Featured

It’s a Hack! Part Deux

In today’s hack, we take a look at a slightly newer tablet than last time, and find out just how much more difficult it is to crack open an Android 7.1 “Nougat” device than it was just 2 major-OS-versions ago.

Spoiler-alert: I did NOT actually end up successfully removing the FRP lock. Instead, I insisted that the owner try harder to find the appropriate Google account info for the device. Which they did, thank God. I am currently waiting on them to set aside some time to walk through the remaining recovery steps.

N.
[Image: “Samsung tablet FRP bypass — easy way” quote] Spoiler-alert #2: THERE IS NO “EASY WAY”.

So instead of actually hacking (removing the FRP lock), this is simply a link-dump that gives credit to the sources that helped me get the tablet back to a usable state.

Brief Overview

Now, you may be wondering, how is this useful? Well, dear reader, allow me to explain.

  • Scenario A: You need to factory-reset your tablet, but it’s been borked/bricked by some strange 3rd-party firmware or a bad update.
  • Scenario B: Like me, you’ve managed to use Odin to flash it to “factory binary” firmware (kinda like diagnostic/debug mode), but you forgot to store a backup of the actual firmware first (the one that a normal human can use).

As a reminder, the standard startup-button-combos are as follows:

  1. Recovery mode (standard): hold Home, Volume Up, and Power.
  2. Odin mode (aka firmware download/re-flash): hold Home, Volume Down, and Power.

We’ll talk about #2 first. This has a nice warning screen about how tech-y it is, so you can “abort mission” by pressing Volume Down if you made a mistake coming here. Otherwise, you hit Volume Up, and continue into “Odin mode”. From there, you use the Odin program on your PC to flash the firmware. Obviously, you need to have the tablet connected to the PC with a standard USB cable.

Recovery mode, #1, also looks kinda techy, with the black background and orange & blue text in a sort of old-school Matrix-y way, but it’s really not complicated. You have options like ‘Wipe data/factory reset’, ‘Wipe cache partition’, and ‘Reboot system now’. You navigate up and down with the Volume Up & Down buttons, and make a selection with the Power button.

What do you mean, Theoretically?

Again, I was not successful in actually removing the FRP lock (which was the goal and outcome of the previous post on this topic, albeit with the older tablet). But in theory, if you needed to go that route, this is a decent place to start from. Because if you make a mistake or “brick” the tablet, restoring the stock firmware should get you back to square 1, where you can try ‘hacking’ at it again.

Lesson 1

Always always always. ALWAYS. ALWAYS. Correctly sign out of and wipe your devices when you’re done with them (giving them away, throwing them out, selling them, etc). It never gets any easier trying to recover that stuff or work-around it to “break into” a device that you’ve turned into an expensive paperweight by forgetting your owner-login info.

This means, while your tablet is still on and accessible to you (i.e. you can unlock it, use it, get into Settings, etc.) — use the Settings menu to do the wipe/reset!! It varies slightly between devices, but it’s generally under Security somewhere. Just Google “<your device name> factory reset”.

Lesson 2

Get your account recovery options up-to-date and keep them that way. Same for your loved ones and relatives. Spouse, parents, etc. By setting up and maintaining proper account recovery options (alternate emails, phone numbers, 2-factor authentication), you can be reasonably secure and still able to work on someone else’s behalf in terms of device ownership and recovery.

If you’re not sure what I mean, drop me a line on Facebook, Twitter, or right here in the comments.

That’s all for now folks! Stay safe out there.

It’s a Hack! (Android tablet edition)

Recently I inherited an older Android tablet from a friend. It’s a Sprint AQT100, to be precise. It runs Android 5.1, aka “Lollipop”. For those of you unfamiliar with Android OS version history, that’s 5 major versions behind current, version 10 (in which they stopped publicly proclaiming them with cute dessert names and just stuck with the major #).

[Image: Sprint Slate 10 tablet] It’s an older tablet, sir, but it checks out.

However, like most old tech, it could still be useful given a little TLC and appropriately leveled expectations. Being that this thing is a bit light in the hardware department (1GB memory, 1.1GHz CPU), it’s not going to be playing the latest games or watching 4K Youtube. But for basic web browsing, ebook reading, note-taking, and email-checking, it should suffice.

The first things I did were a) fully charge it, and b) remove the old SIM card, via a little pop-off panel on the rear top left. Under this same panel is a micro-SD slot, in case I ever want more than the native 16GB* of storage.

*Actually works out to just under 10GB of usable storage, due to the space taken by the Android OS itself. This is universally true on all mobile devices.

The next and most important thing I did, as I do with all inherited/obtained/gifted devices, was factory-reset. On this device, and similar tablets from the past several years, if you don’t know the PIN or password, you can boot into “recovery mode” with a combination of button-holds while powering on.

Aside: I linked to a helpful article that walks you through recovery-mode-boot and factory-reset. It’s quite simple: Fully power off the device. Then, hold the power and volume-up buttons to power it back on and into “recovery mode”. To navigate the old-school-console-style menu (which definitely looks like something a hacker would use), use the volume up & down buttons to scroll up and down, and use the power button as the ‘Enter’ or ‘OK’ button.

Now, the problem was, this device was not fully wiped nor disconnected from the original owner’s Google account. Much like modern iDevices have the “iCloud activation lock”, it seems that Google devices have a similar lock, what they’ve called ‘FRP’ – Factory Reset Protection. The idea here is, if the device is lost or stolen, we want to make it more difficult for the finders-keepers or thieves to wipe it clean and call it their own. So even after using the hardware-button-driven approach to reboot to recovery mode and perform a factory reset, the device still requires the Google credentials of “a previously registered account”.

In this case, the previous owner was not reachable by any means. So I started the requisite Googling. I came across a lot of Youtube videos that involved various tricks like “disconnecting your internet right after it transitions from this screen to the next” (during the setup process), or using a computer with the Android SDK and an ‘OTG’ cable, or downloading mysterious APKs (those are Android app installer packages) from random strangers’ Google drives; and I just thought, wow, there’s gotta be a better way. And of course, there was.

Before I dive way down deep into the rabbit-hole, the brief summary overview goes something like this:

  • Open the camera from the lock screen, take a picture, and Share it to an app like Maps where you can go view a boring legal disclosures doc.
  • Use the built-in “Web Search” functionality that pops up when you select text in a document, to open the device’s native web browser to get to the Settings menus.
  • Use Protected Apps to launch Chrome to download and install two APKs.
  • Use the APKs to fire up a new Google Login screen that bypasses the FRP one.

So it’s really not that complicated, from a broad perspective, but as they say, “the Devil’s in the details”. Which is why I’m writing this!

Ready? Hold your nose and take a deep breath…

Enter this helpful post on the XDA Developers forum. Now, it’s not quite the whole picture, but the thing he calls out importantly is the fact that you need to go to “Protected Apps” to be able to launch Chrome once you’ve gotten past the Settings part and enabled ‘install from unknown sources’. You should definitely read the post, but I’ll bring you my excruciatingly detailed commentary here.

  1. After factory-reset (via the buttons method earlier), walk through the setup process until you get past the “connect to a WiFi network” stage. Yes, you DO need to connect to WiFi so you can download stuff.
  2. Lock the screen. On most devices, this simply means tapping the power/sleep/wake button. On some devices, you’ll want to wait about 10 seconds before attempting to turn it back on (with the same button) for the next step, because there’s often a setting to “leave it unlocked for X seconds” for your convenience.
  3. Turn the screen back on (using that same button of course), and you should see the lock screen.
  4. This screen should have a camera icon near the lower-right. On my Slate tablet, I had to swipe it from right to left to open the camera. So, open the camera.
  5. Now that the camera is open, take a photo of anything (or nothing). Tap the photo’s thumbnail in the lower right corner after it’s taken.
  6. Hit the ‘Share’ button (it looks like a sideways-V with dots). Tap the ‘Maps’ app to share the photo via Maps (lord knows why you’d ever do this in real life…)
    • Similar steps (7-11) may work in the context of another sharing app, but as most tutorials recommended Maps, I stuck with it, and had success.
  7. You’ll be asked for an account, but at this point you can ‘Cancel’ the sharing action and the Maps app should remain open.
  8. In the upper-left corner there should be a “hamburger” menu icon (three horizontal lines); tap that and tap Settings.
  9. Go to Terms & Privacy, then to Terms (possibly called Terms & Conditions).
  10. Hold your finger over a word in the boring legalese until it’s selected/highlighted.
    • Who’d a thunk that silly stuff would actually come in handy someday? =P
  11. You should get a pop-up at the top of the screen with options like ‘Copy’, ‘Share’, and ‘Web Search’. Tap on the latter, ‘Web Search’.
    • The point of all that was to get the device’s default web browser to open up. Because, unlike in, say, Chrome, your device’s native browser should allow you to navigate to its device Settings screen.
  12. So now, in the web browser, tap inside the address bar, delete whatever’s in there, and just type in ‘settings’. You should get at least one option that pops up below it, as a ‘suggestion’ — the ‘Settings’ screen. You will probably also see ‘Google Settings’, but you don’t need that right now.
  13. If you’ve been using Android devices, the Settings screen should be pretty familiar to you. Go to ‘Security’ (which is under the ‘Personal’ grouping), and enable ‘Unknown sources’ under ‘Device administration’.
    • This allows installation of apps from unknown sources, which is what we’re about to do. But DON’T PANIC! These are legitimate, community-vetted, well-known and respected sources. They won’t steal your cookies and mine all your private information. 😉
  14. Now hit the ‘back’ button in the upper left to return to the main Settings screen. (NOT the back button at the bottom navigation-bar of your device — that would be sad, because you’d probably have to repeat some of these steps.)
  15. Go to ‘Apps’ (under the ‘Device’ grouping). It will show you, by default, your ‘Downloaded’ apps. Don’t care. Go to the top right and tap the 3-vertical-dots icon (it’s a context menu).
  16. Tap ‘Protected apps’. You will have to set a protection PIN or pattern — do so.
  17. Here, you’re presented with a screen that lists your main apps, one of which should be Chrome. Tap it once to check the box (that it will now be a ‘protected app’).
  18. Now, the line for Chrome should have a new icon on the far-right, which looks like a box with a diagonal arrow pointing up & right. THAT’s what we want, because that will launch the Chrome browser (as opposed to the native one), which will allow us to one-click-install our APKs (Android apps).
    • This is where a lot of the other online tutorials failed, because they assumed that you could just launch Chrome from the MAIN apps screens (like the ‘downloaded’ or ‘installed’ lists).
  19. And now we switch tutorials, to this lovely guy, at Step 14 to be precise.
    • More specifically, when you search the web for “Google Account Manager” and “QuickShortcutMaker”, you will want to make sure you download them from a good source. My personal preference is APKMirror.
    • When you search for Google Account Manager, make sure you also include the Android OS version you’re running. Mine was, as mentioned, 5.1. If you aren’t sure how to find this info, go back to the Settings screen and find the ‘About tablet’ (or ‘About phone’) section.
    • QuickShortcutMaker 2.4.0, which I will now abbreviate as ‘QSM’, should work regardless of OS version, but it probably hasn’t been tested on the absolute newest (9 and 10) because it’s not actively maintained by the developer. That’s ok, we won’t use it for very long, and we’ll get rid of it as soon as we’re unlocked.
  20. First, download the Google Account Manager APK. Chrome will prompt you on what to do with the file. Obviously, ‘Open’ it. This will get it installed. You don’t need to open the app itself, so just cancel/back to the Chrome browser screen you were on before.
  21. Then download the QuickShortcutMaker APK and do the same thing – ‘Open’ it and let it install. But this time, after it’s done, Open the App itself too, if prompted! If not, that’s ok. You can back out to the Settings screens from before (Steps 15-18) and go to the Protected Apps screen to enable QSM and then launch it using that arrow-in-a-square icon.
  22. Here’s the real fun. On QSM’s ‘Activities’ screen, instead of typing in what they tell you, just type in “Type Email and Password”.
    • Pay attention to the fine-print below it — you do NOT want the one that says ‘Edu’, because that’s a slightly different flavor of setup than your standard personal device.
    • The one you want says, in full, com.google.android.gsf.login/com.google.android.gsf.login.LoginActivity
  23. QSM will take you to the next screen where it wants you to ‘Create this shortcut’ with certain properties. Don’t worry about all that; just hit the ‘Preview this action’ button to actually launch the action.
  24. Finally, FINALLY, you should have a screen that prompts you to enter your own Google Account credentials.
  25. Once that’s done, restart the device. It should resume setup from where it left off before, bypassing the “Enter a previously registered account” nonsense.

Phew! That was a lot of steps. But it’s really not as hard as it all sounds. I promise. And it’s less tricky than trying to shut off your whole internet at the exact moment a screen passes by (which I tried to no avail), or buying a cable and downloading a bunch of junk to your PC.

Good luck! Hope this helps someone out there.

Speaking of legal nonsense, it should go without saying that this is NOT ethically responsible unless you are the legitimate owner of the device in question. But you’re a smart reader, and you knew that already, didn’t ya?

N.