Description

When Samsung Shannon baseband receives message IMMEDIATE ASSIGNMENT (9.1.18 in GSM/04.08) from network, the length of the Mobile Allocation IE (GSM/04.08 10.5.2.21) is not properly checked.

Mobile allocation data is directly copied to a buffer on the stack without checking …

Description

When Samsung Shannon baseband receives message GMM ATTACH ACCEPT (9.4.2 in TS 24.008) from network, the minimum length for MS Identity IE (10.5.1.4) is not properly checked.

MS Identity (IEI 0x23) length is decremented without prior check. If this value is zero, a …

Description

When Samsung Shannon baseband receives message P-TMSI REALLOCATION COMMAND (9.4.7 in TS 24.008) from network, the length of the Mobile Identity IE (10.5.1.4) is not properly checked.

Mobile identity data is directly copied to a stack buffer without prior size check. This stack …

Prequel

On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump eMMC of Samsung Galaxy devices :

This video strongly suggests that Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in Samsung Galaxy bootloader allow an attacker with …

The Amlogic S905 System-On-Chip is an ARM processor designed for video applications. It's widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM & other security features :

Amlogic S905 System Block Diagram

This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn't find any...so far !

Note: Terms (Non-)Secure …

Summary