
aboot-parser: Android bootloader parser

Script to parse Android bootloader (aboot) images, extract certificates and verify image signature. May not work on aboot from latest devices.

Signature verification follows the ‘Secure Boot and Image Authentication Technical Overview’ whitepaper by Qualcomm. Cf. https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview/

Aboot header format as described in http://newandroidbook.com/Articles/aboot.html. See above article for more details about aboot.

Inspired by https://github.com/kayrus/kc_s701_break_free
[…]

https://github.com/nelenkov/aboot-parser


Qualcomm Secure Boot whitepaper released

This whitepaper provides an in-depth look at our signed ELF images format, the process of loading and authenticating those images, certificate chain contents, and supported signature algorithms.

https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview

https://www.qualcomm.com/news/onq/2017/01/17/secure-boot-and-image-authentication-mobile-tech


Qualcomm TrustZone MasterKeys extracted?

Kindly pointed out by a reader of the blog, laginimaineb has some more research going on for Qualcomm TrustZone, sounds non-trivial:

[Grr, when I paste a URL of a tweet, WordPress usually renders it; today it is not. Maybe it will before it posts it, unsure. I’ve extracted the text from the tweets in case it does not.]

Just managed to extract the Qualcomm KeyMaster keys directly from TrustZone! Writeup coming soon 🙂 (1/2)

And wrote a script to decrypt all keystore keys. This can also be used to bruteforce the FDE passphrase off the device! (2/2)

This specifically is done on the Nexus 6, but I’ve also dabbled w/ the Nexus 5 and Moto X 2nd Gen

https://mobile.twitter.com/laginimaineb/status/737051964857561093
https://mobile.twitter.com/laginimaineb/status/737052350674817024
https://mobile.twitter.com/laginimaineb/status/737185999760052224
https://mobile.twitter.com/laginimaineb/status/737186295655596032
https://mobile.twitter.com/laginimaineb/status/737188674371215360

More info:
https://mobile.twitter.com/laginimaineb
http://bits-please.blogspot.co.il/2016/05/qsee-privilege-escalation-vulnerability.html
http://bits-please.blogspot.com/


Qualcomm QSEE

There are some interesting developments in Qualcomm’s Secure Execution Environment (QSEE).

http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html
http://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html


Motorola bootloader unlocking

Unlocking the Motorola Bootloader

In this blog post, we’ll explore the Motorola bootloader on recent Qualcomm Snapdragon devices. Our goal will be to unlock the bootloader of a Moto X (2nd Gen), by using the TrustZone kernel code execution vulnerability from the previous blog posts. Note that although we will show the complete unlocking process for this specific device, it should be general enough to work at least for most modern Motorola devices. […]

Full post:
http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html


Linaro’s 96Boards initiative

Earlier this year, ARM’s Linaro created 96Boards.org.

The 96Boards initiative is designed to offer a single software and hardware community across multiple vendor boards supporting a range of different features. A fixed set of minimum functions including USB, SD, HDMI and standardized low speed and high speed peripheral connectors are provided. Vendors may add customized hardware and feature sets provided the minimum functions are available. We expect this to extend the platform life, increase the market for add-on hardware, and accelerate open source upstreaming of support for new SoC features. The 96Boards standard specification and this website are maintained by the Linaro Community Board Group (LCG). Linaro is a collaborative software engineering organization focused on the ARM architecture. Corporate members of Linaro provide funding and engineers plus direction through various steering committees and resources are split into semi-autonomous groups with their own members.

There are currently two 96Boards specifications for low-cost ARMv7-A and ARMv8-A development boards:
* The Consumer Edition (CE) targets the mobile, embedded and digital home segments.
* The Enterprise Edition (EE) targets the networking and server segments.

They have 3 boards listed currently:
* DragonBoard 410c: Board based on Qualcomm Snapdragon™ 410 processor
* The HiKey Board: Board based on HiSilicon Kirin 6220 processor
* 96Boards UART Serial Adapter: a USB to UART interface to be used with any 96Boards Consumer or Enterprise Edition board.

https://www.96boards.org/ce-specification
https://www.96boards.org/ee-specification
https://www.96boards.org/products/

Marcin Juszkiewicz has a good blog post on 96Boards as well:
http://marcin.juszkiewicz.com.pl/2015/06/26/96boards-goes-enterprise/

ARM Devices has a video discussing adding 96Boards hardware targets to LAVA, the CI server by Linaro for embedded device testing.
http://armdevices.net/2015/02/18/lava-lab-to-integrate-hikey-from-96boards-org/


Qualcomm Snapdragon updates

Qualcomm announces ARM-based Snapdragon 430 and 617, and Snapdragon 820 with X12 LTE modem:

Over the past several weeks, we have been revealing details about the incredible features of the Qualcomm Snapdragon 820 processor. And today we are revealing the final piece of the puzzle. The Snapdragon 820 is the most powerful mobile processor we’ve ever made. […]

Qualcomm Technologies is building up the Snapdragon line-up with two new products and several firsts. The Qualcomm Snapdragon 617 and 430 processors are designed to deliver high-end performance and experiences in affordable, high- and mid-tier devices. […]

https://www.qualcomm.com/news/snapdragon/2015/09/14/snapdragon-617-and-430-build-mid-tier-high-end-features
https://www.qualcomm.com/news/snapdragon/2015/09/14/snapdragon-820-countdown-breakthrough-lte-and-wi-fi-x12-lte-modem
