By Roee Hay / Aleph Research, HCL Technologies
Simple fuzzer for discovering hidden fastboot gems.
Modus operandi: based on static knowledge (strings fetched from available bootloader images), dynamically fuzz the attached device for hidden fastboot OEM commands.
Appears in the USENIX WOOT '17 paper: fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations.
Usage
- Download your favourite OTAs/factory images and populate with `abootool.py -a <dir>`. `abootool.py -l` will then show you the populated images.
- Hook your device to the nearest USB port and run `abootool.py`. It will try to automatically discover the product or OEM. If it fails, it will fuzz the device with all of the available strings. One can force a specific OEM using the `-e <oem>` parameter. When it finishes, the tool prints the discovered positive commands (including ones whose response is a fastboot failure), discovered restricted commands, commands which timed out, and commands which triggered various errors.

See `abootool.cfg` and `abootool.py -h` for advanced usage.
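The two halves of the approach described above, string harvesting from a bootloader image followed by a fuzz loop over `fastboot oem <cmd>`, as an added example. This is not abootool's own code: the response-classification heuristics (which strings mean "unknown command" versus "restricted"), the `SAMPLE_ABOOT` blob and the `FAKE_DEVICE` outputs are all constructed here for an offline run; `real_fastboot` is the only piece that talks to hardware and is what you would pass to `fuzz` on a real device.

```python
"""Added example, not abootool's code: harvest candidate OEM command names from a
bootloader image, then fuzz them through `fastboot oem <cmd>` and bucket the
responses the way the README describes (positive, restricted, timeout, error),
plus an "unknown" bucket of my own for commands the bootloader rejected by name."""
import re
import subprocess
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for an aboot image: command names embedded among binary data.
SAMPLE_ABOOT = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 8
    + b"unlock\x00\xff\x10device-info\x00"
    + b"enable-charger-screen\x00\x00\x90fastboot: %s\x00"
    + b"relock\x00\x00oem\x00\x00"
)

# Constructed fastboot host-tool outputs (assumed, not captured from a real device).
FAKE_DEVICE = {
    "device-info": "...\nOKAY [  0.004s]\nfinished. total time: 0.004s\n",
    "unlock": "FAILED (remote: 'Device already unlocked')\nfinished. total time: 0.003s\n",
    "relock": "FAILED (remote: 'Not allowed in locked state')\n",
    "enable-charger-screen": "OKAY [  0.002s]\n",
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def candidate_oem_commands(strings: Iterable[str]) -> List[str]:
    """Keep tokens that look like command names: lowercase, digits, '-' or '_', no spaces."""
    return sorted({s for s in strings if re.fullmatch(r"[a-z][a-z0-9_-]{2,}", s)})


# Heuristic patterns (assumed; tune them per vendor once you see real responses).
UNKNOWN_RE = re.compile(r"unknown command|unrecognized command|command not supported", re.I)
RESTRICTED_RE = re.compile(
    r"not allowed|permission denied|device is locked|not unlocked|locked state", re.I
)


def classify_response(output: str) -> str:
    """Bucket one fastboot host-tool output."""
    if UNKNOWN_RE.search(output):
        return "unknown"          # bootloader never had a handler for this name
    if RESTRICTED_RE.search(output):
        return "restricted"       # handler exists but refuses in the current lock state
    if re.search(r"^OKAY", output, re.M):
        return "positive"
    if "FAILED" in output:
        return "positive"         # recognised by the bootloader, handler returned FAIL
    return "error"                # no status line at all: USB/transport problem etc.


Runner = Callable[[str], str]


def real_fastboot(cmd: str, timeout: float = 5.0) -> str:
    """Send `fastboot oem <cmd>` to the attached device; fastboot prints status on stderr."""
    proc = subprocess.run(["fastboot", "oem", cmd], capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def fake_fastboot(cmd: str) -> str:
    """Offline runner over the constructed FAKE_DEVICE table."""
    return FAKE_DEVICE.get(cmd, "FAILED (remote: 'unknown command')\n")


def fuzz(candidates: Iterable[str], runner: Runner) -> Dict[str, List[str]]:
    results: Dict[str, List[str]] = {k: [] for k in ("positive", "restricted", "unknown", "timeout", "error")}
    for cmd in candidates:
        try:
            verdict = classify_response(runner(cmd))
        except subprocess.TimeoutExpired:
            verdict = "timeout"   # a hung handler; reboot the device before continuing
        results[verdict].append(cmd)
    return results


if __name__ == "__main__":
    cands = candidate_oem_commands(extract_strings(SAMPLE_ABOOT))
    for verdict, cmds in fuzz(cands, fake_fastboot).items():
        print(f"{verdict:10s} {cmds}")
```

A FAILED response counts as positive on purpose: the interesting result is that the bootloader dispatched the name to a handler at all, which is why the README lists failures among the positives. On real hardware a timeout usually means the bootloader is wedged, so the loop should stop and wait for a reboot into fastboot rather than keep sending commands.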
Explanation of progress bar:
Dependencies
- Boot.img tools (only required for populating `fugu` images)
Tips
- ADB-authorize your device for automatic recovery from fastboot reboots.
- If you have populated many images, running with `-g` will improve loading times.
- If the device hangs, do not reset `abootool`, but rather reboot the device (into fastboot). `abootool` will then proceed automatically.
Tested on
Host environment: Ubuntu 17.04 zesty
Devices: TBA
Example
Running on Nexus 6P `angler`:
List populated images: