Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu

Posted on Wed 15 June 2022 in Article • Tagged with arm, amlogic, bootloader, exploit, nest, secureboot, uboot, ubuntu, usb

In this post, we attack the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS.

First, we explore both hardware and software attack surface in search of security vulnerabilities that could permit arbitrary code execution on the device.

Then, using a …


Continue reading

amlogic-usbdl : unsigned code loader for Amlogic BootROM

Posted on Wed 10 February 2021 in Tool • Tagged with arm, amlogic, chromecast, bootrom, usb, exploit

In previous posts, we explained how to reverse the USB stack in the Exynos bootROM, which led to the discovery of a critical bug. After reproducing this methodology on Amlogic bootROM recently dumped, a similar vulnerability has been discovered in the USB stack that can be exploited to run arbitrary …


Continue reading

exynos-usbdl : unsigned code loader for Exynos BootROM

Posted on Wed 17 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, usb, exploit

In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack.

These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code.

The following chipsets are known to be affected by this bug :

  • Exynos 8890
  • Exynos …

Continue reading

exynos8890-bootrom-dump : dump Exynos 8890 bootROM from Samsung Galaxy S7

Posted on Mon 15 June 2020 in Tool • Tagged with arm, exynos, samsung, bootrom, trustzone, exploit

This post introduces a tool to dump Samsung Galaxy S7 bootROM using known and fixed security vulnerabilities in Trustzone.

The source code is available on GitHub.

Collect bootroms

Procedure

We use a Galaxy S7 phone, with ADB access and root privileges.

BootROM code is at address 0x0, in Secure world. The TEE …


Continue reading

SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader

Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin

Prequel

On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump eMMC of Samsung Galaxy devices :

This video strongly suggests that Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in Samsung Galaxy bootloader allow an attacker with …


Continue reading

Exploitation of Philips Smart TV

Posted on Thu 13 November 2014 in Article • Tagged with mips, smarttv, libupnp, philips, exploit

This post is a translated summary of the article published for my talk at SSTIC 2014 conference (french).

My Philips Smart TV is a Linux box standing there in my living room : that's a sufficient reason to try to get root.

Debug serial port

Internet hackers have already discovered a …


Continue reading