added Shizuku support

README.md

@@ -4,17 +4,23 @@ This tool allows most Samsung devices to achieve a `system` shell (UID 1000). It
 
 ## Usage
 
-1. Downgrade the TTS app to the version provided in this repo (this must be done after every reboot).  
-    `adb install -d ./com.samsung.SMT_v3.0.02.2.apk`
-2. Run this command to wait for the reverse shell:  
-    `adb shell nc -l -p 9999`
-3. Install and open the `SMT Shell` app.
+1. Downgrade the TTS app to the version provided in this repo (this must be done after every reboot). `adb install -d ./com.samsung.SMT_v3.0.02.2.apk`
+2. Run this command to wait for the reverse shell: `adb shell nc -l -p 9999`
+3. Install and open the `langpoc` app.
 
-## Licence & Origin
+## Licences & Origin
 
-This project is a fork of [SMT-CVE-2019-16253](https://github.com/flankerhqd/vendor-android-cves/tree/master/SMT-CVE-2019-16253), created by flankerhqd (AKA flanker017). There is also a write-up by flanker [here](https://blog.flanker017.me/text-to-speech-speaks-pwned). Due to the original repo containing multiple unrelated projects, this fork's git history was rewritten using `git filter-repo` so that it only contains the relevant code (and no prebuilt artifacts).
+This project started as a fork of [SMT-CVE-2019-16253](https://github.com/flankerhqd/vendor-android-cves/tree/master/SMT-CVE-2019-16253), created by flankerhqd (AKA flanker017). There is also a write-up by flanker [here](https://blog.flanker017.me/text-to-speech-speaks-pwned). Due to the original repo containing multiple unrelated projects, this fork's git history was rewritten using `git filter-repo` so that it only contains the relevant code (and no prebuilt artifacts).
 
-This repo will continue to use the LGPL license that the original used when this fork was created.
+This repo will continue to use the LGPL license that the original used when this fork was created. Other embedded components are licensed as follows:
+
+### Shizuku - Copyright (c) 2021 RikkaW
+
+Some code was copied or adapted from the [Shizuku API](https://github.com/RikkaApps/Shizuku-API) demo project, which is distributed under the MIT License. Primarily, this includes files in `smtshell/app/src/main/java/com/samsung/SMT/lang/smtshell/shizuku`, and the hidden API class stubs in `smtshell/hidden-api-stub`. A copy of the license can be found [here](https://github.com/RikkaApps/Shizuku-API/blob/master/LICENSE).
+
+### Samsung
+
+This project includes an unmodified Samsung APK, at `./smtshell/app/src/main/assets/com.samsung.SMT_v3.0.02.2.apk`.
 
 ### Changes from the original
 
@@ -23,3 +29,9 @@ Please see the git commit history for a comprehensive list of changes. In brief:
 * Refactored nearly all the code
 * Replaced the reverse shell implementation
 * Updated dependencies and build system to latest versions  
+
+
+RUN git clone https://github.com/corellium/sud.git \
+ && cd sud \
+ && mkdir -p bin \
+ && make CC=/root/sdk/ndk-bundle/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang

smtshell/app/build.gradle

@@ -4,10 +4,10 @@ android {
     compileSdkVersion 33
     defaultConfig {
         applicationId "com.samsung.SMT.lang.smtshell"
-        minSdkVersion 14 // must be 22 or lower for the exploit to work
+        minSdkVersion 22 // must be 22 or lower for the exploit to work
         targetSdkVersion 33
-        versionCode 2
-        versionName "1.1"
+        versionCode 20230319
+        versionName "1.2"
         testInstrumentationRunner 'androidx.test.runner.AndroidJUnitRunner'
         externalNativeBuild {
             ndkBuild {
@@ -29,6 +29,9 @@ android {
 }
 
 dependencies {
+    implementation "dev.rikka.shizuku:api:13.1.0"
+    implementation "dev.rikka.shizuku:provider:13.1.0"
+    implementation 'org.lsposed.hiddenapibypass:hiddenapibypass:4.3'
     implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
     implementation 'androidx.appcompat:appcompat:1.6.1'
     compileOnly project(':hidden-api-stub')

smtshell/app/src/main/AndroidManifest.xml

@@ -7,14 +7,17 @@
         tools:ignore="QueryAllPackagesPermission" />
     <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES" />
 
+    <uses-sdk tools:overrideLibrary="rikka.shizuku.api, rikka.shizuku.shared, rikka.shizuku.aidl, rikka.shizuku.provider" />
+
     <application
         android:allowBackup="true"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
+        android:name=".SMTShell"
         android:theme="@style/Theme.AppCompat">
-        <activity android:name="com.samsung.SMT.lang.smtshell.MainActivity"
+        <activity android:name=".MainActivity"
             android:exported="true">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
@@ -23,6 +26,9 @@
             </intent-filter>
         </activity>
 
+        <activity android:name=".ConflictActivity"
+            android:exported="false" />
+
         <service
             android:name="com.samsung.SMT.lang.smtshell.MyService"
             android:enabled="true"
@@ -31,6 +37,15 @@
                 <action android:name="com.samsung.SMT.lang.smtshell" />
             </intent-filter>
         </service>
+
+        <provider
+            android:name="rikka.shizuku.ShizukuProvider"
+            android:authorities="${applicationId}.shizuku"
+            android:multiprocess="false"
+            android:enabled="true"
+            android:exported="true"
+            android:permission="android.permission.INTERACT_ACROSS_USERS_FULL" />
+
     </application>
 
 </manifest>

smtshell/app/src/main/java/com/samsung/SMT/lang/smtshell/ConflictActivity.java

@@ -0,0 +1,76 @@
+package com.samsung.SMT.lang.smtshell;
+
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Build;
+import android.os.Bundle;
+import android.widget.ArrayAdapter;
+import android.widget.ListView;
+import android.widget.TextView;
+
+import androidx.annotation.RequiresApi;
+import androidx.appcompat.app.AppCompatActivity;
+
+import java.util.ArrayList;
+
+/**
+ * We need to keep the minSdkVersion at 22 or lower, so use @RequiresApi to use newer stuff.
+ * This only needs to support Android 9.0 (API 28) and higher anyway.
+ */
+@RequiresApi(api = Build.VERSION_CODES.N)
+public class ConflictActivity extends AppCompatActivity {
+
+    private TextView mTextView;
+    private ListView mListView;
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_conflict);
+        mTextView = findViewById(R.id.text);
+        mListView = findViewById(R.id.list);
+        if (resolvePackageConflicts()) {
+            launchMain();
+        }
+    }
+
+    /**
+     * This will fire when we get a response from an uninstall request. No need to check the
+     *  requestCode or resultCode, since we only care about one result for now.
+     */
+    @Override
+    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+        super.onActivityResult(requestCode, resultCode, data);
+        if (resolvePackageConflicts()) {
+            launchMain();
+        }
+    }
+
+    private void launchMain() {
+        Intent intent = new Intent(this, MainActivity.class);
+        // prevent annoying UX for user, if they tap back
+        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
+        startActivity(intent);
+    }
+
+    private boolean resolvePackageConflicts() {
+        ArrayList<String> pkgs = ConflictUtil.getPackageConflicts(this);
+
+        if (pkgs.size() > 0) {
+            mTextView.setText(R.string.app_conflict_prompt);
+            mListView.setAdapter(new ArrayAdapter<>(this, R.layout.pkg_item, pkgs));
+            mListView.setOnItemClickListener((parent, view, position, id) -> {
+                String pkgName = pkgs.get(position);
+                Intent intent = new Intent(Intent.ACTION_DELETE);
+                intent.setData(Uri.parse("package:" + pkgName));
+                startActivityForResult(intent, 0);
+            });
+            return false;
+        } else {
+            mTextView.setText(R.string.no_conflicts);
+            mListView.setAdapter(null);
+            return true;
+        }
+    }
+
+}

smtshell/app/src/main/java/com/samsung/SMT/lang/smtshell/ConflictUtil.java

@@ -0,0 +1,38 @@
+package com.samsung.SMT.lang.smtshell;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.net.Uri;
+import android.os.Build;
+import android.widget.ArrayAdapter;
+
+import androidx.annotation.RequiresApi;
+
+import java.util.ArrayList;
+import java.util.stream.Collectors;
+
+/**
+ * We need to keep the minSdkVersion at 22 or lower, so use @RequiresApi to use newer stuff.
+ * This only needs to support Android 9.0 (API 28) and higher anyway.
+ */
+@RequiresApi(api = Build.VERSION_CODES.N)
+public class ConflictUtil {
+
+    public static ArrayList<String> getPackageConflicts(Context context) {
+        ArrayList<String> pkgs = context.getPackageManager()
+                .getInstalledPackages(PackageManager.MATCH_ALL)
+                .stream()
+                .map(packageInfo -> packageInfo.packageName)
+                .filter(pkgName -> pkgName.startsWith("com.samsung.SMT.lang"))
+                .filter(pkgName -> !pkgName.equals(context.getPackageName()))
+                .collect(Collectors.toCollection(ArrayList::new));
+
+        return pkgs;
+    }
+
+    public static boolean hasConflicts(Context context) {
+        return getPackageConflicts(context).size() > 0;
+    }
+
+}