Better Mobile App

Galaxy Tab S5e (SM-T720) - Root Instructions (Release 1.0)

This guide is based on the original PewPewK post.
Which, in turn, was inspired by TopJohnWu's 'Samsung (System-as-root)' Magisk Installation Guide
It is an extended walk through aimed at ALL users, meant specifically for the SM-T720 (Tab S5e) BUT specifically meant to:
UNLOCK THE BOOTLOADER
INTRODUCE ROOT
RESTORE STOCK/RELOCK THE BOOTLOADER
Because of the community support, the options available to you have become numerous!
So if you're looking to squeeze EVERY inch out of your tablet, search the thread for suggestions or see the links below:
Go HERE if you are interested in custom recovery (e.g., TWRP).
Go HERE if you are interested in custom ROMs or kernels.
ROOT WARNING
Introducing root and further tampering may lead to unfavorable performance and/or shortened device lifespan.
In extreme circumstances, it may render your device OR specific hardware components unstable or non-functioning.
By following this guide, you ACKNOWLEDGE these risks and release AHE_XDA, XDA and its CONTRIBUTORS of ANY and ALL responsibility.
WARRANTY WARNING
In many states, countries, provinces and territories, introducing root voids device warranty (manufacturer's and/or third-party). Please consult your regional Samsung office, place of purchase or third-party warranty company to determine if these terms are applicable to you.
ALTERNATIVES TO ROOT
If you are looking to maintain warranty and continue access to Samsung-specific features, consider disabling or uninstalling unwanted applications via the Android Debugging Bridge (ADB).
TiTiB, a genius in his own right, has a thread dedicated to the Tab S5e and bloat removal without the cost of warranty.
Visit it HERE and click 'Thanks!' if it helped.

Known Issues (January 31, 2020)
KNOWN ISSUES (January 31, 2020)
Where's Recovery?
Explanation: TWRP (custom recovery) is NOW available. Please visit TeamWin for instructions.
Workaround: Resolved as of August 6, 2019.
Magisk shows as 'Not Installed.'
Explanation: Magisk, due to the changes to the recovery partition in Android Pie & above, will not boot automatically. It requires user intervention.
Workaround: To enable root access, be prepared to hold 'Volume Up' and the 'Power' keys on EVERY BOOT or REBOOT.
WiFi stopped working after installing 'magisk_patched.tar' with Odin.
Explanation: Cause unknown as of January 31, 2020.
Workaround: In some cases, after introducing root ('magisk_patched.tar'), WiFi may stop working. If this happens, do the following:
From the app drawer, go to Settings > Connections > Wi-Fi.
Highlight and select your WiFi network.
Long press the network name and select "Forget Network".
Wait 3 to 5 seconds.
Press and click on the network in which you asked Android to forget.
Re-enter your password.
If entered correctly, WiFi will resume connectivity.
"Your phone is locked because the payment service was uninstalled."
OR
Only official released binaries are allowed to be flashed (vbmeta).
Explanation: To protect against various threats (e.g., compromised data, theft or root), Samsung, as of December 2017, introduced a series of low-level initiatives to LOCK the device should ANY part of Knox be compromised. These initiatives are frequently referred to as 'KG' (KnoxGuard) or 'RMM' (Remote Monitoring and Management).
Further details can be found HERE.
Workaround: A workaround now exists, thanks to @ianmacd, but requires TWRP to be installed followed by the Samsung multi-disabler file.
If you do NOT intend to install TWRP, precautions MUST be taken not to freeze, disable or remove the following files:
'Payment Services' (com.samsung.android.kgclient)
'KnoxGuard' (knoxguard.apk)
In most circumstances, the issue will present itself immediately after the application(s) is frozen, disabled or removed. In rare circumstances, only after a device restart.
PRO-TIP: Do NOT reboot unless absolutely necessary; opt to power down the device.
Should you encounter EITHER error, you will need to boot into 'Download Mode', revert to original factory settings and verify your Google account to avoid an FRP LOCK.
To enter 'Download Mode' and recover from the error:
Connect a USB cable to your Laptop/PC.
With power-off on the device, hold down BOTH 'Volume Up' and 'Volume Down'.
Connect the USB cable to the device, while holding down both volume keys, and press 'Power'.
If done correctly, the device will boot to 'Download Mode'.
My Streaming Service won't log me in, no longer provides HD viewing or doesn't allow offline downloads.
Explanation: Widevine is a digital rights management platform used by major streaming companies to prevent piracy.
Low-level details can be found HERE.
Workaround:
Resolved by @ianmacd and his 'liboemcrypto disabler' via Magisk Manager and/or Custom Recovery (e.g, TWRP) as of April 4, 2018.
NOTE: If you installed TWRP and flashed the Samsung multi-disabler file, this issue is resolved of as December 13, 2019.
If you do NOT intend to install TWRP, log-out and uninstall your streaming application(s). With root introduced and magisk enabled, download 'liboemcrypto' from 'Modules' within Magisk Manager. You will be asked to restart after installing the module. Do this and re-enable Magisk on boot. Sideload your streaming application(s) from a source OUTSIDE the Playstore. Log in and resume streaming.
Items are ADDED and UPDATED as they are discovered, solved or a workaround is introduced. Please message me directly if something is missing.

Requirements & Instructions
HARDWARE & SOFTWARE REQUIREMENTS
Windows Laptop/PC with more than 25GB of available storage space
SM-T720 Tablet (Galaxy Tab S5e)
Samsung USB Type-C Cable (as found in the original packaging)
WIFI connection (and if necessary, login details)
SECTION ONE - LOG-OUT & BACK-UP YOUR DATA
Log out of your Samsung and Google account(s).
Back-up ANY and ALL data as following this guide will result in COMPLETE data loss.
SECTION TWO - DOWNLOAD THE RIGHT UTILITIES
In order to root, you require several utilities.
They are as followed:
Samsung USB Drivers - Provides connectivity between Laptop/PC and your device.
7-Zip - An open-source file archiver.
Odin 3.13.1 - Used to flash original or custom Samsung firmware.
Frija - Downloads the latest available Samsung firmware.
Magisk Manager (APK) - Helps obtain/manage and extend root options. Download the latest .APK (Application Package).
Click on the UNDERLINED NAME of the above utilities to download them to your local Laptop/PC.
PRO-TIP: Create sub-directories, like pictured below, and organize your downloads accordingly:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
PRO-TIP: Consider a donation to Frija, Magisk or your favorite developers as a token of goodwill and to help ensure future development efforts.
SECTION THREE - DOWNLOAD THE RIGHT FIRMWARE
In order to root or, at a later time, return to original factory settings; you MUST have a local copy of firmware.
This requires knowing our CSC; a three letter code that Samsung devices use to comply with local telecommunication standards and determine device-specific features or updates.
To locate your CSC, perform the following:
On your device, go to 'Settings'
From 'Settings', scroll down to 'About Tablet'.
Press on 'About Tablet' followed by a press on 'Software Information'
Scroll downwards until you see 'Service Provider SW Ver.'
There are three lines.
The third line will read similar to the following:
TUR//
Those three characters (e.g., TUR) represent the CSC code for your region.
PRO-TIP: Your CSC may OR may not be the same as the example; that's expected and perfectly normal.
Open Frija, which you downloaded under 'Section One', and input your model and CSC.
Make sure 'Auto' is selected and click on 'Check Update'.
If the right values are inputted, Frija will look similar to the following:
Click on 'Download' and select a location on your Laptop/PC.
When the download is complete, Frija will verify and decrypt the firmware.
Once finished, Frija will look similar to this example:
PRO-TIP: If you can't get Frija to open or download, right click and select 'Run as administrator'.
SECTION FOUR - UNLOCK THE BOOTLOADER
THIS STEP WILL REMOVE ALL DATA FROM YOUR DEVICE. PLEASE REFER TO 'SECTION ONE' FOR MORE DETAILS.
Power off the device.
Power on your Laptop/PC and login into your Windows account.
Connect the USB cable to your Laptop/PC but NOT to your device.
On the device, hold the 'Volume Up' and 'Volume Down' keys at the SAME time.
Connect the USB Cable from your Laptop/PC to the device.
You MUST hold BOTH keys during AND after inserting the USB Cable to receive the following warning:
PRO-TIP: In SOME cases, you may also need to hold 'POWER' as well.
To continue towards unlocking your bootloader, hold the 'Volume Up' key for approximately 4 to 5 seconds (or until the screen goes black).
After 4 to 5 seconds have passed (or if the screen went black), release the 'Volume Up' key and you will be presented with one last warning:
Press and click on the 'Volume Up' key to finalize your decision.
The device will factory reset and from now on, until the bootloader is re-locked, you will receive this warning:
Leave the device to reinitialize. This will take approximately three minutes. The device will erase itself and you will notice several reboots. Afterwards the only activity you'll see is a pulsing 'SAMSUNG' logo. Eventually you will be presented with the 'Let's Go!' set-up screen. Set the device aside for now.
SECTION FIVE - INSTALLING 7-ZIP
If you correctly followed the first FOUR sections, you now have the required utilities, firmware and an unlocked bootloader.
In order to proceed, you MUST install 7-Zip to extract and manipulate key files required for root.
If you have prior experience with 7-Zip or an alternate compression manager, SKIP this step and proceed to 'SECTION SIX'.
It IS enough to double-click the EXECUTABLE and install it; you need NOT configure anything.
However, for a visual reference, follow this LINK to see 7-Zip in use.
Alternately, for technical support and assistance SPECIFIC to 7-Zip, use this LINK. Search thoroughly before posting.
SECTION SIX - EXTRACTING FIRMWARE
Like the CSC code, mentioned in 'SECTION THREE', the name of your download will differ slightly but 'SM-T720' and 'AP_T720' will be in the file name:
Using 7-Zip, you must extract the following file:
AP_T720XXU1ASF1_CL15813856_QB24038915_REV00_user_low_ship_MULTI_CERT_meta_OS9.tar.md5
From the following ZIP container:
SM-T720_1_20190603182427_gegcc1ebw1_fac.zip
Right click on your ZIP container, navigate to '7-Zip' and, from the sub-menu, select 'Extract Here'.
7-Zip will begin to decompress the necessary files and will result in the following output:
Delete ALL files except for the following:
SM-T720_1_20190603182427_gegcc1ebw1_fac.zip
AP_T720XXU1ASF1_CL15813856_QB24038915_REV00_user_low_ship_MULTI_CERT_meta_OS9.tar.md5
Rename the extension of 'AP_T720XX.....tar.md5' to 'AP_T720XX.....tar' and ignore the warning provided by Windows.
When finished, your folder contents will look similar to this:
The AP file is required for root.
PRO-TIP: Keep the ZIP container should you ever want to revert back to original factory settings. If not, delete it and download again later using Frija.
SECTION SEVEN - ENABLE WIFI, TRANSFER FILES & INSTALL MAGISK MANAGER
In 'SECTION FOUR', the device was left to reinitialize.
This means you have a device that requires set-up:
Do NOT log into your Samsung or Google account. The ONLY thing required is WIFI:
PRO-TIP: WIFI and Magisk work together to help achieve root access, provide updates and for module repository access.
Once you've arrived at the home screen, you need to enable 'Developer Options' to ensure the bootloader is unlocked.
To verify your bootloader is unlocked, perform the following:
On your device, go to 'Settings'.
From 'Settings', scroll down to 'About Tablet'.
Press on 'Software Information'.
Scroll downwards until you see 'Build Number'.
Tap 'Build Number' seven times to enable 'Developer Options'.
Press the back button on the navigation bar to return to 'Settings'.
Underneath 'About Tablet', you will now see 'Developer Options'.
Open this and locate 'OEM Unlocking'.
If you've followed the outlined steps, your screen should match this example:
PRO-TIP: If your screen does NOT match the example, it is possible you are NOT connected to WIFI or you did NOT successfully unlock the bootloader. If all these conditions are true, restart the device and check again. If the issue persists, create a NEW response in the thread.
Now connect the device to your Laptop/PC and, when prompted, 'Allow access to tablet data'.
Using Windows Explorer, copy the following files to the 'Download' folder of your device:
MagiskManager-v7.3.2.apk
AP_T720XXU1ASF1_CL15813856_QB24038915_REV00_user_low_ship_MULTI_CERT_meta_OS9.tar
Due to the size of the AP file, this may take several minutes on a low-end Laptop/PC.
Once the copy is complete, go to your device and double press on 'MagiskManager-v7.3.2.apk' to initiate the install process.
PRO-TIP: Due to changes introduced in Android Oreo, you MUST allow permission to install applications (APKs) not obtained from the PlayStore.
Click on 'Settings' to open the 'Install unknown apps' screen and toggle 'Allow from this source' on.
Press the back button on the navigation bar to allow the installation:
SECTION EIGHT - PATCH YOUR AP FILE
Open your app tray by swiping up and open Magisk Manager.
You will see a RED QUESTION MARK and the following error:
'Magisk is not installed.'
Click on 'Install' and, when prompted by Magisk, select 'Install' again:
Magisk will provide another prompt:
Choose 'Select and Patch a File' to proceed.
Magisk will now prompt for device access:
Click on 'Allow' and the internal Device File Explorer will open to the 'Recent' tab:
Click on the top app bar and select 'Downloads' to find your AP file:
And then:
Once inside the 'Downloads' folder, select your AP file to begin the flash process.
Once the flash process is complete, the status on the top title bar will change from 'Flashing' to 'Done!':
SECTION NINE - RETRIEVAL & DISSECTION
With our AP file patched by Magisk, you must now locate and transfer it back to our Laptop/PC.
If you have not already done so, reconnect the device to your Laptop/PC:
Open Windows Explorer, double-click on 'Tab S5e', double-click again on 'Tablet' and open the 'Downloads' folder:
Under 'Downloads', you will see THREE files:
AP_T720XXU1ASF1_CL15813856_QB24038915_REV00_user_low_ship_MULTI_CERT_meta_OS9.tar
magisk_patched.tar
magisk_install_log_2019-07-10T225845Z
PRO-TIP: 'magisk_install_log' is an output of the AP file patching process. If you encountered ANY errors, keep a copy and raise a question in the thread.
Delete 'AP_T720XX.....tar' and copy 'magisk_patched.tar' back to your Laptop/PC; preferably to the 'FIRMWARE' sub-directory suggested in 'SECTION TWO'.
Due to the size of the 'magisk_patched.tar' file, this may take several minutes on a low-end Laptop/PC.
Once the transfer is complete, let's make room in our 'FIRMWARE' folder by deleting the 'AP_T720XX.....tar' file.
This should leave you with TWO files:
SM-T720_1_20190603182427_gegcc1ebw1_fac.zip
magisk_patched.tar
Move OR delete the 'SM-T720.....fac.zip' container so you can focus exclusively on 'magisk_patched.tar'.
With NO files left except for 'magisk_patched.tar', you must now use 7-Zip again to extract its contents.
PRO-TIP: Refer to 'SECTION FIVE' if you need a refresher on 7-Zip.
Right-click on the 'magisk_patched.tar' container, navigate to '7-Zip' and, from the sub-menu, select 'Extract Here'.
Once all files are extracted, your output will look similar to, if NOT exactly like, this:
Now DELETE these files:
dtbo.img.lz4
magisk_patched.tar
modem.bin.lz4
persist.img.ext4.lz4
system.img.ext4.lz4
userdata.img.ext4.lz4
vendor.img.ext4.lz4
In order to have the following:
meta-data [FOLDER]
boot.img
recovery.img
vbmeta.img
If done correctly, your folder output will look like this:
SECTION TEN - CREATE YOUR TAR
In 'SECTION NINE', you organized the following list of files/folder:
meta-data [FOLDER]
boot.img
recovery.img
vbmeta.img
Using Windows Explorer, navigate to your 'Firmware' folder (or whatever location you used).
Now, using 7-Zip, you need to compress these files into a TAR container.
This means you must select ALL files.
This can be achieved by using CRTL + A on your keyboard or simply by highlighting them all with a left-click:
Right-click on the selected files, navigate to '7-Zip' and, from the sub-menu, select 'Add to archive...':
If done correctly, the following screen will present itself:
Only THREE things MUST be done to complete our TAR:
Change the filename to 'magisk_patched' WITHOUT quotations
Change the 'Archive format' to 'TAR'
Click on 'OK' to confirm your decisions and begin compression:
PRO-TIP: If, for ANY reason, you don't want to keep these files, you can select 'Delete files after compression' before clicking on 'OK'.
With this step complete, you are left with the following output:
SECTION ELEVEN - DOWNLOAD MODE
Using the 'Power' key on your device , select 'Power off':
Disconnect the USB cable or the device will switch to 'Charging Mode':
On your device, hold 'Volume Up' and 'Power' together until the 'Android Recovery' screen appears:
'VOLUME UP' will navigate upwards, 'VOLUME DOWN' will navigate downwards, and 'POWER' will highlight and confirm your choice.
PRO-TIP: You may have to press 'POWER' twice.
Highlight and select 'Reboot to bootloader' to properly put your device into 'Download Mode':
Reconnect the device back to your Laptop/PC.
SECTION TWELVE - ODIN PREPARATION AND FLASH
Now, because recovery is unavailable, you must use Odin to flash your TAR file to introduce root.
In 'SECTION TWO', you downloaded Odin and created a folder for it.
You must now go to that folder, or whatever folder you opted to use, and decompress Odin.
Right-click on the 'Odin3_v3.13.1.zip' container, navigate to '7-Zip' and, from the sub-menu, select 'Extract Here'.
This will create a sub-directory called 'Odin3_v3.13.1'.
Double-click and you will be presented with the following output:
Double-click on 'Odin3 v3.13.1.exe' to launch the application.
You will receive a prompt written in both English and Korean. Click 'OK' to close the warning.
With Odin open, locate and click on the second tab called 'Options' and uncheck 'Auto Reboot':
When you click on the 'AP' button, Windows File Explorer will automatically launch.
As per 'SECTION NINE', and using Windows File Explorer, navigate to the location you created and saved 'magisk_patched.tar'.
Double-click 'magisk_patched.tar' (or alternatively, highlight the file and select 'Open') to have it load into the AP slot:
With all these steps completed and your device connected, STOP and read below:
A green navigation bar on Odin, and a white bar on you device, will appear.
This indicates that key files are being written to your device.
Irregardless of how quick or slow the progress bar is, DO NOT disconnect the device.
The device, no matter if the flash was successful or not, will do NOTHING because you unchecked 'Auto Reboot'.
Wait for 'PASS!' to appear in Odin before you disconnect your device.
If everything was done correctly, Odin will look like this:
Your device, on the other hand, will have the following bar across its screen:
Now disconnect the device, STOP and read below until you feel comfortable enough to execute the instructions:
Hold 'Volume Down' and 'Power' until the screen goes black (also known as a 'Soft Reset').
The moment the screen goes black, continue to hold down 'Power' but QUICKLY switch so now only 'Volume Up' is being held.
Do this until you enter 'Android Recovery'.
As outlined in 'SECTION ELEVEN', use the 'Volume Keys' & 'Power' to navigate the menu.
First select 'Wipe Data/Factory Reset' and, upon completion, choose 'Reboot System Now'.
Your device will reboot several times. This is expected behavior.
If everything was done correctly, your device will reinitialize and require set-up again:
SECTION THIRTEEN - ROOT VERIFICATION
Like 'SECTION SEVEN', you need WIFI to complete set-up but mustn't log into ANY accounts.
Also, like 'SECTION SEVEN', you will need to install Magisk Manager again.
Once the first two steps are complete, power-off the device:
With the device powered off AND disconnected, hold down 'Volume Up' and 'Power' until you see the following warning:
WARNING: From now on, on EVERY BOOT or REBOOT, you MUST do this if you want Magisk enabled.
Release all keys and allow the device to boot.
Once Android is loaded, launch Magisk from your app drawer.
If you are prompted to update, do so but select 'Direct Install (Recommended)' and remember the key sequence on reboot:
Magisk Manager, if set-up properly AND with root enabled, will look like this:
Magisk Manager, if NOT set-up properly OR with root disabled, will look like this:
PRO-TIP: To further validate root, you can use an application like 'Root Checker' to verify:
You may now log into your accounts and finish configuring the device.

Recognition & Sharing Policy
RECOGNITION
This guide, and the required methods and software, would NOT be possible with the efforts of the following individuals:
@topjohnwu
@ianmacd
@LuK1337
@invmini
@CrazyApe
@eragon5779
@PewPewK
A sincere thank you for your time, hard work and, most importantly, determination to explore.
Praise and tribute is also extended to @TiTiB for his editorial skills, testing and much needed feedback.
SHARING POLICY
Do NOT reuse any part of this guide without first asking.
Do NOT reuse any part of this guide without giving credit to those in the 'RECOGNITION' header.
ALL photographs, not screenshots, are the property of myself (AHE_XDA). I spent considerable time capturing and editing each posted photograph. Therefore photographs may NOT be downloaded, copied, reproduced or used anyway without consent.
If there's something you like (styling/format/text/photographs) and want to use, ask.

Return To Stock Instructions
To return to stock and/or relock the bootloader, these are the best instructions available:
https://forum.xda-developers.com/showpost.php?p=79698366&postcount=44
They are originally intended for the Galaxy S10 series but work perfectly for the Tab S5e (SM-T720).
Full credit to @robbo1947.

Very nice how-to!!!
Would've made my first attempts much easier
I made it through the old way, getting all bits and pieces from through the other thread, this saves new comers hours of reading through all info available and getting it done at once.
---------- Post added at 07:25 PM ---------- Previous post was at 07:24 PM ----------
Side note I never used the key combo on rebooting for magisk updates or other stuff, always had root enabled afterwards.

You've done one helluva job @AHE_XDA!! I can't even imagine how long it took to put all of this together. It leaves nothing to be desired. Honestly, I've never seen such a comprehensive guide on xda before. Here's some $$$$$$$$$$ in thanks.
BTW, I'm fully up and running with Magisk and am currently freezing away many apps.

CAUTION: Be very careful when freezing anything Samsung 'billing' related.
I got a bit carried away freezing Samsung stuff and locked it up tighter than a drum.
FYI, before rooting I was disabling every Samsung app I could (including com.sec.android.app.billing) and had no problems. Root really *is* powerful.?
Anyways, if you get in to a predicament like mine and see these screens there is still hope.
Power off> Hold both VOL> Plug in PC-connected USB cable> Press PWR
Might take a few tries, but eventually you should get to DOWNLOAD screen.
Pics are in reverse order. You would see the one on the right first.

@TiTiB
I was able to reproduce your error.
I updated the 'Known Issues' to reflect this.
It is either 'Payment Services' (com.samsung.android.kgclient)' or 'KnoxGuard' (knoxguard.apk) that caused the error.
I can disable, freeze or delete 'Samsung Billing' (com.sec.android.app.billing) without issue.

Thank you for this info! It really helps in my continuing persuit to get rid of as much Samsung stuff as possible, while still retaining OneUI functionality. It gets a bit unnerving freezing stuff when you're several days in to setting up stuff. I'm going slower this time.

@AHE_XDA first of all thanks for this manual, I had never seen more comprehensive here!
Second, I had one attempt to root t725, it was 2 months ago. I done all steps, made patched AP, glashed successfully (only ap, not other 3 files). After reboot I got exactly same messages as described in upper post! Not debloat, but straight from boot with root.
I afraid, gone to download mode and flashing stock. Got it back.
Never tried again.
Have you idea what was wrong?
I want to do again, but afraid a little...
Thanks

ivanox1972 said:
@AHE_XDA first of all thanks for this manual, I had never seen more comprehensive here!
Second, I had one attempt to root t725, it was 2 months ago. I done all steps, made patched AP, glashed successfully (only ap, not other 3 files). After reboot I got exactly same messages as described in upper post! Not debloat, but straight from boot with root.
I afraid, gone to download mode and flashing stock. Got it back.
Never tried again.
Have you idea what was wrong?
I want to do again, but afraid a little...
Thanks
Click to expand...
Click to collapse
After you flash the AP file with Magisk, you don't want to re-install the entire binary with Odin.
You need to dissect its contents, re-compress it and THEN install with Odin.
Take a look at 'Section Ten' on the first page to see what I'm talking about.
Any questions, place them on thread or PM me.

AHE_XDA said:
@TiTiB
I was able to reproduce your error.
I updated the 'Known Issues' to reflect this.
It is either 'Payment Services' (com.samsung.android.kgclient)' or 'KnoxGuard' (knoxguard.apk) that caused the error.
I can disable, freeze or delete 'Samsung Billing' (com.sec.android.app.billing) without issue.
Click to expand...
Click to collapse
Check this-wtf?

TiTiB said:
Check this-wtf?
Click to expand...
Click to collapse
Yes, there is a dependency between the two. With App Inpector, you don't see 'KnoxGuard' explicitly listed but if you use something like 'Root Explorer', you'll find it.
Until we get recovery, like the other Samsung devices on Pie, we simply can't touch these files.

AHE_XDA said:
Yes, there is a dependency between the two. With App Inpector, you don't see 'KnoxGuard' explicitly listed but if you use something like 'Root Explorer', you'll find it.
Until we get recovery, like the other Samsung devices on Pie, we simply can't touch these files.
Click to expand...
Click to collapse
I use MiXplorer and have seen those while 'xploring'. Before rooting, when I was using PackageDisabler, kgclient was one of the disabled packages....uh, so my point is WTF?

@TiTiB
So to make sure we understand each other; you could disable/uninstall it through ADB but a removal of the apk froze the device (along with the error)?

Bixby Is Coming - July Update
In the next build of software for the Tab S5e (July), Bixby will be introduced and fully integrated into the system.
This means nothing for root but means you'll have more to uninstall/disable.
If you don't want or need Bixby, stay on ANY release prior to July.

AHE_XDA said:
@TiTiB
So to make sure we understand each other; you could disable/uninstall it through ADB but a removal of the apk froze the device (along with the error)?
Click to expand...
Click to collapse
I disabled kgclient using Disabler Pro app with no ill effects (before rooting). It's in my 'disabledpackages133-OK.xml', so I assume it was disabled. Perhaps the Disabler app handled it differently or something, idk.
After I rooted, while I was freezing Samsung apps using '3C Toolbox Pro', and I'm *almost* 100% certain Payment Services/kgclient was among them, the tablet locked up. AFAIK, these two actions, using these two apps is effectively the same thing, therefore the 'wtf' statement.
I am curious enough that I'm going to prepare for disaster, then mess around with this package—first, disabling it with the 'CCSWE App Manager (SAMSUNG)' app, then manipulating the package's contents (expecting disaster), then freezing it with 3C Toolbox—I MUST HAVE THE ANSWER!! (TiTiB *does* stand for Tweak it Til it Breaks, after all) ?
It wiil be an hour or two, and, of course, I'll post my results here.

@TiTiB
Whenever you disable or remove a system app without root; the application still exists on the device.
It's never truly gone.
It's only been removed from your profile; usually referred to as user 0 (current user).
A factory reset will bring that application right back.
Introduce root and now, because you have administration access over the entire device, remove the application and it's gone for good (or at least until you flash stock firmware).
Alter them at a root level, freeze/remove/disable, it's likely you're going to see the same error as before.

TiTiB said:
I disabled kgclient using Disabler Pro app with no ill effects (before rooting). It's in my 'disabledpackages133-OK.xml', so I assume it was disabled. Perhaps the Disabler app handled it differently or something, idk.
After I rooted, while I was freezing Samsung apps using '3C Toolbox Pro', and I'm *almost* 100% certain Payment Services/kgclient was among them, the tablet locked up. AFAIK, these two actions, using these two apps is effectively the same thing, therefore the 'wtf' statement.
I am curious enough that I'm going to prepare for disaster, then mess around with this package—first, disabling it with the 'CCSWE App Manager (SAMSUNG)' app, then manipulating the package's contents (expecting disaster), then freezing it with 3C Toolbox—I MUST HAVE THE ANSWER!! (TiTiB *does* stand for Tweak it Til it Breaks, after all)
It wiil be an hour or two, and, of course, I'll post my results here.
Click to expand...
Click to collapse
Sho'nuff, stay away from Samsung Payment/kgclient if rooted.

Captive Portal Mode re-activating automatically / Android10 (Samsung, others too?)

Hi there.
Problem with captive portal mode. Can't disable it, it re-enables itself after reboot.
Samsung S10+, Android 10 (BeyondROM based on Samsung Stock, magisk rooted).
I've addressed this in the BYR thread, but believe it must be Samsung specific, so hoping to reach more S users here.
Basically what I do is:
Code:
su
su
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
I then check that portal_mode is 0, check with TiBackup that the package is frozen - both OK.
Then I reboot. Afterwards portal_mode is again 1.
Doing same via adb or termux makes no difference (wouldn't have expected it to, but tried nevertheless)
I've put a little script in /data/adb/service.d/ along with the AFwall startup leak fix script. My script gets executed, but after the boot is complete, captive_mode is again 1.
From others I learned that their AOSP 10 does not suffer from this using same procedure, so it must be something particular to Samsung. Something must be resetting this during boot.
Any ideas where to start?
Edit: Additional observation: seems it re-enables itself after some time even without reboot, and / or when switching from 4G to WiFi, or when cycling wifi off/on/off.
Oh, and no, i do not want to redirect captive checks to some trusted servers. Would be an option, sure, but now that I'm in this, I wanna solve it, 'cause someone is not playing nice here

Tasker 'Secure Settings' ADB access - How 'safe' is it ??

Ok lets first explain the situation
I've been dabbling with Tasker (Paid for version)- getting some automation depending on certain situations (mainly stuff like 'If I'm @ {location} get volumes set high' or ' If Unread msg then vibrate my Amazefit bip watch' - Nothing too complicated using variables / javascript etc)
One situation I want to attempt though is 'If Gpay app is started - turn on NFC, but when I leave the app - turn NFC off'
Now I already know there are 2 'main' ways I can turn on/off NFC in Tasker.. either use 'AutoInput plugin' or use 'Secure Settings'
- I've tried with Autoinput plugin but the problem is that with the free option, you need to watch an Ad every day to use it but of course I can pay for it (its only a couple of quid)
However you can't Install it & pay for it directly from within the plugin - you need to install yet another App (AutoApps) first - & although this one is free - I just don't like adding more bloat to my phone than necessary. Adding both the plugin & this additional App adds (although only a 'minor' amount) up to 20Mb
The other method is give Tasker 'Secure settings' permission
- So I read the 'What to do to give 'Write Secure Settings Permission' to Tasker' (enable Developer mode > Usb Debugging > Install ADB on PC etc etc) & it looks simple enough,
But (a loooong time ago) I tried other 'hacks' & it ended up disastrously (probably I did something wrong with missing a step or something) & I just want to make sure that it IS as simple as it seems and also ask how safe is it
for example
* If I type in the command in ADB - could something go wrong & could it crash/brick the phone ?
* Is this permanent - ie if I turn off/on phone or if I get an OTA update & phone restarts - will it stay, or will I have to repeat the ADB command each time ?
* Will this 'break' official OTA updates (whether security &/or Android firmware) - I once did a firmware update with a step that used ADB (IIRC) & it broke something that prevented any updates from happening
- official OR manual firmware updates
Any help/advice would be appreciated

Cannon_Foddr said:
* If I type in the command in ADB - could something go wrong & could it crash/brick the phone ?
* Is this permanent - ie if I turn off/on phone or if I get an OTA update & phone restarts - will it stay, or will I have to repeat the ADB command each time ?
* Will this 'break' official OTA updates (whether security &/or Android firmware) - I once did a firmware update with a step that used ADB (IIRC) & it broke something that prevented any updates from happening
- official OR manual firmware updates
Click to expand...
Click to collapse
ADB is the door to your phone's Android. It's a tool not meant to be used by John Doe. Wrongly used you can brick your phone. Hence it's by default disabled.
1. Yes, using ADB you can render your phone absolutely useless. If you e.g. enter
Code:
adb shell rm -rf /
then phone gets totally wiped ( really all gets destroyed, it gets naked ) - you can throw it into electric waste.
2. ADB commands aren't persistent, but their results may be.
3. ADB itself breaks nothing: it's a driver installed on your computer that let you access Android's files and launch Android executables.

Thanks for the reply
I doubt I'll use THAT command.
I forgot to mention what tasker's command is
adb shell pm grant net.dinglisch.android.taskerm android.permission.WRITE_SECURE_SETTINGS
Not 100% sure about your last comment though.
ADB allows access to android files so changing android files could break things, which I'm worried about especially with OTA updates etc. (my last phone stopped getting OTA updates when I rooted it despite using official firmware)
However IF I understand the above command all this does is tell the android operating system ('android') to only give the tasker app (which 'Real' name is 'net.dinglisch.android.taskerm') the rights ('permission') to access the required settings ('WRITE_SECURE_SETTINGS') which the NFC on/off toggle is part of (settings >connected devices > connection preferences> nfc) & 'shouldn' t' affect any other files such as OTA (unless OTA is also part of secure setting?)

@Cannon_Foddr
As I can see you until now haven't understood what ADB is, how it works.
Same probably your understanding of what an OTA is.
Personally never would allow 3rd-party apps ( like Tasker ) to modify sensible system settings: Tasker isn't an open-source app, so you can't control what it does in the last run.
It's simply on you to decide whether Tasker is given that right, or not ...

Can't see why 'open-source' has to do with this
IMHO if Open-source - anyone can release similar apps with added extra hidden code that could spy's on you/steal info etc, but a 'closed sourced' app from a long running developer (tasker been around for 10yrs with over 1mil downloads) must mean people seem to trust him/them & if he was 'dodgy' surely he would've been caught out by now
Anyway the Bottom line seems to be
Safe route: pay for plugin & live with extra bloatware
Or
Risky route: give access to secure system resources, see what happens & keep fingers cross nothing does
Thanks for your replies.. I think I may have to sit down & have a long hard think which route I feel more comfortable with

I have been using Automate for about 4 months now. I granted it WRITE_SECURE_SETTINGS and I have not noticed any modifications in my system. Granted I may have not looked specifically for them but as far as braking the system or disruption of OTAs no issues so far

DennisHarrows said:
I have been using Automate for about 4 months now. I granted it WRITE_SECURE_SETTINGS and I have not noticed any modifications in my system. Granted I may have not looked specifically for them but as far as braking the system or disruption of OTAs no issues so far
Click to expand...
Click to collapse
I assume you had to do something like Taskers command then to grant the secure settings
( "adb shell pm grant net.dinglisch.android.taskerm android.permission.WRITE_SECURE_SETTINGS" )

Cannon_Foddr said:
I assume you had to do something like Taskers command then to grant the secure settings
( "adb shell pm grant net.dinglisch.android.taskerm android.permission.WRITE_SECURE_SETTINGS" )
Click to expand...
Click to collapse
Automate is straight forward, there is a toggle for "modify system settings" needed for some tasks to run and one you run the ADB command, it's done

Samsung stock to no-Google MicroG based privacy reconfigure step by step

This is Niall's guide to reconfiguring stock Samsung S10 Android 10 into a privacy focused MicroG based sytem purged of the stock spyware and annoying and useless stuff, but with the actually useful Samsung Apps such as Camera, and VoLTE remaining fully functional. Don't get me wrong here, LineageOS on the S10 is better in all ways especially in regular security updates, but the current LineageOS camera experience just can't compete with Samsung's deep integration of camera software and hardware. I therefore reluctantly offer this guide as a stopgap until LineageOS gets a better Samsung camera experience.
After completing this guide, you will have only these apps left installed visibly in the launcher:
Aurora Services and Aurora Store (to replace Play Store)
Brave privacy web browser + Bromite privacy web view
Samsung Calendar
Samsung Camera
Samsung Clock
Samsung Contacts
F-Droid
Samsung Gallery
Magisk Manager (root, customisations etc)
Google Maps (retained only due to its great usefulness for public transport)
Samsung Messages (for text messages)
microG Settings
Samsung My Files
OsmAnd (for offline navigation)
Samsung Phone
Samsung Settings
Upon each boot you can choose whether you will have root via Magisk by booting your phone with the correct buttons pressed (Volume Up + Bixby + Power, but released after the boot screen). There is no need to run with root available, per boot, unless you want it.
The principle things removed from stock are:
Samsung AR stuff
Samsung Bixby (apart from QR codes and Routines which are useful)
Google Chrome (it keeps hanging and stalling if used with MicroG, and besides it leaks your browsing habits)
Google GMail
Facebook (all traces)
Google YouTube (you ought to use NewPipe from F-Droid instead)
Samsung App store
Samsung Games home app
Microsoft OneDrive
Samsung Tips
Samsung DexOnPC (it spams you with messages)
Samsung EasySetup (also spams you with messages)
Samsung Edge Panel (the swipey translucent tab which floats above at the top right and gets in the way of taps)
Google Play Store
Google Accounts
Google Services
Samsung Launcher and its Recent Apps, replaced with custom One Plus Launcher and its Recent Apps
Note that this is NOT a deep "debloat", I only removed the bits you can see, which make themselves noticeable, or stuff known to leak your information to others. I left everything else alone, even if on most common "debloat" lists for the S10.
This guide uses Nanodroid, which has a reputation for installing lots of stuff you don't want, which puts a lot of people off using it. As of recently, Nanodroid now offers small, single purpose, packages which you individually combine to get what you want. So no more random ringtones nor backdrops being installed that you don't want!
You should be warned that this conversion leaves your device insecure. OTA updates from Samsung self disable as soon as you modify any system image, so you'll need to manually go retrieve new firmwares and repeat the below instructions (obviously flashing HOME_CSC instead of CSC to not factory reset the device) to stay secure.
Privacy achieved limitations
As with any device with a mobile (cellular) connection, as soon as you see a mobile phone (cell) signal, your position is exposed as they can track you by IMEI. Outside the EU, your historical, and sometimes current, location data is routinely sold for money by your provider to commercial third parties. Within the EU, your mobile provider is not supposed to expose your location to anyone but law enforcement without your explicit permission, but some providers are still catching up with GDPR and still relying on implicit permission buried deep inside EULA text. In any case, as soon as you see a mobile phone tower with your phone you have declared your position, and only airplane mode prevents that. This is unavoidable no matter how you configure any device capable of interacting with mobile phone masts.
Google Maps obviously leaks your location and movements to Google as soon as you open it, so you should prefer to use OsmAnd for offline maps and navigation whenever possible. Equally only Google Maps can route over public transport, knows when buses will arrive etc, so that's why I've kept it. Use judiciously!
MicroG needs to register with Google for push notifications, otherwise stuff like WhatsApp doesn't work. MicroG leaks as little information about you as it can, but ultimately Google can see from where you register including if by wifi alone, and thus determine your coarse location. You may wish to consider a VPN if you wish to obscure your physical location.
As much as you may secure your phone, individual apps you install may leak a great deal about you. For example most apps for tracking ovulation and when you have sex sell your personally identifying data and when you do it to others for money. You personally may not install such apps, but if anyone enters your private information into any phone, then your information is leaked. That information is composed into commercial databases which record everything about everyone. Is this paranoid? Note I said commercial databases. Most western governments are prohibited from mass survellience, so they simply buy the data from private firms which aggregate everything there is to know electronically about you. Amongst the many companies providing such service are Experian (you can request a dump of what they know about you, prepare to be disgusted) and Palantir (legislation hasn't caught up with them yet).
Finally, even if you are always in airplane mode, and all your friends and loved ones are as aware of personal data leakage as you are, ultimately this is a losing fight. Every time a CCTV camera facial recognises you, every time a satellite tracks your car, it's all being aggregated into databases about everyone, and more importantly, whom everyone has relations with. Even the device-less person is recorded, studied, tracked, and inferred from by algorithms. There is only so much any of us can do.
Instructions
Preparation: go find APKs for the following:
Magisk Manager. Rename it to MagiskManager.apk.
You really ought to insert a micro sd card. It makes life vastly easier when wiping the device, and this guide assumes that you have inserted one.
Make sure your bootloader is unlocked and your device has been configured to accept unofficial binaries. You can find instructions for how to do this at https://topjohnwu.github.io/Magisk/install.html#samsung-system-as-root. You will need adb shell working with your device in Developer mode.
In Odin, flash your choice of stock Android 10. Flash all parts, choosing CSC not HOME_CSC for the CSC slot in order to ensure a factory reset. Do NOT skip this complete reset to stock. Boot into stock firmware, enable wifi, and download and install any security updates available.
After updates have installed, enter Settings and MAKE SURE that OneUI is v2.5 or later. I originally wrote this guide in July 2020, but due to a showstopper bug in OneUI before v2.5 I had to sit on releasing this guide to xda-developers until September 2020 when OneUI v2.5 for S10 went public.
It will likely take multiple attempts of holding volume Up, Bixby and Power to boot into Stock Recovery, but keep at it until you get there. In Stock Recovery, reboot into bootloader mode. On Odin, flash AP slot with Ian's TWRP img + disabled vbmeta.img placed into a TAR archive using images and instructions from https://forum.xda-developers.com/ga...ecovery-twrp-3-3-0-galaxy-s10-exynos-t3924856.
Boot into TWRP recovery using Volume Up + Bixby + Power On. This may also take multiple attempts. It may be useful to know, if stuck on the first boot Samsung logo (you don't need to worry about interrupting first boot right now), that holding volume down and power button for long enough will force reboot the device.
In TWRP format data. Do NOT skip this part. This removes Samsung's encryption of the internal sdcard so you can take backups of your data etc in TWRP.
In TWRP install Ian's multidisabler zip available from https://forum.xda-developers.com/ga...ynos/g97xf-multi-disabler-encryption-t3919714. Make SURE you rename it to contain the string "_btfix" before you copy it to the sdcard by MTP (this enables the Bluetooth settings loss fix).
Put into a file called .nanodroid-setup:
Code:
nanodroid_nlpbackend=1001
nanodroid_play=21
nanodroid_gsync=0
This custom .nanodroid-setup adds the install of the radiocells location backend (this uses a downloaded on-device database of mobile phone mast ids to locate you), and prevents the install of the Google Sync Adapters which prevents Google getting your contacts list and calendar.
In TWRP mount Product, System and Vendor.
Do the following from your PC with TWRP still running:
Code:
adb shell
rm /system_root/system/app/ARZone/ARZone.apk
rm /system_root/system/app/BixbyWakeup/BixbyWakeup.apk
rm /system_root/system/app/FBAppManager_NS/FBAppManager_NS.apk
rm /system_root/system/app/Facebook_stub/Facebook_stub.apk
rm /system_root/system/app/YouTube/YouTube.apk
rm /system_root/system/priv-app/Bixby/Bixby.apk
rm /system_root/system/priv-app/BixbyAgentStub/BixbyAgentStub.apk
rm /system_root/system/priv-app/BixbyService/BixbyService.apk
rm /system_root/system/priv-app/GalaxyAppsWidget_Phone_Dream/GalaxyAppsWidget_Phone_Dream.apk
rm /system_root/system/priv-app/GalaxyApps_OPEN/GalaxyApps_OPEN.apk
rm /system_root/system/priv-app/GameHome/GameHome.apk
rm /system_root/system/priv-app/FBInstaller_NS/FBInstaller_NS.apk
rm /system_root/system/priv-app/FBServices/FBServices.apk
rm /system_root/system/priv-app/EasySetup/EasySetup.apk
rm /system_root/system/priv-app/OneDrive_Samsung_v3/OneDrive_Samsung_v3.apk
rm /system_root/system/priv-app/Tips/Tips.apk # stupid Samsung Tips popups
rm /system_root/system/priv-app/DeXonPC/DeXonPC.apk
rm /system_root/system/priv-app/CocktailBarService_v3.2/CocktailBarService_v3.2.apk # Edge panel top right floats
rm /system_root/system/app/Chrome/Chrome.apk
rm /system_root/system/app/ChromeCustomizations/ChromeCustomizations.apk
rm /system_root/system/app/Gmail2/Gmail2.apk
rm /system_root/system/app/GoogleCalendarSyncAdapter/GoogleCalendarSyncAdapter.apk
rm /system_root/system/app/GoogleContactsSyncAdapter/GoogleContactsSyncAdapter.apk
rm /system_root/system/app/GoogleLocationHistory/GoogleLocationHistory.apk
rm /system_root/system/priv-app/SetupWizard/SetupWizard.apk # Without removal never passes initial setup
rm /system_root/system/priv-app/TouchWizHome_2017/TouchWizHome_2017.apk # OneUI launcher
# Stuff replaced by MicroG
rm /system_root/system/priv-app/GmsCore/GmsCore.apk
rm /system_root/system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk
rm /system_root/system/priv-app/Phonesky/Phonesky.apk
rm /system_root/system/priv-app/Velvet/Velvet.apk
mkdir /system_root/system/app/MagiskManager
exit
adb push MagiskManager.apk /system_root/system/app/MagiskManager/
adb push .nanodroid-setup /external_sd/
All the removed apps free up enough space on the priv-app partition to install the Nanodroid apps coming next, so the above step isn't really avoidable. You also need to repeat it after any firmware upgrade.
In TWRP install exactly these individual packages from https://gitlab.com/Nanolx/NanoDroid:
NanoDroid-BromiteWebView-23.0.1.20201029.zip
NanoDroid-fdroid-23.0.1.20201029.zip
NanoDroid-microG-23.0.1.20201029.zip
NanoDroid-OsmAnd-23.0.1.20201029.zip
NanoDroid-patcher-23.0.1.20201029.zip
(Later, but not earlier, versions will probably work fine too)
Still in TWRP, install the modded One Plus Launcher from https://forum.xda-developers.com/android/apps-games/app-oneplus-launcher-4-6-4-t4140631. You will want the TWRP for ROM edition (NOT GSI!). Note that if you don't want the One Plus Launcher, and are happy with the stock Samsung launcher (which may send telemetry to Samsung), don't delete the TouchWizHome_2017 apk earlier on. If you want a different launcher altogether, be aware that you need one which specifically implements an Android 10 Recents provider. Many popular choices e.g. Nova Launcher, do not.
NOTE: There is a bug in v4.6.5 of the One Plus Launcher TWRP install script which silently fails to install anything into /system. To fix, extract the contents of the zip file. After TWRP install, remount Product, System and Vendor, then do 'adb push TWRP.ROM.OnePlus.4.6.5.RandomAJL\system /'. Then reinstall the ZIP within TWRP to set permissions.
Reboot into System. It will get stuck on the Samsung boot logo for a while, but will eventually open onto the final All Done stage of setup (we earlier removed all the earlier parts of setup). Hit Finish to reach the One Plus Launcher. Enable wifi and connect to your wifi connection.
Once into the device, open the microG settings app. Run the Self-Check, the "System grants signature spoofing" will be unticked. Tap it, grant permission. The item "Play Store (Phonesky) has correct signature" will also be unticked. Tap that, grant permission. Now the self check should report everything is working and having correct signature. Signature spoofing should be working.
Within MicroG settings, enable Google device registration, cloud messaging and safety net. If you don't enable these, any applications you install next will never receive notifications, ever. Enter location modules. Enable Deja Vu, Radiocells and Nominatim backends. The Deja Vu backend doesn't need configuring, it simply records Wifi and mobile phone mast data and your GPS location when available, and builds a database matching wifi and mast data to GPS. Next tap the Radiocells entry, then Configure, then download offline catalog now, choose your country, then choose offline mode. Now your phone can locate itself purely using an offline database of phone masts and wifi. Next tap the Nominatum entry, then Configure, then choose Nominatum API server, and then OSM.
Open OsmAnd~ the app, choose your country, and download your offline map so you can navigate without an internet connection. Open the app, ensure navigation is working.
Enable and enter Developer options in the settings, open the WebView implementation, and set it to Bromite System WebView.
You should now root your device. Copy Ian's TWRP img to the sdcard, then open Magisk Manager with a wifi connection active. Choose install. Then choose Select and Patch file. Patch Ian's TWRP img previously copied. Magisk Manager will output a root patched img into Downloads. Copy that back to the PC. Make a new TAR file of that and the vbmeta disabled image. Flash that in Odin in the AP slot. Boot the device using Volume Up + Bixby + Power, but release as soon as the bootloader warning screen appears. Go back into Magisk Manager, let it do its install and setup. If root ever appears to have got lost or isn't working, check the Magisk Manager, you probably forgot to hold the right keys during boot.
Go to https://nextdns.io/ and create yourself an account and unique id. From Aurora Store, find and install the NextDNS app. Configure the app with the id you got from your account on the website, and tell it to send your device's name. NextDNS acts as if a VPN for your Android device and thus all internet traffic routes through it, but it blackholes DNS lookup for a configurable list of items in your NextDNS account. Via this, you can block a long list of leakage of your personal information, and also optionally block ads on your device. If you log into nextdns.io from time to time, you will no doubt be fairly saddened by how much of your data is attempted to be leaked all the time.
From Aurora Store, find and install the Brave privacy web browser. As we removed Chrome due to it not working well with this modified system (it keeps stalling), you will need a new system web browser in any case and out of the box, Brave blocks all adverts and tracking. If you enter its settings, you can also disable Javascript by default (only enable it per site on a case by case basis, you can enable temporarily per site, or store an exception). Be aware that if you don't enable Brave rewards, the Brave authors silently pocket any BAT tokens your web browsing earns, so you may wish to enable Brave rewards for the very tiny income generated by your attention if you leave Brave ads disabled (it is local browser only, nothing gets enabled online, BAT tokens are conferred by crypto exchange so none of your browsing gets leaked). Personally speaking, I'm quite keen on the idea of me getting paid personally to see adverts as none of my personal browsing history leaves the Brave browser, even if it's pennies a month, so I leave that stuff turned on.
Settings
You probably want a decent set of settings rather than iterating through the Settings app. These are mine obviously, so you can skip these or not. With Developer Mode enabled, do the following:
Code:
adb shell
settings put global display_size_forced 1440,3040
settings put global navigationbar_key_order 1
settings put secure default_display_density_forced 560
settings put secure display_density_forced 560
settings put secure default_display_size_forced 1440,3040
settings put secure package_verifier_state 1
settings put secure screensaver_components
settings put secure selected_input_method_subtype 65538
settings put secure ui_night_mode 2
settings put system hdr_effect 1
settings put system display_night_theme_wallpaper 1
settings put system screen_off_timeout 300000
settings put system aod_servicebox_page_gravity 17
settings put system aod_show_state 1
settings put system aod_tap_to_show_mode 0
settings put system display_night_theme 1
settings put system hearing_diagnosis 1
settings put system hearing_direction 0
settings put system hearing_musiccheck 0
settings put system hearing_parameters 5,5,5,5,5,5,5,5,5,5,5,5
settings put system hearing_revision 0
settings put system hearing_videocheck 0
settings put system lock_clock_adaptive_colors 'fffaeecd;ffd9faeb;fffae7b4;ffc0fae0'
settings put system qs_detail_content_primary_text_color -2500135
settings put system qs_detail_content_secondary_text_color -1710619
settings put system remote_control 0
This is mainly how I like my settings. I want the actual resolution of my fancy device, not some subset (why bother buying a device with better otherwise?). I want dark theming to take advantage of power saving in my fancy AMOLED screen.
Swype keyboard
Enter Settings, General Management, Language and input, On-screen keyboard, then Samsung Keyboard, and then Swipe, Keyboard swipe controls. Enable Swipe to type.
Firmware upgrades
To apply future firmware upgrades, you will need to acquire the latest Samsung firmware for your device from a reputable source. You almost certainly want to take a full backup in Titanium Backup, and copy that backup onto an external sd card to be safe. During flashing in Odin, flash the HOME_CSC, not the CSC, image into the CSC slot. This should preserve all your settings and installed applications. Disable auto rebooting in the Odin options. Then when the flash is done, manually reboot into stock recovery, then back into Download, then flash the root modded Ian's TWRP recovery you made earlier into the AP slot. Reboot into TWRP, and repeat all the steps above.
If you do it right, you'll reboot into your device just as you left it, just with all the components upgraded to latest. If you screwed up, that Titanium Backup you made will be very useful.
Not that I'd recommend running out of date firmware images, but I would say that by far the most common upgrade you'll need to do is latest MicroG because Google bumped the minimum version of Play Services its apps will accept, so for example Google Maps will barf about Play Services being too old. There is a very simple fix for this: don't upgrade Google apps! An older Google Maps works just fine even if it's many months old.
Credits
What this guide achieves wouldn't have been possible without the following hard work from many people creating the components I have reused:
topjohnwu
ianmacd
Christopher Roy Bratusek
RandomAJL
mar-v-in
Whomever makes available Samsung Odin and the other stuff which makes LineageOS and AOSP become ever better for the S10 devices.

Changelog:
15th Nov 2020: Lots of improvements after a month of testing as a daily driver:
Replace Chrome browser with Brave browser to fix browsing hangs, and reduce browsing habits leakage.
Remove GMail as well, stop Google getting more of your info.
Remove Samsung Edge panel, which I had previously missed.
Use latest NanoDroid.
Add paragraph on how to upgrade this with new Samsung firmware releases.
12th Oct 2020: Replaced NextDNS instructions as .xapk's can't be adb installed, and installing from Aurora Store is better anyway.
10th Oct 2020: First release to xda.

Looks like a fantastic guide, thank you!

It's for S10E to?
Sent from my [device_name] using XDA-Developers Legacy app

[email protected] said:
It's for S10E to?
Click to expand...
Click to collapse
I've only tested it on a S10, but because we begin from stock, and the stock Samsung Android 10 images are all basically the same (at least at the level we're working with), the guide should be widely portable to most of the current generation of Samsung Android 10 devices.

How To Guide Dark room (i.e. icebox for bloatware)

Xiaomi, while way better than Huawei in terms of bootloader unlock support etc, still has an issue of bloatware. This is where Dark room comes in. It is a simple app that can run in various modes to disable apps that refuse to be disabled. This would be a nice GUI to disable apps. No more finding package names and uninstalling from adb!
Requirements: another computer or terminal emulator with adb
icebox app:https://www.coolapk.com/apk/web1n.stopapp
You DO NOT need to unlock your bootloader. This can all be done from adb. Just enable it in developer settings.
It supports multiple modes, including shizuku mode.
Be aware that while using device owner mode means it survives restarts, you would have to log out of all accounts on the device including the Xiaomi account, and other users (also called second space) will be deleted. You would have to log back in manually. The app developer has also included a support page for a GUI application which can set device owner (basically it inputs adb commands that delete accounts and then sets device owner)
https://stopapp.https.gs/nonroot.html
Bugs: DO NOT disable critical system apps. You will end up soft bricking your device. System reset is your only option now.