
fetcher • 8 years ago

Nice work!

I've verified that this also works on an old 1st-gen CDMA Moto E (XT830C, locked to Tracfone/Verizon, running KitKat 4.4.4), so it's likely that all Moto G and E models from the beginning are affected.

For the XT830C, SCRATCH_ADDR is 0x0E000000, or 0x10000000 after adding the 32M pad. I extracted the stock initrd from factory firmware using abootimg, replaced the adbd binary with yours (from athene-xt1622-mpj24.139-63 - this surprisingly runs fine on KitKat) and set SELinux to Permissive mode by hex-editing strings in the stock init binary, replacing "%s/enforce" with "%s/disable" (on the assumption this was used to write into /sys/fs/selinux). This works perfectly to get a root shell via adb:

root@condor_cdma:/ # id
uid=0(root) gid=0(root) groups=1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

root@condor_cdma:/ # getenforce
Permissive

Unfortunately, the /system mmc partition is write-protected at some lower hardware level, perhaps by the locked bootloader before a kernel is loaded. Remounting it read-write and adding files for SuperSU appears to work at first, but the writes fail with I/O errors.

root@condor_cdma:/storage/sdcard1/supersu # mount -o remount,rw /system
root@condor_cdma:/storage/sdcard1/supersu # cp arm/su /system/xbin
root@condor_cdma:/storage/sdcard1/supersu # sync

root@condor_cdma:/storage/sdcard1/supersu # dmesg |grep -A99 re-mount
<6>[ 2331.972829,0] EXT4-fs (mmcblk0p34): re-mounted. Opts: (null)
<3>[ 2334.376863,0] end_request: I/O error, dev mmcblk0, sector 1442264
<3>[ 2334.377587,0] end_request: I/O error, dev mmcblk0, sector 1443288
<3>[ 2334.378020,0] end_request: I/O error, dev mmcblk0, sector 1444312
<3>[ 2334.378672,0] end_request: I/O error, dev mmcblk0, sector 1445336

Some sort of system-less root method, taking advantage of the altered initrd, would probably still be possible, but of course the initrd would need to be reuploaded on every boot cycle.

Roee Hay • 8 years ago

Thanks for the detailed report! :)
Added it to the repository https://github.com/alephsec... and advisory.

jbutler • 8 years ago

Verified on XT1021:

jbutler@HAL-2017:~/Android/Sdk/platform-tools$ adb devices -l
List of devices attached
ZX1PB227BV device usb:3-1 product:condor_cricket model:XT1021 device:condor_umts

jbutler@HAL-2017:~/Android/Sdk/platform-tools$ adb shell id
uid=0(root) gid=0(root) groups=1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
jbutler@HAL-2017:~/Android/Sdk/platform-tools$ adb shell
root@condor_umts:/ #

krison • 8 years ago

Is this correct? It looks off to me in IDA 5.0: "seg000:001A794E 0000001B C target_get_scratch_address"
Moto G5 Plus

Leandro Oliveira • 7 years ago

xt1033, xt1040, xt1068, xt1069
Scratch Address: 0x11000000
Padding: 64MB
https://github.com/leosol/i...

Jayen Ashar • 8 years ago

Hi. I'm a little confused about what these commands do:

fastboot oem config fsg-id "a initrd=0xA2100000,1588598"

Looks like a parameter telling the kernel where to load the initrd, but what does the `a` mean?

fastboot flash aleph initroot-cedric.cpio.gz

Does it matter what the partition name is? How does fastboot know to write to 0xA2100000? Can I backup the data at 0xA2100000 somehow?

I'm also not clear on whether this persists across reboots or not. Some comments seem to imply it does and some seem to imply it doesn't. If it doesn't persist, is it the initrd that doesn't persist or the fsg-id or both?

Thanks,
Jayen

seri0099 • 8 years ago

Anyone, please help me to root the Moto G5 Plus Amazon XT1687 :( I can't create the cpio.gz... How do I create it? And how do I get the padding?

Cydia Mind • 8 years ago

Good work. I wonder, I have an issue with changing the baseband on the XT1609. I have one phone,
M8916_20250106.08.05.23R HARPIA_NA_CUST, working with the GSM network; I have the same phone which has a GSM issue. I want to bypass the baseband and change carrier: M8916_20250106.08.05.23R HARPIA_VZW_CUST

Pierre Zurek • 8 years ago

Hi, great work!

It's working on my Moto G 1st gen (XT1032, falcon_retfr-user 5.1 LPBS23.13-56-2 2 release-keys). I patched init and adbd the same way that you did. SCRATCH_ADDR is 0x11000000, I used a 64MB padding (0x4000000).

Max Schöbel • 5 years ago

Hey :) nice work!! Would you mind uploading your initramfs image somewhere?

Roee Hay • 8 years ago

Thanks! I've added your report to both the github repo and the advisory :)

Axel • 8 years ago

Hi, I have a G5 Plus Amazon Prime edition running NPN25.137-33 which is vulnerable to this exploit. Amazon won't upgrade my software and they won't allow Moto to give out bootloader unlock codes even if I pay the Amazon Prime subsidy to remove ads. Would it be possible to use this exploit to boot to LineageOS? Many many years ago I had a Droid 3 with a locked bootloader and it was possible to kexec into CyanogenMod.

fetcher • 8 years ago

Note that Motorola has started deploying an OTA update for at least the G5 Plus XT1687, build number NPNS25.137-35-5, which brings the phone's security patch level up to May 1, 2017, and closes this vulnerability. I accepted the update last night on my XT1687, which is on the "retus" (Retail US) software channel, and verified that passing extra kernel parameters via 'fastboot oem config' no longer works:

root@imp:~# fastboot oem config fsg-id "a baz=0"
...
FAILED (remote failure)
finished. total time: 0.004s

So, anyone hoping to use this exploit to gain root access on a G5 Plus not eligible for bootloader unlocking, such as one of the Amazon Prime ad-ware models, will probably want to refuse this OTA update. If your phone's root partition has already been modified, the update will refuse to install itself due to a failed checksum on the first 16MB of that partition. This probably applies to 'recovery' and 'system' as well; I restored my /system to stock without checking first whether it was actually necessary. It didn't complain about my having a custom boot screen in the 'logo' partition, but proceeded to overwrite that during installation.

Stefan Nicolov • 8 years ago

Did the stuff above and ended up in a boot loop (XT-1625). How do I recover from that? Any help is appreciated.

Roee Hay • 8 years ago

Get back into 'fastboot mode' and run:
fastboot oem config fsg-id ""

Stefan Nicolov • 8 years ago

Thanks. Figured it out on my own.

Jakob • 8 years ago

The Security Affairs blog writes [1] that this could be exploited by a local malicious application. Can you comment on that? Your PoC is based on a computer with fastboot/adb and so this attack needs physical access to the phone (or connecting the phone to a compromised PC for charging).

[1]: http://securityaffairs.co/w...

Roee Hay • 8 years ago

It requires physical access (or connecting a phone with enabled ADB to a compromised ADB authorized PC).

TheElix • 8 years ago

Hello, I'm having trouble finding SCRATCH_ADDR; how do I do it? I have an XT1072 (Moto G2 LTE).
EDIT: Found the address in a github repo, thanks anyway :D

Roee Hay • 8 years ago

Have you managed to exploit the vulnerability on XT1072?

TheElix • 8 years ago

I managed to add random initrd values and force-crash the device (actually it reboots cyclically), while I'm still looking to load a custom initrd without crashing; even adding padding doesn't fix that. So, still in development.

EDIT: Noticed that fastboot flash gives "permission denied" instead of "invalid partition name"

Guest • 8 years ago
Roee Hay • 8 years ago

It might be possible, but there is a technical difficulty with that because the 'fsg-id' utag is only injected into the kernel command line by ABOOT if its size <= 32 bytes. In addition, I couldn't find any other utags which are injected on my Moto devices to overcome this limitation. Unlike Nexus 6 (which has no sd card...), the 'carrier' utag is not regarded (probably overridden by 'ro.carrier'). It's not possible to change the 'console' utag too.
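
Since the thread keeps coming back to what the 'fsg-id' value can carry (Jayen's question above) and to the 32-byte injection limit Roee describes, here is a small added audit helper, not code from the author or the initroot repository, that checks whether a utag value would reach the kernel command line and decodes any extra `initrd=` parameter it smuggles in. The `initrd=<hex addr>,<size>` token format is assumed from the example `a initrd=0xA2100000,1588598` quoted in the thread; the sample values are constructed.

```python
import re
from typing import Dict, List, Optional

# Constraint stated in the thread: ABOOT only injects the 'fsg-id' utag into
# the kernel command line when its value is at most 32 bytes long.
FSG_ID_MAX_BYTES = 32

# Assumed token shape, from the thread's example 'a initrd=0xA2100000,1588598':
# hex load address followed by the size in bytes.
INITRD_RE = re.compile(r"^initrd=(0x[0-9A-Fa-f]+),(\d+)$")


def fsg_id_is_injected(value: str) -> bool:
    """True if ABOOT would pass this utag value through (<= 32 bytes)."""
    return len(value.encode("utf-8")) <= FSG_ID_MAX_BYTES


def smuggled_params(value: str) -> List[str]:
    """Extra kernel parameters hidden in a 'fsg-id' value.

    A benign value is a single token; whitespace inside the value lets
    additional key=value parameters ride along into the kernel command line.
    """
    tokens = value.split()
    return [t for t in tokens[1:] if "=" in t]


def parse_initrd_param(token: str) -> Optional[Dict[str, int]]:
    """Decode an 'initrd=<addr>,<size>' token into load address and size."""
    m = INITRD_RE.match(token)
    if not m:
        return None
    return {"addr": int(m.group(1), 16), "size": int(m.group(2))}


def audit_fsg_id(value: str) -> Dict[str, object]:
    """Report whether a 'fsg-id' value reaches the kernel and what it carries."""
    extra = smuggled_params(value)
    initrd = None
    for token in extra:
        initrd = parse_initrd_param(token)
        if initrd:
            break
    return {"reaches_kernel": fsg_id_is_injected(value),
            "extra_params": extra, "initrd": initrd}


# Constructed samples: the thread's value, and an overlong one ABOOT drops.
SAMPLE_INJECTED = "a initrd=0xA2100000,1588598"            # 27 bytes
SAMPLE_TOO_LONG = "a initrd=0xA2100000,1588598 extra=1"    # 35 bytes
```

Running `audit_fsg_id` over the value read back from a device is a quick way to confirm an empty or single-token 'fsg-id' after the cleanup command `fastboot oem config fsg-id ""` mentioned earlier in the thread.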

moralesnery • 8 years ago

I hope the fix OTA comes quickly to carrier ROMs.