Tag Archives: FRP

Samsung FRP Bypass – Pie, Oreo, Nougat

Samsung FRP Bypass
Harry Potter appreciated the Note 9’s free wand, but still couldn’t get past the FRP lock.

Presenting my own research into a successful Samsung FRP Bypass – Pie, Oreo, Nougat. This is a straight-forward, universal method to enabling successful Samsung Google Lock Bypass.

What we’re doing here isn’t the bypass itself – there’s been several well-documented & very popular bypasses published, which then have their pathways shut down by Google or Samsung.

This article introduces a vital preparation stage for the actual bypass – re-enabling the much-loved methods that have been neutralised by Android / Samsung security updates. Why re-invent the wheel when you can simply change the tyre?

Following this method of creating & installing custom firmware, allows us to then utilise established FRP bypass procedures before returning the devices to stock firmware once unlocked.

Samsung’s doubled up on the Android security updates by locking the bootloader of their phones, stopping us from simply downgrading to an earlier firmware that still had the FRP vulnerability, unlocking then re-updating. Really, that method was a bit too easy & a bit too obvious – of course Samsung would eventually secure that pathway.

Currently when you update your Android version, say version 6 (Marshmallow) to version 7 (Nougat) your bootloader will have a one-way lock imposed & bootloader version will increase.  You’re now stranded on an upward path, the phone will reject all lower-numbered bootloaders, effectively locking you into your newly-installed Android version or later – no downgrading to earlier versions, specifically to close the window on FRP vulnerabilities.

Identify the bootloader version of the Samsung firmware file by the ninth character as highlighted below: (click to zoom)
Samsung FRP Bypass

And there it is, Samsung’s master plan to render obsolete any & all previously exploited vulnerabilities. You simply cannot drop your bootloader to a lower version than current. (Not that I’m aware of anyway)

Uhmm, yes, that’s all well & good, Samsung Electronics, and it will create a stumbling block for those who simply follow rather than innovate. But I actually listened to what you said, thought it through & used that to solve the puzzle. You told us that you’d locked the bootloader – which is true, you have. You also made no mention of any other version checks – no ongoing assurances that the bootloader matches modem version, for example. You see, the bootloader is only one part of the firmware file – the rest of the files are where the exploitable vulnerabilities lie. Tee hee.

For this article, I’ve used a Samsung Galaxy A7 (2017), model SM-A720F as reference. I could have chosen an A3, J330, A8 or S7 – this method works across the Galaxy range.

Grab yourself a current firmware – you need this for the bootloader file. My provider of choice is Updato.com, the website is fast, easy to navigate, has a comprehensive library of Samsung firmwares & offers great download speeds too. The crippled download speeds of incumbent delivery site Samfirmware.com are the fast-fading memory.

Next, download the earliest version of the target OS you want (I suggest Android 6, RealTerm works on this version). Now you’ve got 2 files like this –  A720FXXU1APLK.tar.md5 – the earliest MM I could find and A720FXXU3CRD3.tar.md5 – because this Galaxy A7 is stuck on Oreo.  Ok, let’s get hacking.

Change the file names – simply delete the .md5 suffix, accept the Windows warning & confirm the deletion. Now we’ve got A720FXXU1APLK.tar and A720FXXU3CRD3.tar.  Anyone with ‘nix experience will recognise the .tar suffix as a standard archive format, although not often seen on Windows systems. It’s time to look inside!

If you haven’t got 7Zip, the excellent freeware archive manager, I suggest you grab it right about now. I suggest you make a project boss folder, place both firmwares in there by themselves – just makes it easier to keep track of progress & identify any errors.

Right click on the firmware tarball, use 7zip to extract the contents of your 2 Samsung firmwares to individual new folders. Next, open up your Marshmallow folder & delete the BL file. Then, in the folder holding your current firmware files, do the opposite action & delete all except the BL file – which you drag into the Marshmallow folder, so now you’ve got Marshmallow firmware with your current bootloader. Samsung did not expect you to do this.

Staying in that folder, hit Ctrl + A to select all the files & right click to add them to a 7zip archive – selecting .tar as the file type. You’re now creating a new hybrid Samsung firmware – the file name doesn’t matter, so long as it’s .tar suffix. Frankenstein.tar will work.

Okay, put your FRP-locked handset into Download mode & connect to your PC with whichever USB cable is required, micro or Type-C. Download the latest Odin & run that.

You can confidently select your new Frankenstein firmware & instruct Odin to upload to the device – because you have the correct bootloader version on board, the rest will obediently install. Thank you Samsung, thank you Odin.

Once installation is complete, the phone will reboot – as a Marshmallow device, complete with identified vulnerabilities that you can exploit in your favourite way – again, I suggest using RealTerm to gain escalated privileges, then hitting Samsung’s App store for ES File Explorer & and using the ubiquitous frpbypass.apk  which you can get from RootJunky’s download site.

This method works with both styles of Samsung firmware, the low-end devices accept Frankenstein’s firmware as easily as the more expensive ones do. Just use your common sense when working your solution out, so long as you retain the correct bootloader, you’re good to go.

If there’s something awry, don’t worry, all that happens is the phone rejects the Odin upload – no damage done. The Galaxy bootloader serves as the gatekeeper – it’s the first file uploaded to the device. If that passes muster, the rest is assumed to be correct – it does not actually check on the other files – allowing us to inject earlier firmware containing the vulnerabilities we need for successful Samsung FRP unlocking, then pr0fit!

Comments are welcome, hit me up below.

Samsung FRP Bypass
Having followed the instructions, Harry Potter was delighted to have cracked the Samsung FRP lock.