I recently purchased a Nexus 5 off of eBay. Whenever I buy electronics used I like to flash them with stock boot loaders and images. I want to make sure that the person who sent it to me doesn't have a malicious image on it that exfils data to China (or to themselves, for that matter).
I searched the web for guides on how to do this. There is a lot of good info out there; however, people often host their own images on http (not httpS) sites and don't provide checksums, and checksums themselves are worth less if they are not delivered over a secure transport such as https.
Disclaimer: This is not to slander any site out there providing images and/or walkthroughs. They are probably safe but it never hurts to make sure your "T"s aren't dotted and your "I"s aren't crossed. There's a good amount of great trustworthy info out there that I depend on. I'm somewhat paranoid also.
Background
I started out by reading this post http://www.androidrootz.com/2013/11/how-to-unroot-nexus-5-complete-stock.html which is great. After understanding the process I wanted to get the following from verified sources:
- Boot loader image: Even if your OS is stock/safe, if it's loaded by a backdoored boot loader you're still vulnerable. http://en.wikipedia.org/wiki/Rootkit#Bootkits
- Image: You definitely want this coming from a trusted source. It's the OS on top of which all applications run and through which all data passes.
- fastboot: You want your install utility to come from a trusted source. Since it's handling the install of the boot loader and the OS, you want to be confident it's trustworthy and not backdooring either installation.
Getting Boot loader
First I got my boot loader/images (based on phone model) from:
https://developers.google.com/android/nexus/images
They have their checksums there.
I ran shasum on the downloaded file:
shasum [file]
It matched what I expected, so I unpacked the archive. It contains a number of files, one of which will conduct the whole reset process for you: flash-all.sh.
Note: For the extra paranoid out there, it is advisable to get your download from one trusted source (over https) and your checksum from another trusted source (over https). In the unlikely chance that the android image page got pwnd, the attacker could change both the download archive and the checksum so they still match.
Prepping flash script
Make sure the flash-all.sh script is executable:
chmod 755 ./flash-all.sh
I edited it so that it looks like the following, as we will be running an executable from the local folder.
Notice it is ./fastboot instead of fastboot.
Getting fastboot
I then got my fastboot executable from https://developer.android.com/sdk/index.html
Under "VIEW ALL DOWNLOADS AND SIZES" you will find the md5 checksums. Instead of running "shasum" on my download I ran "md5". It matched, so I unpacked the archive.
I copied the fastboot executable from sdk/platform-tools to the downloaded image/boot loader folder containing the flash-all.sh script.
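The two checks above (shasum on the image archive, md5 on the SDK download) are the same pattern: compare the digest of what you downloaded against a digest you obtained separately, and only unpack on a match. Here is that pattern scripted, as an added example that is not from the original post; it assumes GNU coreutils (sha1sum/sha256sum/md5sum) or the macOS shasum and md5 tools, and the sample file and its digests are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded archive
# against a checksum obtained from a second source before unpacking it.
# Assumes GNU coreutils (sha1sum/sha256sum/md5sum) or, as on macOS,
# the perl shasum and BSD md5 tools the post uses.

# hash_file FILE ALGO -> lowercase hex digest; ALGO is sha1, sha256 or md5.
hash_file() {
    case "$2" in
        sha1)   tool=sha1sum;   fallback='shasum -a 1' ;;
        sha256) tool=sha256sum; fallback='shasum -a 256' ;;
        md5)    tool=md5sum;    fallback='md5 -q' ;;
        *) echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        digest=$("$tool" "$1" | awk '{print $1}')
    else
        digest=$($fallback "$1" | awk '{print $1}')
    fi
    printf '%s\n' "$digest" | tr 'A-F' 'a-f'
}

# verify_download FILE EXPECTED ALGO -> 0 on match, 1 on mismatch.
# EXPECTED is the digest copied from the (separately fetched) checksum page.
verify_download() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(hash_file "$1" "$3") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 ($3 $actual)"
        return 0
    fi
    echo "MISMATCH: $1 expected $expected, got $actual" >&2
    return 1
}

# unpack_if_verified ARCHIVE EXPECTED ALGO: untar only after the digest
# matches, so a tampered archive never reaches the flash step.
unpack_if_verified() {
    verify_download "$1" "$2" "$3" || { echo "refusing to unpack $1" >&2; return 1; }
    tar -xzf "$1"
}

# Constructed demo (no network): a known file and its known sha1 digest.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.tgz"   # stand-in for the image archive
verify_download "$demo_dir/sample.tgz" f572d396fae9206628714fb2ce00f72e94f2258f sha1
verify_download "$demo_dir/sample.tgz" 0000000000000000000000000000000000000000 sha1 || true
rm -r "$demo_dir"
```

For the real archive you would call unpack_if_verified with the digest from the Google images page and the archive you downloaded; a non-zero exit means nothing was extracted.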
Flashing
Following the steps from androidrootz.com, I put my phone in fastboot mode.
I ran the flash-all.sh script and waited for it to complete. From there I followed steps 9-18 from the androidrootz.com website.