Skip to content
/ fuzzboot Public
forked from alephsecurity/abootool

Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge

License

MIT license
14 stars 57 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

evilpan/fuzzboot

BranchesTags
 
 

Repository files navigation

fuzzboot

Simple fuzzer for discovering hidden fastboot gems.

Forked from abootool By Roee Hay / Aleph Research, HCL Technologies

Modus Operandi: Based on static knowledge (strings fetched from available bootloader images), dynamically fuzz for hidden fastboot OEM commands.

Appears in the USENIX WOOT '17 paper: fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations (USENIX WOOT '17)

demo

Usage

  1. Download your favourite OTAs/Factory images and populate with fuzzboot.py -a <dir>. fuzzboot.py -l will then show you the populated images.
  2. Hook your device to the nearest USB port and run fuzzboot.py. It will try to automatically discover the product or OEM. If it fails, it will fuzz the device with all of the available strings. One can force a specific OEM using -e <oem> parameter. When it finishes, the tool prints the discovered positive commands (including ones whose response is a fastboot failure), discovered restricted commands, commands which timed-out, and commands which have triggered various errors.

See fuzzboot.cfg and fuzzboot.py -h for advanced usage.

Explanation of progress bar:

[####......] [012923/030245/+01/R02/T01/E02] [CMD: foobar] [LAST: fdsaf]
  |             |      |    |   |    |   |        |         |
  |             |      |    |   |    |   |        |         `-> Last non-neg CMD
  |             |      |    |   |    |   |        `-----------> Last CMD
  |             |      |    |   |    |   `--------------------> # of CMDs that caused USB errors
  |             |      |    |   |    `------------------------> # of CMDs that caused timeouts
  |             |      |    |   `-----------------------------> # of restricted CMDs
  |             |      |    `---------------------------------> # of positive CMDs
  |             |      `--------------------------------------> Total # of CMDs
  |             `---------------------------------------------> # of tested CMDS
  `-----------------------------------------------------------> % completed

Dependencies

  1. python-adb
  2. android-sdk-tools
  3. Boot.img tools (only required for populating fugu images)

Tips

  1. ADB-authorize your device for automatic-recovery from fastboot reboots.
  2. If you had populated many images, running with -g would improve loading times.
  3. If the device hangs, do not reset fuzzboot, but rather reboot the device (into fastboot). fuzzboot will then proceed automatically.

Tested on

Host environment:

  • Ubuntu 17.04 zesty
  • macOS Mojave 10.14.5

Example

Add device from image file:

$ ./fuzzboot.py add -p ./runtime/aboot.img --raw
INFO: Welcome to fuzzboot
INFO: ./data/unknown-unknown-unknown.json (2600)

About

Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge

Topics

android bootloader fastboot fuzz

Resources

Readme

License

MIT license
Activity

Stars

14 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%