Risk Management

Fastboot, Flashing, and Recovery Images

Listing 3 shows – in a fast-forward overview – how to flash the device with the free and lean CyanogenMod 10.2. You can do this without Windows and the snazzy installer specially written for this purpose: If you are working on Linux, first upload the image you downloaded from the CyanogenMod website [11] to the smartphone by typing adb push. Then, grab the basic Google apps (e.g., the Play Store) that are not included in the image. To unlock the bootloader (fastboot oem unlock) and flash a recovery system (fastboot flash recovery <file>) we used fastboot; its options are shown in Listing 3.

01 [root@pc]# adb push cm-10.2-grouper.zip /sdcard/Download/cm.zip
02 [root@pc]# adb push gapps-jb-20130301-signed.zip /sdcard/Download/gapps.zip
03 [root@pc]# fastboot --help
04 usage: fastboot [ <option> ] <command>
05
06 commands:
07   update <filename>                reflash device from update.zip
08   flashall                         flash boot + recovery + system
09   flash <partition> [ <filename> ] write a file to a flash partition
10   erase <partition>                erase a flash partition
11   format <partition>               format a flash partition
12   getvar <variable>                display a bootloader variable
13   boot <kernel> [ <ramdisk> ]      download and boot kernel
14   flash:raw boot <kernel> [ <ramdisk> ]  create bootimage and flash it
15   devices                          list all connected devices
16   continue                         continue with autoboot
17   reboot                           reboot device normally
18   reboot-bootloader                reboot device into bootloader
19   help                             show this help message
20 options:
21   -w                  erase userdata and cache (and format if supported by partition type)
22   -u                  do not first erase partition before formatting
23   -s <specific device>  specify device serial number or path to device port
24   -l                  with "devices", lists device paths
25   -p <product>        specify product name
26   -c <cmdline>        override kernel commandline
27   -i <vendor id>      specify a custom USB vendor id
28   -b <base_addr>      specify a custom kernel base address. default: 0x10000000
29   -n <page size>      specify the nand page size. default: 2048
30   -S <size>[K|M|G]    automatically sparse files greater than size.  0 to disable
31
32 [root@pc]# fastboot oem unlock
33 [root@pc]# fastboot flash recovery recovery-clockwork-touch-6.0.2.3-grouper.img
34 [root@pc]# adb reboot bootloader
35 [...]

If all of this works, adb reboot boots the Android device in its plain vanilla state. To save yourself the work of pushing files, check out the sideload ADB option, with which you can directly load files from your PC to the device. Fastboot is no exception: Often, root privileges are required on the PC. To check whether the tool finds the device, you can type fastboot devices. Just because adb devices works does not automatically mean that Fastboot recognizes the device.

Android Reboot from Linux

After rebooting Android, the next task is to select the images you pushed onto the smartphone or tablet and boot from them. Many devices require a wipe of the partitions and caches beforehand – recovery mode provides menu items; you can select them with volume +/- and Off buttons. The Android operating system then initializes. By now, at the latest, all the data previously on the device is deleted. After completing the configuration and restoring your backup, you should now  – hopefully  – have the desired original, and more secure, state.

Deep Analysis

In the worst case, admins need to investigate an Android device that is probably compromised – or at least its unusual behavior gives reason to suspect a compromise. If you discover suspicious traces with the tools described previously, you will certainly want more details about who infected the tablet – how and when – in addition to reverting to a safe initial state. Popular Linux tools like Sleuth Kit [12] are also useful for Android.

Each operating system stores its configuration details in a typical form; Linux uses readable configuration files, Windows uses the Registry, and Android mainly uses SQLite databases, which are also popular with many desktop programs, such as Firefox. It does not matter whether you run Firefox on Windows, Linux, or OS X, the history is always found in places.sqlite; only the storage location varies. Google's Android browser stores its history in a file called browser.db.