Attacking Samsung Galaxy A* Boot Chain, and Beyond
Maxime Rossi Bellom, Damiano Melotti, Raphaël Neveu, Gabrielle Viala

Who we are
- Damiano Melotti (@DamianoMelotti): ex security researcher @ Quarkslab; interested in low-level mobile security and fuzzing
- Maxime Rossi Bellom (@max_r_b): security researcher and R&D leader @ Quarkslab; working on mobile and embedded software security
- Raphaël Neveu: security researcher @ Quarkslab; working on low-level mobile security
- Gabrielle Viala (@pwissenlit): security researcher and R&D leader @ Quarkslab; playing with low-level stuff

Our Device: Samsung Galaxy A225F
- Cheap (300)
- Mediatek SoC MT6769V
- Main OS: Android, a mix of Mediatek and Samsung code
- TrustZone OS: TEEGRIS
- Secure Boot bypass using MTKClient [1], making debugging easier
[1]: https:/

Secure Boot Process

Mediatek Secure Boot Process

Little Kernel (LK)
- Open-source OS [2]
- Common as a bootloader in the Android world
- Allows booting Android or other modes (Recovery)
- Implements Android Verified Boot v2: verification of Android images, involving the boot and vbmeta partitions, plus anti-rollback
[2]: https:/

Little Kernel by Samsung
- Samsung's modified LK adds: the Odin recovery protocol, the Knox Security Bit, etc.
- It also adds a JPEG parser/renderer
- This version is closed source

Why Targeting the JPEG Loader/Parser
- JPEGs are placed in a TAR archive in the up_param partition
- The archive is signed, but the signature is not checked at boot
- Anyone able to write the flash can modify these JPEGs
- Parsing JPEG is known to be hard (cf. LogoFail [3])
[3]: https://www.binarly.io/blog/inside-the-logofail-poc-from-integer-overflow-to-arbitrary-code-execution

Why Targeting the JPEG Loader/Parser
- How are these JPEGs l