Posted on 2021-6-27 09:45:07
This post was last edited by monkeynav on 2021-6-27 09:50
The manufacturer does not have a direct root shell. The vendor can obtain root privileges, but the upgrade process does not need them. Android only needs to download the update package and place it in a specific location.
The Android phone update mechanism: at regular intervals the phone downloads a small file from the vendor's server containing the version number and similar information. If the downloaded file does not match the firmware on the device, it goes and downloads the corresponding update package.
The phone must first shut down; recovery reads the update package, and only if the check passes is it written to the system partition. After the write completes, the system boots again.
The difference between an updater and a backdoor:
An updater can only download update packages; its behaviour is limited to a handful of actions.
A backdoor accepts commands at any time and performs any action.
Tesla is OpenVPN+SSH, an always-online remote shell. The car can be remotely controlled to do anything at any time.
WeChat and Alipay follow a similar pattern. The domestic (mainland China) version of the APK can remotely download and load any plugin without anyone noticing; taking photos and recording audio are trivial. iOS strictly forbids this kind of behaviour; 360 tried to bypass the App Store restrictions and was permanently removed by Apple.
Further reading 1
Fun fact: a Jenkins pipeline once caused almost the entire fleet to reboot-loop for about an hour.
Model S and X use OpenVPN to talk to their backend. Inside that backend there are metadata services that feed info to the system, one of those things being a ~20MB+ (generated by the worst ERP system) JSON payload that describes Supercharger shit for the map in the touchscreen. Somebody was smart enough to do automated linting but forgot to validate against the custom parser the car runs, which caused a segfault in the Qt app that runs the UI, which in turn, for a variety of reasons, forces a reboot of that component. I think we clocked about 15 seconds before it read the file and faulted after boot. It was doing that for an hour before everyone panicked and got me and QA on the phone to fix it. I wrote a quick Python/Fabric script that SSH'd to as many cars as possible at a time to rm the file.
Further reading 2
https://www.pentestpartners.com/ ... are-update-process/
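As an added example (not code from the original post, from Android, or from any vendor), the three-step update flow described in the post, modelled in Python: fetch a small version manifest, compare it with the local build, and download and verify the package before it is staged for recovery. It also shows the strict manifest validation that the Tesla JSON anecdote in "Further reading 1" was missing, applied before the on-device parser sees the data. The host name `ota.example.invalid`, the manifest layout, the sample payloads and the use of a plain SHA-256 digest are all assumptions; a real recovery verifies a signature with the vendor's public key instead, and the network is replaced by a dict of constructed responses so the script runs offline.

```python
"""Added example: minimal model of an Android-style OTA updater.
Everything below (host, manifest format, payloads) is constructed/assumed."""
import hashlib
import json
import re

ALLOWED_HOST = "ota.example.invalid"          # assumed vendor OTA host
MAX_MANIFEST_BYTES = 4096                      # the "small file" really is small
VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")

# --- constructed sample data ------------------------------------------------
SAMPLE_PACKAGE = b"constructed-ota-payload-" * 64
TAMPERED_PACKAGE = SAMPLE_PACKAGE[:-1] + b"!"  # same length, one byte changed
GOOD_DIGEST = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()

def _manifest(version, name, size, digest):
    return json.dumps({"version": version,
                       "url": f"https://{ALLOWED_HOST}/{name}",
                       "size": size, "sha256": digest}).encode()

FAKE_SERVER = {
    f"https://{ALLOWED_HOST}/manifest.json":
        _manifest("2.1.7", "update-2.1.7.zip", len(SAMPLE_PACKAGE), GOOD_DIGEST),
    f"https://{ALLOWED_HOST}/update-2.1.7.zip": SAMPLE_PACKAGE,
    # manifest that advertises the good digest but points at a modified package
    f"https://{ALLOWED_HOST}/manifest-tampered.json":
        _manifest("2.1.7", "update-tampered.zip", len(TAMPERED_PACKAGE), GOOD_DIGEST),
    f"https://{ALLOWED_HOST}/update-tampered.zip": TAMPERED_PACKAGE,
}

def fetch(url):
    """Stand-in for an HTTPS GET. Only the allow-listed host is ever contacted,
    so a manifest cannot redirect the device to an attacker's server."""
    if not url.startswith(f"https://{ALLOWED_HOST}/"):
        raise ValueError(f"refusing to contact {url}")
    return FAKE_SERVER[url]

def parse_manifest(raw):
    """Validate the manifest strictly before anything in it is trusted.
    A size cap and an exact schema check keep malformed input away from the
    on-device parser (the failure mode in the Tesla JSON story)."""
    if len(raw) > MAX_MANIFEST_BYTES:
        raise ValueError("manifest too large")
    try:
        m = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as e:   # JSONDecodeError is a ValueError
        raise ValueError(f"manifest is not valid JSON: {e}")
    if not isinstance(m, dict) or set(m) != {"version", "url", "size", "sha256"}:
        raise ValueError("manifest has unexpected keys")
    if not (isinstance(m["version"], str) and VERSION_RE.match(m["version"])):
        raise ValueError("bad version string")
    if (not isinstance(m["size"], int) or isinstance(m["size"], bool)
            or not 0 < m["size"] <= 2 * 1024 ** 3):
        raise ValueError("bad package size")
    if not (isinstance(m["sha256"], str) and HEX64_RE.match(m["sha256"])):
        raise ValueError("bad digest")
    if not (isinstance(m["url"], str) and m["url"].startswith(f"https://{ALLOWED_HOST}/")):
        raise ValueError("package URL is not on the OTA host")
    return m

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def needs_update(local_version, manifest):
    """Only a strictly newer version triggers a download, so a replayed old
    manifest cannot roll the device back to a vulnerable build."""
    return version_tuple(manifest["version"]) > version_tuple(local_version)

def download_and_verify(manifest):
    """Download, then check size and digest. Nothing is staged on failure."""
    data = fetch(manifest["url"])
    if len(data) != manifest["size"]:
        raise ValueError("size mismatch")
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("digest mismatch")
    return data

def check_for_update(local_version, manifest_url=f"https://{ALLOWED_HOST}/manifest.json"):
    """The whole updater: the result is one of three fixed outcomes, which is
    exactly the updater-vs-backdoor distinction the post draws."""
    try:
        manifest = parse_manifest(fetch(manifest_url))
        if not needs_update(local_version, manifest):
            return ("up_to_date", None)
        return ("stage_for_recovery", download_and_verify(manifest))
    except ValueError as e:
        return ("rejected", str(e))

if __name__ == "__main__":
    for local in ("2.1.6", "2.1.7"):
        print(local, "->", check_for_update(local)[0])
    print("tampered ->", check_for_update("2.1.6", f"https://{ALLOWED_HOST}/manifest-tampered.json"))
```

The point of the fixed return set is that the updater can never be told to do something new: the manifest can only influence which package is fetched from the one allowed host, and a package whose digest does not match is dropped before recovery ever sees it.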