CopperheadOS's OpenBSD malloc port uncovered a use-after-free in Android's fancy new over-the-air update sorcery: https://android-review.googlesource.com/#/c/196090/ .
@CopperheadSec Do you know of a good description of how the new updater works? Is it the same as the ChromiumOS one?
@CopperheadSec Also, good job!
@BRIAN_____ It's not really a new updater, it's just a new way of passing the zip to the recovery where it gets verified and then installed.
@BRIAN_____ It used to be done by downloading or copying it to /cache/recovery/, setting up /cache/recovery/command and rebooting to recovery.
@BRIAN_____ A full over-the-air update (i.e. not an incremental one from a specific version) is very large (250-400M) as it has everything.
@BRIAN_____ So the cache partition has to be very large. The Nexus 5 had a 700M cache. The Nexus 6 and Nexus 9 dropped it down to 256M.
@BRIAN_____ The Nexus 5X only has 96M and the Nexus 6P has 100M. In terms of the update process itself, they moved to block-based OTAs.
@BRIAN_____ They used to be file-based with metadata applied afterwards, but Android adopted verified boot, so it needs fully consistent images.
@BRIAN_____ All of the over-the-air updates from Google are incremental and they force you to install the updates in order. No full OTAs.