In a previous post, we detailed a vulnerability in the Amlogic System-On-Chip bootROM that allows arbitrary code execution at EL3. Since the Chromecast with Google TV (CCwGTV) is one of the devices affected by this issue, it opens the possibility to run a custom OS like Ubuntu. This post describes …| fred's notes
In previous posts, we explained how to reverse the USB stack in the Exynos bootROM, which led to the discovery of a critical bug. After reproducing this methodology on the recently dumped Amlogic bootROM, a similar vulnerability was discovered in the USB stack that can be exploited to run arbitrary …
This post describes how to dump the bootROM from the Amlogic S905D3 SoC using a Khadas VIM3L board. Since this board doesn't use Secure Boot, we can execute custom code in Secure World (a.k.a. TrustZone) without exploiting any vulnerability. In addition, the board exposes a UART connector, which is convenient for …
Description: When the Samsung Shannon baseband receives an IMMEDIATE ASSIGNMENT message (9.1.18 in GSM/04.08) from the network, the length of the Mobile Allocation IE (GSM/04.08 10.5.2.21) is not properly checked. Mobile allocation data is directly copied to a buffer on the stack without checking …
Description: When the Samsung Shannon baseband receives a GMM ATTACH ACCEPT message (9.4.2 in TS 24.008) from the network, the minimum length for the MS Identity IE (10.5.1.4) is not properly checked. The MS Identity (IEI 0x23) length is decremented without prior check. If this value is zero, a …
Description: When the Samsung Shannon baseband receives a P-TMSI REALLOCATION COMMAND message (9.4.7 in TS 24.008) from the network, the length of the Mobile Identity IE (10.5.1.4) is not properly checked. Mobile identity data is directly copied to a stack buffer without prior size check. This stack …
In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack. These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code. The following chipsets are known to be affected by this bug: Exynos 8890, Exynos …
In the previous post, we explained how to dump the Exynos bootROM. The Exynos (8895 in this post) bootROM contains a minimal USB stack to load a signed bootloader from a USB host (a.k.a. boot from USB). This post summarizes how this USB stack can be reversed using the Great …
This post introduces a tool to dump the Samsung Galaxy S7 bootROM using known and fixed security vulnerabilities in TrustZone. The source code is available on GitHub. Procedure: We use a Galaxy S7 phone, with ADB access and root privileges. BootROM code is at address 0x0, in Secure world. The TEE …
QEMU has support for the SMDKC210 machine, an ARM board based on the Exynos 4210 SoC. Peripherals implemented in QEMU for this machine are UART, SDHCI, FIMD, I2C, Interrupt Combiner, GIC, Clock, PMU, RNG, MCT, PWM, RTC. The Samsung Galaxy S2 phone is also based on the Exynos 4210, so it should be …
This article explains how to customize the Nighthawk X4S firmware to add a security camera feature to this always-online & almost-always-idle device. Alternative firmwares like OpenWRT or LEDE exist, but they don't fully support all stock features yet. So instead this approach is based on modified stock firmware. Main steps are: Customize …
Prequel: On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump the eMMC of Samsung Galaxy devices. This video strongly suggests that the Samsung Galaxy bootloader can be exploited to execute arbitrary code. Summary: Several bugs in the Samsung Galaxy bootloader allow an attacker with …
The Amlogic S905 System-On-Chip is an ARM processor designed for video applications. It's widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM & other security features. [Figure: Amlogic S905 System Block Diagram] The SoC contains a Secure …
D-Link 1565 is one of the few routers that integrate a PLC (Power line Communication) chipset (in this case QCA AR7400). Unfortunately, OpenWrt does not provide support for this feature yet. This post presents configuration steps to enable PLC support in OpenWrt for this device. Hardware configuration: By digging into …
This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn't find any... so far! Note: Terms (Non-)Secure …
Summary: Qualcomm TrustZone is prone to an integer signedness bug that may allow writing NULL words to barely controllable locations in memory. The vulnerability can be triggered from Non-Secure World through the TrustZone call "tzbsp_smmu_fault_regs_dump". This issue has been discovered in Samsung Galaxy S5 firmware, but other devices can …
This post is a translated summary of the article published for my talk at the SSTIC 2014 conference (in French). My Philips Smart TV is a Linux box standing there in my living room: that's a sufficient reason to try to get root. Debug serial port: Internet hackers have already discovered a …
pflupg-tool is an unpacking tool for Philips SmartTV firmware (Fusion platform). If your firmware is encrypted, you have to provide the corresponding public key (public exponent + modulus). You can add public keys in pflupg.h file: #define PUBLIC_KEYS_CNT 2 // { name, public exponent e (hex string), modulus n (hex string)} static …
Summary: DirectFB is prone to an out-of-bounds write vulnerability since version 1.4.4. The vulnerability can be triggered remotely without authentication through the Voodoo interface (network layer of DirectFB). Details: An attacker can choose to overflow in the heap or the stack. CVSS Version 2 Metrics: Access Vector: Network exploitable …
Summary: DirectFB is prone to an integer signedness vulnerability since version 1.4.13. The vulnerability can be triggered remotely without authentication through the Voodoo interface (network layer of DirectFB). Details: This integer coercion error may lead to a stack overflow. CVSS Version 2 Metrics: Access Vector: Network exploitable Access Complexity …
Voodoo is the network layer of DirectFB. dfb-wireshark-dissector is a Wireshark plugin to dissect this protocol. Main features are: both packet & raw modes are supported; FLZ decompression; Instance ID resolution. Source code can be found on GitHub.
In January 2013, Rapid7 published a great paper describing several vulnerabilities in the most common UPnP libraries. Six months later, many devices based on these libraries have not been updated and are still exposed. For example, the Axis M1011 camera contains a vulnerable version of libupnp, which can lead to …
Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to two vulnerabilities in the WebUI: an XSS and a command injection. The combination of both allows an attacker (with a little help from the victim) to remotely execute code on the device with root privileges, by sending a specifically …
[CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection. Summary: Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to a command injection vulnerability in the Web UI. Successful exploitation allows unauthenticated attackers to execute arbitrary commands with root privileges. Details …
Summary: Foscam firmware <= 11.37.2.48 is prone to a path traversal vulnerability in the embedded web interface. An unauthenticated attacker can access the entire filesystem and steal web & wifi credentials. Details: GET //../proc/kcore HTTP/1.0 CVSS Version 2 Metrics: Access Vector: Network exploitable Access Complexity …
Summary: LemonLDAP-NG <=1.2.2 is prone to a security vulnerability involving XML signature wrapping in the authentication process. Successful exploits may allow unauthenticated attackers to construct specially crafted messages that can be successfully verified and contain arbitrary content. This may lead to authentication bypass. Details: Due to a bad use …