Knoxium

Homemade lockpick for unlocking carrier-locked Samsungs
Published on Mon September 5, 2022.

Initial Thoughts

There are a lot of operator-locked phones going for very little on the Polish online marketplace, Allegro. One warm night, I decided to check how the lock actually works. I couldn't believe that a relatively small Polish operator could modify the phone's software or hardware in any way. The only plausible explanation was that Knox itself runs a service (or services) that locks the Samsung after receiving an automated signal from the operator. I bought the first phone for around 80 euros and started digging.

Looking for an out-of-the-box solution, I found an interesting Polish YouTube channel with materials like this and this. Unfortunately, the videos exist mostly to promote the author's business; he does not explain or share his methods. So I had to figure it out by myself.

Getting Into Debugging Mode, FRP Exploit

The first problem I encountered was that, to modify anything on the target, I needed USB debugging, and I could not enable it the normal way. Reading up on this, it turned out that a security feature called Factory Reset Protection (FRP) was in the way: after a factory reset, the phone demands the Google account that was previously signed in before setup can be completed, so there is no way to reach Settings and turn on USB debugging. Luckily, there's a great exploit available at samfw dot com.

Experimenting With Processes, Testing, Checking What’s Happening

After bypassing FRP, USB debugging can be enabled and the actual work is done from an ADB shell. This was the most time-consuming part, because I had to change settings and stop processes without root. As it turns out, the package manager available from the ADB shell can disable packages for the current user without root, and that was enough to find the final combination, which removes the lock while keeping the phone functioning normally.
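As an added illustration of the non-root approach described above (this is example code, not the script from the knoxium repository), the snippet below takes the output of `adb shell pm list packages -f`, picks the packages whose name or APK path matches a pattern, and emits the `pm disable-user --user 0` and `am force-stop` commands that disable them for the primary user, plus a helper that checks `pm list packages -d` output to confirm a package really ended up disabled. The package list is a constructed sample and the package names in it are placeholders, not the real Knox Guard components; nothing is sent to a device, the script only prints the commands.

```shell
# Added example, not the knoxium script. Package names below are placeholders.

# Constructed sample of `adb shell pm list packages -f` output. The real
# format is "package:<apk path>=<package name>"; a real device prints far more.
SAMPLE_PM_LIST='package:/system/priv-app/Camera/Camera.apk=com.example.camera
package:/system/priv-app/KGClient/KGClient.apk=com.example.kgclient
package:/system/priv-app/KnoxGuardClient/KnoxGuardClient.apk=com.example.knoxguard
package:/system/app/Clock/Clock.apk=com.example.clock'

# Print the package names whose APK path or name contains $1 (case-insensitive
# fixed string), reading `pm list packages [-f]` output from stdin.
select_packages() {
    grep -i -F -- "$1" | sed 's/^package://; s/^.*=//'
}

# Emit the ADB commands that disable each given package for user 0 (no root
# needed; reversible with `pm enable`, survives reboot, not a factory reset)
# and stop any running process of that package. Dry-run by design: this only
# prints the commands, it does not run them.
disable_cmds() {
    for pkg in "$@"; do
        printf 'adb shell pm disable-user --user 0 %s\n' "$pkg"
        printf 'adb shell am force-stop %s\n' "$pkg"
    done
}

# Read `adb shell pm list packages -d` output (disabled packages) from stdin
# and return 0 if $1 is listed as disabled, 1 otherwise. Use this to verify the
# disable actually took effect before rebooting and testing the phone.
is_disabled() {
    grep -q -x -F -- "package:$1"
}

# Usage: build the command list for every package matching "kg" in the sample.
main() {
    pkgs=$(printf '%s\n' "$SAMPLE_PM_LIST" | select_packages kg)
    # word-splitting on $pkgs is intended: one package name per word
    # shellcheck disable=SC2086
    disable_cmds $pkgs
}
main
```

On a real device you would pipe `adb shell pm list packages -f` into `select_packages`, review the list by hand before running anything, and then feed `adb shell pm list packages -d` into `is_disabled` to confirm each package is disabled for user 0. Pattern matching on "kg" or "knox" is deliberately broad; disabling the wrong system package can leave the phone unusable, which is exactly why the author's combination had to be found by trial and error.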

Final Exploit

After some time, I finally found the combination that worked as expected. The initial thoughts were very helpful, for example, linking ‘KGClient’ with ‘KnoxGuardClient’.

For technical details and the script itself, see my knoxium repository.

Want to discuss? Send an email to gratian+inbox@mail.sekulski.org .