[GUIDE][17.06.2019] RMM/KG bypass - Root/Install TWRP on Exynos Samsung after 2018

Search This thread

bojan.1995

Senior Member
Aug 31, 2013
146
10
G950F Oreo 8.0

OEM Unlock is Enabled.
USB Debuging is Enabled.

I flashed TWRP with ODIN (Guide didn't say anything about UNCHECK "Auto Reboot").
Moved no-verity-opt-encrypt-6.1 to SD and tried to flash with Read only permission.
GOT
ERROR 1.



After Reboot:
TWRP is switched with Samsung Recovery.
In Settings > Developers > Bootloader is already unlocked.

I found this guide and this guide.

One of the guide says I need to flash RMM-State_Bypass.zip BEFORE no-verity-opt-encrypt-6.1.
But there is
no link for that RMM zip.

In further Updates I think I didn't flash no-verity-opt-encrypt-6.1 (not 100% sure, You can check in logs)

UPDATE 1:
I did from step 1 with unchecked "Auto Reboot"
I am in TWRP and "Allowed modification"
After flashing RMM-State_Bypass_Mesa_v2.zip (Found it on Google)
I got errors. I am still in TWRP.

Here is Recovery log
https://www.mediafire.com/file/l4ge427nsg2i5hg/recovery.log/file

and dmesg.log
https://www.mediafire.com/file/mpz5p7t3niv1ymy/dmesg.log/file




Update 2:
In the same TWRP (I didn't started from Step 1)
I did Wipe > Format Data > Yes
I flashed Disable_Dm-Verity_ForceEncrypt-master.zip

Here are logs:
https://www.mediafire.com/file/4xs1nel7muj8qng/recovery2.log/file
https://www.mediafire.com/file/swm300p9s7270dd/dmesg2.log/file

Now I am bricked :ROFLMAO::LOL: but I can boot into TWRP ;)


Update 3:
Currently installing Alexis Rom 9

Here are logs:
https://www.mediafire.com/file/7a91h8a0leie4v2/ALEXISROM_9.3.zip.log.txt/file

https://www.mediafire.com/file/99067b8zvcwrprk/recovery+3.log/file

https://www.mediafire.com/file/or7ftctdwup9eah/dmesg+3.log/file

Update 4:
From TWRP I shut down the phone but the phone boot into TWRP again.
So I went to Reboot > System.
I can breath easier now, I successfully booted into Alexis Rom 9.3 (Android 9).
Thanks to AlexisXDA for including Root option into installation (Magisk or Su).

Just to double check I boot into TWRP once again and it works.
 
Last edited:
Aug 28, 2017
18
3
Because Samsung wants you to discard your device and purchase a new one!! That's why they don't released 8.1 Oreo updates. If you think like them you will get the same thought. Who's gonna buy a new device if the current device still working and updated? In my thoughts in think they could release updates even for previous android version. We have Android 12, let's release Android 10 for these old devices that can support. But I guess we should wait sitting...
 

ShadowDeath

Member
Dec 4, 2013
22
2
any fixed the rmm stated after 30 november of last year, because i found this post and seems we are out of options now https://forum.xda-developers.com/t/...d-expired-certificate-whats-next-lol.4403393/

Because Samsung wants you to discard your device and purchase a new one!! That's why they don't released 8.1 Oreo updates. If you think like them you will get the same thought. Who's gonna buy a new device if the current device still working and updated? In my thoughts in think they could release updates even for previous android version. We have Android 12, let's release Android 10 for these old devices that can support. But I guess we should wait sitting...
BTW i dont think so, because if they do that i mean im not gonna buy a samsung phone lol to be locked again with this crappy rmm thing? no thanks.
 
Last edited:

Gecko505

Member
May 3, 2022
6
0
Does this fix this work? I am getting RMM prenormal on my Samsung Galaxy J4 and I am now supposed to wait 7 days even though OEM unlock is toggled in Developer options. Initially, I was using a magisk patched AP file and Odin. I might have to wait 7 days and try again with TWRP. So before I risk getting another 7 days ban, does this fix still work?
 

Altarentys

Member
May 8, 2022
11
1
Can anyone confirm that flashing no-verity-opt-encrypt is necessary only if I want to root my device ? So if I'm only installing a rom w/o rooting I don't need it ?
 

kramer04

Senior Member
Jan 15, 2011
602
232
France
Hello
trying to understand how to install TWRP because there are new instructions to install magisk on Samsung
I've Samsung Note9 latest stock rom android 10
someone have successful install TWRP ?
 

alemir25

Member
Jul 1, 2021
7
0
Only if you have RMM status in download mode.
Not need for later version of android 9 and up.
Hello, I had a question for you. My phone is SM-A025F. The OEM setting does not appear in the developer settings of my phone. I tried to download the software, but the problem did not improve. I wonder if I can solve this problem if I install the software of another country? Or how can I solve this problem?,thanks.
 
Aug 28, 2017
18
3
Welll we're on 05/06/2022 and this sh** stills giving headaches to solve. I never tried those workaround to bypass this lock. I have a lot of stuffs such as bank app authorization to work, other apps that needs to validate to work and do all this again and again sucks. I will buy another devices and will not be Samsung so after i
 

Top Liked Posts

  • There are no posts matching your filters.
  • 174
    UPDATE 17.06.2019 - NEW RMM/KG bypass patch

    UPDATE 23.02.2019 - Pie and more

    Please take some time and read carefully the whole post. I am not and i won`t be responsable for anything.

    Disclaimer
    I am not responsible for bricked devices, dead SD cards, thermonuclear war, or you getting fired because the alarm app failed.
    Please do some research if you have any concerns about this guide!
    YOU are choosing to make these modifications, and if you point the finger at me for messing up your device, I will laugh at you.
    Flashing any custom binary will trigger knox and you may lose your warranty. Make sure you know what you do to your device.

    Introduction
    December 2017 update (for some even older) brought us a different lock, that creates panic among users as usual. As described here by my friend @BlackMesa123, this is not a lock to developement, rather an advanced lock for theft or scams. This has a bypass too, specially when you`re the owner of the device.

    How it works
    This lock is in bootloader, but the trigger to it is inside the system, it`s hard to reproduce, but usually happens when you plug another country sim than your firmware country, because changing the country might not seem as a traveling guy and more like a thief. If you are on stock rom all this time, you might not feel the change, as the device reboots and wipes data, but it will eventually boot. The nice thing comes if you already have custom binary installed (rooted kernel or twrp), as you can`t boot anymore because bootloader is preventing you to boot on custom binaries and alter the system.

    Devices confirmed to have the lock:
    • Any other Samsung device manufactured after 2017
    • Samsung Galaxy S9 & S9+ - SM-G960F & SM-G965F
    • Samsung Galaxy Note 8 - SM-N950F
    • Samsung Galaxy S8 & S8+ - SM-G950F & SM-G955F
    • Samsung Galaxy A8 & A8+(2018) - SM-A530F & SM-A730F
    • Samsung Galaxy A Series (2017) - SM-A320F/FL, SM-A520F & SM-A720F
    • Samsung Galaxy Note FE - N935F

    How to know if you are locked
    There are 3 things at this chapter:
    1. "Only official released binaries are allowed to be flashed" message shows up and now you know for sure you got locked outside your phone
    2. Missing OEM unlock toggle in developer settings, if your device has FRP
    3. "RMM state = Prenormal" in download mode

    How to unlock
    1. As i personally did, and other users reported, if you face any of the things above, flash latest full stock fw of your country with Odin, boot up, don`t reboot, don`t unplug the sim and don`t disconnect the network connection for 7 full days (168h). It seems that after 7 days of uptime, RMM state resets and you can flash TWRP again without issues. You can see uptime in settings/about device/status.
    2. Some users reported this guide was working in first Oreo fw releases, can't guarantee it still works.

    How to avoid getting locked again
    Unfortunately bootloader can`t be reverted to older revisions, so we need to live with this. My friend @BlackMesa123 made some investigation and found out how to disable this lock. After waiting those 7 days, go to settings/developer option and enable OEM unlock. In order to never get locked again, flash TWRP for your device (install instructions below), boot into TWRP (do not boot into rom yet as you might get locked again), download and flash his fix from here (don`t forget to thank him too for his findings).
    You can keep this zip near and flash it after flashing any custom rom, to be sure you don`t get locked again. The zip contains an universal script that disables the services responsable. Can be flashed on any device, if the device has the lock, won`t get locked again, if not, nothing will happend. I like to say "better safe than sorry".

    How to safely install TWRP
    Considering you are already unlocked (waited those 7 days), follow the next steps carefully:
    1. Make sure you downloaded latest Odin, samsung usb drivers installed, latest RMM-State_Bypass fix (download links are in #2 post) and latest TWRP available for your device
    2. Put RMM-State_Bypass.zip in external sdcard
    3. Go to settings/Developer options and enable OEM unlock (If you don't see developer settings, go into Settings/About phone/Software info and tap "Build number" 10 times to show Developer options menu)
    4. Reboot the phone into download mode and connect the usb cable
    5. Open Odin, go into options and untick Auto-reboot and put the TWRP tar file in AP tab of odin, hit Start and wait
    6. When Odin shows "PASS", take your device in hands, disconnect the usb cable and press simultaneously the "Home" + "Vol. Down" + "Power" buttons until the downoad mode disappears
    7. At the precise moment the screen becomes black, immediately release the "Vol.Down" button and press the "Home" + "Vol. Up" + "Power" buttons during 10 to 15sec to forcefully enter TWRP
      ***Don't boot into rom because it will lock your device again!!!!
    8. Once the custom recovery booted, swipe to "Allow modification" and flash RMM-State_Bypass.zip as normal zip
    Now you can reboot into rom and hopefully never get locked again.
    If any of above steps fail, redo from step 1, more carefully this time.


    How to safely root
    Considering you already unlocked (waited those 7 days) and you have TWRP installed, follow the next steps carefully:
    1. Download root zip and no-verity-opt-encrypt-6.0 (download links are in #2 post) and drop the zips into external sdcard
    2. Boot into TWRP and swipe "Allow modifications"
    3. Go into Wipe menu and select "Format data" - note that this will erase all your data including internal storage
    4. Reboot recovery, swipe to "Allow modification" and flash RMM-State_Bypass.zip
    5. Flash no-verity-opt-encrypt-6.0 zip downloaded at step #1 to disable data partition encryption
    6. Flash root zip downloaded at step #1
    7. Reboot the phone into system
    8. After booting up in setting wizard make sure to uncheck diagnostic data
    If any of above steps fail, redo from step 1, more carefully this time.


    You can read more about it here here, here, here, here or here.

    Credits
    @BlackMesa123
    @RicePlay33
    @Yahia Angelo
    @TaifAljaloo
    @ananjaser1211
    69
    Useful links

    FAQ
    Q: TWRP can't mount data partition, what to do?
    A: Make sure you formatted data partition.

    Q: Phone is not booting even after 20 minutes?
    A: Try to reboot. If still not booting, make sure you formatted data partition.

    Q: How to format data partition?
    A:
    ymlnQUE.jpg


    Q: Why do i need to format data partition?
    A: Because old rom encrypted your data partition and new rom can't decrypt and use that content / root needs access to data partition to place misc files / phone not booting after flashing root until data partition gets formatted.

    Q: Why not formatting data at twrp install?
    A: Phone will boot even if data is encrypted if you don't root. Also system partition is not encrypted meaning you can flash RMM-State_Bypass anyway.
    56
    And here it is, the long waited update of RMM bypass zip.
    First of all i need to mention few things:

    • This only applies after you unlocked your phone and installed TWRP successfully (check first post for more details about that)
    • This patch is compatible with both Oreo and Pie
    • This patch is compatible only with exynos Samsung devices
    • This patch is needed only on exynos Samsung devices manufactured after 2017
    • This patch comes with absolutely no warranty, you may get locked back anytime without any notice, don't try to blame me or other people involved in this for your failure.
    So as i said in my previous pie post, things have changed a bit with Pie and old patch didn't work anymore. After some time i discovered a bypass for the new KG/Payment lock thing, which i included in my roms/kernels with the purpose of mass testing the behaviour, which proven to be good.
    For those who want to know exactly what's going on and what's behind the patch:
    Most of the RMM code moved to KnoxGuard app, vaultkeeper turned from a binary service a fully functional service based on libs and integrated in the services.jar.
    After some digging i found out that services.jar loads libvkjni.so, which loads libvkmanager.so/libvkservice.so, which eventually trigger KnoxGuard.apk to do it's thing inside the running rom.
    So basically deleting libvkjni.so, libvkmanager.so/libvkservice.so and KnoxGuard.apk/Rlc.apk will disable the service.
    Optional (requires decrypted csc), you can check in the csc files for

    Code:
    <CscFeature_Knox_SupportKnoxGuard>[COLOR="Red"]TRUE[/COLOR]</CscFeature_Knox_SupportKnoxGuard>
    make sure you set it to
    Code:
    <CscFeature_Knox_SupportKnoxGuard>[COLOR="Red"]FALSE[/COLOR]</CscFeature_Knox_SupportKnoxGuard>
    Here's what logs say about this: (you can see in red the important things)

    Code:
    W system_server: Lcom/android/server/VaultKeeperService; failed initialization: java.lang.UnsatisfiedLinkError: [COLOR="Red"]Library vkjni not found[/COLOR]; tried [/system/lib64/libvkjni.so, /system/vendor/lib64/libvkjni.so]
    W system_server:   at void java.lang.Runtime.loadLibrary0(java.lang.ClassLoader, java.lang.String) (Runtime.java:1040)
    W system_server:   at void java.lang.System.loadLibrary(java.lang.String) (System.java:1669)
    W system_server:   at void com.android.server.VaultKeeperService.<clinit>() (VaultKeeperService.java:69)
    W system_server:   at void com.android.server.SystemServer.startOtherServices() (SystemServer.java:-1)
    W system_server:   at void com.android.server.SystemServer.run() (SystemServer.java:-1)
    W system_server:   at void com.android.server.SystemServer.main(java.lang.String[]) (SystemServer.java:-1)
    W system_server:   at java.lang.Object java.lang.reflect.Method.invoke(java.lang.Object, java.lang.Object[]) (Method.java:-2)
    W system_server:   at void com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run() (RuntimeInit.java:493)
    W system_server:   at void com.android.internal.os.ZygoteInit.main(java.lang.String[]) (ZygoteInit.java:944)
    W system_server: 
    W System.err: java.lang.UnsatisfiedLinkError: [COLOR="Red"]Library vkjni not found[/COLOR]; tried [/system/lib64/libvkjni.so, /system/vendor/lib64/libvkjni.so]
    W System.err:   at java.lang.Runtime.loadLibrary0(Runtime.java:1040)
    W System.err:   at java.lang.System.loadLibrary(System.java:1669)
    W System.err:   at com.android.server.VaultKeeperService.<clinit>(VaultKeeperService.java:69)
    W System.err:   at com.android.server.SystemServer.startOtherServices(Unknown Source:819)
    W System.err:   at com.android.server.SystemServer.run(Unknown Source:273)
    W System.err:   at com.android.server.SystemServer.main(Unknown Source:5)
    W System.err:   at java.lang.reflect.Method.invoke(Native Method)
    W System.err:   at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    W System.err:   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:944)
    E SystemServer: [COLOR="red"]Failed to add VaultKeeper Service[/COLOR].
    And a bit after this comes the nice part:
    Code:
    I SystemServer: StartKnoxGuard
    E VaultKeeperManager: VaultKeeperService is null
    E VaultKeeperManager: Unauthorized Pkg. Manager can't be provided.
    D KG.Utils: getRlcState.
    I KgvManager: query(void)
    E KgvManager: [-5]Error from VaultKeeper Manager is null object
    E KG.Utils: [COLOR="red"]KnoxGuardVaultManager not supported[/COLOR] (KnoxGuardVaultException)
    I KG.IntegrityUtil: setInitialState
    E KG.IntegrityUtil: Client Notfound : android.content.pm.PackageManager$NameNotFoundException: com.samsung.android.kgclient
    As a basic check one of my testers was locked on his S8+ running stock rom. He downgraded the bootloader and modem to Oreo, flashed TWRP, deleted libvkjni.so, libvkmanager.so/libvkservice.so and KnoxGuard.apk/Rlc.apk, flashed Pie bootloader and modem and booted up with no lock and no more red text "Only official released binaries are allowed to be flashed".

    How long this will last? Well, Samsung can always turn it into a mandatory thing or even fully change the way this works, making our phones get stuck in bootloop, nobody can tell, but for now let's enjoy it while it lasts.
    As further instructions, for safety reasons make sure you flash this bypass zip after flashing any Samsung based rom (Touchwiz/OneUI), it may take a while until all devs integrate it in their roms.

    Last but not least, make sure you understand the following:
    • This only applies after you unlocked your phone and installed TWRP successfully (check first post for more details about that)
    • This patch is compatible with both Oreo and Pie
    • This patch is compatible only with exynos Samsung devices
    • This patch is needed only on exynos Samsung devices manufactured after 2017
    • This patch comes with absolutely no warranty, you may get locked back anytime without any notice, don't try to blame me or other people involved in this for your failure.
    If you are going to include any part of this in your work, make sure you give proper credits. Thank you
    Special thanks goes to @BlackMesa123 for initial work, @_alexndr for script improvements, @ananjaser1211 for further testing and supporting all my things all the time, all my testers/users that got dragged into this without even knowing, and of course people who already kanged the patch from my kernel zip (if i didn't say anything doesn't mean i didn't saw it ;) ).
    You can find KG/RMM Bypass zip attached to this post.
    All the best!
    23
    As gathering some more feedback from users i will give an update to this thread hoping that i cover at least some of the problems that occured since the last update.

    1. Some users noticed me they can't make OEM toggle show even after waiting those 168h, for me last time i got locked on purpose i managed to make it show after 3 days (72h) without doing anything specific. For the moment my advice will be to flash oldest firmware available for your device that has same bootloader and modem revision as your current, and try again with date trick or with waiting 168h.
    You can find out what bl/modem rev you have by checking the current build number of your current rom. Let's take A520FXXU7CRL8 - in this build number 7 is the revision, leave other numbers and letters for some other time. To be able to flash older firmware it must be same revision, or odin will fail. Search on the firmware related websites for older fw of your phone/region that has that same revision. So for the device mentioned before A520FXXU7CRHA is the oldest fw that can be flashed.

    2. Pie is out. Funny that, but it also has new locks, new things, all still new to everyone, fixes not working yet and so on. Few people including me got locked on Pie and we found some workarounds to it to prevent data loss.
    First of all, old patch doesn't help anymore so flashing it will be pointless. The RMM v2 is called KG too (KnoxGuard) which also comes attached with the apk that throws you in "payment lock" if you delete it. You can see it in download mode as "KG state = prenormal" if you have the lock. Do note "KG state = checking" is harmless (phone is unlocked), that's how it is on most of the devices.
    My personal advice for this is to reflash Oreo bootloader and modem (which i did), ofc following the rules posted at 1), bootloader and modem being same revision as your current. Flashing oreo bootloader and modem will force the phone from RMM v2 to RMM v1, and since pie doesn`t have anymore files of RMM v1 inside, will simply get unlocked (for the moment). Now, this is not a permanent solution because things may change in pie and require updating of bootloader and modem.
    My friend @_alexndr details here an alternative way, as the oreo method, which concludes in flashing full pie firmware and wait to get unlocked by itself, either flash oreo, get ota update to pie and wait to get unlocked by itself.
    The real issue of this is that we couldn't find yet the secrets behind the new locks so, without a flashable patch to disable further locks, it can come in any custom roms, stock roms rooted etc.
    Stay safe!
    9
    Please take some time and read carefully the whole post. I am not and i won`t be responsable for anything.

    Awesome guide corsi this needs to get around.