Getting A Shell On Any Android Device

If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interesting in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on any Android device with just a USB cable. The ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have the answer that involves a little-known property of USB devices.

USB mini and micro plugs have five pins – power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexor inside your phone can allow anyone with the proper hardware to access the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell.

To test their theory, [Michael] and [Kyle] rigged up a simple USB plug to UART adapter (seen above) that included a specific value of resistor to enable a shell on their test phone. Amazingly, it worked and the thought of having a secure phone was never had again.

The guys went farther with some proprietary Samsung hardware that could, if they had the service manual, unlock any samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware. If you’re interested in helping them out with their project, they have a project site up with all the information to get up to speed on this very ingenious hack.

29 thoughts on “Getting A Shell On Any Android Device

  1. The article title is definitely misleading, and it seems as if Brian didnt read the paper at all. This isnt applicable to ANY android device, only those which use multiplexers ICs on the USB port, and only if they are designed to explicitly allow this. The hack here tested only the Nexus and was able to get to a debugger which had access to an unprivileged shell. I havent played with android much, but if you rooted your device couldnt you just ‘chmod -x adb’ to fix this issue?

    1. Also this isnt applicable to just any Nexus either, from the paper:

      “The Galaxy Nexus was running CyanogenMod [10]. Subsequent tests of
      devices of the same model running different operating systems yielded
      different results. We were unable to gain access to the FIQ debugger on
      a unit with an operating system provided by Verizon. On a unit with an
      operating system provided by Sprint, we were able to access the FIQ
      debugger, but the console command was missing or disabled.”

      So basically if you rooted your device, and installed a poorly configured community ROM you have a security issue, if you use the default install your ok. God damn this post was alarmist.

    2. I agree that the article would be much improved by the deletion of the letter “y” from “any” in the title.

      Don’t trust chmod to save you from this type of vulnerability. There are many ways that an attacker may be able to elevate privilege given something as complex as a shell.

      What I hope people get out of this work is not: “Hey, these guys can get a shell on some phones!” but is instead: “Wow, there are huge, unexplored attack surfaces accessible through multiplexed wired interfaces on all sorts of devices.”

    3. No, this *exact* hack may not be available to every Android device, but this kind of hack is. I can say that every smartphone around have a multiplexer chip installed, or they would not be that smart.
      So even if the used resistance may not work on Motorola phones, another one surely will. If they have access to the support manual for all makers (and there’s just a few), they will be able to attack every and all Android phones out there.
      And I bet NSA have that manuals, don’t you think?

      1. This is the dumbest post i’ve read on here a while. The multiplexer chips aren’t what make phones smart and if you read the paper on the author’s site or my 2nd post you would have seen that this only worked with a poorly configured 3rd party OS.

    4. chmod -x will not necessarily fix the problem. Most roms have the adbd
      (android debug bridge daemon) loaded in ram after boot. It is tied to init.
      So, even if you chmod -x adbd, rebooting the device will bring it back to
      it’s normal state.

    1. That won’t help. Most of them have a service interface in the proprietory sockets that you charged with. The ones that didn’t would have the same interface inside as some pads by the SIM socket. The interfaces are used to reflash the phones or do diagnostics so you have complete access to everything.

  2. Poorly written article that is hard to follow and totally misleading. Typos and words being mixed up making it unclear if you do or don’t need adb enabled. Boo for this poorly written piece of shite.

    1. Just because you dont understand what is being done doesnt mean it is poorly written. It dumb it down for you, abd is disabled on the phone you gain a shell to the phone through the usb port once you have shell access it is just a matter of changing a single value in the phones database in order to enable adb, once adb has been enabled you then use thay access to push programs down to the phone…

      1. It’s adb, not abd. But it’s okay, commenters don’t have to get it right every time. I expect more from the authors of HaD though.

        I understand how it works by reading the original article. I can’t understand the author because his writing is full of typos, missing words etc. Perhaps you’d be better off reading the original article to understand how misleading Brians writeup is.

        1. Granted i didnt read the article but i did watch the talk. The talk was very easy to follow imo and after watching the talk and reading the write up it isnt actually that missleading. Maybe brian just watched the talk and didnt read the article :/

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.