I am the black sheep of the company. Everything I run is Linux in some form or another, except when a client requires otherwise. This includes my phone. When I first heard about Stagefright my heart sank, mostly for all the ribbing I would get from my co-workers, but also because my phone is rooted; more on that later. For the details of what Stagefright is I'll point you to Android Central and Wikipedia. For those more security savvy, it is CVE-2015-3864, CVE-2015-3828, CVE-2015-1539, CVE-2015-3824, CVE-2015-3829, CVE-2015-3827 and CVE-2015-1538. To sum it up: a nefarious person can send you an MMS and completely own your phone, with no action on your part, because the media framework parses the attachment as soon as the message is auto-downloaded. Thanks to Zimperium for finding the issue AND for creating an Android app to tell you if your handset is vulnerable.
I have a Nexus 6 handset that is rooted. With the new block-based OTA format I cannot use the OTA update that Google kindly provided relatively quickly, because rooting makes minor changes to the system partition and those changes make the pre-update checks fail. Since the OTA is a binary patch against the exact stock image, if everything isn't just perfect the automatic updater, for safety, does nothing. Now I have a firmware update notification that won't go away. Fortunately, after some poking around I figured out what I needed to do: instead of patching the system partition, replace it outright with the stock system image, which sidesteps the safety check. The price is that anything rooting put into /system, the su binary included, is overwritten and has to be reinstalled afterwards.
Since I've rooted my phone, there are several things I have that the average non-rooted user will not. The bootloader is OEM unlocked, which voids the warranty. I have a custom recovery that lets me act on the phone before the operating system boots: mostly, install packages outside the OS, or back up the OS in its entirety while it is not running. The most popular package to install this way is SuperSU, which provides the su binary and with it root access on your handset, overriding carrier restrictions. My personal choice for recovery is TWRP. Next you need a computer with the Android SDK platform-tools installed; mostly you need adb to transfer files onto the internal storage, and fastboot to write the partition. Next, install the Zimperium app that tells you how vulnerable your handset is, then run it. If you are not vulnerable, consider stopping here; I loathe changing a working system for no reason. Lastly, you need to pick up the appropriate Android factory image for Google-branded devices here: https://developers.google.com/android/nexus/images?hl=en . For other device manufacturers you need to seek out their OTA updates or firmware images, and YMMV with this method.
Before we go forward, the standard disclaimer: I am not responsible for you voiding your warranty or bricking your phone. If TWRP, su and SDK are foreign terms to you, stop. This method worked for me; that does not mean it will work for you, and I by no means guarantee success.
The basic gist of what we are doing is to update only the operating system, bypassing the consistency check for the system image. When you download the factory image you need to untar it. Inside the tarball I then had to unzip the following zip file: image-shamu-<build>.zip . This contains system.img, which is what we are after. Do not run the flash-all script that sits next to it: it flashes every partition and passes -w to fastboot, which wipes your user data. All the pieces are ready, now we can start.
First, the prep work.
- Take a full backup first, so that if something happens you have a working point to go back to. I use Titanium Backup and/or adb backup. Typically a full backup takes an hour or so.
- Next, start the adb server and connect your phone via USB to the computer you are using for the update.
- Make sure Developer options and USB debugging are turned on in the phone, and accept the computer's debugging (RSA) key on your handset when prompted.
- Ensure that an installable SuperSU zip is on your handset's sdcard; if not, download it, adb push it, and place it on your sdcard.
Now we do the magic!
- Execute adb reboot bootloader.
- Once in the bootloader, execute fastboot flash system system.img (this assumes system.img is in the current directory; adb does not work while the phone is in fastboot mode, which is why the command is fastboot). You can flash the radio image from the same tarball as well if you want.
- Congratulations, you have updated, but the stock system image does not contain the su binary, so you have also unrooted your phone.
- Get back into recovery: select Recovery mode from the bootloader menu, or run fastboot reboot and then adb reboot recovery once Android is up.
- Use your recovery to install the SuperSU zip onto the new system image.
- Execute adb reboot and you should be done.
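The whole procedure, from factory tarball to the reboot into recovery, as one script. This is an added example, not something from the original post or from Google's tooling; it assumes you pass the factory tarball and the digest copied from Google's images page as arguments, that the SuperSU zip is already on the handset, and that adb and fastboot from the platform-tools are on your PATH. It defaults to a dry run that only prints the device commands; set DRY_RUN=0 to actually flash.

```shell
#!/bin/sh
# Added example (not the post's or Google's code): scripted version of the
# manual steps above, with a dry-run mode so it is harmless until you opt in.
set -e

# DRY_RUN=1 (default) prints device commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Compare a file's digest with the one from the download page. Assumption:
# the page lists SHA-256; swap in sha1sum/md5sum if yours lists another hash.
verify_checksum() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Unpack the factory tarball into $2 and print that directory.
extract_factory_image() {
    tarball="$1"; dest="$2"
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
    echo "$dest"
}

# Locate the nested image-<device>-<build>.zip inside the extracted tree.
find_image_zip() {
    find "$1" -name 'image-*-*.zip' | head -n 1
}

# Pull only system.img out of the zip. flash-all.sh is deliberately not used:
# it runs 'fastboot -w', which wipes userdata.
extract_system_img() {
    zipfile="$1"; dest="$2"
    unzip -o -q "$zipfile" system.img -d "$dest"
    echo "$dest/system.img"
}

# The flash sequence from the post. adb is unavailable in fastboot mode, so
# after flashing we reboot into the (now stock) system and only then ask adb
# to take us to recovery, where SuperSU gets re-installed.
flash_system() {
    img="$1"
    run adb reboot bootloader
    run fastboot flash system "$img"
    run fastboot reboot
    run adb wait-for-device
    run adb reboot recovery
}

main() {
    tarball="$1"; digest="$2"; work="${3:-./work}"
    verify_checksum "$tarball" "$digest" || {
        echo "checksum mismatch, refusing to flash" >&2; return 1; }
    dir=$(extract_factory_image "$tarball" "$work")
    zipfile=$(find_image_zip "$dir")
    [ -n "$zipfile" ] || { echo "no image-*.zip found in $dir" >&2; return 1; }
    img=$(extract_system_img "$zipfile" "$work")
    flash_system "$img"
    echo "Phone is in recovery: install the SuperSU zip, then reboot."
}

# Only run when given arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Usage: `DRY_RUN=0 sh update.sh shamu-<build>-factory-<hash>.tgz <sha256-from-page>`. The checksum check is there because a corrupted or tampered system image is flashed with no further verification once the bootloader is unlocked; refusing on mismatch is the only gate you have.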
Android will spend a few minutes optimizing your applications, and you will have upgraded your phone. When everything settles down, run the Zimperium Stagefright app again and you should be less vulnerable. Google could not patch CVE-2015-3864 in time for this release. To guard against it, turn off MMS auto-download as specified here: https://blog.zimperium.com/how-to-protect-from-stagefright-vulnerability/. This knowledge is useful for two reasons: first, to get rid of Stagefright; second, there is rumor of Google issuing monthly updates, and you don't want to get caught behind because you are rooted. Happy updating.