I’ve been wondering about which level of trust I can apply to a used phone bought from someone else. I can easily unlock the bootloader and flash a brand new Android. However, what about firmware customizations? What if there is something bad that runs before Android boots?
I’m not talking about something that the manufacturer plants in the phone, but something that the user or malware might have done.
It’s more a question of how easy it is to run things on Android beyond the flashed image. Can anyone do it with basic tools, or is this something hard, exploit-related that might be possible on some specific brand?
If the bootloader is locked, all android partitions are verified by android verified boot (AVB) and android bootloader (ABL) is verified by secure boot which is enforced by chipmaker in production SoCs. Devices with Qualcomm Snapdragon SoCs, Qualcomm's Primary Bootloader (PBL) of SoC verifies Xtended Bootloader (XBL), XBL verifies ABL and ABL enforces AVB.
To break this chain of trust, the attacker can exploit a vulnerability somewhere in the chain to bypass signature verification. One can also tamper with PBL on board. While modifying it may be considered feasible in theory, it is not scalable. PBL is burned on CPU die and its public key is stored in eFUSE which make it tamper resistant. Android has infamous fragmentation problem, most android devices never receive timely updates and new vulnerabilities remain unpatched. Some of the critical vulnerabilities in chipmakers' bootloader and android bootloader were found in the past which could be used for persistent malware and bypass of secure boot and AVB.
If your device's bootloader is locked and has been factory reset then it is running stock image otherwise the device would brick on first boot. The device can also run with custom root of trust where AVB key is user generated. This allows user to make its own modifications and re-sign images to enforce custom AVB. You can see the verified boot state of the device in bootloader mode.
Verified | SelfSigned | Unverified | Failed
Answered by defalt on February 21, 2021
Get help from others!