After extracting an image from an Innotab last night using the methods we blogged about yesterday, we mounted it and had a look.
Here’s the /data directory mounted on a Linux VM
Looking at the system/packages list and things get a whole lot scarier
The format below is:
package UID debugflag path
As you can see highlighted, virtually all the com.vtech.* apps have the debugflag enabled.
This means that with an ADB connection you don’t actually need root to read their sandbox or manipulate them.
We covered the significance of this a while back here:
https://www.pentestpartners.com/blog/android-debug-mode-and-apps-a-cautionary-tale/
What will we find next??
