Hacking Android 12 - Motorola Edition (FRP Bypass)
In this guide, we will explore a method to bypass the Factory Reset Protection (FRP) on Motorola devices running Android 12. Specifically, we will focus on devices that have the Gboard app from Google pre-installed as the default keyboard. I have discovered a unique solution for this particular scenario, which has proven successful multiple times before.
Please note that I have conducted all the procedures mentioned in this guide using a Motorola G50 device.
Now, let's proceed with the method to bypass factory reset protection on any Motorola device with the Google Gboard app installed as the default keyboard. By exploiting a bug in the Gboard app, we can crash it and gain access to the device's settings, effectively bypassing the protection. It is important to note that this method is specific to the Android version that was current on the Motorola G50 as of 2023-02-09.
However, please keep in mind that bypassing factory reset protection may have legal and ethical implications. Ensure that you have the necessary permissions and comply with applicable laws before attempting any bypass techniques.
DMESG from Setup Wizard
```text
[20335.816840] cdc_acm 1-10:1.1: ttyACM0: USB ACM device
[20335.817836] usbcore: registered new interface driver cdc_acm
[20335.817839] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[20341.452575] usb 1-10: USB disconnect, device number 8
[20795.448710] usb 1-10: new high-speed USB device number 9 using xhci_hcd
[20795.590684] usb 1-10: New USB device found, idVendor=22b8, idProduct=2e82, bcdDevice= 5.04
[20795.590688] usb 1-10: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[20795.590691] usb 1-10: Product: moto g(50)
[20795.590693] usb 1-10: Manufacturer: motorola
[20795.590695] usb 1-10: SerialNumber: ZY22DPQST
```
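The dmesg excerpt above is how you confirm which device the host actually saw (vendor/product IDs, model and serial) before touching it with fastboot or ADB. The following helper is an added example, not part of the original guide: it reads default-format dmesg text on stdin and prints one summary line per USB attach event. The sample input is constructed from the lines above plus a second, made-up device (vendor `abcd`, product `1234`) to show that several ports are handled; it assumes the stock `dmesg` prefix (`[seconds] usb <bus-port>: ...`), not the `dmesg -T` format.

```bash
#!/bin/bash
# Added example: summarise "New USB device found" records from dmesg output.
# Output format per device:  <bus-port> | <idVendor>:<idProduct> | <manufacturer> | <product> | <serial>
# Missing fields are printed as "-". If the same port is enumerated twice, the last attach wins.

# Constructed sample: the moto g(50) lines from the guide plus an invented second device.
SAMPLE_DMESG='[20335.816840] cdc_acm 1-10:1.1: ttyACM0: USB ACM device
[20341.452575] usb 1-10: USB disconnect, device number 8
[20795.448710] usb 1-10: new high-speed USB device number 9 using xhci_hcd
[20795.590684] usb 1-10: New USB device found, idVendor=22b8, idProduct=2e82, bcdDevice= 5.04
[20795.590688] usb 1-10: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[20795.590691] usb 1-10: Product: moto g(50)
[20795.590693] usb 1-10: Manufacturer: motorola
[20795.590695] usb 1-10: SerialNumber: ZY22DPQST
[20900.100000] usb 1-3: new high-speed USB device number 10 using xhci_hcd
[20900.200000] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[20900.200100] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[20900.200200] usb 1-3: Product: Example Flash Drive
[20900.200300] usb 1-3: Manufacturer: Example Vendor'

# Reads dmesg text on stdin, prints one line per attached USB device (in order of first attach).
usb_attach_summary() {
    awk '
        # Return the text after "<label>: " on the current line.
        function field(label,   r) { r = $0; sub("^.*" label ": ", "", r); return r }

        # A "New USB device found" line opens a record keyed by the bus-port (e.g. 1-10).
        /New USB device found/ {
            port = $3; sub(/:$/, "", port)
            if (!(port in id)) order[++n] = port
            vid = "-"; pid = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "="); gsub(/,/, "", kv[2])
                if (kv[1] == "idVendor")  vid = kv[2]
                if (kv[1] == "idProduct") pid = kv[2]
            }
            id[port] = vid ":" pid; mfr[port] = "-"; prod[port] = "-"; ser[port] = "-"
            next
        }
        # Descriptor strings follow on their own lines; attach them to the open record.
        / usb [^ ]+: Manufacturer: / { port = $3; sub(/:$/, "", port); mfr[port]  = field("Manufacturer") }
        / usb [^ ]+: Product: /      { port = $3; sub(/:$/, "", port); prod[port] = field("Product") }
        / usb [^ ]+: SerialNumber: / { port = $3; sub(/:$/, "", port); ser[port]  = field("SerialNumber") }

        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                print p " | " id[p] " | " mfr[p] " | " prod[p] " | " ser[p]
            }
        }
    '
}

# Usage: feed the constructed sample (or `dmesg | usb_attach_summary` on a real host).
printf '%s\n' "$SAMPLE_DMESG" | usb_attach_summary
```

Keeping a record like this alongside the serial number on the device label is a quick way to check that the unit you are working on is the one you expect before erasing partitions.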
Note: first of all, I wiped all partitions using the following script:
```bash
#!/bin/bash
#############################################################################
# Author: wuseman
# Date: 2023-01-31
#############################################################################
#
# - Wipe all partitions from fastboot,
# - Built for Motorola G50, Android 12
#
#############################################################################
# List the partitions reported by the bootloader. fastboot prints them on
# stderr, so merge it into stdout before extracting the partition names.
( fastboot oem partition 2>&1 ) \
    | awk -F' ' '{print $2}' \
    | sed 's/://' \
    | sort > partitions.txt

# Erase every partition found above.
while read -r line; do
    fastboot erase "${line}"
done < partitions.txt

read -r -p "Reboot to system (y): " reboot2system
if [[ ${reboot2system} = "y" ]]; then
    fastboot reboot
else
    echo "We are still in fastboot, do your commands and reboot with <fastboot reboot>"
fi
```
FRP Bypassing
After completely wiping the device with fastboot, I performed a regular reboot, which brought us to the introductory page of the Setup Wizard.
Now, let's proceed with the steps below to bypass the FRP (factory reset protection) using the method I discovered. I have tested this method four times to confirm its reliability, so it is not just a random crash; it works because of a bug in Gboard.
Android 12 - v2: Crashing GBoard, Setup wizard
Screen | Task |
---|---|
Hi There | Press start |
Connect to Mobile Network | Press skip |
Connect to Wi-Fi | Connect to your Wi-Fi as usual to get online, you will be redirected to the next page when connected |
Privacy & Software Updates | Accept & Continue - Wait for the next screen, it will search for updates |
Copy apps and data | Press don't copy |
Verify pin | Press: Use my Google account instead |
Verify your Account (locked) | Press: Forgot email? |
Find your email | Type: admin and hit next |
What's your name? | Press inside the First Name input field, and the keyboard will be launched |
Now the keyboard should be open, and you will see the microphone option in the upper right corner of Gboard. We reached this page because the microphone is disabled at the other stages: the Motorola Android 12 setup wizard does not allow it for password and email inputs.
Now, follow these steps. If you followed my unique method to access settings on Samsung 10 running Android 10 a few years ago, you will see that it's the same process. We are using permissions to succeed once again. It's quite amusing because the first time I discovered this was purely accidental. I was tired that day a few years ago, and due to a simple mistake of pressing slightly below the "ALLOW copy" button, I stumbled upon this phenomenon. Now, it has become the way I perform my personal bypasses, relying on denying permissions to allow us to bypass. Funny, isn't it? Anyway, let's continue.
- Press the microphone icon in the upper right corner of Gboard.
- Allow Gboard to record audio: Press "Don't allow." You will see a message at the bottom saying "No permission to allow microphone." Repeat this step to permanently deny microphone access.
- Allow Gboard to record audio: Press "Don't allow" again.
Now, when we press the microphone button for the third time, it can be pressed without asking for permission as before. However, it will block our request and display "No permission to enable: Voice typing."
Next, we are going to crash Gboard. Quickly click the microphone button several times until Gboard freezes. You will notice this when you are unable to press anything and there is no reaction. Gboard will disappear and restart automatically after one to three seconds. Once Gboard restarts, it will pop up again. Now, repeat the same process: press the microphone icon until the screen dims and Gboard freezes. Then continue pressing anywhere on the Gboard window, and the magic will happen. You will see the message "Gboard keeps stopping." Now, press "App info" and go to settings. Congratulations! We have successfully bypassed the factory reset protection screen and can now continue exploring.
Don't worry; I won't leave you here. Let me show you how to proceed from here and bypass the Motorola G50 if you have no idea how to proceed further. Let's continue hacking this device.
You should now be in the Gboard Settings Menu after crashing Gboard and following the steps mentioned above.
Current Screen | Task |
---|---|
App Info | Press: Screen Time |
Gboard | Press the upper right corner menu: Manage Data |
Manage Your Data | Press: Clock, options |
Set a consistent bedtime for better sleep | Press: Get Started |
Set a regular wake-up alarm | Press: Sound |
Alarm Sound | Press: YouTube Music |
Alarm Sound | Press: Login |
Music - Open the world of music | Press: Device files only |
Music | Press: face icon at the upper right corner |
Account | Press: Privacy Policy - Terms of Service at the bottom of the screen |
Welcome to Chrome | Press: Accept & continue |
Turn on sync? | Press: No thanks |
YouTube - Terms of service | Enter URL to Application Launcher: https://android.nr1.nu/applicationLauncher.html |
Android Application launcher | Press: Click to Open - Settings |
Settings | Press: System navigation |
System navigation | Enable (change to): Gesture navigation |
Gesture navigation | Enable (change to): Gesture navigation |
Gesture navigation | Press: Settings |
Gesture settings | Set: Left/Right to the highest value |
Gesture settings | Press: Arrow left (go back) |
Apps | Press: See all XX apps |
All apps | Press: Android Setup |
App info | Press: Force stop -> OK |
App info | Press: Arrow left (go back) |
All apps | Press: Google Play services |
App info | Press: Disable -> Disable app |
App info | Press: Arrow left (go back) |
All apps | Press: Arrow left (go back) |
Apps | Press: Arrow left (go back) |
Settings | Press: Accessibility |
Accessibility | Press: Accessibility Menu |
Accessibility Menu | Enable: Accessibility Menu shortcut |
Allow Accessibility menu to.... | Press: Allow |
Use Accessibility button to open Menu | Press: Got it |
Now, press the back button multiple times until you reach the welcome wizard again.
Press "Next," and in the next window, simply skip since we won't be using an SD card. Connect to another Wi-Fi network but enter the wrong password intentionally so that we remain offline. Now, press "Skip" at the lower left corner and proceed to set up your new device.
Pull all applications from the device to PC
```bash
#!/bin/bash
# Pull the APK of every installed package from the connected device via ADB.
line='..............................................'
printf "Please enter the path to store the APK files in, path: "
read -r storagepath
echo ""
mkdir -p "$storagepath"
cd "$storagepath" || exit 1
printf "%61s\n" | tr ' ' '='
printf "Pulling applications installed from Play Store..........[\e[0;33mWAIT\e[0m]\n"
printf "%61s\n" | tr ' ' '='
for package in $(adb shell pm list packages | tr -d '\r' | sed 's/package://g'); do
    # Full on-device path of the APK (split APKs report several paths; the first one is used)
    apk_real=$(adb shell pm path "$package" | tr -d '\r' | sed 's/package://g' | head -n1)
    # Directory name of the APK, used only for the progress line
    apk=$(printf '%s\n' "$apk_real" | cut -d/ -f4 | cut -d- -f1)
    printf "Pulling: %s" "$apk"
    adb pull -p "$apk_real" "$package".apk &> /dev/null
    # Pad with dots so the DONE marker lines up
    printf "%s[\e[1;32mDONE\e[0m]\n" "${line:${#apk}}"
done
PCKS="$(adb shell pm list packages | tr -d '\r' | sed 's/package://g' | wc -l)"
printf "%61s\n" | tr ' ' '='
printf "Pulled %s APK packages from your device................[\e[1;32mDONE\e[0m]\n" "$PCKS"
printf "%61s\n" | tr ' ' '='
```
Set a PIN screen:
```text
com.android.settings/com.android.settings.password.SetupChooseLockPassword
```
Unlock with your fingerprint:
```text
com.android.settings/com.android.settings.biometrics.fingerprint.SetupFingerprintEnrollIntroduction
```
Unlock bootloader
To unlock your bootloader, we need to grab the 5 lines of unlock data printed by the fastboot command. Follow these steps:
- Open settings.
- Browse to the bottom and press "About phone."
- Scroll to the bottom and press "Build number" 7 times.
- Press back.
- Press "System options" above "About phone."
- Enter developer options.
- Enable "OEM Unlock" and enter your PIN.
- Allow OEM unlocking? Press "Enable."
- Connect USB to your device as usual when using ADB/Fastboot.
- When connected, type:

```bash
adb reboot bootloader
```
Wait for the device to boot into the bootloader. When you see the daemon loaded, type:
```bash
fastboot devices
```
You should now see the device. Press the volume down button twice to select "Reboot to bootloader."
Now, type:
```bash
fastboot oem get_unlock_data
```
You will see output in the same format, but with a different key. Alternatively, you can extract the required key with the following pipeline, which keeps only the long `(bootloader)` lines and joins their payloads into one string (fastboot writes them to stderr, hence the `2>&1`):
```bash
fastboot oem get_unlock_data 2>&1 \
    | awk 'length > 30' \
    | awk '{print $2}' \
    | xargs \
    | sed 's/ //g'
```
Check if the phone is qualified for unlocking the bootloader
```bash
#!/bin/bash
# Author: wuseman
# Filename: bootloaderverify.sh
# Created: 2023-02-09
#
# Join the unlock-data lines from fastboot into one key and ask Motorola's
# portal whether this phone qualifies for bootloader unlocking.
bootloaderTempKey=$(fastboot oem get_unlock_data 2>&1 | awk 'length > 30' | awk '{print $2}' | xargs | sed 's/ //g')

if curl -s "https://motorola-global-portal.custhelp.com/cc/productRegistration/verifyPhone/${bootloaderTempKey}" \
    -X 'POST' \
    -H 'Accept: application/json, text/javascript, */*; q=0.01' \
    -H 'Accept-Language: en-US,en;q=0.9' \
    -H 'Connection: keep-alive' \
    -H 'Content-Length: 0' \
    -H 'Origin: https://motorola-global-portal.custhelp.com' \
    -H 'Referer: https://motorola-global-portal.custhelp.com/app/standalone%2Fbootloader%2Funlock-your-device-b' \
    | grep -q "Phone qualifies"; then
    echo "Bootloader can be unlocked"
else
    echo "Bootloader cannot be unlocked"
fi
```
If you are unsure about this part, browse to https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a to manually fill in the long key to be sure.
Once done, you will receive the key via email. Use the following command to unlock the bootloader:
```bash
fastboot oem unlock <bootloaderkey_from_mail>
```
To lock your bootloader again, type:
```bash
fastboot oem lock <bootloaderkey_from_mail>
```
Press the volume down button and power button to confirm.
- For fastboot commands, please check my fastboot cheatsheet.
If the device is stuck in fastboot and keeps rebooting back to the bootloader, and you see the message "reason: UTAG bootmode configured as fastboot," you can solve this by running:
```bash
fastboot oem fb_mode_clear
```
Now, simply reboot your device, and it will boot to normal mode instead of bootlooping into fastboot mode.
The following click-to-open options have been added, and all of them are reachable from behind the FRP lock. I have confirmed this, but remember that you must browse to the website to be able to click the URLs. They won't be clickable here; this list only shows what was added:
- Click to Open - Radio Info
- Click to Open - FCM Diagnostics
- Click to Open - Engineering Mode
- Click to Open - IMEI window
- Click to Open - Regulator information
- Click to Open - Calendar Debugging