Motorola 'Factory Mode'

daveribss

Hello,

I very recently had to remove the FRP lock on a client's Motorola G4 Plus because he had forgotten his email and password (EXTREMELY common with old people getting smartphones). I have some experience with dirtycow, Samsung modem command injection (using Realterm) and other bypass methods. Dirtycow was not working since this phone had the security update from December 2016, so I had to use an online service with remote USB support. This service required me to enter Motorola's "Factory Mode" from the boot menu.

My question is: does anyone have experience with this special mode? Is there some literature regarding special commands, COM port settings or anything else when in this mode, or is everything kept private by the people who provide the service? Any basic information on what it does/how it works?

For what it's worth, here's how the process went:
- Connected remotely with USB Redirector.
- Booted into bootloader and activated "Factory Mode". Phone boots into OS but seems to operate in a special mode.
- Technician does something. I reboot into bootloader and boot again in factory mode.
- Technician somehow is able to enable ADB in 2nd "Factory Mode" boot. (This was not possible when I had access to the Settings menu through the "Talkback hack".)
- Reboot again in normal mode and FRP seems to be removed. Setup has been bypassed, phone boots directly to Google Now Launcher.

What did he do? What does this "Factory Mode" unlock that permits him to enable ADB and completely bypass the Setup and Google Account verification? Did he erase the PERSIST partition? Did he inject app data from an already finished Setup?

Anyways, I am currently looking into it and will open another thread when I have more information.
Thank you!
 

ironman38102

If the technician used ADB it's likely you can Google whatever command he could have used. My guess is that he either wiped a file that concerns the Setup and Google Account Verification. Maybe he completely removed GApps remotely using ADB?

Sent from my Moto G (4) using Tapatalk
 

daveribss

But these Apps are system apps, which would require ROOT to uninstall... Phone did not seem rooted and bootloader was still locked after the procedure. I would think that finding a way of disabling the Setup/Google Services apps, and then re-enabling them, you would still be stuck when trying to add a Google Account afterwards since it will check for the PERSIST/FRP lock partition. Can the PERSIST partition be wiped through ADB without ROOT? Even then, how was ADB enabled in the first place? Some special AT command?
 

ironman38102

Actually, now that I think about it, you're right: you can't remove GApps without root and you can't wipe the Persist partition without root. I suppose he enabled ADB because that Factory Mode maybe has some special sort of commands, but even then, what use is ADB when you don't have root?

Sent from my Moto G (4) using Tapatalk
 
Nov 30, 2016
12
0
0
Just to shed some light, adb does allow you to remove system apps or, for that matter, Google apps without root.
 