Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu

Posted on Wed 15 June 2022 in Article • Tagged with arm, amlogic, bootloader, exploit, nest, secureboot, uboot, ubuntu, usb

In this post, we attack the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS.

First, we explore both hardware and software attack surface in search of security vulnerabilities that could permit arbitrary code execution on the device.

Then, using a …

Continue reading

Booting Ubuntu on Google Chromecast With Google TV

Posted on Mon 29 November 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, chromecast, uboot, ubuntu, usb

In a previous post, we detailed a vulnerability in the Amlogic System-On-Chip bootROM that allows arbitrary code execution at EL3. Since the Chromecast with Google TV (CCwGTV) is one of the devices affected by this issue, it opens the possibility to run a custom OS like Ubuntu.

This post describes …

Continue reading

amlogic-usbdl : unsigned code loader for Amlogic BootROM

Posted on Wed 10 February 2021 in Tool • Tagged with arm, amlogic, chromecast, bootrom, usb, exploit

In previous posts, we explained how to reverse the USB stack in the Exynos bootROM, which led to the discovery of a critical bug. After reproducing this methodology on Amlogic bootROM recently dumped, a similar vulnerability has been discovered in the USB stack that can be exploited to run arbitrary …

Continue reading

Dump Amlogic S905D3 BootROM from Khadas VIM3L board

Posted on Tue 09 February 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, khadas, vim3l

This post describes how to dump bootROM from Amlogic S905D3 SoC using Khadas VIM3L board. Since this board doesn't use Secure Boot, we can execute custom code in Secure World (a.k.a TrustZone) without exploiting any vulnerability. In addition, the board exposes an UART connector, which is convenient for …

Continue reading

Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM

Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug

The Amlogic S905 System-On-Chip is an ARM processor designed for video applications. It's widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM & other security features :

S905 block diagram
Amlogic S905 System Block Diagram

The SoC contains a Secure …

Continue reading