Change apns that are locked guide - Google Pixel 2 XL Guides, News, & Discussion

Okay everyone, I have come up with yet another method. This one is demonstrated for Android Pie, but you can modify it a little and make it work for any version of Android, I guess.
This guide is written for an audience that has ROOT ACCESS and allows you to configure any type of APN criteria. The need for this guide is VERY VERY VERY real, because you have never in your life been more frustrated than when you can't use your device properly, all because of Verizon's discrimination against its MVNO users by locking down APNs on devices that use Verizon's network.
I've written other guides in other forum sections of XDA to get APNs into a phone with this problem, but you are never able to completely edit everything how you want it. This is due to the app called "carrier settings" stored on the device, which has all the carrier info programmed inside the APK and automatically turns off APN editing options when Verizon is detected.
The simple breakdown of this process is:
1. Locate telephony.db
2. Copy telephony.db to a backup folder that you create somewhere on your device for safekeeping.
3. Copy telephony.db to your computer
4. Open telephony.db using "DB Browser for SQLite" on your PC (I know there are Play Store apps that can edit these databases as well, but it's a pretty big task to find one that does it right.)
5. Make changes
6. Copy back to phone
7. Overwrite the old telephony.db with your new one
8. Reboot phone
Part 1 Steps
1. Use a file explorer on device and navigate to /data/user_de/0/com.android.providers.telephony/databases/
This is the new location of telephony.db
2. Copy "telephony.db" to a backup location for safekeeping and send a copy to your computer.
Part 2 Steps
Open SQLite browser on PC and open the telephony.db file
1. Click on "Browse Data"
2. From there click the drop-down next to "table".
Now you will see all the APNs your phone is set up to use. You could just go ahead and change the values of the current APN you are using, which is most likely "VZWINTERNET".
3. Double-click the field value you want to change.
4. Type the values you want into the field.
5. When done, click on "apply".
Repeat the editing steps until you get all the values like you want them.
6. Now click "Write Changes".
7. Now copy the database back to your phone and place it back into the /data/user_de/0/com.android.providers.telephony/databases/ directory to overwrite the old one.
If I helped then give me a like.
Picture attached of buttons to click in sqlite pc browser program

This bricked my android install sadly. I wonder what I did wrong.

deskjet390 said:
How I accomplish this on my Pixel XL (and other phones that have locked APN settings)
This is what I have to do because my carrier's APNs are not in the Pixel XL's database and it wrongly detects them as Verizon.
1. First off you need to have root.
2. After root, you need to hook phone into PC and access adb shell with root permissions.
3. After that.... issue this command
Code:
content query --uri content://telephony/carriers/preferapn
This will tell you which APN your phone is using at this current time. I have found it easiest to edit the APN your phone is already using. You then look where it says "_id=SOME NUMBER".
4. Once you know what number your phone's APN settings are using, it's time to issue the commands to edit that APN number's fields.
Replace SOME NUMBER with whatever APN number you are editing. Below is the syntax to edit the most usual APN fields. A good thing to do would be to obtain your APN settings, and I may be able to help you find out what fields you need to edit.
Code:
content update --uri content://telephony/carriers --where "_id=SOME NUMBER" --bind type:s:"default,dun,mms"
content update --uri content://telephony/carriers --where "_id=SOME NUMBER" --bind user:s:"[email protected]"
content update --uri content://telephony/carriers --where "_id=SOME NUMBER" --bind mmsc:s:"http://mms.whateverwirelss.com"
content update --uri content://telephony/carriers --where "_id=SOME NUMBER" --bind mmsport:s:"whateverport"
This is what works for me 100 percent to get the right APNs for a Verizon MVNO or Verizon LRA carrier partner programmed into whatever device I want.
Follow this instead. Less risky, as you aren't directly editing files ^^
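For anyone who wants the same edit as a repeatable script instead of clicking through DB Browser or typing `content update` lines one at a time, here is an added example (mine, not from either post). It works on a pulled copy of telephony.db with Python's sqlite3; the `carriers` columns used are a constructed subset of the real telephony provider schema, and the two sample rows are made up.

```python
"""Added example (mine, not from the XDA posts): edit one APN row in a
copy of telephony.db with Python's sqlite3, which is what the guide does
by hand in DB Browser for SQLite and the reply does with `content update`.
The `carriers` columns used here are a constructed subset of the real
telephony provider schema; the sample rows are made up."""
import shutil
import sqlite3
import tempfile
from datetime import datetime
from pathlib import Path

# Columns the guide and the `content update` reply touch; anything else is refused.
EDITABLE = {"apn", "type", "user", "password", "mmsc", "mmsproxy", "mmsport", "protocol"}
# Values Android accepts in the comma-separated `type` column.
KNOWN_TYPES = {"default", "mms", "supl", "dun", "hipri", "fota", "ims", "cbs", "ia", "emergency"}


def backup(db_path: Path) -> Path:
    """Step 2 of the guide: keep a timestamped copy before touching anything."""
    dest = db_path.with_name(f"{db_path.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(db_path, dest)
    return dest


def list_apns(db_path: Path) -> list:
    """The 'Browse Data' view: (_id, name, apn, type, mmsc) for every row."""
    with sqlite3.connect(db_path) as con:
        return con.execute(
            "SELECT _id, name, apn, type, mmsc FROM carriers ORDER BY _id"
        ).fetchall()


def update_apn(db_path: Path, apn_id: int, **fields: str) -> int:
    """Same effect as `content update --uri content://telephony/carriers
    --where "_id=N" --bind col:s:value`, one call for all columns.
    Column names cannot be bound as SQL parameters, so they are checked
    against the whitelist; values are always bound, never interpolated.
    Returns the number of rows changed (1 if the _id existed, else 0)."""
    bad = set(fields) - EDITABLE
    if bad:
        raise ValueError(f"refusing to edit column(s): {sorted(bad)}")
    if "type" in fields:
        unknown = {t.strip() for t in fields["type"].split(",")} - KNOWN_TYPES
        if unknown:
            raise ValueError(f"unknown APN type(s): {sorted(unknown)}")
    assignments = ", ".join(f"{col} = ?" for col in fields)
    with sqlite3.connect(db_path) as con:
        cur = con.execute(
            f"UPDATE carriers SET {assignments} WHERE _id = ?",
            (*fields.values(), apn_id),
        )
        return cur.rowcount


def make_sample_db(db_path: Path) -> None:
    """Constructed stand-in for a freshly pulled telephony.db (two made-up rows)."""
    with sqlite3.connect(db_path) as con:
        con.execute(
            """CREATE TABLE carriers (
                 _id INTEGER PRIMARY KEY, name TEXT, numeric TEXT, apn TEXT,
                 user TEXT, password TEXT, mmsc TEXT, mmsproxy TEXT, mmsport TEXT,
                 type TEXT, protocol TEXT, carrier_enabled INTEGER DEFAULT 1)"""
        )
        con.executemany(
            "INSERT INTO carriers (_id, name, numeric, apn, type, mmsc) VALUES (?, ?, ?, ?, ?, ?)",
            [
                (1, "Internet", "00101", "vzwinternet", "default,supl", ""),
                (2, "MMS only", "00101", "vzwapp", "mms", "http://mms.example.invalid"),
            ],
        )


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp()) / "telephony.db"
    make_sample_db(work)
    print("backup written to", backup(work))
    print("before:", list_apns(work))
    # Fold the MMS settings into the APN the phone already uses (_id=1),
    # which is what the "mash it into the one APN" approach amounts to.
    update_apn(work, 1, type="default,supl,mms,dun",
               mmsc="http://mms.example.invalid", mmsport="80")
    print("after: ", list_apns(work))
```

Point it at the real pulled file instead of the sample, then push the result back as the guide describes; the backup it writes sits next to the file it edited.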

I have a Pixel 3a XL on LineageOS 19.1 and the first method worked great. Updated on the computer and then transferred telephony.db back to the phone. Rebooted and MMS came right in. I would have preferred just to be able to add the other APNs to the APN screen vs. mashing the MMS info into the one APN that is currently being seen. Not sure if that is possible.

Related

Sprint Galaxy S4 L720T (NG5) PRL Write Enablement

Thanks to @digiblur and @tdunham for their guides on modifying the HiddenMenu.apk! With these guides, I was able to create a HiddenMenu.apk that will enable the PRL Write function on the L720T (Triband) model of the Samsung Galaxy S4.
Prerequisites:
1.) You must be at NG5 for this to work.
2.) You must be rooted for this to work.
3.) You must have a recovery where you can clear cache and Dalvik Cache (such as TWRP or philz)
4.) You must have RootExplorer installed. I will try to create a .zip file for installation via recovery, but for now, you will have to do things a little manually.
5.) You may have to be on a stock-based ROM. AOSP ROMs will NOT work due to the libraries needed. I performed this on the HiddenMenu.apk that was NOT odexed...so if you look at /system/app and find HiddenMenu.apk AND HiddenMenu.odex, this will NOT work. The stock NG5 ROM does NOT have this HiddenMenu.apk odexed, so if you have an unmodified stock ROM, the below directions will work for you.
Directions:
Assuming you are using Root Explorer:
1.) Start by downloading the HiddenMenu.apk attached.
2.) First, backup your current HiddenMenu.apk, just in case you need to go back to it. Do this by copying /system/app/HiddenMenu.apk to your /sdcard directory somewhere.
3.) Copy the attached HiddenMenu.apk into your /system/app directory. It will overwrite the one that is currently there.
4.) Long hold the modified HiddenMenu.apk and select "Permissions". Change the permissions to rw-r--r-- (0644). This will be Owner (check on Read/Write); Group (Check on Read); Others (Check on Read).
5.) We will need to modify one more file under /system/csc. Go into this directory and long hold on sales_code.dat. Open in Text Editor. Change the value in the file from "XAS" to "SPR".
6.) Reboot the phone into TWRP or philz recovery OR turn off the phone and start it by pushing the volume up+home key at the same time until you see text on the screen.
7.) Clear the Dalvik Cache and the Cache on the phone.
8.) Boot the phone and wait for the apps to optimize.
To use the new HiddenMenu:
1.) You need to find a PRL and put that PRL into your /sdcard directory.
2.) Rename the PRL file TEST.prl.
3.) Turn off the mobile data -- Settings/More Networks/Mobile Networks -- uncheck "Mobile Data"
4.) Go into the dialer and dial ##3282# (##DATA#).
5.) Go to the View option
6.) At the bottom will be PRL Write. Select this. Select it again on the next screen.
The phone will reboot and your new PRL will be installed! Make sure you turn back on mobile data.
Notes:
A Preferred Roaming List (PRL) tells the 1x/3G (CDMA) portion of the phone which networks it can use. The file is just a priority list...the actual "initialization" onto a network is based on agreements between Sprint and that network...so, for example, when Verizon and Sprint roaming agreements go away, the priority list for Verizon will stop working (the phone will fail the authorization and go on to the next network in the list). While PRLs work great for areas that have poor Sprint coverage and great coverage with another provider, be aware that Sprint does track roaming and if you abuse this, they could kick you off the network. I do not condone abusing PRLs...use this with care! I use this to force-roam the phone if I'm in an area that has very limited Sprint coverage and my phone bounces between Sprint and another carrier. I find a PRL that takes Sprint off the list and the phone automatically finds the other network to lock onto.
THIS WILL NOT WORK WITH LTE...LTE uses a whole other method for roaming and, to be honest, once the CCA Data Access Hub is completed next year, roaming may hopefully become a thing of the past (Google search for "CCA Data Access Hub Sprint").
Hope this helps out some people! I know the L720T has been forgotten by devs. Unfortunately, I'm not at dev state yet, so I can't post in that forum.
The MD5 of the file attached is 7b63ce7c9dcb37c433fc88963520cc2b. Make sure this matches what you download!
Do you have the stock version of the HiddenMenu.apk? I can't find mine.

Data Toggle button?

I know some international versions of the S7 have the data toggle in their drag down. Obviously AT&T HAS to remove it to inconvenience their customers......
How do we go about putting it back in? Would it be something like it was on the S5? (see here - http://forum.xda-developers.com/showthread.php?t=2721550)
Currently at work, but I'll be taking a look at this once I'm home.
---
edit - looks like I've found something from a German forum!! http://www.android-hilfe.de/thema/r...ixperience-s7-port-stable-v3-1.759967/page-33
I'm testing this now, hopefully my phone reboots
edit 2 - failure. Maybe someone else can see where I went wrong?
*DISCLOSURE - only follow the below if you are comfortable with messing up your phone. I will not be liable for your damaged phone if something does go wrong*
Based on the thread I found in German above, you have to edit "sysui_qs_tiles". For some reason, SQLite Editor cannot find that file, but Settings Database Editor (SDE) by 4A does.
Once SDE has been installed, head to secure, and scroll down until you see "sysui_qs_tiles"(see attached screenshot). When you click to edit it, you'll get a permissions error.
To stop the permissions error, plug phone into computer, open where your ADB is installed, then open an Administrator command prompt there. (start-> type "cmd" -> right click and select administrator, then type "cd c:\adb", or where your ADB is stored) You should do "adb devices" and then see your devices. If you do, paste this "adb shell pm grant by4a.setedit android.permission.WRITE_SECURE_SETTINGS". The next time you click on "sysui_qs_tiles", you'll be able to edit it.
The German thread says to reference this:
Wifi,Location,SilentMode,RotationLock,Bluetooth,MobileData,PowerSaving,AirplaneMode,DormantMode,Flashlight,UltraPowerSaving,WifiHotspot,PersonalMode,AllShareCast,Sync,Aod,SFinder,ScreenCapture
I tried inserting MobileData, but when I restart, there is no new MobileData tile (the MobileData addition stays in the "sysui_qs_tiles" though).
Any thoughts?
edit 3 - tried it one more time, and I added the screenshot tile!! Looks promising, but we would need to find the name for the mobiledata tile.
I am on PK1 and after flashing engboot I didn't like the way my phone ran, so I flashed the AP file of PK1 and now suddenly I have the data toggle. I never even rooted with engboot or did any other adjustments to try and get the toggle.

[ROOT] How to change MAC address of the OnePlus 5T

TL;DR: (story in second post)
As always, everything you do is at your own risk. I'm not responsible for your phone running away or any nuclear wars.
1. Edit the content of /persist/wlan_mac.bin using a file manager with root access (e.g. Solid Explorer) and change the first two lines to your desired MAC. It's a good idea to keep the first 3 bytes (the OUI), or bad things may happen.
2. Using a terminal emulator (e.g. Termux), execute the following commands:
Code:
su
chattr +i /persist/wlan_mac.bin
And done! You may have to switch airplane mode on and off.
I just got my new OnePlus 5T, and of course, one of the first things I want to do is to change my MAC address. I immediately spotted the file:
Code:
/persist/wlan_mac.bin
But even if I hadn't, tools like my overseer can find it automatically for us.
So the file is in a standard directory for Qualcomm chips. Using Solid Explorer (with root access), I modified the file's content to change the first two lines to my desired MAC address. I then switched airplane mode on and off and..... it didn't work? I quickly checked the file content again - it had reverted back. Ouch.
To combat this, I ran my overseer tool, but to no avail. There was no obvious file containing our MAC, only symlinks to this one. I then figured that maybe the system caches the value somewhere, and restores it when I toggle airplane mode (spoiler: it doesn't).
Well, the next attempt is mainstream: write-protect the file (set it to immutable). Using a terminal emulator (e.g. Termux), I executed:
Code:
su
chattr +i /persist/wlan_mac.bin
Airplane mode on and off... and it works! I restarted the phone and verified our success. Now, one last question burdened me. Was the system caching the MAC address? I removed the immutable attribute after the restart (so the new MAC would have been cached) and after I switched airplane mode -- original MAC was restored! So the system is doing something else to stop us.
Anyways, the current method works flawlessly and I shall refrain from digging any further just now.
Good luck!
I did whatever you mentioned here. After I set it to immutable, Wi-Fi wasn't working and the MAC address was 02:00:00:00:00:00. I couldn't even edit the file because I had set it to immutable, so I had to remove the immutable flag using the -i command. I still want to know how to change my MAC address. Please help me out.
aneesh12 said:
I did whatever you mentioned here. After I set it to immutable, Wi-Fi wasn't working and the MAC address was 02:00:00:00:00:00. I couldn't even edit the file because I had set it to immutable, so I had to remove the immutable flag using the -i command. I still want to know how to change my MAC address. Please help me out.
Hey,
You have to edit the file before you set the immutable flag, otherwise you'll get access denied just like you observed. Unless you messed up the content of the file I see no reason you are getting an invalid MAC. Make sure you preserve the first 3 bytes (the OUI) when setting a new MAC.
ViRb3 said:
Hey,
You have to edit the file before you set the immutable flag, otherwise you'll get access denied just like you observed. Unless you messed up the content of the file I see no reason you are getting an invalid MAC. Make sure you preserve the first 3 bytes (the OUI) when setting a new MAC.
is there no way to change the whole Mac address(including the OUI)?
aneesh12 said:
is there no way to change the whole Mac address(including the OUI)?
Sure you can, as long as you use a valid OUI. While using a made-up OUI won't affect you in the short-term, some (public) hotspots could block you.
Okay, by your method I could change the MAC address, but not completely, only the last 4 digits. I searched for wlan_mac.bin; this is what I found. These files might be causing it to revert back to the original MAC address after removing the immutable flag.
I tried to change the MAC address of my OP5T completely to my laptop's (Lenovo ThinkPad) MAC address.
The system is reading that address in reverse fashion.
E.g. I put Aa:Bb:Cc:Dd:Ee:Ff on the first line of wlan_mac.bin, then the system shows Ff:Ee:Dd:Cc:Bb:Aa as the MAC after airplane mode on/off.
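Since this thread keeps coming back to three questions (is the OUI kept, why 02:00:00:00:00:00 shows up, and the reversed octet order), here is an added helper of mine, not from ViRb3 or anyone in the thread, that checks a candidate address before it goes into /persist/wlan_mac.bin. It does not parse the file's layout (assumption: you pass the MAC as a string).

```python
"""Added example (mine, not from the thread): sanity-check a replacement
Wi-Fi MAC before it goes into /persist/wlan_mac.bin. It covers the three
points the replies turn on: keep the OUI, never set the I/G (multicast)
bit, and the octet-order flip one poster observed. The file's own layout
is not parsed here (assumption: you supply the MAC as a string)."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
# The constant Android hands to apps when the real address is unavailable.
ANDROID_PLACEHOLDER = "02:00:00:00:00:00"


def parse_mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> six raw bytes; anything else is rejected."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def reversed_octets(mac: str) -> str:
    """The reading aneesh12 reported: the system showed the octets in the
    opposite order from what was written, so compare both orderings."""
    return format_mac(parse_mac(mac)[::-1])


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet): set means the address is not
    from a registered OUI, which is what 02:... addresses are."""
    return bool(parse_mac(mac)[0] & 0x02)


def check_replacement(current: str, new: str, keep_oui: bool = True) -> list:
    """Return a list of problems with `new`; an empty list means it is safe
    to write. `current` is the address the device shipped with."""
    cur, nxt = parse_mac(current), parse_mac(new)
    problems = []
    if nxt[0] & 0x01:
        problems.append("I/G bit set: that is a multicast address, not a station MAC")
    if nxt == bytes(6):
        problems.append("all-zero address")
    if format_mac(nxt) == ANDROID_PLACEHOLDER:
        problems.append("02:00:00:00:00:00 is Android's 'unknown MAC' placeholder")
    if keep_oui and nxt[:3] != cur[:3]:
        problems.append(f"OUI changed from {format_mac(cur[:3])} to {format_mac(nxt[:3])}")
    return problems


if __name__ == "__main__":
    shipped = "00:1a:2b:11:22:33"  # constructed sample, not a real device MAC
    for candidate in ("00:1a:2b:44:55:66", "01:1a:2b:44:55:66", "02:00:00:00:00:00"):
        print(candidate, check_replacement(shipped, candidate) or "ok",
              "| as read reversed:", reversed_octets(candidate))
```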

[NST/G] [HOW-TO] Managing cacerts.bks

Part 1 (thanks to a new character limit...)
By now many of you know that the small file on the NST/G which contains web certificates (/system/etc/security/cacerts.bks) is slowly becoming out-of-date. The first important certificate to expire was for Amazon and that crippled the Kindle app until member @tshoulihane worked out a way to update the expired certificate. In 2020, one of the certificates needed to negotiate syncing of books with FBReader expired and I finally took the plunge and figured out how to update the certificate for that. Although @tshoulihane had provided directions in the original post, I was too dense to follow them correctly. Now, as promised, I am providing what I hope is an overly-explicit set of instructions (my specialty) so that anyone can do this, even when I am dead (!).
This guide is for Windows (10, in my case). If you're not using Windows you may be much happier but you'll have to figure this out for yourself. If you are using Windows, you know that we will have to wait for some of that happiness in the next life ;-)
Assembling the tools
jdk-6u45 (download-32 bit, download-64 bit). Oracle now requires a sign-up, etc., to get at these old files, so I have archived them.
bcprov-jdk15on-146.jar (download). This old file is required to make all the magic happen.
Setting up the tools
Install jdk-6u45, using defaults--unless you have some specific reason for changing things. Don't worry if you have other JDK versions installed. They can coexist. Once the JDK is installed, use Windows File Explorer to locate the installation, something like Program Files/Java/jdk1.6.0_45 (that could be Program Files (x86) if you installed the 32-bit version). Find the sub-folder "lib". If there isn't one, create it. Inside that folder create another folder, "ext" (if it doesn't already exist). Place in that folder the jar file you downloaded. So, just to be clear, you should end up with:
(64-bit) Program Files/Java/jdk1.6.0_45/lib/ext/bcprov-jdk15on-146.jar
(32-bit) Program Files (x86)/Java/jdk1.6.0_45/lib/ext/bcprov-jdk15on-146.jar
Looking at cacerts.bks (optional)
If you want to see what the "innards" of your cacerts.bks file look like, copy /system/etc/security/cacerts.bks from your device to your PC (use some readily accessible directory like "Documents" or "Downloads"--someplace you have rights).
Open a Windows command prompt window. Execute the following:
Code:
cd C:\Program Files\Java\jdk1.6.0_45\bin
[for 32-bit: cd C:\Program Files (x86)\Java\jdk1.6.0_45\bin]
Windows 10 allows you to paste text into the command prompt window. I suggest you copy the following command to a text editor, adjust it to your situation, and paste into the command prompt window. Then hit Enter. The text is perilous to type and you can get very frustrated by small errors.
Code:
keytool.exe -keystore C:\Users\nmyshkin\Documents\cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_45\lib\ext\bcprov-jdk15on-146.jar" -storepass changeit -v -list > C:\Users\nmyshkin\Documents\calist.txt
Note that a path which contains spaces requires the use of quotation marks or you will get an error. You would need to replace "nmyshkin\Documents" with whatever path is correct for you.
The resulting text file (calist.txt) contains a list of all of the certificates and information about them, including their expiration dates.
Housekeeping
Some time ago I came across a Honeycomb ROM (last stop before ICS and cacerts which update on the fly) and extracted its cacerts.bks file, reasoning that it would be more up-to-date than our version. This proved to be true (the Amazon certificate, for example, has not yet expired), and there were also many more certificates--not a bad thing. There were also a lot of dead certificates. So for a sort of baseline, I have attached a zipped copy of that file with all the dead stuff removed. It also has a functioning Amazon certificate and the update for FBReader book sync. You're welcome.
The good stuff follows in the next post...
Part 2
How do you remove dead certificates?
Note: ALWAYS keep a backup copy of your cacerts.bks file. If you mess up, you need to be able to go back. Also, before returning an updated cacerts.bks file to your device, you should have made a complete device backup. A faulty cacerts.bks file will cause a bootloop. The only recovery is a forced shutdown (not easy in itself) and a restoration of the nandroid backup with NookManager or similar.
Let's pretend that you have a dead certificate and a check of the calist.txt file created as described above reveals that its "alias" is 27. Certificates sometimes have ridiculously complicated names so in the cacerts.bks file they are often given numerical aliases. Here's how to get rid of one (presumably before you replace it):
Open a command prompt window and execute the following:
Code:
cd C:\Program Files\Java\jdk1.6.0_45\bin
[for 32-bit: cd C:\Program Files (x86)\Java\jdk1.6.0_45\bin]
Copy the text below and adjust the paths for your situation, then copy and paste the result into the command prompt window. Press Enter.
Code:
keytool.exe -keystore C:\Users\nmyshkin\Documents\cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_45\lib\ext\bcprov-jdk15on-146.jar" -storepass changeit -v -delete -alias 27
You would need to replace "nmyshkin\Documents", the alias number, and potentially "Program Files" (if you are using 32 bit) to customize the command.
Importing/updating a certificate
Well, this is the "real deal". Someday that Amazon certificate is going to expire again and render the Kindle app useless (assuming Amazon doesn't abandon it first). Or something else may crop up that you'd like to fix (like the FBReader issue I mentioned earlier). To some extent, this may also address website access issues, but most--if not all--of those are more broadly SSL related and that is another kettle of fish altogether.
Importing a certificate is no more difficult than any of the other operations already described (once you have the command written out!). The difficulty is in obtaining the certificate to import! Here is where these instructions get a little squishy because they are initially based on information obtained from your PC's browser (and even its version). I happen to use an up-to-date version of Firefox so that's how I am approaching this. If you use a different browser, you will have to figure out this part on your own, but Googling will doubtless help.
Let's say the Amazon certificate has expired (again...). My first best guess is that the same certificate(s) used on Amazon.com are used for the Kindle app. So I head on over to Amazon.com with Firefox. When I arrive I note that there is a little "lock" symbol just before the "https:...." in the URL line. Mousing over this symbol I see "Verified by: DigiCert Inc." So it's some kind of DigiCert certificate. Clicking on the lock symbol I see site information for Amazon including "Connection Secure", which can be expanded to show "Verified by DigiCert Inc.", and at the bottom of that little window is "More information". Clicking there gives me a lot more stuff, but what I want is just the "Security" tab where I can see "View Certificate". Aha! Clicking on that reveals that there are at least two certificates, DigiCert Global CA G2 and DigiCert Global Root G2. I may need only one, but it's safer to have both. Still, I need actual copies of the certificates. In an older version of Firefox you could click on the lock and get to a place where you could export copies of the certificates. No more. That was too easy. Now it's like this:
1. Navigate to the site (Amazon.com) and discover which certificates are used, as described above
2. Open the browser menu to access "Options"
3. Click on "Privacy and Security" in the left-hand menu
4. Scroll down to "Certificates"
5. This takes you to a window in which you want the last option, "Authorities"
6. Scroll to find the certificate(s) discovered by the steps described above.
7. Click on the certificate and then on "Export". Accept the default file type (X.509 Certificate (PEM) (*.crt;*.pem)) and the ".crt" extension. Save.
8. Change the file extension on the saved certificate to ".cer".
OK! Do this for whatever certificate(s) you need. Now it's time to get them into the cacerts.bks file. Make sure the saved certificates are in some directory on your PC for which you have rights (like "Documents" or "Downloads").
Open a command prompt window and execute the following:
Code:
cd C:\Program Files\Java\jdk1.6.0_45\bin
[for 32-bit: cd C:\Program Files (x86)\Java\jdk1.6.0_45\bin]
Copy the text below and adjust the paths for your situation, then copy and paste the result into the command prompt window. Press Enter.
Code:
keytool.exe -storetype BKS -keystore "C:\Users\nmyshkin\Documents\cacerts.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Program Files\Java\jdk1.6.0_45\lib\ext\bcprov-jdk15on-146.jar" -storepass changeit -importcert -alias Amazon -file "C:\Users\nmyshkin\Documents\DigiCertGlobalRootG2.cer"
You would need to replace "nmyshkin\Documents", potentially "Program Files", the alias string or number as well as the certificate file name to customize. The "alias" is a number in our cacerts.bks file, but you can use a string instead. Otherwise, you need to choose a number that is not already used or use the same number(s) for the expired certificate(s) that you previously removed.
You will see a series of things scroll through the window, stopping at a confirmation dialog. You need to enter "yes" to accept the certificate.
Repeat if there are additional certificates to import/update.
The Proof in the Pudding
IF you have done these steps correctly, you should be good to go. You need to move the revised cacerts.bks file back to your NST/G (/system/etc/security/cacerts.bks). Be sure the file permissions are set to rw-r--r--, then reboot. If you get stuck in a bootloop, you goofed. Try to interrupt the boot sequence with the power button. Eventually you will succeed and can restore a backup using something like NookManager. Try again.
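If you would rather not read through calist.txt by hand to find the dead entries, here is an added script of mine (not nmyshkin's): it parses the `-list -v` output the guide produces, reports which aliases have expired, and assembles the exact `-delete` command shown above for each one. The listing embedded in it is constructed, not a real NST/G keystore; the JDK, jar and keystore paths are the ones the guide uses, so adjust them as you would the commands.

```python
"""Added example (mine, not nmyshkin's): read the calist.txt that the
`keytool -list -v` command above produces, report which aliases have
expired, and build the exact `-delete` command the guide shows for each.
The sample listing below is constructed, not a real NST/G cacerts.bks;
the JDK and jar paths are the ones the guide uses."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

JDK_BIN = r"C:\Program Files\Java\jdk1.6.0_45\bin"
PROVIDER_JAR = r"C:\Program Files\Java\jdk1.6.0_45\lib\ext\bcprov-jdk15on-146.jar"
KEYSTORE = r"C:\Users\nmyshkin\Documents\cacerts.bks"

# keytool prints Java Date.toString() form: "Tue Jan 01 00:00:00 UTC 2008".
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")
DATE_RE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})$")


class CertEntry(NamedTuple):
    alias: str
    owner: str
    not_after: datetime


def parse_keytool_date(text: str) -> datetime:
    """Drop the weekday and zone token, then parse the rest (zone treated as UTC)."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    mon, day, clock, year = m.groups()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_keytool_list(text: str) -> List[CertEntry]:
    """One CertEntry per 'Alias name:' block in a -list -v dump."""
    entries, alias, owner = [], None, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias, owner = line.split(":", 1)[1].strip(), ""
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        else:
            m = VALID_RE.match(line)
            if m and alias is not None:
                entries.append(CertEntry(alias, owner, parse_keytool_date(m.group(2))))
                alias = None  # a trustedCertEntry has exactly one validity line
    return entries


def expired_aliases(entries, now: datetime, grace_days: int = 0) -> List[str]:
    """Aliases whose certificate is past (or within grace_days of) expiry."""
    cutoff = now + timedelta(days=grace_days)
    return [e.alias for e in entries if e.not_after <= cutoff]


def delete_command(alias: str) -> List[str]:
    """argv for the guide's delete step; run it with subprocess.run(delete_command(a))."""
    return [JDK_BIN + r"\keytool.exe", "-keystore", KEYSTORE, "-storetype", "BKS",
            "-provider", "org.bouncycastle.jce.provider.BouncyCastleProvider",
            "-providerpath", PROVIDER_JAR, "-storepass", "changeit",
            "-v", "-delete", "-alias", alias]


# Constructed calist.txt excerpt: three entries, two of them dead by 2021.
SAMPLE_LIST = """\
Keystore type: BKS
Keystore provider: BC

Your keystore contains 3 entries

Alias name: 27
Creation date: Apr 24, 2009
Entry type: trustedCertEntry

Owner: CN=Old Example Root CA, O=Example Ltd
Issuer: CN=Old Example Root CA, O=Example Ltd
Serial number: 1
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Thu Jan 01 00:00:00 UTC 2015

*******************************************

Alias name: amazon
Entry type: trustedCertEntry

Owner: CN=Example Global Root G2, O=Example CA Inc
Valid from: Thu Aug 01 12:00:00 UTC 2013 until: Fri Jan 15 12:00:00 UTC 2038

Alias name: fbreader
Entry type: trustedCertEntry

Owner: CN=Example Sync CA, O=Example Books
Valid from: Mon Jun 01 00:00:00 UTC 2015 until: Sat May 30 10:48:38 UTC 2020
"""

if __name__ == "__main__":
    certs = parse_keytool_list(SAMPLE_LIST)
    for alias in expired_aliases(certs, datetime(2021, 1, 1)):
        print(" ".join(delete_command(alias)))
```

Feed it the real calist.txt (read the file and pass its text to parse_keytool_list) and use `grace_days` to catch certificates that are about to expire rather than only those already dead.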
Hi, thank you for all your help as always nmyshkin, but how do I connect it to the Nook?
I do all the steps, but I am lost on how to replace the system directory in the Nook with the cacerts.bks file so that the Kindle app could log in through the NTGS.
vicus21 said:
Hi, thank you for all your help as always nmyshkin, but how do I connect it to the Nook?
I do all the steps, but I am lost on how to replace the system directory in the Nook with the cacerts.bks file so that the Kindle app could log in through the NTGS.
If you rooted with the updated NookManager, the cacerts.bks file is already updated. No need to do anything else.
As for the Kindle app, there are a few things you should know. When you try to log in you will get an error message. But if you check your email you will see that Amazon has sent you a one-time-password (OTP). Try that.
Here's where it gets a little complicated. If you have two-factor-verification turned on at Amazon, the OTP may fail. At least one XDA member has reported that if he added the OTP to his regular password, he was able to log in.
My most recent experience went something like this:
1. Try to log in. Get OTP via email.
2. Try OTP. It fails.
3. Check Amazon account...hmm...I don't have two-factor-verification (TFV) turned on. What gives?
4. Turn on TFV.
5. Turn off TFV.
6. Try to log in. Get OTP via email.
7. Try OTP. It works!
I don't have TFV turned on (I don't own a smart phone). But Amazon didn't seem to recognize that until I turned it on and then turned it off.
It would be nice if the other member is correct and you just append the OTP to your regular password to log in. Let us know!

***CLOSED*** [SM-N960U] [Exploit + Guide] Exploit grants system (User: 1000) level shell access

****Moderator Note****
A thread on this topic already exists here. Links have been removed from this one.
In Samsung's TTS app, someone discovered an exploit where the app, using its receiver capabilities, will accept just about any command or information it receives from just about anything. This exploit, so far as I know, has not yet been patched, but does affect a significant number of existing Samsung devices up to the present day, including the Samsung Galaxy Note 9 (SM-N960U) and probably others. Essentially this exploit allows a user to run commands as the system user (User: 1000), which is essentially one user level below root access. I am hoping this exploit will assist us in finding a root method for this device. In the meantime, as system user, you can run any command in a shell that is available to system. Running root commands will not work. I have not yet explored the extent of this exploit's capabilities, but you can change system props, some of which persist a reboot, probably disable some applications as opposed to uninstalling them per user, have full access to the /data directory and the ability to change anything in /data/system/users/0 at the very least. You need a Windows computer in order to perform these operations. It may be possible to do through Linux, but I did not try. This will also allow the LSPosed patch to be installed on the device (a variant of the Xposed framework). Though I am not sure it is required, this will also allow you to use the dial pad on the device to launch pretty much every important Samsung secret code that exists. Using Google to search for Samsung secret codes you can find what you need.
NOTE: I did not create this exploit and I do not claim any authorship or ownership over it. I just got it to work on this device. For reference, further reading and additional details and installation methods, please ***Link removed*** The steps below are the easiest and most basic method.
IMPORTANT: changing some of these props and other settings may cause device instability. In some cases a general factory reset will not change these settings back to your factory settings, so if you screw something up you're going to have to download your device's stock firmware and flash your device using Odin.
1. Go to the Github repository above and download the zip file and extract it to anywhere you want. If you don't have minimal ADB and fastboot installed, you can get it here. Otherwise you'll need to download Google's platform-tools for Windows.
2. Plug your Note 9 into your PC, making sure ADB is authorized on the device.
3. Navigate to the exploit's folder and open a cmd window inside the folder, or place the folder's files in the platform-tools folder and navigate there and open a cmd window. To do this, click on the folder's window, press and hold down the shift key while right-clicking your mouse and select either "open cmd window here" or "open powershell window". Use adb to push the "samsungTTSVULN2.apk" to /data/local/tmp:
Code:
adb push samsungTTSVULN2.apk /data/local/tmp
4. Install "komraids_POC_V1.5.apk" using adb and reboot your Note 9:
Code:
adb install komraids_POC_V1.5.apk
Open the app once. Navigate to Settings, Apps, and select the app. Turn off battery optimizations. Then reboot:
Code:
adb reboot
5. When your Note 9 is completely rebooted (wait a minute or two after turning it back on, before you unlock your device), return to the exploit's or platform-tools folder and run 'systemshell.exe'. When the box pops up, click on 'start shell' and wait for the process to complete. When finished, click on 'reopen running shell'. You should be user: 1000. Run 'id' in that shell and the user should return as user: 1000. If not successful, navigate to the Github repository for other means of installation. Please note you will have to run this process on your device after every reboot.
With this level of access, you can change some system props, launch hidden activities including some debug menus in various apps, as well as other things. From the GitHub repository, some examples of abilities:
- Access to most of /efs: /efs/imei, /efs/sec_efs, /efs/FactoryApp
- Access to most of /data: /data/system, /data/user/0/ANY_SYSTEM_APP
- The "Insthk" bin becomes usable
- Secure Folder/Separated Apps becomes COMPLETELY compromised if you also install the POC in it (UID 150_system)
- Start IOTHidden Menu, DM Mode, Service Mode, Multiple Debugging and hidden menus as well as preconfig in system context
- Change many protected props, such as: setprop persist.service.adb.root 1, setprop sys.hidden.otatest 1, setprop sys.hiddenmenu.enable 1, setprop persist.sys.knox.device_owner true, setprop persist.sys.usb.qxdm.debug 1, setprop persist.service.adb.enable 1, setprop persist.rollback.is_test true, setprop sys.oem_unlock_allowed 1.
Some props I was able to change which persist upon rebooting:
Code:
setprop persist.service.adb.root 1
setprop sys.hiddenmenu.enable 1
setprop persist.service.adb.enable 1
setprop persist.security.ams.enforcing 0
I am hoping with this access we can figure out a way to use it to our advantage to gain root access. I have only ever had this experience once, where we had gained system-level shell access through a debug app accidentally left on an Amazon Fire 10 tablet. That access later progressed to root access, and from my understanding, if we can gain this level of access on the device then it is more than likely there is a way to also gain root access. I would very much like any feedback anybody can provide, and hopefully we can get further along in this. Please post your modifications and other tricks and hacks in this thread so others can follow along.
@DragonFire1024 Please note that a thread already exists on this topic:
***LOCKED UNTIL FURTHER NOTICE*** System Shell Exploit - ALL Samsung Mobile Devices NO BL UNLOCK REQUIRED.
***MODERATOR ANNOUNCEMENT: THREAD CLOSED*** @K0mraid3 you are hereby required to provide proper credit in your OP as follows: Link the assigned CVE for this exploit as it mentions the author's blog and GitHub, OR Link the original research repo...
forum.xda-developers.com
We do not allow multiple threads on the same topic:
5. Create a thread topic or post a message only once, this includes external links & streaming media.
As a large forum, we don't need unnecessary clutter. You're free to edit your message as you like, so if you do not receive an answer, revisit your message and see if you can describe your problem better. Not everyone is online at the same time so it might take a while before you receive an answer.
You can bump your unanswered question once every 24 hours
Duplicate threads and posts will be removed
Always post in an existing thread if a topic already exists, before creating a new thread.
Use our search function to find the best forum for your device.
Links to an external source are only allowed if relevant to the topic in hand. A description must be included, no copy & pasting from the original source.
I am closing this thread.
If you or someone else working on the project would like to have an open thread to discuss this topic, please refer to the original. However, I expect you to read the warnings I have posted, as the exploit covered must be credited to the individual who discovered it.
