Skip to content

Index

---=== All Models Works And Are Vulnerable IF Android 12 Is Installed ===---

(Latest Security Patch from: 2022-02-01)

⚠ Patched from 2022-04-01: you must find your way around, go go hack or die! I dont have any android device anymore so I cant try, if I will get one - I'll update this post!

Security patch version for my device

No worries, I got you covered with a newer version (they are fast but not fast enough so I decided to share this wiki to the public - This hack works perfect for all Samsung devices with latest securit patch (2022-02-01) while the wiki is created it works awesome still (2022-02-21),.This method does NOT work on Android 11 so you have an Android 11 FPR locked device so you can upgrade to the latest firmware from Samsung)


  • I never report vulnerabilities to companies, they make their money if you are one of my followers here at @Github and want to report anything to the idiots feel feel free, I will succeed again and again and again so for me personally it does not matter BUT it may cause other users so think twice before contacting the companies, they have enough developers to figure out things on their own and be happy as long as it works! My old screenshot method wich I found some idiot reported this vulnerability was patched fast unfortunately, but for whose benefit? Not to ours, just for the greedy companies out there.

Now let's hack!

1) Power on your device with Android 12 installed

2) Press start at welcome screen

3) Press End user license agreement and move on

4) Select wifi network

Connect to the wifi

5) Press volume up + power button

6) Draw your finger from bottom left to right then up

7) Allow talkback record audio: Choose only this time

8) Remove always show this message in the popup window

9) Now press on: use voice commands

10) Allow talkback record audio: Choose only this time

11) Say slowly: Google Assistant

12) Bixby will start

13) Login to your samsung account

14) Accept agreements

15) Press cancel when bixy asking for a faster way to sign in

16) Press start

17) Say: Open Google Chrome

18) Press Accept and Continue

19) Press no thanks on turn on sync

20) Browse to Nr1

21) Scroll down to "Alliance Shield X(Galaxy Store)"

22) Install "Alliance Shield X(Galaxy Store)" from samsung store

23) Once done, open Alliance Shield X Application

24) Press Next in welcome window

25) Press Next again in permission window

26) Press Next in privacy promise window

27) Press on Got It on getting started

28) Login on your account

29) Enter DEVICE Name, I tried this hack with a SM-G975F + SM-G985F

30) Enable Device Admin in device setup screen

31) Press activate in the activate device admin application

32) Press Next

33) Enable knox in samsung knox window, press next (dont remember exactly right now)

34) Press continue in "Knox License Activation"

35) You should see "Know license validation completed"

36) Press next

37) Press finish in import window

38) Press app manager in upper left corner

40) Press service mode

41) Press activities

42) Press service mode

43) Press open in the popup window

44) Choose MTP+ADB and press OK

45) Accept the adb request on your phone

Now via your PC we gonna use adb to execute:

content insert --uri content://settings/secure --bind name:s:user_setup_complete --bind value:s:1

For all who is interested more deeply, logcat gives us:

02-20 23:25:40.306   936  8470 D RestrictionPolicy: isSettingsChangesAllowedAsUser, userId 0 : true
02-20 23:25:40.306   936  8470 D SettingsProvider: ret = 1
02-20 23:25:40.318   936  8470 I GenerationRegistry: mBackingStore.isClosed() : false
02-20 23:25:40.320  5655  5655 I AODSettingsHelper: content://settings/secure/user_setup_complete changed
02-20 23:25:40.322  5655  5655 I AODSettingsHelper: mKey=user_setup_complete, mIntValue=1, mStringValue=null
02-20 23:25:40.322  5655  5655 I AODSettingsHelper: onChange() COMPLETED elapsed= 2
02-20 23:25:40.322  5655  5655 I AODSettingsHelper: **#### onSettingsValueChanged for content://settings/secure/user_setup_complete
02-20 23:25:40.322  5655  5655 I AODSettingsHelper: **#### onSettingsValueChanged callbackList == null
02-20 23:25:40.323   936  1133 D PackageManager: SetupWizardFinished: true
02-20 23:25:40.323 17664 17664 D hw-ProcessState: Binder ioctl to enable oneway spam detection failed: Invalid argument
02-20 23:25:40.325 17664 17664 D AndroidRuntime: Shutting down VM
02-20 23:25:40.344  5655  5655 I AODSettingsHelper: content://settings/secure/user_setup_complete changed
02-20 23:25:40.346  5655  5655 I AODSettingsHelper: mKey=user_setup_complete, mIntValue=1, mStringValue=null
02-20 23:25:40.346  5655  5655 I AODSettingsHelper: onChange() COMPLETED elapsed= 1
02-20 23:25:40.346  5655  5655 I AODSettingsHelper: **#### onSettingsValueChanged for content://settings/secure/user_setup_complete
02-20 23:25:40.346  5655  5655 I AODSettingsHelper: **#### onSettingsValueChanged callbackList == null
02-20 23:25:40.346  5655  5655 D DeviceProvisionedControllerImpl: Setting change: content://settings/secure/user_set

Back to mobile device

46) Press volume up + power

47) Draw your finger from bottom left to right then up

48) Say slowly: Open Settings

49) When bixby launches, press volume up + power again to turn off talkback settings

50) Press record button

51) Now say: Open Account Settings

52) Press add account

53) Add your google account

You are now signing in without any issues

54) And you're in!! :)

  • As you might notice, you are now signed in.

ITS NOT DONE!!! DONT JUST RUSH INTO A FACTORY RESE OR SOMETHING, CONTINUE READING..

55) Lets head back to welcome screen, turn back as many times as it neededed to get there

56) You can now press next, accept license and policies and wifi should already be fixed so press next and you will now see, nothing...

58) IT STOPS! You wont be able to continue, DON'T PANIC!

59) ...Once again, lets get bixby started :)

60) Press volume up + vpower`

61) Draw your finger from bottom left to right then up

62) Say Google Assistant and when bixby launches, press volume up + power to turn off talkback settings

63) When you hear the beep, slowly say: Open Settings

64) Go to "Apps" sections wich has been locked all the time until we added our google account as you probably tried already, settings application crashing when pressing on it but now its unlocked:

65) Scroll to One UI Home application, open it

66) Press: Set Home Screen

67) Select: One UI Home and when you press on it System UI will launch and you bypassing the earlier setup wizard

68) And it results in below scren when you press on one ui':

  • You have just hacked samsung's latest security patch and there are a thousand reasons why i do not use cell phones ;)

Welcome Screen

Since adb shell is still open, clear all samsung applications so we can take control over lock settings without any bruteforcing:

cmd package list packages|cut -d: -f2|egrep samsung > /storage/self/primary/clear.txt 
sed 's/^/pm clear --user 0 /g' /storage/self/primary/clear.txt  > /storage/self/primary/clear_script.sh 
sh -x /storage/self/primary/clear_script.sh 
cmd package list packages|cut -d: -f2|egrep google > /storage/self/primary/clear_google_apps.txt 
sed 's/^/pm clear --user 0 /g' /storage/self/primary/clear.txt  > /storage/self/primary/clear_google_apps.sh
sh -x /storage/self/primary/clear_script.sh 

Your lock settings is NOT disabled if you are using an FRP locked Device, however you can confirm this with cmd:

cmd lock_settings get-disabled

cmd lock_settings is the new way we used locksettings in past (you probably seen my wbruter script wich is very old and slow nowdays, use cmd instead) and since lock_settings was introduced in cmd we simply can use below to disable lock screen without any hacking:

cmd lock_settings set-disabled true 

Since we still love ADB and working in cli rather then GUI (at least that's me) set your pin code with:

cmd locksettings --set-pin XXXX XXX

And for GUI fantasts, open settings and browse to Biometrics and Security either with below command or via your homescreen

am start -a android.settings.SETTINGS

Add your fingerprint and face recogntion and set your pin

You have just hacked the latest Security Patch from Samsung (2022-02-01)

Send me an email or contact me on ÍRC:

  • iRC: wuseman@Libera

Enter Libera's network via your own client 'chat.libera.chat:+6697 or use their new web client here.

  • Mail: wuseman@nr1.nu

This tutorial is licensed under the GNU General Public License v3.0 - See the LICENSE.md file for details - Feel free to copy this wiki but if you do, please share an url to this original post. Thanks alot!

  • Happy Hacking and Never Give up!

Last update: August 10, 2022
Created: August 10, 2022