Smartphone Hardening: Motorola

Installing the LineageOS distribution on a Nexus 6 as a base for hardening has become very easy and takes only a few minutes w/ adb and fastboot (part of the android-sdk) already installed on your POSIX machine.

  • Enable USB Debugging in the phone settings
  • Connect device and check by running adb devices -l
  • Reboot into bootloader: adb reboot bootloader
  • Again, check connectivity: fastboot devices -l
  • Unlock the bootloader:
fastboot oem unlock
(bootloader) slot-count: not found
(bootloader) slot-suffixes: not found
(bootloader) slot-suffixes: not found
(bootloader) Please select 'YES' on screen if you want to continue...
(bootloader) Unlocking bootloader...
(bootloader) Unlock completed! Wait to reboot
  • Flash recovery:
fastboot flash recovery twrp-3.3.1-0-shamu.img
 (bootloader) slot-count: not found                 
 (bootloader) slot-suffixes: not found                                  
 (bootloader) slot-suffixes: not found                        
 (bootloader) has-slot:recovery: not found
 target reported max download size of 536870912 bytes
 sending 'recovery' (11887 KB)…                                  
 OKAY [  0.393s]                                                   
 writing 'recovery'…                                             
 OKAY [  0.171s]                            
 finished. total time: 0.564s 
  • Select Recovery Mode and reboot into TWRP
  • Backup existing ROM (system partition) onto USB-OTG
  • Install LOS: Wipe/Factory Reset, then install – e.g. using adb sideload – a) LOS b) OpenGapps c) addonsu

Note about encryption: When running LOS 15.1 and TWRP 3.2.3, encrypting the device results in a completely unstable O/S. When running LOS 16.0 and TWRP 3.3.1, encrypting the device works, resulting in a usable O/S. However, TWRP is still not accepting the FDE password thus unable to mount /data.

So, after having flashed the device, now is the time for further hardening of the device by installing a local firewall ruleset like AFWall+, VPN software like WireGuard, Firefox Klar/Focus, K-9 Mail, OpenKeychain, SnoopSnitch etc. and creating a backup using TWRP.

Also, sort of circumventing the previously mentioned encryption problem would be easily possible and can be achieved by first creating a fresh TWRP backup and subsequentially encrypting the device. Think of this becoming handy right before travelling abroad, but remember that afterwards you should a) WIPE the device using TWRP (w/o unlocking data) and then b) reflash the last backup to be able to create fresh backups from time to time.