martinmullins
commented
7 years ago I have also seen some other things going through aboot:
- The fastboot cmd buffer doesn't seem vulnerable
- Not 100% sure on the screen buffer and update_cmd line buffer.
- Apparently "Wifi Flash" boot mode exists.
- I can see the UART option is one of three logging facilities: RAM, UART and screen.
- Maybe the RAM logs could be extracted post boot from init-root?
- I tried increasing the log level for the screen output using a UTAG but im pretty sure the screen buffer denies a higher log level, it did stop all screen logging.
- I haven't found any kind of buffer overflow yet setting large UTAGS.
- I can mess with UTAGS that drive the default screen logs for fastboot. This is one massive buffer.
Do you think it is a stupid idea to try and modify the partitions (mainly utags so far) to cause code execution in the boot-loader?
Hey,
Great work on creating a persistent root!
I have written a way to decompile, modify and then encode utags. https://github.com/m-mullins/utags_moto I have had success in modifying a bunch of utags that aboot uses. I feel like this could be an attack vector.
The other thing I have seen is maybe we can modify the FDT (flat device tree) that aboot uses as well. Similarly to utags there is a kernel driver/library provided my motorolla.
Regards Marty.