Let's talk about bypassing Samsung screen lock with FRP:ON

mshibo
(@mshibo)
Junior Member

So, I recently had that case (Samsung J105H, pattern lock, FRP ON) where the client needs the data from the phone.
So, I went to Google and surprisingly, I could easily find a very easy solution for it.
It's a modified (I believe) one-package firmware that after you flash via Odin everything will be as it was but with no lock screen at all.
Here is the topic for it https://the-hellteam.com/2017/12/28/%D9%81%D9%83-%D9%82%D9%81%D9%84-%D8%A7%D9%84%D8%B4%D8%A7%D8%B4%D8%A9-sm-j105h-%D8%A8%D8%AF%D9%88%D9%86-%D8%AD%D8%B0%D9%81-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-frpon-%D8%A8%D8%AF%D9%88/
So, we all know that you can't flash any modified images to the phone with FRP ON, since the bootloader will check the signature and then refuse those images. Now we want to understand this process more and see if it's applicable to more Samsung devices.
Posted : 03/05/2018 2:40 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Did you test the solution? What were the results?

Posted : 03/05/2018 2:57 pm
mshibo
(@mshibo)
Junior Member

I tested it myself and it's 100% working. After flashing the firmware, I found no lock screen, but there was a side effect: the background was all black and I noticed some lag and FC messages. It isn't a problem, since I could access the data on the phone, which is the main purpose.
Posted : 03/05/2018 3:16 pm
mcman
(@mcman)
Active Member

Sounds like you flashed a trusted boot image to the device, which is a pretty common method to bypass bootloader-locked devices. The boot image is likely signed (aka trusted) by Samsung, which allows the phone to recognize it as trusted, avoiding the problem with regular recovery images, which are not signed. If you do some digging around engineering boot images you should probably find a lot of info.

Jamie

Posted : 03/05/2018 3:40 pm
Thomass30
(@thomass30)
Active Member

This topic is very interesting. I would love to get more info about it.

I have a Samsung J5 (SM-J510FN) with pattern lock screen and FRP Lock On.
I can't flash TWRP because of that.
Posted : 03/05/2018 7:54 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Engineering boot images usually work, but it matters a lot if the sources for getting them are reliable or not.

In case of a "mistake" your data is gone, so I don't recommend this, except to people who really know what they are doing!!!
Posted : 03/05/2018 8:11 pm
mcman
(@mcman)
Active Member

> Engineering boot images usually work, but it matters a lot if the sources for getting them are reliable or not.
>
> In case of a "mistake" your data is gone, so I don't recommend this, except to people who really know what they are doing!!!

Agree completely, lots of questionable sources and not something I would just throw on a phone that is considered evidence before testing on another device.

Jamie

Posted : 03/05/2018 8:30 pm
qassam22222
(@qassam22222)
Active Member

Read about sboot.img … you can bypass it by flashing sboot.img or by Z3x box.
But be careful when you're flashing sboot.img, it's very dangerous, your phone may be dead.
Sorry, I don't have time to write full details, I am travelling to Russia …
Good luck.
Posted : 03/05/2018 9:00 pm
mshibo
(@mshibo)
Junior Member

> Engineering boot images usually work, but it matters a lot if the sources for getting them are reliable or not.
>
> In case of a "mistake" your data is gone, so I don't recommend this, except to people who really know what they are doing!!!
>
> Agree completely, lots of questionable sources and not something I would just throw on a phone that is considered evidence before testing on another device.
>
> Jamie

I totally agree too, and if I'm going to do so, I always prefer to test with another device first, for example, and make sure everything is OK.
Posted : 03/05/2018 11:29 pm
mshibo
(@mshibo)
Junior Member

> Read about sboot.img … you can bypass it by flashing sboot.img or by Z3x box.
> But be careful when you're flashing sboot.img, it's very dangerous, your phone may be dead.
> Sorry, I don't have time to write full details, I am travelling to Russia …
> Good luck.

Well, the sboot method is kinda old now and it has been patched in a lot of devices, and even for most old devices too, as they've got new updates with new security. I used it before and it was working well, but now I believe it's useless.

Good luck to you in whatever you're doing in Russia. It's a beautiful country and maybe I'll meet you there after one year as I'm moving there 😉

Posted : 03/05/2018 11:31 pm
Thomass30
(@thomass30)
Active Member

@mshibo
What is the difference between that "one-package firmware" that you flashed and the standard firmware for the device model? Is it some modified firmware or what?
Posted : 04/05/2018 7:22 am
arcaine2
(@arcaine2)
Active Member

> Well, the sboot method is kinda old now and it has been patched in a lot of devices, and even for most old devices too, as they've got new updates with new security. I used it before and it was working well, but now I believe it's useless.

There are 2 different issues here. Flashing an older sboot would allow using some bootloader exploit, but not much beside it. It's also limited by the "binary" version since the S6, which is why it's not possible to downgrade it too much, but that also lowers the chance of bricking the device.

Flashing a patched boot would allow disabling or removing the usercode, enabling adb and doing any other nice stuff, but there is FRP, and engineering boot images usually only have ADB enabled (still requires authorization) and are sometimes rooted, but do not remove the usercode in my experience.

It is actually weird that flashing this firmware, which contains boot, recovery and system images, removes the code. I checked it against the same stock firmware version, unpacked all 3 images, and both boot.img and recovery.img are the same as in the stock firmware, so it's not even an engineering ROM. system.img differs (so FRP should block writing it, right?), but once unpacked there seem to be a couple of changes in build.prop only, and those are insignificant. They changed the codename, all_codenames, security_patch and model strings to their team name (same as the website address). Nothing else was changed from what I see. If it works, then it seems to be some kind of bug rather than a solution that can be used on different models or variants.

There is a box/tool (BMT PRO) that is supposedly able to patch firmware to remove the usercode on a couple of new Samsung phones (A3 2016, J7 2016 and 2017, S7 etc.) despite FRP on, OEM unlocking off and without tripping Knox. No idea if or how well it works.
Posted : 05/05/2018 10:26 pm
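The comparison arcaine2 describes above (hash the unpacked partition images against the matching stock package, then diff build.prop) is the kind of check an examiner would want to run before a third-party package ever touches an evidence device. The script below is an added example written for this page; it is not code from the thread, from Samsung or from any of the tools mentioned. It assumes the images have already been extracted to bytes and build.prop to text, and the firmware bytes and build.prop contents it embeds are constructed stand-ins, not real firmware.

```python
"""Compare a third-party firmware package against the stock package for the same model:
hash each partition image to see which ones really differ, then diff build.prop keys.

All sample data below is constructed for this example; it is not real Samsung firmware.
Assumed input layout: {partition name: image bytes} for each package, plus the
extracted build.prop text for each package.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image blob, so the report can cite a verifiable value."""
    return hashlib.sha256(data).hexdigest()


def compare_images(stock: dict, candidate: dict) -> dict:
    """Return {partition: 'same' | 'differs' | 'missing-in-stock' | 'missing-in-candidate'}."""
    result = {}
    for name in sorted(set(stock) | set(candidate)):
        if name not in stock:
            result[name] = "missing-in-stock"
        elif name not in candidate:
            result[name] = "missing-in-candidate"
        elif sha256_hex(stock[name]) == sha256_hex(candidate[name]):
            result[name] = "same"
        else:
            result[name] = "differs"
    return result


def parse_build_prop(text: str) -> dict:
    """Parse build.prop lines of the form key=value, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def diff_build_prop(stock_text: str, candidate_text: str) -> dict:
    """Return {key: (stock value or None, candidate value or None)} for every key that changed."""
    stock = parse_build_prop(stock_text)
    candidate = parse_build_prop(candidate_text)
    changed = {}
    for key in sorted(set(stock) | set(candidate)):
        if stock.get(key) != candidate.get(key):
            changed[key] = (stock.get(key), candidate.get(key))
    return changed


def report(stock_images, candidate_images, stock_prop, candidate_prop) -> dict:
    """Bundle both comparisons so the examiner sees at a glance what the package changes."""
    return {
        "images": compare_images(stock_images, candidate_images),
        "build_prop": diff_build_prop(stock_prop, candidate_prop),
    }


# --- constructed sample data (stand-ins, not real firmware) ---
STOCK_IMAGES = {
    "boot.img": b"BOOTIMG stock kernel+ramdisk",
    "recovery.img": b"RECOVERY stock",
    "system.img": b"SYSTEM stock filesystem",
}
CANDIDATE_IMAGES = {
    "boot.img": b"BOOTIMG stock kernel+ramdisk",      # unchanged, as in the thread
    "recovery.img": b"RECOVERY stock",                 # unchanged, as in the thread
    "system.img": b"SYSTEM filesystem with edited build.prop",
}
STOCK_BUILD_PROP = """# constructed sample
ro.product.model=SM-J105H
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.security_patch=2017-01-01
"""
CANDIDATE_BUILD_PROP = """# constructed sample: strings replaced with a placeholder team name
ro.product.model=EXAMPLE-TEAM
ro.build.version.codename=EXAMPLE-TEAM
ro.build.version.all_codenames=EXAMPLE-TEAM
ro.build.version.security_patch=EXAMPLE-TEAM
"""

if __name__ == "__main__":
    r = report(STOCK_IMAGES, CANDIDATE_IMAGES, STOCK_BUILD_PROP, CANDIDATE_BUILD_PROP)
    for part, status in r["images"].items():
        print(f"{part}: {status}")
    for key, (old, new) in r["build_prop"].items():
        print(f"build.prop {key}: {old!r} -> {new!r}")
```

Run against real extracted packages, a report that shows only cosmetic build.prop edits while boot.img and recovery.img hash identical to stock is exactly the finding arcaine2 reports, and it is a reason to treat any unlock effect as an unexplained bug rather than a reproducible method; a report that shows boot.img or recovery.img differing is a reason to stop and find out why before testing on a non-evidence device.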
RolfGutmann
(@rolfgutmann)
Community Legend

I ask myself on what assumptions I would eTrust. This post is an obstacle, I know, but nobody wants to face the problem of eTrust.

It's not only my problem. It's everyone's problem. But pushed aside. I want to solve it.

Posted : 07/05/2018 10:34 am