I Built a Script That Tests If Your Android Kernel Can Stop You From Bricking Your Phone

Last week I watched someone in a Telegram group brick their phone. They were messing with partitions, thought they knew what they were doing, and boom. Dead phone.

That got me thinking. What if we could test partition protection before it matters? What if there was a way to poke at your device and confirm that the safety nets actually work?

So I wrote this thing.

The Problem Nobody Talks About

Android phones have these things called LSM hooks — Linux Security Modules. They're supposed to block writes to critical partitions. Your bootloader, your modem firmware, all that stuff you really don't want to touch.

But here's the thing: how do you know they're actually working?

You don't. Not until you try to write something bad and either get blocked (good) or brick your phone (very bad).

That's a terrible testing strategy.

What This Script Actually Does

The idea is simple. We try to write one byte — just one — to each partition. If the kernel blocks it, great. If the kernel lets it through, we immediately roll it back and tell you something's wrong.

Let me walk you through the code.

Setup and Colors

#!/system/bin/sh

ESC_G="\033[32m"
ESC_R="\033[31m"
ESC_Y="\033[33m"
ESC_N="\033[0m"
ESC_M="\033[35m"

echo "===== LSM Protected Partition Self-Check ====="
date

BYNAME_DIR="/dev/block/by-name"
[ ! -d "$BYNAME_DIR" ] && { echo "Cannot find $BYNAME_DIR, exiting"; exit 1; }

Pretty standard stuff. Set up some color codes for terminal output. Green for pass, red for fail, yellow for skip. Then check if the block device directory exists. If it doesn't, we're not on a standard Android setup and there's nothing to test.

The Exclusion List

is_excluded() {
  local name="$1"
  case "$name" in
    boot*|init_boot*|vendor_boot*|userdata*|metadata*|cache*|misc*|dtbo*)
      return 0 ;;
    *) return 1 ;;
  esac
}

Some partitions we don't touch. Period. Boot partitions could brick you instantly. Userdata is your actual files. Metadata and cache are filesystem critical. Even with rollback, I'm not risking these.

Deduplication Tracking

SEEN_DEVICES=""

seen_has() {
  case " $SEEN_DEVICES " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

seen_add() {
  SEEN_DEVICES="$SEEN_DEVICES $1"
}

The names in by-name are symlinks. Sometimes multiple names point to the same physical device. We track what we've already tested so we don't hit the same partition twice.

The Main Loop

FAIL=0
COUNT=0

for link in "$BYNAME_DIR"/*; do
  [ -L "$link" ] || continue
  BNAME="$(basename "$link")"

  if is_excluded "$BNAME"; then
    printf "${ESC_Y}[SKIP] Excluding high-risk partition: %s${ESC_N}\n" "$BNAME"
    continue
  fi

  REALDEV="$(readlink -f "$link" 2>/dev/null)"
  if [ -z "$REALDEV" ] || [ ! -e "$REALDEV" ]; then
    printf "${ESC_Y}[SKIP] Cannot resolve real device: %s${ESC_N}\n" "$BNAME"
    continue
  fi
  
  if seen_has "$REALDEV"; then
    printf "${ESC_Y}[SKIP] Already tested this device: %s -> %s${ESC_N}\n" "$BNAME" "$REALDEV"
    continue
  fi
  seen_add "$REALDEV"

Loop through every symlink in the by-name directory. Skip if it's excluded or if we've already tested that physical device. Resolve the symlink to get the actual block device path.

The Actual Test

  echo "---- Testing ${BNAME} -> ${REALDEV} ----"
  COUNT=$((COUNT+1))

  PRE="$(dd if="$REALDEV" bs=1 count=1 2>/dev/null | od -An -tx1 2>/dev/null | tr -d ' \n')"
  [ -z "$PRE" ] && PRE="--"
  echo "  First byte (before write): $PRE"

  DD_OUT="$(dd if=/dev/zero of="$REALDEV" bs=1 count=1 2>&1 </dev/null)"
  RC=$?
  echo "$DD_OUT" | head -n2 | sed 's/^/  dd: /'
  echo "  dd return code: $RC"

  POST="$(dd if="$REALDEV" bs=1 count=1 2>/dev/null | od -An -tx1 2>/dev/null | tr -d ' \n')"
  [ -z "$POST" ] && POST="--"
  echo "  First byte (after write): $POST"

This is the core. Read one byte, save it as hex. Try to write a zero byte. Check the return code. Read the byte again.

If the kernel's LSM hooks are working, the write fails and the byte stays the same.

Pass or Fail Logic

  if [ "$RC" -ne 0 ] && [ "$PRE" = "$POST" ]; then
    printf "${ESC_G}  [PASS] Blocked (no actual write occurred)${ESC_N}\n"
    continue
  fi

  printf "${ESC_R}  [FAIL] Suspicious: return code=%s, content changed: %s -> %s${ESC_N}\n" "$RC" "$PRE" "$POST"

Simple check. Non-zero return code AND byte unchanged means protection works. Anything else is a problem.

The Rollback

  if [ "$PRE" = "--" ]; then
    printf "${ESC_Y}  [WARN] Couldn't read original byte, cannot rollback; please check manually${ESC_N}\n"
    FAIL=1
    break
  fi

  printf "  Attempting to rollback first byte to 0x%s ...\n" "$PRE"
  printf "\\x$PRE" | dd if=/proc/self/fd/0 of="$REALDEV" bs=1 count=1 conv=notrunc 2>/dev/null

  NOW="$(dd if="$REALDEV" bs=1 count=1 2>/dev/null | od -An -tx1 2>/dev/null | tr -d ' \n')"
  [ -z "$NOW" ] && NOW="--"
  echo "  First byte after rollback: $NOW"

  if [ "$NOW" = "$PRE" ]; then
    printf "${ESC_M}  [ROLLBACK-OK] Restored original byte 0x%s${ESC_N}\n" "$PRE"
  else
    printf "${ESC_R}  [ROLLBACK-FAIL] Could not restore first byte (expected %s, got %s)${ESC_N}\n" "$PRE" "$NOW"
  fi

  FAIL=1
  break
done

If something went wrong, we try to put the original byte back. Write it, verify it took. Either way we mark this as a failure and stop testing — no point continuing if protection is broken.

Final Report

echo
echo "==== Last 10 baseband_guard log entries ===="
dmesg | grep baseband_guard | tail -n 10

echo
if [ "$FAIL" -eq 0 ]; then
  if [ "$COUNT" -gt 0 ]; then
    printf "${ESC_G}==== Self-check: PASS (tested %s partitions, all verified, no actual writes)====${ESC_N}\n\n" "$COUNT"
  else
    printf "${ESC_Y}==== Self-check: SKIP (no testable partitions found)====${ESC_N}\n\n"
  fi
else
  printf "${ESC_R}==== Self-check: FAIL (anomaly detected; attempted rollback at that point)====${ESC_N}\n"
fi

printf "Green ${ESC_G}[PASS]${ESC_N} = Successfully blocked\n"
printf "Yellow ${ESC_Y}[SKIP]${ESC_N} = Excluded/duplicate/unresolvable, can be ignored\n"
printf "Red ${ESC_R}[FAIL]${ESC_N} = Anomaly detected (rollback attempted)\n"
printf "If you see red ${ESC_R}[FAIL]${ESC_N} please screenshot and report to the author\n\n"
printf "QiuDaoYu: https://t.me/qdykernel\n"

Dump some kernel logs that might be relevant. Print a summary. Tell the user what the colors mean and where to report bugs.

If you run this and get all green, you're good. Your kernel actually does what it says.

If you see red, screenshot it and send it to whoever made your kernel. That's a bug they need to know about.

What's the sketchiest thing you've done to your phone that you got away with?