Let’s take a look at how a 13-year itch in my brain resulted in the discovery of a CVE.
Before going further, here are the required details for CVE references:
- CVE-2025-25730
- Affected Product and Version: Motorola Droid Razr HD (XT926) – Android Version 4.1.2, Build Number 9.8.1Q-94 and Baseband Version less than or equal to VANQUISH_BP_100730.151.64.17P
- Problem Type: Improper Access Control
- Description: The Motorola Droid Razr HD (XT926) Android phone is vulnerable to improper access controls. In this case, by performing certain steps before boot, disabled Developer Options and the requirement for USB Debugging authorization can be bypassed regardless of whether a lock screen is set, resulting in software such as “adb” accessing the phone even if there is a lock screen.
So around 13 years ago I went to throw my shoes down the stairs where I was living and well, I accidentally threw my phone with it.
It completely shattered the screen obviously and I ended up getting a new phone. However, I kept that Droid Razr HD. Not just because I loved the device but in case I ever got around to replacing the screen and grabbing whatever was on it.
Well, more than a decade later, the day came. And I swapped the screen on, booted it up and it had a pattern lock screen set… I had literally ZERO idea what the pattern was, but as it was so old, and I have literally 5 different devices that can be BadUSB/Rubber Duckys, I figured there’s no way that there’s a limit to the number of attempts…
Well there was, and now it was only prompting for the Google Username and Password that was attached to the device. After spending another few hours going through my password managers I’m confident in the fact that I most definitely tried every possible one of my close to 100 Google Accounts and passwords I had at that time. So I either made a Google account specifically for that device (unlikely) or when I removed it from my Google account and booted it up over a decade ago and it auto-connected to my WiFi, it removed my account from the device? Guess we’ll never know.
So close to accessing my old personal time capsule, ripped away. I could see the Kali Dragon lock screen background (Yes I was that leet) but alas I couldn’t get past it…
Then I accidentally ripped it from my desk to the floor when the screen wasn’t screwed in, which pulled the cable out of its connector. (I swear this device is cursed). Which meant I had to spend another hour under my microscope with tweezers, attempting to unbend the pins of the connector… Which surprisingly worked.
Now with the screen working again (for the second time after breaking it) I carefully went through my options. I went through and looked for CVEs, of which I found some for another device I own, a Nexus 6P that has NetHunter on it. And one that was applicable, a way to bypass the lock screen via crashing the Emergency Dialer App by copying and pasting asterisks continuously, then opening the camera from the lock screen, then quickly pulling down the curtain and hitting settings. Pasting asterisks to the point where the Emergency Dialer app crashes doesn’t take two seconds so again I wasted a few hours on this…
Now this wasn’t discovered until a few years after I was using the phone but lucky me, I’ve always been a fan of privacy and never liked the fact you can activate the camera when the screen was locked, so paranoid me disabled camera access from the lock screen (Thanks me). So that path to access was null.
Finally I accepted my fate that I’d have to boot the device into recovery and reset/reformat it and then attempt to recover the deleted files.
So I turned the device off, then held the power and up volume until I was shown the Recovery Mode menu.
I recognized all of the options but could not for the life of me remember what BP Tools was (which is something I admit lightly as Mobile Pen Tests are one type of engagement I do for a living).
So I booted into BP Tools which brought me to the dreaded lock screen again. Which was odd. But then after a few seconds, I saw the beautiful USB Debugging icon on the top tray. In disbelief, I tried:
adb shell
And to my shock (and horror) I now had a shell on my Droid Razr HD… But then bam, it disappeared, rebooted and wasn’t accessible with ADB anymore.
Took me a second to realize and then a few minutes to Google and confirm, that BP tools just adds a few hidden system apps to do some tests but otherwise it boots into Android. So booting up via BP tools again, it worked and this time I was very careful to not move the device as it seemed the MicroUSB port was starting to fail/loosen up.
And yes!
adb shell
Worked again! This time I quickly su’d (I had rooted this device when I daily drove it but NOTE THAT ROOT IS NOT REQUIRED FOR THESE VULNERABILITIES), deleted the lock screen file, unplugged the microUSB cord, rebooted, and sweet victory, it booted right to the home screen.
To continue my shock and horror, I then navigated to developer options and saw that 1. they were disabled, 2. when I plugged my phone in again while developer options were still disabled, adb shell did not work, and 3. when I did turn on developer options and USB debugging, I was prompted to authorize the connection (as expected).
After spending some time going through the old phone and copying everything from the phone via ADB, I re-added a lock screen (I noted the PIN this time), deleted the adb files from my computer and the phone, disabled developer options and shut down the phone. I then rebooted via BP tools and… the ADB connection worked again!
So, I gathered my notes, took some screenshots, reported it to Motorola Solutions, who politely told me wrong organization, you need to tell Motorola Mobility… (Oop)
I then reported it to the proper Motorola via their BugCrowd, which was an experience in and of itself. As no matter how many times I said I don’t want a $ bounty, I know it’s old and out of scope. I just want permission to disclose, it didn’t seem I was going to get that confirmation. They did however confirm that this is legit and was patched around 5 years ago by Qualcomm. So after a few of their security staff said no bounty multiple times, labeled the severity to P5 and didn’t respond to my request to disclose. I tried another route.
I found the proper email to report security issues to, which promptly (and surprisingly) got back to me very quickly and professionally with another confirmation that what I saw is legit, it has since been patched and that I had permission to request a CVE and disclose.
And that brings us to now. So what did I find in my more than decade-old time capsule?
ONE PICTURE I DIDN’T HAVE.
But I did find nostalgia, a refresher on some Android knowledge, a way to attach my name to my first smart phone, and of course, a CVE.
Guess the 13 years was worth it.
Here are the reproduction steps for CVE-2025-25730:
1. Ensure that Developer Options are disabled.
2. Turn off the device.
3. Hold Power + Volume Up + Volume Down to boot into the Recovery Mode menu.
4. Use Volume Down to select the “BP Tools” option.
5. When the DROID boot screen appears, insert the MicroUSB cable that’s connected to the ADB host.
6. Wait for the lock screen to appear, whether it be a PIN, Pattern or Google Account Login.
7. Note that the Android Debug icon appears.

8. The device is now accessible via ADB.
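
For anyone checking step 8 from the host side, here is an added example (not part of the original write-up and not Motorola tooling) that reads `adb devices` output and reports whether the lock-down seen on a normal boot still holds. The serial `TESTSERIAL0001` and the function names are assumptions, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example. Serial and function names are assumptions, not from the post.

# sample_listing SERIAL STATE: constructed `adb devices` output for offline runs.
sample_listing() {
    printf 'List of devices attached\n%s\t%s\n\n' "$1" "$2"
}

# adb_state SERIAL: read `adb devices` output on stdin and print the state
# column for SERIAL (device, unauthorized, offline, ...) or "absent".
adb_state() {
    _found=absent
    while read -r _serial _state _rest; do
        if [ "$_serial" = "$1" ]; then _found=$_state; fi
    done
    echo "$_found"
}

# lockdown_verdict EXPECTATION SERIAL: compare the observed state with what the
# post saw on a normal boot.
#   debugging_off      Developer Options disabled, so adb should see no device
#   unauthorized_host  USB debugging on, this host never approved on the phone
lockdown_verdict() {
    _observed=$(adb_state "$2")
    case "$1:$_observed" in
        debugging_off:absent)           echo "PASS" ;;
        unauthorized_host:unauthorized) echo "PASS" ;;
        *:device)                       echo "FAIL: adb session available" ;;
        debugging_off:unauthorized)     echo "WARN: adbd running, host not authorized" ;;
        *)                              echo "INCONCLUSIVE: state=$_observed" ;;
    esac
}

# Live use, after booting the phone the way under test (normal or BP Tools):
#   adb devices | lockdown_verdict debugging_off TESTSERIAL0001
```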

Email confirming vulnerability and permission to disclose

END TRANSMISSION
