tl;dr: Samsung is a bunch of crap company that doesn't inform their customers about serious limitations on their Wearables lineup. Great hardware, dog poo software.
So, what's this about: Samsung omits a bunch of crucial information for consumers anywhere on the Galaxy Watch product pages - at least on those for the Galaxy Watch 4, Galaxy Watch 5 or Galaxy Watch 6.
They omit on the product pages, the pages that should inform a consumer about requirements and limitations, that:
- unless you're rooted, the companion phone actually must be a phone, tablets and even phablets like the Galaxy Tab Active 3 are not supported. (If you're rooted, you can patch that away. Just follow along for the guide)
- only certain wearables support being paired to a companion phone not being a Samsung device
- rooted devices lose access to Samsung Health / Samsung Health
Elsewhere, they claim that:
- Samsung Health data is "backed by ... Knox", whose tripping (as part of rooting one's Samsung device) should lead to Samsung Health being "rendered inaccessible"
- you need a Samsung Galaxy smartphone to be able to use Samsung Health Monitor and Samsung Health sleep tracking
Note that, although I have not verified any of this for anything but the Watch 4, this is all also valid for the Fit armband, Buds/IconX earbuds and the new, rumored Galaxy Ring as they share the Manager app and its anti-tablet/modification measures as well as the Samsung Health/Health Monitor apps and their anti-rooting measures.
All of this is pure and utter bull dung, which I'll show how to bypass here if you've been foolish enough to buy a Samsung Wearable to be used on a rooted phone. Nothing that Samsung does here is necessary from a technical viewpoint, it's in my opinion a pure and simple a cash grab to prevent people only using their tablet lineup (in my case, a Samsung Galaxy Tab Active 3) as a watch controller, instead they have to buy an expensive Galaxy smartphone, and it's a massive annoyance for those who like to actually own their device (aka root them).
To follow along, you'll need:
- a macOS, Linux or Windows with WSL machine (personally, I run a MacBook Air with M2)
- VSCode and APKLab
- Android Studio, at least
adb, installed.adbmust be available on the terminal /$PATH curlavailable on the terminal /$PATH- a rooted phone, preferably some recent Samsung. Rooting must be done using Magisk, USB adb connection must work.
- the Magisk modules frida and frida-inject
fridainstalled and available on$PATH, see here. The version should match the one inmagisk-frida.- The target phone must be connected to
adb, either via USB cable or via WifiAdb.
To be able to download the APKs from Samsung (I cannot and will not provide them for copyright reasons), you will need:
- a random 16-digit hex number. This will be used as a replacement for ANDROID_ID. You can use any random generator you like, I used this online generator.
- your target device's API level. Find it out using
adb shell getprop ro.build.version.sdk. - a Samsung device name we're going to spoof. There must be an official Samsung firmware with the API level from #2 available. If you have a recent Android device, chances are you have Android 12 aka API level 31, so you can spoof
SM-G990Baka Galaxy S21 FE. For best compatibility, if it's a Samsung that's just been rooted, determine it usingadb shell getprop getprop ro.product.vendor.model. - a valid combination of MNC and MCC (country + operator, see this list and the matching Samsung CSC. Ideally, these should match your current country and provider, the CSC should be the one Samsung uses for unbranded devices in your country. If in doubt, use MCC
262(Germany), MNC01(Deutsche Telekom AG) and CSCDBT(Germany unbranded). To use the values from your device, runadb shell getprop gsm.operator.numeric, the first three digits are the MCC, the last two the MNC. For Samsung devices, to obtain the CSC, runadb shell getprop ril.matchedcsc.
Now, combine that into an URL pattern: https://vas.samsungapps.com/earth/stub/stubDownload.as?deviceId=<device name, default SM-G990B>&mcc=<MCC, default 262>&mnc=<MNC, default 01>&csc=<CSC, default DBT>&sdkVer=<Android API level, default 31>&abiType=<ABI type, either default 64 or 32>&extuk=<ANDROID_ID>&appId=<APP_ID>. If in doubt or the above was too complex, use https://vas.samsungapps.com/earth/stub/stubDownload.as?deviceId=SM-G990B&mcc=262&mnc=01&csc=DBT&sdkVer=31&abiType=64&extuk=e982a4183204d42a&appId=<APP_ID>.
The first application you install will be the Galaxy Wearable application (aka "manager"). It will walk you through pairing your Wearable with your phone via Bluetooth, onboard it to your Samsung and Google accounts which, to their credit, do not seem to be necessary for basic operation, and set up the eSIM for the LTE-capable models (Side rant: It is completely beyond me why at least the LTE capable models require a phone for operation at all. They can work perfectly fine without one.). Once the initial setup is completed, you can configure the clock faces and behavior of the wearable in this app.
Behind the scenes, the Wearable application will set up a shared user com.samsung.accessory.wmanager because that is how it communicates with the plugins, and a bunch of permissions that apps like Health and Health Monitor can use to bind to communications facilities with wearables. As part of the onboarding process, it scans for nearby Bluetooth devices and uses a rule matching engine to determine if the device is a Samsung Wearable and which communication plugin it needs to download from the Samsung app store servers. Then, as it's paired to the device, it will download and install the communication plugin and use its services to run the setup process that differs for each device generation. If it is already installed, it will not attempt to install the plugin again.
There are, at the moment, at least two companion apps: Samsung Health, an app that tracks data from the step counter, pulse/oxymeter, GPS, sleep quality and other sensors to aggregate that data, and Samsung Health Monitor that you can use to calibrate and store ECG and blood pressure sensor data.
For each of the following app ID's, take the VAS url template constructed above, replace APP_ID by the app ID (or click the link below if you're fine with German APKs and Android API level 31), open the URL, and download the link in "downloadURI":
- Galaxy Wearable: com.samsung.android.app.watchmanager
- Samsung Health: com.sec.android.app.shealth
- Samsung Health Monitor: com.samsung.android.shealthmonitor
You will also need the plugin(s) for your Wearable device(s). (For posterity: run grep WearableDeviceRule com.samsung.android.app.watchmanager/java_src/p109l3/C3483a.java on the watchmanager APK once decompiled with APKLab)
- Samsung Gear Fit Plug-in: com.samsung.android.gearfit2plugin
- Samsung Galaxy Fit Plug-in: com.samsung.android.modenplugin
- Samsung Galaxy Fit 2 Plug-in: com.samsung.android.neatplugin
- Samsung Galaxy Fit 3 Plug-in: com.samsung.android.fit3plugin
- Samsung Circle Plug-in: com.samsung.android.neckletplugin
- Samsung Gear IconX Plug-in: com.samsung.accessory.triathlonmgr
- Samsung Gear IconX (2018) Plug-in: com.samsung.accessory.beansmgr
- Samsung Galaxy Buds Plug-in: com.samsung.accessory.fridaymgr
- Samsung Galaxy Buds+ Plug-in: com.samsung.accessory.popcornmgr
- Samsung Galaxy Buds Live Plug-in: com.samsung.accessory.neobeanmgr
- Samsung Galaxy Buds Pro Plug-in: com.samsung.accessory.atticmgr
- Samsung Galaxy Buds 2 Plug-in: com.samsung.accessory.berrymgr
- Samsung Galaxy Buds 2 Pro Plug-in: com.samsung.accessory.zenithmgr
- Samsung Galaxy Buds FE Plug-in: com.samsung.accessory.pearlmgr
- Samsung Gear 1 Plug-in: com.samsung.android.gear1plugin
- Samsung Gear S Plug-in: com.samsung.android.gearoplugin
- Samsung Gear S 2 Plug-in: com.samsung.android.gear2plugin
- Samsung Watch Active Plug-in: com.samsung.android.gearpplugin
- Samsung Watch Active 2 Plug-in: com.samsung.android.gearrplugin
- Samsung Galaxy Watch Plug-in: com.samsung.android.geargplugin
- Samsung Galaxy Watch 3 Plug-in: com.samsung.android.gearnplugin
- Samsung Galaxy Watch 4 Plug-in: com.samsung.android.waterplugin
- Samsung Galaxy Watch 5 Plug-in: com.samsung.android.heartplugin
- Samsung Galaxy Watch 6 Plug-in: com.samsung.wearable.watch6plugin
- Samsung Ring Wearable Plug-in: com.samsung.android.ringplugin
Then, use adb install /path/to/app.apk on each of the APKs. You will at least need the Manager and the device plugin app - but no matter what, install the Manager app first and then the others.
The Manager application has a few safeguards hindering us from using a Wearable on tablets and rooted devices:
- The setup wizard will not offer you to pass beyond pairing if you are using a tablet, based on a check in
SetupWizardWelcomeActivity::wearableListener::onPaired:
We bypass these using the attached script com.samsung.android.app.watchmanager.js in Frida. To do this, save the script somewhere, open a Terminal in that folder, and run frida -U -l com.samsung.android.app.watchmanager.js -f com.samsung.android.app.watchmanager. That spawns the app and loops every 5ms to check if the PathClassLoader has already initialized. Upon recognizing that, it overrides Samsung's nuisance functions to always return a positive (for us) value.
Note: One might argue I should use Java.perform. However, that has proven to be a bit unreliable for frida-inject, and an issue has been filed.
Obviously, this patch requires the user to run the app in tethered mode. To bypass this, we use frida-inject:
- Place the script on the phone:
adb push com.samsung.android.app.watchmanager.js /sdcard - Obtain a root shell:
adb shell, followed bysu - Create the directory where
frida-injectexpects scripts:mkdir -p /data/misc/user/0/frida-inject - Copy the script over there:
cp /sdcard/com.samsung.android.app.watchmanager.js /data/misc/user/0/frida-inject/
Upon that, we have the most important thing done.