02-05-2018, 16:03   #26
lordofthepings
Some time ago I helped a friend who got swindled on eBay with an RMM-locked phone, and the seller was not responding. Please note that this fix is "partial" and the tutorial is from my memory, so I may be forgetting some details. Therefore, do this at your own risk; you have been warned.

The phone was a Galaxy S8+ (SM-G955F) from Telcel Mexico with G955FXXU1AQH3 firmware; it had "FRP Lock" set to "Off" and "OEM Lock" set to "On". The phone could only be flashed with stock or combination firmware and could not be rooted, as custom binaries were blocked. I flashed stock firmware from several regions, but every time the phone got locked 10 seconds after reaching the welcome screen. I observed that the phone was locked using an RMM (Remote Mobile Manager) account because of a pending installment balance. If I had the RMM account details tied to this phone, I could go to rmm.samsung.com and unlock it. Since the seller never provided that, I thought of blocking the software that was triggering the lock. In my research, I found that the lock was being triggered by RLC.apk, which is located at "/system/priv-app/Rlc/Rlc.apk" in stock firmwares. I followed the steps below to bypass the lock (your situation might be a bit different from mine, so follow the below steps at your own risk):

1. Install combination firmware (I used FA70_G955FXXU1AQD1). Once the phone boots up in factory firmware, you will notice that the "USB Debugging" is On but "OEM Unlock" option is missing. Don't worry, we will fix that later.
2. Install RLC.apk v1.1.15 from PC (adb install Rlc.apk)
3. Install Ice Box v3.1.9.1 from PC (adb install com.catchingnow.icebox-3.1.9.1-G-varies-sdk21-vc593.apk)
4. Since we do not have Root permission, set Ice Box as a Device Administrator from PC (adb shell dpm set-device-owner com.catchingnow.icebox/.receiver.DPMReceiver)
5. Restart the phone
6. Open up Ice Box, continue as Device Admin and in the APPS section, "Freeze" the RLC package (Title: Notification, Description: com.samsung.android.rlc). You may need to enable the "Include Hidden" option in Ice Box from the top right corner.
7. Now that RLC is frozen, install stock firmware with "HOME_CSC" so that the two apps we installed do not get erased. I used "AP_G955FXXU1AQH3", "BL_G955FXXU1AQH3", "CP_G955FXXU1AQH3" and "HOME_CSC_OWA_G955FOWA1AQH3" from the Telcel firmware.
8. We are done, remember to keep RLC package frozen.

After step 7, I changed the language to English from Settings and also disabled OEM Lock from "Developer Options". A few observations at this point:

1. The phone is still RMM locked, we have only suppressed the SEM_LOGISTICS PIN Code prompt. You can see "RMM State: Locked" in download mode. Also, if you go to Settings->About Phone->Status, you will notice "Installment payments" section marked as "Outstanding".
2. It is said that "RMM State: Prenormal" automatically goes away if you keep the phone up for 168 hours without rebooting. I do NOT know if "RMM State: Locked" goes away automatically or not, but I doubt it.
3. Since the RMM state is locked, custom binaries still cannot be flashed for rooting.
4. For TWRP, I got error "custom binary(RECOVERY) Blocked due to remaining installment balance"
5. For Root kernel, I got "custom binary(BOOT) Blocked due to remaining installment balance"
6. Secure Folder could not be set up. I kept getting a KNOX-related error but do not remember its text now.
7. I tried to back up the PERSISTENT partition but got a Permission Denied error because I did not have root.
8. The command "dd if=/dev/block/platform/11120000.ufs/by-name/PERSISTENT of=/sdcard/PERSISTENT.img" failed.
9. The command "dd if=/dev/block/sda13 of=/sdcard/PERSISTENT.img" failed.
10. I tried to format the PERSISTENT partition but got a Permission Denied error because I did not have root.
11. The command "dd if=/dev/zero of=/dev/block/platform/11120000.ufs/by-name/PERSISTENT" failed.
12. The command "dd if=/dev/zero of=/dev/block/sda13" failed.
13. KNOX was not tripped so phone warranty was not void.

The phone had become largely usable so I gave up at this point. If you make more progress, don't forget to share with the community. I'm not an Android Developer and also do not have access to any Flasher Boxes. It took me quite a while to figure this out and to write this tutorial, so do give me credit if I have helped you. Good luck.
 
The Following 29 Users Say Thank You to lordofthepings For This Useful Post: