Database Info

[TUT][ICS] bypass Credential Storage phone lock / install certificates

Hello folks,
idk if anyone of you guys had a hard time with the same annoying 'feature' on ics roms which forces you to set a PIN/password/pattern lock when you try to install enterprise certificates into your credential storage.
As for myself I need some of these certs to log into the WLAN at my university (which is 802.1x protected). But I don't feel the need of locking my phone.
So I exploited this to go around setting a password for the secure lock screen.
-------------------------------------------------------------------------------
Prerequisites are a rooted phone, a root file browser or adb tools and apparently your certificates.
I tested this on AOKP build 38 and 39 on a rooted HTC Sensation XE and will check this on two other devices the upcoming week.
UPDATE: seems to work even easier, I made the changes inline since the previous workaround did not work in every case.
Step 1:
Download the certificates to your SD card and/or install directly via browser/email etc. Do as you are asked and set up a PIN/password/pattern lock. Remember it
Step 2:
now with your root file browser go to /data/misc/ and recursively copy the folders keychain and keystore to a save place.
These are the folders containing the certificate files.
(See [System settings > security > Trusted credentials] for installed certificates)
With adb tools you can for example do this:
Code:
adb shell
su
cp -R /data/misc/keychain /sdcard/certificates/
cp -R /data/misc/keystore /sdcard/certificates/
Step 3:
Go to [System settings > security] and click [Clear credentials] at the bottom of the menu. Now your previously installed certs are wiped and you are free to set the lock method to [none], [slide] or [face lock] again.
Step 4:
Finally fire up your root file browser again, set /system as read/write and copy the in Step 2 backed up directories back to /data/misc/. They are now installed as the before but since CertInstaller.apk does not get involved, noone forces you to lock your phone.
in adb shell:
Code:
cp -R /sdcard/certificates/* /data/misc/
Now you should be able to find your newly added certificates in the System list under [System Settings > Security > Trusted credentials] in the [User] tab and thus be able to log into your desired WLAN.
I hope this helps some people out there. When I get deeper into developing maybe I will find a 'cleaner' method for this.
have a good night,
.eXa

Thank you for sharing! I have been really looking for this kind of hack.
Sadly I can't use it as my certificate has a different structure: it seems to install 3 files in /data/misc/keystore/
The files are 1000_USRCERT_Polimi ; 1000_USRCERT_Polimi and .masterkey
I tried copying these files to the new directory and even changing the file extension but it did not work.
I don't know if this issue is rom or certificate related.. anyway I am using a stock rom on samsung galaxy s3.. perhaps samsung manages differently certificates..
Have you any clue on this? Thank you!

hey, thanks for the reply.
alright, I figured something new, maybe try the updated version of the tutorial and pls tell me if that works for you.
greetings

.eXa said:
hey, thanks for the reply.
alright, I figured something new, maybe try the updated version of the tutorial and pls tell me if that works for you.
greetings
Click to expand...
Click to collapse
You were fast! and I think you made it: I can now select the certificate in the wifi options dialog (so it's correctly installed).. but I can't test the access to the network until monday.. Anyway I am convinced that it made the trick and it was really simple, I must say.
Thank you so much , this will be useful to many people!

Your trick helped me only partially. It allowed me to install the certificates just fine. But as soon as I try to connect to any 802.1x protected Wi-Fi network, the phone bugs me again with setting the screen lock. So I need a workaround for accessing the key storage.

I tried it and sadly it does not work: it asks me a password to activate the credential storage.. only problem is that I never set a password for it so I can't insert it and use the certificate. Too bad but I think it depends on the certificate.. anyway thank you very much for the help provided!

so, back from vacation.
@grgur: in your setup it is the 802.1x wlan that forces you by corporate policy to lock your phone. i am still trying to figure this out, i will try and search the system where stored wlan access points are stored. update will come as i find a solution to this.
@grievous: which version of android are you on? try clearing your credential storage first, then set up the password and then add the certificates. after that proceed with my tutorial.
since i am in the middle of learning for my exams i have really no time to go on with my android studies... it seems like in the long haul someone has to "fix" the app that handles phone lock and device policies. i know who the bad boy is but i am lacking time right now, so hopefully i get this done by the end of august.
i'll keep you up to date with my progress.
greetings

Is there a one-click fix for this yet? Bloody annoying...

Working great on stock rooted JellyBean nexus 7. Muchos grazis!

As soon as i go back to university (politecnico di milano) i will use your suggestion! Has anyone already tried with polimi wifi network?

.eXa said:
@grievous: which version of android are you on? try clearing your credential storage first, then set up the password and then add the certificates. after that proceed with my tutorial.
Click to expand...
Click to collapse
pippodream said:
As soon as i go back to university (politecnico di milano) i will use your suggestion! Has anyone already tried with polimi wifi network?
Click to expand...
Click to collapse
I was using a samsung stock rom 4.0.4 and the tutorial worked but when trying to connect again it asked me for a credential pwd (that I never set). Now I'm on CM10 so there should be no problem. As soon as I get to Polimi I'll try

doesn't work for me (SGS2 AOKP JB)
Hi!
I've tried to apply this solution to my device (SGS2 AOKP JB), but after clearing the credentials and copying back the keystores/keychains the user credentials cannot be found (Trusted credentials > User is empty).
Could anyone please help me with this one?
Thank you in advance.

zsszabolcs said:
Hi!
I've tried to apply this solution to my device (SGS2 AOKP JB), but after clearing the credentials and copying back the keystores/keychains the user credentials cannot be found (Trusted credentials > User is empty).
Could anyone please help me with this one?
Thank you in advance.
Click to expand...
Click to collapse
I have the same problem. And unfortunately I didn't find solution for that.
Wysłane z Android 4.1.2 za pomocą Tapatalk 2

In fact i was really searching for this i will try this tomorrow !

Sadly exchange with client certificate refuses to work after trying this hack It says that it can't found the cert it needs..

I have found the permanent solution !!!
I hope this will solve everyone's problem here.
These are the steps I have done after installing Eduroam certificates from my university:
1. Obviously I have installed CA
2. I had to choose which lock screen style will I use (I only could have choose between pattern, PIN, and password), it doesn't matter which lock screen style you choose between those three.(FYI I have chosen pattern)
3. After that I have failed to swipe my lock pattern correctly 15 times
4. The "Unlock with your Google account / unlock with your PIN/password" screen appeared.
5. Choose the "Unlock with your Google account" and type in your username and password
6. After that the "Choose your lock style" screen appears. DO NOT CHOOSE ANY OF THEM, since swipe still can't be chosen
7. Just press back to exit this menu.
8. Lock your screen and unlock it ---> You have swipe unlock enabled along with the CA certificates !!!

bubr3g said:
I have found the permanent solution !!!
I hope this will solve everyone's problem here.
These are the steps I have done after installing Eduroam certificates from my university:
1. Obviously I have installed CA
2. I had to choose which lock screen style will I use (I only could have choose between pattern, PIN, and password), it doesn't matter which lock screen style you choose between those three.(FYI I have chosen pattern)
3. After that I have failed to swipe my lock pattern correctly 15 times
4. The "Unlock with your Google account / unlock with your PIN/password" screen appeared.
5. Choose the "Unlock with your Google account" and type in your username and password
6. After that the "Choose your lock style" screen appears. DO NOT CHOOSE ANY OF THEM, since swipe still can't be chosen
7. Just press back to exit this menu.
8. Lock your screen and unlock it ---> You have swipe unlock enabled along with the CA certificates !!!
Click to expand...
Click to collapse
It won't work for me. After 10 failures it says that I have to wait 30 seconds for another try. I have Samsung Galaxy SII with Omega v21 (based on Samsung-stock Android 4.2.1).

TrojanPL said:
I have the same problem. And unfortunately I didn't find solution for that.
Wysłane z Android 4.1.2 za pomocą Tapatalk 2
Click to expand...
Click to collapse
Same thing here. Although files are backup up, there is no certificate showing up on the list. It would be great if someone found a solution, this lock is driving me nuts.

Hi, this seems almost too easy, and it's more of a workaround than a solution, but it works:
Try to login to your network
Accept the request to set up the mandatory screen lock and set one up (any kind)
Connect to your network
Go into Android settings/Security and change the screen lock type to None
Your network credentials are now saved and there is no longer a screen lock.

astarothcy said:
Hi, this seems almost too easy, and it's more of a workaround than a solution, but it works:
Try to login to your network
Accept the request to set up the mandatory screen lock and set one up (any kind)
Connect to your network
Go into Android settings/Security and change the screen lock type to None
Your network credentials are now saved and there is no longer a screen lock.
Click to expand...
Click to collapse
The last time I tried this with my CyanogenMod install, removing a pattern/password/pin was not possible because of the certificates. Only after removing the certificates, the screen-lock-type could be changed to a non-pattern/pin/password type.

[Q] Root ZTE Valet Z665c

Does anyone have any information on how to root this phone?
It is a tracfone running Android 4.1 with 1ghz qualcomm cpu.
Thanks.

I'm also looking for someone who might have some pointers on how to root this phone or install KitKat apps from Nexus 5 dump!!!
I know it is a low end phone but there are lots of people in the Tracfone world who are now able to get Android phones and are NEW to the smartphone universe.
Thanks.

I'm thinking of buying this phone. As a low end Android, how does it hold up? And if you want to root it, try Bin4ry's root method here. Just be careful.

Tried Bin4ry on ZTE Valet but it failed to root
I've had the phone a couple of days so far and while I'm by no means a qualified reviewer of smartphones, I do like the ZTE Valet. I'm too cheap to pay the $70-100 USD/month for a post-paid service that I don't need.
After searching the forums and seeing that no one reported trying to root the phone, I took a brave pill and tried the Bin4ry method (v31). I got the same message that many users reported - after rebooting, it fails to mount and copy the necessary files. Both the new standard method and the old method failed. It did no apparent harm to the phone - just didn't work. Here's some details on the phone I have:
Android version 4.1.1
Kernel 3.4.0-perf [email protected]
Thanks for any ideas or advice.

I just picked one up at Kmart for $80 today and am checking things out, trying to see about rooting it. My Hisense Sero 7 Pro tab is rooted and running great with a DoPa custom ROM.

I also purchased one of these and am happy so far. I have a question on the magnetic and rotation sensor. They seem to show up as installed as ak8962 devices but apps like 'my android sensors' don't show any data being returned. are they just not actually installed?
thanks
sam
gberpa said:
I just picked one up at Kmart for $80 today and am checking things out, trying to see about rooting it. My Hisense Sero 7 Pro tab is rooted and running great with a DoPa custom ROM.
Click to expand...
Click to collapse

samcoinc said:
I also purchased one of these and am happy so far. I have a question on the magnetic and rotation sensor. They seem to show up as installed as ak8962 devices but apps like 'my android sensors' don't show any data being returned. are they just not actually installed?
thanks
sam
Click to expand...
Click to collapse
The rotation of the device changes the screen from portrait to landscape and 'maps', 'Gas Buddy' seems to show the right direction for magnetic north. I haven't had much time to check yet. AAMF, I haven't activated or transferred my number to the 'phone' yet as am deciding if is a 'keeper'. So far, I think it is as I can use WiFi and 'turn off' mobile data by option. Now checking things like battery life in standby.. Haven't found an option to shut WiFi when screen is off like in my JB 4.2.1 and HC 3.1 devices. Only seem to be able to turn WiFi on or off or see an option for airplane mode.

I agree - the screen rotates (how - I don't know ) I would assume gas buddy is using GPS to find north.
sam
gberpa said:
The rotation of the device changes the screen from portrait to landscape and 'maps', 'Gas Buddy' seems to show the right direction for magnetic north. I haven't had much time to check yet. AAMF, I haven't activated or transferred my number to the 'phone' yet as am deciding if is a 'keeper'. So far, I think it is as I can use WiFi and 'turn off' mobile data by option. Now checking things like battery life in standby.. Haven't found an option to shut WiFi when screen is off like in my JB 4.2.1 and HC 3.1 devices. Only seem to be able to turn WiFi on or off or see an option for airplane mode.
Click to expand...
Click to collapse

Any update on this?

It isn't looking good so far..
http://androidforums.com/zte-valet/799676-ill-help-find-root-method-if.html
They have tried a bunch of stuff so far.
sam
Unkn0wn0ne said:
Any update on this?
Click to expand...
Click to collapse

samcoinc said:
It isn't looking good so far..
They have tried a bunch of stuff so far.
sam
Click to expand...
Click to collapse
I'm going to get my hands on the phone soon. I'll proceed to attempt to get a recovery or something compiled for it if I can. First, I'd have to dump the rom and kernel which might require root access, but we will see. Once we have a recovery we can port CyanogenMod over to it.
Also I think I know why it's crashing, but I can't be sure until I can test it out myself.

Unkn0wn0ne said:
I'm going to get my hands on the phone soon. I'll proceed to attempt to get a recovery or something compiled for it if I can. First, I'd have to dump the rom and kernel which might require root access, but we will see. Once we have a recovery we can port CyanogenMod over to it.
Also I think I know why it's crashing, but I can't be sure until I can test it out myself.
Click to expand...
Click to collapse
Wish you luck..just got my replacement unit from TracFone after the first one's screen froze.

oooops. Sorry posted in wrong thread.

ZTE Valet Z665c - obtaining temporary root
After trying numerous root methods (Bin4ry, Framaroot, ...), I stumbled on a method of getting temporary root using Cydia Impactor. Cydia Impactor appears to be partially successful. First of all, please note that all credit goes to those involved with Cydia Impactor and the discovery of the original exploits (do a search if you want).
This method might seem a little convoluted, but it works reliably for me. Note that I use a Linux machine so you might have to adapt the steps to work on another platform.
Prerequisites:
1. Menu -> System settings -> Developer options -> USB debugging ->Enabled.
2. Menu -> System settings -> Developer options -> Stay awake ->Enabled (to keep the telnet session from going to sleep).
3. telnet (I am running on Ubuntu, but some sort of telnet program is needed).
4. Cydia Impactor
5. phone is connected to your wifi.
Steps:
1. Run the "Cydia Impactor" to "# drop SuperSU to /system/xbin/su". See what happens.
2. It failed for me giving an error related to not being able to remount /system or not being able to create /system/xbin/su.
3. In Cydia Impactor, run "# start telnetd as system on port 2222". You don't need to bother to telnet in. Just let it finish and then proceed to the next step.
4. In Cydia Impactor, run "# start telnetd as root on port 22". Let it finish.
5. Telnet into your phone from a terminal on your computer: "telnet 192.168.1.117 -l root 22". Note that the ip address is likely different on your network, e.g., 192.168.1.xxx.
6. If everything worked OK, you should be presented with a root prompt ("~ #"). I have busybox (obtained from the Bin4ry exploit download) that I adb pushed to /data/local/tmp. The command "/data/local/tmp/busybox whoami" tells me I am indeed root.
OK - now the bad news for me. I proceed to try to install su but remount fails. If I issue the command:
~ # mount -o rw,remount /system
~ #
A root prompt is returned with no error message suggesting that it successfully remounted /system. Woohoo! But a "mount" command (or cat /proc/mounts) says it is still "ro" or read only. Darn. Does it appear that ZTE has crippled the mount command in some way? Now the question is how to permanently install root? I have poked around and at least was able to make a backup to my sdcard using bzip2
This should at least help as a first step. Others including myself have posted elsewhere on this phone. At this point, I'm not willing to risk flashing anything. I'm a noob so I'm hoping someone who is more familiar with the permissions and that sort of thing can complete the root and post a solution.
Thanks.

Awesome!
These findings are great, I'd be willing to check this out soon. (Linux box is down do to hardware issue. ).
If we can obtain root the remounting issue can definitely be fixed. Also, does busybox have the premissions to run?
Try this:
Code:
mount | grep system
That will give you somewhere within the text the partition that is registered as /system . Then:
Code:
mount -o rw,remount [PARTITION-THAT-COMMAND-RETURNED-HERE-MINUS-BRACKETS] /system
See if that works. But anyways, if it doesn't it can still be rooted! (just temporarily, but it is no longer an 'unrootable' device)
Note: I am not responsible for what happens using those commands.

a little more info in response to your questions
Dear Unkn0wn0ne,
I had messed around with it and also tried something like you suggested, e.g.:
mount -o rw,remount,relatime,data=ordered -t ext4 /dev/block/mmcblk0p19 /system
Also tried it with the "-n" option to avoid a write to mtab although I don't remember seeing mtab while purusing the file system.
Hadn't noticed that busybox was available under /system/bin:
~ # ls -al /system/bin/busybox
-rwxr-xr-x 1 root shell 1075144 Jul 19 11:20 /system/bin/busybox
~ #
Could be that it has a more limited command set than the one I put in /data/local/tmp. A lot of the commands under /system/bin have a symbolic link to toolbox.
Note that the telnet connection needs to be made over wifi and not the one available over usb. I got the ip address from my router's client list.
Oh yes - thanks for the reminder. Forgot to include the disclaimer about harming the phone or voiding the warranty.
Hope it works out well for you. Glad to hear your encouraging remarks.

Awesome!
Alright so that didn't work. This guy over here has a suggestion (he has scene your thread): - I can't publish links so I'll pm the link to you.
Also if busybox is symbolically linked you'd have to tell it specifically to call to the busybox pushed over via adb to: /data/local/tmp/busybox and not the stock.
In this case: /data/loocal/tmp/busybox/mount
Also the disclaimer is a must. There will always be that person that tries to blame it on someone else.
Note: I am not responsible for whatever happens using the information provided in this post.

karmmisht said:
After trying numerous root methods (Bin4ry, Framaroot, ...), I stumbled on a method of getting temporary root using Cydia Impactor. Cydia Impactor appears to be partially successful. First of all, please note that all credit goes to those involved with Cydia Impactor and the discovery of the original exploits (do a search if you want).
This method might seem a little convoluted, but it works reliably for me. Note that I use a Linux machine so you might have to adapt the steps to work on another platform.
This should at least help as a first step. Others including myself have posted elsewhere on this phone. At this point, I'm not willing to risk flashing anything. I'm a noob so I'm hoping someone who is more familiar with the permissions and that sort of thing can complete the root and post a solution.
Thanks.
Click to expand...
Click to collapse
I attempted this myself on my Windows 8 machine. I had to enable telnet, but that was easy. I had to reararange the command to "telnet root 192.168.x.xxx:22" (xxx is my IP). It keeps giving me the error "Connect failed."
Any thoughts out there?

try putty
Ph0enix_216,
I tried to connect from a Windows 7 machine and it works using putty for telnet (www.putty.org, a great program). Be sure to set the Connection->Data->Auto-login name to root.

well the guy in the other thread bricked his it sounds like...
http://androidforums.com/zte-valet/799676-ill-help-find-root-method-if-3.html
They tried to modify the mmcblk0p16 boot image and re-copy it back. It seemed to re-copy but then didn't boot with a verify error.. (I am paraphrasing - and don't really understand what they where doing )
sam
Ph0enix_216 said:
I attempted this myself on my Windows 8 machine. I had to enable telnet, but that was easy. I had to reararange the command to "telnet root 192.168.x.xxx:22" (xxx is my IP). It keeps giving me the error "Connect failed."
Any thoughts out there?
Click to expand...
Click to collapse

[HOW-TO] [GUIDE] Encrypt device with custom rom, knox 1, twrp installed, rooted

This Guide will work on S7 and S7 Edge Variants, probably also on other Samsung Phones. It doesn't matter if you have xposed and/or supersu installed
I did lately try to encrypt my device after installing my rom. So I tried to search on xda but I couldn't find anything useful until now.
After quit some time I finally managed it to get a working encryption, even with custom rom installed (which contains root and xposed). I will present the following steps here to help you folks to get an encrypted device.
Root will work as always after encryption :highfive:
Attention, TWRP can't read /data partition after this guide, that's because twrp doesn't support samsungs encryption at all
Pre requests:
- A working pc with adb installed
- Enough battery (at least 80%)
- Charger in your near field
- Working internet connection
Steps:
1. Go to SuperSU application on your device
2. Head over to the settings Tab
3. Scroll down and hit Full unroot
4. Click continue, when it asks you to install stock boot.img say NO, also NO on restoring stock recovery
5. SuperSU app should disappear
6. Make one full reboot
7. Head over to settings, lock screen and security, set a password
8. Plug in your charger and start encryption
9. Wait until your phone has fully encrypted (this can take quit some time)
10. After your device has successfully encrypted, we want to gain root access again
11. Boot into TWRP recovery
12. You now need a pc with working adb connection
13. Click adb sideload on twrp
14. Download latest super su to your PC, you can get that from here: Beta Thread
15. Open a terminal on your PC
16. Put the supersu.zip in the same direction as your terminal is opened (example: user/home)
17. Type into terminal: adb sideload *supersu_name*.zip
18. Reboot your phone and you have a working, encrypted phone with root installed!
If this guide helped you, please share it and hit thanks as well! :good:

@Tkkg1994
I don't think it could protect your data.
Here is a simple way to steal data from a encrypted phone with unlocked FRP.
Just add this script to ramdisk of kernel.
Code:
#!/system/bin/sh
rm -rf /data/system/lock*
rm -rf /data/system/gatekeep*
And this script will automaticlly remove any screen locks after the data partition is already unlocked by the system after boot.
You may ask:
Could I prevent unauthorized kernel from booting? (by re-enable FRP lock)
No, you can't because systemless install of SuperSU already modify the kernel and you can't boot modified kernel with FRP on.
Could I restore to stock kernel after finish this and then enable FRP?
You will lose your root.
And this way cannot prevent theft from reset your phone and then use it.
So, in a word, any tries to keep your phone safely after root are stupid.
It could only stop those low-IQ theft but it could not stop someone who really concern your data.

Jesse Chan said:
@Tkkg1994
I don't think it could protect your data.
Here is a simple way to steal data from a encrypted phone with unlocked FRP.
Just add this script to ramdisk of kernel.
Code:
#!/system/bin/sh
rm -rf /data/system/lock*
rm -rf /data/system/gatekeep*
And this script will automaticlly remove any screen locks after the data partition is already unlocked by the system after boot.
You may ask:
Could I prevent unauthorized kernel from booting? (by re-enable FRP lock)
No, you can't because systemless install of SuperSU already modify the kernel and you can't boot modified kernel with FRP on.
Could I restore to stock kernel after finish this and then enable FRP?
You will lose your root.
And this way cannot prevent theft from reset your phone and then use it.
So, in a word, any tries to keep your phone safely after root are stupid.
It could only stop those low-IQ theft but it could not stop someone who really concern your data.
Click to expand...
Click to collapse
Some guys need encrypted phones for their work (as some exchange server or email clients only work on encrypted devices)
I know that it is pretty much useless (since we have root access and can pretty much do anything with it)
So basically it brings you some more security but mainly gives those guys who need an encrypted phone for work a chance to have root and encryption together
Sent with my SM-G930F powered by SuperMan

Maybe my remark is stupid but with lollipop the user had to enter the decryption key just before loading the system... So even if the system was rooted, without the key it was impossible to recover the data...
You are saying me that now, in marshmallow Android is storing the key directly in the device ? And if one day there is a small flaw in the kernel all the data could be decrypt...
Thanks for you answer, i'am not an expert in security but i'am really interested in.

Hi,
I installed SuperMan rom without root/xposed and I can't get it to encrypt. It just restart the phone.
is there something else I need to do?

jesec said:
@Tkkg1994
I don't think it could protect your data.
Here is a simple way to steal data from a encrypted phone with unlocked FRP.
Just add this script to ramdisk of kernel.
Code:
#!/system/bin/sh
rm -rf /data/system/lock*
rm -rf /data/system/gatekeep*
And this script will automaticlly remove any screen locks after the data partition is already unlocked by the system after boot.
You may ask:
Could I prevent unauthorized kernel from booting? (by re-enable FRP lock)
No, you can't because systemless install of SuperSU already modify the kernel and you can't boot modified kernel with FRP on.
Could I restore to stock kernel after finish this and then enable FRP?
You will lose your root.
And this way cannot prevent theft from reset your phone and then use it.
So, in a word, any tries to keep your phone safely after root are stupid.
It could only stop those low-IQ theft but it could not stop someone who really concern your data.
Click to expand...
Click to collapse
Even with a locked FRP=1 I have been able to defeat it and gain access to the phone to USE, but never the data. Your script will only remove the locks once the data partition has beenunlocked, you still have not successfully recovered the data.
remixtech said:
Maybe my remark is stupid but with lollipop the user had to enter the decryption key just before loading the system... So even if the system was rooted, without the key it was impossible to recover the data...
You are saying me that now, in marshmallow Android is storing the key directly in the device ? And if one day there is a small flaw in the kernel all the data could be decrypt...
Thanks for you answer, i'am not an expert in security but i'am really interested in.
Click to expand...
Click to collapse
The key is ofc stored on the device, but it is in an encrypted state. ofc if there is a flaw in the kernel, unreported, this can be exploited to remove encryption somehow. Also you could remove the system rom chips and virtual simulate them and try to unlock thousands/millions of times defeating any format on bad password, etc. IF someone wants to access your data, they will. Just like the FBI iphones were opened. Its only a matter of money and time, no encryption is safe forever.

cridtohs said:
Even with a locked FRP=1 I have been able to defeat it and gain access to the phone to USE, but never the data. Your script will only remove the locks once the data partition has beenunlocked, you still have not successfully recovered the data.
The key is ofc stored on the device, but it is in an encrypted state. ofc if there is a flaw in the kernel, unreported, this can be exploited to remove encryption somehow. Also you could remove the system rom chips and virtual simulate them and try to unlock thousands/millions of times defeating any format on bad password, etc. IF someone wants to access your data, they will. Just like the FBI iphones were opened. Its only a matter of money and time, no encryption is safe forever.
Click to expand...
Click to collapse
Admittedly, yes.
It could only remove screen lock AFTER data partition is unlocked.
But in most situations, it could recover data because most people didn't set password as startup password.(What means data partition is already unlocked automatically before UI appear)

jesec said:
Admittedly, yes.
It could only remove screen lock AFTER data partition is unlocked.
But in most situations, it could recover data because most people didn't set password as startup password.(What means data partition is already unlocked automatically before UI appear)
Click to expand...
Click to collapse
how do we make sure that we set a "start up" password then? Is it the same if you use a long pin instead of a password?

|mickey said:
how do we make sure that we set a "start up" password then? Is it the same if you use a long pin instead of a password?
Click to expand...
Click to collapse
in security Lock screen and security there is an option for set pin on startup.
Also as an update to this method, if you had Xposed and magisk root, or if you had supersu and suhide, they need to all be reinstalled. This is the same method as flashing a stock bootloader then re-rooting afterwards. With new TWRP though you do not need to sideload because it has password to decrypt /data and allow flashing of the ramdisk, so you dont HAVE to sideload the supersu, but I suggest following TKK's tutorial exactly for sucess

cridtohs said:
in security Lock screen and security there is an option for set pin on startup.
Also as an update to this method, if you had Xposed and magisk root, or if you had supersu and suhide, they need to all be reinstalled. This is the same method as flashing a stock bootloader then re-rooting afterwards. With new TWRP though you do not need to sideload because it has password to decrypt /data and allow flashing of the ramdisk, so you dont HAVE to sideload the supersu, but I suggest following TKK's tutorial exactly for sucess
Click to expand...
Click to collapse
When you press encrypt you have to set such a password anyway so I don't see your point... You have to set a password, that is requested whenever you start your device... Is that not the same thing your describing?

Can't get encryption to work. The process starts and after a few seconds my phone just reboots.
Tested on several ROMs and Kernels, same result.
Anybody got an idea? I'm clueless...

unique730 said:
Can't get encryption to work. The process starts and after a few seconds my phone just reboots.
Tested on several ROMs and Kernels, same result.
Anybody got an idea? I'm clueless...
Click to expand...
Click to collapse
Same problem here - one more scream for HELP

unique730 said:
Can't get encryption to work. The process starts and after a few seconds my phone just reboots.
Tested on several ROMs and Kernels, same result.
Anybody got an idea? I'm clueless...
Click to expand...
Click to collapse
darkman088 said:
Same problem here - one more scream for HELP
Click to expand...
Click to collapse
When I tested this I had similar issues due to root. You made both a full unroot and followed all steps?
Sent from my SuperMan powered SM-G930F

Tkkg1994 said:
When I tested this I had similar issues due to root. You made both a full unroot and followed all steps?
Sent from my SuperMan powered SM-G930F
Click to expand...
Click to collapse
Hello and thanks for replying.
No, I didn't do a full unroot, because when I was testing this, I hadn't come across this thread And now I am not willing to invest that much time again, just to find out, that it's not working, once again
But I've tried many other strategies, which are very similar, but didn't work:
1) Disable SuperSU from the Application manager
2) Disable SuperSU from the settings of the app
3) Install busybox, boot in safe mode, connect the phone to my laptop, launche adb and enter there pkill -KILL daemonsu - this must be equivalent, as ps | grep daemonsu was not showing anything...
4) Tilting my phone in landscape mode
5) Repeating the attempt to encrypt several times after eachother
6) Many many more useless tips, which I found on the internet
Please kindly advise. Many thanks!
P. S.: HOW COME only the ROM of artas182x has encryption working PERFECTLY and I couldn't manage to encrypt my phone with no other ROM ? For example, I tried Slim ROM, which (if I'm not wrong) is not rooted and again - encryption didn't work, it hung somewhere along the process This is really terrible. Please excuse my total frustration

darkman088 said:
Hello and thanks for replying.
No, I didn't do a full unroot, because when I was testing this, I hadn't come across this thread And now I am not willing to invest that much time again, just to find out, that it's not working, once again
But I've tried many other strategies, which are very similar, but didn't work:
1) Disable SuperSU from the Application manager
2) Disable SuperSU from the settings of the app
3) Install busybox, boot in safe mode, connect the phone to my laptop, launche adb and enter there pkill -KILL daemonsu - this must be equivalent, as ps | grep daemonsu was not showing anything...
4) Tilting my phone in landscape mode
5) Repeating the attempt to encrypt several times after eachother
6) Many many more useless tips, which I found on the internet
Please kindly advise. Many thanks!
P. S.: HOW COME only the ROM of artas182x has encryption working PERFECTLY and I couldn't manage to encrypt my phone with no other ROM ? For example, I tried Slim ROM, which (if I'm not wrong) is not rooted and again - encryption didn't work, it hung somewhere along the process This is really terrible. Please excuse my total frustration
Click to expand...
Click to collapse
Ehm what is artas182x rom? or slim rom? we don't have that on our s7 as far as I know.
This guide may needs some adaptions to work on other devices

Tkkg1994 said:
Ehm what is artas182x rom? or slim rom? we don't have that on our s7 as far as I know.
This guide may needs some adaptions to work on other devices
Click to expand...
Click to collapse
It's a Marshmallow port from Galaxy S5 made by artas182x. I didn't like Slim ROM - it doesn't even have a file maanger
installed with it and when I tried encryption with it, it didn't work
Thank you!

We need someone xposed module to emulate knox 0x0 so that we can use knox again.

Tried with King Nougat V5 custom tom
After encryption finish and boot it keep showing "system ui has closed" error
I cannot type my password
Now doing full wipe

jimmod said:
Tried with King Nougat V5 custom tom
After encryption finish and boot it keep showing "system ui has closed" error
I cannot type my password
Now doing full wipe
Click to expand...
Click to collapse
I assume you have a modded systemUI. Try it with a stock one
Sent from my SuperMan powered SM-G930F

data encryption and root and TWRP toegether - is that working in android nougat ?
I really, really want encyption on my rooted S7 (930FD) incl. TWRP - but before I try this method here I have two questions:
- you are using the "terminal" - means you are using Linux? Or can I do this with windows powershell as well?
- encryption and root incl. TWRP works with Marshmallow MM only or will this work in Nougat as well?

Caterpillar S60 FRP Unlock / Bypass / Removal?

Hello All, Before you ask no the phone is not stolen. I'm a idiot but not a thief. So I wanted this phone for a while and I saw it at a pawn shop while in Oregon on vacation. So I purchased it sorta cheap with the original box cables books the works in mint condition. The phone did not come with the prior users information so I did a Hard Reset from the Boot menu and now it ask for the prior persons info which I obviously don't have. Called Bullitt who informed me that they can't fix it that it is an android issue and to contact google. Which I can't seem to find information for. So tried a few of the unlock methods for other phones on youtube to no avail. Can't return the phone so unless I somehow fix it I'm out $350 bucks. =/ Any help would be appreciated.
Phone Details:
Android Version 6.0.1
08/05/2016 Security Patch
Baseband 025.01
Kernel Version: 3.10.84-perf-gb111a7d
Build Number: LTE_D0201121.0_S60_0.025.01
Solution in post #7

Re: FRP bypass
Sorry to hear. Not too long ago in the past, you could hit google and bypass FRP in minutes on the first attempt. Now, FRP bypass how-to's have become a great ad pusher, and 95% of the info has been patched.
Save yourself multiple headaches, and put your research into learning how to flash a new rom. That info will be much more reliable, you'll get a much better Android version, and frp will be gone.

Hic_Svnt_Dracones said:
Sorry to hear. Not too long ago in the past, you could hit google and bypass FRP in minutes on the first attempt. Now, FRP bypass how-to's have become a great ad pusher, and 95% of the info has been patched.
Save yourself multiple headaches, and put your research into learning how to flash a new rom. That info will be much more reliable, you'll get a much better Android version, and frp will be gone.
Click to expand...
Click to collapse
Thanks for the reply, I actually did try to see if I could just unlock the boot loader and flash a new Nougat Rom to it since it's almost a vanilla version of Android OS but couldn't really find anything along the lines of posts that might break down how to go about unlocking the boot loader. =/

There was a guy here who showed how to overwrite GAM as a user app using DirtyCow. I can confirm it is possible to get a root shell with DirtyCow and replace files in memory on the S60. His FRP bypass looked like it would work for you. Look on youtube, it's about a 15 minute long video.
The version of DirtyCow that worked on my S60, partially, was found here in D1kiy's "Universal Debloater" package. I don't have a Windows machine so I just used those files manually through ADB to replace run-as. There's nothing made specifically for this phone, so you'll have to use your brain and cobble these methods together. Basically, where he goes into the shell and uses the cat command, I would try to create that file and use the "dirtycow64 <file> <location>". You could TRY to install D1kiy's run-as and use "run-as exec cat <file> >> <location>", but I don't know if that will work or not. It didn't work to disable packages on my phone, and it's more steps.
What I'm trying to do is replace my hosts file with a larger one, which of course can't be done directly with DirtyCow. If you get any farther towards real root than removing FRP, please let me know. Good luck!

aff3p said:
There was a guy here who showed how to overwrite GAM as a user app using DirtyCow. I can confirm it is possible to get a root shell with DirtyCow and replace files in memory on the S60. His FRP bypass looked like it would work for you. Look on youtube, it's about a 15 minute long video.
The version of DirtyCow that worked on my S60, partially, was found here in D1kiy's "Universal Debloater" package. I don't have a Windows machine so I just used those files manually through ADB to replace run-as. There's nothing made specifically for this phone, so you'll have to use your brain and cobble these methods together. Basically, where he goes into the shell and uses the cat command, I would try to create that file and use the "dirtycow64 <file> <location>". You could TRY to install D1kiy's run-as and use "run-as exec cat <file> >> <location>", but I don't know if that will work or not. It didn't work to disable packages on my phone, and it's more steps.
What I'm trying to do is replace my hosts file with a larger one, which of course can't be done directly with DirtyCow. If you get any farther towards real root than removing FRP, please let me know. Good luck!
Click to expand...
Click to collapse
Hey Thanks for that info. been trying to get this method to work for the past 4 hours to no avail, but I do see progress. I think I just need to find all the correct files to overwrite. I'll do a write up as soon as I figure out the FRP Removal process.

aff3p said:
There was a guy here who showed how to overwrite GAM as a user app using DirtyCow. I can confirm it is possible to get a root shell with DirtyCow and replace files in memory on the S60. His FRP bypass looked like it would work for you. Look on youtube, it's about a 15 minute long video.
The version of DirtyCow that worked on my S60, partially, was found here in D1kiy's "Universal Debloater" package. I don't have a Windows machine so I just used those files manually through ADB to replace run-as. There's nothing made specifically for this phone, so you'll have to use your brain and cobble these methods together. Basically, where he goes into the shell and uses the cat command, I would try to create that file and use the "dirtycow64 <file> <location>". You could TRY to install D1kiy's run-as and use "run-as exec cat <file> >> <location>", but I don't know if that will work or not. It didn't work to disable packages on my phone, and it's more steps.
What I'm trying to do is replace my hosts file with a larger one, which of course can't be done directly with DirtyCow. If you get any farther towards real root than removing FRP, please let me know. Good luck!
Click to expand...
Click to collapse
Finally after about 30 hours of playing with this Phone I managed to bypass the FRP I will do a write up so others have an easier time.

Solved: Caterpillar S60 FRP Unlock / Bypass / Removal
Must Have:
1. Security update no later then November 2016
2. OTA Cable
3. Download of files https://we.tl/oNjiyfTk57 (None are mine, Credit goes to their developers)
Getting to Settings:
Log into wifi, once at prompt for prior users account info go back to Network setting go down and click on other network setting type anything highlight select all and click the 3 dot menu and select “Assist”
You will be taken to google. Just click no thanks and type settings and select settings.
1. Go to apps and click Android Pay, force stop and disable.
2. Scroll down to Drive and click, force stop and disable.
3. Go to Security and enable unknown sources
4. Go to Storage to access your OTA Cable USB drive you added programs to and hold and select all of them and copy to downloads.
5. Go back to google and type downloads and install all apps except gam6 and dirty cow and click done leaving apex launcher for last which you will open.
6. go to apps in Apex launcher and select Termux
Termux Commands:
1. apt update
2. apt install coreutils debianutils
3. Go back to downloads and hold and select gam6.apk and share to Termux
3. Go back to downloads and hold and select dirtycow.apk and share to Termux
4. Type ls (you should see both files installed)
5. type chmod 777 * (Both files should not be green)
6. back out and go to terminal
Terminal commands
1. cd ~
2. cat /sdcard/Download/dirtycow > dcow
3. cat /sdcard/Download/gam6.apk > gam6.apk
4. touch file
5. echo FFFFFFFF >> file
6. chmod 777 *
7. ./dcow gam6.apk /system/priv-app/GoogleLoginService/GoogleLoginService.apk
8. ./dcow file /system/priv-app/GoogleLoginService/oat/arm64/GoogleLoginService.odex
Back to Termix
1. ./dirtycow /system/priv-app/GoogleLoginService/GoogleLoginService.apk gam6.apk
Go to Setting:
1. Go to Downloads and install gam6.apk
2. Go to Apps and force quit and disable Google Account Manager and reinstall from factory.
3. Go to Downloads again and re-install gam6.apk
4. Go to Apps and force quit and uninstall Google Account Manager
5. Go to Apex and run “Test DPC” set up work account.
6. It should take you to accounts tab after completed. Allow it to sync to your google account
7. Click on the personal account that is not set up above the work account and set it up with your google account information and allow it to sync.
8. Go back to downloads and install gam6.apk again.
9. Go to About this phone and tap Build No. until developer options are opened.
10. Go to developers options and check the OEM Unlocking
11. Power off and restart and you should be in with your account it will prompt you to choose launcher start with google launcher and go to setting.
12. Go to “Back up and reset” and do a Factory Data Reset
13. after Factory Reset you should have FRP Removed.
I posted a wetransfer link for the files should be good for a month if you need them or if the link is taken down PM me. Most of the ideas for this FRP Bypass came from Ghostlyhaks.com I just complied what worked and what didn’t to get FRP Removed. Thanks to @aff3p for giving me a push in the right direction. Also thanks to XDAdevelopers whom I have constantly learned a few tricks from.
Once it is FRP unlocked it will download updates so if you don't want them make sure to block them upon factory reset.

Caterpillar S60 FRP Unlock / Bypass / Removal
hi everybody here is mine experiment Security update March 1,2017
Getting to Settings:
Log into wifi, once at prompt for prior users account info go back to Network setting go down and click on other network setting type anything highlight select all and click the 3 dot menu and select “Assist”
You will be taken to google download es file explorer install it open in settings left side open network and remote manager turn on. in pc ftp client copy files in to the phone
Android_6_G.A.M.apk and testdpc.apk, nova launcher.apk before dowloaded. install testdpc and nova launcher.
1. Go to Downloads and install gam6.apk
2. Go to Apps and force quit and disable Google Account Manager and reinstall from factory.
3. Go to Downloads again and re-install gam6.apk
4. Go to Apps and force quit and uninstall Google Account Manager
5. Go to Apex and run “Test DPC” set up work account.
6. It should take you to accounts tab after completed. Allow it to sync to your google account
7. Click on the personal account that is not set up above the work account and set it up with your google account information and allow it to sync.
8. Go back to downloads and install gam6.apk again.
9. Go to About this phone and tap Build No. until developer options are opened.
10. Go to developers options and check the OEM Unlocking
11. Power off and restart and you should be in with your account it will prompt you to choose launcher start with google launcher and go to setting.
12. Go to “Back up and reset” and do a Factory Data Reset
13. after Factory Reset you should have FRP Removed.
sorry for little copy paste im not good writer

Awesome work @cesarq glad to know it works with the March update too!

YZFNYC said:
Awesome work @cesarq glad to know it works with the March update too!
Click to expand...
Click to collapse
Yes thats why i write people know that working i march update not for how its do you

guys, has anyone figured out yet if this phone is rootable and if there's any way to install Nougat on it? I got 7 days more to return it if not happy with it and camera is just really bad

it work but different way. Thanks you

My friends i found a way to bypass that and is actualy very simple
So i found solution to frp on cat s60 contact me at [email protected] and i tell you how

help with FRP removal
Hello Sirs,
I have just bought a CAT S60 from my carrier as a used handset, and I've ran into this FRP problem too. I could take it back, since I have a 2 weeks guarantee for this, and they would pay me back its price, but since it was a good price, I'd rather keep it.
I've tried the solution above, I've managed to get to the google app, and searched for ES file manager, but when I click on the app, the phone tries to open google play which directs me back to the point where I should enter the previous user's data.
As far as I can tell, my ROM version is after 01. June, 2017. Or at least, I've entered android recovery, and the latest recovery log sais: ro.bootimage.build.date= Thu Jun 1 12:12:51 CST 2017.
Do you have any suggestions?
Thanks in advance
P

Solved
@Calinalex, Thank You very much for the help, worked like a charm.
:highfive:

cat s 60 frp remove SOLUTION FOUND
Much more easy and done in 5 min use instructions in video : So go to youtube and there is cat s60 frp remove , good luck AND PLS IF IT WORKS DONT FORGET TO LIKE THE VIDEO

march 1 2018
hey it work on march too

How do I fix "Pixel is Starting" message that's stuck on screen?

Posted this on Google Pixel forum earlier but haven't had much action there, perhaps it's a better question for this community as would like to figure things out sooner than later as I'm currently without a phone.
Hope all reading are healthy and safe...
Pixel 3 on verizon still on Pie (9) with PQ3A.190801.002 build, which I believe is from August 2019. Have not modified phone at all.
One morning the other day turned phone on and stuck with a "Pixel is starting" message. I can access settings and receive calls, when connected to BT in car can make calls too. Cannot receive messages though receive "You have new messages" notifications, got an alert about a VM that I was able to access.
I realize I can likely do a Factory Reset to fix THOUGH I do not want to go down that path without giving it a go trying to at the very least pull some data off the phone (texts, photos, videos). Yes, everything *should* be backed up...
I tried connecting to computer to see if could recognize as drive and transfer files onto computer (Pixel and MTP USB drivers would not install- tried on two laptops running Win7). I know I should probably be updating to Android 10 and am fine doing so, but would like to recover files first.
I mention some potential solutions below I found by some fellow XDA members when searched this topic before posting and am curious if there is anything I should attempt to do before/instead of possibly going with one of the 2 below.
Thanks SO much in advance,
Matt
Possible easier solution:
From _Ra1n_ on xda forums
"I couldn't fix the "Pixel is starting..." issue. Factory Flashing (after removing -w) QQ1A.191205.008 resulted resulted in being stuck at the "G" screen. I flashed the QQ1A.200105.002 factory image (again with -w removed) and was left in the same "Pixel is starting..." state.
Here is where things get interesting:
Over adb I launched the Settings app:
Code:
adb shell am start -a android.settings.SETTINGS
Next, I went into "Security," which prompted for my PIN, and then removed the screen lock. After doing this, I was able to get into /sdcard in the ADB shell, something that was not possible before.
Back in the settings app, I enabled USB File Transfer and copied all my files & photos off. I was also able to launch apps from within the apps list in Settings. This let me export settings/data from other apps that allowed it.
So it seems that entering your PIN in the Settings app also unlocks the phone!
Possible more complicated solution:
From sic0048 on XDA forums
"Is you bootloader unlocked? If so, you can flash the factory image and remove the "-w" command as suggested above, but if your bootloader is not unlocked this will not be an option. If you are on a locked bootloader, you can sideload an OTA image (which really is a full factory image). This will not wipe your phone or do a factory reset. It will however replace your OS with a clean version. Hopefully that fixes the issue. If not, then you will have to do a factory reset in order to "clean out" the problem."

Can you get into Settings? If so, you should be in pretty good shape. It seems like in the "Pixel is starting..." state, USB File Transfer (ie: MTP mode) only works AFTER the phone is unlocked (fingerprint or PIN). The problem is since the lock screen doesn't load, you can't actually unlock. You have to remove your PIN and/or fingerprint (I set "screen lock" to "None") and USB File Transfer should then work.
You should also be able to launch apps from the app list in Settings.
Link to my thread for reference (just in case someone arrives here from a search): https://forum.xda-developers.com/pixel-3-xl/help/stuck-pixel-starting-boot-t4038847

Yes, I can get into settings and just disabled the lock screen. I don't notice any difference but if you are saying that's what it takes to enable MTP then great. Seems like for MTP to even work requires some futzing in Windows, a known MTP issue I guess? I will have to play around on how to enable MTP and then hopefully device manager will recognize on computer now that lock screen disabled. When connecting to computer I'm alternating between use USB for file transfer both with and withOUT USB debugging on, even using USB for charging only, each time it tries to install drivers for Pixel 3, MTP, occasionally ADB. It's never installed Pixel 3, ADB installed once and MTP actually installed once (after disabling lockscreen) but asked for a restart and then didn't install the next time...
As far as launching apps from the settings, I *can* get into the app list but Android 9 does not give an option to open them (unless I need to do something else that's not currently set-up). I know you said this:
"There should be a "Open" shortcut just below the app icon to the left of "Uninstall" (or "Disable" if it is a built-in app)." But I don't see one. If I can get into my backup app, I can hopefully back up my latest SMS which I'm not sure would be possible by just copying things onto computer, such as photos/videos.
Once I get MTP enabled, should I just be able to access my files by opening my phone as a device or will I need to get into ADB to access?
Thank you for your continued help
Matt
_Ra1n_ said:
Can you get into Settings? If so, you should be in pretty good shape. It seems like in the "Pixel is starting..." state, USB File Transfer (ie: MTP mode) only works AFTER the phone is unlocked (fingerprint or PIN). The problem is since the lock screen doesn't load, you can't actually unlock. You have to remove your PIN and/or fingerprint (I set "screen lock" to "None") and USB File Transfer should then work.
You should also be able to launch apps from the app list in Settings.
Link to my thread for reference (just in case someone arrives here from a search): https://forum.xda-developers.com/pixel-3-xl/help/stuck-pixel-starting-boot-t4038847
Click to expand...
Click to collapse

Matt Spo said:
Seems like for MTP to even work requires some futzing in Windows, a known MTP issue I guess?
Click to expand...
Click to collapse
Honestly, it should "just work." I'm not sure why you're having issues. Did USB File Transfer work before you ran into this problem?
Matt Spo said:
As far as launching apps from the settings, I *can* get into the app list but Android 9 does not give an option to open them (unless I need to do something else that's not currently set-up).
Click to expand...
Click to collapse
Ah, I forgot Android 9 didn't have this! If you're familiar with ADB, you can launch apps by activity. You may be able to launch the Pixel Launcher with: "adb shell am start com.google.android.apps.nexuslauncher/.NexusLauncherActivity"
Matt Spo said:
Once I get MTP enabled, should I just be able to access my files by opening my phone as a device or will I need to get into ADB to access?
Click to expand...
Click to collapse
With USB File Transfer enabled you should be able to just access it like you normally would with it plugged into a computer. I was able to, at least.
Matt Spo said:
Thank you for your continued help
Click to expand...
Click to collapse
Of course!

_Ra1n_ said:
Honestly, it should "just work." I'm not sure why you're having issues. Did USB File Transfer work before you ran into this problem?
Click to expand...
Click to collapse
Never attempted USB file transfer before now!
_Ra1n_ said:
Ah, I forgot Android 9 didn't have this! If you're familiar with ADB, you can launch apps by activity. You may be able to launch the Pixel Launcher with: "adb shell am start com.google.android.apps.nexuslauncher/.NexusLauncherActivity"
Click to expand...
Click to collapse
Sounds good, essentially launching the Pixel Launcher will allow me to see all of my apps on the device and open whatever necessary?
_Ra1n_ said:
With USB File Transfer enabled you should be able to just access it like you normally would with it plugged into a computer. I was able to, at least.
Click to expand...
Click to collapse
Sounds great, just need to get USB File Transfer working on computer (trying on 3 diff ones).
_Ra1n_ said:
Of course!
Click to expand...
Click to collapse

Sorry I'm likely not replying to this in sequence. That adb shell Pixel Launcher did not work, gave a type 3 error, does not exist.
MTP is not installing allowing me to access the phone as a device. Perhaps that's because I'm stuck with "Pixel is Starting" on my screen? I can launch ADB though, just trying to figure out to command to launch Google Photos so I can perform cloud backup from there onto my account. Also, would like to perform backup of SMS/MMS. The app I use "SMS Backup & Restore" gave me a shell command to try to launch a backup but did not work. I'm also trying a program called "backuptrans" which I was able to install on phone via ADB but am still trying to figure out a command that will launch the app so I can possibly use for backup of sms/mms/photos.
I am without root if that matters for anything. I have not given up hope of saving these photos/videos, sms/mms but it's getting frustrating trying various commands each night in ADB to launch apps to no avail.
Thanks,
Matt
_Ra1n_ said:
Honestly, it should "just work." I'm not sure why you're having issues. Did USB File Transfer work before you ran into this problem?
Ah, I forgot Android 9 didn't have this! If you're familiar with ADB, you can launch apps by activity. You may be able to launch the Pixel Launcher with: "adb shell am start com.google.android.apps.nexuslauncher/.NexusLauncherActivity"
With USB File Transfer enabled you should be able to just access it like you normally would with it plugged into a computer. I was able to, at least.
Of course!
Click to expand...
Click to collapse
Matt Spo said:
Never attempted USB file transfer before now!
Sounds good, essentially launching the Pixel Launcher will allow me to see all of my apps on the device and open whatever necessary?
Sounds great, just need to get USB File Transfer working on computer (trying on 3 diff ones).
Click to expand...
Click to collapse

Let's take a few steps back. Does the following adb command list the contents of your internal storage?
Code:
adb shell ls /sdard
If so, everything is certainly still there. You can lookup how to use the "adb pull" command to pull files/folders manually. If not, please post any errors that are returned.
The following command should copy the DCIM folder from internal storage onto your computer (where the camera app stores pictures & videos):
Code:
adb pull /sdcard/DCIM
That will copy the DCIM folder into the directory your currently in. You mentioned you were using Windows 7, the command prompt (C:\some\path>) indicates your current directory.
The following commands should open Google Photos and SMS Backup & Restore, respectively:
Code:
adb shell am start -n com.google.android.apps.photos/.home.HomeActivity
Code:
adb shell am start -n com.riteshsahu.SMSBackupRestore/.activities.IntroActivity

Thanks for your continued help, posted responses below. Also, after a lot of searching someone recommended the app "Backuptrans Data Sync," which apparently can backup all I'm looking to (SMS/MMS/Photos/Videos) and I have since installed the .apk to my phone (provided by developer) via ADB and am trying to figure out the exact ADB command to trigger that to open on my phone so I can attempt a connection to their software on PC via WiFi since I cannot get USB working. Supposed it's activity name is "com.backuptrans.datasync.DataSync"
_Ra1n_ said:
Let's take a few steps back. Does the following adb command list the contents of your internal storage?
Code:
adb shell ls /sdard
That gives me error message "closed"
If so, everything is certainly still there. You can lookup how to use the "adb pull" command to pull files/folders manually. If not, please post any errors that are returned.
The following command should copy the DCIM folder from internal storage onto your computer (where the camera app stores pictures & videos):
Code:
adb pull /sdcard/DCIM
That will copy the DCIM folder into the directory your currently in. You mentioned you were using Windows 7, the command prompt (C:\some\path>) indicates your current directory.
The following commands should open Google Photos and SMS Backup & Restore, respectively:
Code:
adb shell am start -n com.google.android.apps.photos/.home.HomeActivity
Gives type 3 error, activity class does not exist
Code:
adb shell am start -n com.riteshsahu.SMSBackupRestore/.activities.IntroActivity
Click to expand...
Click to collapse
Gives type 3 error, activity class does not exist

Matt Spo said:
Thanks for your continued help, posted responses below.
Click to expand...
Click to collapse
Of course! I just wish we were making progress!
The "error: closed" message suggests you may not be using an up-to-date version of the Android Platform Tools (https://developer.android.com/studio/releases/platform-tools). Does the following command produce the same error?:
Code:
adb shell ls /storage
Are you absolutely sure you removed your PIN/passcode and disabled the lock screen? If you go into Settings > Storage, does the phone display the usage breakdown between (images & video, music & audio, ect) as you'd expect it?
The following ADB command will list every "package" currently on the phone:
Code:
adb shell pm list packages
Without getting into too much detail, every app resides in it's own "package." Locate the package for the app you want to launch and attempt to launch the app with the following command:
Code:
adb shell monkey -p app.package.name -c android.intent.category.LAUNCHER 1
Replacing app.package.name with the package you want to launch. For example, the following command should launch Google Photos:
Code:
adb shell monkey -p com.google.android.apps.photos -c android.intent.category.LAUNCHER 1

_Ra1n_ said:
Let's take a few steps back. Does the following adb command list the contents of your internal storage?
Code:
adb shell ls /sdard
If so, everything is certainly still there. You can lookup how to use the "adb pull" command to pull files/folders manually. If not, please post any errors that are returned.
The following command should copy the DCIM folder from internal storage onto your computer (where the camera app stores pictures & videos):
Code:
adb pull /sdcard/DCIM
That will copy the DCIM folder into the directory your currently in. You mentioned you were using Windows 7, the command prompt (C:\some\path>) indicates your current directory.
The following commands should open Google Photos and SMS Backup & Restore, respectively:
Code:
adb shell am start -n com.google.android.apps.photos/.home.HomeActivity
Code:
adb shell am start -n com.riteshsahu.SMSBackupRestore/.activities.IntroActivity
Click to expand...
Click to collapse
_Ra1n_ said:
Of course! I just wish we were making progress!
The "error: closed" message suggests you may not be using an up-to-date version of the Android Platform Tools (https://developer.android.com/studio/releases/platform-tools). Does the following command produce the same error?:
Code:
adb shell ls /storage
I believe I am using the most current version of Android Platform Tools as I just downloaded it within the last week. As far as the command above receiving same "closed" error, no, I get "emulated self"
Are you absolutely sure you removed your PIN/passcode and disabled the lock screen? If you go into Settings > Storage, does the phone display the usage breakdown between (images & video, music & audio, ect) as you'd expect it?
Definitely disabled the lock-screen and fingerprint. Yes, going into Settings>Storage displays the usage breakdown as I would expect it. Fwiw- in "Security & Location" phone is encrypted.
The following ADB command will list every "package" currently on the phone:
Code:
adb shell pm list packages
Without getting into too much detail, every app resides in it's own "package." Locate the package for the app you want to launch and attempt to launch the app with the following command:
Code:
adb shell monkey -p app.package.name -c android.intent.category.LAUNCHER 1
Replacing app.package.name with the package you want to launch. For example, the following command should launch Google Photos:
Code:
adb shell monkey -p com.google.android.apps.photos -c android.intent.category.LAUNCHER 1
Click to expand...
Click to collapse
Yes, that command does display every package name. Trying to launch Google Photos via monkey command above led to "No Activities Found to Run, Monkey Aborted." Same message when trying to launch SMS Backup & Restore.
I don't believe I previously mentioned it, but device is NOT rooted. Imagine you probably figured that, lol.

Matt Spo said:
I believe I am using the most current version of Android Platform Tools as I just downloaded it within the last week. As far as the command above receiving same "closed" error, no, I get "emulated self"
Click to expand...
Click to collapse
I assume the following command returns the same "closed" error as before, then?:
Code:
adb shell ls /storage/emulated
Matt Spo said:
Definitely disabled the lock-screen and fingerprint. Yes, going into Settings>Storage displays the usage breakdown as I would expect it. Fwiw- in "Security & Location" phone is encrypted.
Click to expand...
Click to collapse
This is expected. All modern phones are encrypted whether or not a PIN is set. The PIN, fingerprint, ect. simply protects the key. This enables the user to set a PIN quickly and allows the PIN to be changed without re-encrypting everything with a new key.
Matt Spo said:
I don't believe I previously mentioned it, but device is NOT rooted. Imagine you probably figured that, lol.
Click to expand...
Click to collapse
In theory, that shouldn't matter. Nothing we've tried so far requires root and I recovered without root when this occurred on my phone.
Clearly your phone is reacting differently than mine did when I ran into this. Other than the Pixel 3 / Pixel 3 XL difference, the only other thing I can think of is that I was on Android 10 not Android 9. Without digging through the source code, Android 10 likely handles the device encryption differently.
Unfortunately I'm not really sure what else to suggest. You may have success updating to Android 10. I doubt it fixes the "Pixel is starting" issue though it may unlock the phone and let you pull data off. I would recommend doing this by sideloading a recent OTA instead of doing a System Update on the phone. If you'd like guidance with this, let me know. Google's page containing all of the OTA images & instructions for sideloading them is: https://developers.google.com/android/ota

_Ra1n_ said:
I assume the following command returns the same "closed" error as before, then?:
Code:
adb shell ls /storage/emulated
"Permission denied" is the error I get when I try that command. Does knowing that change anything regarding your thoughts on the matter?
This is expected. All modern phones are encrypted whether or not a PIN is set. The PIN, fingerprint, ect. simply protects the key. This enables the user to set a PIN quickly and allows the PIN to be changed without re-encrypting everything with a new key.
In theory, that shouldn't matter. Nothing we've tried so far requires root and I recovered without root when this occurred on my phone.
Clearly your phone is reacting differently than mine did when I ran into this. Other than the Pixel 3 / Pixel 3 XL difference, the only other thing I can think of is that I was on Android 10 not Android 9. Without digging through the source code, Android 10 likely handles the device encryption differently.
Unfortunately I'm not really sure what else to suggest. You may have success updating to Android 10. I doubt it fixes the "Pixel is starting" issue though it may unlock the phone and let you pull data off. I would recommend doing this by sideloading a recent OTA instead of doing a System Update on the phone. If you'd like guidance with this, let me know. Google's page containing all of the OTA images & instructions for sideloading them is: https://developers.google.com/android/ota
Click to expand...
Click to collapse
Thank you for that link and for all of your efforts thus far. I messaged google tech support with the issue, I guess before I go the sideloading route to install Android 10, which may or may not help me, I'll see what they say. But I will certainly reach out, privately(?) if I need further assistance.

Matt Spo said:
Thank you for that link and for all of your efforts thus far. I messaged google tech support with the issue, I guess before I go the sideloading route to install Android 10, which may or may not help me, I'll see what they say. But I will certainly reach out, privately(?) if I need further assistance.
Click to expand...
Click to collapse
Yeah, wait until you hear back from Google and see what (if anything) they have to say first.
One random thought I had regarding updating to Android 10: Note that on the Verizon model, since the bootloader is locked, you cannot downgrade (as far as I'm aware, hopefully someone can correct me if I'm wrong). I would first try sideloading QQ1A.200105.002 since that is the version I had success recovering my data on.

_Ra1n_ said:
Yeah, wait until you hear back from Google and see what (if anything) they have to say first.
One random thought I had regarding updating to Android 10: Note that on the Verizon model, since the bootloader is locked, you cannot downgrade (as far as I'm aware, hopefully someone can correct me if I'm wrong). I would first try sideloading QQ1A.200105.002 since that is the version I had success recovering my data on.
Click to expand...
Click to collapse
Sorry for delay, been trying some things in the interim, unfortunately none of which have helped. I have now updated my Computer OS from Win7 to Win10 which helps get drivers recognized, both MTP and ADB (MTP was not working with Win7). Everything seems to be "running" properly. Upon doing some research, it seems like MTP connection for transfer has been disabled, possibly with my latest software update, which I believe is November 2019 (Android Pie). I could not find anyone mentioning that MTP/USB transfer has been RE-enabled with Android 10.
Could that be a reason I am getting the messages I am getting for ADB commands or is that a separate entity, unaffected by MTP mode being disabled by Google? It seems to me, that possibly my best/only option at this point, in order to (hopefully) recover SMS/MMS as well as photos/videos is to sideload updated software? If MTP still not enabled in the sideloaded update you mention, thereby having same results with ADB commands, perhaps I could at least have the option like you initially mentioned of opening the apps via settings, something which is not an option with Pie?
As always, thanks for your continued help. Btw, Google Tech support had no information to help my situation!

Matt Spo said:
I have now updated my Computer OS from Win7 to Win10 which helps get drivers recognized, both MTP and ADB (MTP was not working with Win7). Everything seems to be "running" properly.
Click to expand...
Click to collapse
In theory that should make a difference. MTP has been a standard for quite some time. Not sure what is (or was) causing your driver issues (if any). Out of curiosity, do you have another computer (or a friend/family member's computer) you can try plugging the phone into?
Matt Spo said:
Upon doing some research, it seems like MTP connection for transfer has been disabled, possibly with my latest software update, which I believe is November 2019 (Android Pie). I could not find anyone mentioning that MTP/USB transfer has been RE-enabled with Android 10.
Click to expand...
Click to collapse
Interesting, I hand't heard of this. In developer options, what happens when you set "Default USB configuration" to "File Transfer" and then plug the phone in?
Matt Spo said:
Could that be a reason I am getting the messages I am getting for ADB commands or is that a separate entity, unaffected by MTP mode being disabled by Google? It seems to me, that possibly my best/only option at this point, in order to (hopefully) recover SMS/MMS as well as photos/videos is to sideload updated software?
Click to expand...
Click to collapse
Honestly, I'm starting to think that your issue is either A) different than mine in some way or B) The "Pixel is starting..." bug acts differently on Android 9 and Android 10. What we've learned from ADB is that your phone isn't mounting the internal storage. It is possible that Android 10 mounts (and/or unlocks) the Internal storage earlier in the boot process than Android 9. This may be why I was able to access the data from the "Pixel is starting..." screen but you can not.
Unless you can find someone more knowledgeable that has something better to try, I would update to QQ1A.200105.002 (the Feb 2020 update) since that is where I had luck. Since your device has a locked bootloader, you will not be able to revert back to Android 9 (if that matters at this point). Let me know if you need help with this.
Matt Spo said:
If MTP still not enabled in the sideloaded update you mention, thereby having same results with ADB commands, perhaps I could at least have the option like you initially mentioned of opening the apps via settings, something which is not an option with Pie?
Click to expand...
Click to collapse
At this point, I'd say anything is possible.

_Ra1n_ said:
In theory that should make a difference. MTP has been a standard for quite some time. Not sure what is (or was) causing your driver issues (if any). Out of curiosity, do you have another computer (or a friend/family member's computer) you can try plugging the phone into?
It seems like drivers are working, at least according to device manager. I have tried 3 diff windows 10 computers, all with USB-C->USB-A connections. I might try to find someone with a USB-C port so I can go USB-C->USB-C but given the state of the world right now, tough to go to someone's house or have them let me borrow a computer to test.
Interesting, I hand't heard of this. In developer options, what happens when you set "Default USB configuration" to "File Transfer" and then plug the phone in?
Tried that, nothing happened!
Honestly, I'm starting to think that your issue is either A) different than mine in some way or B) The "Pixel is starting..." bug acts differently on Android 9 and Android 10. What we've learned from ADB is that your phone isn't mounting the internal storage. It is possible that Android 10 mounts (and/or unlocks) the Internal storage earlier in the boot process than Android 9. This may be why I was able to access the data from the "Pixel is starting..." screen but you can not.
I was able to pull up directory of what apps were installed on the phone via ADB, is that different? When you say "access the data" do you mean open the individual apps from the settings menu? If so, you previously mentioned that that might be a new Android 10 option?
Unless you can find someone more knowledgeable that has something better to try, I would update to QQ1A.200105.002 (the Feb 2020 update) since that is where I had luck. Since your device has a locked bootloader, you will not be able to revert back to Android 9 (if that matters at this point). Let me know if you need help with this.
If I were to update to that update you mentioned (the following link lists what you mentioned- 105.002 as the January update, with 205.002 being February update), is it just following the steps here? https://developers.google.com/android/ota OR here https://drive.google.com/file/d/0Bz6x7k-VkpUJMlZ1aEliVnhMOHM/view Do I have to sideload each OTA image in sequence from what I'm currently on until I get to the one you mentioned? Thought I saw mention of that somewhere.
At this point, I'd say anything is possible.
Click to expand...
Click to collapse
Before going with the sideloaded OTA updates, I found the following sites which had a bunch of tips for people who have had recent trouble getting various Pixel phones to mount as drives on CPU, I am going to play around with these tips first, perhaps it's glitchy software update(s)? https://support.google.com/pixelphone/thread/8621523?hl=en&msgid=16913445 AND https://www.reddit.com/r/GooglePixel/comments/58mp7o/pixel_xl_wont_connect_to_windows_10_pc/

Matt Spo said:
I was able to pull up directory of what apps were installed on the phone via ADB, is that different? When you say "access the data" do you mean open the individual apps from the settings menu? If so, you previously mentioned that that might be a new Android 10 option?
Click to expand...
Click to collapse
Yes. Even without a security PIN set, the "internal storage" (where app data is stored, where your photos are stored, ect) is still encrypted. Really your PIN only encrypts the key to unlock the internal storage. This is why you can set a PIN after you've used the phone and have a lot of data stored on it without waiting for the data to be encrypted (and change/remove your PIN without waiting for the data to be decrypted/re-encrypted). When a PIN is not set, the phone (should) automatically unlock the storage with the stored key. (I'm over-simplifying a little bit, of course)
My comment about Android 9/10 differences was a (somewhat educated) guess that Android 10 "unlocks" the "always-encrypted" internal storage at a different time than Android 9. If this "unlock" occurs earlier, the internal storage may be accessible once on the "Pixel is starting..." screen. Unfortunately we're fighting with a bug/glitch; none of this is an exact science.
Matt Spo said:
If I were to update to that update you mentioned (the following link lists what you mentioned- 105.002 as the January update, with 205.002 being February update), is it just following the steps here? ... Do I have to sideload each OTA image in sequence from what I'm currently on until I get to the one you mentioned? Thought I saw mention of that somewhere.
Click to expand...
Click to collapse
Yes, follow the steps on Google's OTA page. No, you do not need to flash the OTAs in sequence. The OTAs available on that page are "Full" OTAs; you can jump straight to any Full OTA as long as it is more recent that the version you're currently on.
Matt Spo said:
Before going with the sideloaded OTA updates, I found the following sites which had a bunch of tips for people who have had recent trouble getting various Pixel phones to mount as drives on CPU, I am going to play around with these tips first, perhaps it's glitchy software update(s)?/
Click to expand...
Click to collapse
If the issue was only an MTP issue, you'd still be able to access the data through ADB, something that it doesn't seem like we've been able to accomplish. Since you've tried multiple computers, I don't think this is related.

_Ra1n_ said:
Yes. Even without a security PIN set, the "internal storage" (where app data is stored, where your photos are stored, ect) is still encrypted. Really your PIN only encrypts the key to unlock the internal storage. This is why you can set a PIN after you've used the phone and have a lot of data stored on it without waiting for the data to be encrypted (and change/remove your PIN without waiting for the data to be decrypted/re-encrypted). When a PIN is not set, the phone (should) automatically unlock the storage with the stored key. (I'm over-simplifying a little bit, of course)
My comment about Android 9/10 differences was a (somewhat educated) guess that Android 10 "unlocks" the "always-encrypted" internal storage at a different time than Android 9. If this "unlock" occurs earlier, the internal storage may be accessible once on the "Pixel is starting..." screen. Unfortunately we're fighting with a bug/glitch; none of this is an exact science.
Yes, follow the steps on Google's OTA page. No, you do not need to flash the OTAs in sequence. The OTAs available on that page are "Full" OTAs; you can jump straight to any Full OTA as long as it is more recent that the version you're currently on.
If the issue was only an MTP issue, you'd still be able to access the data through ADB, something that it doesn't seem like we've been able to accomplish. Since you've tried multiple computers, I don't think this is related.
Click to expand...
Click to collapse
I reached back out to Google Tech. Support since realizing my issue seems to stem from the phone NOT being able to be controlled through connected device (computer) but not being allowed to do so, only allowing connection via "this device." They recommended updating software to most recent version of Android 10, which hopefully fixes that connection problem. I guess my decision is either upgrading to the software version you were on, was it - 105.002 (January) or 205.002 (February)? I saw a discrepancy in previous post between software version # and Month. Perhaps that will allow me to do what I need to do, if not I upgrade to the latest version. If I go straight to the latest version, there's no turning back to trying your software, since bootloader locked. Would you recommend starting with your software update and then potentially moving on to most recent if that doesn't work?
Thank you again for all of your help thus far, seems like this could be the home stretch, exhausted all possible scenarios. If upgrading software doesn't work, seems like I am SoL in hopes of backing up.
Matt

Matt Spo said:
I reached back out to Google Tech. Support since realizing my issue seems to stem from the phone NOT being able to be controlled through connected device (computer) but not being allowed to do so, only allowing connection via "this device." They recommended updating software to most recent version of Android 10, which hopefully fixes that connection problem. I guess my decision is either upgrading to the software version you were on, was it - 105.002 (January) or 205.002 (February)? I saw a discrepancy in previous post between software version # and Month.
Click to expand...
Click to collapse
You're correct; I mistyped that a few posts back. The version I had success recovering on was "QQ1A.200105.002" specifically.
Matt Spo said:
Perhaps that will allow me to do what I need to do, if not I upgrade to the latest version. If I go straight to the latest version, there's no turning back to trying your software, since bootloader locked. Would you recommend starting with your software update and then potentially moving on to most recent if that doesn't work?
Click to expand...
Click to collapse
Correct, if you sideload the most recent update you will not be able to sideload an older update with a locked bootloader. My gut instinct would be to update to the version I had success with because we know it worked at least once. Obviously I can't guarantee it will work for you, but I'm really hoping it does. If it doesn't help, updating to the latest version would be the next step.
Matt Spo said:
Thank you again for all of your help thus far, seems like this could be the home stretch, exhausted all possible scenarios. If upgrading software doesn't work, seems like I am SoL in hopes of backing up.
Click to expand...
Click to collapse
Of course! I'm still hopeful this will work out!
Random aside: @Ditamae ran into the exact same issue as me and seems to have had similar success with recovering data. He responded to my original post about this issue: https://forum.xda-developers.com/showpost.php?p=82567069&postcount=5. He indicated he was on the January 2020 update as well.