- 4,336
- 4,670
- 30
Oh it takes a lot of time, not stuck, I also thought it got stuck but it's a looooong task
I waited for more than an hour. Nothing happened. Is it supposed to take that long?
Dante63
Senior Member
- Nov 1, 2015
- 4,336
- 4,670
- 30
No, not that long, for me it took no more than 5~10 mins...
Using watch version...?
I used Shizuku method, I didn't go manual...
How did you start shizuku on watch? I tried it but wasn't able to start shizuku. Not so familiar with wear os.
Btw I'm using galaxy watch 4 classic.
Dante63
Senior Member
- Nov 1, 2015
- 4,336
- 4,670
- 30
Phone version or watch version of the smt exploit?
You'll sideload Shizuku phone app on your watch, you'll need to run adb command to change density (only once to allow app permission always then you can revert back)
After that start it on 5555, if first time, you will see a pop-up message then after allowing a script running and hangs (after 1 minute, if it doesn't change go back and run it again)...
On second time you run it, the script successfully run and autoclose by itself stating Shizuku is running, now you leave the app and open smt exploit...
Thanks for the tips, I'm using the watch version of SMT exploit. I had already tried these steps yesterday to start shizuku on watch. But was unable to start it using the ADB command in the shizuku app, it shows permission denied. Am I missing something here?
Dante63
Senior Member
- Nov 1, 2015
- 4,336
- 4,670
- 30
Yes, please do. Will be of great help. Will wait till then.
Dante63
Senior Member
- Nov 1, 2015
- 4,336
- 4,670
- 30
First, I would like to apologize.
I posted the wrong APK to GitHub, so re-download the APK again, and things should work fine...
Here is the video.
The process took me no more than 5 minutes...
Everyone seems to be convinced that OEM unlocking is not possible.... but i think it's still possible we have multiple options but it seems nobody is interested in looking into it.... i cannot focus a.t.m. because of medication but the OEM signing keys might be in the samsung leaked files.... then we can downgrade and unlock the bootloader or root the phone.
Mod edit: Reference to the "Samsung Hack: removed.
Last edited by a moderator:
Please stop posting references to the "Samsung Hack" as this is the official XDA stance on this matter as seen here.
Thank you: Badger50
works on sm-a426u running on verizon
For R&D purposes only
*S918U & S918U1 devices only*
Take the following info as is. Nothing too great about it. Just know, it wasn't anything hi tech or anything that required a whole lot of knowledge. I achieved system shell access on the S23 Ultra by flashing this.
Download Galaxy S23 Ultra SM-S918U (USC) S918USQU1AVKT in Samfw - Samsung firmware download
Galaxy S23 Ultra SM-S918U (USC - United States) S918USQU1AVKT T(Android 13) samsung firmware download all model, lastest, fast update, completely free and fast speed in Samfw.com ✅samfw.com
This is a probably around the first known build available for the S23 Ultra. Security patch is Nov 1 2022. Samsung was in no way ever thinking about patching SMT back then. So I GOT LUCKY and figured it out by simply doing what i usually do when I get a new device. Flash this and follow the OP's instructions and you too can see system shell access. @BLuFeNiX @V0latyle
wr3cckl3ss1
Senior Member
I see that you're a new member. Welcome. Welcome to the land of overage misfits and disgruntled ex tech employees. Always remember to use that search button up at the top and always be respectful because someone here will always have something to say. Is your device on One UI 5.0 or 5.1? If on 5.0, SMT Shell works as is. If on 5.1, then this will not work but using that search option can direct you to bypassing Samsung's bandaids up until May 2023.
thank you, I have been looking around the forms for a couple years now, just never really bothered to make an account until now,
device is on 5.1 I misinterpreted the downgrade comment as talking about the 5.1 bypass and that it only worked on as I did see in that thread some people couldn't get it to run on the april security patch, I was just confirming that the bypass does indeed work on the phone
wr3cckl3ss1
Senior Member
GitHub - wr3cckl3ss/system_shell_2: SMT Shell with a twist! Fully updated and upgraded.
SMT Shell with a twist! Fully updated and upgraded. - wr3cckl3ss/system_shell_2
github.com
Hi.
GitHub - wr3cckl3ss/system_shell_2: SMT Shell with a twist! Fully updated and upgraded.
SMT Shell with a twist! Fully updated and upgraded. - wr3cckl3ss/system_shell_2
Thank you very much for keeping the project alive. My april upgraded galaxy note 10+ exynos (SM-N975F) feels very happy again.
Salu2
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
17
SMT Shell v2.0
GitHub: https://github.com/BLuFeNiX/SMTShell
Hi everyone! After seeing the recent controversy over a similar tool, I have decided to maintain my own version of the Samsung system shell exploit, targeting CVE-2019-16253.
Original CVE: CVE-2019-16253
What does it do?
This tool allows most Samsung devices to achieve a system shell (UID 1000). It was patched in OneUI 5.1, but will work on Android 13 running OneUI 5.0 or older, as well as some very early versions of OneUI 5.1 (like the S23). It should work as far back and Android 9.0 (and maybe earlier).
It has a feature set similar to Samsung Toolkit, but I've added even more stuff, and have additional plans for the future. It also has an API so you can write your own apps. You can think of it like SuperSU/Magisk for uid 1000 instead of root.
API source code and instructions: https://github.com/BLuFeNiX/SMTShell-API
Usage (with Shizuku)
Simply run the app and grant Shizuku access.
Usage (no Shizuku)
- Downgrade the TTS app to the version provided (this must be done after every reboot):
adb install -d com.samsung.SMT_v3.0.02.2.apk
alternatively, you can usepm install -d /data/local/tmp/com.samsung.SMT_v3.0.02.2.apkif you copy the file to your device first, viaadb push - Install and open the SMT Shell app.
Troubleshooting
- Try clearing the Samsung SMT app data:
adb shell pm clear com.samsung.SMT - kill and run the SMT Shell app again
- If the above fails, reboot and follow the usage instructions again.
Thanks to @flanker017 !!!
This work is based purely off of the original 2019 exploit code, authored by flanker017. Although other similar projects may exist, this uses absolutely no code from them. You can find the original work at the following links:
* https://github.com/flankerhqd/vendor-android-cves (specifically the SMT-CVE-2019-16253 folder).
* https://blog.flanker017.me/text-to-speech-speaks-pwned/
Changes from the original exploit
I have refactored/simplified nearly all of the code, as well as implemented my own reverse shell.
Suggestion? Bug report?
Feel free to discuss here, but I will be most responsive if you create an issue on GitHub.
Looking for a version that supports Samsung Watches?
See this neat fork by @Dante636Guess it's been awhile since I came to these parts....
As many of you know... about my project.
This thread is for the SMT Shell exploit....not #system3.
I kindly ask that you respect the post and it's author. As per XDA rule,
This thread is for his project and anything related to it. And with that said. I will not open up a separate thread for this on XDA but I'll think about opening up a chat on a different platform. As it was already mentioned by @V0latyle that only one thread about a system shell can be made and as per XDA rule.
I will follow all protocol here and respect XDA's wishes.
Futhermore If it's possible and with permission with the moderators here. If and when I do make this chat, would it be possible to link an outside link pointing to it, in case someone comes along to find support. If it's not allowed on this thread. I do HAVE one option, which i think will be better suited for the mods here. Since it will not go against what the moderators have here and that's by again using XDA rule,
I would have posted the ONE link to TG rule but as of this writing. But I have failed to find where it's located. Unless something was changed as of recently and I'm not aware of it. But I will take a look at the FORUM RULES and read thru again, as it was edited on Jan 31st 2023 @4:12pm which was roughly 5 hours ago.
If this rule still stands and is allowed. I believe my ONE link to TG hasn't been used. And I do have one thread that is open as of today. And unless I'm mistaken and from my recollection, the one link to TG doesn't have a specific location of where it needs to be. I could be wrong but would need more clarification on this once I find a direct reference about the TG rule. And given that in my ONE thread that is open, I have posted screenshots of #system3 and were not flagged for breaking XDA rule,
Then it would only be a matter of going in my thread and updating one the posts to include a link pointing to the chat....
Above all it's about respecting the rules set in place. We might not agree with them but rules are rules. And I'm ALL for them. So I ask that those here speaking on my project to either wait PENDING MY APPROVAL to possibly open something somewhere else and also of the moderators and ask that the integrity of this thread be kept and respected. Thank you for your time and I hope to see some of you guys very very soon.
@V0latyle
@Oswald Boelcke
@Badger505*COMMANDS FOR SYSTEM AND/OR ROOT USE ONLY*
**WARNING**
Do your research and find out what something does before you aimlessly execute the commands and mess something up. This is your only warning.
IOTHiddenMenu.apk
am start -n com.sec.hiddenmenu/.KOREA_Mode -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.KoreaMode_Prevail -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.SerialPort -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.ItsOnMenu -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.ServiceModeApp -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.Test -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.PhoneUtil -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.OTATest -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.LTE -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.FIELDTESTMODE -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.HiddenMenuEnable -e 7267864872 72678647376477466
am start -n com.sec.hiddenmenu/.GlobalHiddenMenuEnable -e 7267864872 72678647376477466
Change your CSC thru Preconfiguration. (Exclusive to primarily US devices)
am start -n com.samsung.android.cidmanager/.modules.preconfig.PreconfigActivity -a com.samsung.android.action.SECRET_CODE -d secret_code://27262826 --ei type 2
Option #2 for Possible CSC change on devices not from US.
am start -n com.samsung.android.cidmanager/.preconfig.PreconfigActivity -a android.provider.Telephony.SECRET_CODE -d secret_code://272837883 --ei type 3
Service Menu
am broadcast -a com.samsung.android.action.SECRET_CODE -d android_secret_code://27663368378 -n com.sec.android.RilServiceModeApp/.SecKeyStringBroadcastReceiver
Hidden Network Band Selection
am start -n com.samsung.android.app.telephonyui/.hiddennetworksetting.MainActivity
Use with CAUTION***
am start -n com.wssyncmldm/com.idm.fotaagent.enabler.ui.admin.feature.AdminFeatureAndActionActivity
am start -n com.wssyncmldm/com.samsung.android.fotaagent.common.feature.FeatureInjectionActivity
am start -n com.sec.android.app.factorykeystring/com.sec.android.app.shutdown.ShutdownPreference
am start -n com.samsung.android.sdm.config/.ui.DevConfigActivity
am start -n com.sec.android.sdhms/.debugger.ui.ThermalLimitSettingActivity
am start -n com.sec.usbsettings/.USBSettings
am start -n com.android.settings/.development.DSULoader
am start -n com.sec.android.app.servicemodeapp/com.sec.android.app.modemui.activities.PhoneUtil
am start -n com.sec.android.app.myfiles/.external.ui.developer.DeveloperSettingActivity
am start -n com.sec.android.app.factorykeystring/com.sec.android.app.phoneutil.UsbLogging
am start -n com.samsung.sdm/com.samsung.sdm.logic.DMApp
Have fun...
--wr3cckl3ss14
I guess the days of doing research and exploring for yourself are long gone. Here you are gentlemen. As per you requests, I'll kindly point you all to ONE of those apps. What you do with it, is all on you and please refrain from asking "Why", "Where" or "How".
3
For R&D purposes only
*S918U & S918U1 devices only*
Take the following info as is. Nothing too great about it. Just know, it wasn't anything hi tech or anything that required a whole lot of knowledge. I achieved system shell access on the S23 Ultra by flashing this.
Download Galaxy S23 Ultra SM-S918U (USC) S918USQU1AVKT in Samfw - Samsung firmware download
Galaxy S23 Ultra SM-S918U (USC - United...
This is a probably around the first known build available for the S23 Ultra. Security patch is Nov 1 2022. Samsung was in no way ever thinking about patching SMT back then. So I GOT LUCKY and figured it out by simply doing what i usually do when I get a new device. Flash this and follow the OP's instructions and you too can see system shell access. @BLuFeNiX @V0latyle - Downgrade the TTS app to the version provided (this must be done after every reboot):
New posts
-
-
Question S23 - call recording - possibility of changing CSC ?
- Latest: xdauser2024
-
-
Question Serenity now....been trying to adb sideload stock os to my phone
- Latest: Appreciative