GOOGLE ACCOUNT FRP LOCK BYPASS // HUAWEI NEXUS 6P // ANDROID 7.0.1, 7.1, 7.1.1 NOUGAT

This video demonstrates the use of the Linux kernel privilege escalation exploit "dirty-c0w" on an Android device. Using the exploit, I show you just how powerful it can be when used against FRP on a Nexus 6P running the October 5th, 2016 security patch. I do not claim to have made any of the tools used in this bypass.

This method works universally across all Android phones and works on every Android version, including the most recent 7.1.1. The only devices that cannot use this method are ones that have been updated to the most recent December 5, 2016 security patches, so as long as your device does NOT say December 5, 2016 under security patches, you qualify!

The APKs I use in this video can be found at this link:

https://ghostlyhaks.com/$downloads/APKs.zip

STEPS

  1. Start from a fresh factory reset.
  2. Tap Vision Settings
  3. Enable TalkBack
  4. Hold both Volume buttons to enable TalkBack after the tutorial has closed and then swipe on the screen Down + Right.
  5. Double tap Text-to-Speech Settings then hold both Volume buttons to turn TalkBack off.
  6. Swipe in from the left edge to display a hidden Settings menu and tap Settings Home.
  7. Plug in your USB-C OTG adapter and a USB drive formatted as FAT32 containing the APK files downloaded from the link above.
  8. Tap Storage and choose your USB.
  9. Copy dirtycow, gam6.apk and gam(your-android-version).apk to internal storage by tapping and holding an item, tapping the 3 dots at the top right, selecting "Copy To" and choosing the internal Download folder.
  10. (Optional) Install Quick-Shortcut-Maker.apk and then open the app. Scroll down to Pixel Launcher and tap to "Try" it. This will put you at the home screen which will prevent any mistakes from spitting you back out into the Setup Wizard.
  11. Install Terminal-Emulator.apk and then open the app.
  12. Type the following commands EXACTLY as I have them, one at a time, followed by Enter:

    cd ~

    cat /sdcard/Download/dirtycow > dirtycow

    cat /sdcard/Download/gam6.apk > gam6.apk

    touch file

    chmod 777 *

    ./dirtycow /system/priv-app/GoogleLoginService/GoogleLoginService.apk gam6.apk

    ./dirtycow /system/priv-app/GoogleLoginService/oat/arm64/GoogleLoginService.odex file

  13. Back out of Terminal Emulator and go back into Settings. Open the Storage section again and install gam(your-android-version).apk.
  14. Open Terminal Emulator again and open a new window. Type the following commands EXACTLY as I have them, one at a time, followed by Enter:

    cd ~

    ./dirtycow /data/app/com.google.android.gsf.login-1/base.apk gam6.apk

    ./dirtycow /data/app/com.google.android.gsf.login-1/oat/arm64/base.odex file

  15. Back out of Terminal Emulator and open Settings again. Scroll down and open the Apps section.
  16. Scroll down and tap on com.google.android.gsf.login.
  17. Tap Disable and choose Yes. This will ask if you'd like to uninstall the app. Choose Yes; the uninstall will fail, but that's okay, this is what you want to happen. You'll know you did it right because the icon for the app will change to a grayed-out version.
  18. Back out and tap on Storage again. Navigate to the internal Download folder and install gam(your-android-version).apk again.
  19. Back out and open the Apps section again. Scroll down and tap on com.google.android.gsf.login.
  20. Tap Disable and choose Yes. This will ask if you'd like to uninstall the app. Choose Yes; this time it will fully remove the app by successfully uninstalling it.
  21. Back out and open your Download folder once more. This time install gam6.apk. Congratulations, you have successfully downgraded Google Account Manager :)
  22. Install frp-bypass.apk and tap the 3 dots at the top right and choose web sign-in.
  23. Sign in with your Google Account.
  24. Go back into your Download folder and install gam(your-android-version).apk.
  25. Reboot the device.
  26. Proceed through Setup Wizard as you would normally and instead of it showing the FRP lock screen it will say "Account Added" :)

Please keep in mind that there are MULTIPLE VERSIONS OF DIRTYCOW; download the one that is specific to your device. I have included in the drive an APK that will tell you which type of architecture your device has. Run the app, download the associated version of dirtycow, then change the name of the file once it's on your device (unless you like typing really long things multiple times, then hey, more power to ya). Please do not ask me which one you are supposed to download and please do not comment telling me that it "doesn't work". If it didn't work, then it's because of one of three things: you are on the December 5, 2016 security patch and decided to try it anyway, you aren't using the correct version of dirtycow, or you did something wrong. The method is flawless when applied correctly; just remember that and follow, as I show in the video, the EXACT same process of steps, one by one, and you'll get it. I have faith in you!
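As an added, defender-side check that is not part of the original post: the script below takes `getprop` dumps captured from managed devices (the sample dumps are constructed) and reports which ones still predate the December 5, 2016 patch level the post names, so they can be prioritised for updating. It assumes the captures were taken with `adb shell getprop` and treats a missing patch property as not yet patched.

```python
import re
from datetime import date

# Patch level that closes this method, per the post: December 5, 2016.
FIXED_PATCH_LEVEL = date(2016, 12, 5)

# getprop lines look like: [ro.build.version.security_patch]: [2016-10-05]
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(dump: str) -> dict:
    """Turn raw `getprop` output into a {property: value} dict."""
    props = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def patch_level(props: dict):
    """Return the security patch level as a date, or None if absent/unparseable."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None

def is_exposed(props: dict) -> bool:
    """True when the device predates the fixed patch level (or reports none)."""
    level = patch_level(props)
    return level is None or level < FIXED_PATCH_LEVEL

def triage(captures: dict) -> dict:
    """Map device serial -> one-line status for a fleet of getprop captures."""
    report = {}
    for serial, dump in captures.items():
        props = parse_getprop(dump)
        level = patch_level(props)
        shown = level.isoformat() if level else "unknown"
        model = props.get("ro.product.model", "?")
        status = "EXPOSED" if is_exposed(props) else "patched"
        report[serial] = f"{model} patch={shown} -> {status}"
    return report

# Constructed sample captures (not real devices).
SAMPLE_CAPTURES = {
    "serial-A": "[ro.product.model]: [Nexus 6P]\n[ro.build.version.security_patch]: [2016-10-05]\n",
    "serial-B": "[ro.product.model]: [Nexus 6P]\n[ro.build.version.security_patch]: [2016-12-05]\n",
    "serial-C": "[ro.product.model]: [OtherPhone]\n",
}

if __name__ == "__main__":
    for serial, line in triage(SAMPLE_CAPTURES).items():
        print(serial, line)
```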

For a further look into dirty-c0w, I'd advise everyone to go check out dirtycow.ninja - it's the wiki/GitHub based on the vulnerability.