Man
Professional
- Messages
- 3,070
- Reaction score
- 605
- Points
- 113
Many smartphone users are familiar with such concepts as "linking to an account". Different smartphone vendors have their own mechanisms to protect smartphones from theft: Apple has FMI, Xiaomi has Mi Cloud, and Google has FRP. However, Android has a long-standing vulnerability that allows you to bypass almost any smartphone on a "clean" system, even with a link to a Google account. Recently, a well-known YouTube blogger MaddyMurk wrote to me and offered to give me an AGM H3 armored smartphone with a Google account, which he could not reset. I decided to prepare a detailed article about holes in Android protection and in practice bypass FRP on a smartphone that "hung" on activation. Today we will find out: why Android smartphones are so easy to bypass, what methods exist and why such a practice is impossible on Apple devices. Interested? Waiting for you under the cut!
Back in the 2000s, there was no link to accounts for phones. Devices were stolen left and right: I'm not sure about other countries, but in the CIS, unfortunately, this practice was very well developed. Devices were protected at most by a PIN code, which the phone could request when changing the SIM card, but even this could be bypassed using the so-called "master codes", which were calculated on special sites in various service centers. On some phones, a simple reflash helped - and here, the device was sent back to the used market to be sold to its new owner, absolutely clean and probably reassembled in a new Chinese case. And it doesn't matter that the IMEI of the device has long been listed as stolen!
Sometimes, a kind of protection was provided by the rarity of the phone's hardware platform. For example, the French Sagem, which were quite popular in the Russian Federation in the mid-2000s, were almost never serviced, despite the presence of programmers on the market. Changing the IMEI was often impossible - on Nokia phones, for example, the so-called certificates for activating the radio module and booting the phone are stored in the internal memory. If they were damaged during a crooked firmware update or someone tried to forge them, the phone would no longer turn on without generating a new certificate for money on a special site. At all.
The only exception I know of is Chinese phones on the MediaTek platform (push-button Fly, Explay, etc.) - there, the IMEI can be changed to some other one. At least from the sevens
One of the first and benchmark implementations of linking a smartphone to an account was presented by Apple with the release of the iPhone 4. In addition to logging into a regular iCloud account, the user could enable the Find My iPhone function, which allowed finding the smartphone in case of theft. In addition to searching for a lost device, the enabled FMI requests the username and password when resetting the smartphone to factory settings (or reflashing). And here lies the main trick of the implementation of "apple": all Apple devices that come off the assembly line and pass quality control are entered into a certain database, which stores a bunch of several hardware identifiers: a unique processor ID, which is "burned" at the factory and remains nchanged forever, a unique modem ID (here I can't say exactly what the identifier is - most likely IMEI) and probably something else. If the identifier of at least one module does not match what is stored in the Apple database, the device will hang on an activation error!
There is even an interesting story connected with this: iPhone 4/4s suffered from modem failures, which is why workshops got the hang of replacing them from donor devices, without re-rolling the entire assembly together with the processor and memory. With the arrival of some iOS update, Apple tightened the activation rules and many fully functional iPhones hung on an activation error.
Despite the reference implementation, FMI can be bypassed if the device has a jailbreak, which can be done before access to the main screen (for example, checkra1n). However, the mobile network and calls will not work - to activate the modem, you need a unique token generated by the Apple Albert activation server. However, someone was still able to reverse the mechanism of the activation server and start the modem on "bypassed" devices ...
On Android devices, the situation is completely different: for a long time, the openness of smartphones ruled the roost, which allowed modifying devices as you wish - porting fresh versions of Android, making custom firmware with various goodies and optimizations. For a long time, people did not know what a secure boot (locked bootloader) was and how to use it...
Due to the total openness of Android smartphones, no one really bothered with a serious connection to cloud services: devices with a pin code or graphic key could easily be reset to factory settings via recovery... until the release of Android Lolipop!
In the "five", Google attempted to protect devices from reset via recovery using the FRP mechanism - Factory Reset Protection, which requests a Google account if the device has not been reset using the corresponding item in the settings . The function was implemented extremely simply, without any hardware bindings: on MediaTek and Spreadtrum devices, it was enough to fill a certain section of memory with zeros using a proprietary flasher, and sometimes logging into an account could be bypassed with various operating system bugs. On older versions of Android, you could simply set the property that is responsible for displaying the activation window using adb or a terminal:
The point was that Android at the activation stage simply makes the curtain inactive and hides the virtual home/menu buttons. In fact, applications can send any Intent ("actions" in Android terminology) to the system and open any applications on top of the activation window, without any restrictions. If you restart the activation application, then a full-fledged "home" button and "multitasking" appeared. Thus, with simple manipulations, on Samsung smartphones (the entire A and J series, until 2017) you could go to the browser and then to the settings using the voice assistant, on Asus smartphones with the help of the smart TouchPal keyboard you could open the settings and reset the device to factory settings in a couple of clicks, and in Xiaomi smartphones it was possible to write youtube.com in some text field , hold your finger on it and open the corresponding application, from where you can get to the settings again ... There are really many options!
Recently, a well-known YouTube blogger, MaddyMurk, wrote to me and told me an interesting story: he found an AGM H3 "armored car" that had been lying in the snow and mud for several months, absolutely useless to anyone. Despite the difficult conditions, the device fully justified its armored status and remained completely alive and well! However, the device was hanging on the graphic key and Misha, out of old habit, decided to reset it to factory settings, hoping that the owner had not logged into his Google account. After the reset, the device hung on activation and Misha asked me what could be done with it. As a result, he offered to send the device to me: "maybe you can revive it." In addition to the AGM, Mikhail sent me a bunch of other goodies: several Siemens and Sonics, a bunch of spare parts for the iPhone 4-5, a camera and his own branded cassette with music - for which I thank him.)
However, the material would be incomplete if I did not show in practice how you can bypass a completely unknown device for which there are no guides on bypassing activation - and thus did not show you how "leaky" the protection against theft is in Android with Google services... Let's move on to practice!
After switching on, the system greets us with a proposal to go through the initial setup. After connecting to Wi-Fi, we are greeted by a window asking us to log into an account or enter the graphic key of the previous owner.
Our task: to exit the authorization screen into some application, from where you can open the browser built into the system. There are a lot of options: on some devices, as already mentioned, you can open links by simply selecting them (thus, you need to open YouTube or another site with an associated application in the system). Of those that I noticed: the Google Photos application and YouTube are the best. My smartphone had a hardware camera button on the left, which immediately opened the corresponding application. Hoba: we take a photo of something, click on the photo preview and get to Google Photos!
The device was actively used before me and the protective glass for the cameras was well rubbed - that's why the photo is so blurry.
Now we need to press "share object" and press "search for photo in Google". It is better to photograph something specific: for example, another smartphone or a TV. I took a picture of the video card box and used the lens to find a review of it on YouTube. Of course, Google Search suggested that I open the YouTube app to watch it!
After that, we need to open the side menu, tap on "Settings" and try to open some link: for example, a license for open source software. You need to do this quickly - otherwise YouTube will start complaining that the version is outdated and the smartphone will have to be bypassed again! After that, the smartphone offers us to open a full browser.
Are you already running to download some launcher and open the settings? No way — Google has foreseen this nuance. You won’t be able to install anything from the downloaded — the package manager doesn’t work without activation. At all. Therefore, we go to Chrome settings -> Notifications and tap on the application logo icon. We are already in the settings!
There is no point in resetting the device now: the smartphone will hang on activation again (reset will work on devices with Android up to and including 7). However, there is a funny nuance: if you disable Google services in time, the activation application will simply start to think that we are activating a NEW device without a SIM card and will offer... to skip a step! How funny
Find applications with names like "system settings" (except for the Settings application itself) and disable them all and enable them again: all three navigation buttons will appear at the bottom and the task manager will be available for a more convenient activation process. If your device has some kind of Assistive Touch, it will also work.
Now disable Google services and switch to system settings. Click "Next" and wait a couple of seconds, but do not wait for an error from Google services. We immediately go to the settings and turn Google services back on: as a result, at one point the services will consider that we are “offline” and the treasured “skip login” button will appear. It may not work the first time. After that, the device will completely “forget” the data of the previous owner and we will be able to log into our account without any problems.
If after this you cannot install applications from regular APK packages, then there are two possible solutions: reset the device to factory settings again, or install applications using adb - this option also works quite well:
You can safely log into your Google account.
Now the device is fully functional! You can't do a retrospective about it: the device is relatively fresh, runs on the current version of Android and has pretty good hardware under the hood:
Overall, pretty good specs for a modern budget phone with a nice bonus in the form of armor. If there's one thing the device's "bulletproof vest" has clearly withstood a lot
Maybe one of my readers has lost it?
Today we have looked at some basic principles of protecting various smartphones from theft and hijacking, and also bypassed the poor "Google protection" in practice. However, this is by no means a call to action: bypass only your own smartphones in this way, the accounts for which you have ever lost.
This is not a universal guide and the specific order of actions may differ from the Android version and even from the shell versions. But I explained why activation can be bypassed using OS bugs and described in general principles why Google protection is so bad. What do you think about this?
Source
❯ What types of “bindings” are there?
Back in the 2000s, there was no link to accounts for phones. Devices were stolen left and right: I'm not sure about other countries, but in the CIS, unfortunately, this practice was very well developed. Devices were protected at most by a PIN code, which the phone could request when changing the SIM card, but even this could be bypassed using the so-called "master codes", which were calculated on special sites in various service centers. On some phones, a simple reflash helped - and here, the device was sent back to the used market to be sold to its new owner, absolutely clean and probably reassembled in a new Chinese case. And it doesn't matter that the IMEI of the device has long been listed as stolen!
Sometimes, a kind of protection was provided by the rarity of the phone's hardware platform. For example, the French Sagem, which were quite popular in the Russian Federation in the mid-2000s, were almost never serviced, despite the presence of programmers on the market. Changing the IMEI was often impossible - on Nokia phones, for example, the so-called certificates for activating the radio module and booting the phone are stored in the internal memory. If they were damaged during a crooked firmware update or someone tried to forge them, the phone would no longer turn on without generating a new certificate for money on a special site. At all.
The only exception I know of is Chinese phones on the MediaTek platform (push-button Fly, Explay, etc.) - there, the IMEI can be changed to some other one. At least from the sevens
One of the first and benchmark implementations of linking a smartphone to an account was presented by Apple with the release of the iPhone 4. In addition to logging into a regular iCloud account, the user could enable the Find My iPhone function, which allowed finding the smartphone in case of theft. In addition to searching for a lost device, the enabled FMI requests the username and password when resetting the smartphone to factory settings (or reflashing). And here lies the main trick of the implementation of "apple": all Apple devices that come off the assembly line and pass quality control are entered into a certain database, which stores a bunch of several hardware identifiers: a unique processor ID, which is "burned" at the factory and remains nchanged forever, a unique modem ID (here I can't say exactly what the identifier is - most likely IMEI) and probably something else. If the identifier of at least one module does not match what is stored in the Apple database, the device will hang on an activation error!
There is even an interesting story connected with this: iPhone 4/4s suffered from modem failures, which is why workshops got the hang of replacing them from donor devices, without re-rolling the entire assembly together with the processor and memory. With the arrival of some iOS update, Apple tightened the activation rules and many fully functional iPhones hung on an activation error.
Despite the reference implementation, FMI can be bypassed if the device has a jailbreak, which can be done before access to the main screen (for example, checkra1n). However, the mobile network and calls will not work - to activate the modem, you need a unique token generated by the Apple Albert activation server. However, someone was still able to reverse the mechanism of the activation server and start the modem on "bypassed" devices ...
On Android devices, the situation is completely different: for a long time, the openness of smartphones ruled the roost, which allowed modifying devices as you wish - porting fresh versions of Android, making custom firmware with various goodies and optimizations. For a long time, people did not know what a secure boot (locked bootloader) was and how to use it...
Due to the total openness of Android smartphones, no one really bothered with a serious connection to cloud services: devices with a pin code or graphic key could easily be reset to factory settings via recovery... until the release of Android Lolipop!
In the "five", Google attempted to protect devices from reset via recovery using the FRP mechanism - Factory Reset Protection, which requests a Google account if the device has not been reset using the corresponding item in the settings . The function was implemented extremely simply, without any hardware bindings: on MediaTek and Spreadtrum devices, it was enough to fill a certain section of memory with zeros using a proprietary flasher, and sometimes logging into an account could be bypassed with various operating system bugs. On older versions of Android, you could simply set the property that is responsible for displaying the activation window using adb or a terminal:
Code:
content insert --uri content://settings/secure --bind name:s:user_setup_complete --bind value:s:1The point was that Android at the activation stage simply makes the curtain inactive and hides the virtual home/menu buttons. In fact, applications can send any Intent ("actions" in Android terminology) to the system and open any applications on top of the activation window, without any restrictions. If you restart the activation application, then a full-fledged "home" button and "multitasking" appeared. Thus, with simple manipulations, on Samsung smartphones (the entire A and J series, until 2017) you could go to the browser and then to the settings using the voice assistant, on Asus smartphones with the help of the smart TouchPal keyboard you could open the settings and reset the device to factory settings in a couple of clicks, and in Xiaomi smartphones it was possible to write youtube.com in some text field , hold your finger on it and open the corresponding application, from where you can get to the settings again ... There are really many options!
Recently, a well-known YouTube blogger, MaddyMurk, wrote to me and told me an interesting story: he found an AGM H3 "armored car" that had been lying in the snow and mud for several months, absolutely useless to anyone. Despite the difficult conditions, the device fully justified its armored status and remained completely alive and well! However, the device was hanging on the graphic key and Misha, out of old habit, decided to reset it to factory settings, hoping that the owner had not logged into his Google account. After the reset, the device hung on activation and Misha asked me what could be done with it. As a result, he offered to send the device to me: "maybe you can revive it." In addition to the AGM, Mikhail sent me a bunch of other goodies: several Siemens and Sonics, a bunch of spare parts for the iPhone 4-5, a camera and his own branded cassette with music - for which I thank him.
)However, the material would be incomplete if I did not show in practice how you can bypass a completely unknown device for which there are no guides on bypassing activation - and thus did not show you how "leaky" the protection against theft is in Android with Google services... Let's move on to practice!
❯ Bypassing activation with bugs
After switching on, the system greets us with a proposal to go through the initial setup. After connecting to Wi-Fi, we are greeted by a window asking us to log into an account or enter the graphic key of the previous owner.
Our task: to exit the authorization screen into some application, from where you can open the browser built into the system. There are a lot of options: on some devices, as already mentioned, you can open links by simply selecting them (thus, you need to open YouTube or another site with an associated application in the system). Of those that I noticed: the Google Photos application and YouTube are the best. My smartphone had a hardware camera button on the left, which immediately opened the corresponding application. Hoba: we take a photo of something, click on the photo preview and get to Google Photos!
The device was actively used before me and the protective glass for the cameras was well rubbed - that's why the photo is so blurry.
Now we need to press "share object" and press "search for photo in Google". It is better to photograph something specific: for example, another smartphone or a TV. I took a picture of the video card box and used the lens to find a review of it on YouTube. Of course, Google Search suggested that I open the YouTube app to watch it!
After that, we need to open the side menu, tap on "Settings" and try to open some link: for example, a license for open source software. You need to do this quickly - otherwise YouTube will start complaining that the version is outdated and the smartphone will have to be bypassed again! After that, the smartphone offers us to open a full browser.
Are you already running to download some launcher and open the settings? No way — Google has foreseen this nuance. You won’t be able to install anything from the downloaded — the package manager doesn’t work without activation. At all. Therefore, we go to Chrome settings -> Notifications and tap on the application logo icon. We are already in the settings!
There is no point in resetting the device now: the smartphone will hang on activation again (reset will work on devices with Android up to and including 7). However, there is a funny nuance: if you disable Google services in time, the activation application will simply start to think that we are activating a NEW device without a SIM card and will offer... to skip a step! How funny
Find applications with names like "system settings" (except for the Settings application itself) and disable them all and enable them again: all three navigation buttons will appear at the bottom and the task manager will be available for a more convenient activation process. If your device has some kind of Assistive Touch, it will also work.
Now disable Google services and switch to system settings. Click "Next" and wait a couple of seconds, but do not wait for an error from Google services. We immediately go to the settings and turn Google services back on: as a result, at one point the services will consider that we are “offline” and the treasured “skip login” button will appear. It may not work the first time. After that, the device will completely “forget” the data of the previous owner and we will be able to log into our account without any problems.
If after this you cannot install applications from regular APK packages, then there are two possible solutions: reset the device to factory settings again, or install applications using adb - this option also works quite well:
You can safely log into your Google account.
Now the device is fully functional! You can't do a retrospective about it: the device is relatively fresh, runs on the current version of Android and has pretty good hardware under the hood:
- Chipset: Helio P22 with PowerVR GE8320 GPU, with 8 Cortex-A53 cores, 4 of which operate at a frequency of up to 2 GHz, and the remaining 4 up to 1.5 GHz.
- RAM: 4GB
- Memory: 64GB
- Display: 5.7 IPS-matrix. Not the fastest, of course, but quite good.
- Battery: 5400mAh. Quite energetic.
- OS: Android 11
Overall, pretty good specs for a modern budget phone with a nice bonus in the form of armor. If there's one thing the device's "bulletproof vest" has clearly withstood a lot
Maybe one of my readers has lost it?
❯ Conclusion
Today we have looked at some basic principles of protecting various smartphones from theft and hijacking, and also bypassed the poor "Google protection" in practice. However, this is by no means a call to action: bypass only your own smartphones in this way, the accounts for which you have ever lost.
This is not a universal guide and the specific order of actions may differ from the Android version and even from the shell versions. But I explained why activation can be bypassed using OS bugs and described in general principles why Google protection is so bad. What do you think about this?
Source
