***LOCKED UNTIL FURTHER NOTICE*** System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.

Status
Not open for further replies.
Search This thread

xdagee

Senior Member
Sep 4, 2012
1,829
1,653
Accra
xdagee.github.io
Google Pixel 7
That is unfortunately not possible. Android Verified Boot prevents custom images from starting when bootloader is locked, and the only way around this would be to sign the images using the manufacturer's secret key.
Oh wow, how heartbreaking. 😢What exactly can be achieved with this exploit, and what are the possibilities of the outcome of the research?
 
Last edited:
  • Like
Reactions: V0latyle

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
@oakieville
@K0mraid3

Dear oakieville.

Please share the adb Commands inside your EXE.

I spent so much time to find alternate steps but fail with Galaxy Watch.

Thanx in advance.

Best Regards

Edit 1.

Files I have downloaded...
Code:
Komraids System Shell V4.5.zip
Komraids System Shell V4.4.zip
K0mraids_Shell (2).zip


A

I have realized. APK inside EXE is NOT the same inside ZIP...

Example.... Komraid3s_POC_V1.6.apk is NOT what EXE push to device...


B

For me working EXE shows this... bad visible because Colors... only if I mark text...
Code:
samsungTTSVULN2.apk: 1 file pushed, 0 skipped. 1.2 MB/s (15955101 bytes in 12.473s)
Performing Streamed InstallSuccess
Success
start shell
Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }

Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }
Starting: Intent { cmp=com.samsung.SMT.lang.poc/.MainActivity }

Starting: Intent { cmp=com.samsung.SMT.lang.poc/.MainActivity }


I see 2 lines twice/double...

First I thought is Error... as it is possible to double click so also file pushed double...

C

On non tested working EXE I can see better... but...
Code:
ROLLBACK COMPLETE
STARTING SYSTEM SHELL PLEASE WAIT
IF SYSTEM SHELL DID NOT START
 PLEASE REBOOT THE DEVICE AND RETRY

And the other NOT working EXE shows this for me:

Code:
samsungTTSVULN2.apk: 1 file pushed, 0 skipped. 1.1 MB/s (15955101 bytes in 14.209s)
Performing Streamed InstallSuccess
Success
start shell
Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }

Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }
Starting: Intent { cmp=com.samsung.SMT.lang_en_us_m00/.MainActivity }

Starting: Intent { cmp=com.samsung.SMT.lang_en_us_m00/.MainActivity }


com.samsung.SMT.lang_en_us_m00/.MainActivity

With my old blind eyes I can see differences...


D

Conclusion for me...

POC APK differ in EXE...
And also Commands differ...

And I can see some experiments with Port...

Edit 2.

I need this for Galaxy Watch 4 like SM-R860 SM-R870 SM-R875F

EXE work only from this ZIP
Code:
Komraids System Shell V4.5.zip
MD5 9961198CE20CDCB3AF4049DEC4404D4E

Edit 3.

Working APK inside working EXE can be found in:
Code:
Komraids System Shell V4.4.zip

Code:
komraids_POC_V1.5.apk
MD5 2A40F3443260DC955CE100FE0E84962E

Edit 4.

Code:
samsungTTSVULN2.apk
MD5 F1244F782A0F16850629ECC90E85D1CE


Edit 5.

"EXE" in both Zips same:
Code:
Komraids System Shell V4.4.zip
Komraids System Shell V4.5.zip
MD5 07DFC1042F08965AA7A6C4A282BF48A3

Code:
systemshell-v1.3.exe

This is the working 1 for me...
 
Last edited:

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
After Win 7 ... I can now also confirm Win 10 for this "EXE":
Code:
systemshell-v1.3.exe

I have AVIRA Antivir on both... so folder adb is set to ignore Virus alert...

No idea if I manage this year to check my Windows 11 with other Antivir crap...

Procedure work for Galaxy Watch 4 and Watch 5...


Firmware Version GWA3 /AWA3...

Only as info... (for me)

Best Regards
 

ForestCat

Senior Member
Nov 29, 2012
102
26
Is there any possible way to get this type of exploit to work on a device w/ 6.0.1/Marshmallow? It shows version 201503021 as the installed Samsung-text-to-speech engine. From what I can tell, the vulnerable version requires Android 9+ ?? I need to pull the last OTA download (in /cache, I think) off of this bone-stock SM-N910T device, can't do that without root(or can I?), can't root without obliterating the stored OTA update, then I won't be able to get the OTA again? Needed for VoLTE on this device.
 

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
Tested successfully EXE with nice Colors on Win 7 Win 10 and Win 11...

With my Galaxy Watch 4... SM-R875F


No idea if normal that EXE close under Win 11...

No idea if I will test second time...

Only as info... tiny summary for Galaxy Watch 4 and Galaxy Watch 5 user(s).

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
Maybe really something interesting inside...

SM-R875F rooted... for easier switch to system...

Will later try to pull all files and folders for study...

Code:
freshul:/ $ su
Permission denied
13|freshul:/ $ su
freshul:/ # cd /data/system
freshul:/data/system # ls -a1l
total 1699
drwxrwxr-x 23 system system         8192 2023-02-05 10:40 .
drwxrwx--x 54 system system         4096 2023-02-05 10:31 ..
drwx------  3 system system         3452 2023-02-05 10:18 .aasa
-rw-------  1 system system           13 2023-02-05 10:25 HWParamTime.bin
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_GnssBatchHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_GnssBatchHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:40 LPX_LowPowerModeHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_LowPowerModeHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_MobileSettingHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_MobileSettingHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_ProviderHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_ProviderHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_SettingHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_SettingHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_location-history
-rw-------  1 system system            0 2023-02-05 10:20 LPX_location-history-journal
-rw-rw----  1 system system        32768 2023-02-05 10:31 PkgPredictions.db
-rw-------  1 system system            0 2023-02-05 10:18 PkgPredictions.db-journal
drwx------  3 system system         3452 2023-02-05 10:18 appops
-rw-------  1 system system        12902 2023-02-05 10:31 appops.xml
drwx------  2 system system         3452 2023-02-05 10:31 battery-history
drwx------  2 system system         3452 2023-02-05 10:18 battery-saver
-rw-------  1 system system       185980 2023-02-05 10:31 batterystats.bin
-rw-------  1 system system          261 2023-02-05 10:32 cachequota.xml
-rw-------  1 system system          136 2023-02-05 10:22 device_policies.xml
-rw-------  1 system system          367 2023-02-05 10:18 display-manager-state.xml
-rw-------  1 system system          149 2023-02-05 10:23 display_settings.xml
drwx------  2 system system         3452 2023-02-05 10:40 dropbox
-rw-------  1 system system          512 2023-02-05 10:31 entropy.dat
drwx------  3 system system         3452 2023-02-05 10:23 graphicsstats
drwx------  2 system system         3452 2023-02-05 10:17 heapdump
drwx------  2 system system         3452 2023-02-05 10:18 ifw
drwx------  2 system system         3452 2023-02-05 10:18 install_sessions
-rw-------  1 system system           70 2023-02-05 10:31 install_sessions.xml
drwx------  2 system system         3452 2023-02-05 10:18 integrity_rules
drwx------  2 system system         3452 2023-02-05 10:18 integrity_staging
drwx------  2 system system         3452 2023-02-05 10:40 job
-rw-------  1 system system            0 2023-02-05 10:18 last-fstrim
-rw-------  1 system system          484 2023-02-05 10:32 last-header.txt
-rw-rw----  1 system system        20480 2023-02-05 10:32 locksettings.db
-rw-------  1 system system          272 2023-02-05 10:32 log-files.xml
srwxrwxrwx  1 system system            0 2023-02-05 10:31 ndebugsocket
-rw-------  1 system system          292 2023-02-05 10:31 netpolicy.xml
drwx------  2 system system         3452 2023-02-05 10:33 netstats
-rw-rw----  1 system system        28672 2023-02-05 10:33 notification_log.db
-rw-------  1 system system            0 2023-02-05 10:18 notification_log.db-journal
-rw-------  1 system system        23102 2023-02-05 10:40 notification_policy.xml
-rw-------  1 system system         1852 2023-02-05 10:31 overlays.xml
-rw-------  1 system system          358 2023-02-05 10:31 package-cstats.list
-rw-------  1 system system         1227 2023-02-05 10:31 package-dcl.list
-rw-------  1 system system         5185 2023-02-05 10:31 package-dex-usage.list
-rw-------  1 system system         8753 2023-02-05 10:31 package-usage.list
-rw-------  1 system system          536 2023-02-05 10:33 package-watchdog.xml
drwx------  3 system system         3452 2023-02-05 10:31 package_cache
-rw-rw----  1 system system       488363 2023-02-05 10:33 packages-backup2.xml
-rw-r-----  1 system package_info  28675 2023-02-05 10:33 packages.list
-rw-rw----  1 system system       488363 2023-02-05 10:33 packages.xml
-rw-------  1 system system          151 2023-02-05 10:30 predictor-structure
drwx------  2 system system         3452 2023-02-05 10:18 procexitstore
drwx------  2 system system         3452 2023-02-05 10:31 procstats
-rw-rw----  1 system system        45056 2023-02-05 10:31 recoverablekeystore.db
-rw-rw----  1 system system        16384 2023-02-05 10:34 rut.db
-rw-------  1 system system            0 2023-02-05 10:18 rut.db-journal
-rw-------  1 system system           14 2023-02-05 10:30 screen_on_time
drwx------  2 system system         3452 2023-02-05 10:18 sensor_service
-rw-------  1 system system          114 2023-02-05 10:19 shortcut_service.xml
-rw-------  1 system system         1026 2023-02-05 10:30 ssrm_heating.log
drwx------  2 system system         3452 2023-02-05 10:18 stats_pull
drwx------  2 system system         3452 2023-02-05 10:30 sync
drwxrwxr-x  2 system system         3452 2023-02-05 10:31 time
-rwxrwxr--  1 system system         7808 2023-02-05 10:41 uiderrors.txt
srw-rw-rw-  1 system system            0 2023-02-05 10:31 unsolzygotesocket
drwxrwxr-x  4 system system         3452 2023-02-05 10:31 users
-rw-rw----  1 system system        16384 2023-02-05 10:31 watchlist_report.db
-rw-------  1 system system            0 2023-02-05 10:18 watchlist_report.db-journal
-rw-------  1 system system          238 2023-02-05 10:18 watchlist_settings.xml

Edit 1.

Code:
freshul:/data/system $ cd ..
freshul:/data $ cp -r system /sdcard/Download
cp: /sdcard/Download: Permission denied
1|freshul:/data $ exit
1|freshul:/data/system # whoami
root
freshul:/data/system # cd ..
freshul:/data # cp -r system /sdcard/Download
cp: /sdcard/Download/system/unsolzygotesocket: Permission denied
cp: /sdcard/Download/system/ndebugsocket: Permission denied

Will check first result...

Edit 2.

Code:
D:\Android\adb>adb pull /sdcard/Download .\sys1
/sdcard/Download/: 313 files pulled, 0 skipped. 0.3 MB/s (4691250 bytes in 15.747s)

Edit 3.

Device is in Standalone Mode... later I will try to pair/setup... to see if with Samsung Account and Google Account and the other crap... this snapshot folder appear...

Code:
recoverablekeystore.db

Is stupid SQlite Database... at the moment empty...
 
Last edited:

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
After many failSSS... tiny progress with Combination Firmware WITHOUT eToken.


Galaxy Watch 4... Rooted SM-R875F...

Only as info... maybe for me...

Best Regards
 

omaralwardian

Member
Apr 9, 2020
37
11
New Brunswick
Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }
Error: Activity not started, unknown error code -101

??
Samsung Snapdragon S21 Ultra Canada (you mentioned most Samsungs should work)
 

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22

@omaralwardian


Maybe if you give more details... what you tried and where you fail.

Example...

Windows User? You play with the "EXE" or you tried the manually way or you on Linux or you...

Then maybe also helpfull... to give more infos about your S21...
Firmware Details...

I am for instance from Germany... so I have no device from Canada...

Best Regards
 

omaralwardian

Member
Apr 9, 2020
37
11
New Brunswick

@omaralwardian


Maybe if you give more details... what you tried and where you fail.

Example...

Windows User? You play with the "EXE" or you tried the manually way or you on Linux or you...

Then maybe also helpfull... to give more infos about your S21...
Firmware Details...

I am for instance from Germany... so I have no device from Canada...

Best Regards

Yes, my friend, sorry about that.

So, two different methods I have tried so far. Details:

Product—S21 Ultra 512 GB, 16 GB RAM

MODEL—SM-G998W

Processor—SD 888

CSC - XAC

Windows 10

Android security patch level
January 1, 2023

1.) I downloaded your .zip file from GitHub, and followed those directions, your app opens up, I click on start new shell, the dialogue begins in your app window, eventually the APK opens on my phone (lang.pac) and the shell opens on my PC. The black shell window opens but does not fill with any text. I tried to type something in and nothing happens. Same with your app after the start download command is given, nothing happens. Eventually, the shell window closes, and I cannot open it again without rebooting my phone. The restart shell button basically doesn't work whatsoever. It says fail, reboot the phone almost every time.

2.) I went through the manual process of opening my shell, and pushing your APK, installing the provided APK on my device, after I got to step 5 where I put the download command in which is listed in the steps, that is the message I got and I cannot get any further.
 
  • Like
Reactions: adfree

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
No panic. Nothing here is my....

I know it is not easy.

Sorry I have no modern Phone like S21...

You have seen this forked Github?

Steps​


  1. Install the app-release.apk in the latest release
  2. Reboot the device
  3. Run the script in assets, making sure to also have the apk directory in the same directory as the script.
    • If you're on Linux this is exploit.sh
    • If you're on Windows this is exploit.bat
  4. If all goes well, the script should say:
    • /system/bin/sh: can't find tty fd: No such device or address
      /system/bin/sh: warning: won't have full job control

Maybe this is easier to handle with your S21.

Hopefully somebody with S21 can help you.

Best Regards
 

omaralwardian

Member
Apr 9, 2020
37
11
New Brunswick
No panic. Nothing here is my....

I know it is not easy.

Sorry I have no modern Phone like S21...

You have seen this forked Github?



Maybe this is easier to handle with your S21.

Hopefully somebody with S21 can help you.

Best Regards
Hi,

Is there any way you can update your EXE? I think the SMT package you have on the script might be off.

Here is what I have:

Samsung Text-to-Speech
com.samsung.SMT

Actives close which are present in that package:

com.samsung.SMT.gui.DownloadList
com.samsung.SMT.gui.DownloadListEx
 

omaralwardian

Member
Apr 9, 2020
37
11
New Brunswick
@adfree


Capture.JPG
Capture2.JPG
 
  • Like
Reactions: adfree

sunil_suny

New member
Feb 7, 2023
2
0
I am getting this error
adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk
Failure [-3005: INSTALL_FAILED_ADP_VERSION_LOCKED]

Samsung F23 5G, India model.
 
Last edited:

adfree

Senior Member
Jun 14, 2008
10,331
6,034
Samsung Galaxy Watch 4
Samsung Galaxy S22
@omaralwardian

Sorry. I wasted my time... successfully... only with the EXE file and my Galaxy Watch 4... SM-R875F

Under Windows 7 and Windows 10 and Windows 11 with Avira Antivir...

Looks like this:



I have NO solution for me working without EXE... but I have only GW4 for tests...


Maybe somebody with modern phone can help...

Same for you.

@sunil_suny

I am not 100 % sure if this is "impossible" now on S23...

I read something on telegram group...

Better somebody with S23 can confirm.

I hope somebody will answer.

Best Regards
 
Feb 7, 2023
12
1
is there any way to contact you? I have an A71 with KG LOCKED, it would be interesting to test some commands on it, to see if I can get KG COMPLETED, just like yours🙂
I am also in the same boat. Im wondering if I can somehow root my S22 ultra (KG blocked, KG state: LOCKED) or atleast a way to get the bootloader unlocker. If someone could please help me
 
  • Like
Reactions: w9909989
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 6
    Hi:

    I'm the original author of the SMT research (https://github.com/flankerhqd/vendor-android-cves/tree/master/SMT-CVE-2019-16253) and I have been notified about this thread. My original purpose to share my research is to help the community to better utilize and protect their devices, and to help the vendors to improve device security, and to help other researchers for technical insights. I'm always glad to see this research is given a new life, and helped someone else, and further development are welcome - but it should be legal, non-profit, with proper attribution, and in good faith. Sorry to hear about that the original research has not been properly given credit.

    To prove it's indeed me - same announcement as above can be found on the Github repo's README file.

    Thanks!
    6
    ***MODERATOR ANNOUNCEMENT: THREAD CLOSED***

    @K0mraid3 you are hereby required to provide proper credit in your OP as follows:
    • Link the assigned CVE for this exploit as it mentions the author's blog and GitHub, OR
    • Link the original research repo as provided by @flanker017
    Further, while you may provide a means for donation, this project must remain free without condition of payment.

    Lastly, as you've been previously warned, you may not promote your Telegram channel on XDA. You may have ONE link to your TG channel in the OP.

    You must meet these conditions to continue to use XDA to share this project.

    As you have ignored my PM and previous warning, this thread is now CLOSED to further discussion. All download links relating to this project have been removed.

    This thread will remain closed until such time that @K0mraid3 is willing to comply with the above conditions.
    3
    @flanker017

    Can you please add your Github repo... you mentioned?

    So it is easier for me to look at your work... instead Google or other search.

    Thanx in advance.

    Best Regards

    Edit 1.

    If I use this Link:

    And look for Github... then I can find this:
    Yes, that's correct. I've update the original post.
    1
    Additional note: If someone wants to continue this work and is willing to provide credit where credit is due, see this post and contact the moderator staff.
  • 37
    ***MODERATOR ANNOUNCEMENT: THREAD CLOSED***

    @K0mraid3 you are hereby required to provide proper credit in your OP as follows:
    • Link the assigned CVE for this exploit as it mentions the author's blog and GitHub, OR
    • Link the original research repo as provided by @flanker017
    Further, while you may provide a means for donation, this project must remain free without condition of payment.

    Lastly, as you've been previously warned, you may not promote your Telegram channel on XDA. You may have ONE link to your TG channel in the OP.

    You must meet these conditions to continue to use XDA to share this project.

    As you have ignored my PM and
    previous warning, this thread is now CLOSED to further discussion. All download links relating to this project have been removed. This thread will remain closed until such time that @K0mraid3 is willing to comply with the above conditions.
    6
    Last warning: If you can't keep your bickering to PM and can't treat each other with respect, this thread will be locked. We don't want to do that, as with keeping in the "hacker" spirit of XDA, threads like this are the bread and butter of what we do.
    • ... and Please! keep all your personal bickering via PMs, do not pollute the forum with your personal indifferences.
      If you have a problem with a specific member please contact the Moderators for help, that's what we're here for, but we are not babysitters, we are here to gather, organize and provide useful information for our over priced phones
    That's why we've been removing posts.
    I've been quietly watching this for a while and I agree. I also find it unsettling that admins have removed the post discussing this issue.
    It's not that the questions shouldn't be asked, it's that they shouldn't be asked here. I'm going to start a PM thread involving a few of you so that we can get this straightened out.

    Now, more to the point: If you've used anyone else's source as a basis for your work, you MUST give them credit:
    12.1. Give credits where due - Credits and acknowledgements for using and releasing work which is based on someone else's work are an absolute must. Works reported to have no credits will be taken down until proper acknowledgements are added by the member in question;
    While this might not be considered development under our criteria, Rule 13 still applies as well:
    12.3. Re-releasing other's works as your own is forbidden. The code that you release into the wild must have something beyond minor aesthetic changes that makes it better than the last. As this can be subjective, kang reports will be reviewed on a case by case basis. If you feel that your code has been kanged, please contact the Developer Relations Team (DRT) if you cannot solve the issue amicably via PM. Please understand that you will be asked to provide evidence to substantiate your claim;

    So. Knock it off with the squabbling. Keep this thread on topic. If you have issues with sources or credits or whatever, bring it up to us. If your comment doesn't have directly to do with facilitating this exploit or reporting your progress in your own efforts, keep it out of this thread.
    6
    ***MODERATOR ANNOUNCEMENT: THREAD CLOSED***

    @K0mraid3 you are hereby required to provide proper credit in your OP as follows:
    • Link the assigned CVE for this exploit as it mentions the author's blog and GitHub, OR
    • Link the original research repo as provided by @flanker017
    Further, while you may provide a means for donation, this project must remain free without condition of payment.

    Lastly, as you've been previously warned, you may not promote your Telegram channel on XDA. You may have ONE link to your TG channel in the OP.

    You must meet these conditions to continue to use XDA to share this project.

    As you have ignored my PM and previous warning, this thread is now CLOSED to further discussion. All download links relating to this project have been removed.

    This thread will remain closed until such time that @K0mraid3 is willing to comply with the above conditions.
    6
    ***Moderator Announcement***

    Flaming and disrespect will absolutely not be tolerated. Repeated violations may result in account bans. Compliance with all XDA Forum Rules and Policies is MANDATORY for all members. While you're free to discuss the technical details and merits of this exploit, as well as the wisdom in deferring updates, you WILL treat each other with respect and dignity, and those who fail to do so will no longer be permitted to participate on XDA.

    In addition, keep your posts ON TOPIC.

    If you feel someone's posts violate the Forum Rules, use the Report button and let the moderator staff handle it before it becomes an issue.

    Don't make us get involved again.
    6
    Hi:

    I'm the original author of the SMT research (https://github.com/flankerhqd/vendor-android-cves/tree/master/SMT-CVE-2019-16253) and I have been notified about this thread. My original purpose to share my research is to help the community to better utilize and protect their devices, and to help the vendors to improve device security, and to help other researchers for technical insights. I'm always glad to see this research is given a new life, and helped someone else, and further development are welcome - but it should be legal, non-profit, with proper attribution, and in good faith. Sorry to hear about that the original research has not been properly given credit.

    To prove it's indeed me - same announcement as above can be found on the Github repo's README file.

    Thanks!