Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu

Posted on Wed 15 June 2022 in Article • Tagged with arm, amlogic, bootloader, exploit, nest, secureboot, uboot, ubuntu, usb

In this post, we attack the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS.

First, we explore both the hardware and software attack surfaces in search of security vulnerabilities that could permit arbitrary code execution on the device.

Then, using a …


Booting Ubuntu on Google Chromecast With Google TV

Posted on Mon 29 November 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, chromecast, uboot, ubuntu, usb

In a previous post, we detailed a vulnerability in the Amlogic System-On-Chip bootROM that allows arbitrary code execution at EL3. Since the Chromecast with Google TV (CCwGTV) is one of the devices affected by this issue, it opens the possibility to run a custom OS like Ubuntu.

This post describes …


amlogic-usbdl: unsigned code loader for Amlogic BootROM

Posted on Wed 10 February 2021 in Tool • Tagged with arm, amlogic, chromecast, bootrom, usb, exploit

In previous posts, we explained how to reverse the USB stack in the Exynos bootROM, which led to the discovery of a critical bug. After applying the same methodology to a recently dumped Amlogic bootROM, a similar vulnerability was discovered in its USB stack that can be exploited to run arbitrary …


exynos-usbdl: unsigned code loader for Exynos BootROM

Posted on Wed 17 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, usb, exploit

In previous posts, we explained how to dump the Exynos bootROM and reverse its USB stack.

These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code.

The following chipsets are known to be affected by this bug:

  • Exynos 8890
  • Exynos …


Reverse engineering the USB stack of the Exynos BootROM

Posted on Tue 16 June 2020 in Article • Tagged with arm, exynos, samsung, bootrom, usb, reverse, ghidra

In the previous post, we explained how to dump the Exynos bootROM.

The Exynos bootROM (Exynos 8895 in this post) contains a minimal USB stack used to load a signed bootloader from a USB host (a.k.a. boot from USB). This post summarizes how this USB stack can be reversed using the Great …


Netgear Nighthawk R7800: add USB camera support to create a security webcam

Posted on Wed 22 November 2017 in Article • Tagged with kernel, netgear, usb, v4l2

This article explains how to customize the Nighthawk X4S firmware to add a security camera feature to this always-online and almost-always-idle device. Alternative firmware such as OpenWrt or LEDE exists, but it does not yet fully support all stock features, so this approach is instead based on modifying the stock firmware.

Netgear Nighthawk X4S Serious webcam

Main steps are:

  • Customize …


SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader

Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin

Prequel

On October 21st 2015, the mobile forensics company Cellebrite published a video demonstrating how their solution can dump the eMMC of Samsung Galaxy devices:

This video strongly suggests that the Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in the Samsung Galaxy bootloader allow an attacker with …
