exynos-usbdl : unsigned code loader for Exynos BootROM

Posted on Wed 17 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, usb, exploit

In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack.

These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code.

The following chipsets are known to be affected by this bug :

  • Exynos 8890
  • Exynos …

Continue reading

Reverse engineer USB stack of Exynos BootROM

Posted on Tue 16 June 2020 in Article • Tagged with arm, exynos, samsung, bootrom, usb, reverse, ghidra

In the previous post, we explained how to dump Exynos bootROM.

Exynos (8895 in this post) bootROM contains a minimal USB stack to load a signed bootloader from an USB host (a.k.a. boot from USB). This post summarizes how this USB stack can be reversed using the Great …


Continue reading

exynos8890-bootrom-dump : dump Exynos 8890 bootROM from Samsung Galaxy S7

Posted on Mon 15 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, trustzone, exploit

This post introduces a tool to dump Samsung Galaxy S7 bootROM using known and fixed security vulnerabilities in Trustzone.

The source code is available on GitHub.

Collect bootroms

Procedure

We use a Galaxy S7 phone, with ADB access and root privileges.

BootROM code is at address 0x0, in Secure world. The TEE …


Continue reading

Emulating Exynos 4210 BootROM in QEMU

Posted on Wed 07 March 2018 in Article • Tagged with arm, exynos, samsung, bootrom, qemu, emulation, bootloader, secureboot

QEMU has support for the SMDKC210 machine, an ARM board based on Exynos 4210 SoC. Peripherals implemented in QEMU for this machine are UART, SDHCI, FIMD, I2C, Interrupt Combiner, GIC, Clock, PMU, RNG, MCT, PWM, RTC.

Samsung Galaxy S2 phone is also based on Exynos 4210, so it should be …


Continue reading

Netgear Nighthawk R7800 : add USB camera support to create a security webcam

Posted on Wed 22 November 2017 in Article • Tagged with kernel, netgear, usb, v4l2

This article explains how to customize Nighthawk X4S firmware to add a security camera feature to this always-online & almost-always-idle device. Alternative firmwares like OpenWRT or LEDE exist, but they don't fully support all stock features yet. So instead this approach is based on modified stock firmware.

Netgear Nighthawk X4S Serious webcam

Main steps are:

  • Customize …

Continue reading

SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader

Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin

Prequel

On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump eMMC of Samsung Galaxy devices :

This video strongly suggests that Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in Samsung Galaxy bootloader allow an attacker with …


Continue reading

Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM

Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug

The Amlogic S905 System-On-Chip is an ARM processor designed for video applications. It's widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM & other security features :

S905 block diagram
Amlogic S905 System Block Diagram

The SoC contains a Secure …


Continue reading

PowerLine (PLC) support in OpenWrt for D-Link DHP-1565

Posted on Sat 20 February 2016 in Article • Tagged with PLC, dhp-1565, AR7400, openwrt

D-Link 1565 is one of the few routers which integrates a PLC (Power line Communication) chipset (in this case QCA AR7400). Unfortunately, OpenWrt does not provide support for this feature yet.

This post presents configuration steps to enable PLC support in OpenWrt for this device.

Hardware configuration

By digging into …


Continue reading

Analysis of Nexus 5 Monitor mode

Posted on Thu 25 December 2014 in Article • Tagged with arm, security, qualcomm, firmware, android, nexus, trustzone

This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn't find any...so far !

Note: Terms (Non-)Secure …


Continue reading

[QPSIIR-80] Qualcomm TrustZone Integer Signedness bug

Posted on Thu 18 December 2014 in Advisory • Tagged with vulnerability, advisory, arm, security, qualcomm, android, trustzone

Summary

Qualcomm TrustZone is prone to an integer signedness bug that may allow to write NULL words to barely controllable locations in memory.

The vulnerability can be triggered from Non-Secure World through the TrustZone call "tzbsp_smmu_fault_regs_dump".

This issue has been discovered in Samsung Galaxy S5 firmware, but other devices can …

Continue reading