Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu

Posted on Wed 15 June 2022 in Article • Tagged with arm, amlogic, bootloader, exploit, nest, secureboot, uboot, ubuntu, usb

In this post, we attack the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS.

First, we explore both hardware and software attack surface in search of security vulnerabilities that could permit arbitrary code execution on the device.

Then, using a …


Continue reading

Booting Ubuntu on Google Chromecast With Google TV

Posted on Mon 29 November 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, chromecast, uboot, ubuntu, usb

In a previous post, we detailed a vulnerability in the Amlogic System-On-Chip bootROM that allows arbitrary code execution at EL3. Since the Chromecast with Google TV (CCwGTV) is one of the devices affected by this issue, it opens the possibility to run a custom OS like Ubuntu.

This post describes …


Continue reading

amlogic-usbdl : unsigned code loader for Amlogic BootROM

Posted on Wed 10 February 2021 in Tool • Tagged with arm, amlogic, chromecast, bootrom, usb, exploit

In previous posts, we explained how to reverse the USB stack in the Exynos bootROM, which led to the discovery of a critical bug. After reproducing this methodology on Amlogic bootROM recently dumped, a similar vulnerability has been discovered in the USB stack that can be exploited to run arbitrary …


Continue reading

Dump Amlogic S905D3 BootROM from Khadas VIM3L board

Posted on Tue 09 February 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, khadas, vim3l

This post describes how to dump bootROM from Amlogic S905D3 SoC using Khadas VIM3L board. Since this board doesn't use Secure Boot, we can execute custom code in Secure World (a.k.a TrustZone) without exploiting any vulnerability. In addition, the board exposes an UART connector, which is convenient for …


Continue reading

SVE-2019-13963 : Remote stack overflow in Samsung baseband caused by malformed IMMEDIATE ASSIGNMENT message

Posted on Mon 07 December 2020 in Advisory • Tagged with vulnerability, advisory, samsung, shannon, baseband, security, arm

Description

When Samsung Shannon baseband receives message IMMEDIATE ASSIGNMENT (9.1.18 in GSM/04.08) from network, the length of the Mobile Allocation IE (GSM/04.08 10.5.2.21) is not properly checked.

GSM/04.08 IMMEDIATE ASSIGNMENT message

Mobile allocation data is directly copied to a buffer on the stack without checking …


Continue reading

Remote stack overflow in Samsung baseband caused by malformed GMM ATTACH ACCEPT message

Posted on Mon 30 November 2020 in Advisory • Tagged with vulnerability, advisory, samsung, shannon, baseband, security, arm

Description

When Samsung Shannon baseband receives message GMM ATTACH ACCEPT (9.4.2 in TS 24.008) from network, the minimum length for MS Identity IE (10.5.1.4) is not properly checked.

TS 24.008 GMM ATTACH ACCEPT message

MS Identity (IEI 0x23) length is decremented without prior check. If this value is zero, a …


Continue reading

Remote stack overflow in Samsung baseband caused by malformed P-TMSI REALLOCATION COMMAND

Posted on Mon 23 November 2020 in Advisory • Tagged with vulnerability, advisory, samsung, shannon, baseband, security, arm

Description

When Samsung Shannon baseband receives message P-TMSI REALLOCATION COMMAND (9.4.7 in TS 24.008) from network, the length of the Mobile Identity IE (10.5.1.4) is not properly checked.

TS 24.008 P-TMSI REALLOCATION COMMAND message

Mobile identity data is directly copied to a stack buffer without prior size check. This stack …


Continue reading

exynos-usbdl : unsigned code loader for Exynos BootROM

Posted on Wed 17 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, usb, exploit

In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack.

These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code.

The following chipsets are known to be affected by this bug :

  • Exynos 8890
  • Exynos …

Continue reading

Reverse engineer USB stack of Exynos BootROM

Posted on Tue 16 June 2020 in Article • Tagged with arm, exynos, samsung, bootrom, usb, reverse, ghidra

In the previous post, we explained how to dump Exynos bootROM.

Exynos (8895 in this post) bootROM contains a minimal USB stack to load a signed bootloader from an USB host (a.k.a. boot from USB). This post summarizes how this USB stack can be reversed using the Great …


Continue reading

exynos8890-bootrom-dump : dump Exynos 8890 bootROM from Samsung Galaxy S7

Posted on Mon 15 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, trustzone, exploit

This post introduces a tool to dump Samsung Galaxy S7 bootROM using known and fixed security vulnerabilities in Trustzone.

The source code is available on GitHub.

Collect bootroms

Procedure

We use a Galaxy S7 phone, with ADB access and root privileges.

BootROM code is at address 0x0, in Secure world. The TEE …


Continue reading