Blog: Android

Aldi Lifetab also vulnerable to data recovery from memory

Ken Munro 28 Aug 2014

aldiFollowing our investigations in to the security of the Tesco Hudl, we’ve been working on a number of other branded tablets to see if they are vulnerable to similar attacks.

Our expenses claim for second hand tablet purchases from eBay is growing fast; there is a huge, growing pile of tablets in various states of disrepair in the corner of the office!

First on the ‘interesting’ list was the Aldi Lifetab, essentially a rebranded Medion Lifetab E7318, which Aldi sell from time to time for around £80. Quite hard to get hold of used versions though.

Getting it in to flash mode

Our initial investigations, once the migraines from the really awful screen had died down, revealed that the Medion tablets were rebranded Lenovos, which the Internet suggested were based on a MediaTek MT65xx chipset. This looked to have a “read back” mode which could allow us to pull data back, similar to the Rockchip chipset.

To enter flash mode is the same procedure as with the Hudl. Hold down volume up, and use a SIM removal tool or paperclip to press the reset button (shown in the below photo).

flash-mode

We spent about an hour fighting with the Mediatek tools such as the SP Flash Tool (a good description of how to do this is available here) but got nowhere. We just couldn’t get a connection in flash mode.

So, next step was to start dismantling the device. Now we start to feel a bit silly. Guess what was under the cover?

Hey hey, it’s another Rockchip! In fact it’s exactly the same chipset that was found in the Hudl. (We also tested an E7310 as part of this, which had an older chipset in it.)

Back to the trusty rkflashtool. Boom!

[dave@jotunheim rkflashtool]$ sudo ./rkflashtool p
rkflashtool: info: rkflashtool v5.2
rkflashtool: info: Detected RK3188…
rkflashtool: info: interface claimed
rkflashtool: info: reading parameters at offset 0x00000000
rkflashtool: info: rkcrc: 0x4d524150
rkflashtool: info: size: 0x00000243
FIRMWARE_VER:4.1.1
MACHINE_MODEL:LIFETAB_E7316
MACHINE_ID:007
MANUFACTURER:LENOVO
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 3066
CHECK_MASK: 0x80
KERNEL_IMG: 0x60408000
#RECOVER_KEY: 1,1,0,20,0
CMDLINE:console=ttyFIQ0 androidboot.console=ttyFIQ0 init=/init
initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:
0x00002000@0x00002000(misc),0x00006000@0x00004000(kernel),
0x00008000@0x0000A000(boot),0x00010000@0x00012000(recovery),
0x00020000@0x00022000(backup),0x00100000@0x00042000(cache),
0x00002000@0x00142000(kpanic),0x00200000@0x00144000(system),
-@0x00344000(userdata)

Notice that the tablet is marked as a Lenovo Lifetab E7316. It appears that the Medion version numbers are very strange.

About two hours later we recovered the original users email address and various account details. Seems they liked playing FIFA14. No accounting for taste!

That’s from a factory wiped device – not great, so we wiped it properly and shredded the user’s data for good.

Conclusion

Rockchip are releasing updated firmware that addresses the above issues, but what about all the old tablets out there? We’ve said it before; don’t sell used tablets that you can’t wipe properly, even if the screen is broken. Data can still be recovered.

Retailers – stop selling insecure hardware please. It’s perfectly possible to do cheap and secure, if you specify it early in the design stage.

The coming Android version is apparently going to enable encryption by default, which is great news. Not much good for those older tablets that will start gathering dust soon though…