* We managed to unlock & root various Android Bootloaders, such as Xiaomi Note 5A, using a storage-based attack only. * We obtained the RPM & Modem PBLs of Nexus 6P (MSM8994). * We obtained and reverse-engineered the PBL of various Qualcomm-based chipsets (MSM8994/MSM8917/MSM8937/MSM8953/MSM8974) using the Firehose programmers and our research framework. * We created firehorse, a publicly available research framework for Firehose-based programmers, capable of debugging/tracing the programmer (and the rest of the bootloader chain, including the Boot ROM itself, on some devices). * We describe the Qualcomm EDL (Firehose) and Sahara Protocols. We achieve code execution in the PBL (or more accurately, in a PBL clone), allowing us to defeat the chain of trust, gaining code execution in every part of the bootloader chain, including TrustZone, and the High Level OS (Android) itself. We end with a complete Secure-Boot bypass attack for Nokia 6 MSM8937, that uses our exploit framework. We then present our exploit framework, firehorse, which implements a runtime debugger for firehose programmers (Part 4). In Part 3 we exploit a hidden functionality of Firehose programmers in order to execute code with highest privileges (E元) in some devices, allowing us, for example, to dump the Boot ROM (PBL) of various SoCs.
Part 3, Part 4 & Part 5 are dedicated for the main focus of our research – memory based attacks. In Part 2, we discuss storage-based attacks exploiting a functionality of EDL programmers – we will see a few concrete examples such as unlocking the Xiaomi Note 5A (codename ugglite) bootloader in order to install and load a malicious boot image thus breaking the chain-of-trust. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. In this 5-part blog post we discuss the security implications of the leaked programmers. Xiaomi) also publish them on their official forums. While the reason of their public availability is unknown, our best guess is that these programmers are often leaked from OEM device repair labs. To make any use of this mode, users must get hold of OEM-signed programmers, which seem to be publicly available for various such devices.
All of these guides make use of Emergency Download Mode (EDL), an alternate boot-mode of the Qualcomm Boot ROM (Primary Bootloader). There are many guides across the Internet for ‘unbricking’ Qualcomm-based mobile devices. Multiple Qualcomm based mobile devices affected (5-part blog post) Įxploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals Exploiting Qualcomm EDL Programmers: Memory & Storage based attacks allowing PBL extraction, rooting, secure boot bypassing & bootloader chain debugging/tracing.
0 kommentar(er)
