How to brick all Samsung phones
Few months ago, I bought a Samsung phone in order to analyse it. After few hours I found an unprotected receiver in the ContainerAgent application.
Analyse
The ContainerAgent application, version 2.7.05001015, contained a broadcast receiver called SwitcherBroadcastReceiver.
As you can see, this receiver is enabled and exported by default. Let’s check the implementation in order to understand how to trigger this receiver.
By looking the onReceive method of the SwitcherBroadcastReceiver, we are able to deduce that:
- This receiver expect com.samsung.android.knox.containeragent.LocalCommandReceiver.ACTION_COMMAND as an action.
- It check the value of an integer extra called com.samsung.android.knox.containeragent.LocalCommandReceiver.EXTRA_COMMAND_ID. This extra can have 2 values: 1001 and 1002.
- It check the value of an integer extra called android.intent.extra.user_handle.
It’s time to construct the intents and understand what are their effects. If the extra ACTION_COMMAND is equal to 1001, the immediateLock method is called with the value…