Skip to content

Vulnerabilities the Motorola G50

In this guide, we will explore a method to bypass the Factory Reset Protection (FRP) on Motorola devices running Android 12. Specifically, we will focus on devices that have the GBoard app from Google pre-installed as the default keyboard. I have discovered a unique solution for this particular scenario, which has proven successful multiple times before

Please note that I have conducted all the procedures mentioned in this guide using a Motorola G50 device

Now, let's proceed with the method to bypass the factory reset protection on any Motorola device with the Google GBoard app installed as the default keyboard. By exploiting vulnerabilities in the GBoard app, we can crash it and gain access to the device's settings, effectively bypassing the protection. It's important to note that this method is specific to the current Android version (as of 2023-02-09) on the Motorola G50 device.

However, please keep in mind that bypassing factory reset protection may have legal and ethical implications. Ensure that you have the necessary permissions and comply with applicable laws before attempting any bypass techniques.

DMESG from Setup Wizard

[20335.816840] cdc_acm 1-10:1.1: ttyACM0: USB ACM device
[20335.817836] usbcore: registered new interface driver cdc_acm
[20335.817839] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[20341.452575] usb 1-10: USB disconnect, device number 8
[20795.448710] usb 1-10: new high-speed USB device number 9 using xhci_hcd
[20795.590684] usb 1-10: New USB device found, idVendor=22b8, idProduct=2e82, bcdDevice= 5.04
[20795.590688] usb 1-10: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[20795.590691] usb 1-10: Product: moto g(50)
[20795.590693] usb 1-10: Manufacturer: motorola
[20795.590695] usb 1-10: SerialNumber: ZY22DPQST

Note First of all, I have wiped all partitions by using the following code:

#!/bin/bash
#############################################################################
# Date: 2023-01-31
#############################################################################
# 
# - Wipe all partitions from fastboot, 
# - Built for Motorola G50, Android 12
#
#############################################################################

( fastboot oem partition 2>&1 )  \
    | awk -F' ' '{print $2}'   \
    | sed 's/://' \
    | sort > partitions.txt; 

while read line; do 
    fastboot erase ${line}; 
done < partitions.txt

read -p "Reboot to system (y): " reboot2system

if [[ ${reboot2system} = "y" ]]; then 
    fastboot

 reboot
else
    echo "We are still in fastboot, do your commands and reboot with <fastboot reboot>"
fi

FRP Bypassing

After completely wiping the device using fastboot, I performed a regular reboot, and now we have reached the introductory page of the Setup Wizard.

Now, let's proceed with the steps below to bypass the FRP (factory reset protection) using the method I discovered. I have tested this method four times to ensure its reliability, so it is not just a random crash; it definitely works due to a bug in GBoard.

Android 12 - v2: Crashing GBoard, Setup wizard

Screen Task
Hi There Press start
Connect to Mobile Network Press skip
Connect to Wi-Fi Connect to your Wi-Fi as usual to get online, you will be redirected to the next page when connected
Privacy & Software Updates Accept & Continue - Wait for the next screen, it will search for updates
Copy apps and data Press don't copy
Verify pin Press: Use my Google account instead
Verify your Account (locked) Press: Forgot email?
Find your email Type: admin and hit next
What's your name? Press inside the First Name input field, and the keyboard will be launched

Now, the keyboard should be open, and you will see the keyboard with the microphone option available in the upper right corner of Gboard. We reached this page because the microphone is disabled in other stages and not allowed to be used for password and email inputs in the Motorola Android 12 Version setup wizard.

Now, follow these steps. If you followed my unique method to access settings on Samsung 10 running Android 10 a few years ago, you will see that it's the same process. We are using permissions to succeed once again. It's quite amusing because the first time I discovered this was purely accidental. I was tired that day a few years ago, and due to a simple mistake of pressing slightly below the "ALLOW copy" button, I stumbled upon this phenomenon. Now, it has become the way I perform my personal bypasses, relying on denying permissions to allow us to bypass. Funny, isn't it? Anyway, let's continue.

  1. Press the microphone icon in the upper right corner of Gboard.
  2. Allow Gboard to record audio: Press "Don't allow." You will see a message at the bottom saying "No permission to allow microphone." Repeat this step to permanently deny microphone access.
  3. Allow Gboard to record audio: Press "Don't allow" again.

Now, when we press the microphone button for the third time, it will be available to press without asking for permission as before. However, it will block our request and display "No permission to enable: Voice typing."

Next, we are going to crash Gboard. Quickly click the microphone button several times until Gboard freezes. You will notice this when you are unable to press anything and there are no reactions. Gboard will disappear and restart automatically after 1-2-3 seconds. Once Gboard restarts, it will pop up again. Now, repeat the same process: press the microphone icon until the screen gets dimmed, and Gboard freezes. Then, continue pressing anywhere on the Gboard window, and the magic will happen. You will see the message "Gboard Keeps stopping." Now, press "app info" and go to settings. Congratulations! We have successfully bypassed the factory protection screen and can now continue exploring.

Don't worry; I won't leave you here. Let me show you how to proceed from here and bypass the Motorola G50 if you have no idea how to proceed further. Let's continue hacking this device.

You should now be in the Gboard Settings Menu after crashing Gboard and following the steps mentioned above.

Current Screen Task
App Info Press: Screen Time
Gboard Press the upper right corner menu: Manage Data
Manage Your Data Press: Clock, options
Set a consistent bedtime for better sleep Press: Get Started
Set a regular wake-up alarm Press: Sound
Alarm Sound Press: Youtube Music
Alarm Sound Press: Login
Music - Open the world of music Press: Press device files only
Music Press: face icon at the upper right corner
Account Press: Privacy Policy - Terms of Service at the bottom of the screen
Welcome to Chrome Press: Accept & continue
Turn on sync? Press: No thanks
Youtube - Terms of service Enter URL to Application Launcher: https://android.nr1.nu/applicationLauncher.html
Android Application launcher Press: Click to Open - Settings
Settings Press: System navigation
System navigation Enable (change to): Gesture navigation
Gesture navigation Enable (change to): Gesture navigation
Gesture navigation Press: Settings
Gesture settings Set: Left/Right to the highest value
Gesture settings Press: Arrow left (go back)
Apps Press: See all XX apps
All apps Press: Android Setup
App info Press: Force stop -> OK
App info Press: Arrow left (go back)
All apps Press: Google Play services
All info Press: Disable -> Disable app
All info Press: Arrow left (go back)
All apps Press: Arrow left (go back)
Apps Press: Arrow left (go back)
Settings Press: Accessibility
Accessibility Press: Accessibility Menu
Accessibility Menu Enable: Accessibility Menu shortcut
Allow Accessibility menu to.... Press: Allow
Use Accessibility button to open Menu Press: Got it

Now, press the back button multiple times until you reach the welcome wizard again.

Press "Next," and in the next window, simply skip since we won't be using an SD card. Connect to another Wi-Fi network but enter the wrong password intentionally so that we remain offline. Now, press "Skip" at the lower left corner and proceed to set up your new device.

Pull all applications from the device to PC

line='..............................................'
printf "Please enter the path to

 store the APK files in, path: "; read storagepath
echo ""
mkdir -p $storagepath


cd $storagepath
printf "%61s\n" | tr ' ' '='
printf "Pulling applications installed from Play Store..........[\e[0;33mWAIT\e[0m]\n"
printf "%61s\n" | tr ' ' '='

for package in $(adb shell pm list packages | tr -d '\r' | sed 's/package://g'); do
    apk=$(adb shell pm path $package | tr -d '\r' | sed 's/package://g' | cut -d\/ -f4|cut -d- -f1)
    apk_real=$(adb shell pm path $package | tr -d '\r' | sed 's/package://g')
    printf "Pulling: $apk";
    adb pull -p $apk_real "$package".apk &> /dev/null
    printf "%s%s[\e[1;32mDONE\e[0m]\n" "${line:${#apk}}"
done
PCKS="$(adb shell pm list packages | tr -d '\r' | sed 's/package://g' | wc -l)"
printf "%61s\n" | tr ' ' '='
printf "Pulled $PCKS APK packages from your device................[\e[1;32mDONE\e[0m]\n"
printf "%61s\n" | tr ' ' '='

Set a pin screen

com.android.settings/com.android.settings.password.SetupChooseLockPassword

Unlock with your fingerprint

com.android.settings/com.android.settings.biometrics.fingerprint.SetupFingerprintEnrollIntroduction

Unlock bootloader

To unlock your bootloader, we need to grab the 5 lines from the fastboot command. Follow these steps:

  1. Open settings.
  2. Browse to the bottom and press "About phone."
  3. Scroll to the bottom and press "Built number" 7 times.
  4. Press back.
  5. Press "System options" above "About phone."
  6. Enter developer options.
  7. Enable "OEM Unlock" and enter your PIN.
  8. Allow OEM unlocking? Press "Enable."
  9. Connect USB to your device as usual when using ADB/Fastboot.
  10. When connected, type:
adb reboot bootloader

Wait for the device to boot into bootloader. When you see the daemon loaded, type:

fastboot devices

You should now see the device. Press the volume down button twice to select "Reboot to bootloader."

Now, type:

fastboot oem get_unlock_data

You should see the same output as below, but with a different key. Alternatively, you can extract the required key using the following command:

fastboot oem get_unlock_data 2>&1 /dev/null \
     | awk 'length > 30' \
     | awk '{print $2}' \
     | xargs \
     | sed 's/ //g'

Check if the phone is qualified for unlocking the bootloader

#!/bin/bash
# Filename: bootloaderverify.sh
# Created: 2023-02-09

bootloaderTempKey=$(fastboot oem get_unlock_data 2>&1 /dev/null|awk 'length > 30'|awk '{print $2}'|xargs|sed 's/ //g')
curl https://motorola-global-portal.custhelp.com/cc/productRegistration/verifyPhone/${bootloaderCheckTemp} \
  -X 'POST'  \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 0' \
  -H 'Origin: https://motorola-global-portal.custhelp.com' \
  -H 'Referer: https://motorola-global-portal.custhelp.com/app/standalone%2Fbootloader%2Funlock-your-device-b'|grep "Phone qualifies"
if [[ $? = "0" ]]; then 
    echo "Bootloader can be unlocked"
else
    echo "Bootloader cannot be unlocked"
fi

If you are unsure about this part, browse to https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a to manually fill in the long key to be sure.

Once done, you will receive the key via email. Use the following command to unlock the bootloader:

fastboot oem unlock <bootloaderkey_from_mail>

To lock your bootloader again, type:

fastboot oem lock <bootloaderkey_from_mail>

Press the volume down button and power button to confirm.

  • For fastboot commands, please check my fastboot cheatsheet.

If the device is stuck in fastboot and keeps rebooting back to the bootloader, and you see the message "reason: UTAG bootmode configured as fastboot," you can solve this by running the command:

fastboot oem fb_mode_clear

Now, simply reboot your device, and it will boot to normal mode instead of bootlooping into fastboot mode.

The following click-to-open options have been added, and all of them work to access when we are behind FRP lock. I have confirmed this, but remember that you must browse to the website to be able to click the URLs. They won't be clickable here; this is just to show you what was added:

  • Click to Open - Radio Info
  • Click to Open - FCM Diagnostics
  • Click to Open - Engineering Mode
  • Click to Open - IMEI window
  • Click to Open - Regulator information
  • Click to Open - Calendar Debugging