***LOCKED UNTIL FURTHER NOTICE*** System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.

Status
Not open for further replies.

subevilx

Member
Dec 30, 2022
34
8
I have not removed eToken crap...

My stupid Bootloader sboot.bin ONLY checks text string...

If "he" finds the mrk text string... then I can flash with Odin...

If FACtory text string fac...

Then blocked... by sboot.bin Exynos Bootloader...

But again...

My Bootloader sboot.bin is unlocked... AND vbmeta.img is patched by Magisk...
Or you can do it manually... because only 1 Byte...

This is no Rocket Science to change text... from same size...


Also my GW4 SM-R870 and SM-R875F allows Bootloader downgrade...

So full Rollback is possible... including ALL files and partitions... with Odin + USB cable.

IMHO Phones especially modern Samsung Phones are better protected... so sboot.bin downgrade is maybe close to impossible... if full Knox crap activated...

Best Regards
I tried this. I was able to flash my boot.img and recovery, but I got stuck in download mode, then decided to do it for the whole file, and then I started getting "secure boot fail" for all files except boot and recovery. I did this on a combination file. Any way to fix the secure check?
 
  • Like
Reactions: adfree
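The "only 1 Byte" in the quoted post is the flags word of the libavb vbmeta header: AvbVBMetaImageHeader.flags is a 32-bit big-endian field at offset 120, and setting its two low bits (HASHTREE_DISABLED and VERIFICATION_DISABLED, the 0x03 Magisk writes) changes exactly one byte, at offset 123. The Python below is an added example, not code from this thread or from Magisk: it builds a minimal vbmeta header in memory (the sample header is constructed, not pulled from a device), reads the flags, applies the patch and shows which offsets changed. The check a practitioner wants alongside it: the flags live inside the signed header, so flipping them invalidates the vbmeta signature, and only a bootloader that has been unlocked (as in the post) will accept the result.

```python
"""Read and set the libavb vbmeta flags that disable dm-verity / AVB verification.

Added example for this thread (not Magisk's or the thread author's code).
The header layout is the public AvbVBMetaImageHeader from external/avb:
offset 0 magic 'AVB0', offset 120 uint32 big-endian flags, 256 bytes total.
"""
import struct

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256
FLAGS_OFFSET = 120                # AvbVBMetaImageHeader.flags, uint32 big-endian
FLAG_HASHTREE_DISABLED = 0x1      # AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED
FLAG_VERIFICATION_DISABLED = 0x2  # AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED
DISABLE_ALL = FLAG_HASHTREE_DISABLED | FLAG_VERIFICATION_DISABLED  # Magisk writes 0x03


def read_flags(img: bytes) -> int:
    """Return the flags word, refusing anything that is not an AVB header."""
    if len(img) < HEADER_SIZE or img[:4] != AVB_MAGIC:
        raise ValueError("not a libavb vbmeta image (missing 'AVB0' magic)")
    return struct.unpack_from(">I", img, FLAGS_OFFSET)[0]


def describe_flags(flags: int) -> list:
    """Human-readable names of the set flag bits."""
    names = []
    if flags & FLAG_HASHTREE_DISABLED:
        names.append("hashtree_disabled")
    if flags & FLAG_VERIFICATION_DISABLED:
        names.append("verification_disabled")
    return names


def patch_flags(img: bytes, flags: int = DISABLE_ALL) -> bytes:
    """Return a copy of img with the flags word replaced; nothing else is touched.

    Note: the header is covered by the vbmeta signature, so the result only
    boots on an unlocked bootloader; this does not re-sign anything.
    """
    read_flags(img)  # validates magic and size first
    out = bytearray(img)
    struct.pack_into(">I", out, FLAGS_OFFSET, flags)
    return bytes(out)


def changed_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_sample_vbmeta() -> bytes:
    """Constructed stand-in for a stock vbmeta.img header (not from any device)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = AVB_MAGIC
    struct.pack_into(">II", hdr, 4, 1, 0)     # required libavb version 1.0
    release = b"avbtool 1.2.0"
    hdr[128:128 + len(release)] = release      # release_string[48]
    return bytes(hdr)


if __name__ == "__main__":
    stock = make_sample_vbmeta()
    patched = patch_flags(stock)
    print("stock flags:  ", hex(read_flags(stock)), describe_flags(read_flags(stock)))
    print("patched flags:", hex(read_flags(patched)), describe_flags(read_flags(patched)))
    print("bytes changed at offsets:", changed_offsets(stock, patched))
```

Because only offset 123 changes (0x00 to 0x03 on a stock image), the same edit is commonly done with `printf '\x03' | dd of=vbmeta.img bs=1 seek=123 count=1 conv=notrunc`; the Python version adds the magic check so the byte is never written into something that is not a vbmeta image.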

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
@subevilx
Now we come closer to Rocket Science... because damn Crypto...

Other files also different secured... Minimum by Samsung signing stuff...

For instance I have no idea how to disable Security check in:
Code:
vbmeta_system.img

Similar to vbmeta.img... which holds Security info for boot.img and recovery.img

Then I could flash modified super.img... in theory...

Maybe somebody has an idea. As my Bootloader has no Fastboot support...
Only the FACtory sboot.bin has Fastboot...

Best Regards
 

Moshe fasten

Member
Feb 8, 2015
9
2
Someone may have already asked this question: but with this exploit, is there a way to enable call recording without changing to a different CSC? and if so how?
 
  • Like
Reactions: GodsendNYCc

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
Memo to me...

Will try this week, what happens if I copy su into:
Code:
/system/bin

Sorry, the test device is a GW4 SM-R875F already rooted with Magisk 25.2...
Bootloader sboot.bin is unlocked
vbmeta.img is patched by Magisk
boot.img is patched by Magisk

I have read AND write access...
Thanks to Magisk

Step 1.

Code:
freshul:/ $ su
freshul:/ # cd /system/bin
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk

For later to make the chmod Command correct...
For my tiny Windows Brain I need chmod calculator like this...


I have already copied the working su Binary.... ehm... from Magisk...

Step 2.

I have to prepare few things...

But IMHO test 1 is writing boot.img and vbmeta.img from Stock Firmware... via Odin.

To check if my SM-R875F detect the modified super.img...

Only as stupid test...

Best Regards

Edit 1.

First attempts... to make it easier for me, as su already exists as a symlink... renamed into su2

Code:
D:\Android\adb>adb push su2 /sdcard
su2: 1 file pushed, 0 skipped. 2.8 MB/s (154452 bytes in 0.052s)

D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # cd /sdcard
freshul:/sdcard # ls -a1l su
-rw------- 1 u0_a118 u0_a118 154452 2023-01-22 22:16 su
freshul:/sdcard # ls -a1l su2
-rw------- 1 u0_a118 u0_a118 154452 2023-01-22 22:17 su2
freshul:/sdcard # mount -vo remount,rw /
try '/dev/block/dm-0' type 'ext4' on '/'
freshul:/sdcard # cd /system/bin
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
freshul:/system/bin # ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin # cd /sdcard
freshul:/sdcard # cp su2 /system/bin
freshul:/sdcard # cd /system/bin
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
freshul:/system/bin # ls -a1l su2
-rw------- 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin # chmod 6775 su2
freshul:/system/bin # ls -a1l su2
-rwsrwsr-x 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin #

Okidoki... lazy me took chmod command from other Thread...

Need correct chmod for su2 to have same like su shows...

Edit 2.

Stupid mewinfanboy... It could be from the symlink... so maybe chmod 777 is enough... hopefully...

Code:
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
freshul:/system/bin # ls -a1l su2
-rw------- 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin # chmod 6775 su2
freshul:/system/bin # ls -a1l su2
-rwsrwsr-x 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin # chmod 777 su2
freshul:/system/bin # ls -a1l su2
-rwxrwxrwx 1 root root 154452 2023-01-25 06:58 su2

Now will Factory Reset and boot... and try su without Magisk APK...


Edit 3.

Maybe I shot myself in the knee by playing before with a few reboot commands...
like reb..t secure

Because this funny Icon with x.... and I was not able to Factory Reset from menu... but from Recovery...
Puh... need to check how I can remove this...

Code:
D:\Android\adb>adb shell
freshul:/ $ su2
/system/bin/sh: su2: inaccessible or not found
127|freshul:/ $ cd /system/bin
freshul:/system/bin $ ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin $ ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 07:16 su -> ./magisk
freshul:/system/bin $ su
Permission denied

Edit 4.

Interesting, the symlink already exists... so it is not the Magisk APK that generates this...

Edit 5.

Okidoki... also after fully activating Magisk with the APK my su2 is missing...
Code:
freshul:/ $ su
Permission denied
13|freshul:/ $ su
freshul:/ # cd /system/bin
freshul:/system/bin # ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 07:37 su -> ./magisk

So I need to undo my stupid things from before... to get rid of the secure blabla...

I hope Bootloader lock unlock do this for me...

Edit 6.

Need some sleep... Watch need charging battery...

At the moment I have flashed back Original vbmeta.img and boot.img.. did few times Bootloader lock unlock...
Now only Bootloader is unlocked... Original boot.img... and only patched:
Code:
vbmeta.img

Watch is starting... and accepts my "modified" super.img... it's not a dream because I have inserted APKs and deleted a few files...
Will try next days to understand what happens to su2...
 

Attachment: Screenshot_20230125_071940_sysui.png
  • Like
Reactions: Jacob1004
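The post above works out by hand which chmod reproduces an `ls -l` mode string and tries 6775 before settling on 777. The Python below is an added example, not the poster's code: a small "chmod calculator" that converts between `ls -l` mode strings and octal modes in both directions, handling the setuid/setgid/sticky letters (`s`, `S`, `t`, `T`) that the plain rwx reading misses, plus a note on why 6775 on a root-owned binary deserves a second look (it is setuid and setgid root, and group-writable). Every input here is a constructed string, modelled on the listings in the thread.

```python
"""Convert between ls -l mode strings and octal chmod modes, including the
setuid/setgid/sticky bits shown as 's', 'S', 't', 'T'.

Added example for this thread, not the poster's code: a chmod calculator
for output such as '-rwsrwsr-x' (6775) or 'lrwxrwxrwx' (777).
"""

# (shift of the rwx triad, special bit it carries, letter used for that bit)
TRIADS = ((6, 0o4000, "s"),   # owner triad carries setuid
          (3, 0o2000, "s"),   # group triad carries setgid
          (0, 0o1000, "t"))   # other triad carries sticky


def mode_string_to_octal(mode_str: str) -> int:
    """'-rwsrwsr-x' -> 0o6775.  Accepts 9 or 10 characters (with file-type column)."""
    perms = mode_str[1:] if len(mode_str) == 10 else mode_str
    if len(perms) != 9:
        raise ValueError(f"expected 9 or 10 characters, got {mode_str!r}")
    mode = 0
    for i, (shift, special, letter) in enumerate(TRIADS):
        r, w, x = perms[3 * i: 3 * i + 3]
        if r not in "r-" or w not in "w-" or x not in "-x" + letter + letter.upper():
            raise ValueError(f"bad triad {perms[3 * i: 3 * i + 3]!r} in {mode_str!r}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "x" + letter:               # lower-case s/t: execute bit is also set
            bits |= 1
        if x in letter + letter.upper():    # s/S or t/T: the special bit is set
            mode |= special
        mode |= bits << shift
    return mode


def octal_to_mode_string(mode: int, file_type: str = "-") -> str:
    """0o6775 -> '-rwsrwsr-x'; 0o4644 -> '-rwSr--r--' (setuid without execute)."""
    out = file_type
    for shift, special, letter in TRIADS:
        bits = (mode >> shift) & 7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            out += letter if bits & 1 else letter.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out


def risk_notes(mode: int) -> list:
    """What a practitioner should notice before applying a mode to a binary."""
    notes = []
    if mode & 0o4000:
        notes.append("setuid")
    if mode & 0o2000:
        notes.append("setgid")
    if mode & 0o002:
        notes.append("world-writable")
    if mode & 0o6000 and mode & 0o022:
        notes.append("setuid/setgid binary writable by non-owner")
    return notes


if __name__ == "__main__":
    for s in ("-rwsrwsr-x", "-rwxrwxrwx", "lrwxrwxrwx", "drwxrws--x", "-rw-------"):
        m = mode_string_to_octal(s)
        print(f"{s}  ->  {m:04o}  ->  {octal_to_mode_string(m, s[0])}  {risk_notes(m)}")
```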

javadahut

Member
Aug 26, 2015
39
17
Could someone confirm having similar issue?

Failure [INSTALL_FAILED_BLOCKED_CROSS_DOWN: INSTALL_FAILED_BLOCKED_CROSS_DOWN] ROLLBACK FAILED

I tried manually installing the SMT recommended version, but after adb uninstall, uninstalling updates and resetting, it doesn't work; when I try to manually install it throws an error, though after a few moments I get the voice data menu, and as far as I get is lang.poc, after that nothing else.
Confirmed, I have the same issue.

Android 13
Nov 2022 Security Patch
Default SMT system app v3.3.02.75
 

mohitgalaxy3

Senior Member
Apr 18, 2011
1,961
546
35
Kuala Lumpur
Samsung Galaxy S21 Ultra
So I'm trying to find how I can further improve the network issues, or find the difference between the global and Korean model. Found that it doesn't support secondary 4G/LTE, though not sure whether the info is correct or not.
 

Attachments: Screenshot_20230125_191710_Chrome.jpg, Screenshot_20230125_191820_Chrome.jpg

profi_fahrer

Senior Member
Jul 19, 2016
297
118
Wels
Sadly, I can't get it working. It basically stops after opening the two shells with the commands. The easy method is unable to access the needed DLLs, even with Windows Defender turned completely off.

Is the "K0mraids_POC.apk" supposed to show a blank screen on startup, or should it load something else?
 

Attachment: Screenshot_20230125_185721_langpoc.png

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
Somebody forked... whatever this means... and created exploit.sh...

Ehmmm... I am too blind to find this Shell Script.

Can somebody please help to find this?

Thanks in advance.

Best Regards

Edit 1.

Oh great... EXE AND Avira crashed on my old Notebook...

Edit 2.

The good news... for me.

SM-R860 tested also with "new" Firmware GWA3 successfully.

"""Security crap""" from January 2023...

So in theory also working for GW5... but here nobody confirmed yet...
 

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
Please help... need few ideas about folders... from where I can execute Binaries...

Here again a stupid test with su renamed as su2... I can chmod 777 in the /cache folder but not execute...

In /cache I can also mkdir... from system...

adb push su2 to /sdcard I did from another adb window... as normal user...

This output is only from the system shell...

Code:
S/system/bin/sh: can't find tty fd: No such device or address
/system/bin/sh: warning: won't have full job control
:/ $ ls
ls: .: Permission denied
1|:/ $ cd /data/local/tmp
/system/bin/sh: <stdin>[2]: cd: /data/local/tmp: Permission denied
2|:/ $ cd /data/local/
:/data/local $ ls
ls: .: Permission denied
1|:/data/local $ mkdir test1
mkdir: 'test1': Permission denied
1|:/data/local $ cd ..
:/data $ mkdir test1
mkdir: 'test1': Permission denied
1|:/data $ whoami
system
:/data $ cd ..
:/ $ ls
ls: .: Permission denied
1|:/ $ fd -h
/system/bin/sh: <stdin>[11]: fd: inaccessible or not found
127|:/ $ df -h
Filesystem                                          Size  Used Avail Use% Mounted on
/dev/block/dm-0                                     3.4G  3.3G   99M  98% /
tmpfs                                               646M  1.2M  645M   1% /dev
tmpfs                                               646M     0  646M   0% /mnt
/dev/block/dm-1                                      84M   81M  1.3M  99% /vendor
/dev/block/dm-2                                     169M  169M     0 100% /product
/dev/block/dm-3                                     3.9M  984K  2.9M  25% /odm
/dev/block/platform/10500000.dwmmc0/by-name/prism   581M  179M  390M  32% /prism
/dev/block/platform/10500000.dwmmc0/by-name/optics   39M  500K   37M   2% /optics
tmpfs                                               646M     0  646M   0% /apex
/dev/block/by-name/omr                               16M   24K   15M   1% /omr
/dev/block/platform/10500000.dwmmc0/by-name/cache   193M  6.0M  183M   4% /cache
/dev/block/platform/10500000.dwmmc0/by-name/sec_efs 3.8M  1.3M  2.3M  37% /efs
/dev/fuse                                           8.3G  701M  7.5G   9% /storage/emulated
:/ $ cd /sdcard
:/sdcard $ ls
Alarms
Android
Audiobooks
DCIM
Documents
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
:/sdcard $ ls -a1l
total 36
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Alarms
drwxrws--x 5 media_rw media_rw 3452 2023-01-25 08:04 Android
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Audiobooks
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 DCIM
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Documents
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Download
drwx------ 3 u0_a117  u0_a117  3452 2023-01-25 08:04 Movies
drwxrwxr-x 4 media_rw media_rw 3452 2023-01-25 08:04 Music
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Notifications
drwx------ 3 u0_a117  u0_a117  3452 2023-01-25 08:04 Pictures
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Podcasts
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Ringtones
:/sdcard $ ls -a1l
total 188
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Alarms
drwxrws--x 5 media_rw media_rw   3452 2023-01-25 08:04 Android
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Audiobooks
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 DCIM
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Documents
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Download
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Movies
drwxrwxr-x 4 media_rw media_rw   3452 2023-01-25 08:04 Music
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Notifications
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Pictures
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Podcasts
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Ringtones
-rw------- 1 u0_a117  u0_a117  154452 2023-01-22 22:17 su2
:/sdcard $ chmod 777 su2
:/sdcard $ ls -a1l
total 188
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Alarms
drwxrws--x 5 media_rw media_rw   3452 2023-01-25 08:04 Android
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Audiobooks
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 DCIM
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Documents
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Download
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Movies
drwxrwxr-x 4 media_rw media_rw   3452 2023-01-25 08:04 Music
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Notifications
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Pictures
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Podcasts
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Ringtones
-rw------- 1 u0_a117  u0_a117  154452 2023-01-22 22:17 su2
:/sdcard $ ./su2
/system/bin/sh: <stdin>[18]: ./su2: can't execute: Permission denied
126|:/sdcard $ ./su2
/system/bin/sh: <stdin>[18]: ./su2: can't execute: Permission denied
126|:/sdcard $ cd /cache
:/cache $ ls -a1l
total 48
drwxrwx---  7 system cache   4096 2023-01-25 08:02 .
drwxr-xr-x 27 root   root    4096 2008-12-31 15:00 ..
d?????????  ? ?      ?          ?                ? backup
drwx------  2 system system  4096 2023-01-25 08:02 backup_stage
drwxrwx---  2 system system  4096 2023-01-25 08:02 fota
drwxrwx---  2 root   root   16384 2023-01-25 08:02 lost+found
drwxrwx---  2 system cache   4096 2023-01-26 01:52 recovery
:/cache $ mkdir test1
:/cache $ ls -a1l
total 52
drwxrwx---  8 system cache   4096 2023-01-26 02:10 .
drwxr-xr-x 27 root   root    4096 2008-12-31 15:00 ..
d?????????  ? ?      ?          ?                ? backup
drwx------  2 system system  4096 2023-01-25 08:02 backup_stage
drwxrwx---  2 system system  4096 2023-01-25 08:02 fota
drwxrwx---  2 root   root   16384 2023-01-25 08:02 lost+found
drwxrwx---  2 system cache   4096 2023-01-26 01:52 recovery
drwx------  2 system system  4096 2023-01-26 02:10 test1
:/cache $ cd /sdcard
:/sdcard $ cp su2 /cache
:/sdcard $ cd /cache
:/cache $ ls -a1l su2
-rw------- 1 system system 154452 2023-01-26 02:11 su2
:/cache $ chmod 777 su2
:/cache $ ls -a1l su2
-rwxrwxrwx 1 system system 154452 2023-01-26 02:11 su2
:/cache $ ./su2
/system/bin/sh: <stdin>[29]: ./su2: can't execute: Permission denied
126|:/cache $ su2
/system/bin/sh: <stdin>[30]: su2: inaccessible or not found
127|:/cache $ /cache/su2
/system/bin/sh: <stdin>[31]: /cache/su2: can't execute: Permission denied


Maybe other useful binaries are possible to run... or some *.sh shell scripts...

Thanks for every idea...

If we can not access /system/bin... then maybe we can copy and paste to another path and run...

Who knows....:alien:

Best Regards

Edit 1.

Google search...

Code:
/data/bin

Hmmm... seems not to exist on my device... I can not mkdir bin in /data

Edit 2.

From ADB Window...
Code:
freshul:/sdcard $ ls
Alarms  Android  Audiobooks  DCIM  Documents  Download  Movies  Music  Notifications  Pictures  Podcasts  Ringtones  su2
freshul:/sdcard $ cp su2 /data/local/tmp
freshul:/sdcard $ cd /data/local/tmp
freshul:/data/local/tmp $ ls -a1l
total 15758
drwxrwx--x 2 shell shell     3452 2023-01-26 02:37 .
drwxr-x--x 4 root  root      3452 2023-01-25 08:02 ..
-rw-rw-rw- 1 shell shell 15955101 2023-01-18 17:08 samsungTTSVULN2.apk
-rw------- 1 shell shell   154452 2023-01-26 02:37 su2
freshul:/data/local/tmp $ chmod 777 su2
freshul:/data/local/tmp $ ls -a1l
total 15758
drwxrwx--x 2 shell shell     3452 2023-01-26 02:37 .
drwxr-x--x 4 root  root      3452 2023-01-25 08:02 ..
-rw-rw-rw- 1 shell shell 15955101 2023-01-18 17:08 samsungTTSVULN2.apk
-rwxrwxrwx 1 shell shell   154452 2023-01-26 02:37 su2

Edit 3.

Hmmmmmmmmmm... from ADB Window...
Code:
freshul:/data/local/tmp $ /data/local/tmp/su2
su2: applet not found
1|freshul:/data/local/tmp $ /data/local/tmp/su2 -version
su2: applet not found
1|freshul:/data/local/tmp $ /data/local/tmp/su2 -h
su2: applet not found
1|freshul:/data/local/tmp $ /data/local/tmp/su2 --help
su2: applet not found

This su is taken from Magisk 25.2 ... will check some easier Binary...

Edit 4.

After finding this...

Tried via system shell...
Code:
:/data/user/0 $ ls
android
com.acr.shellterminalemulator
com.android.backupconfirm
com.android.bluetooth
com.android.captiveportallogin
com.android.carrierconfig
com.android.cellbroadcastreceiver
com.android.certinstaller
com.android.companiondevicemanager
com.android.cts.ctsshim
com.android.cts.priv.ctsshim
com.android.dynsystem
com.android.hotspot2.osulogin
com.android.inputdevices
com.android.keychain
com.android.localtransport
com.android.location.fused
com.android.managedprovisioning
com.android.mms.service
com.android.modulemetadata
com.android.mtp
com.android.networkstack.inprocess
com.android.networkstack.permissionconfig
com.android.networkstack.tethering.inprocess
com.android.nfc
com.android.phone
com.android.providers.blockednumber
com.android.providers.calendar
com.android.providers.downloads
com.android.providers.media
com.android.providers.media.module
com.android.providers.settings
com.android.providers.telephony
com.android.providers.userdictionary
com.android.se
com.android.server.telecom
com.android.shell
com.android.soundpicker
com.android.statementservice
com.android.vending
com.android.wallpaperbackup
com.android.wearable.resources
com.android.wifi.resources
com.corproxy.files
com.google.android.apps.maps
com.google.android.apps.messaging
com.google.android.apps.wearable.retailattractloop
com.google.android.apps.wearable.settings
com.google.android.apps.wearable.systemui
com.google.android.apps.work.clouddpc
com.google.android.clockwork.oemsetup
com.google.android.ext.services
com.google.android.ext.shared
com.google.android.gms
com.google.android.gsf
com.google.android.marvin.talkback
com.google.android.networkstack.tethering.overlay
com.google.android.overlay.modules.cellbroadcastreceiver
com.google.android.packageinstaller
com.google.android.partnersetup
com.google.android.permissioncontroller
com.google.android.tts
com.google.android.wearable.ambient
com.google.android.wearable.app
com.google.android.wearable.app.overlay.refsysui.default
com.google.android.wearable.assistant
com.google.android.wearable.batteryservices
com.google.android.wearable.frameworkpackagestubs
com.google.android.wearable.healthservices
com.google.android.wearable.overlay.home.merlot
com.monotype.android.font.chococooky
com.monotype.android.font.cooljazz
com.monotype.android.font.foundation
com.monotype.android.font.rosemary
com.monotype.android.font.samsungone
com.samsung.SMT
com.samsung.SMT.lang.poc
com.samsung.aasaservice
com.samsung.accessibility
com.samsung.advancedcallservice
com.samsung.advp.imssettings
com.samsung.android.aircommandmanager
com.samsung.android.app.contacts
com.samsung.android.app.esimkeystring
com.samsung.android.app.reminder
com.samsung.android.app.routines
com.samsung.android.app.telephonyui
com.samsung.android.apps.wearable.recent
com.samsung.android.batterysavingsettings
com.samsung.android.bixby.agent
com.samsung.android.bixby.wakeup
com.samsung.android.calendar
com.samsung.android.cidmanager
com.samsung.android.clientconnection
com.samsung.android.dialer
com.samsung.android.dqagent
com.samsung.android.gallery.watch
com.samsung.android.honeyboard
com.samsung.android.incallui
com.samsung.android.location.locproxy
com.samsung.android.mcfds
com.samsung.android.mdecservice
com.samsung.android.mediacontroller
com.samsung.android.messaging
com.samsung.android.networkstack
com.samsung.android.providers.contacts
com.samsung.android.providers.factory
com.samsung.android.samsungnetworklocation
com.samsung.android.samsungpay.gear
com.samsung.android.scloud
com.samsung.android.sdk.handwriting.watch
com.samsung.android.service.health
com.samsung.android.shealthmonitor
com.samsung.android.smartgesture
com.samsung.android.stextclassifier
com.samsung.android.storage.watchstoragemanager
com.samsung.android.video.wearable
com.samsung.android.watch.alarm
com.samsung.android.watch.cameracontroller
com.samsung.android.watch.compass
com.samsung.android.watch.findmyphone
com.samsung.android.watch.findmywatch
com.samsung.android.watch.flashlight
com.samsung.android.watch.runestone.app
com.samsung.android.watch.safety_assistance
com.samsung.android.watch.screencapture
com.samsung.android.watch.stf
com.samsung.android.watch.stopwatch
com.samsung.android.watch.timer
com.samsung.android.watch.watchface.analogmodular
com.samsung.android.watch.watchface.analoguefont
com.samsung.android.watch.watchface.animal
com.samsung.android.watch.watchface.aremoji
com.samsung.android.watch.watchface.basicclock
com.samsung.android.watch.watchface.basicdashboard
com.samsung.android.watch.watchface.bespoke
com.samsung.android.watch.watchface.bitmoji
com.samsung.android.watch.watchface.companionhelper
com.samsung.android.watch.watchface.digitalfont
com.samsung.android.watch.watchface.digitalmodular
com.samsung.android.watch.watchface.dualwatch
com.samsung.android.watch.watchface.emergency
com.samsung.android.watch.watchface.endangeredanimal
com.samsung.android.watch.watchface.healthmodular
com.samsung.android.watch.watchface.large
com.samsung.android.watch.watchface.livewallpaper
com.samsung.android.watch.watchface.myphoto
com.samsung.android.watch.watchface.mystyle
com.samsung.android.watch.watchface.premiumanalog
com.samsung.android.watch.watchface.simpleanalogue
com.samsung.android.watch.watchface.simpleclassic
com.samsung.android.watch.watchface.simplecomplication
com.samsung.android.watch.watchface.superfiction
com.samsung.android.watch.watchface.tickingsound
com.samsung.android.watch.watchface.together
com.samsung.android.watch.watchface.typography
com.samsung.android.watch.watchface.weather
com.samsung.android.watch.weather
com.samsung.android.watch.worldclock
com.samsung.android.wcs.extension
com.samsung.android.wear.blockednumber
com.samsung.android.wear.calculator
com.samsung.android.wear.musictransfer
com.samsung.android.wear.shealth
com.samsung.android.wear.voicerecorder
com.samsung.android.wearable.music
com.samsung.android.wearable.samsungaccount
com.samsung.android.wearable.setupwizard
com.samsung.android.wearable.sysui
com.samsung.euicc
com.samsung.euicc.wmservice
com.samsung.packageinstalleroverlay
com.samsung.sec.android.application.csc
com.samsung.sree.classic
com.samsung.sree.countdown
com.samsung.sree.digital
com.samsung.sree.spin
com.samsung.wear.contacts.sync
com.sds.emm.cloud.knox.samsung
com.sec.android.RilServiceModeApp
com.sec.android.app.bluetoothtest
com.sec.android.app.factorykeystring
com.sec.android.app.factorymode
com.sec.android.app.hwmoduletest
com.sec.android.app.parser
com.sec.android.app.personalization
com.sec.android.app.servicemodeapp
com.sec.android.app.wlantest
com.sec.android.diagmonagent
com.sec.android.easyMover
com.sec.android.sdhms
com.sec.android.soagent
com.sec.app.RilErrorNotifier
com.sec.automation
com.sec.bcservice
com.sec.factory
com.sec.hiddenmenu
com.sec.imsservice
com.sec.location.nfwlocationprivacy
com.sec.modem.settings
com.sec.phone
com.sec.usbsettings
com.sem.factoryapp
com.skms.android.agent
com.wssyncmldm
de.szalkowski.activitylauncher
:/data/user/0 $

:/data/user/0 $ cd /sdcard
:/sdcard $ cp su2 /data/user/0
cp: /data/user/0/su2: Permission denied
 

subevilx

Member
Dec 30, 2022
34
8
@subevilx
Now we come closer to Rocket Science... because damn Crypto...

Other files also different secured... Minimum by Samsung signing stuff...

For instance I have no idea how to disable Security check in:
Code:
vbmeta_system.img

Similar to vbmeta.img... which holds Security info for boot.img and recovery.img

Then I could flash modified super.img... in theory...

Maybe somebody has an idea. As my Bootloader has no Fastboot support...
Only the FACtory sboot.bin has Fastboot...

Best Regards

I can't go beyond this if I change even one bit in a file; I'm stuck on file analysis. Any help?
 

mauricio1352

New member
Jan 8, 2015
2
0
Is there any way to contact you? I have an A71 with KG LOCKED; it would be interesting to test some commands on it, to see if I can get KG COMPLETED, just like yours 🙂
 

Tofor

Senior Member
May 18, 2017
52
10
Samsung Galaxy Tab A8
Sorry to bust in here and ask something somewhat off subject, but I was curious how you got the commands for opening the hidden menus. What do all the numbers at the end stand for? I'm asking because there has always been something that has come up in my list of secret codes for Samsung. Near the end of the list there are some secret codes that are in all-caps letters. One such code that is on all my unlockable devices is *#UNLOCKKERNEL#. It's part of the IOT hidden menu, but I can't find any such option inside the hidden menu itself. Curious if it could be executed the same way as you did for the other parts of the IOT Hidden Menu. To me, unlock kernel will either unlock the bootloader or make the kernel debuggable; either would be awesome. Thanks for any light you can shed on this secret code.
Note: this secret code did not appear on my device until I used the system shell to enable the hidden menus.
 

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
Code:
D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # mount -vo remount,rw /
try '/dev/block/dm-0' type 'ext4' on '/'
freshul:/ # cd /sdcard
freshul:/sdcard # ls -a1l su2
-rw------- 1 u0_a117 u0_a117 154452 2023-01-22 22:17 su2
freshul:/sdcard # cp su2 /system/bin
freshul:/sdcard # cd /system/bin
freshul:/system/bin # ls -a1l su2
-rw------- 1 root root 154452 2023-01-27 04:21 su2
freshul:/system/bin # chmod 777 su2
freshul:/system/bin # ls -a1l su2
-rwxrwxrwx 1 root root 154452 2023-01-27 04:21 su2
freshul:/system/bin # reboot



D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # cd /system/bin
freshul:/system/bin # ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin # exit
1|freshul:/ $ exit

D:\Android\adb>adb pull /sdcard .\dump
/sdcard/: 147 files pulled, 0 skipped. 2.6 MB/s (117491085 bytes in 42.623s)

D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # cd /sdcard
freshul:/sdcard # cp su2 /cache
freshul:/sdcard # cd /cache
freshul:/cache # ls -a1l su2
-rw------- 1 root root 154452 2023-01-27 04:48 su2
freshul:/cache # chmod 777 su2
freshul:/cache # ls -a1l su2
-rwxrwxrwx 1 root root 154452 2023-01-27 04:48 su2
freshul:/cache # /cache/su2 --help
su2: applet not found


Tried short again today...
On my Magisk rooted SM-R875F...

this time only rebooted after copied su2 into /system/bin

su2 is gone...

I am now trying to check what is in Log files... To find the "self cleaning"...

Also briefly tried the same su2 from the /cache folder with the same result I know...

Plan for next days... flash normal unmodified Original Stock Firmware... and check other Binaries in /cache folder with system user...

Best Regards
 
  • Like
Reactions: mohitgalaxy3
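A file copied into /system/bin that is gone after a reboot, while the same file in /cache stays but cannot be executed, is a question of which mount actually backs each path. A likely explanation for the /system/bin case, which the post itself does not establish, is Magisk's magic mount: to place `su` and `magisk` into /system/bin it mounts a tmpfs over that directory, so a `cp` there lands in RAM and vanishes at reboot, however the mode is set. The Python below is an added example, not the poster's code: it parses /proc/mounts text, finds the longest-prefix mountpoint for a path and reports whether a write there persists and whether the mount allows execution. SAMPLE_MOUNTS is constructed (modelled on the `df -h` output in the thread, with an assumed tmpfs on /system/bin and a fuse mount for emulated storage); it is not captured from a device. A mount that permits exec is only half the answer: SELinux can still deny the system user executing from /cache, which the mount table cannot show.

```python
"""Which mount backs a path, and will a write there survive a reboot / be executable?

Added example for this thread (not the poster's code).  It parses /proc/mounts
text, picks the longest-prefix mountpoint for a path and reports the filesystem,
so one can see before copying a binary whether the target is a persistent block
device or a tmpfs that disappears at reboot.  SAMPLE_MOUNTS is constructed
(modelled on the df output in the thread plus an assumed tmpfs on /system/bin);
it is not captured from a device.
"""
import os
import re

VOLATILE_FS = {"tmpfs", "ramfs", "overlay"}  # writes here do not survive a reboot

SAMPLE_MOUNTS = """\
/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
/dev/block/dm-1 /vendor ext4 ro,seclabel,relatime 0 0
/dev/block/platform/10500000.dwmmc0/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=0,group_id=0 0 0
tmpfs /system/bin tmpfs rw,seclabel,relatime,mode=755 0 0
/dev/block/by-name/omr /mnt/odd\\040name ext4 rw,seclabel 0 0
"""


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> list:
    """-> [(device, mountpoint, fstype, [options...]), ...] in mount order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append((parts[0], _unescape(parts[1]), parts[2], parts[3].split(",")))
    return entries


def backing_mount(path: str, mounts_text: str):
    """Longest mountpoint that is a prefix of path; on equal length the later
    (stacked on top) mount wins.  Does not resolve symlinks such as /sdcard."""
    path = os.path.normpath(path)
    best = None
    for entry in parse_mounts(mounts_text):
        mnt = entry[1]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) >= len(best[1]):
                best = entry
    return best


def write_persists(path: str, mounts_text: str) -> bool:
    """True only if the backing filesystem is writable and not volatile."""
    dev, mnt, fstype, opts = backing_mount(path, mounts_text)
    return fstype not in VOLATILE_FS and "ro" not in opts


def exec_allowed_by_mount(path: str, mounts_text: str) -> bool:
    """Mount-level check only: SELinux can still deny exec (the /cache case)."""
    opts = backing_mount(path, mounts_text)[3]
    return "noexec" not in opts


if __name__ == "__main__":
    for p in ("/system/bin/su2", "/cache/su2", "/storage/emulated/0/su2"):
        dev, mnt, fstype, opts = backing_mount(p, SAMPLE_MOUNTS)
        print(f"{p}: on {mnt} ({fstype}, {dev}) "
              f"persists={write_persists(p, SAMPLE_MOUNTS)} "
              f"exec_by_mount={exec_allowed_by_mount(p, SAMPLE_MOUNTS)}")
```

On a device the same functions run against `open("/proc/mounts").read()`; a tmpfs result for /system/bin says that a file placed there must be provided by whatever mounts that tmpfs (for example as a Magisk module) rather than copied in, and a fuse mount with noexec explains the "can't execute" from /sdcard before any SELinux denial is even considered.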

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22

What is with lpflash...
Code:
lpflash writes a non-sparse image from lpmake to a block device. It is intended to be run on the device itself.

Usage: lpflash /dev/block/sdX /path/to/image/file

Maybe this could be useful... to prepare a modified super.img...

Maybe this bypasses the Combination Firmware "problem"...

I need only to bring super.img to my SM-R875F...

boot.img and recovery.img I can flash via Odin...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,320
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
A friendly user from the Telegram group inspired me to check the GSI stuff a little bit...

No idea why... but this tool does not require system or root to show that it exists...

On my Android 11 SM-R875F

Code:
freshul:/ $ gsi_tool --help
Unrecognized command: --help
gsi_tool - command-line tool for installing GSI images.

Usage:
  gsi_tool <disable|install|wipe|status> [options]

  disable      Disable the currently installed GSI.
  enable       [-s, --single-boot]
               [-d, --dsuslot slotname]
               Enable a previously disabled GSI.
  install      Install a new GSI. Specify the image size with
               --gsi-size and the desired userdata size with
               --userdata-size (the latter defaults to 8GiB)
               --wipe (remove old gsi userdata first)
  wipe         Completely remove a GSI and its associated data
  wipe-data    Ensure the GSI's userdata will be formatted
  cancel       Cancel the installation
  status       Show status
64|freshul:/ $ gsi_tool status
normal

After installing the Treble Check APK from the Play Store...
I had to sideload the APK with ADB...

I see a few interesting things... see screenshots...

After some Google Power I saw this:


Code:
adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 8589934592

This looks not impossible to try...

My idea is to use system.img from Combination firmware... super.img...


So I have to prepare few steps before I can try... extracting with imjtool under Ubuntu...

Best Regards
 

Attachments: Screenshot_20230127_132108_treble.png, Screenshot_20230127_132117_treble.png, Screenshot_20230127_132134_treble.png, Screenshot_20230127_132141_treble.png, Screenshot_20230127_132201_treble.png, Screenshot_20230127_132209_treble.png, Screenshot_20230127_132222_treble.png, Screenshot_20230127_132231_treble.png

algarues

Senior Member
Feb 14, 2011
295
30
Samsung Galaxy S10
If, after a successful exploit, an app is launched from the command line, will it have superuser privileges?

For instance, would app manager or similar be enabled to stop services, broadcasts etc?
 

Top Liked Posts

  • 6
    ***MODERATOR ANNOUNCEMENT: THREAD CLOSED***

    @K0mraid3 you are hereby required to provide proper credit in your OP as follows:
    • Link the assigned CVE for this exploit as it mentions the author's blog and GitHub, OR
    • Link the original research repo as provided by @flanker017
    Further, while you may provide a means for donation, this project must remain free without condition of payment.

    Lastly, as you've been previously warned, you may not promote your Telegram channel on XDA. You may have ONE link to your TG channel in the OP.

    You must meet these conditions to continue to use XDA to share this project.

    As you have ignored my PM and previous warning, this thread is now CLOSED to further discussion. All download links relating to this project have been removed.

    This thread will remain closed until such time that @K0mraid3 is willing to comply with the above conditions.
    6
    Last warning: If you can't keep your bickering to PM and can't treat each other with respect, this thread will be locked. We don't want to do that, as with keeping in the "hacker" spirit of XDA, threads like this are the bread and butter of what we do.
    • ... and Please! keep all your personal bickering via PMs, do not pollute the forum with your personal indifferences.
      If you have a problem with a specific member please contact the Moderators for help, that's what we're here for, but we are not babysitters, we are here to gather, organize and provide useful information for our over priced phones
    That's why we've been removing posts.
    I've been quietly watching this for a while and I agree. I also find it unsettling that admins have removed the post discussing this issue.
    It's not that the questions shouldn't be asked, it's that they shouldn't be asked here. I'm going to start a PM thread involving a few of you so that we can get this straightened out.

    Now, more to the point: If you've used anyone else's source as a basis for your work, you MUST give them credit:
    12.1. Give credits where due - Credits and acknowledgements for using and releasing work which is based on someone else's work are an absolute must. Works reported to have no credits will be taken down until proper acknowledgements are added by the member in question;
    While this might not be considered development under our criteria, Rule 13 still applies as well:
    12.3. Re-releasing other's works as your own is forbidden. The code that you release into the wild must have something beyond minor aesthetic changes that makes it better than the last. As this can be subjective, kang reports will be reviewed on a case by case basis. If you feel that your code has been kanged, please contact the Developer Relations Team (DRT) if you cannot solve the issue amicably via PM. Please understand that you will be asked to provide evidence to substantiate your claim;

    So. Knock it off with the squabbling. Keep this thread on topic. If you have issues with sources or credits or whatever, bring it up to us. If your comment doesn't have directly to do with facilitating this exploit or reporting your progress in your own efforts, keep it out of this thread.
    6
    Hi:

    I'm the original author of the SMT research (https://github.com/flankerhqd/vendor-android-cves/tree/master/SMT-CVE-2019-16253) and I have been notified about this thread. My original purpose in sharing my research is to help the community to better utilize and protect their devices, to help the vendors to improve device security, and to help other researchers with technical insights. I'm always glad to see this research given a new life and helping someone else, and further development is welcome - but it should be legal, non-profit, with proper attribution, and in good faith. Sorry to hear that the original research has not been properly given credit.

    To prove it's indeed me - the same announcement as above can be found in the GitHub repo's README file.

    Thanks!
    4
    Moderator Announcement

    This is NOT a development thread and therefore I've sanitised it from all links to Telegram! Regarding social media links please observe that as an exemption from the last bullet of rule no. 5 of the XDA Forum Rules, we grant only developers the privilege to share references to their social media in their own development threads and if thorough support is provided in the thread. Additional information is also available here:
    Please refrain from sharing social media references unless within your own development threads! @wr3cckl3ss1 I've deleted a few of your posts and I'd appreciate it if you comply with my guidance in future. Thanks to everybody for your future cooperation.

    Regards
    Oswald Boelcke
    Senior Moderator

    CC: @V0latyle
    3
    @flanker017

    Can you please add your Github repo... you mentioned?

    So it is easier for me to look at your work... instead of Google or other search.

    Thanx in advance.

    Best Regards

    Edit 1.

    If I use this Link:

    And look for Github... then I can find this:
    Yes, that's correct. I've updated the original post.
    6
    ***Moderator Announcement***

    Flaming and disrespect will absolutely not be tolerated. Repeated violations may result in account bans. Compliance with all XDA Forum Rules and Policies is MANDATORY for all members. While you're free to discuss the technical details and merits of this exploit, as well as the wisdom in deferring updates, you WILL treat each other with respect and dignity, and those who fail to do so will no longer be permitted to participate on XDA.

    In addition, keep your posts ON TOPIC.

    If you feel someone's posts violate the Forum Rules, use the Report button and let the moderator staff handle it before it becomes an issue.

    Don't make us get involved again.