![Page 1: Exploiting Samsung S10 S-Boot Breaking Samsung's Root of Trust · Conclusion Even if the data is stored in secure world, it doesn’t mean it’s 100% secure But it’s made exploiting](https://reader034.vdocuments.net/reader034/viewer/2022052613/604bd8aa0f726526c4116759/html5/thumbnails/1.jpg)
Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot
Jeffxx
#BHUSA @BLACKHATEVENTS
Jeff Chao (Jeffxx)
◆ Researcher at Trapa Security
◆ Ex-senior Researcher at TeamT5
◆ Member of HITCON CTF Team
◆ Member of Chroot
◆ Focus on Mobile and IoT Vulnerabilities
AGENDA
01 Samsung Security Framework - Knox
02 Related Work
03 Vulnerabilities in Secure Boot
04 Demo
05 After Code Execution on S-boot
Samsung Security Framework Knox
Knox - Root of Trust
Knox – Trusted Boot
◆ Hardware PBL
  ◆ Verify secure boot (S-Boot) & load it
◆ S-Boot
  ◆ Set the handler for Monitor mode, drop privilege
  ◆ Request EL3 to initialize the TEE OS
  ◆ Verify & load the Hypervisor (uh.bin)
  ◆ Verify & load the Kernel (boot.img)
◆ Kernel with dm-verity
  ◆ Verify system.img & mount
  ◆ Verify vendor.img & mount
Knox bit (warranty bit)
◆ One-time fuse, cannot be restored
◆ Blown when the device boots a custom image; once blown, Knox-dependent features are permanently disabled
Sensitive Data Protection
◆ Sensitive data on storage is encrypted while the device is locked
◆ The encrypted keys are held in TrustZone
Sensitive Data Protection (cont.)
◆ Some critical information can only be decrypted by a trustlet
ARM TrustZone (figure)
EL0: Non-secure world User Mode | Secure world User Mode
EL1: Non-secure world Kernel Mode | Secure world Kernel Mode
EL2: Non-secure world Hypervisor Mode
EL3: Monitor Mode
Related Work
BH17 – Defeating Samsung KNOX with zero privilege by returnsme
◆ EL0 -> EL1 (kinibi)
(TrustZone exception-level diagram, as on the ARM TrustZone slide)
BH17 EU - How Samsung Secures Your Wallet by Tencent Lab
◆ EL0 -> Secure EL0 (kinibi)
(TrustZone exception-level diagram, as on the ARM TrustZone slide)
BH19 – Breaking Samsung's Arm Trustzone
◆ EL0 -> Secure EL3 (kinibi, S8 and before)
(TrustZone exception-level diagram, as on the ARM TrustZone slide)
What if the device is turned off & we don’t know the passcode?
In this talk
◆ Outside the box (locked phone) -> Non-secure EL1
(TrustZone exception-level diagram, as on the ARM TrustZone slide; here EL1 is labelled with the AArch32 SVC/Sys/Abort modes)
S-Boot Boot Flow (figure)
Init -> Set monitor mode -> Check boot mode -> Verify boot image -> Boot into kernel
Check boot mode: ODIN mode is entered when Volume Down + Power is held
ODIN mode
◆ Flash stock firmware
◆ Rollback prevention
Vulnerability I
Odin Request
◆ opCode
  ◆ 0x64 Odin mode init & settings
  ◆ 0x65 Flash PIT
  ◆ 0x66 Flash image
◆ subOp
  ◆ Depends on the opCode
  ◆ e.g. initialize, set, get, etc.
◆ arg1 ~ arg4
  ◆ Carry a size or some other value
Odin Flash Image Command
◆ No check on the provided size
  ◆ Integer overflow
◆ Uses 0xC0000000 if the size is less than 0x1e00000
  ◆ Otherwise uses 0xB0000000
◆ Copies the image to the buffer
  ◆ S8 and before: at 0xC0000000
  ◆ S9 and later: at 0x880000000
Overflow the physical memory (figure)
Physical layout from 0xC0000000 upward: buffer for flash image, heap, heap, S-Boot data segment / stack, S-Boot code segment at 0xC9000000
After the overflow the regions between the image buffer and 0xC9000000 are labelled "data overwritten" and "filled with null"
Bypass MMU
◆ The S-Boot code segment at 0xC9000000 is mapped read-only
◆ The USB controller writes incoming data by DMA
  ◆ DMA ignores the MMU's permissions, so the code segment gets overwritten anyway
Cache Incoherency
◆ While data is being received, the CPU keeps polling the USB event
  ◆ That code is served from the cache, so the CPU does not see the overwritten code right away
◆ Only the heap is uncached
Code Execution
◆ The heap is uncached, and the polling code dereferences a pointer that lives in the heap
◆ As soon as the overflow overwrites that heap data with NULL, the dereference raises a data abort
◆ The abort handler's code has already been overwritten with a jump sled
◆ The shellcode is placed in front of the code segment
Overflow the physical memory (figure, with the payload in place)
Same layout from 0xC0000000 to 0xC9000000; the image buffer and heap regions are filled with null, the S-Boot code segment is replaced by the modified code, and the shellcode sits in front of it
But
◆ S9 and later are not exploitable this way
  ◆ The default buffer was moved to 0x880000000
◆ Spent half a year trying to exploit the S10
Potential Exploit Path on S10
◆ On S9 and later, ODIN has a parallel & compressed download mode
  ◆ It boots up another 2 CPU cores and sets the image buffer to 0x880000000
◆ If booting those cores fails, it falls back to the normal download mode
  ◆ The buffer changes back to 0xC0000000
Potential Exploit Path on S10
◆ Make the CPU boot fail
Potential Exploit Path on S10
◆ UART mode
  ◆ Cmd – smp_test
    ◆ Test-boots a CPU core and shuts it down immediately
    ◆ But the count of booted cores is not decremented
  ◆ Cmd – download
    ◆ Enters Odin mode
Potential Exploit Path on S10
◆ Enter UART mode
  ◆ We need a debug cable that makes S-Boot detect RID_523K
  ◆ Tried Type-C VDM mode, accessory mode, pull-down / pull-up resistors
  ◆ All failed
We reported the bug in Aug 2019
Result: Duplicated
Patch Note
◆ Samsung Security Update - October 2019
  ◆ SVE-2019-15230 Potential Integer overflow in Bootloader
The Patch
Vulnerability II
Aligned Size?
Odin - packet data size
◆ We can set the packet data size with opCode 0x64, subOp 0x05
Exploit
◆ Bypass the check
  ◆ The USB receive size can be larger than 0x10000000 again
◆ Achieve code execution the same way as with the previous vulnerability
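The two size bugs above, Vulnerability I (the unchecked image size) and Vulnerability II (the packet-size bypass), modelled as an added C example that is not S-Boot code and not from the talk. It only computes where a receive would end against the addresses the slides give (buffers at 0xC0000000 and 0xB0000000, S-Boot code at 0xC9000000, the 0x10000000 image limit, the 0xFFFFFF packet limit) and classifies the result. Three things are assumptions made for the model, not facts from the slides: the capacity of the 0xB0000000 buffer, the 32-bit end-address wrap in recv_image_wrapping_check (the patch note names an integer overflow without showing the expression), and the check-then-align reading of the "Aligned Size?" slide in recv_image_check_then_align.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the Odin flash-image size handling, built only from the
 * figures on the slides.  Not S-Boot code and it touches no memory: each function
 * computes where a receive would end and classifies that.  The big-buffer capacity
 * is an assumption (0xB0000000 + 0x10000000 is exactly 0xC0000000). */

#define SMALL_BUF_BASE 0xC0000000ull
#define SMALL_BUF_CAP  0x01E00000ull /* sizes below this select the small buffer */
#define BIG_BUF_BASE   0xB0000000ull
#define BIG_BUF_CAP    0x10000000ull /* assumption, see above */
#define SBOOT_CODE     0xC9000000ull /* S-Boot code: read-only for the CPU, not for USB DMA */
#define MAX_IMAGE_SIZE 0x10000000u   /* limit added by the Vulnerability I patch */
#define MAX_PACKET     0x00FFFFFFu   /* packet-size limit after the Vulnerability II patch */

typedef enum { RECV_OK, RECV_REJECTED, RECV_OVERFLOWS, RECV_REACHES_CODE } verdict_t;
typedef struct { uint64_t base, cap; } region_t;

/* Buffer selection as stated on the slide (S8 and before). */
static region_t select_buffer(uint32_t image_size) {
    region_t small = { SMALL_BUF_BASE, SMALL_BUF_CAP };
    region_t big   = { BIG_BUF_BASE, BIG_BUF_CAP };
    return image_size < SMALL_BUF_CAP ? small : big;
}

/* Where a receive of `len` bytes into `r` ends: past the buffer it hits S-Boot's
 * own heap, data and stack; past 0xC9000000 it hits the code segment, which the
 * USB controller's DMA overwrites regardless of the MMU. */
static verdict_t classify(region_t r, uint64_t len) {
    uint64_t end = r.base + len;
    if (end > SBOOT_CODE)     return RECV_REACHES_CODE;
    if (end > r.base + r.cap) return RECV_OVERFLOWS;
    return RECV_OK;
}

/* Vulnerability I as the slides describe it: the host-supplied size is used as-is. */
verdict_t recv_image_unchecked(uint32_t image_size) {
    return classify(select_buffer(image_size), image_size);
}

/* The overflow shape the patch note names ("Potential Integer overflow"), shown on
 * a generic end-address check; the slides do not show S-Boot's actual expression.
 * In 32-bit arithmetic base + size wraps past zero and a huge image "fits". */
verdict_t recv_image_wrapping_check(uint32_t image_size) {
    region_t r = select_buffer(image_size);
    uint32_t end32 = (uint32_t)r.base + image_size;          /* wraps for size >= 0x40000000 */
    if (end32 > (uint32_t)(r.base + r.cap)) return RECV_REJECTED;
    return classify(r, image_size);
}

/* Vulnerability II as this model reads the "Aligned Size?" slide (an assumption):
 * the image size is checked, but the receive then runs for that size rounded up
 * to the host-chosen packet size (opCode 0x64, subOp 0x05). */
verdict_t recv_image_check_then_align(uint32_t image_size, uint32_t packet_size) {
    if (image_size > MAX_IMAGE_SIZE || packet_size == 0) return RECV_REJECTED;
    uint64_t aligned = ((uint64_t)image_size + packet_size - 1) / packet_size * packet_size;
    return classify(select_buffer(image_size), aligned);
}

/* Hardened: bound the packet size, compute the length that will actually be
 * written, and compare that length, in 64 bits, against the chosen buffer. */
verdict_t recv_image_hardened(uint32_t image_size, uint32_t packet_size) {
    if (packet_size == 0 || packet_size > MAX_PACKET) return RECV_REJECTED;
    if (image_size > MAX_IMAGE_SIZE) return RECV_REJECTED;
    region_t r = select_buffer(image_size);
    uint64_t aligned = ((uint64_t)image_size + packet_size - 1) / packet_size * packet_size;
    if (aligned > r.cap) return RECV_REJECTED;               /* cannot wrap in 64 bits */
    return classify(r, aligned);
}

int main(void) {
    static const char *name[] = { "ok", "rejected", "overflows into S-Boot heap/data", "reaches S-Boot code" };
    printf("unchecked  0x20000000        -> %s\n", name[recv_image_unchecked(0x20000000)]);
    printf("wrapping   0x50000000        -> %s\n", name[recv_image_wrapping_check(0x50000000)]);
    printf("then-align 0x1000/0x20000000 -> %s\n", name[recv_image_check_then_align(0x1000, 0x20000000)]);
    printf("hardened   0x1000/0x20000000 -> %s\n", name[recv_image_hardened(0x1000, 0x20000000)]);
    return 0;
}
```

The practitioner's check is the last function: validate the exact byte count the receive loop will use, after any rounding to packet size, against the capacity of the buffer that was actually selected, and do the arithmetic in a width that cannot wrap. Checking the nominal image size alone leaves every later adjustment (alignment, padding, a host-controlled packet size) outside the check.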
I reported the bug immediately
Patch Note
◆ Samsung Security Update - Jan 2020
The Patch
Vulnerability III
ODIN – PIT flash command
◆ opCode = 0x65
◆ The PIT is very small, so Odin stores it in a heap buffer
  ◆ of size 0x2000
The patch of Vulnerability II
◆ The packet data size can still be up to 0xFFFFFF
◆ > 0x2000 => heap overflow
Pseudo code - receive data
◆ (The slide shows pseudocode for the receive operation; not reproduced here)
◆ In our test, usb_recv keeps receiving until the passed size is reached
◆ Even if we send the data with huge intervals in between
We thought this was unexploitable, so I stuck to Vulnerability I
How About Interrupting the USB
◆ Remove and re-insert the USB cable
◆ usb_recv returns with an insufficient size
Heap overflow
◆ We can overwrite the metadata of a heap chunk
◆ House of Spirit
(Figure: heap chunks, each with a header of size, unused, prev, next followed by its data)
Fake Chunk
◆ No check on the doubly linked list
(Figure: a faked chunk header placed among the real chunks)
Limited Overwrite Data
◆ The free path writes *(prev + 4) = 1 (it marks the chunk that prev points to as unused)
◆ It is AArch64, so pointers are 64-bit
◆ Code lives at 0xC9000000
◆ A write of the value 1 cannot produce a useful pointer, so we cannot point to
  ◆ the GOT
  ◆ a function pointer
(Figure: the faked chunk's prev points at a chunk header whose "unused" field becomes 1 on free)
Overwrite RIP in stack
◆ The only chance is to overwrite a return address on the stack
◆ Only 3 function calls deep
◆ Fortunately
  ◆ The Odin cmd buf is the first local variable
(Figure: stack frames of saved SP/PC and local variables, with the Odin cmd buf laid out next to the heap chunk headers)
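The PIT heap overflow and the missing list check, as an added C example that is neither S-Boot's allocator nor the talk's exploit: a toy arena using the chunk header drawn on the slides (size, unused, prev, next), a toy usb_recv that returns short when the "cable" is pulled, the vulnerable and the hardened PIT handler, and the bidirectional link check the slides say the allocator lacks. The arena, all function names, the stream and the payload are constructed for this example; the House of Spirit step that turns the forged header into control of a return address is deliberately not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the PIT-flash receive path and of the chunk header drawn on
 * the slides (size / unused / prev / next, doubly linked, freed with no link check).
 * Not S-Boot's allocator and not the talk's exploit: arena, allocator, "USB" stream
 * and payload are toys built for this example. */

#define PIT_BUF_SIZE 0x2000u   /* the PIT goes into a 0x2000-byte heap buffer */
#define ARENA_SIZE   0x8000u
#define IN_ARENA(p)  ((const uint8_t *)(p) >= arena && (const uint8_t *)(p) + sizeof(chunk_t) <= arena + ARENA_SIZE)

typedef struct chunk {
    uint32_t size, unused;      /* usable bytes after the header; 1 while free */
    struct chunk *prev, *next;  /* address-ordered doubly linked list */
} chunk_t;

static uint8_t arena[ARENA_SIZE] __attribute__((aligned(16)));
static chunk_t *head;

void heap_init(void) {                         /* PIT buffer plus a neighbour to overflow into */
    memset(arena, 0, sizeof arena);
    chunk_t *a = (chunk_t *)arena, *b = (chunk_t *)(arena + sizeof *a + PIT_BUF_SIZE);
    *a = (chunk_t){ PIT_BUF_SIZE, 1, NULL, b };
    *b = (chunk_t){ 0x100, 1, a, NULL };
    head = a;
}

void *heap_alloc(uint32_t n) {                 /* first fit, returns the data pointer */
    for (chunk_t *c = head; c; c = c->next)
        if (c->unused && c->size >= n) { c->unused = 0; return (uint8_t *)c + sizeof *c; }
    return NULL;
}

/* Both directions of every link plus header contiguity: the check the slides say
 * the allocator lacks ("no check for double linked list"). */
bool heap_integrity(void) {
    for (chunk_t *c = head; c; c = c->next) {
        if (c->unused > 1) return false;
        if (c->prev && (!IN_ARENA(c->prev) || c->prev->next != c)) return false;
        if (c->next && (!IN_ARENA(c->next) || c->next->prev != c ||
                        (uint8_t *)c->next != (uint8_t *)c + sizeof *c + c->size)) return false;
    }
    return true;
}

bool heap_free_checked(void *p) {              /* refuses a list whose links do not verify */
    chunk_t *c = (chunk_t *)((uint8_t *)p - sizeof *c);
    if (!IN_ARENA(c) || !heap_integrity()) return false;
    c->unused = 1;
    return true;
}

/* Toy USB endpoint: `avail` bytes are on the wire, then the cable is pulled.  Like the
 * slides' usb_recv it reads until `want` bytes arrived or the link drops, and it
 * knows nothing about how large `dst` really is. */
typedef struct { const uint8_t *data; size_t avail; } usb_stream_t;

size_t usb_recv(usb_stream_t *s, uint8_t *dst, size_t want) {
    size_t n = want < s->avail ? want : s->avail;
    memcpy(dst, s->data, n);
    s->data += n; s->avail -= n;
    return n;                                  /* short only when the cable was pulled */
}

/* Vulnerability III shape: the host-configured packet size bounds the receive, not
 * the 0x2000 buffer, and a short read is not treated as an error. */
size_t odin_flash_pit_vuln(usb_stream_t *s, uint32_t packet_size) {
    uint8_t *buf = heap_alloc(PIT_BUF_SIZE);
    return buf ? usb_recv(s, buf, packet_size) : 0;
}

/* Hardened: never receive more than the buffer holds, and treat a short read
 * (cable pulled) as a failed command rather than as partial data. */
int odin_flash_pit_safe(usb_stream_t *s, uint32_t packet_size) {
    if (packet_size == 0 || packet_size > PIT_BUF_SIZE) return -1;
    uint8_t *buf = heap_alloc(PIT_BUF_SIZE);
    if (!buf) return -1;
    size_t got = usb_recv(s, buf, packet_size);
    heap_free_checked(buf);                    /* a real handler would parse the PIT first */
    return got == packet_size ? 0 : -1;
}

/* Constructed host payload: 0x2000 bytes of filler, then a forged header for the
 * neighbouring chunk whose links both point at the list head. */
static uint8_t wire[0x3000];

static usb_stream_t fresh(size_t avail) {      /* new heap, new cable with avail bytes on it */
    heap_init();
    chunk_t fake = { 0x100, 1, head, head };
    memset(wire, 'P', PIT_BUF_SIZE);
    memcpy(wire + PIT_BUF_SIZE, &fake, sizeof fake);
    return (usb_stream_t){ wire, avail };
}

bool scenario_vulnerable(void) {
    usb_stream_t s = fresh(PIT_BUF_SIZE + sizeof(chunk_t));   /* cable pulled right after the forged header */
    size_t got = odin_flash_pit_vuln(&s, 0xFFFFFF);           /* still allowed after the Vuln II patch */
    return got == PIT_BUF_SIZE + sizeof(chunk_t) && !heap_integrity();
}

bool scenario_hardened(void) {
    usb_stream_t big = fresh(PIT_BUF_SIZE + sizeof(chunk_t)), pulled = fresh(0x100), good = fresh(0x1000);
    return odin_flash_pit_safe(&big, 0xFFFFFF) == -1      /* rejected before any receive */
        && odin_flash_pit_safe(&pulled, 0x1000) == -1     /* short read is an error */
        && odin_flash_pit_safe(&good, 0x1000) == 0 && heap_integrity();
}
```

The short read is the whole trick: with the packet size at 0xFFFFFF a full receive would plough through the entire heap and stack, but pulling the cable lets the host stop the write exactly one header past the buffer, which is why the vulnerable handler has to treat a short usb_recv as a failure and why the free path has to verify prev->next == c and next->prev == c before it follows either pointer.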
After Code Execution in S-boot
Boot the phone
◆ We smashed the stack & heap
  ◆ Hard to recover
◆ Call the boot functions one by one
(Figure: memory layout after the overflow, as on the "Overflow the physical memory" slide)
Skip TrustZone related calls
◆ We only have EL1 privilege
◆ Some SMC calls into TrustZone cannot be made twice
◆ Skip the SMC call and set the related parameters ourselves
Load Custom Kernel
◆ After the kernel has been loaded into memory (the function cmd_load_kernel)
◆ Replace the image with a custom one
◆ Boot the kernel (call the function cmd_boot)
Exploit
◆ Set the packet data size to a big number
◆ Send the Odin PIT flash command
◆ Send the payload and interrupt usb_recv(), which leads to the heap overflow
◆ Send another Odin command to trigger malloc & free of the buffer
◆ Overwrite the return address on the stack, jump to the shellcode
◆ Re-init the heap and stack
◆ Continue booting
◆ Before booting into the kernel, replace the boot image
We got EL1 in the normal world
(TrustZone exception-level diagram, as on the ARM TrustZone slide)
But the phone is still locked
Cannot read sensitive data
◆ Storage is still encrypted if we do not provide the screen passcode
◆ The encryption key can only be decrypted in the gatekeeper trustlet
◆ Some data inside the trustlet cannot be reached
Man in the Non-secure EL1
◆ Wait for the user to unlock the phone
◆ Hijack / sniff everything between the non-secure world and the secure world
(TrustZone exception-level diagram, as on the ARM TrustZone slide)
Exposed Attack Surface
◆ Attacking secure world trustlets
  ◆ Gatekeeper trustlet
  ◆ Samsung Pay trustlet
  ◆ Keystore trustlet
  ◆ …
◆ Many vulnerabilities in the past
(TrustZone exception-level diagram, as on the ARM TrustZone slide)
Attack the gatekeeper trustlet to decrypt storage
◆ SVE-2019-14575
◆ With this vulnerability, we can try all the possible pattern codes in a few hours
Sensitive Data unlocked
Conclusion
◆ Even if the data is stored in the secure world, that does not mean it is 100% secure
◆ But exploitation is made complex; multiple steps are needed to retrieve the data
  ◆ Landing - RCE / local USB exploit / social engineering
  ◆ Privilege escalation to non-secure EL1
  ◆ Vulnerabilities in a trustlet to get into secure-world EL0
  ◆ Privilege escalation from secure-world EL0 to secure-world EL1 or EL3
◆ Without all of these, especially the points shown in red on the slide, the data in the phone is still safe
Disclosure Timeline
◆ 2019-10-02 Report Vulnerability I
◆ 2019-10-08 Informed Vulnerability I duplicated
◆ 2019-10-11 Report Vulnerability II
◆ 2020-01-06 Samsung patched, SVE-2019-15872
◆ 2020-01-21 Report Vulnerability III
◆ 2020-05-06 Samsung patched, SVE-2020-16712