This post introduces a tool to dump the Samsung Galaxy S7 bootROM using known and fixed security vulnerabilities in TrustZone. The source code is available on GitHub. Procedure: We use a Galaxy S7 phone with ADB access and root privileges. BootROM code is at address 0x0, in the Secure world. The TEE …| fred's notes
The Amlogic S905 System-on-Chip is an ARM processor designed for video applications. It is widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM and other security features (figure: Amlogic S905 System Block Diagram). The SoC contains a Secure …
This article will first describe how to locate the Monitor mode code in the Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself, because I didn't find any... so far! Note: Terms (Non-)Secure …
Summary: Qualcomm TrustZone is prone to an integer signedness bug that may allow writing NULL words to barely controllable locations in memory. The vulnerability can be triggered from the Non-Secure World through the TrustZone call "tzbsp_smmu_fault_regs_dump". This issue has been discovered in Samsung Galaxy S5 firmware, but other devices can …