So I bought a new HTC Nexus One (brown with US warranty) last week and it came with a custom Vodafone UK ROM with Android Kernel Version: 2.16.405.1 CL223106 release-keys. Unfortunately, this particular firmware prohibits any OTA updates or even manual updates, and it was a nightmare trying to track down the problem. Luckily, I fell upon this user comment on Amazon’s website, which led me to this page explaining the upgrade process, which calls for a 5-stage process to get to Android version 2.3.3, which allows you to run the 2.3.4 update.
So to summarize, the upgrade process goes something like this, where each stage took about 5-30 minutes (depending on download time):
- Downgrade to 2.2 build FRG33 using passimg.zip method
- Upgrade to 2.2.1 build FRG83
- Upgrade to 2.2.1 build FRG83D
- Upgrade to 2.2.2 build FRG83G
- Upgrade to 2.3.3 build GRI40
- Upgrade to 2.3.4 (Google announcement here)
With an upgrade procedure this onerous, no wonder so few devices are running newer versions of the Android operating system. The result is an immense level of Android fragmentation, leaving 99% of the devices vulnerable to a serious security flaw in the ClientLogin API. ClientLogin was apparently designed without any encryption, so AuthTokens are transmitted in the clear.
The market share for non-vulnerable versions of Android OS might be a little better than 1% now, but not much better, according to Google’s statistics.
Image credit: Google