Devices with Qualcomm chipsets have a Primary Bootloader (PBL) which normally boots the Android system, but which also houses an alternative boot mode known as EDL mode. EDL mode is Qualcomm’s Emergency Download Mode and allows an Original Equipment Manufacturer (OEM) to force-flash software onto a device. The PBL is read-only and cannot be modified, and EDL mode has full control over the device’s storage. Many OEMs, including OnePlus and Xiaomi, have released tools (known as programmers) which use EDL mode and a protocol known as Firehose to unbrick a device, while similar tools from companies such as Nokia have leaked. Firehose offers a number of commands to flash devices, along with the ability to examine the data within a device’s memory. Security researchers Roee Hay (@roeehay) and Noam Hadad from Aleph Research have discovered critical device vulnerabilities using this mode, which effectively grant an attacker full device access.
It’s important to note that this exploit requires physical access to the device, but it’s still incredibly dangerous and likely cannot be patched. The attackers utilized the level of access granted to the EDL mode to bypass secure-boot on a Nokia 6, defeating the chain of trust and gaining full code execution across every part of the boot sequence including the Android OS itself. It is theorized to work the same way on other devices, and the researchers also managed to unlock and root multiple Xiaomi devices without any data loss.
What devices are affected by this exploit?
The researchers list the following devices as affected (device codenames in parentheses where given).
- LG G4
- Nokia 6 (d1c)
- Nokia 5
- Nexus 6 (shamu)
- Nexus 6P (angler)
- Moto G4 Plus
- OnePlus 5 (cheeseburger)
- OnePlus 3T
- OnePlus 3
- OnePlus 2
- OnePlus X
- OnePlus One
- ZTE Axon 7
- ZUK Z1
- ZUK Z2
- Xiaomi Note 5A (ugglite)
- Xiaomi Note 5 Prime (ugg)
- Xiaomi Note 4 (mido)
- Xiaomi Note 3 (jason)
- Xiaomi Note 2 (scorpion)
- Xiaomi Mix (lithium)
- Xiaomi Mix 2 (chiron)
- Xiaomi Mi 6 (sagit)
- Xiaomi Mi 5s (capricorn)
- Xiaomi Mi 5s Plus (natrium)
- Xiaomi Mi 5x (tiffany)
- Xiaomi Mi 5 (gemini)
- Xiaomi Mi 3 (cancro)
- Xiaomi Mi A1 (tissot)
- Xiaomi Mi Max2 (oxygen)
- Xiaomi Redmi Note 3 (kenzo)
- Xiaomi Redmi 5A (riva)
- Xiaomi Redmi 4A (rosy)
Exploiting an Android Phone
The Boot Sequence of a Typical Android Qualcomm Phone
It is important to first understand the boot sequence of a typical Android device before explaining how it can be exploited. The Software Bootloader (SBL) is a digitally signed bootloader which is checked for authenticity before being loaded into imem, a fast on-chip memory used for debugging and DMA (direct memory access) transactions that is proprietary to Qualcomm chipsets.
Some devices have an eXtensible Bootloader (XBL) instead of an SBL, but the boot process is essentially the same. The SBL or XBL then launches ABOOT, which implements fastboot. Following this, TrustZone (hardware-based security) is also loaded. TrustZone checks the authenticity of ABOOT against a hardware-based root certificate. The SBL (or XBL, in some cases) is designed to reject an incorrectly signed (or unsigned) ABOOT.
Once authenticated, ABOOT in turn checks the boot and recovery partitions (/boot and /recovery) for authenticity before launching the Linux kernel. Some system preparations are done, and then code execution is transferred over to the kernel. ABOOT is commonly known as the “Android Bootloader,” and when we unlock the bootloader of a device, we are disabling this authenticity check in ABOOT.
Accessing EDL Mode
While some devices have a simple hardware combination (or worse, a simple proprietary fastboot command present in many Xiaomi devices), others, such as Nokia devices, need to short pins known as “test points” present on the device’s main board. It also used to be possible, before the December 2017 security patch, to simply run “adb reboot edl” on many devices (including the Nexus 6 and 6P) and enter EDL mode. This has since been fixed.
Other devices can also use what’s known as a “deep flash” cable, which is a special cable with certain pins shorted to tell the system to instead boot into EDL mode. Old Xiaomi devices can utilize this method, along with the Nokia 5 and Nokia 6. Other devices will also boot into EDL mode when they fail to verify the SBL.
Utilizing EDL Mode to Gain Full Access on a OnePlus 3/3T
EDL mode can be used in a number of ways on a device, mostly for unbricking devices by force-flashing them. As explained above, it should in theory be safe for anybody to access this mode, since the worst-case scenario is that ABOOT will reject software that isn’t officially signed by the manufacturer. While this is true, it is nonetheless possible to gain complete control over a OnePlus 3 or 3T and its files, as the researchers showed in a proof-of-concept exploit.
This is done through two very dangerous commands which OnePlus left accessible in an older version of ABOOT (the Android bootloader): one unlocks the device’s bootloader (without the warning normally shown to the user on boot) and the other disables dm_verity. dm_verity is part of Android’s verified boot and protects the integrity of the boot-up sequence. The two commands are as follows.
fastboot oem disable_dm_verity
fastboot oem 4F500301/2
The four-step process below uses the Firehose protocol.
- First, boot the device into EDL mode. This can be done either through adb on OxygenOS 5.0 or lower, or by using a simple hardware key combination.
- Download an old system image (below OxygenOS 4.0.2).
- Flash aboot.bin through Firehose (remember that aboot.bin implements fastboot, as mentioned earlier).
- Secure boot can now be disabled and the bootloader unlocked without wiping the device, simply by using the two fastboot commands above.
As you may remember, OnePlus was found nearly a year ago to have left two dangerous fastboot commands in place, one which unlocked the bootloader and one which disabled secure boot. While it’s true that an attacker cannot install malicious software on the device directly, they can downgrade the device to older software that is vulnerable to attack. Simply by running the above fastboot commands, an attacker then has full access to the device.
And that’s it: the bootloader is unlocked, secure boot is switched off and there is absolutely no data loss. If an attacker wished to take this a step further, they could flash a malicious custom kernel which enables root access to the device without the user ever knowing.
Firehose is reached through the Qualcomm Sahara protocol, which accepts an OEM-signed programmer; this is how the above attack would be carried out. Once loaded, the programmer acts as an SBL over USB. Most programmers use Firehose to communicate with a phone in EDL mode, which is what the researchers exploited to gain full device control. The researchers also used this to unlock a Xiaomi device simply by flashing a modified image which unlocked the bootloader. They then flashed a custom kernel which gave root access and set SELinux to permissive mode, and also extracted the encrypted userdata image from the device.
It is unknown why OEMs release these programmers from Qualcomm. The Nokia, LG, Motorola, and Google programmers leaked rather than being released, yet the researchers managed to break the entire chain of trust on the Nokia 6 and gain full device access through similar methods of exploitation. They are confident the attack can be ported to any device which supports these programmers. Where possible, OEMs should make use of hardware qFuses, which prevent software rollbacks: the fuses blow when the device is rolled back, and the device can then warn the user that this has taken place. Those interested can take a look at the full research paper below, and can read the full Nokia exploitation too.
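To make the mitigation concrete, here is an added Python simulation (not code from Aleph Research or any OEM) of one link in the chain of trust described above: the signature check alone stops an unsigned ABOOT, but only a simulated qFuse rollback counter stops the validly signed but older ABOOT that the OnePlus 3/3T downgrade relies on. The HMAC key, image payloads and version numbers are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the OEM signing key. A real SoC checks an asymmetric
# signature against a key hash fused into the chip; an HMAC is used here only so
# the example runs with the standard library.
OEM_KEY = b"constructed-oem-signing-key"

@dataclass(frozen=True)
class BootImage:
    name: str         # stage name, e.g. "aboot"
    version: int      # security version number inside the signed header
    payload: bytes
    signature: bytes

def _signed_bytes(name: str, version: int, payload: bytes) -> bytes:
    # The version sits under the signature, so an old image cannot be relabelled.
    return name.encode() + version.to_bytes(4, "big") + payload

def oem_sign(name: str, version: int, payload: bytes) -> BootImage:
    """Simulates the OEM release process producing a signed image."""
    mac = hmac.new(OEM_KEY, _signed_bytes(name, version, payload), hashlib.sha256)
    return BootImage(name, version, payload, mac.digest())

class BootStage:
    """One link of the chain, e.g. the SBL deciding whether to run ABOOT."""
    def __init__(self, fused_min_version: int, enforce_rollback: bool):
        self.fused_min_version = fused_min_version  # simulated qFuse counter
        self.enforce_rollback = enforce_rollback

    def verify(self, img: BootImage) -> str:
        mac = hmac.new(OEM_KEY, _signed_bytes(img.name, img.version, img.payload),
                       hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), img.signature):
            return "rejected: bad signature"
        if self.enforce_rollback and img.version < self.fused_min_version:
            return "rejected: rollback"
        # Fuses only move forward, so a later downgrade is still refused.
        self.fused_min_version = max(self.fused_min_version, img.version)
        return "ok"

def run_scenario() -> dict:
    # Constructed images: a current ABOOT, an old but validly signed one, a forgery.
    current = oem_sign("aboot", 5, b"aboot with the two oem commands removed")
    old = oem_sign("aboot", 2, b"old aboot still exposing the two oem commands")
    forged = BootImage("aboot", 9, b"unsigned custom aboot", b"\x00" * 32)
    no_fuse = BootStage(fused_min_version=5, enforce_rollback=False)
    fused = BootStage(fused_min_version=5, enforce_rollback=True)
    return {
        "forged": no_fuse.verify(forged),                   # stopped by signature alone
        "old_without_rollback_check": no_fuse.verify(old),  # the OnePlus 3/3T downgrade
        "old_with_rollback_check": fused.verify(old),
        "current_with_rollback_check": fused.verify(current),
    }
```

The second result is the whole problem: an old ABOOT passes every signature check because it is genuinely OEM-signed, so only a monotonic version counter the bootloader must honour can refuse it.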
Source: Aleph Research
Remember the OnePlus One? Chances are, anyone who owned the phone remembers it fondly for a number of reasons (if you need a refresher, check out my OnePlus One review).
In 2015, flagship smartphones started around $600, much like today. Samsung had just released the Galaxy S5, a premium device with what many considered to be a less than premium design and overall experience.
Seemingly out of nowhere, OnePlus burst onto the scene. It stirred up a lot of news after many of its members broke off from a big Chinese manufacturer, Oppo, to form the young company. That notoriety, and an aggressive guerrilla marketing campaign, brought the company a ton of eyeballs when it announced a device it called the ‘flagship killer’.
The OnePlus One ticked a lot of ‘flagship’ boxes. It had a Snapdragon 801 SoC, a high quality display, an above average battery, and an accessible version of Android. OnePlus managed to go above and beyond with a larger storage option and an extra gigabyte of RAM than its biggest Android competitor: the Galaxy S5. If a company that no one had ever heard of could out-spec Samsung for less money, it was worth paying attention to.
The phone had a fairly unique design too. Baby Skin white (which is still a weird name), Sandstone Black and replacement shells added even more uniqueness and gave the phone a measure of personalization. It wasn’t without its issues, like the beleaguered invite system, but it was clear how much people wanted this phone once it was revealed it didn’t also have a premium price.
The base model cost $299, with the 64 GB storage option priced at $349. Normally these kinds of prices meant getting something closer to a feature handset than a flagship. It meant users who were okay with sacrificing some of the more specialty features that Samsung or LG phones included could get a premium experience at almost half the price.
Don’t forget that the phone got cut down another $50 too, making it one of the most affordable flagship phones of all time.
So, why are we bringing this up? With the recent leak of a new OnePlus device, we wanted to look back at the company’s original flagship and see where it came from. Also, a couple of pieces came out on Android Authority recently which dive into a problem OnePlus tried to address back in 2015 with the One: rising smartphone prices.
The average smartphone price has gone up by 7% in the past year. That doesn’t sound like a lot, but remember the ‘average’ price is lowered by the midrange and the lower end markets. In just the flagship market, we’ve seen prices get close to (or even surpass) the $1000 mark with phones like the iPhone X and Samsung Galaxy Note 8. While it can be argued from both of those companies that there are additional features which justify the prices, it’s still a lot of money.
Robert Triggs posits that these high prices are one way for companies to create the premium mindset; that people perceive a really high price tag as an obvious indicator of the phone’s continued evolution. While there might be a lot of different opinions on this notion, it’s hard to argue with when phones like the Pixel 2 XL continue to sell out despite their price. Users demand the best, and some are okay with inflated prices to feel like they’ve got it, justified or not.
The OnePlus One sat in defiance of that notion: it provided a similar flagship experience to everyone at an affordable price. Though it definitely wasn’t the absolute best overall phone (for example, the camera could have used a bit of work), it was easy to excuse some of the issues because of its value for money.
Hardly any phones that came after it had the appeal of the One, because even OnePlus had to start raising its prices, perhaps to cover production costs or just to keep up with consumer perceptions of “advancement”. Now the company that made its bones by bucking the trend of expensive phones increasingly seems to be adopting the “if you can’t beat ’em, join ’em” mantra. OnePlus certainly never killed any flagships, and the company may become exactly what it once fought.
$1000 smartphones can be a troubling idea, one that has already become reality a few times this year. And with the rising price of even mid-range devices, it is admittedly tough to see even Android One phones fail to get below $350. Android One, remember, is a line of smartphones that is supposed to have the most minimal version of Android combined with basic hardware to deliver a reliable daily experience, albeit with managed expectations.
We’ve seen one intriguing offering from Xiaomi, and one somewhat questionably priced offering from Motorola in the Moto X4. HTC now has an Android One version of the U11 Life too. But are the days of low-priced flagship killers over?
It might not happen for even a couple of years, but eventually we will be due for another shake up. The upcoming release from OnePlus may not be it – that ship seems to have sailed already – but maybe one day the company can recapture the hype that an affordable flagship like the One received. Or maybe that task will fall to someone else.
While the OnePlus One was far from perfect it served its purpose. It let customers know there were solid alternatives to just spending more money. It reminded OEMs that there was an underserved clientele they were ignoring. The OnePlus One may even have been a catalyst for the steady improvement of cheaper phones since its debut, though we haven’t seen a device since that shares the idea of the One so purely. Consumers still want good cheap phones, it’s just a matter of who’s willing to step up to the plate and provide them.
If you were a previous OnePlus One owner, you may look back with some fond memories on the phone that you patiently (or impatiently) waited for an invite to purchase. After this year’s slew of very expensive devices, we don’t blame you.
The OnePlus One will always be remembered as controversy’s love child; the device that pushed OnePlus into the headlines for quite a few reasons and not all of them were positive either. But despite all the questionable tactics of the past, there is no denying that the One was a legendary device. Because of its fairly open hardware, its $299 starting price in 2014 and some beastly specifications that punched above the price at the time, the OnePlus One quickly became an enthusiast’s choice when looking for a device with great value.
Just as we have predicted time and time again, the OnePlus One continues to be a flashaholic’s best friend multiple years later, and has received its first builds of unofficial AOSP based on Android 8.0 Oreo. This experimental build comes to us courtesy of XDA Senior Member Agent_fabulous and team, and offers users of the aged device a chance to try out the latest Android version available right now.
The working feature list for the ROM includes key functionality like WiFi, Bluetooth, RIL, audio and video playback, NFC and more. But because of its early and experimental nature, a few key aspects like the camera and camcorder are disabled while others like the graphics and 3D rendering are considered a work-in-progress. There’s also an issue with AOSP and its support for hardware navigation keys, because of which both the on-screen navigation bar and the hardware keys are enabled.
The ROM is fairly stable for an early build, but many would agree that it is not exactly something one would recommend using as a daily driver on the OnePlus One/bacon in its current state. That, however, does not take away from the fact that you can enjoy the sweetest Android dessert right now on the flagship killer of 2014.
Do you still use the OnePlus One as your daily driver? Have you tried out Android Oreo on your OnePlus One? Let us know in the comments below!
Unofficial AOSP Oreo Builds for the OnePlus One
The OnePlus One is a classic. While the phone has not reached the levels of community excellence that vintage devices like the HTC HD2 did, it is seemingly on track to accomplish that status. The OnePlus One is among the few modern Android devices that balance specifications with a very strong developer community presence that refuses to let the phone die.
If you are still rocking the OnePlus One in 2017 and rely on the community work to run your phone, there’s some good news coming your way. XDA Recognized Developer Sultanxda has finally updated his unofficial LineageOS ROM to Android 7.1 Nougat.
Sultanxda is recognized as one of the pioneers of development on the OnePlus One, and is especially credited with unleashing the latent camera capabilities of the device. His work began with unlocking 1080p video recording on the front camera of the OnePlus One, and then moving it up to 1440p. He also brought 4K video recording capabilities to the device on OxygenOS. Sultanxda’s work is therefore well respected in the OnePlus community on XDA and outside it too.
Sultanxda’s unofficial LineageOS 14.1 based on Android 7.1.2 Nougat features his custom kernel and camera HAL, similar to previous iterations of his ROM. This allows the OnePlus One to record slow-mo videos as well as timelapses at 1080p 60fps. There’s also 4K video recording capabilities in his ROM. The ROM does feature OxygenOS’s camera libraries with 4K camcorder support through his custom HAL, as this fixes a few issues with Cyanogen/Lineage’s camera libraries.
Since this is the first release, there is no OMS support yet in the ROM as implied in the thread.
For downloads, installation instructions and more information on the features, head on over to the Unofficial LineageOS 14.1 forum thread.
Have you flashed the ROM on your OnePlus One? Have you tried any of Sultanxda’s work in the past? Let us know your experiences in the comments below!