Question Removing Retail Mode from S21+

Frostyb

Member
Apr 21, 2022
15
0
Hi there, I can help you out! I have some experience with Samsung.

So first off, I take it this is an Exynos model? Snapdragons require the use of a paid service to get an unlock.

It seems you've flashed stock firmware before but it didn't work out due to Knox. Did you flash all the files including the CSC (wipe all data) file? Also, you could try flashing TWRP and that would trip Knox, at which point Knox is disabled due to detecting system modifications or it will try to roll back your modifications.
I'm not sure if it's Exynos or Snapdragon.

Yes, I flashed the official firmware with the CSC file. I have not tried flashing with TWRP yet (unsure what that is, to be honest).

In regards to your developer options question, yes, I can enable dev options on the phone, but the issue isn't removing the retail mode application; I actually know the code to remove that. The main issue is when the device is flashed and you go through the setup stage: as soon as you connect to Wi-Fi (which you cannot skip), Knox immediately kicks in and starts applying settings, and the phone sets up in retail mode without the Play Store and with restrictions on changing settings or privacy sharing.

The crossroads I'm at is somehow bypassing Knox during setup, so that the phone sets up like a regular stock phone. All the workaround videos have ways of enabling ADB, then running CMD through the PC and removing Knox before it can do anything, but I can't do that because in the videos they can connect to Wi-Fi and go back a step before Knox kicks in. On my device Knox kicks in immediately after connecting to Wi-Fi and you can't stop it.
 

razercortex

Senior Member
Apr 8, 2018
249
92
TWRP is TeamWin Recovery Project (it's a custom recovery). My hypothesis is that Knox will be disabled if it detects custom modifications to the phone, but that's yet to be tested. You can flash it here https://forum.xda-developers.com/t/recovery-unofficial-twrp-for-galaxy-s21-exynos.4241935/, just follow the guide and it should work
 
Even if it doesn't work, there'll be a chance to root the device using TWRP and with root privileges you can likely remove Knox deployment. Do note that installing TWRP does trip the Knox warranty bit to 0x1 = warranty invalid, tampered with. But that is kind of the goal here, as that might alone disable the deployment.
 
Frostyb

Member
Apr 21, 2022
15
0
Hmmm, interesting.

Sorry if I seem ignorant, but are there any downsides to using this? I know triggering Knox means you lose certain functions of the phone, but if I've read up correctly you can get the majority of the functionality back? The biggest one for me would be still being able to use banking apps.

Thanks for the help on this by the way!
 

razercortex

Senior Member
Apr 8, 2018
249
92
Most banking apps check SafetyNet, not Knox, so as long as SafetyNet passes, you should be able to use most banking apps. Even if you couldn't, just use the mobile site ;)
 

razercortex

Senior Member
Apr 8, 2018
249
92
Knox is used in Secure Folder, Samsung Pay, Samsung Health, some MDM deployments, Samsung Pass, and that's pretty much all I could think of. If you don't need access to any of these apps (or any others that need Knox untripped), you should be fine. Worst that could happen is you get a new phone, which isn't a problem considering that this phone is unusable in the first place.
 

razercortex

Senior Member
Apr 8, 2018
249
92
I would just recommend you keep your current phone or get a new one for everyday use and I would just keep this one as a spare or development phone for you to fiddle with.
 

Frostyb

Member
Apr 21, 2022
15
0
See, the goal is to make this my new phone if possible haha!

Okay, so because I'm a bit ignorant: if I'm understanding that guide correctly, I need to put the TWRP file in the AP slot in Odin, the other file in USERDATA, and leave the other slots blank? And do I do this from a stock firmware, yes?

The other part I don't understand is the step "flash magisk apk"...
 

razercortex

Senior Member
Apr 8, 2018
249
92
I mean, it's understandable that you want to use this as your new phone, but I'm not sure you'd want to do that...

Regardless, yes, the TWRP file should go in the AP slot, the vbmeta_disabler file in USERDATA. Then, you can reboot to recovery by using the button press.
 

Frostyb

Member
Apr 21, 2022
15
0
Okay, so I have followed all the steps now. I just need to flash the Magisk APK in TWRP, but I'm not sure what that means exactly?
 

razercortex

Senior Member
Apr 8, 2018
249
92
It means you need to download the magisk.apk to your phone, rename magisk.apk to magisk.zip, and flash it.
 

Frostyb

Member
Apr 21, 2022
15
0
Okay, so I have successfully flashed the device with TWRP, installed Magisk, and have root access. However, Samsung Knox still kicked in during the setup phase and booted the phone into retail mode like it did previously. I have tried removing Knox via TWRP by deleting the folder for Knox, but it didn't seem to work.
 

Frostyb

Member
Apr 21, 2022
15
0
Check /system in TWRP
I did that, Knox was totally removed from it. I even downloaded Titanium Backup to remove anything related to Knox.

I decided to do the process from the start and take some pictures. This shows me doing a full factory data wipe from inside TWRP -> deleting the Knox folder inside TWRP (before setting up the device) -> the device saying it's still protected by Knox somehow, despite it supposedly having been deleted -> Knox installing its services anyway.

There seems to be something somewhere that is triggering a full redeployment and installation of Knox from cloud servers that I need to locate and get rid of, but if it's not in the Knox folder I have no idea where to look.
 

Frostyb

Member
Apr 21, 2022
15
0
I have indeed tried that already. The problem isn't the retail mode app; I actually know the code for that because I work in a store. The problem is the device applies settings upon initial setup that install Retail mode and apply a bunch of security settings that prevent you from using the device normally (no Play Store, and certain privacy sharing is disabled). I can actually download apps fine by directly installing the APKs, so theoretically I could use the phone in this state, although I'm yet to know the exact limitations of limited privacy sharing and such.

I've completely removed Knox using TWRP, yeah, and even double-checked using an app called Titanium Backup that it's removed, but it doesn't seem to matter. As per the pictures above, when the device begins initial setup, Knox Enrollment Services seems to kick in from the cloud and it applies everything again anyway. It's very strange because the Knox services are still running on a warranty-voided device. I need to figure out some way of removing the Enrollment service part, which is what those videos we discussed previously do (they bypass it); however, the methods they use don't work for my device.

I actually have a YouTube guy who says he can get rid of the Enrollment service for 45 USD; however, he needs to remote access my PC via TeamViewer to do that and, as you can imagine, I'm not exactly keen on that idea.
 
Yeah, that (remote control) is quite suspicious. A custom ROM is the only (other) thing I can think of that would help (remove Samsung OS completely), but I don't even know what's available for this device...
 

stringman666

Member
Jul 27, 2018
17
0
Something you might try is downloading the combination firmware for your phone. Flash the combination file. Then remove retail mode. Then flash the proper firmware. No experience with this, however. But I was told it should work.
 

kbeezie

Senior Member
Feb 23, 2010
1,932
394
Grand Rapids, Mi
karlblessing.com
Depending on the CSC the unit is made for, you could grab the XAA one from Frija and flash over with Odin in download mode, since that'll flash over the system partition, which would have had the retail app installed. The retail app itself can be used to remove it, but requires a password which is usually retailer-specific.

I've noticed the demos I've installed in the past also have small hardware differences. The A* series tend to be limited to where you can't charge the battery past 60%, but nearly every one of them, be it an A71 or an S21FE, is going to have a zero'd out IMEI at some of the major retailers. These are usually sent directly from Samsung or their merchandising partner, and are usually either collected or simply tossed to electronic recycling. So having one with an intact IMEI likely means it was a retail phone from box stock that simply got pulled from inventory and had the retail demo mode installed from the web (like they do with their tablets).

Long story short, find the CSC (you can do this with something like Sam/Info or such from the Play Store), use Frija to find the firmware for that model (SM-####) + CSC to download and unpack the firmware. Then use Odin to flash it with the phone in download mode, and it should give you a fresh retail experience on the demo.