Lauren Weinstein has a good follow-up to the misreported rootkit story from a month ago. The G2 handset, successor to the early G1 Android phone, included a firmware reset feature that re-installed the stock image if it detected changes, such as rooting of the phone. Many aftermarket customizations and improvements rely on rooting, that is, acquiring full software privileges on, Android phones.
Lauren was one of the saner voices at that time, clarifying what would have to be true for this vendor “feature” to qualify as an actual rootkit. What T-Mobile and HTC did to the G2 is at most a form of DRM. For it to have been a rootkit, it would have had to allow some user, local or remote, access they would not otherwise have. Attackers leave these kits behind to turn a one-time crack into an asset with ongoing value. Weinstein’s objection to the imprecise usage was that it clouded the real issues here.
He also suggested that, as dire as this protective measure might have seemed, the dedicated modder community would surmount it like every other barrier vendors and carriers have tried to erect against users exercising their owner override.
As it turns out, it was quickly established that the G2 was not using a firmware rewrite system, but rather was employing the protected mode of JEDEC Embedded MMC memory (eMMC). Temporary rooting of the device was possible from early on since the underlying Linux kernel was caching changes related to user root attempts, but the eMMC protection mechanism was preventing those changes from ever being successfully written to flash system memory — so all such changes were lost at the next boot of the phone.
Lauren clearly followed this development quite closely. There are more details, if you are curious, in his blog post. The takeaway is that this type of lockdown is almost certainly doomed to failure: choice is a strong enough motivator for someone to come up with a way to open a device in order to exercise it.