Posted on Wed 07 March 2018 in Article • Tagged with arm, exynos, samsung, bootrom, qemu, emulation, bootloader, secureboot
QEMU has support for the SMDKC210 machine, an ARM board based on Exynos 4210 SoC. Peripherals implemented in QEMU for this machine are UART, SDHCI, FIMD, I2C, Interrupt Combiner, GIC, Clock, PMU, RNG, MCT, PWM, RTC.
Samsung Galaxy S2 phone is also based on Exynos 4210, so it should be …
Posted on Wed 22 November 2017 in Article • Tagged with kernel, netgear, usb, v4l2
This article explains how to customize Nighthawk X4S firmware to add a security camera feature to this always-online & almost-always-idle device. Alternative firmwares like OpenWRT or LEDE exist, but they don't fully support all stock features yet. So instead this approach is based on modified stock firmware.
Main steps are:
Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin
On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump eMMC of Samsung Galaxy devices :
This video strongly suggests that Samsung Galaxy bootloader can be exploited to execute arbitrary code.
Several bugs in Samsung Galaxy bootloader allow an attacker with …
Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug
The Amlogic S905
System-On-Chip is an ARM processor designed for video
applications. It's widely used in Android/Kodi media boxes. The SoC
implements the TrustZone security extensions to run a Trusted
Execution Environment (TEE) that enables DRM & other security
features :
|
| Amlogic S905 System Block Diagram |
Posted on Sat 20 February 2016 in Article • Tagged with PLC, dhp-1565, AR7400, openwrt
D-Link 1565 is one of the few routers which integrates a PLC (Power
line Communication) chipset (in this case QCA AR7400).
Unfortunately, OpenWrt does not provide support for this feature
yet.
This post presents configuration steps to enable PLC support in
OpenWrt for this device.
Posted on Thu 25 December 2014 in Article • Tagged with arm, security, qualcomm, firmware, android, nexus, trustzone
This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn't find any...so far !
Note: Terms (Non-)Secure …
Posted on Thu 18 December 2014 in Advisory • Tagged with vulnerability, advisory, arm, security, qualcomm, android, trustzone
Posted on Thu 13 November 2014 in Article • Tagged with mips, smarttv, libupnp, philips, exploit
This post is a translated summary of the article published for my talk at SSTIC 2014 conference (french).
My Philips Smart TV is a Linux box standing there in my living room : that's a sufficient reason to try to get root.
Posted on Fri 16 May 2014 in Tool • Tagged with mips, smarttv, firmware, philips
pflupg-tool is an
unpacking tool for Philips SmartTV firmware (Fusion platform). If
your firmware is encrypted, you have to provide the corresponding
public key (public exponent + modulus).
You can add public keys in pflupg.h file:
#define PUBLIC_KEYS_CNT 2
// { name, public exponent e (hex string), modulus n (hex string)}
static …Posted on Thu 15 May 2014 in Advisory • Tagged with vulnerability, advisory
DirectFB is prone to an out-of-bound write vulnerability since version 1.4.4.
The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).