***LOCKED UNTIL FURTHER NOTICE*** System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.

[franzzzV6]

Not work on my s23 europe

 

[franzzzV6]

samsungTTSVULN2.apk: 1 file pushed, 0 skipped. 62.5 MB/s (15955101 bytes in 0.243s)
Performing Streamed InstallSuccess
Failure [-3005: INSTALL_FAILED_ADP_VERSION_LOCKED]
ROLLBACK FAILED

 

[adfree]

System Shell Exploit still working on Galaxy Watch 4 with February Firmware Update GWB1...

Tested with SM-R860:

Notify Update

Looks Security Patch is same like in older GWA3... January...


I have NO idea nor read real feedback if Firmware Update kills System Shell Exploit...

Something like BEFORE it runs... now after Firmware Update XYZ not.

Oh forgotten. GW4 is still Android 11 crap...

Best Regards

 

[dwkindig]

Any idea why the easy mode EXE would be complaining it can't find AdbWinApi.dll? I've got the platform-tools files copied into the same folder as the EXE, but it seems like the EXE is not looking in its own directory for the DLL. Is there a specific place it is trying to look? (Windows 11 Insider, btw.)

 

[adfree]

@dwkindig​

If you follow @oakieville post here and/or on Telegram Group...

Because he creates these wonderfull colored EXEs...

A
Last ehm latest EXE is all in 1 package...

ALL files inside EXE...
Means both APKs AND ADB Files...

B
He packed and crypted and packed and crypted... so Antivirus Programs detect """something""" inside this magic EXE...

B.1
"he" wrote IMHO he unpack temporary ADB Files and/or all files into """temp""" folder...


So it could be your Antivirus let you execute the "EXE" but kills/block/stop or whatever doing with the temporary extracted files...

I NEVER found what he meant with temp...


I have tested successfully under Win 7 and Win 10 and Win 11...

With Avira Antivir... by disable adb folder for Virus Scanning...

I have NEVER seen this missing DLL Bug ehm Feature...


I have only successfully tested with Avira...

McAfee for instance no idea... I have uninstalled this ... and replaced with Avira...

I posted few times my summary...

Maybe IMHO it makes sense to give more details... maybe you can "replace" EXE with other solution posted here...

For me only the EXE work... but I am playing only with Watch.


Best Regards

Edit 1.

Here how it looks on my Windows 11 Notebook...

Firmware and Combination Firmware and FOTA Delta and CSC change and...

Looks like it could be harder since Tizen... A Stock Firmware for netOdin/Odin not available yet... B Combination Firmware not available yet C FOTA Delta File for study I have...

forum.xda-developers.com

Few posts earlier Win 10... and Win 7...

So it is no matter of Windows Version... It depends on your Antivirus "Settings"...

 

[darenfy]

I've successfully run and gotten a system shell on the device, thanks a lot.

What makes me very curious is how you got your SamsungTTSVULN2.apk.

I also try to get one available. There are no historical versions of apps in the Samsung App Store; installations of historical versions of apps from third-party app markets return INSTALL_FAILED_REJECTED_BY_BUILDTYPE.
I even manually extract the old version SamsungTTS.apk on ancient Samsung phones and install on new Samsung phones, but it still returns INSTALL_FAILED_REJECTED_BY_BUILDTYPE, which confuses me

 

[Sgtoster]

So I just want to be able to overclock my CPU and GPU. Will this allow me to do that?

 

[imatary]

This Exploit Posted in 2019, Did you mentioned the developer who publish it 3 years ago??

At least change the classes names !!!!!!!!

 

[gaelikitten]

This Exploit Posted in 2019, Did you mentioned the developer who publish it 3 years ago??

At least change the classes names !!!!!!!!

Someone pointed this out in the telegram channel for this and they just deleted it. Would be nice if credit was given where it was due.

You can see this very clearly if you take a look at the binary libmstring.so that is distributed with the POC, it still has the quirky comments in it from flanker017's write-up of this exploit. It isn't much to ask for a simple thanks to him as well, as clearly without this look at this CVE we wouldn't be talking about this issue.

It's all still there. And yet, not a mention of his work. I know plagiarism isn't really something people care about online, but if I were a security researcher I would want to make sure that those who worked on this are given their just attribution.
There are shoutouts on the first post in this thread, and not a single person on that list should be any higher than flanker017. It would be one thing if you had based your exploit on his work, but considering it launched as a repackaging of his work, he should be given credit.
It's awesome what people are managing to figure out with this exploit. It's great. But without the foundation laid out by flanker017 we wouldn't be posting in this thread today.

 

[wr3cckl3ss1]

Someone pointed this out in the telegram channel for this and they just deleted it. Would be nice if credit was given where it was due.

You can see this very clearly if you take a look at the binary libmstring.so that is distributed with the POC, it still has the quirky comments in it from flanker017's write-up of this exploit. It isn't much to ask for a simple thanks to him as well, as clearly without this look at this CVE we wouldn't be talking about this issue.

It's all still there. And yet, not a mention of his work. I know plagiarism isn't really something people care about online, but if I were a security researcher I would want to make sure that those who worked on this are given their just attribution.
There are shoutouts on the first post in this thread, and not a single person on that list should be any higher than flanker017. It would be one thing if you had based your exploit on his work, but considering it launched as a repackaging of his work, he should be given credit.
It's awesome what people are managing to figure out with this exploit. It's great. But without the foundation laid out by flanker017 we wouldn't be posting in this thread today.

Be rest assured that credit will be formally made. As many of us..have busy lives and things have got a bit busier. Things get missed and we're only human. But I'll make sure the right information is posted and also make sure...to give credit where it's needed. I'll pass the world on to k0mraid3. Thanks.....

 

[adeelraj230]

Be rest assured that credit will be formally made. As many of us..have busy lives and things have got a bit busier. Things get missed and we're only human. But I'll make sure the right information is posted and also make sure...to give credit where it's needed. I'll pass the world on to k0mraid3. Thanks.....

Waiting for your FleetKey(aka S22 Snapdragon root) any update?

 

[Mem_0]

So magical. I have successfully changed the CSC on my S906N

can u share the steps after starting the shell exploit?

 

[Mem_0]

So magical. I have successfully changed the CSC on my S906N

Me too, a huge thanks <3

 

[mohitgalaxy3]

Me too, a huge thanks <3

Looks like you have already changed csc. Good.

 

[adfree]

New day, new attempt to "replace" 1 day in 2023 the EXE for my Galaxy Watch 4...


The "new" idea in my tiny brain is to split Batch Files instead wholeIn1...

First attempt... then I will check "second" Button in beautiful colored EXE...

D:\Android\adbLEAK>A_install_AND_push_2APKs_v1.bat

D:\Android\adbLEAK>adb push .\apk4exploit\samsungTTSVULN2.apk /data/local/tmp
.\apk4exploit\samsungTTSVULN2.apk: 1 file pushed, 0 skipped. 3.3 MB/s (15955101 bytes in 4.605s)

D:\Android\adbLEAK>adb install .\apk4exploit\komraids_POC_V1.5.apk
Performing Streamed Install
Success

D:\Android\adbLEAK>pause
Drücken Sie eine beliebige Taste . . .

Later if something successfull I can upload...

For now only for my tiny brain and Windows...

Interesting 1...

/data/local/tmp

This tmp folder is not self cleaning... so you can safe for looong time...

Because over this s hitty WiFi in Galaxy Watch 4... to prevent to transfer "huge" files tooo often...

Edit 1.

Could be the Rollback Command not included in second EXE Button...

Edit 2.
Memo to me... EXE 2Button with my Batch A not success...

Will create second Batch with Rollback and chmod... maybe mandatory... who knows...

freshbs:/ $ cd /data/local/tmp
freshbs:/data/local/tmp $ ls -a1l
total 15606
drwxrwx--x 2 shell shell     3452 2023-02-17 06:00 .
drwxr-x--x 4 root  root      3452 2023-01-29 05:09 ..
-rw-rw-rw- 1 shell shell 15955101 2023-01-18 19:11 samsungTTSVULN2.apk
freshbs:/data/local/tmp $ chmod 777 samsungTTSVULN2.apk
freshbs:/data/local/tmp $ ls -a1l
total 15606
drwxrwx--x 2 shell shell     3452 2023-02-17 06:00 .
drwxr-x--x 4 root  root      3452 2023-01-29 05:09 ..
-rwxrwxrwx 1 shell shell 15955101 2023-01-18 19:11 samsungTTSVULN2.apk

Edit 3.

Batch 2...

D:\Android\adbLEAK>adb shell chmod 777 /data/local/tmp/samsungTTSVULN2.apk

D:\Android\adbLEAK>adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk
Success

D:\Android\adbLEAK>pause
Drücken Sie eine beliebige Taste . . .

Edit 4.

chmod seems not mandatory...

Still no success...

 

[omaralwardian]

After installing 2.0.3 and providing permission to the escalation app and running the app, everything runs fine except for when I go to the custom command option and type in the provisions to set the camera2API which require SAF.

This is what it says.

@adfree @K0mraid3

Edit:

All the other functions work fine however.

 

[subevilx]

After installing 2.0.3 and providing permission to the escalation app and running the app, everything runs fine except for when I go to the custom command option and type in the provisions to set the camera2API which require SAF.

This is what it says.

@adfree @K0mraid3
View attachment 5843605


Edit:

All the other functions work fine however.

View attachment 5843607
View attachment 5843609

where di u download this from?

 

[kienns1996]

where di u download this from?

Samsung Toolkit - Unlock more. - Apps on Google Play

Provides advanced tools to unlock your Samsung phone's full potential.

play.google.com

 

[kiranambati]

@K0mraid3 @adfree

Can you please help me with the issue I am facing?
Device : Galaxy watch 5 pro
I have tried all the steps given in manual way. but not able to get to the shell. it is stuck at

nc -lp 9999

Here is the screenshot

As mentioned I ran am start -n com.samsung.SMT/.gui.DownloadList in another shell

am start -n com.samsung.SMT/.gui.DownloadList

Which opened language installation screen on my watch

Can you please guide me where is the mistake?
I want to change CSC code of the watch.
please let me know if you need anymore details

TIA

 

[Sands207]

@K0mraid3 @adfree

Can you please help me with the issue I am facing?
Device : Galaxy watch 5 pro
I have tried all the steps given in manual way. but not able to get to the shell. it is stuck at

nc -lp 9999

Here is the screenshot
View attachment 5844451

As mentioned I ran am start -n com.samsung.SMT/.gui.DownloadList in another shell

am start -n com.samsung.SMT/.gui.DownloadList
View attachment 5844461

Which opened language installation screen on my watch

View attachment 5844463

Can you please guide me where is the mistake?
I want to change CSC code of the watch.
please let me know if you need anymore details

TIA

You do know you can change the csc without this tool right?