Android bootable recovery mode is a self-contained alternative boot mode that loads a tiny Linux environment onto a mobile device. While most stock devices are shipped with recoveries that fairly limited in nature, their use can be greatly extended with a little bit of effort. In this presentation, I will show you how to build your own custom recovery for your Android device. This can be used towards a number of interesting security related goals such as: penetration testing, forensics, data acquisition, bypassing security controls, modifying software, Android development and in some cases provides a direct exploitation route into a device. Using a variety of commonly available tools, attendees will learn how to deconstruct and inspect a number of different boot and recovery software implementations and rapidly begin compiling their own custom tools.
The intent is for an attendee to understand the scope and capabilities of Android bootable firmware and learn how to rapidly develop their own custom software for a variety of different purposes. Additionally, it teaches attendees how to look for flaws in bootable firmware which help undermine the security of Android devices. Security research, vulnerability testing, data acquisition and modification, bypassing security controls and platform testing are all intended goals and uses of a custom Android recovery firmware. By the end of the talk, an attendee should have acquired enough knowledge to start making useful tools for security's many needs.
1. android recovery
How To Make Android’s
Bootable Recovery
Work For You
Drew Suarez
SHAKACON 2015
2. android recovery
Nice to meet you, I’m Drew.
• Security Consultant for Matasano/NCC Group
• Focus in mobile security/research
• Built Android firmware for dozens of devices
• CyanogenMod Project / Wiki
• “Cool guy” Internet handle: utkanos
3. android recovery
What’s this all about then?
• Why do I need this?
• Bootable recovery
• Device mapping
• Firmware inspection
• Flashing your images
4. android recovery
What is Android recovery?
• Stock recovery mode:
minimal mode on Android devices that boots a
Linux environment with tools to install/recover/
repair Android
used primarily to install signed OTA updates and
reset userdata/cache
ADB (Android Debug Bridge) access (sometimes)
very limited in scope/usefulness
5. android recovery
What is Android recovery?
• Custom recoveries:
provide root access / useful binaries
allow for easy backup of essential firmware
scriptable installation of custom Android firmware
6. android recovery
Why is this significant?
• Custom recoveries provide a means to investigate,
modify and test new firmware
• Full control over device
In many cases….
7. android recovery
Why do I need this?
• Penetration testing
• Forensics or data acquisition
• Bypassing security controls
• Useful for Android testing/development
8. android recovery
Got it… so how do I make one?
• Map the device topology out in full
• Get the kernel source (or prebuilt*)
• Build Android device configuration
15. android recovery
Recovery: Parts and Structure
• Initial ramdisk/ramfs
Loads a temporary root filesystem into memory
Files needed specifically for recovery mode operation
init binary/scripts, binaries, images and firmware
Can be rebuilt or modified to include more tools and
features and extended functionality
16. android recovery
Recovery: Parts and Structure
• recovery.fstab (<=Android 4.2.2):
Maps block devices and their filesystems to mount points
Resides typically in etc/ or res/ in ramdisk
• fstab.(platform) (>=Android 4.3):
Ex: fstab.qcom, fstab.msm8974
Slightly different mapping order
18. android recovery
Device Mapping
• Stock firmware (boot or recovery)
variety of sites/places to source OEM firmware
to source
pull from a rooted device (via dd)
• Uses
troubleshooting / recon
device topology
19. android recovery
Device Mapping
• Kernel source
A must-have for initramfs style recoveries
Useful for making smaller kernels for
devices with limited recovery space
Can be modified for your specific needs
20. android recovery
Device Mapping
• /system/build.prop
Contains parameters used for setting
various different options in Android
We want the device specific board
codename information
• /proc/emmc or /proc/mtd, /proc/partitions
• /proc/config.gz and ikconfig
22. android recovery
Standard Android boot image
utkanos@leviathan /amnesiac/android/recovery/dlx $ od -c recovery.img |more
0000000 A N D R O I D ! 310 t S 0 0 200 ` 200
0000020 341 P ' 0 0 200 240 201 0 0 0 0 0 0 P 201
0000040 0 001 ` 200 0 b 0 0 0 0 0 0 0 0 0 0
0000060 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0000100 c o n s o l e = t t y H S L 0 ,
0000120 1 1 5 2 0 0 , n 8 a n d r o i
0000140 d b o o t . h a r d w a r e = d
0000160 l x u s e r _ d e b u g = 3 1
0000200 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
25. android recovery
Firmware Exploration
• Our goal is to get the ramdisk and a
working prebuilt kernel (zImage)
• The ramdisk contains init scripts, custom
scripts and binaries we want
• Very useful for finding flaws to exploit
devices
26. android recovery
Why are init scripts so important?
• Great source for bugs
symlink attacks
overly permissive permissions
debug functionality
• Contain services and their parameters
helpful for making recovery run properly
31. android recovery
What else in the ramdisk is interesting?
• watchdog daemons
• necessary kernel objects
• stand alone binaries
• special commands
32. android recovery
What if I can't figure something out?
• If lacking firmware, attempt to look at the
device by hand using adb shell
• Use output of mount to identify key
partitions
• Look at sizes in /proc/partitions and make
educated guesses for firmware locations
34. android recovery
Build a device config
• Android build system
Based on “meal ordering” concept
Each device is a unique “combo meal”
Combos can inherit from one another
We need to build a new combo!
35. android recovery
Build a device config
• CyanogenMod (or other) Android source [4]
• Linux or OSX
• All the info gathered earlier
36. android recovery
Build a device config
• Utilize the mkvendor.sh script in the
Android source
mkvendor takes 3 parameters and builds a
skeleton bare bones device config
ex: $> mkvendor.sh samsung hltetmo
recovery_hltetmo.img
37. android recovery
Build a device config
• mkvendor output is almost always
incomplete/wrong, fix it!
BoardConfig.mk
recovery.fstab/fstab.platform
device_(codename).mk
38. android recovery
BoardConfig.mk
• Contains essential information about your
device’s board, CPU, various hardware and
device specific oddities
• Requires the most modification and is
continuously evolving the further in the
process you get
• For the scope of this talk, only the bare
necessities to build a recovery are covered
40. android recovery
device_(codename).mk
• Contains instructions about what packages
to build and where to copy specific files or
properties during your build
• Use this file to insert necessary or additional
files into the ramdisk during compile time
• Essential for including OEM specific oddities,
specific binaries or scripts required for
recovery operation
41. android recovery
Build it!
• Use lunch to load in your new device combo
$> source build/envsetup.sh
$> lunch YOURDEVICE-eng
$> make recoveryimage
42. android recovery
Flash it!
• Once you’re ready to boot the recovery, use
one of the following common methods
based on your specific use case
dd (requires root, see init portion of talk )
flash_image (mtd typically)
ODIN/Heimdall (Samsung)
fastboot (various OEMs)
laf
44. android recovery
Download Mode (Samsung)
• Download Mode is a Samsung specific boot
loader interface shipped on all of their
Android devices. It requires specific naming
on images you wish to flash!
• Internally, Samsung uses a tool called ODIN
to interact with the device and flash firmware
This is a Windows only, closed source
application :(
46. android recovery
Download Mode
• ODIN requires ustar formatted tar archives
containing the firmware desired. Here’s
how to make one:
$> tar -H ustar -c recovery.img > recovery.tar
$> md5sum -t recovery.tar >> recovery.tar
$> mv recovery.tar recovery.tar.md5
47. android recovery
Download Mode (Samsung)
• Heimdall is an open source, cross-platform
tool created from reversing ODIN
• Capable of writing raw images
• More flexible and useful than ODIN
48. android recovery
Download Mode (Samsung)
• Overly permissive! Most devices allow
direct write access aside from a handful of
US carrier protected models
• Newer protections exist but are
inconsistently applied
49. android recovery
fastboot mode
• Found on Nexus, HTC, Sony and many
other OEMs.
• Great for testing an image without having
to write it to local storage (fastboot boot)
• Unlocking the bootloader to use fastboot
most often but not always erases userdata
partition!
50. android recovery
unless…
• issues with lk (little kernel) boot loader used on many devices:
“Fastboot boot command bypasses signature verification
(CVE-2014-4325)” [5]
“Incomplete signature parsing during boot image
authentication leads to signature forgery (CVE-2014-0973)” [6]
“Improper partitions bounds checking when flashing sparse
images (CVE-2015-0567)” [7]
• Download mode
• laf
• Numerous other exploits…
51. android recovery
LG’s laf/download
• Bootable partition named la found on many
LG devices (including the Nexus 5(!))
• Communication via Send_Command binary
(Windows)
ported to other platforms via python
• Root shell (backdoor)
53. android recovery
FROST / forensics [9]
• Forensic Recovery Of Scrambled Telephones is a custom
recovery (based on ClockworkMod) for retrieval of encryption
keys, PIN codes and content stored in RAM
“Cold boot” attack (uses actual freezer to slow down the
degradation of RAM content)
Rate of decay drops enough to be useful around 10 °C
• Uses aeskeyfind ‘live’ or via memory dump on PC to search for
AES keys
54. android recovery
New Protections…
• init contexts
• Protections like Knox/Secure Boot on more and
more models
• TrustZone wrapping of device key
• Increased SELinux presence and system protections
like blocking view into /dev
55. android recovery
Getting started
• Github is your friend!
• Many sites host stock firmware for Android
devices
samfirmware.com
xda-developers.com forums
56. android recovery
Getting started
• Setting up your build environment:
CyanogenMod wiki has a step by step
walkthrough and additional resources for
development and hacking
• Review links in the references section
• Stay up on Android security via droidsec
57. android recovery
References
[1] https://github.com/CyanogenMod/android_system_core/tree/cm-11.0/mkbootimg
[2] https://github.com/xiaolu/mkbootimg_tools
[3] From material Copyright 2014 Jon Sawyer - Applied Cybersecurity LLC used with kind permission
[4] https://github.com/CyanogenMod/ , https://github.com/CyanogenMod/android_bootable_recovery ,
https://github.com/TeamWin/Team-Win-Recovery-Project
[5] https://www.codeaurora.org/projects/security-advisories/fastboot-boot-command-bypasses-
signature-verification-cve-2014-4325
[6] https://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot-
image-authentication-leads-to-signature-forgery-cve-2014-0973
[7] https://www.codeaurora.org/projects/security-advisories/lk-improper-partition-bounds-checking-
when-flashing-sparse-images-cve
[8] Courtesy of Fuzion24 (@Fuzion24)
[9] https://www1.informatik.uni-erlangen.de/frost
58. android recovery
Thank you! Questions?
Drew Suarez // matasano security
@utkan0s on twitter
https://github.com/utkanos
utkanos on freenode (#droidsec)
utkanos at gmail dot com