GOOGLE ACCOUNT FRP LOCK BYPASS // GOOGLE PIXEL XL // ANDROID 7.0, 7.1, 7.1.1 NOUGAT
That's right, the new method I discovered for bypassing FRP lock on the newest Nexus 6P updates also works for Google's newest bread and butter, the Google Pixel! The steps are almost identical to the ones used for the Nexus 6P video, though the time it takes is far less!
----YOU WILL NEED----
USB-C OTG Adapter
USB drive formatted to FAT32
Keyboard - optional, just for easier typing
The apks I use for this video can be downloaded via the following link:
This method will NOT work if you are on the latest December 5 2016 security patch unfortunately... All previous updates are supported.
STEPS TO COMPLETE
I did not make any apps used in this video, nor do I claim to. I also did not create, nor find, the dirtycow exploit nor do I claim to. The only thing I take credit for is the implementation of everything together that created the first successfully documented technique for this device.
- Start from a fresh factory restart
- Tap Vision Settings
- Enable TalkBack
- Hold both Volume buttons to enable TalkBack after the tutorial has closed and then swipe on the screen Down + Right.
- Double tap Text-to-Speech Settings then hold both Volume buttons to turn TalkBack off.
- Swipe in from the left edge to display a hidden Settings menu and tap Settings Home.
- Plug in your USB-C OTG adapter and USB drive formatted to FAT32 containing your apk files downloaded from the link above.
- Tap Storage and choose your USB.
- Copy dirtycow, gam6.apk and gam(your-android-version).apk to internal storage by tapping and holding on an item then tapping the 3 dots at the top right and selecting "Copy To" and choose the internal Download folder.
- (Optional) Install Quick-Shortcut-Maker.apk and then open the app. Scroll down to Pixel Launcher and tap to "Try" it. This will put you at the home screen which will prevent any mistakes from spitting you back out into the Setup Wizard.
- Install Terminal-Emulator.apk and then open the app.
- Type the following commands EXACTLY as I have them, one at a time, followed by Enter:
cat /sdcard/Download/dirtycow > dirtycow
cat /sdcard/Download/gam6.apk > gam6.apk
chmod 777 *
./dirtycow /system/priv-app/GoogleLoginService/GoogleLoginService.apk gam6.apk
./dirtycow /system/priv-app/GoogleLoginService/oat/arm64/GoogleLoginService.odex file
- Back out of Terminal Emulator and go back into Settings. Open up the Storage section again and install gam(your-android-version).apk
- Open up Terminal Emulator again and open up a new window. Type the following commands in EXACTLY as I have them, one at a time, followed by Enter:
./dirtycow /data/app/com.google.android.gsf.login-1/base.apk gam6.apk
./dirtycow /data/app/com.google.android.gsf.login-1/oat/arm64/base.odex file
- Back out of Terminal Emulator and open up Settings again. Scroll down and open up the Apps section.
- Scroll down and tap on com.google.android.gsf.login.
- Tap on Disable and choose Yes. THis will prompt if you'd like to uninstall the app. Choose yes, the uninstall will fail, but its okay this is what you want to happen. You'll know if you did it right because the icon for the app will change to a grayed out version.
- Back out and tap on Storage again. Navigate to the internal Download folder and install gam(your-android-version).apk again.
- Back out and open up the Apps section again. Scroll down and tap on com.google.android.gsf.login.
- Tap Disable and choose yes. This will prompt if you'd like to uninstall the app. Choose yes, this time it will fully remove the app by successfully uninstalling it.
- Back out and open up your Download folder once more. This time install gam6.apk. Congratulations, you have successfully downgraded Google Account Manager :)
- Install frp-bypass.apk and tap the 3 dots at the top right and choose web sign-in.
- Sign in with your Google Account.
- Go back into your Download folder and install gam(your-android-version).apk
- Reboot the device.
- Proceed through Setup Wizard as you would normally and instead of it showing the FRP lock screen it will say "Account Added" :)
Please keep in mind that there are MULTIPLE VERSIONS OF DIRTYCOW, download the one that is specific for your device. I have included in the drive an apk that will tell you which type of architecture your device has. Run the app, download the associated version of dirtycow, then change the name of the file once its on your device (unless you like typing really long things multiple times then hey more power to ya). Please do not ask me which one you are supposed to download and please do not comment telling me that it "doesn't work". If it didn't work then its because 1 of 3 things: you are on the December 5 2016 security patch and decided to try it anyways, you aren't using the correct version of dirtycow, or you did something wrong. The method is flawless when applied correctly, just remember that and follow as I show in the video the EXACT same process of steps, one by one, and you'll get it. I have faith in you!
For a further look into dirty-c0w I'd advise everyone to go check out dirtycow.ninja - it's the wiki/github based on the vulnerability.