***LOCKED UNTIL FURTHER NOTICE*** System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.

Status
Not open for further replies.

V0latyle

Forum Moderator
Staff member
It looks like this exploit caught the attention of the Magisk developer:
(attached screenshot: 1674846369237.png)
 

adfree

Senior Member
Jun 14, 2008
10,387
6,055
Samsung Galaxy Watch 4
Samsung Galaxy S22
A few GSI-related tests... on my SM-R875F, original stock firmware (unmodified/not rooted)

Connected over WiFi with ADB on PC...

Code:
freshul:/ $ whoami
shell
freshul:/ $ gsi_tool enable
Could not find GSI install to re-enable


Reason for stupid tests...

A

In Source Code I see something like this:
Code:
must be root to install a GSI

B
Short lazy me tried on my SM-A202F with the Termux Shell app... from the phone itself...

And gsi_tool is only possible from root... otherwise it does not start...

So I need to check a few things before I try to install something... GSI related...

Edit 1.

I have only 1 working Shell APK for GW4...

No idea if the restrictions are from the APK... not enough permissions... or from the user:
u0_a111

So I have tested 2 users so far

Code:
shell
u0_a111

Later I will test the System exploit... then later, laaaater, Root...

Btw.

How to find out how many user types exist?

Edit 2.

System Shell Exploit...

Code:
S/system/bin/sh: can't find tty fd: No such device or address
/system/bin/sh: warning: won't have full job control
:/ $ whoami
system
:/ $ gsi_tool enable
Could not find GSI install to re-enable
70|:/ $

Edit 3.
Some Google searching about the users list...

Will try later...

btw... maybe we could add a user with "more" power than system...
 

Attachments

  • Screenshot_20230128_000458_shellterminalemulator.png
  • Screenshot_20230128_000658_shellterminalemulator.png

adfree

Senior Member
Code:
~/imj$ ./imjtool super.img extract
Sparse image v1.0 detected, 1310720 blocks of 4096 bytes
1310720 blocks of 4096 bytes compressed into 39 chunks (71% compressed)
0 - Extracted image is in extracted/image.img
~/imj$ ./imjtool image.img extract
liblp dynamic partition (super.img) - Blocksize 0x1000, 2 slots
LP MD Header @0x3000, version 10.0, with 4 logical partitions on block device of 2560 GB, at partition super, first sector: 0x800
    Partitions @0x3080 in 2 groups:
        Group 0: default
        Group 1: group_basic
            Name: system (read-only, Linux Ext2/3/4/? Filesystem Image, @0x100000 spanning 1 extents and 1 GB) - extracted
            Name: vendor (read-only, Linux Ext2/3/4/? Filesystem Image, @0x55800000 spanning 1 extents and 88 MB) - extracted
            Name: product (read-only, Linux Ext2/3/4/? Filesystem Image, @0x5b100000 spanning 1 extents and 77 MB) - extracted
            Name: odm (read-only, Linux Ext2/3/4/? Filesystem Image, @0x5ff00000 spanning 1 extents and 4 MB) - extracted
~/imj$ cd extracted
~/imj/extracted$ gzip -c system_raw.img > system_raw.gz

Tiny progress, GSI attempt related...

So I have the system.img pulled from super.img of:
Code:
COMBINATION_FAC_FBR0_R875FSQU1AVI4_FACFAC_CL25207558_QB57036605_REV00_user_mid_noship_MULTI_CERT.tar

gzipped as mentioned in this Link:

Now I will push the *.gz file to my SM-R875F...
Code:
adb push system_raw.gz /storage/emulated/0/Download/

700 MB over WiFi...

Hmm. adb push ... /sdcard should be the same...

Edit 1.

Result of attempt 1 with system shell... in "normal way"...

Code:
D:\Android\adb>adb shell
freshul:/ $ cd /sdcard
freshul:/sdcard $ ls -a1l
total 40
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Alarms
drwxrws--x 5 media_rw media_rw 3452 2023-01-27 06:08 Android
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Audiobooks
drwx------ 3 u0_a113  u0_a113  3452 2023-01-27 13:21 DCIM
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Documents
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Download
drwx------ 3 u0_a113  u0_a113  3452 2023-01-27 06:09 Movies
drwxrwxr-x 4 media_rw media_rw 3452 2023-01-27 06:09 Music
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Notifications
drwx------ 3 u0_a113  u0_a113  3452 2023-01-27 06:09 Pictures
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Podcasts
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Ringtones
-rw------- 1 u0_a113  u0_a113     3 2023-01-27 08:46 mps_code.dat
freshul:/sdcard $ rm -mps_code.dat
rm: Unknown option 'mps_code.dat' (see "rm --help")
1|freshul:/sdcard $ rm mps_code.dat
freshul:/sdcard $ cd Download
freshul:/sdcard/Download $ ls -a1l
total 0
freshul:/sdcard/Download $ df -h
Filesystem            Size  Used Avail Use% Mounted on
tmpfs                 646M  1.2M  645M   1% /dev
tmpfs                 646M     0  646M   0% /mnt
/dev/block/dm-4       3.4G  3.4G  1.0M 100% /
/dev/block/dm-5        84M   81M  1.3M  99% /vendor
/dev/block/dm-6       169M  169M     0 100% /product
/dev/block/dm-7       3.9M  984K  2.9M  25% /odm
/dev/block/dm-8       581M  179M  390M  32% /prism
/dev/block/dm-9        39M  500K   37M   2% /optics
tmpfs                 646M     0  646M   0% /apex
/dev/block/mmcblk0p34  16M   24K   15M   1% /omr
/dev/block/mmcblk0p33 193M  4.5M  184M   3% /cache
/dev/block/mmcblk0p2  3.8M  1.3M  2.3M  37% /efs
/dev/block/dm-10      8.3G  763M  7.5G  10% /data
/dev/fuse             8.3G  763M  7.5G  10% /storage/emulated
freshul:/sdcard/Download $ exit

D:\Android\adb>adb push system_raw.gz /storage/emulated/0/Download/
system_raw.gz: 1 file pushed, 0 skipped. 1.8 MB/s (716177691 bytes in 375.507s)

D:\Android\adb>
D:\Android\adb>adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 2000000000
Exception occurred while executing 'start-activity':
java.lang.IllegalArgumentException: No intent supplied
        at android.content.Intent.parseCommandArgs(Intent.java:7849)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)

No idea if a reduced user size is a good idea... but I have only 7 GB...

Now I will check the same command on the system shell...

Edit 2.

System Shell Exploit spits out a little bit more...

Code:
S/system/bin/sh: can't find tty fd: No such device or address
/system/bin/sh: warning: won't have full job control
:/ $ am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 2000000000> > > > >
du: Unknown option 'b' (see "du --help")

Exception occurred while executing 'start-activity':
java.lang.NumberFormatException: For input string: "--el"
        at java.lang.Long.parseLong(Long.java:594)
        at java.lang.Long.valueOf(Long.java:808)
        at android.content.Intent.parseCommandArgs(Intent.java:7564)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)
255|:/ $

?

Code:
du: Unknown option 'b' (see "du --help")

Edit 3.

But du exists... on my SM-R875F...

Code:
D:\Android\adb>adb shell
freshul:/ $ du --help
usage: du [-d N] [-askxHLlmc] [FILE...]

Show disk usage, space consumed by files and directories.

Size in:
-k      1024 byte blocks (default)
-K      512 byte blocks (posix)
-m      Megabytes
-h      Human readable (e.g., 1K 243M 2G)

What to show:
-a      All files, not just directories
-H      Follow symlinks on cmdline
-L      Follow all symlinks
-s      Only total size of each argument
-x      Don't leave this filesystem
-c      Cumulative total
-d N    Only depth < N
-l      Disable hardlink filter

Edit 4.

Seems I really have no -b parameter in du...

Edit 5.

Puh...

Code:
255|:/ $
am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 2000000000255|:/ $ > > > > >
du: system_raw.img: No such file or directory

Exception occurred while executing 'start-activity':
java.lang.NumberFormatException: For input string: "--el"
        at java.lang.Long.parseLong(Long.java:594)
        at java.lang.Long.valueOf(Long.java:808)
        at android.content.Intent.parseCommandArgs(Intent.java:7564)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)

Edit 6.

Okidoki. I think I should go to Root and try first here... to prevent my exploding head...

Edit 7.

No on Root...

Code:
13|freshul:/ $ su
freshul:/ # adb shell am start-activity \
> -n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
> -a android.os.image.action.START_INSTALL  \
\> -d file:///storage/emulated/0/Download/system_raw.gz  \
> --el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
> --el KEY_USERDATA_SIZE 2000000000
du: Unknown option 'b' (see "du --help")
/system/bin/sh: adb: inaccessible or not found
127|freshul:/ # am start-activity \
n> -n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
> -a android.os.image.action.START_INSTALL  \
o> -d file:///storage/emulated/0/Download/system_raw.gz  \
.img|cut -f1)  > --el KEY_SYSTEM_SIZE $(du system_raw.img|cut -f1)  \
> --el KEY_USERDATA_SIZE 2000000000
du: system_raw.img: No such file or directory

Exception occurred while executing 'start-activity':
java.lang.NumberFormatException: For input string: "--el"
        at java.lang.Long.parseLong(Long.java:594)
        at java.lang.Long.valueOf(Long.java:808)
        at android.content.Intent.parseCommandArgs(Intent.java:7564)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)

Edit 8.

Briefly tried this way...
Code:
D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # am start -n com.android.dynsystem/.VerificationActivity
D:\Android\adb>
D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # am start -n com.android.settings/.development.DSULoader
Starting: Intent { cmp=com.android.settings/.development.DSULoader }
Error type 3
Error: Activity class {com.android.settings/com.android.settings.development.DSULoader} does not exist.

Edit 9.

Found something but still no success...
Code:
freshul:/ # am start-activity \
> -n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
> -a android.os.image.action.START_INSTALL  \
> -d file:///sdcard/Download/system_raw.gz  \
> --el KEY_SYSTEM_SIZE 1433051136  \
> --el KEY_USERDATA_SIZE 2000000000
Starting: Intent { act=android.os.image.action.START_INSTALL dat=file:///sdcard/Download/system_raw.gz cmp=com.android.dynsystem/.VerificationActivity (has extras) }
freshul:/ #

the du -b thingie... found here:
 
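imjtool's listing in the post above comes from the liblp metadata at the head of super.img: a geometry block at 0x1000 (stored twice), then one metadata copy per slot from 0x3000, each a header followed by partition, extent and group tables, with the geometry, header and tables each protected by a SHA-256 that liblp checks before it trusts any offset. The following is an added example, not imjtool's code or anything posted in the thread, that parses that metadata, verifies all three checksums, and reassembles a partition from its linear extents the way imjtool produced system_raw.img. It runs against a constructed in-memory super image with hypothetical contents (built by `build_sample_super`) so it works offline; the field layout follows liblp's metadata_format.h for format 10.0, the version the listing shows, and un-sparsed input is assumed, i.e. the bytes of extracted/image.img rather than the sparse super.img.

```python
import hashlib
import struct

# Layout constants from liblp's metadata_format.h (metadata format 10.0).
LP_METADATA_GEOMETRY_MAGIC = 0x616C4467
LP_METADATA_HEADER_MAGIC = 0x414C5030
LP_PARTITION_RESERVED_BYTES = 4096   # unused first block of the super partition
LP_METADATA_GEOMETRY_SIZE = 4096     # geometry block, stored twice (primary + backup)
LP_SECTOR_SIZE = 512
LP_TARGET_TYPE_LINEAR = 0
LP_PARTITION_ATTR_READONLY = 1
GEOMETRY_FMT = "<II32sIII"               # magic, struct_size, checksum, metadata_max_size, slot_count, logical_block_size
HEADER_FMT = "<IHHI32sI32s" + "III" * 4  # magic, major, minor, header_size, header_checksum, tables_size, tables_checksum, 4 table descriptors
PARTITION_FMT = "<36sIIII"               # name, attributes, first_extent_index, num_extents, group_index
EXTENT_FMT = "<QIQI"                     # num_sectors, target_type, target_data (sector on super), target_source
GROUP_FMT = "<36sIQ"                     # name, flags, maximum_size


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode()


def _sha256(raw):
    return hashlib.sha256(raw).digest()


def parse_geometry(image):
    """Validate the geometry block; liblp hashes it with its own checksum field zeroed."""
    off = LP_PARTITION_RESERVED_BYTES
    magic, struct_size, checksum, max_size, slots, block_size = struct.unpack_from(GEOMETRY_FMT, image, off)
    if magic != LP_METADATA_GEOMETRY_MAGIC:
        raise ValueError("bad geometry magic")
    raw = bytearray(image[off:off + struct_size])
    raw[8:40] = bytes(32)
    if _sha256(raw) != checksum:
        raise ValueError("geometry checksum mismatch")
    return {"metadata_max_size": max_size, "slot_count": slots, "logical_block_size": block_size}


def parse_metadata(image, slot=0):
    """Parse one metadata slot; every checksum is verified before an offset is trusted."""
    geo = parse_geometry(image)
    if slot >= geo["slot_count"]:
        raise ValueError("no such slot")
    off = LP_PARTITION_RESERVED_BYTES + 2 * LP_METADATA_GEOMETRY_SIZE + slot * geo["metadata_max_size"]
    hdr = struct.unpack_from(HEADER_FMT, image, off)
    magic, major, minor, header_size, header_checksum, tables_size, tables_checksum = hdr[:7]
    if magic != LP_METADATA_HEADER_MAGIC:
        raise ValueError("bad metadata header magic")
    raw_hdr = bytearray(image[off:off + header_size])
    raw_hdr[12:44] = bytes(32)   # header_checksum is hashed as zeros
    if _sha256(raw_hdr) != header_checksum:
        raise ValueError("metadata header checksum mismatch")
    tables = image[off + header_size:off + header_size + tables_size]
    if _sha256(tables) != tables_checksum:
        raise ValueError("metadata tables checksum mismatch")
    desc = hdr[7:]   # (offset, num_entries, entry_size) for partitions, extents, groups, block_devices

    def table(i, fmt):
        o, n, size = desc[3 * i:3 * i + 3]
        return [struct.unpack_from(fmt, tables, o + k * size) for k in range(n)]

    parts, extents, groups = table(0, PARTITION_FMT), table(1, EXTENT_FMT), table(2, GROUP_FMT)
    out = {"version": f"{major}.{minor}", "slots": geo["slot_count"], "partitions": []}
    for name, attrs, first, count, gidx in parts:
        exts = extents[first:first + count]
        out["partitions"].append({
            "name": _cstr(name),
            "group": _cstr(groups[gidx][0]),
            "read_only": bool(attrs & LP_PARTITION_ATTR_READONLY),
            "size": sum(e[0] for e in exts) * LP_SECTOR_SIZE,
            # (byte offset inside super, byte length) per linear extent
            "extents": [(e[2] * LP_SECTOR_SIZE, e[0] * LP_SECTOR_SIZE) for e in exts if e[1] == LP_TARGET_TYPE_LINEAR],
        })
    return out


def extract_partition(image, meta, name):
    """Concatenate a partition's linear extents, i.e. what imjtool writes to <name>_raw.img."""
    for p in meta["partitions"]:
        if p["name"] == name:
            return b"".join(bytes(image[o:o + n]) for o, n in p["extents"])
    raise KeyError(name)


def build_sample_super(payloads, metadata_max_size=65536, slot_count=2, block_size=4096):
    """Constructed fixture (hypothetical contents): a 2 MiB super with one linear extent per
    partition in group_basic, laid out from 0x100000 like the imjtool listing."""
    image = bytearray(2 * 1024 * 1024)
    groups = [struct.pack(GROUP_FMT, n.ljust(36, b"\0"), 0, 0) for n in (b"default", b"group_basic")]
    parts, exts, cursor = [], [], 0x100000
    for name, payload in payloads:
        size = -(-len(payload) // block_size) * block_size   # round up to a logical block
        image[cursor:cursor + len(payload)] = payload
        exts.append(struct.pack(EXTENT_FMT, size // LP_SECTOR_SIZE, LP_TARGET_TYPE_LINEAR, cursor // LP_SECTOR_SIZE, 0))
        parts.append(struct.pack(PARTITION_FMT, name.encode().ljust(36, b"\0"), LP_PARTITION_ATTR_READONLY, len(exts) - 1, 1, 1))
        cursor += size
    ptab, etab, gtab = b"".join(parts), b"".join(exts), b"".join(groups)
    tables = ptab + etab + gtab
    descs = (0, len(parts), 52, len(ptab), len(exts), 24, len(ptab) + len(etab), len(groups), 48, len(tables), 0, 64)
    hsize, gsize = struct.calcsize(HEADER_FMT), struct.calcsize(GEOMETRY_FMT)
    header = lambda chk: struct.pack(HEADER_FMT, LP_METADATA_HEADER_MAGIC, 10, 0, hsize, chk, len(tables), _sha256(tables), *descs)
    geometry = lambda chk: struct.pack(GEOMETRY_FMT, LP_METADATA_GEOMETRY_MAGIC, gsize, chk, metadata_max_size, slot_count, block_size)
    hdr, geo = header(_sha256(header(bytes(32)))), geometry(_sha256(geometry(bytes(32))))
    for g_off in (LP_PARTITION_RESERVED_BYTES, LP_PARTITION_RESERVED_BYTES + LP_METADATA_GEOMETRY_SIZE):
        image[g_off:g_off + gsize] = geo
    for s in range(slot_count):
        o = LP_PARTITION_RESERVED_BYTES + 2 * LP_METADATA_GEOMETRY_SIZE + s * metadata_max_size
        image[o:o + hsize + len(tables)] = hdr + tables
    return bytes(image)
```

To use it on the watch's firmware, read extracted/image.img (the un-sparsed super from imjtool's first step) into bytes and pass it to `parse_metadata`; the `size` it reports for system is the length of the raw image imjtool extracts, which is the number that later had to be pasted by hand as KEY_SYSTEM_SIZE. The checksum checks are the point of the example: a flipped byte anywhere in the tables is rejected before any extent offset is used.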

adfree

Senior Member
No idea... maybe we can study old ideas... about Root tactics...

tiny déjà vu...

Only as info.

Best Regards


Edit 1.
@profi_fahrer


Did you solve your problem in the meantime?
 

subevilx

Member
Dec 30, 2022
38
8
Code:
[email protected]:~/imj$ ./imjtool super.img extract
Sparse image v1.0 detected, 1310720 blocks of 4096 bytes
1310720 blocks of 4096 bytes compressed into 39 chunks (71% compressed)
0 - Extracted image is in extracted/image.img
[email protected]:~/imj$ ./imjtool image.img extract
liblp dynamic partition (super.img) - Blocksize 0x1000, 2 slots
LP MD Header @0x3000, version 10.0, with 4 logical partitions on block device of 2560 GB, at partition super, first sector: 0x800
    Partitions @0x3080 in 2 groups:
        Group 0: default
        Group 1: group_basic
            Name: system (read-only, Linux Ext2/3/4/? Filesystem Image, @0x100000 spanning 1 extents and 1 GB) - extracted
            Name: vendor (read-only, Linux Ext2/3/4/? Filesystem Image, @0x55800000 spanning 1 extents and 88 MB) - extracted
            Name: product (read-only, Linux Ext2/3/4/? Filesystem Image, @0x5b100000 spanning 1 extents and 77 MB) - extracted
            Name: odm (read-only, Linux Ext2/3/4/? Filesystem Image, @0x5ff00000 spanning 1 extents and 4 MB) - extracted
[email protected]:~/imj$ cd extracted
[email protected]:~/imj/extracted$ gzip -c system_raw.img > system_raw.gz

Tiny progress GSI attempt related...

So I have the system.img pulled from super.img of:
Code:
COMBINATION_FAC_FBR0_R875FSQU1AVI4_FACFAC_CL25207558_QB57036605_REV00_user_mid_noship_MULTI_CERT.tar

gzipped as mentioned in this Link:

Now I will push the *.gz file to my SM-R875F...
Code:
adb push system_raw.gz /storage/emulated/0/Download/

700 MB over WiFi...

Hmm. adb push ... /sdcard should be the same...

Edit 1.

Result of attempt 1 with system shell... in "normal way"...

Code:
D:\Android\adb>adb shell
freshul:/ $ cd /sdcard
freshul:/sdcard $ ls -a1l
total 40
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Alarms
drwxrws--x 5 media_rw media_rw 3452 2023-01-27 06:08 Android
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Audiobooks
drwx------ 3 u0_a113  u0_a113  3452 2023-01-27 13:21 DCIM
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Documents
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Download
drwx------ 3 u0_a113  u0_a113  3452 2023-01-27 06:09 Movies
drwxrwxr-x 4 media_rw media_rw 3452 2023-01-27 06:09 Music
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Notifications
drwx------ 3 u0_a113  u0_a113  3452 2023-01-27 06:09 Pictures
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Podcasts
drwx------ 2 u0_a113  u0_a113  3452 2023-01-27 06:09 Ringtones
-rw------- 1 u0_a113  u0_a113     3 2023-01-27 08:46 mps_code.dat
freshul:/sdcard $ rm -mps_code.dat
rm: Unknown option 'mps_code.dat' (see "rm --help")
1|freshul:/sdcard $ rm mps_code.dat
freshul:/sdcard $ cd Download
freshul:/sdcard/Download $ ls -a1l
total 0
freshul:/sdcard/Download $ df -h
Filesystem            Size  Used Avail Use% Mounted on
tmpfs                 646M  1.2M  645M   1% /dev
tmpfs                 646M     0  646M   0% /mnt
/dev/block/dm-4       3.4G  3.4G  1.0M 100% /
/dev/block/dm-5        84M   81M  1.3M  99% /vendor
/dev/block/dm-6       169M  169M     0 100% /product
/dev/block/dm-7       3.9M  984K  2.9M  25% /odm
/dev/block/dm-8       581M  179M  390M  32% /prism
/dev/block/dm-9        39M  500K   37M   2% /optics
tmpfs                 646M     0  646M   0% /apex
/dev/block/mmcblk0p34  16M   24K   15M   1% /omr
/dev/block/mmcblk0p33 193M  4.5M  184M   3% /cache
/dev/block/mmcblk0p2  3.8M  1.3M  2.3M  37% /efs
/dev/block/dm-10      8.3G  763M  7.5G  10% /data
/dev/fuse             8.3G  763M  7.5G  10% /storage/emulated
freshul:/sdcard/Download $ exit

D:\Android\adb>adb push system_raw.gz /storage/emulated/0/Download/
system_raw.gz: 1 file pushed, 0 skipped. 1.8 MB/s (716177691 bytes in 375.507s)

D:\Android\adb>
D:\Android\adb>adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 2000000000
Exception occurred while executing 'start-activity':
java.lang.IllegalArgumentException: No intent supplied
        at android.content.Intent.parseCommandArgs(Intent.java:7849)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)

No idea if reduced user size is good idea... but I have only 7 GB...

Now will check same Command on system shell...

Edit 2.

System Shell Exploit spit little bit more...

Code:
S/system/bin/sh: can't find tty fd: No such device or address
/system/bin/sh: warning: won't have full job control
:/ $ am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 2000000000> > > > >
du: Unknown option 'b' (see "du --help")

Exception occurred while executing 'start-activity':
java.lang.NumberFormatException: For input string: "--el"
        at java.lang.Long.parseLong(Long.java:594)
        at java.lang.Long.valueOf(Long.java:808)
        at android.content.Intent.parseCommandArgs(Intent.java:7564)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)
255|:/ $

?

Code:
du: Unknown option 'b' (see "du --help")

Edit 3.

But du exists... on my SM-R875F...

Code:
D:\Android\adb>adb shell
freshul:/ $ du --help
usage: du [-d N] [-askxHLlmc] [FILE...]

Show disk usage, space consumed by files and directories.

Size in:
-k      1024 byte blocks (default)
-K      512 byte blocks (posix)
-m      Megabytes
-h      Human readable (e.g., 1K 243M 2G)

What to show:
-a      All files, not just directories
-H      Follow symlinks on cmdline
-L      Follow all symlinks
-s      Only total size of each argument
-x      Don't leave this filesystem
-c      Cumulative total
-d N    Only depth < N
-l      Disable hardlink filter

Edit 4.

Seems i have really no -b parameter in du...

Edit 5.

Puh...

Code:
255|:/ $
am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
-a android.os.image.action.START_INSTALL  \
-d file:///storage/emulated/0/Download/system_raw.gz  \
--el KEY_SYSTEM_SIZE $(du system_raw.img|cut -f1)  \
--el KEY_USERDATA_SIZE 2000000000255|:/ $ > > > > >
du: system_raw.img: No such file or directory

Exception occurred while executing 'start-activity':
java.lang.NumberFormatException: For input string: "--el"
        at java.lang.Long.parseLong(Long.java:594)
        at java.lang.Long.valueOf(Long.java:808)
        at android.content.Intent.parseCommandArgs(Intent.java:7564)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)

Edit 6.

Okidoki. I think I should go to Root and try first here... to prevent my exploding head...

Edit 7.

No on Root...

Code:
13|freshul:/ $ su
freshul:/ # adb shell am start-activity \
> -n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
> -a android.os.image.action.START_INSTALL  \
\> -d file:///storage/emulated/0/Download/system_raw.gz  \
> --el KEY_SYSTEM_SIZE $(du -b system_raw.img|cut -f1)  \
> --el KEY_USERDATA_SIZE 2000000000
du: Unknown option 'b' (see "du --help")
/system/bin/sh: adb: inaccessible or not found
127|freshul:/ # am start-activity \
n> -n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
> -a android.os.image.action.START_INSTALL  \
o> -d file:///storage/emulated/0/Download/system_raw.gz  \
.img|cut -f1)  > --el KEY_SYSTEM_SIZE $(du system_raw.img|cut -f1)  \
> --el KEY_USERDATA_SIZE 2000000000
du: system_raw.img: No such file or directory

Exception occurred while executing 'start-activity':
java.lang.NumberFormatException: For input string: "--el"
        at java.lang.Long.parseLong(Long.java:594)
        at java.lang.Long.valueOf(Long.java:808)
        at android.content.Intent.parseCommandArgs(Intent.java:7564)
        at com.android.server.am.ActivityManagerShellCommand.makeIntent(ActivityManagerShellCommand.java:337)
        at com.android.server.am.ActivityManagerShellCommand.runStartActivity(ActivityManagerShellCommand.java:434)
        at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:185)
        at android.os.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:98)
        at android.os.ShellCommand.exec(ShellCommand.java:44)
        at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10983)
        at android.os.Binder.shellCommand(Binder.java:929)
        at android.os.Binder.onTransact(Binder.java:813)
        at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5104)
        at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2993)
        at android.os.Binder.execTransactInternal(Binder.java:1159)
        at android.os.Binder.execTransact(Binder.java:1123)

Edit 8.

short tried this way...
Code:
D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # am start -n com.android.dynsystem/.VerificationActivity
D:\Android\adb>
D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # am start -n com.android.settings/.development.DSULoader
Starting: Intent { cmp=com.android.settings/.development.DSULoader }
Error type 3
Error: Activity class {com.android.settings/com.android.settings.development.DSULoader} does not exist.

Edit 9.

Found something but still no success...
Code:
freshul:/ # am start-activity \
> -n com.android.dynsystem/com.android.dynsystem.VerificationActivity  \
> -a android.os.image.action.START_INSTALL  \
> -d file:///sdcard/Download/system_raw.gz  \
> --el KEY_SYSTEM_SIZE 1433051136  \
> --el KEY_USERDATA_SIZE 2000000000
Starting: Intent { act=android.os.image.action.START_INSTALL dat=file:///sdcard/Download/system_raw.gz cmp=com.android.dynsystem/.VerificationActivity (has extras) }
freshul:/ #

the du -b thingie... found here:
Try using the DSU loader by VegaBobo on GitHub; here's the link as well:
https://github.com/VegaBobo/DSU-Sideloader
 
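The `am start-activity` attempts in adfree's post above fail for reasons that can be read straight off the errors. From cmd.exe, `adb shell am start-activity \` sends the device only `am start-activity`, because a trailing backslash is not a line continuation on Windows, which is the `No intent supplied` exception. On the device, toybox `du` has no `-b`, so `$(du -b system_raw.img|cut -f1)` expands to nothing and the next token, `--el`, is what `Long.parseLong` chokes on in the `NumberFormatException`; once `-b` was dropped, the file simply was not in the current directory. The attempt only went through once the size was typed in by hand. Below is an added host-side Python helper, not code from the thread and not DSU-Sideloader's, that takes KEY_SYSTEM_SIZE from the uncompressed image on the host (that extra is the uncompressed size, not the size of the .gz), validates both extras as positive integers before anything is sent, and issues the intent as one single-line `adb shell` command. It assumes `adb` on PATH with an authorised device, the raw image and its gzip on the host, and `/storage/emulated/0/Download` as the device-side location used in the post; the `run` parameter is a hypothetical hook so the command construction can be exercised without a device.

```python
import os
import shlex
import subprocess
import sys

# Activity, action and extras exactly as used in the thread's attempts.
DYNSYSTEM_ACTIVITY = "com.android.dynsystem/com.android.dynsystem.VerificationActivity"
START_INSTALL_ACTION = "android.os.image.action.START_INSTALL"
DEVICE_DOWNLOAD_DIR = "/storage/emulated/0/Download"   # assumed device-side location


def uncompressed_size(raw_image_path):
    """KEY_SYSTEM_SIZE is the size of the *uncompressed* image. Take it from the raw
    file on the host with stat, not with 'du -b' on the device (toybox du has no -b)."""
    size = os.path.getsize(raw_image_path)
    if size <= 0:
        raise ValueError(f"{raw_image_path} is empty")
    return size


def start_install_argv(device_gz_path, system_size, userdata_size):
    """Build the am(1) argv. Both --el values are checked here so an empty value can
    never make the intent parser read the following '--el' as the number."""
    for label, value in (("KEY_SYSTEM_SIZE", system_size), ("KEY_USERDATA_SIZE", userdata_size)):
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            raise ValueError(f"{label} must be a positive integer, got {value!r}")
    return [
        "am", "start-activity",
        "-n", DYNSYSTEM_ACTIVITY,
        "-a", START_INSTALL_ACTION,
        "-d", "file://" + device_gz_path,
        "--el", "KEY_SYSTEM_SIZE", str(system_size),
        "--el", "KEY_USERDATA_SIZE", str(userdata_size),
    ]


def remote_command_line(argv):
    """One line, quoted for the device's sh. No backslash continuations: cmd.exe passes
    them through literally, which is how 'am start-activity \\' arrived without an intent."""
    return " ".join(shlex.quote(arg) for arg in argv)


def install(raw_image, gz_image, userdata_size=2_000_000_000, run=subprocess.run):
    """Push the gzip and fire the START_INSTALL intent. Returns the argv that was sent."""
    device_path = f"{DEVICE_DOWNLOAD_DIR}/{os.path.basename(gz_image)}"
    argv = start_install_argv(device_path, uncompressed_size(raw_image), userdata_size)
    run(["adb", "push", gz_image, device_path], check=True)
    run(["adb", "shell", remote_command_line(argv)], check=True)
    return argv


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: dsu_install.py system_raw.img system_raw.gz [userdata_bytes]")
    userdata = int(sys.argv[3]) if len(sys.argv) > 3 else 2_000_000_000
    print(remote_command_line(install(sys.argv[1], sys.argv[2], userdata)))
```

Run it from the host as `python dsu_install.py system_raw.img system_raw.gz 2000000000`; the KEY_USERDATA_SIZE default is the 2 GB value used in the post and is an assumption, not a recommendation for the watch's 8 GB data partition. What the DSU service then does with the intent (the verification dialog, whether the activity is reachable on a given device) is outside this helper; it only removes the three command-line failures.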

adfree

Senior Member
@subevilx

Thank you very much for DSU Sideloader Link.

At the moment I have tiny problems...

A
On my SM-R875F no valid file manager is installed... to select the folder...

I have to search for one...

B
On my SM-A202F, file manager yes... but other problems... like unsupported blabla...

So I need time to find a valid file manager APK for the GW4 to proceed...

Best Regards

Edit 1.

Attached from my SM-A202F... it is Android 11... but...

I hope, because I have not seen such warnings, that my GW4 has enough space with its 8 GB user partition...
Will check if I can find "myfiles" on APK Mirror...
 

Attachments

  • Screenshot_20230129-041434_DSU Sideloader.jpg
  • Screenshot_20230129-041454_DSU Sideloader.jpg
  • Screenshot_20230129-041501_DSU Sideloader.jpg
  • Screenshot_20230129-041519_Files.jpg

xVoidx

Member
Jul 14, 2008
26
2
So a lot of this is beyond me and there is a lot to digest in this thread but my question is simple. With this exploit would it be possible to give this app "VPNHotspot" the privilege it needs to function correctly? How would I do this if its possible?

Link to the app's GitHub


My end goal here is to get the VPN hotspot app working, but it needs root to tunnel traffic through an app like "AD Guard" to change the TTL of packets that go through the native hotspot.



Any advice on how to do this would be greatly appreciated.
 

subevilx

Member
(quoting adfree's post above)
If you don't have a file manager you can download com.sec.android.app.myfiles
 

adfree

Senior Member
I have no luck yet... can't proceed with GSI/DSU...

On the Watch there is no "inbuilt" file manager...

Installed 5 or 6 from the Store... but the DSU Sideloader APK does not detect these...

com.sec.android.app.myfiles... Maybe 10 tried by now... without success...

Downloaded from APKMirror...

In the Combination Firmware for the Watch... I saw pics of MyFile Lite or something like this...
But I am not able to detect where it is...

...

Edit 1.

Found via Google... as not solved... my FileExplorer problem...
 

V0latyle

Forum Moderator
Staff member
Fingers crossed. Something comes out of it, or John Wu might take it and implement it for use in Magisk.
Eh, I don't think he would. That's partly why Magisk moved away from MagiskHide, because he's not interested in defeating Android security measures, but rather using Zygisk to work around them. At least that's my impression. He stated as much in his State of Magisk announcement a couple of years ago, that Magisk would no longer intercept and modify system security signals.

I would definitely like to see this exploit used to unlock bootloaders on otherwise locked devices, but given what @wr3cckl3ss1 and @K0mraid3 found earlier, this might not be possible.
 
Eh, I don't think he would. That's partly why Magisk moved away from MagiskHide, because he's not interested in defeating Android security measures, but rather using Zygisk to work around them. At least that's my impression. He stated as much in his State of Magisk announcement a couple years ago, that Magisk would no longer intercept and modify system security signals.

I would definitely like to see this exploit used to unlock bootloaders on otherwise locked devices, but given what @wr3cckl3ss1 and @K0mraid3 found earlier, this might not be possible.
Still exploring this option at the moment. As development continues on... more doors that the team has not explored are becoming open. Maybe one day... this can lead to something great.
 
  • Like
Reactions: V0latyle

V0latyle

Forum Moderator
Staff member
Still exploring this option at the moment. As development continues on... more doors that the team has not explored are becoming open. Maybe one day... this can lead to something great.
Right on, that's part of why I'm following this thread.

This is only Samsung, yes? Has anyone tried this exploit on any other OEM builds or AOSP?
 
  • Like
Reactions: wr3cckl3ss1
Right on, that's part of why I'm following this thread.

This is only Samsung, yes? Has anyone tried this exploit on any other OEM builds or AOSP?
At the moment, I'm trying to get it ported over to the P7P... specifically the VZW, since it's the mecca of NO BL unlock and no root. In a couple of weeks, I hope to nail down some time to accomplish this, as all the time right now is with Samsung and getting support out where it's needed. As Samsung said themselves, they replicated System Shell on a Pixel 6 Pro. So I imagine the P7P isn't too far behind.
 
  • Like
Reactions: V0latyle

V0latyle

Forum Moderator
Staff member
At the moment, I'm trying to get it ported over to the P7P... specifically the VZW, since it's the mecca of NO BL unlock and no root. In a couple of weeks, I hope to nail down some time to accomplish this, as all the time right now is with Samsung and getting support out where it's needed. As Samsung said themselves, they replicated System Shell on a Pixel 6 Pro. So I imagine the P7P isn't too far behind.
Well, you don't necessarily have to have a Pixel device to try this. Just use the AOSP 13 GSI releases on any GSI-capable device; these are identical to the corresponding Pixel builds.
 

xdagee

Senior Member
Sep 4, 2012
1,830
1,653
Accra
xdagee.github.io
Google Pixel 7
Well, you don't necessarily have to have a Pixel device to try this. Just use the AOSP 13 GSI releases on any GSI-capable device; these are identical to the corresponding Pixel builds.
From the look of things in this thread, I think the end goal is to be able to install a custom ROM without the BL unlocked, or at least a new way to install custom ROMs. If that's the case then I will gladly be available for testing; I have got the S10+ SD variant.
 

V0latyle

Forum Moderator
Staff member
From the look of things in this thread, I think the end goal is to be able to install a custom ROM without the BL unlocked, or at least a new way to install custom ROMs. If that's the case then I will gladly be available for testing; I have got the S10+ SD variant.
That is unfortunately not possible. Android Verified Boot prevents custom images from starting when the bootloader is locked, and the only way around this would be to sign the images using the manufacturer's secret key.
 

mohitgalaxy3

Senior Member
Apr 18, 2011
1,965
546
35
Kuala Lumpur
Samsung Galaxy S21 Ultra
I was exploring what's inside the imei folder and saw that prodcode.dat contains my device model number.
Was wondering if I can change it, and if I can, whether it will help to enable cross flashing or will brick the device.

Code:
:/efs/imei $ cat /efs/imei/prodcode.dat
SM-G998NZSEKOO:

Someone has done a similar thing on Watch 2, but I am not sure this will work on phones. After changing the EFS info, if cross flashing doesn't work then the device will get bricked for sure.

15. sdb root on
16. sdb shell
17. backup active-customer.info: sdb pull /csa/csc/csc-active-customer.inf
18. backup prodcode.dat: sdb pull /csa/imei/prodcode.dat
19. edit /csa/csc/csc-active-customer.inf and replace the csc code (I used vim and the XAR for the US version, https://www.geeksforgeeks.org/vi-editor-unix/ )
20. edit /csa/imei/prodcode.dat and replace the last three characters with the csc code you want (don't enter the csc selection after this, it will reset it to the factory region)
21. reboot the device into recovery (I used /usr/bin/csc-util --reboot customer_change but I'm not sure it's necessary)
22. run netodin again and select AP, BL and CSC to flash stock
23. enjoy Samsung Pay if you have a US credit card (seems like you no longer need to install Samsung Pay apks on non-Samsung phones, it's part of the wearables app)
 
Last edited:
Status
Not open for further replies.

Top Liked Posts

  • 37
    ***MODERATOR ANNOUNCEMENT: THREAD CLOSED***

    @K0mraid3 you are hereby required to provide proper credit in your OP as follows:
    • Link the assigned CVE for this exploit as it mentions the author's blog and GitHub, OR
    • Link the original research repo as provided by @flanker017
    Further, while you may provide a means for donation, this project must remain free without condition of payment.

    Lastly, as you've been previously warned, you may not promote your Telegram channel on XDA. You may have ONE link to your TG channel in the OP.

    You must meet these conditions to continue to use XDA to share this project.

    As you have ignored my PM and previous warning, this thread is now CLOSED to further discussion. All download links relating to this project have been removed. This thread will remain closed until such time that @K0mraid3 is willing to comply with the above conditions.
    7
    Last warning: If you can't keep your bickering to PM and can't treat each other with respect, this thread will be locked. We don't want to do that, as with keeping in the "hacker" spirit of XDA, threads like this are the bread and butter of what we do.
    • ... and Please! keep all your personal bickering via PMs, do not pollute the forum with your personal indifferences.
      If you have a problem with a specific member please contact the Moderators for help, that's what we're here for, but we are not babysitters, we are here to gather, organize and provide useful information for our overpriced phones
    That's why we've been removing posts.
    I've been quietly watching this for a while and I agree. I also find it unsettling that admins have removed the post discussing this issue.
    It's not that the questions shouldn't be asked, it's that they shouldn't be asked here. I'm going to start a PM thread involving a few of you so that we can get this straightened out.

    Now, more to the point: If you've used anyone else's source as a basis for your work, you MUST give them credit:
    12.1. Give credits where due - Credits and acknowledgements for using and releasing work which is based on someone else's work are an absolute must. Works reported to have no credits will be taken down until proper acknowledgements are added by the member in question;
    While this might not be considered development under our criteria, Rule 13 still applies as well:
    12.3. Re-releasing other's works as your own is forbidden. The code that you release into the wild must have something beyond minor aesthetic changes that makes it better than the last. As this can be subjective, kang reports will be reviewed on a case by case basis. If you feel that your code has been kanged, please contact the Developer Relations Team (DRT) if you cannot solve the issue amicably via PM. Please understand that you will be asked to provide evidence to substantiate your claim;

    So. Knock it off with the squabbling. Keep this thread on topic. If you have issues with sources or credits or whatever, bring it up to us. If your comment doesn't have directly to do with facilitating this exploit or reporting your progress in your own efforts, keep it out of this thread.
    6
    ***Moderator Announcement***

    Flaming and disrespect will absolutely not be tolerated. Repeated violations may result in account bans. Compliance with all XDA Forum Rules and Policies is MANDATORY for all members. While you're free to discuss the technical details and merits of this exploit, as well as the wisdom in deferring updates, you WILL treat each other with respect and dignity, and those who fail to do so will no longer be permitted to participate on XDA.

    In addition, keep your posts ON TOPIC.

    If you feel someone's posts violate the Forum Rules, use the Report button and let the moderator staff handle it before it becomes an issue.

    Don't make us get involved again.
    6
    Hi:

    I'm the original author of the SMT research (https://github.com/flankerhqd/vendor-android-cves/tree/master/SMT-CVE-2019-16253) and I have been notified about this thread. My original purpose in sharing my research is to help the community to better utilize and protect their devices, to help the vendors to improve device security, and to help other researchers with technical insights. I'm always glad to see this research given a new life and helping someone else, and further developments are welcome - but they should be legal, non-profit, with proper attribution, and in good faith. Sorry to hear that the original research has not been properly given credit.

    To prove it's indeed me: the same announcement as above can be found in the GitHub repo's README file.

    Thanks!