Nexus 9 Android Builds before N4F27B contains a firmware injection vulnerability via I2C bus through a SAR sensor driver flashing flaw. This vulnerability requires access to the I2C bus, which is available via the USB fastboot interface and HBOOT interface, which is exposed via the headphone jack.
09cb9ce7a0b1f5b948804b87b863cd8f524662124754065615cd2d56ab103125