
Attacking Samsung Galaxy A_ Boot Chain and Beyond.pdf

Uploaded by: 竿*** Document ID: 981604 2025-11-29 87 pages 7.16MB

Maxime Rossi Bellom, Damiano Melotti, Raphaël Neveu, Gabrielle Viala
Attacking Samsung Galaxy A* Boot Chain, and Beyond

Who we are
- Damiano Melotti (@DamianoMelotti): ex security researcher at Quarkslab, interested in low-level mobile security and fuzzing
- Maxime Rossi Bellom (@max_r_b): security researcher and R&D leader at Quarkslab, working on mobile and embedded software security
- Raphaël Neveu: security researcher at Quarkslab, working on low-level mobile security
- Gabrielle Viala (@pwissenlit): security researcher and R&D leader at Quarkslab, playing with low-level stuff

Our Device
- Samsung Galaxy A225F, cheap (300)
- Mediatek SoC MT6769V
- Main OS: Android, a mix of Mediatek and Samsung code
- Trustzone OS: TEEGRIS
- Secure Boot bypass using MTKClient [1], making debugging easier
1: https:/

Secure Boot Process

Mediatek Secure Boot Process

Little Kernel (LK)
- Open-source OS [2]
- Common as bootloader in the Android world
- Allows to boot Android or other modes (Recovery)
- Implements Android Verified Boot v2: verification of Android images involving the boot and vbmeta partitions, plus anti-rollback
2: https:/

Little Kernel by Samsung
- Modified LK to include: the Odin recovery protocol, the Knox Security Bit, etc., and a JPEG parser/renderer
- This version is closed source

Why Targeting the JPEG Loader/Parser
- JPEGs are placed in a TAR archive in the up_param partition
- The archive is signed but the signature is not checked at boot
- Anyone able to write the flash can modify these JPEGs
- Parsing JPEG is known to be hard (cf. LogoFail [3])
- How are these JPEGs l
3: https://www.binarly.io/blog/inside-the-logofail-poc-from-integer-overflow-to-arbitrary-code-execution

According to the report, the full text mainly discusses security research targeting the Samsung Galaxy A225F device, covering the following key points:
1. **Research team**: Maxime Rossi Bellom, Damiano Melotti, Raphaël Neveu, Gabrielle Viala, from Quarkslab.
2. **Target device**: Samsung Galaxy A225F, with a MediaTek MT6769V SoC, running Android.
3. **Security vulnerabilities**:
- **JPEG loader parsing vulnerability**: a heap overflow in JPEG parsing that can lead to code execution.
- **Odin authentication bypass**: Odin's authentication mechanism can be bypassed, allowing any partition on the eMMC to be written.
- **ARM Trusted Firmware (ATF) vulnerability**: ATF memory is leaked through SMC calls, allowing arbitrary physical addresses to be mapped.
4. **Impact**: these vulnerabilities could lead to full control of the device, including low/mid-range Samsung devices.
5. **Conclusion**: all vulnerabilities have been fixed, but the research reveals latent risks in device security.