The adversary can change the
androidboot.mode kernel command line argument which eventually causes Android to enable hidden USB interfaces with extra functionality.
It turns out that under the Nexus 6P/6 device’s fastboot UI (which an unauthenticated physical attacker can boot into), two proprietary
menu items exist. These menu items instruct, even on a locked bootloader, to change the androidboot.mode argument to either bp-tools or hw/mot-factory. An attacker with ADB access, such as PC malware or a malicious charger connected to an ADB-enabled device, can also change the
bootmode permanently, by issuing the following commands:
adb reboot bootloader fastboot oem config bootmode bp-tools (N6) fastboot oem bp-tools-on (N6, option 2) fastboot oem enable-bp-tools (N6P) fastboot reboot
Similarly, in order to boot with hw/mot-factory, the attacker can issue:
adb reboot bootloader fastboot oem config bootmode factory (N6) fastboot oem enable-hw-factory (N6P) fastboot reboot