# Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot - Cheng-Yu Chao {%hackmd @HITCON/r1z4zylVv %} > 從這開始 > Knox - Trusted Boot hardware PBL verify secure boot ... Knox bit(warranty bit) one time fuse cant restore blow the .. sensitive data protection the storage(sensitive data) is encrypted when the device is locked encrypted keys are stored in trustzone sensitive data protectin cont some critical information can only be decrypted .. ARM Tructzone Related Work BH17 - Defeating Samsung KNOX with zero privilege by returnsme BH17 EU - How Samsung Secures your wallet by Tencent LAB EL0 -> secure-EL0 BH19 - Breaking Samsung's ARM Trustzone EL0 -> secure-EL3 what if the device is turned off and we don't .. in this talk outside the box locked phone -> non secure one S-Boot Boot Flow set monitor mode init check boot mode verify boot image boot into kernel ODIN mode flash stock firmware Rollback prevention This stage provide a vulnerability that can attack. vulnerability 1 Odin Request opCode 0x64 Odin mode initial and settings 0x65 flask PIT 0x66 Flag image subOp ... Odin flash image command no check for provided size integer overflow user 0xc00000000 if less the 0x1e00000 otherwise use 0xB00000000 copy to buffer S8 and befor at 0xc0000000 S9 and later at 0x880000000 overflow the physical memory buffer for flash image sboot code segment sboot data stack heap ... Bypass MMU S-Boot code segment at 0xC9000000 but read only USB devices have direct memory access ignores mmu control Cathe incoherency while receiving data the CPU keeps tracking the USB event this code is cached only the heap will not be cached code execution the heap is not cached the code accesses a pointer in the heap ... trigger data-abort as soon as we overwrite heap data with NULL overwrite the error handler code with jump sled pt shellcode infront of the code segment overflow the physical memory filled with null shellcode modified sboot code segment but s9 and later are not exploitable the default buffer is changed to 0x880000000 spent half a year trying to exploit s10 potential exploit path on s10 in s9 and later odin has paralled and compressed download mode it will boot up another 2 cpu cores and set the image buffer to 0x880000000 fallback to normal download if boot cpu failure buffer change ... make cpu boot fail `next_available_cpu()` uart mode cmd - smp_test test boot up a cpu core and shurdown immediately but count of booted cores will not decrease cmd download enter odin mode enter uart mode we need a debug cable to make s-boot detect RID_523K tried typec vdm mode accessory mode pull down pull up ... we reported the bug on 2018 8 patch note samaung security update SVE-2019-15230 potential integer overflow in bootloader the patch size = arg1 if (arg1 <= 0xffffffff) vulnerability 2 aligned size? `qword_C91494B0` odin packet data size we can set packet data size with opcode 0x64 subop 0x05 exploit same ... report it patch node ... vulnerability 3 odin pit flash command opcode = 0x65 pit is very small odin store it to heap buffer with the size 0x2000 `pit_buf` pseudo code receive data this is a pseudocde representation of the receive operation in our test ... we thought this was unexploitable so i stuck to vulnerability 1 how about interrupting the usb remove the reinsert the usb cable the usb_recv returns with ... heap overflow we can overwrite the metadata of heap chunk house of spirit fake chunk no check for double linked list limited overwrite data `*prev + 4 != 0` in arrch64 interger 64 bit code at 0xc90000000 we can not pooint to got function pointer overwrite rip in stack the only chance is to overwrite a return address on stack only 3 function calls fortunately odin cmd buf is the first local variable after code execution in sboot boot the phone we smashed the stack and heap hard to recover call the boot functions one by one skip trustzone related calls we only have EL1 privilige .. load custom kernel after loading the kernel to memory ... exploit set the size of packet data to a big number send odin pit flash command send payload after interrupt the usb_recv() leds to heap overflow send anothe odin ... we got el1 in normal world but the phone is still locked cannnot read sensitive data man in the nonsecure el1 wait for the user to unlock the phone hijack sniff everything between nonsecure world and secure world exposed attacking surface attacking secure world trustlet gatekeeper trustlet samsung pay trustlet keystore trustlet .. many vulnerabilities in the past attack the gatekeeper trustlet to decrypt storage SVE-2019-14575 with this vulnerability we can try all the possible pattern codes in a few hours sensitive data unlocked conclusion even if the data is store in secure world it does not mean it is 100% secure but it is made exploiting complex multiple actions are needed to retrieve the data landing rce local usb exploit social engineering privilege excalation to nonsecure el1 vulnerability ... disclosure timeline ... thank you jeffxx@trapasecurity.com ###### tags: `HITCON2020`,`HITCON`