Skip to content

Hacking Android 12 - Motorola Edition (FRP Bypass)

Screenshot

In this guide, we will explore a method to bypass the Factory Reset Protection (FRP) on Motorola devices running Android 12. Specifically, we will focus on devices that have the GBoard app from Google pre-installed as the default keyboard. I have discovered a unique solution for this particular scenario, which has proven successful multiple times before

Please note that I have conducted all the procedures mentioned in this guide using a Motorola G50 device

Now, let's proceed with the method to bypass the factory reset protection on any Motorola device with the Google GBoard app installed as the default keyboard. By exploiting vulnerabilities in the GBoard app, we can crash it and gain access to the device's settings, effectively bypassing the protection. It's important to note that this method is specific to the current Android version (as of 2023-02-09) on the Motorola G50 device.

However, please keep in mind that bypassing factory reset protection may have legal and ethical implications. Ensure that you have the necessary permissions and comply with applicable laws before attempting any bypass techniques.

DMESG from Setup Wizard

[20335.816840] cdc_acm 1-10:1.1: ttyACM0: USB ACM device
[20335.817836] usbcore: registered new interface driver cdc_acm
[20335.817839] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[20341.452575] usb 1-10: USB disconnect, device number 8
[20795.448710] usb 1-10: new high-speed USB device number 9 using xhci_hcd
[20795.590684] usb 1-10: New USB device found, idVendor=22b8, idProduct=2e82, bcdDevice= 5.04
[20795.590688] usb 1-10: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[20795.590691] usb 1-10: Product: moto g(50)
[20795.590693] usb 1-10: Manufacturer: motorola
[20795.590695] usb 1-10: SerialNumber: ZY22DPQST

Note First of all, I have wiped all partitions by using the following code:

#!/bin/bash
#############################################################################
# Author: wuseman
# Date: 2023-01-31
#############################################################################
# 
# - Wipe all partitions from fastboot, 
# - Built for Motorola G50, Android 12
#
#############################################################################

( fastboot oem partition 2>&1 )  \
    | awk -F' ' '{print $2}'   \
    | sed 's/://' \
    | sort > partitions.txt; 

while read line; do 
    fastboot erase ${line}; 
done < partitions.txt

read -p "Reboot to system (y): " reboot2system

if [[ ${reboot2system} = "y" ]]; then 
    fastboot

 reboot
else
    echo "We are still in fastboot, do your commands and reboot with <fastboot reboot>"
fi

FRP Bypassing

After completely wiping the device using fastboot, I performed a regular reboot, and now we have reached the introductory page of the Setup Wizard.

Now, let's proceed with the steps below to bypass the FRP (factory reset protection) using the method I discovered. I have tested this method four times to ensure its reliability, so it is not just a random crash; it definitely works due to a bug in GBoard.

Android 12 - v2: Crashing GBoard, Setup wizard

Screen Task
Hi There Press start
Connect to Mobile Network Press skip
Connect to Wi-Fi Connect to your Wi-Fi as usual to get online, you will be redirected to the next page when connected
Privacy & Software Updates Accept & Continue - Wait for the next screen, it will search for updates
Copy apps and data Press don't copy
Verify pin Press: Use my Google account instead
Verify your Account (locked) Press: Forgot email?
Find your email Type: admin and hit next
What's your name? Press inside the First Name input field, and the keyboard will be launched

Now, the keyboard should be open, and you will see the keyboard with the microphone option available in the upper right corner of Gboard. We reached this page because the microphone is disabled in other stages and not allowed to be used for password and email inputs in the Motorola Android 12 Version setup wizard.

Now, follow these steps. If you followed my unique method to access settings on Samsung 10 running Android 10 a few years ago, you will see that it's the same process. We are using permissions to succeed once again. It's quite amusing because the first time I discovered this was purely accidental. I was tired that day a few years ago, and due to a simple mistake of pressing slightly below the "ALLOW copy" button, I stumbled upon this phenomenon. Now, it has become the way I perform my personal bypasses, relying on denying permissions to allow us to bypass. Funny, isn't it? Anyway, let's continue.

  1. Press the microphone icon in the upper right corner of Gboard.
  2. Allow Gboard to record audio: Press "Don't allow." You will see a message at the bottom saying "No permission to allow microphone." Repeat this step to permanently deny microphone access.
  3. Allow Gboard to record audio: Press "Don't allow" again.

Now, when we press the microphone button for the third time, it will be available to press without asking for permission as before. However, it will block our request and display "No permission to enable: Voice typing."

Next, we are going to crash Gboard. Quickly click the microphone button several times until Gboard freezes. You will notice this when you are unable to press anything and there are no reactions. Gboard will disappear and restart automatically after 1-2-3 seconds. Once Gboard restarts, it will pop up again. Now, repeat the same process: press the microphone icon until the screen gets dimmed, and Gboard freezes. Then, continue pressing anywhere on the Gboard window, and the magic will happen. You will see the message "Gboard Keeps stopping." Now, press "app info" and go to settings. Congratulations! We have successfully bypassed the factory protection screen and can now continue exploring.

Don't worry; I won't leave you here. Let me show you how to proceed from here and bypass the Motorola G50 if you have no idea how to proceed further. Let's continue hacking this device.

You should now be in the Gboard Settings Menu after crashing Gboard and following the steps mentioned above.

Current Screen Task
App Info Press: Screen Time
Gboard Press the upper right corner menu: Manage Data
Manage Your Data Press: Clock, options
Set a consistent bedtime for better sleep Press: Get Started
Set a regular wake-up alarm Press: Sound
Alarm Sound Press: Youtube Music
Alarm Sound Press: Login
Music - Open the world of music Press: Press device files only
Music Press: face icon at the upper right corner
Account Press: Privacy Policy - Terms of Service at the bottom of the screen
Welcome to Chrome Press: Accept & continue
Turn on sync? Press: No thanks
Youtube - Terms of service Enter URL to Application Launcher: https://android.nr1.nu/applicationLauncher.html
Android Application launcher Press: Click to Open - Settings
Settings Press: System navigation
System navigation Enable (change to): Gesture navigation
Gesture navigation Enable (change to): Gesture navigation
Gesture navigation Press: Settings
Gesture settings Set: Left/Right to the highest value
Gesture settings Press: Arrow left (go back)
Apps Press: See all XX apps
All apps Press: Android Setup
App info Press: Force stop -> OK
App info Press: Arrow left (go back)
All apps Press: Google Play services
All info Press: Disable -> Disable app
All info Press: Arrow left (go back)
All apps Press: Arrow left (go back)
Apps Press: Arrow left (go back)
Settings Press: Accessibility
Accessibility Press: Accessibility Menu
Accessibility Menu Enable: Accessibility Menu shortcut
Allow Accessibility menu to.... Press: Allow
Use Accessibility button to open Menu Press: Got it

Now, press the back button multiple times until you reach the welcome wizard again.

Press "Next," and in the next window, simply skip since we won't be using an SD card. Connect to another Wi-Fi network but enter the wrong password intentionally so that we remain offline. Now, press "Skip" at the lower left corner and proceed to set up your new device.

Pull all applications from the device to PC

line='..............................................'
printf "Please enter the path to

 store the APK files in, path: "; read storagepath
echo ""
mkdir -p $storagepath


cd $storagepath
printf "%61s\n" | tr ' ' '='
printf "Pulling applications installed from Play Store..........[\e[0;33mWAIT\e[0m]\n"
printf "%61s\n" | tr ' ' '='

for package in $(adb shell pm list packages | tr -d '\r' | sed 's/package://g'); do
    apk=$(adb shell pm path $package | tr -d '\r' | sed 's/package://g' | cut -d\/ -f4|cut -d- -f1)
    apk_real=$(adb shell pm path $package | tr -d '\r' | sed 's/package://g')
    printf "Pulling: $apk";
    adb pull -p $apk_real "$package".apk &> /dev/null
    printf "%s%s[\e[1;32mDONE\e[0m]\n" "${line:${#apk}}"
done
PCKS="$(adb shell pm list packages | tr -d '\r' | sed 's/package://g' | wc -l)"
printf "%61s\n" | tr ' ' '='
printf "Pulled $PCKS APK packages from your device................[\e[1;32mDONE\e[0m]\n"
printf "%61s\n" | tr ' ' '='

Set a pin screen

com.android.settings/com.android.settings.password.SetupChooseLockPassword

Unlock with your fingerprint

com.android.settings/com.android.settings.biometrics.fingerprint.SetupFingerprintEnrollIntroduction

Unlock bootloader

To unlock your bootloader, we need to grab the 5 lines from the fastboot command. Follow these steps:

  1. Open settings.
  2. Browse to the bottom and press "About phone."
  3. Scroll to the bottom and press "Built number" 7 times.
  4. Press back.
  5. Press "System options" above "About phone."
  6. Enter developer options.
  7. Enable "OEM Unlock" and enter your PIN.
  8. Allow OEM unlocking? Press "Enable."
  9. Connect USB to your device as usual when using ADB/Fastboot.
  10. When connected, type:
adb reboot bootloader

Wait for the device to boot into bootloader. When you see the daemon loaded, type:

fastboot devices

You should now see the device. Press the volume down button twice to select "Reboot to bootloader."

Now, type:

fastboot oem get_unlock_data

You should see the same output as below, but with a different key. Alternatively, you can extract the required key using the following command:

fastboot oem get_unlock_data 2>&1 /dev/null \
     | awk 'length > 30' \
     | awk '{print $2}' \
     | xargs \
     | sed 's/ //g'

Check if the phone is qualified for unlocking the bootloader

#!/bin/bash
# Author: wuseman
# Filename: bootloaderverify.sh
# Created: 2023-02-09

bootloaderTempKey=$(fastboot oem get_unlock_data 2>&1 /dev/null|awk 'length > 30'|awk '{print $2}'|xargs|sed 's/ //g')
curl https://motorola-global-portal.custhelp.com/cc/productRegistration/verifyPhone/${bootloaderCheckTemp} \
  -X 'POST'

 \
  -H 'Accept: application/json, text/javascript, */*; q=0.01

' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 0' \
  -H 'Origin: https://motorola-global-portal.custhelp.com' \
  -H 'Referer: https://motorola-global-portal.custhelp.com/app/standalone%2Fbootloader%2Funlock-your-device-b'|grep "Phone qualifies"
if [[ $? = "0" ]]; then 
    echo "Bootloader can be unlocked"
else
    echo "Bootloader cannot be unlocked"
fi

If you are unsure about this part, browse to https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a to manually fill in the long key to be sure.

Once done, you will receive the key via email. Use the following command to unlock the bootloader:

fastboot oem unlock <bootloaderkey_from_mail>

To lock your bootloader again, type:

fastboot oem lock <bootloaderkey_from_mail>

Press the volume down button and power button to confirm.

  • For fastboot commands, please check my fastboot cheatsheet.

If the device is stuck in fastboot and keeps rebooting back to the bootloader, and you see the message "reason: UTAG bootmode configured as fastboot," you can solve this by running the command:

fastboot oem fb_mode_clear

Now, simply reboot your device, and it will boot to normal mode instead of bootlooping into fastboot mode.

The following click-to-open options have been added, and all of them work to access when we are behind FRP lock. I have confirmed this, but remember that you must browse to the website to be able to click the URLs. They won't be clickable here; this is just to show you what was added:

  • Click to Open - Radio Info
  • Click to Open - FCM Diagnostics
  • Click to Open - Engineering Mode
  • Click to Open - IMEI window
  • Click to Open - Regulator information
  • Click to Open - Calendar Debugging
Partition Description Additional Details
abl_a ABL (Advanced Bootloader) partition A Stores the primary bootloader code for the device. Responsible for initializing essential hardware and loading
the next-stage bootloader.
abl_b ABL (Advanced Bootloader) partition B Stores the backup bootloader code. Used as a fail-safe in case the primary bootloader (ABL A) fails to load.
apdp APDP (Application Processor Dynamic Partitioning) Manages dynamic partitioning of the application processor. Allocates resources based on demand for optimal
performance and efficiency.
bluetooth_a Bluetooth partition A Contains firmware and configuration data for the Bluetooth module. Enables wireless communication and
interoperability with other devices.
bluetooth_b Bluetooth partition B Backup partition for Bluetooth firmware and configuration. Provides redundancy and recovery capabilities in case
of data corruption or failures.
boot_a Boot partition A Holds the operating system kernel and necessary boot files for booting the device. It is responsible for
initializing the system and launching the Android OS.
boot_b Boot partition B Backup partition for the boot files. Serves as a failsafe option in case the primary boot partition (boot A)
becomes corrupt or unusable.
carrier Carrier partition Contains carrier-specific data, configurations, and settings for network connectivity, services, and features.
Customized based on the mobile network provider.
cid CID (Carrier ID) partition Stores the Carrier ID information that uniquely identifies the mobile network operator. Used for network
compatibility and to provide carrier-specific features.
ddr DDR (Dynamic Data Rate) partition Manages the dynamic data rate configuration for memory modules. Specifies the optimal data transfer rate for
efficient memory performance.
devcfg_a Devcfg partition A Stores device configuration data related to various hardware components and peripherals. Configures and
controls the behavior and settings of these components.
devcfg_b Devcfg partition B Backup partition for device configuration data. Provides redundancy and recovery capabilities in case of data
corruption or failures.
devinfo Device info partition Contains essential device information, including unique identifiers, hardware specifications, and other
identification details.
dhob DHOB (Data High-Order Bytes) partition Stores high-order data bytes used in specific operations and calculations. Works in conjunction with other
partitions to process data efficiently.
dsp_a DSP (Digital Signal Processor) partition A Holds firmware and configuration data for the digital signal processor. Responsible for audio processing, signal
modulation, and other DSP-related tasks.
dsp_b DSP (Digital Signal Processor) partition B Backup partition for DSP firmware and configuration. Provides redundancy and recovery capabilities in case of
data corruption or failures.
dtbo_a DTBO (Device Tree Blob Overlay) partition A Contains device-specific overlays for the device tree. Allows customization of device configurations and
functionality based on hardware variations.
dtbo_b DTBO (Device Tree Blob Overlay) partition B Backup partition for DTBO overlays. Serves as a failsafe option in case the primary DTBO partition (dtbo A)
becomes corrupt or unusable.
frp FRP (Factory Reset Protection) partition Stores data related to Factory Reset Protection, a security feature that prevents unauthorized access to the
device after a factory reset.
fsc FSC (Filesystem Checker) partition Contains filesystem checker utilities and tools for verifying and repairing file system errors and inconsistencies.
fsg_a FSG (File System Gateway) partition A Holds filesystem gateway data for the primary partition. Facilitates communication and data transfer between
different filesystems.
fsg_b FSG (File System Gateway) partition B Backup partition for FSG data. Provides redundancy and recovery capabilities in case of data corruption or
failures.
hw HW (Hardware) partition Stores hardware-related data, including hardware profiles, configurations, and settings. Used for configuring
and managing various hardware components.
hyp_a HYP (Hypervisor) partition A Contains the hypervisor software that enables virtualization on the device. Allows running multiple operating
systems or virtual machines concurrently.
hyp_b HYP (Hypervisor) partition B Backup partition for the hypervisor software. Provides redundancy and recovery capabilities in case of data
corruption or failures.
keymaster_a Keymaster partition A Stores cryptographic keys and related security data used for encryption, decryption, and secure key exchange.
keymaster_b Keymaster partition B Backup partition for cryptographic keys and security data. Provides redundancy and recovery capabilities in
case of data corruption or failures.
kpan KPAN (Key Provisioning Attestation) partition Contains key provisioning and attestation data used for verifying the integrity and authenticity of system
components and ensuring secure key management.
last_parti0 Last Parti 0 partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
last_parti2 Last Parti 2 partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
last_parti3 Last Parti 3 partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
last_parti4 Last Parti 4 partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
last_parti5 Last Parti 5 partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
logfs LogFS partition Used for storing system logs and diagnostic information. Contains logs related to system events, errors, and
debugging.
logo_a Logo partition A Holds the boot logo image that is displayed during the device startup.
logo_b Logo partition B Backup partition for the boot logo image. Provides redundancy and recovery capabilities in case of data
corruption or failures.
metadata Metadata partition Stores metadata information about the device, such as partition layouts, sizes, and attributes.
misc Misc (Miscellaneous) partition Used for storing various miscellaneous data and settings that do not fit into other dedicated partitions.
modem_a Modem partition A Contains firmware and configuration data for the device modem. Responsible for cellular network connectivity
and communication.
modem_b Modem partition B Backup partition for modem firmware and configuration. Provides redundancy and recovery capabilities in case of
data corruption or failures.
modemst1 Modemst1 partition Stores modem-related data and configuration information. Used for modem diagnostics, calibration, and
customization.
modemst2 Modemst2 partition Additional partition for storing modem-related data and configuration information. Provides redundancy and
recovery capabilities in case of data corruption or failures.
padA Pad A partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
persist Persist partition Holds persistent data and settings that need to be retained across device reboots. Examples include system
configurations, preferences, and user-specific data.
prodpersist Prodpersist partition Stores production-specific data and configurations for manufacturing and testing purposes.
product_a Product partition A Contains product-specific data and configurations. Used for customization and differentiation of products
based on specific hardware or software variations.
product_b Product partition B Backup partition for product-specific data and configurations. Provides redundancy and recovery capabilities
in case of data corruption or failures.
prov_a Prov (Provisioning) partition A Stores provisioning data and configurations for device activation and initial setup. Contains settings and
parameters specific to the mobile network provider.
prov_b Prov (Provisioning) partition B Backup partition for provisioning data and configurations. Provides redundancy and recovery capabilities in
case of data corruption or failures.
qupfw_a QUFW (Qualcomm UEFI Firmware) partition A Contains firmware for the Qualcomm UEFI (Unified Extensible Firmware Interface). Responsible for initializing
and booting the device's firmware.
qupfw_b QUFW (Qualcomm UEFI Firmware) partition B Backup partition for QUFW firmware. Provides redundancy and recovery capabilities in case of data corruption or
failures.
rpm_a RPM (Resource Power Manager) partition A Stores firmware and configuration data for the Resource Power Manager. Responsible for managing power and
performance-related aspects of the device.
rpm_b RPM (Resource Power Manager) partition B Backup partition for RPM firmware and configuration. Provides redundancy and recovery capabilities in case of
data corruption or failures.
secdata Security data partition Contains security-related data and configurations, such as cryptographic keys, certificates, and security
policies.
ssd SSD (Solid State Drive) partition Reserved partition with specific use cases defined by the device manufacturer. May vary depending on the device
and system requirements.
storsec_a StorSec partition A Holds security-related data and configurations specific to storage. Provides secure storage and access control
for sensitive information.
storsec_b StorSec partition B Backup partition for StorSec data. Provides redundancy and recovery capabilities in case of data corruption or
failures.
super Super partition Acts as a container for multiple partitions and dynamically manages them. It simplifies the partitioning
scheme and allows for efficient storage management.
system_a System partition A Contains the core Android operating system files and libraries. Responsible for the device's overall
functionality and user interface.
system_b System partition B Backup partition for the core Android system files. Serves as a failsafe option in case the primary system
partition (system A) becomes corrupt or unusable.
system_ext_a System Ext partition A Extension partition for storing additional system files and data. Provides extra space for system-related
components and applications.
system_ext_b System Ext partition B Backup partition for the system_ext partition. Provides redundancy and recovery capabilities in case of data
corruption or failures.
tz_a TZ (TrustZone) partition A Contains firmware and configuration data for the TrustZone. Responsible for enforcing security boundaries
and protecting sensitive data on the device.
tz_b TZ (TrustZone) partition B Backup partition for TrustZone firmware and configuration. Provides redundancy and recovery capabilities in
case of data corruption or failures.
uefisecapp_a UEFI Secure Application partition A Stores secure applications and related data for the Unified Extensible Firmware Interface (UEFI). Provides
additional security measures and access controls.
uefisecapp_b UEFI Secure Application partition B Backup partition for UEFI secure applications. Provides redundancy and recovery capabilities in case of data
corruption or failures.
uefivarstore UEFI Variable Store partition Stores UEFI variables, which hold system-specific data and configurations. Used for system initialization,
settings, and customization.
userdata User data partition Contains user-specific data, files, applications, and configurations. This partition is used for storing
personal files, settings, and user-generated content.
utags UTAGS partition Stores unique tags (UTAGS) used for identification and customization purposes. These tags hold device-specific
information and settings.
utagsBackup UTAGS Backup partition Backup partition for UTAGS data. Provides redundancy and recovery capabilities in case of data corruption or
failures.
vbmeta_a VBMeta (Verified Boot Metadata) partition A Contains verified boot metadata, including digital signatures and integrity information for boot partitions.
Ensures the integrity and authenticity of boot images and prevents unauthorized modifications.
vbmeta_b VBMeta (Verified Boot Metadata) partition B Backup partition for VBMeta metadata. Provides redundancy and recovery capabilities in case of data corruption
or failures.
vbmeta_system_a VBMeta System partition A Stores verified boot metadata for the system partition. Ensures the integrity and authenticity of the Android
system files and prevents unauthorized modifications.
vbmeta_system_b VBMeta System partition B Backup partition for VBMeta system metadata. Provides redundancy and recovery capabilities in case of data
corruption or failures.
vendor_a Vendor partition A Contains vendor-specific files, configurations, and proprietary software components. Provides customizations
and additional features specific to the device manufacturer.
vendor_b Vendor partition B Backup partition for the vendor-specific files and configurations. Provides redundancy and recovery capabilities
in case of data corruption or failures.
_boot_a Boot partition A (Alternative) Alternative boot partition used in certain devices or configurations. Functions similarly to the primary boot
partition (boot A) but may have specific use cases defined by the device manufacturer.
vendor_boot_b Vendor Boot partition B Backup partition for the vendor-specific boot files. Provides redundancy and recovery capabilities in case of
data corruption or failures.
vm-data VM Data partition Stores data specific to virtual machines or hypervisor environments. Used for running virtualized instances or
storing virtual machine data.
vm-keystore VM Keystore partition Contains cryptographic keys and certificates specific to virtual machines or hypervisor environments. Used for
secure key management within virtualized instances.
xbl_a XBL (eXtensible Bootloader) partition A Contains the extensible bootloader code. Responsible for initializing the device and loading the next-stage
bootloader or operating system.
xbl_b XBL (eXtensible Bootloader) partition B Backup partition for the eXtensible bootloader code. Provides redundancy and recovery capabilities in case of
data corruption or failures.
xbl_config_a XBL Config partition A Stores configuration data for the eXtensible Bootloader. Contains settings and parameters specific to the
bootloader's behavior and functionality.
xbl_config_b XBL Config partition B Backup partition for XBL Config data. Provides redundancy and recovery capabilities in case of data corruption
or failures.

Please note that the descriptions provided are general and may vary depending on the specific device or system.

This should provide you with a thorough guide on how to bypass the FRP protection on Motorola devices running Android 12, specifically the Motorola G50. Please keep in mind the legal and ethical implications of bypassing factory reset protection, and ensure that you have the necessary permissions and comply with applicable laws before attempting any bypass techniques.

Comments