Big Android Security Hole: Why Are Green Robot Smartphones Prone to Theft?

Tomcat



Many smartphone users are familiar with the concept of “linking to an account.” Various smartphone vendors have their own mechanisms to protect smartphones from theft: Apple has FMI, Xiaomi has Mi Cloud, and Google has FRP. However, Android has a long-standing weakness that allows almost any smartphone running a “clean” (stock) system to be bypassed, even one linked to a Google account. Recently, the well-known YouTube blogger MaddyMurk wrote to me and offered to give away an AGM H3 rugged (“armored”) smartphone that was locked to a Google account and which he could not reset. I decided to prepare a detailed article about the holes in Android security and, in practice, bypass FRP on a smartphone that was stuck at activation. Today we will find out why Android smartphones are so easy to bypass, what techniques exist, and why this practice is impossible on Apple devices. Interested? I'm waiting for you under the cut!

What types of “bindings” are there?

Back in the 2000s, there was no linking of phones to accounts at all. Devices were stolen left and right: I’m not sure about other countries, but in the CIS, unfortunately, this practice was very well developed. At most, a device was protected by a PIN code, which the phone could request when the SIM card was changed, but even this could be bypassed using so-called “master codes”, which were calculated on special websites or in various service centers. On some phones a simple reflash was enough, and so the device went back onto the used market for sale to a new owner, absolutely clean and probably reassembled into a new Chinese case. And it didn’t matter that the device's IMEI had long been listed as stolen!



Sometimes, the rarity of the phone's hardware platform provided a kind of protection. For example, the French Sagem phones, which were quite popular in the Russian Federation in the mid-2000s, were practically not serviced by anyone, despite the presence of flashing tools on the market. Changing the IMEI was often impossible: Nokia phones, for example, used so-called certificates for activating the radio module and booting the phone. If they were damaged during a firmware update or someone tried to fake them, the phone would no longer turn on without a new certificate being generated, for money, on a special website. At all.
The only exception I know of are Chinese phones on the MediaTek platform (Fly, Explay push-button devices, etc.): there the IMEI can easily be changed to an arbitrary value. You could even make yourself one out of all sevens :)



One of the first and reference implementations of linking a smartphone to an account was introduced by Apple with the release of the iPhone 4. In addition to logging into a regular iCloud account, the user could enable the Find My iPhone function, which made it possible to locate the smartphone in case of theft. Beyond searching for a lost device, enabled FMI requests the user's login and password when resetting the smartphone to factory settings (or flashing it). And here lies the main feature of Apple's implementation: every Apple device that comes off the assembly line and passes quality control is entered into a database where a set of several hardware identifiers is stored: a unique processor ID, which is “burned in” at the factory and remains unchanged forever, a unique modem ID (here I won’t say exactly which identifier it is, most likely the IMEI) and probably something else. If the identifier of even one module does not match what is stored in the Apple database, the device will be stuck with an activation error!



There is even an interesting story connected with this: the iPhone 4/4s suffered from modem failures, which is why workshops got used to replacing the modem from donor devices, without transplanting the entire assembly along with the processor and memory. With the arrival of some iOS update, Apple tightened the activation rules and many fully functional iPhones were left stuck with an activation error.
Despite the reference implementation, FMI can be bypassed if the device has a jailbreak that can be applied before reaching the home screen (for example checkra1n). However, the mobile network and calls will not work: to activate the modem you need a unique token that is generated by Apple's Albert activation server. Nevertheless, someone still managed to reverse the activation server mechanism and get the modem working on “bypassed” devices...



On Android devices, the situation is completely different: here, for a long time, the openness of smartphones ruled the roost, which made it possible to modify devices in any way: porting the latest versions of Android, making custom firmware with various goodies and optimizations. For a long time, people didn’t know what secure boot (a locked bootloader) was or what it was used for...
Because Android smartphones were so open, no one really bothered with a serious connection to cloud services: devices protected by a PIN code or pattern lock could be factory reset via recovery without any problems... until the release of Android Lollipop!



In Android 5, Google made an attempt to protect devices from being reset through recovery using the FRP mechanism, Factory Reset Protection, which requests the Google account if the device was not reset using the corresponding item in the settings. The function was implemented extremely simply, without any hardware binding: on MediaTek and Spreadtrum devices it was enough to fill a certain memory partition with zeros using a proprietary flasher, and sometimes the account login could be bypassed through various operating system bugs. On older versions of Android, you could use adb or a terminal to simply set the setting that is responsible for showing the activation window:

Code:
content insert --uri content://settings/secure --bind name:s:user_setup_complete --bind value:s:1

The point is that Android, at the activation stage, simply disables the notification shade and hides the virtual home/menu buttons. In fact, applications can send any Intent (“actions” in Android terminology) to the system and open any application on top of the activation window, without any restrictions. If you restarted the activation application, full-fledged “home” and “recents” buttons appeared. Thus, with simple manipulations, on Samsung smartphones (all A and J series until 2017) you could get into the browser and then into the settings using the voice assistant; on Asus smartphones, using the TouchPal smart keyboard, you could open the settings and reset the device to factory settings in a couple of taps; and on Xiaomi smartphones it was possible to type youtube.com in some text field, long-press it and open the corresponding application, from where you could get back to the settings... There are really a lot of options!



Recently, a well-known YouTube blogger, MaddyMurk, wrote to me and told me an interesting story: he found an AGM H3 “armored car” that had been lying around in the snow and mud for several months, of no use to anyone. Despite the harsh conditions, the device fully justified its armored status and remained completely alive and intact! However, the device was locked with a pattern lock and Misha, out of old habit, decided to reset it to factory settings, in the hope that the owner was not logged into a Google account. After the reset, the device got stuck at activation and Misha asked me what could be done with it. As a result, he offered to send the device to me: “maybe you can revive it.” In addition to the AGM, Mikhail sent me a bunch of other goodies: several Siemens and Sony Ericsson phones, a bunch of spare parts for the iPhone 4-5, a camera and his branded cassette with music, for which I thank him. :))

However, the material would be incomplete if I didn’t show in practice how you can bypass a completely unknown device, for which there are no guides on bypassing activation, and thereby show you how “leaky” the anti-theft protection is on Android with Google services... Let's move on to practice!

Bypassing activation with bugs

After turning on, the system greets us with an offer to go through the initial setup. After connecting to Wi-Fi, we are greeted by a window asking us to log into our account or enter the graphic key of the previous owner.

Our task: get out of the login screen into some application from which you can open the browser built into the system. There are a lot of options: on some devices, as already mentioned, you can open links simply by highlighting them (so you need to open YouTube or another site that has an associated application on the system). From what I've noticed, the Google Photos app and YouTube work best. My smartphone had a hardware camera button on the left, which immediately opened the corresponding application. Presto: we take a photo of something, tap the photo thumbnail and end up in Google Photos!



The device was actively used before me and the protective glass for the cameras was well worn - that’s why the photo is so cloudy.

Now we need to tap “share” and then “search photo on Google”. It's better to photograph something specific: for example, another smartphone or a TV. I photographed a video card box and, through Lens, found a review of it on YouTube. Of course, Google Search suggested I open the YouTube app to watch it!

After this, we need to open the side menu, tap “Settings” and try to open some link: for example, the open-source software licenses. This needs to be done quickly, otherwise YouTube will start complaining that the version is outdated and the smartphone will have to be updated! After this, the smartphone prompts us to open a full-fledged browser.

Are you already rushing to download some launcher and open the settings? Not so fast: Google foresaw this nuance. You will not be able to install anything you download; the package manager does not work without activation. At all. Therefore, we go to Chrome settings -> Notifications and tap the application logo icon. We're already in the settings!

Now there is no point in resetting the device: the smartphone will get stuck at activation again (the reset works on devices with Android up to 7 inclusive). However, there is a funny nuance: if you disable Google services at the right moment, the activation application will simply assume that we are activating a NEW device without a SIM card and will offer... to skip the step! How funny :)

We find applications with names like “System settings” (except for the Settings application itself) and disable them all and turn them on again: we will get all three navigation buttons at the bottom and the task manager will be available for a more convenient activation process. If your device has some kind of Assistive Touch, that will work too.

Now we disable Google services and switch to the system settings. Tap “Next” and wait a couple of seconds, but do not wait for the Google services error. We immediately go to the settings and turn Google services back on: as a result, at some point the services will assume that we are “offline” and the treasured “skip login” button will appear. It may not work the first time. After this, the device will completely “forget” the previous owner's data and we will be able to log into our own account without any problems. :)

If after this you cannot install applications from regular APK packages, there are two solutions: reset the device to factory settings again, or install applications using adb; this option also works quite well:

You can safely log into your Google Account.

The device is now fully operational! You can’t write a retrospective about it: the device is relatively new, runs on a current version of Android and has very good hardware under the hood:
  • Chipset: Helio P22 with a PowerVR GE8320 GPU and 8 Cortex-A53 cores, 4 of which run at up to 2GHz and the remaining 4 at up to 1.5GHz.
  • RAM: 4GB
  • Storage: 64GB
  • Display: 5.7-inch IPS panel. Not the fastest, of course, but quite okay.
  • Battery: 5400mAh. Very cheerful.
  • OS: Android 11

In general, very good characteristics for a modern budget device, with a pleasant bonus in the form of armor. The device's “body armor” has clearly withstood a lot :)
Perhaps one of my readers lost it at some point?

Conclusion

Today we looked at some basic principles of protecting various smartphones from theft, and also bypassed the poor “Google protection” in practice. However, this is by no means a call to action: in this way, bypass only your own smartphones whose account credentials you have lost. :)

This is not a universal guide and the specific procedure may differ depending on the Android version and even the vendor skin. But I told you why OS bugs can bypass activation and described in general terms why Google’s protection is so weak. What do you think about this?