If you've recently updated your Nexus device from Jelly Bean to KitKat, there's a chance you're already being notified of an OTA update to KRT16S. If you're wondering what's changed, the collected list of source commits has been posted by Al Sutton. Most of the tweaks are pretty minor, including an improvement to the backup service, a few updated APNs for assorted carriers, and code to handle rare issues with the 3G Nexus 7 (2012) radio. However, there is one emergency fix for a serious bug that could result in the loss of access to encrypted disks on a device upgrading from 4.3 to 4.4.
One of the numerous security improvements included with KitKat is a new Key Derivation Function (KDF) called Scrypt. The change makes brute force attacks more expensive, helping to ensure full-disk encryption is extremely difficult to break. Naturally, devices protected by the older method of full-disk encryption are being upgraded to use Scrypt as part of the update. Unfortunately, this upgrade process suffered from a pretty serious oversight. While users were asked for the passphrase used to secure their devices, no verification check was performed before the conversion began. If users entered an incorrect passphrase, the upgrade could effectively scramble the cryptographic keys and leave an owner's data inaccessible.
The fix (e41ab11) was submitted 5 days ago, only 2 days after the first OTAs began rolling out to both Nexus 7s and the Nexus 10. This issue prompted a halt to the rollout of KRT16O, explaining why many people were left waiting longer than expected for KitKat.
Here is a summary of the remaining changes:
- The backup service now has registration occurring dynamically. (c46c4a6)
- It appears there were some issues with the tilapia (2012 GSM Nexus 7) radio, which the developers solved by forcing a restart of the radio after provisioning (2575df8).
- Mako (Nexus 4) received an updated prebuilt kernel (6a0177d) and a few tweaks to the APNs for several carriers (753ddc7, 59e4a0c, 0af7ccb, 962c235). Update: The change to the kernel was an updated WLAN driver (6aa1c72) - Thanks, deltatux.
The update isn't particularly exciting, but it might save a few people from a pretty serious catastrophe. The Nexus 5 almost certainly won't be receiving this OTA because it never could have used the earlier form of full-disk encryption, therefore it would never need to go through the upgrade process. Otherwise, all of the factory images have been updated to build KRT16S and no more devices are receiving OTAs for KRT16O. If you've already updated, an OTA for the latest version should be rolling out to you soon.