***LOCKED UNTIL FURTHER NOTICE*** System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.

[xdagee]

That is unfortunately not possible. Android Verified Boot prevents custom images from starting when bootloader is locked, and the only way around this would be to sign the images using the manufacturer's secret key.

Oh wow, how heartbreaking. What exactly can be achieved with this exploit, and what are the possibilities of the outcome of the research?

 

[lividhen]

@adfree Having trouble doing this on a galaxy watch 4. Just hangs forever with the latest exe, manual method, and zt64's method. Is there a way to disable battery optimizations on wear os? Not sure if that is the problem i though id ask.

 

[adfree]

@oakieville
@K0mraid3

Dear oakieville.

Please share the adb Commands inside your EXE.

I spent so much time to find alternate steps but fail with Galaxy Watch.

Thanx in advance.

Best Regards

Edit 1.

Files I have downloaded...

Komraids System Shell V4.5.zip
Komraids System Shell V4.4.zip
K0mraids_Shell (2).zip

A

I have realized. APK inside EXE is NOT the same inside ZIP...

Example.... Komraid3s_POC_V1.6.apk is NOT what EXE push to device...


B

For me working EXE shows this... bad visible because Colors... only if I mark text...

samsungTTSVULN2.apk: 1 file pushed, 0 skipped. 1.2 MB/s (15955101 bytes in 12.473s)
Performing Streamed InstallSuccess
Success
start shell
Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }

Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }
Starting: Intent { cmp=com.samsung.SMT.lang.poc/.MainActivity }

Starting: Intent { cmp=com.samsung.SMT.lang.poc/.MainActivity }

I see 2 lines twice/double...

First I thought is Error... as it is possible to double click so also file pushed double...

C

On non tested working EXE I can see better... but...

ROLLBACK COMPLETE
STARTING SYSTEM SHELL PLEASE WAIT
IF SYSTEM SHELL DID NOT START
 PLEASE REBOOT THE DEVICE AND RETRY

And the other NOT working EXE shows this for me:

samsungTTSVULN2.apk: 1 file pushed, 0 skipped. 1.1 MB/s (15955101 bytes in 14.209s)
Performing Streamed InstallSuccess
Success
start shell
Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }

Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }
Starting: Intent { cmp=com.samsung.SMT.lang_en_us_m00/.MainActivity }

Starting: Intent { cmp=com.samsung.SMT.lang_en_us_m00/.MainActivity }

com.samsung.SMT.lang_en_us_m00/.MainActivity

With my old blind eyes I can see differences...


D

Conclusion for me...

POC APK differ in EXE...
And also Commands differ...

And I can see some experiments with Port...

Edit 2.

I need this for Galaxy Watch 4 like SM-R860 SM-R870 SM-R875F

EXE work only from this ZIP

Komraids System Shell V4.5.zip

MD5 9961198CE20CDCB3AF4049DEC4404D4E

Edit 3.

Working APK inside working EXE can be found in:

Komraids System Shell V4.4.zip

komraids_POC_V1.5.apk

MD5 2A40F3443260DC955CE100FE0E84962E

Edit 4.

samsungTTSVULN2.apk

MD5 F1244F782A0F16850629ECC90E85D1CE


Edit 5.

"EXE" in both Zips same:

Komraids System Shell V4.4.zip
Komraids System Shell V4.5.zip

MD5 07DFC1042F08965AA7A6C4A282BF48A3

systemshell-v1.3.exe

This is the working 1 for me...

 

[adfree]

After Win 7 ... I can now also confirm Win 10 for this "EXE":

systemshell-v1.3.exe

https://xdaforums.com/t/firmware-an...-csc-change-and.4323469/page-33#post-88085277

I have AVIRA Antivir on both... so folder adb is set to ignore Virus alert...

No idea if I manage this year to check my Windows 11 with other Antivir crap...

Procedure work for Galaxy Watch 4 and Watch 5...


Firmware Version GWA3 /AWA3...

Only as info... (for me)

Best Regards

 

[ForestCat]

Is there any possible way to get this type of exploit to work on a device w/ 6.0.1/Marshmallow? It shows version 201503021 as the installed Samsung-text-to-speech engine. From what I can tell, the vulnerable version requires Android 9+ ?? I need to pull the last OTA download (in /cache, I think) off of this bone-stock SM-N910T device, can't do that without root(or can I?), can't root without obliterating the stored OTA update, then I won't be able to get the OTA again? Needed for VoLTE on this device.

 

[adfree]

Tested successfully EXE with nice Colors on Win 7 Win 10 and Win 11...

With my Galaxy Watch 4... SM-R875F

https://xdaforums.com/t/firmware-an...-csc-change-and.4323469/page-33#post-88095269

No idea if normal that EXE close under Win 11...

No idea if I will test second time...

Only as info... tiny summary for Galaxy Watch 4 and Galaxy Watch 5 user(s).

Best Regards

 

[adfree]

Maybe really something interesting inside...

SM-R875F rooted... for easier switch to system...

Will later try to pull all files and folders for study...

freshul:/ $ su
Permission denied
13|freshul:/ $ su
freshul:/ # cd /data/system
freshul:/data/system # ls -a1l
total 1699
drwxrwxr-x 23 system system         8192 2023-02-05 10:40 .
drwxrwx--x 54 system system         4096 2023-02-05 10:31 ..
drwx------  3 system system         3452 2023-02-05 10:18 .aasa
-rw-------  1 system system           13 2023-02-05 10:25 HWParamTime.bin
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_GnssBatchHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_GnssBatchHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:40 LPX_LowPowerModeHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_LowPowerModeHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_MobileSettingHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_MobileSettingHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_ProviderHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_ProviderHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_SettingHistory
-rw-------  1 system system            0 2023-02-05 10:20 LPX_SettingHistory-journal
-rw-rw----  1 system system        24576 2023-02-05 10:33 LPX_location-history
-rw-------  1 system system            0 2023-02-05 10:20 LPX_location-history-journal
-rw-rw----  1 system system        32768 2023-02-05 10:31 PkgPredictions.db
-rw-------  1 system system            0 2023-02-05 10:18 PkgPredictions.db-journal
drwx------  3 system system         3452 2023-02-05 10:18 appops
-rw-------  1 system system        12902 2023-02-05 10:31 appops.xml
drwx------  2 system system         3452 2023-02-05 10:31 battery-history
drwx------  2 system system         3452 2023-02-05 10:18 battery-saver
-rw-------  1 system system       185980 2023-02-05 10:31 batterystats.bin
-rw-------  1 system system          261 2023-02-05 10:32 cachequota.xml
-rw-------  1 system system          136 2023-02-05 10:22 device_policies.xml
-rw-------  1 system system          367 2023-02-05 10:18 display-manager-state.xml
-rw-------  1 system system          149 2023-02-05 10:23 display_settings.xml
drwx------  2 system system         3452 2023-02-05 10:40 dropbox
-rw-------  1 system system          512 2023-02-05 10:31 entropy.dat
drwx------  3 system system         3452 2023-02-05 10:23 graphicsstats
drwx------  2 system system         3452 2023-02-05 10:17 heapdump
drwx------  2 system system         3452 2023-02-05 10:18 ifw
drwx------  2 system system         3452 2023-02-05 10:18 install_sessions
-rw-------  1 system system           70 2023-02-05 10:31 install_sessions.xml
drwx------  2 system system         3452 2023-02-05 10:18 integrity_rules
drwx------  2 system system         3452 2023-02-05 10:18 integrity_staging
drwx------  2 system system         3452 2023-02-05 10:40 job
-rw-------  1 system system            0 2023-02-05 10:18 last-fstrim
-rw-------  1 system system          484 2023-02-05 10:32 last-header.txt
-rw-rw----  1 system system        20480 2023-02-05 10:32 locksettings.db
-rw-------  1 system system          272 2023-02-05 10:32 log-files.xml
srwxrwxrwx  1 system system            0 2023-02-05 10:31 ndebugsocket
-rw-------  1 system system          292 2023-02-05 10:31 netpolicy.xml
drwx------  2 system system         3452 2023-02-05 10:33 netstats
-rw-rw----  1 system system        28672 2023-02-05 10:33 notification_log.db
-rw-------  1 system system            0 2023-02-05 10:18 notification_log.db-journal
-rw-------  1 system system        23102 2023-02-05 10:40 notification_policy.xml
-rw-------  1 system system         1852 2023-02-05 10:31 overlays.xml
-rw-------  1 system system          358 2023-02-05 10:31 package-cstats.list
-rw-------  1 system system         1227 2023-02-05 10:31 package-dcl.list
-rw-------  1 system system         5185 2023-02-05 10:31 package-dex-usage.list
-rw-------  1 system system         8753 2023-02-05 10:31 package-usage.list
-rw-------  1 system system          536 2023-02-05 10:33 package-watchdog.xml
drwx------  3 system system         3452 2023-02-05 10:31 package_cache
-rw-rw----  1 system system       488363 2023-02-05 10:33 packages-backup2.xml
-rw-r-----  1 system package_info  28675 2023-02-05 10:33 packages.list
-rw-rw----  1 system system       488363 2023-02-05 10:33 packages.xml
-rw-------  1 system system          151 2023-02-05 10:30 predictor-structure
drwx------  2 system system         3452 2023-02-05 10:18 procexitstore
drwx------  2 system system         3452 2023-02-05 10:31 procstats
-rw-rw----  1 system system        45056 2023-02-05 10:31 recoverablekeystore.db
-rw-rw----  1 system system        16384 2023-02-05 10:34 rut.db
-rw-------  1 system system            0 2023-02-05 10:18 rut.db-journal
-rw-------  1 system system           14 2023-02-05 10:30 screen_on_time
drwx------  2 system system         3452 2023-02-05 10:18 sensor_service
-rw-------  1 system system          114 2023-02-05 10:19 shortcut_service.xml
-rw-------  1 system system         1026 2023-02-05 10:30 ssrm_heating.log
drwx------  2 system system         3452 2023-02-05 10:18 stats_pull
drwx------  2 system system         3452 2023-02-05 10:30 sync
drwxrwxr-x  2 system system         3452 2023-02-05 10:31 time
-rwxrwxr--  1 system system         7808 2023-02-05 10:41 uiderrors.txt
srw-rw-rw-  1 system system            0 2023-02-05 10:31 unsolzygotesocket
drwxrwxr-x  4 system system         3452 2023-02-05 10:31 users
-rw-rw----  1 system system        16384 2023-02-05 10:31 watchlist_report.db
-rw-------  1 system system            0 2023-02-05 10:18 watchlist_report.db-journal
-rw-------  1 system system          238 2023-02-05 10:18 watchlist_settings.xml

Edit 1.

freshul:/data/system $ cd ..
freshul:/data $ cp -r system /sdcard/Download
cp: /sdcard/Download: Permission denied
1|freshul:/data $ exit
1|freshul:/data/system # whoami
root
freshul:/data/system # cd ..
freshul:/data # cp -r system /sdcard/Download
cp: /sdcard/Download/system/unsolzygotesocket: Permission denied
cp: /sdcard/Download/system/ndebugsocket: Permission denied

Will check first result...

Edit 2.

D:\Android\adb>adb pull /sdcard/Download .\sys1
/sdcard/Download/: 313 files pulled, 0 skipped. 0.3 MB/s (4691250 bytes in 15.747s)

Edit 3.

Device is in Standalone Mode... later I will try to pair/setup... to see if with Samsung Account and Google Account and the other crap... this snapshot folder appear...

recoverablekeystore.db

Is stupid SQlite Database... at the moment empty...

 

[adfree]

After many failSSS... tiny progress with Combination Firmware WITHOUT eToken.

https://xdaforums.com/t/firmware-an...-csc-change-and.4323469/page-33#post-88100625

Galaxy Watch 4... Rooted SM-R875F...

Only as info... maybe for me...

Best Regards

 

[omaralwardian]

Starting: Intent { cmp=com.samsung.SMT/.gui.DownloadList }
Error: Activity not started, unknown error code -101

??
Samsung Snapdragon S21 Ultra Canada (you mentioned most Samsungs should work)

 

[adfree]

@omaralwardian​

Maybe if you give more details... what you tried and where you fail.

Example...

Windows User? You play with the "EXE" or you tried the manually way or you on Linux or you...

Then maybe also helpfull... to give more infos about your S21...
Firmware Details...

I am for instance from Germany... so I have no device from Canada...

Best Regards

 

[omaralwardian]

@omaralwardian​

Maybe if you give more details... what you tried and where you fail.

Example...

Windows User? You play with the "EXE" or you tried the manually way or you on Linux or you...

Then maybe also helpfull... to give more infos about your S21...
Firmware Details...

I am for instance from Germany... so I have no device from Canada...

Best Regards

Yes, my friend, sorry about that.

So, two different methods I have tried so far. Details:

Product—S21 Ultra 512 GB, 16 GB RAM

MODEL—SM-G998W

Processor—SD 888

CSC - XAC

Windows 10

Android security patch level
January 1, 2023

1.) I downloaded your .zip file from GitHub, and followed those directions, your app opens up, I click on start new shell, the dialogue begins in your app window, eventually the APK opens on my phone (lang.pac) and the shell opens on my PC. The black shell window opens but does not fill with any text. I tried to type something in and nothing happens. Same with your app after the start download command is given, nothing happens. Eventually, the shell window closes, and I cannot open it again without rebooting my phone. The restart shell button basically doesn't work whatsoever. It says fail, reboot the phone almost every time.

2.) I went through the manual process of opening my shell, and pushing your APK, installing the provided APK on my device, after I got to step 5 where I put the download command in which is listed in the steps, that is the message I got and I cannot get any further.

 

[omaralwardian]

Edit: duplicate. Deleted.

 

[adfree]

No panic. Nothing here is my....

I know it is not easy.

Sorry I have no modern Phone like S21...

You have seen this forked Github?

GitHub - zt64/tts-system-shell: Exploit for gaining system shell access using a vulnerability in Samsung TTS

Exploit for gaining system shell access using a vulnerability in Samsung TTS - zt64/tts-system-shell

github.com

Steps​

1. Install the app-release.apk in the latest release
2. Reboot the device
3. Run the script in assets, making sure to also have the apk directory in the same directory as the script.
   • If you're on Linux this is exploit.sh
   • If you're on Windows this is exploit.bat
4. If all goes well, the script should say:
   • /system/bin/sh: can't find tty fd: No such device or address
     /system/bin/sh: warning: won't have full job control
     

Maybe this is easier to handle with your S21.

Hopefully somebody with S21 can help you.

Best Regards

 

[omaralwardian]

No panic. Nothing here is my....

I know it is not easy.

Sorry I have no modern Phone like S21...

You have seen this forked Github?

GitHub - zt64/tts-system-shell: Exploit for gaining system shell access using a vulnerability in Samsung TTS

Exploit for gaining system shell access using a vulnerability in Samsung TTS - zt64/tts-system-shell

github.com

Maybe this is easier to handle with your S21.

Hopefully somebody with S21 can help you.

Best Regards

Hi,

Is there any way you can update your EXE? I think the SMT package you have on the script might be off.

Here is what I have:

Samsung Text-to-Speech
com.samsung.SMT

Actives close which are present in that package:

com.samsung.SMT.gui.DownloadList
com.samsung.SMT.gui.DownloadListEx

 

[world]

Can we use this to get bootloader unlock option on the A205U?

 

[omaralwardian]

@adfree

 

[sunil_suny]

I am getting this error
adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk
Failure [-3005: INSTALL_FAILED_ADP_VERSION_LOCKED]

Samsung F23 5G, India model.

 

[adfree]

@omaralwardian

Sorry. I wasted my time... successfully... only with the EXE file and my Galaxy Watch 4... SM-R875F

Under Windows 7 and Windows 10 and Windows 11 with Avira Antivir...

Looks like this:

https://xdaforums.com/t/firmware-an...-csc-change-and.4323469/page-31#post-88030481

https://xdaforums.com/t/firmware-an...-csc-change-and.4323469/page-33#post-88085277

https://xdaforums.com/t/firmware-an...-csc-change-and.4323469/page-33#post-88095269

I have NO solution for me working without EXE... but I have only GW4 for tests...


Maybe somebody with modern phone can help...

Same for you.

@sunil_suny

I am not 100 % sure if this is "impossible" now on S23...

I read something on telegram group...

Better somebody with S23 can confirm.

I hope somebody will answer.

Best Regards

 

[joenamcoutinho]

is there any way to contact you? I have an A71 with KG LOCKED, it would be interesting to test some commands on it, to see if I can get KG COMPLETED, just like yours

I am also in the same boat. Im wondering if I can somehow root my S22 ultra (KG blocked, KG state: LOCKED) or atleast a way to get the bootloader unlocker. If someone could please help me

 

[sunil_suny]

How to downgrade SMT ?