• Home

  • Documents

  • SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March...
8
SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices Discovered and documented by Sean Beaupre (beaups) Affected products This vulnerability affects certain bootloader-locked Qualcomm based Samsung Galaxy products containing Samsung eMMC. Tested and confirmed to unlock the bootloader of the Verizon Samsung Galaxy S5. While possibly every device containing a Samsung eMMC controller is vulnerable to the attack described below, it’s usefulness as a bootloader unlock is likely limited to select Samsung Galaxy devices. Samsung’s unlock mechanism Manufacturers employ a wide variety of methods and mechanisms to determine and control a device’s bootloader lock status. Motorola uses TrustZone protected fuses, HTC uses data in a write protected region of eMMC, and some LG devices use a signed blob in the boot (kernel) partition. There are likely many other methods, but the concept is the same: only allow the unlock status to be changed via a controlled and deliberate method. Additionally, when unlocking the bootloader of most devices, the user’s data partition is wiped to ensure that the unlock wasn’t performed in attempt to maliciously gain access to a user’s data. In some cases, like most devices built for use on the Verizon network, the ability for a user to unlock the bootloader is blocked entirely. One such device was the Galaxy S5 used for this research. The Galaxy S5 (and probably some/many other Galaxy devices) uses a unique mechanism for determining a device’s unlock/dev status. As Researched and discovered by @ryanbg (http://forum.xda-developers.com/member.php?u=766721): A blob in the aboot partition image is read and decrypted. Then, the device’s eMMC CID is hashed and compared to the value of the decrypted blob. If they match, the device is considered unlocked. Basically, at some point in the manufacturing process, when a device is configured to be a “dev- edition” device, Samsung hashes the device’s eMMC CID, pads it, signs (or encrypts?) it with their private key, and places that signed data in the device’s aboot partition. At every boot, aboot is able to verify that the device is actually a dev-edition device. What is an eMMC CID? According to eMMC documentation: The Device IDentification (CID) register is 128 bits wide. It contains the Device identification information used during the Device identification phase (e•MMC protocol). Every individual flash or I/O Device shall have an unique identification number. Every type of

SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

Embed Size (px)

Citation preview

Page 1: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 1

eMMCbackdoorleadingtobootloaderunlockonSamsungGalaxyDevicesDiscoveredanddocumentedbySeanBeaupre(beaups)

AffectedproductsThisvulnerabilityaffectscertainbootloader-lockedQualcommbasedSamsungGalaxyproductscontainingSamsungeMMC.TestedandconfirmedtounlockthebootloaderoftheVerizonSamsungGalaxyS5.WhilepossiblyeverydevicecontainingaSamsungeMMCcontrollerisvulnerabletotheattackdescribedbelow,it’susefulnessasabootloaderunlockislikelylimitedtoselectSamsungGalaxydevices.

Samsung’sunlockmechanismManufacturersemployawidevarietyofmethodsandmechanismstodetermineandcontroladevice’sbootloaderlockstatus.MotorolausesTrustZoneprotectedfuses,HTCusesdatainawriteprotectedregionofeMMC,andsomeLGdevicesuseasignedblobintheboot(kernel)partition.Therearelikelymanyothermethods,buttheconceptisthesame:onlyallowtheunlockstatustobechangedviaacontrolledanddeliberatemethod.Additionally,whenunlockingthebootloaderofmostdevices,theuser’sdatapartitioniswipedtoensurethattheunlockwasn’tperformedinattempttomaliciouslygainaccesstoauser’sdata.Insomecases,likemostdevicesbuiltforuseontheVerizonnetwork,theabilityforausertounlockthebootloaderisblockedentirely.OnesuchdevicewastheGalaxyS5usedforthisresearch.TheGalaxyS5(andprobablysome/manyotherGalaxydevices)usesauniquemechanismfordeterminingadevice’sunlock/devstatus.AsResearchedanddiscoveredby@ryanbg(http://forum.xda-developers.com/member.php?u=766721):

Ablob in theabootpartition image is readanddecrypted. Then, thedevice’seMMCCIDishashedandcomparedtothevalueofthedecryptedblob.Iftheymatch,thedeviceisconsideredunlocked.

Basically,atsomepointinthemanufacturingprocess,whenadeviceisconfiguredtobea“dev-edition”device,Samsunghashesthedevice’seMMCCID,padsit,signs(orencrypts?)itwiththeirprivatekey,andplacesthatsigneddatainthedevice’sabootpartition.Ateveryboot,abootisabletoverifythatthedeviceisactuallyadev-editiondevice.WhatisaneMMCCID?AccordingtoeMMCdocumentation:

“The Device IDentification (CID) register is 128 bits wide. It contains the Device identification information used during the Device identification phase (e•MMC protocol). Every individual flash or I/O Device shall have an unique identification number. Every type of

Page 2: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 2

e•MMC Device shall have a unique identification number.”

Great!WecansimplychangetheeMMCCIDtomatchonefromafactorydev-editiondevice,andthenflashtheabootpartition(containingthehashedandsignedCIDblob)fromthesamedev-editiondevice.Except,elsewhereintheeMMCdocumentation:

“Programming of the Device identification register. This command shall be issued only once. The Device contains hardware to prevent this operation after the first programming. Normally this command is reserved for the manufacturer.”

Effectively, the CID is a serial number programmed at the factory and, according to the eMMC standard, is only programmable once. What “hardware” prevents the CID from being reprogrammed? Is it really stored in some OTP region? The fact that an eMMC contains mass amounts of non-volatile reprogrammable NAND memory should make any researcher skeptical that it is truly “write-once”.

EntervendorcommandsGenerallyspeaking,vendorcommandsarecommands/codes/instructionsthatdon’tappearinanyofficialstandardsandallowahost/user/factory/softwaretointeractwithadeviceinanon-standardway.SpecificallyforSamsungeMMC,aspecial(mostly)undocumentedCMD62inconjunctionwithsome“secret”argumentsareused.SomeofSamsung’svendorcommandswerepubliclyreleasedbySamsungduetoasoftwaredefectintheireMMCcontrollerfirmware.Samsungneededthelinux/androidkerneltobeabletopatchtheeMMCfirmwareinrealtime,andthushadtoreleaseanddocumentsomeoftheirproprietaryeMMCvendorcommands:https://android.googlesource.com/kernel/omap/+/3c57a612f12b069bbc863ec0c74a26850d76a9e8%5E!Samsungprovidedacriticalfunctionforenablingfurtherresearch:mmc_movi_read_cmd.Withasimpleloopofthisfunction,weareabletodumptheentirerunningfirmwareandramoftheeMMCcontroller.

Page 3: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 3

FindingsomethingusefulThefirststepwastofindwhatfunctioninSamsung’sfirmwarehandledahost’sPROGRAM_CIDrequest.Aquick(andquitelucky,asmosteMMCcommandsuseafunctionpointertable)searchfortheimmediatevalue26(eMMCcommand26isPROGRAM_CID)revealsthis:

Page 4: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 4

Somebasicsetupisdone,thentheopcodeischeckedtodecidewhetherornotthehostistryingtoprogramtheCSDregisterortheCIDregister.SincewearetryingtoreprogramtheCIDregister,let’slookattheprogram_cidfunctioncalledwhenR0=0x1A(26):

Page 5: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 5

Thefunctionread_security_registerisimportantandverysimple:

Itsimplyreadsavaluefromram,storesitinthecaller’spointer,andreturns.Backtotheprogram_cidfunction:

Page 6: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 6

Thesecurityregisterisreadandbit0istested.Ifbit0isclear,abranchistakentoloc_4AC84,andultimatelytheCIDprogrammingfails.Ifbit0==1,thefunctioncontinues:

1.) Bit0iscleared,andthesecurityregisterisupdatedwiththenewvalue2.) TheCIDisprogrammed

Surelythis“security_register”can’tbethe“hardware to prevent this operation after the first programming” as described in the eMMC spcifications; it is simply a dword in the controller’s RAM. How can we get bit 0 set in the security_register? A quick refs search to write_security_register answers this question quickly:

vendor_security_functions()isarealmess:

Page 7: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 7

Weneedtofindacalltowrite_security_registerwithavalueof1,toallowustoreprogramtheCID.Zoomingin:

Bingo:

Youcanseeveryclearly,thesecurityregisterisread,bit0isset,andthesecurityregisterisupdated,enablingprogrammingoftheCID.Workingbackwardsthroughthe~100argumentcalculationsinthevendorcommandhandler,I’llsimplystatethattheargvaluethatneedstobepassedwiththeCMD62is0xEF50.Issuingthevendorcommandwithargument0xEFAC62ECfollowedbythevendorcommandwithargument0xEF50isSamsung’sbackdoortoallowreprogrammingoftheeMMCCID.

Page 8: SamDunk - theroot.ninjatheroot.ninja/disclosures/SAMDUNK_1.0-03262016.pdf · SamDunk Sunday, March 27, 2016 1 eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

SamDunk

Sunday,March27,2016 8

DoingthedeedI’vepushedcodetogithubtochangetheCIDinSamsungeMMCusingthebackdoordescribedabove:https://github.com/beaups/SamsungCIDCaveats(important):

1.) ItisgenerallyabadideatodomuchwithSamsungvendorcodesfromuserspace,asyoucannottakealockontheeMMC.Theprogram_cidbackdoorappearstobequitesafe,butdoNOTtrytoupdatethecodetodooperationssuchasreading/writingcontrollermemory.You’llwanttodothatwithakernelmodule.You’vebeenwarned.

2.) Whilethecodewillchangethedevice’sCID,youwillneedtocheck(afterreboot)toseethattheCIDchanged“perfectly”.Insomeinstances,afewbitsarekeptfromtheoriginalCID.Ifthathappens,youwillneedtowriteakernelmodule,dumpthecontrollermemory,findthecurrentCIDinthecontroller’smemory,patchitto0,andprogramtheCIDagain.

3.) IhavenotresearchedwhatelseSamsung/Android/bootloaders/apps/etc.mightusethedevice’sCIDfor.ChangeyourCIDatyourownrisk.

4.) Ifyourgoalistoturnyourdeviceintoadev-editiondevice,YOUwillneedtofindthedev-editionabootimageandthecorrespondingCID.Further,youshouldonlyattempttoflashanyabootthroughODIN.IfODINrejectstheflash,you’vedonesomethingwrong.

5.) OnlyUID0haswriteaccesstommcblk0,whichisneededtoissuethenecessaryIOCTLs.

6.) DonotPM,email,call,orotherwisestalkmelookingforsupport,supportingfiles,oranythingelse.


PROGRAMMATORE BOOTLAODER Bootloader programmerdownload.micronovasrl.com/micronova/bootloader/MAN... · 2017. 6. 14. · BootLoader pag. 8 di 15 ITA O 5. Gestione del BootLoader In

PROGRAMMATORE BOOTLAODER Bootloader programmerdownload.micronovasrl.com/micronova/bootloader/MAN... · 2017. 6. 14. · BootLoader pag. 8 di 15 ITA O 5. Gestione del BootLoader In

Documents
EMMC promotion

EMMC promotion

Education
RDN/Generic BackDoor!bs: Remove RDN/Generic BackDoor!bs

RDN/Generic BackDoor!bs: Remove RDN/Generic BackDoor!bs

Technology
Marketing through backdoor

Marketing through backdoor

Marketing
TCP/32764 backdoor

TCP/32764 backdoor

Documents
Project1:( Bootloader(€¦ · Loading(the(Bootloader(• Found(bootable(storage(volume:(- HDD,(USB,(Floppy(- Load(bootloader(Loading the Bootloader Found bootable storage volume:

Project1:( Bootloader(€¦ · Loading(the(Bootloader(• Found(bootable(storage(volume:(- HDD,(USB,(Floppy(- Load(bootloader(Loading the Bootloader Found bootable storage volume:

Documents
Lindenis Tech. Ltd.files.lindeni.org/lindenis-v536/Documents/... · nwe-emmc-ds 9 ndq2-emmc-d6 9 ndq4-emmc-d5 9 ndq3-emmc-d1 9 ndq7-emmc-d3 9 ndq1-emmc-d2 9 ndq5-emmc-d0 9 ndq0-emmc-d7

Lindenis Tech. Ltd.files.lindeni.org/lindenis-v536/Documents/... · nwe-emmc-ds 9 ndq2-emmc-d6 9 ndq4-emmc-d5 9 ndq3-emmc-d1 9 ndq7-emmc-d3 9 ndq1-emmc-d2 9 ndq5-emmc-d0 9 ndq0-emmc-d7

Documents
IMMERSE GAMERS WITH PHENOMENAL …...2016/04/08  · High speed of eMMC 5.1 eMMC eMMC 5.1 is faster than eMMC 5.0. Featured Products With its Command Queue feature, eMMC improved cache

IMMERSE GAMERS WITH PHENOMENAL …...2016/04/08  · High speed of eMMC 5.1 eMMC eMMC 5.1 is faster than eMMC 5.0. Featured Products With its Command Queue feature, eMMC improved cache

Documents
Keystone Bootloader

Keystone Bootloader

Documents
Backdoor Jobs_ - Chennai - CVs - Backdoor Jobs Sap Bangalore

Backdoor Jobs_ - Chennai - CVs - Backdoor Jobs Sap Bangalore

Documents
Backdoor Freebsd

Backdoor Freebsd

Documents
Backdoor Coding: Analisi di una semplice backdoor e prime applicazioni

Backdoor Coding: Analisi di una semplice backdoor e prime applicazioni

Science
Backdoor Encryptions Aff

Backdoor Encryptions Aff

Documents
EMMC: Promotion

EMMC: Promotion

Travel
WMI Backdoor

WMI Backdoor

Documents
Backdoor Hacking

Backdoor Hacking

Documents
Backdoor Listing

Backdoor Listing

Documents
Secure and exible boot with U-Boot bootloader · Secure and exible boot with U-Boot bootloader ... exible boot with U-Boot bootloader. Tip: Other boot media I SD/eSD/MMC/eMMC:

Secure and exible boot with U-Boot bootloader · Secure and exible boot with U-Boot bootloader ... exible boot with U-Boot bootloader. Tip: Other boot media I SD/eSD/MMC/eMMC:

Documents
EMMC - iMechanica

EMMC - iMechanica

Documents
KTAG V2.23 Support ECU List - cartool.co.uk · bdm mpc5xx bdm hc12 bdm bootloader mitsubishi bootloader st10fxxx bootloader tricore bootloader m32r jtag mpc5xxx jtag renesas nec 76f00xx

KTAG V2.23 Support ECU List - cartool.co.uk · bdm mpc5xx bdm hc12 bdm bootloader mitsubishi bootloader st10fxxx bootloader tricore bootloader m32r jtag mpc5xxx jtag renesas nec 76f00xx

Documents
USB Bootloader for the MC9S08JM60 - NXP … · Tutorial for Bootloader Implementation USB Bootloader for the MC9S08JM60, Rev. 1 Freescale Semiconductor 7 NOTE If using the bootloader

USB Bootloader for the MC9S08JM60 - NXP … · Tutorial for Bootloader Implementation USB Bootloader for the MC9S08JM60, Rev. 1 Freescale Semiconductor 7 NOTE If using the bootloader

Documents
eMMC NANDriveâ„¢ - Greenliant

eMMC NANDriveâ„¢ - Greenliant

Documents
ARM Bootloader

ARM Bootloader

Documents
EMMC sponsors opportunities

EMMC sponsors opportunities

Documents
01 - Backdoor

01 - Backdoor

Documents
Bootloader Porting

Bootloader Porting

Documents
Graph Backdoor - usenix.org

Graph Backdoor - usenix.org

Documents
FreeScale Bootloader

FreeScale Bootloader

Documents
BootLoader OS

BootLoader OS

Documents
eMMC NCEMAM8B-16G Specification · Introduction FORESEE eMMC is an embedded storage solution designed in the BGA package. The FORESEE eMMC consists of NAND flash and eMMC controller

eMMC NCEMAM8B-16G Specification · Introduction FORESEE eMMC is an embedded storage solution designed in the BGA package. The FORESEE eMMC consists of NAND flash and eMMC controller

Documents