Posted on Mon 29 November 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, chromecast, uboot, ubuntu, usb
In a previous post, we detailed a vulnerability in the Amlogic System-On-Chip bootROM that allows arbitrary code execution at EL3. Since the Chromecast with Google TV (CCwGTV) is one of the devices affected by this issue, it opens the possibility to run a custom OS like Ubuntu.
This post describes …
Posted on Wed 10 February 2021 in Tool • Tagged with arm, amlogic, chromecast, bootrom, usb, exploit
In previous posts, we explained how to reverse the USB stack in the Exynos bootROM, which led to the discovery of a critical bug. After reproducing this methodology on Amlogic bootROM recently dumped, a similar vulnerability has been discovered in the USB stack that can be exploited to run arbitrary …
Posted on Tue 09 February 2021 in Article • Tagged with arm, amlogic, bootloader, bootrom, khadas, vim3l
This post describes how to dump bootROM from Amlogic S905D3 SoC using Khadas VIM3L board. Since this board doesn't use Secure Boot, we can execute custom code in Secure World (a.k.a TrustZone) without exploiting any vulnerability. In addition, the board exposes an UART connector, which is convenient for …
Posted on Wed 17 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, usb, exploit
In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack.
These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code.
The following chipsets are known to be affected by this bug :
Posted on Tue 16 June 2020 in Article • Tagged with arm, exynos, samsung, bootrom, usb, reverse, ghidra
In the previous post, we explained how to dump Exynos bootROM.
Exynos (8895 in this post) bootROM contains a minimal USB stack to load a signed bootloader from an USB host (a.k.a. boot from USB). This post summarizes how this USB stack can be reversed using the Great …
Posted on Mon 15 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, trustzone, exploit
This post introduces a tool to dump Samsung Galaxy S7 bootROM using known and fixed security vulnerabilities in Trustzone.
The source code is available on GitHub.
We use a Galaxy S7 phone, with ADB access and root privileges.
BootROM code is at address 0x0, in Secure world. The TEE …
Posted on Wed 07 March 2018 in Article • Tagged with arm, exynos, samsung, bootrom, qemu, emulation, bootloader, secureboot
QEMU has support for the SMDKC210 machine, an ARM board based on Exynos 4210 SoC. Peripherals implemented in QEMU for this machine are UART, SDHCI, FIMD, I2C, Interrupt Combiner, GIC, Clock, PMU, RNG, MCT, PWM, RTC.
Samsung Galaxy S2 phone is also based on Exynos 4210, so it should be …
Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug
The Amlogic S905
System-On-Chip is an ARM processor designed for video
applications. It's widely used in Android/Kodi media boxes. The SoC
implements the TrustZone security extensions to run a Trusted
Execution Environment (TEE) that enables DRM & other security
features :
|
| Amlogic S905 System Block Diagram |