
eMMC hacking, or: how I fixed long-dead Galaxy S3 phones


Speech transcript
Good morning once again. Our next speaker this morning is an independent security researcher. He founded the [unclear] group, which some of you might have heard of, and he previously worked on openiBoot. Please give a big round of applause.

Thank you. So I'm going to talk about eMMC hacking, or how I fixed Galaxy S3 devices. First, a quick introduction about myself: I'm a 25-year-old security researcher based in Asia, and I'm currently working at a startup; however, this talk has no connection to my employer whatsoever. I previously worked on openiBoot, which was an open source alternative bootloader for iOS devices; we aimed to run Linux on the iPhone 3G, 3GS and iPhone 4, and we had some success. I also found some of the bugs which were used to unlock these devices [unclear]. This is my contact info if you want to reach me; you can find my website and my username there.

OK, so here is an outline of this talk. I'm going to start with an introduction, the story of how I got to hacking these devices. Then we'll talk about Samsung's patch, which they used for Galaxy S3 devices. Then I'll talk about how I obtained the eMMC firmware and analyzed it. I'll cover the bug itself that bricked S3 devices, and then I'm going to talk about how we resurrect bricked devices.

So let's start with the introduction. This phenomenon is called sudden death syndrome; that's the name people gave it over the forums. It started in 2012: Galaxy S3 devices just started dying for no apparent reason. You could use your phone, and then one day it would get stuck, and if you tried to reboot it, it wouldn't boot anymore; the phone was basically a brick. If you're lucky, the phone boots into the bootloader, so you see a screen drawn by it [unclear]. If you're not lucky, then it's just a brick: you can't use it, you can't turn it on, if you plug in a USB cable nothing happens, and you can't even charge the battery, because even the charging mechanism relies on the phone being powered on. So this is an example of somebody saying that this is happening to a lot of people, "I hope Samsung does something about it." And actually they did, but it wasn't a proper fix; I'll talk about it later. So let's talk about
how you diagnose such devices. This is a working S3; you can see the beautiful background, it's powered on. And this is a dead one; the screen is just black, you can't do anything. But actually, as I said before, if you're lucky you see this screen, which is drawn by the bootloader and shows some error text [unclear], and if you press a specific combination of keys you get this screen, which is called download mode; we'll talk about it later.

So this is my current understanding of how the S3 works. This is a rough schematic; there are a lot of different peripherals in there, but the important parts are these: this is the main CPU, which is called Samsung Exynos, an ARM-based CPU; and then you have the eMMC, which is a storage device, the standard storage device for phones, and there's some NAND flash inside of it. It's one package, and if you inspect the silicon you see [unclear].

OK, so then Samsung dropped the patch. What happened is that they said to the press that they had fixed the S3 issue, and since Linux is GPL licensed they had to publish the source code. The patch was called something like "mmc: ... VTU00M ..." [unclear], and it modified the driver file responsible for communicating with eMMC devices. In order to understand this patch, we have to talk about what eMMC is.

What is eMMC? Basically, it's the de facto standard storage for phones. Actually, nowadays high-end phones are starting to use UFS, which is the bus that replaces eMMC, but the majority of phones still use eMMC. You can think about it as an SD card in BGA form: it's a package that you can solder onto your PCB, and it's basically an SD card; it uses exactly the same bus. As you can see, some company called Hardkernel made eMMC chip modules, and they also made an adapter which you can plug them into. There's no logic in this adapter; it just turns the eMMC into an SD card device, and it works. So eMMC is essentially a NAND flash chip with a convenient bus, the same bus as SD cards; for this reason some people also call it an "internal SD card". If I say SD card later in my talk, I'm going to mean the eMMC.

So when you communicate with the eMMC, you use commands, just like with an SD card. There are 64 commands, denoted CMD0 up to CMD63; for example, you have CMD17, which is read single block, and CMD24, which is write block. Each command takes a single 32-bit argument, so you send a command which has a number and an argument. All the commands are categorized into classes, and there's one specific interesting class, which is class 8, because if you look at the
specification, you see that CMD60 up to CMD63 are reserved for the manufacturer. So if something interesting is going to happen, it will probably happen with these commands.

So let's go back to the patch. Samsung said they fixed the bug, so S3 devices don't get bricked anymore. Actually not. At its core, the first thing it does is compare the card's name to VTU00M, which is the product name of the eMMC chip; then they compare a number to the value F1, which is actually the firmware version of the eMMC; and then they call a function called mmc_start_movi_smart, which isn't that interesting, so I'm not going to talk about it. If all of these comparisons are true, it calls mmc_start_movi_operation, which is the main logic responsible for fixing the chip. The thing to note about this patch is that this code runs every time you boot the device: every time the eMMC chip is powered on, this code runs.

So let's talk about mmc_start_movi_operation. I edited the code for brevity, so it's not exactly the same patch, but this is basically the logic that they use, and there is one strange thing about this function. mmc_movi_erase_cmd is an erase command which takes two arguments; it uses two arguments because you precede it with a different command, so you can give it two arguments. The first argument is the start block number to erase, and the second argument is the end block number to erase, so it erases the blocks in between. So what should happen is that the first call to this function erases all the blocks between the two block numbers [unclear], and then the next call had ranges which overlap, which was very strange. So my guess was that this is probably not an erase command; it is probably something else.

The next thing to note about this function is that the first two calls and the last two calls are to the same function, and the command it sends is basically CMD62, which is a class 8 command, so it's reserved for the manufacturer. My guess was that the first two calls enter some secret backdoor mode hidden inside the eMMC, and the last two calls leave this mode, and within this mode the erase command doesn't erase anymore; it does something else. Then I saw that if you inspect the first argument, the numbers are consecutive, incrementing by four for the first five, except for the last number; so it looks something like memory addresses, right? And if you look at the second argument, I noticed something very interesting: if I assume this is memory data, then if you look at it as little-endian numbers you see 10 B5, so it starts with B5. I used to code a lot of ARM assembly, and B5 is PUSH in Thumb, which is an instruction set from the ARM specification, and Thumb functions start with PUSH, right? So this is an interesting finding. Basically, this is my current understanding of how the eMMC works: inside the eMMC there is not only NAND flash but also a microcontroller, and in Samsung's case this is an ARM-based microcontroller. So I thought this patch might modify the internal memory of this chip somehow. What I wanted to do is examine what this patch does, so I just took the data that it writes, put it into a binary file which I called patch.bin, and used IDA to see what is going on there. This is the snippet, so at the bottom you can see the actual ARM
instructions, but if you're not familiar with ARM you can also see the decompiled code. What they do is basically call a function, and if it returns 0 the chip will go into an infinite loop. This is interesting because later on I understood what was there before this patch: it was just a call to this function, without this check. So they took a single call to a function and turned it into a call to the same function, but if it returns 0 they just go into an infinite loop. So my thought was: this can't fix anything, right? Because the chip is either going to do the same thing as before, or it's going to go into an infinite loop. And then the reports of freezing phones started. This is a quote from that thread; you can see the S3 freezing, locking up, and users reporting "it keeps freezing every 5 minutes", "50+ freezes today". This is insane, right? This phone is useless; I can't use it as my phone if it freezes every 5 minutes. I had an S3 as well, and I started observing freezes on my phone too.

So the next step I wanted to do is obtain the eMMC firmware, in order to understand how it works. How do you get the firmware? The first way is to write: I can write to the eMMC's memory, so I can just write code to random locations and hopefully it will get run somehow; just write things to different addresses, lucky guesses, and maybe I will see something on the bus and then try to obtain the firmware. But this is like a shot in the dark. The next thing I thought about doing is to fuzz different commands, like CMD60, CMD61, different class 8 commands, but I didn't want to destroy my own eMMC, which was still working. So the last thing I thought about doing is to look for clues. How do you look for clues? Just google some of these numbers that Samsung used to enter this backdoor mode, and I found something.

So this is a patch from a different device; it's called "patch the firmware of certain Samsung [unclear] parts to fix a bug", and it uses the same mode as before. Notice the arguments they use: EF AC 62 EC, and then 10210000, and this is important. Then they write the value 0xFF to an address [unclear], but then there was something else afterwards. If you continue to read this patch, you see this snippet which is enclosed by an ifdef called something like TEST_MMC_FW_PATCHING [unclear], and they use the same EF AC 62 EC as before, but now they use the argument 10210002. The next thing is that they use an erase command with the same address as before, but then they do read commands. I was wondering: maybe this is Samsung's way of reading from a memory address of the eMMC, because they use the erase command with the same address as before, the second argument is 4, which looks like a size, and then they read a word from the eMMC. So I took this snippet of code and modified it into this snippet, which basically just loops over all the addresses in the address space (I just guessed how big the address space is), reads a single word every time, and dumps it into a file. And I got this thing, which looks like an
ARM vector table, right? So the names that you see, like hard fault and so on, are my names; what I saw were addresses, but this looks like an ARM vector table, so I understood that I basically got the firmware of my own chip. The next step was to reverse it, in order to analyze what the bug is. Luckily for me, the firmware contains strings, so I can use them as part of my reversing process; actually it contains a single string, and it was this string, which isn't very useful if you're trying to reverse an FTL. So this is a snippet of my reversing process; I used a lot of names [unclear], but I basically understood the high-level logic of this code and got to the point where I can understand most of the firmware.

So let's talk about the bug. Before we talk about it, we have to talk about what eMMC is exactly. Let's talk about normal storage first, like a hard drive: you have two operations, a read operation, which reads data from the device, and a write operation, which writes data to the device. This is pretty normal. Then you have NAND flash storage. If you have NAND flash storage, you can do a read operation, which reads data, same as before, but the write operation actually turns off bits: if a bit was already 0 it stays 0, and a 1 can only be turned into a 0. So it's basically a binary AND mask onto the storage. Then you have an erase command; you have to have some way of reversing this process, and an erase operation erases a whole erase block, turning all the bits in this block into ones. But that is a slow operation, and there's another problem: there's a limited number of program/erase cycles, so if you do something like a thousand, or maybe tens of thousands or a hundred thousand erases, the block will eventually die, and then it's not usable anymore.

So some software has to do a translation: take this raw storage and do an abstraction which shows it as normal storage. This is called an FTL, or flash translation layer; this is common. The FTL is responsible for many things, but some examples are wear leveling, which is spreading out erases among different blocks so no single block gets erased a lot of times; and bad block management: if a block already died, then it will remap it internally to a different block; it actually has spare blocks. And the firmware, in Samsung's case, is also responsible for the bus communication.

So what is the bug exactly? When you do write operations on the device, the FTL has to save some metadata for itself, because it has to keep track of how many times each block was erased, what the internal mapping is, and so on. So it has some metadata that it saves for itself, and when you do write operations, it has to modify this metadata. And there was a miscalculation in this code which, not always but sometimes, makes the metadata corrupt. It should only happen once: once the data got corrupted, before Samsung's patch, every time you try to power on the eMMC chip the FTL will try to parse this data, it's corrupt, so it raises an exception [unclear], and the exception handler in Samsung's case is just an infinite loop. So you use the device, and one day the metadata gets corrupted, and then you try to turn it on, it tries to parse the metadata, it's corrupt, it raises an exception, goes into an infinite loop, and you can't access it anymore. The eMMC is basically
essentially dead, because you send commands to it and nothing responds, because the firmware is the software that is responsible for answering eMMC commands. So Samsung's patch was something like this: right before the metadata is about to get corrupted, halt the CPU. So there's no brick: the bug is about to happen, and instead you just halt the CPU, so it never happens, and instead of sudden death syndrome you get sudden freezing.

So I wanted to fix my own device. A quick recap: I got the eMMC firmware by analyzing Samsung's patch; there was a bug causing metadata corruption; once it happened, the chip wouldn't work anymore; and Samsung's patch was to avoid the bug happening at all. So the next step is obviously to fix the dead phones, right? The CPU gets into a loop that it can't escape, but what happens before it gets into this loop? I took a look at the firmware; this is the memory layout. As you can see, at address 0 there's something that I called the boot ROM. It's a ROM, you can't write into it; it's code, and what it does is initialize the eMMC hardware and load the firmware from the NAND flash chip. This is strange, because if the boot ROM is already there, why doesn't it already do the things that the firmware is responsible for? So my guess was that the firmware was too big to reside wherever the boot ROM resides, so they had to bootstrap it from the external NAND. It also has its own machinery for eMMC commands, which is strange, because all it has to do is load the firmware. So my guess is that during the production process the NAND flash is empty and there's no firmware, and when Samsung produces these chips they power them on, there's no firmware, so the boot ROM goes into some kind of recovery mode and exposes an eMMC bus, and from there you can write the new firmware. The boot ROM is basically a stripped-down firmware; there's no FTL, but it looks like the firmware itself.

So this is my current understanding of how the eMMC works: inside the eMMC you have two silicon dies. The first is an ARM chip which has a boot ROM, which loads the firmware from the NAND flash [unclear] and executes it. So if we could ever talk to the boot ROM, this might be interesting, because we could maybe do something interesting. The only problem is that the firmware loading always succeeds, because the firmware is intact: the boot ROM will try to load the firmware, the firmware is there, it will jump into it, the firmware executes and goes into an infinite loop. So there's no chance of ever talking to the boot ROM, right? Actually not.

This is not correct, because the boot ROM does this: in a function at address 0x70BC a timer is set for 35 ms, and if during this time period some interrupt fires (this is interrupt number 7; I don't know what it is yet), they read a value from a memory-mapped I/O address and compare it to this magic constant. If this comparison is true, firmware loading is skipped and it goes right into this recovery mode. So this is a schematic of the boot process: one column is the normal boot process, and if we ever get to the right column, we get into recovery mode. My guess is that this interrupt number 7 corresponds to some eMMC command, and the value that they read from memory-mapped I/O is probably the MMC argument, because it's 32 bits. So a dead eMMC gets stuck on boot; however, right before it gets stuck there is a time window, and during this time window, if you somehow trigger this interrupt, the boot process is aborted and it goes right into recovery mode, which is interesting. But the phone is already dead, so how do you talk to the eMMC? I could have used hardware, like an SD card reader, to send commands externally, but I wanted to make something which is software only, because I don't know how to solder; it's a lot of work. So the next step is to talk to the eMMC by some kind of magic, then access the eMMC boot ROM, and then we can repair it from this boot ROM recovery mode.

So as I said, if you're lucky you get this screen. This is the phone's bootloader; it is SBOOT, and it is saved on the eMMC itself. So how do you get this if the eMMC doesn't respond? How does the main CPU get to execute this bootloader? Apparently, if you read the specification, you see that the eMMC has two partitions, and it's not
partitioning in the file system sense; it's partitioning in the eMMC sense, and there is a boot partition and a user partition. The boot partition holds, in Samsung's case, the bootloader for the main CPU, and the user partition holds everything else: it stores Linux, the Android file system, the apps, etc. The boot partition has its own metadata, and the user partition also has its own metadata. A friend of mine had a bricked S3 which does load SBOOT, so he gets this screen, and I understood that what happened is that only the user partition's metadata got corrupted, so the boot partition is still intact. I suspect this is a common scenario, because when you write to the device you usually don't write to the boot partition; you write to the user partition. So if something is about to get corrupted, it will be in the user partition.

So this is how the S3 breaks down: the main CPU tries to access the eMMC and asks "give me SBOOT"; the eMMC parses the boot partition and returns SBOOT to the main CPU; then SBOOT tries to access the user partition in order to load Linux; then the eMMC firmware tries to parse the user partition metadata, it's corrupt, so it goes into a loop. SBOOT actually has a firmware upgrade mode, which is called download mode, and it has a protocol: the phone side is called Loke and the computer side is called Odin; this is a reference to Norse mythology. There's no way of sending low-level eMMC commands. If you ever saw this screen, it's Odin, software made by Samsung to talk this protocol, and in this protocol you can't send raw eMMC commands to the eMMC. So I need to send commands to the chip, but the code is in SBOOT, so obviously the thing I had to do is exploit SBOOT and run my own code.

So this is taken from one of the USB packet handlers from SBOOT; this is decompiled code. You control these variables. If it's 1, it will read something from the USB packet and put it into a buffer, and it will use this number that you gave it as an offset into this buffer, but it doesn't do any boundary checks, so this is an out-of-bounds read, a limited one. In the second case, it takes the size from the USB packet and copies it into this buffer, which is allocated on the heap with a size of up to 4000 [unclear], but it doesn't do any boundary checks here either, so this is a heap overflow. Eventually I found that this is not actually a zero-day: if you take an S4 or an S7, this handler is fixed, but the S3 is end-of-life, so it's still there.

So let's talk about Samsung's SBOOT heap implementation. If you want to allocate some size, the heap chooses a chunk which is larger than the size you want to allocate, but it splits it from the end; I'll show an illustration in a moment. The thing to note about this heap implementation is that there are no security mitigations at all; it's very basic. So let's say you want to allocate 50 bytes and the chunk it chose was 100 bytes; then it will give you this part, the bottom part of the buffer. The chunk has its size as a parameter, and to reduce the size it goes to the end. I wanted to achieve a write-what-where in order to exploit SBOOT, and I exploited this chunk-splitting technique: first, fake a chunk which I can control, with some large size so it will get picked; then I had to figure out its address, which I can do with the first vulnerability, the relative read. Then the next step is to make sure this chunk is actually selected when you call malloc, and then it will try to give you the bottom part of the buffer, which starts from the chunk address plus the chunk size minus the size you want. And we want to control this number, and we can control this number, so if I solve this equation, if I want to control the address I can just use this number as the chunk size and it will give me this address. So the actual exploit is, in my opinion, boring; you can find it under this repository, it's public, so you can just take it and use it. This is the demo of it, and this is SBOOT, and this is a write-what-where, as in the textbook, right? OK, so
what if it's really dead? What if this happens, and the boot partition is also gone? Then obviously something else has to talk with the eMMC and load SBOOT, right? There's another piece of code, which is called the Exynos boot ROM, and it resides in the main CPU. What happens normally is that the Exynos boot ROM starts and loads something which I call the first bootloader, which is prepended to SBOOT and is signed; it just verifies the signature of SBOOT and then jumps into it. So you can just think about it as together with SBOOT, and then SBOOT loads the kernel. But the boot ROM has to load the first bootloader and SBOOT from somewhere, so what does it try to do? It first starts with the eMMC, and if this fails it goes to the external SD card. So I just took SBOOT and the first bootloader and dropped them on an SD card, but this didn't work, because when SBOOT boots in this case, it boots into SD card mode, in which there is no USB protocol, so you can't exploit it; and as I said, it is signed, so I can't patch it. But apparently some people came over [unclear] and found out that there's a development board called Odroid-X which uses exactly the same SoC, so it's the same boot ROM with the same signature, but it uses a different first bootloader, which doesn't do any signature checks at all. So if you take this first bootloader and append a patched SBOOT to it, it will jump to the patched SBOOT, and then you can just exploit it and run the code. This is the modified boot process: you start with the Exynos boot ROM; you plug in an external SD card, which has the Odroid-X first bootloader, which is signed, so the boot ROM will jump into it; then the first bootloader will jump to the patched SBOOT, which can then be exploited to run your shellcode. No hardware modification is required; only software.

So if the boot partition is still intact, the phone loads SBOOT as usual, and it's stored on the eMMC; but if it is corrupt, the phone uses the SD card. Either way I can load SBOOT, and then I can exploit the vulnerability to gain code execution in SBOOT. The next step is to gain access to the boot ROM. As I said before, I need to trigger this interrupt number 7 and send this argument somehow. So I just iterated over all the possible eMMC commands, which is from 0 to 63: I power the eMMC down, so the boot process gets started again, then quickly send command X with this argument, and wait some time for the boot process to finish. Then I send a command which is supported by the boot ROM recovery mode, and I check if I got a response. I started with 0 and said, maybe it's going to work, maybe not; 0 stays dead, and I said it's never going to work; and then command 1 worked. This was very exciting for me, because this was the first time the chip actually responded; up until then, on the bricked device, I had tried to send several commands and never saw a response, and this was the first time I actually saw a response back from the chip. And the eMMC boot ROM even accepts commands [unclear]. So let's fix it, right? Let's repair the eMMC.
So there are two revisions of this chip's firmware: the first revision uses firmware F1, which is buggy, and then other phones came with revision F7, in which the bug never occurs. So probably Samsung fixed the bug in later revisions. My goal was to update the chip firmware to F7 and format the metadata, so the corruption is gone. OK, so what I did was to write a firmware dumper tool, which is a kernel module, and then I had to convince somebody over the Internet to run my code, which sends low-level eMMC commands, on their own device. Thanks to a Reddit user who was courageous enough to try it, I got a dump of firmware F7, and then I just had to write it to the eMMC itself. This is a bit exaggerated, because I could have used the memory-write backdoor to write my own code, access the NAND flash chip and write the new firmware, but then I found out something simpler. There's another vector, which is CMD60, and it has two firmware upgrade modes for some reason; the formal one [unclear] supports metadata formatting: you can send an erase command which will format the metadata, and then you can read and write the new firmware; it will do everything for you.

So how do I fix a dead S3? I just get the device (it's important to note that there are many different revisions of the S3; I'm talking about the GT-I9300, which is the international one), boot to SBOOT, either directly if the boot partition is intact, or by using an external SD card, and then exploit SBOOT to run my code. From the shellcode, bring the eMMC into boot ROM recovery mode, and then use CMD60 to format the FTL metadata and flash the new firmware F7. Then we reboot the eMMC, so the firmware loads successfully from the NAND, and then you can write SBOOT to the eMMC boot partition, which is a different step [unclear]. And then profit. So this is the demo; let's pray to the demo gods that it's going to succeed.
OK no so I have a brick device a brick temples purpose of this is the device and that fact that under this battery inside nothing happens it's break I try to get into download want nothing nothing walks on the they have this still is because of which is of which does have some as much as they said before if it now try to the device should put into it yeah OK and so it would seem to something and now I can use them just
go back to the and how can I can plug it into
the was being and as good answers and now I'm going to rule and run a which exists the immensely yeah this refined that's pay for but started distributed instant would promote and i which we write the new framework it should take a couple seconds so all data because it's a but focus on yet so the next thing is going to the store about into the and then and change the boot partition size so those actually would petition that knows the shogun is done and I can just come he was a different SD card which on nodes as with no normally and it goes into has become mode and in this because mode of it will right this would put it would petition so to yeah OK
so this is has become loaded up with think you can see but if I know this has become right and just report device so this is the battery is outside of its the and it should put into them so this is as good soberly mass is fixed thank you
So, in conclusion, some shout-outs: [unclear], who had the [unclear] in the first place; thanks to them, because if it weren't for them I couldn't have had bricked devices. entropy512 was involved in the research back in 2012 [unclear], and bunnie and xobs had a wonderful talk here at [unclear] some years ago, where they talked about hacking SD cards and mentioned my research, and this motivated me to complete it, because it was still in progress; so this is the reason I'm standing here and talking today. So, thanks. So basically, I can fix bricked devices using just software, and this is just one use case, because now you can do interesting stuff with your eMMC chip. What I think we should do next is to look at newer eMMCs, which I suspect still have this vector, because I tried some chips I could get my hands on and they had this [unclear]; maybe even the newer ones have this mode. And then there's UFS, which is the bus that replaces eMMC; it's based on SCSI and Samsung produces UFS chips, so it might be interesting to see if those have a similar backdoor. It's also interesting to look at different vendors of eMMCs, and maybe one day write an open source alternative firmware for these devices. So this is question time. You can find the code I wrote to experiment with these devices at the following links, and the slides at the bottom link; it's already public, so go ahead. If you have any questions [unclear].

Moderator: Thanks very much for a really interesting talk. If you have questions, there are two microphones on the sides. First question from microphone 2.

Q: Really amazing work. Have you been in contact with Samsung about this?

A: Yes, I published my research in 2012, 2013, sorry, over forums, and I [unclear]. I contacted them from a security perspective, they wanted to fix [unclear], they never responded [unclear]. Anyway, I didn't contact them about the boot ROM recovery mode, because in my opinion it's not a security issue; but it can be fixed, it can be fixed [unclear]. And regarding the [unclear], no, it's only for the [unclear], so [unclear].

Q: So the way I understand this, this is the only way to actually fix some of the phones that are broken, right?

A: Yeah, I don't know any other way to do it.

Moderator: Microphone number 1.

Q: After you've seen the code of a real-life FTL, would you still use [unclear]?

A: [unclear] That's a very good question. So it's OK, and there's no alternative, right? But we might make something, so yeah.

Q: Do you have any idea what other devices have this eMMC and support the same commands that let you access the firmware, other devices that have had bad eMMCs?

A: [unclear] Yes, there were similar bugs in the Kindle Fire, I think one of the [unclear], and some of them got patches by Samsung, and it was usually something like this: like patching the kernel memory every time the device boots, so the bug never happens. I think on the other devices the bug was actually fixed.

Q: Are you aware of any non-Samsung devices that have Samsung eMMCs in them that might have the same eMMC?

A: Yeah, there aren't a lot of eMMC manufacturers, and Samsung is a big one; a lot of different devices use Samsung eMMCs, so [unclear].

Q: Thanks for the amazing talk and research. Two questions: the Samsung Galaxy Note 2 had, as far as I know, the same bug; can your fix also be applied to that? And is there a tool to [unclear] erasing the FTL [metadata] and the contents [unclear]?

A: So this is a good question. The first question was whether the Note 2 has the same bug; I don't know, I never had a Note 2 [unclear]. Regarding the second question: my code actually formats the FTL metadata, which is not that good, because you erase all the information about how many times every block was erased; a more proper fix would be to actually fix the corrupted metadata, but I haven't gotten to the point where I fully understand the inner workings of the FTL. So this is my current code; you're welcome to try to improve it.

Q: I'd like to know what the time frame was from when you started to work on the issue until you first fixed an S3.

A: So I obtained the firmware in 2013, and I had a working device and didn't want to [brick it], so I [stopped] [unclear]. Then last year a friend of mine said that he has a bricked S3, so I said let's try to fix it. If I'm accumulating the time in which I actually worked on it, it's probably something like a few months, four or five months, but it started about four years ago, and I finished something like a couple of months ago.

Q: Did you do some search for other undocumented commands?

A: Not yet, but I suspect there are some. I actually bought some SD cards with controllers made by Silicon Motion; I read over the Internet that some specific [unclear] and some Samsung controllers should have the same vector, so I'm trying them one by one, but as soon as I find out [unclear]. Thank you.

Q: Thanks for a great talk. I'm still using an S3 as my phone, and a few months ago it broke down: I got stuck at the boot screen [unclear] the Samsung bootloader, the good one you described, [unclear]. But also when I flashed something else, LineageOS or the default Samsung firmware, it still got stuck, and I really had to reflash everything and then it worked again. That somehow sounds really similar to the bug you describe, but in a way it also doesn't. So do you think it's the same thing?

A: If it's related, my guess would be that your device has this memory patch which freezes the eMMC when you [unclear], so what it was before, this infinite loop: at some point in the boot process the device actually froze before it got to boot, and then when you reflashed it, somehow the internal block mapping changed and now it doesn't freeze. But if your chip is [unclear] and its firmware is [unclear], then you definitely have the buggy firmware.

Q: Great work. You said you upgraded the firmware of the eMMC with a new revision; was it actually signed, or can you flash anything on the controller?

A: You can send anything. There's a simple heuristic which checks if the [unclear] looks normal, but other than that it just takes whatever is given. I think newer eMMCs, which is eMMC 5.1, have a mechanism for flashing new firmware, and I think it should be signed, but I don't have a newer eMMC, so I don't know about it.

Q: I have one last question about the Samsung patch. You said it basically goes into some sort of infinite loop; do you think they might have tried to do some busy wait, waiting for something to happen?

A: No, I think they just wanted it to never happen. My phone froze a lot of times and I waited like ten minutes, and looking at the Linux kernel, it doesn't do anything; in the code, it doesn't do anything, so my guess is it just waits forever.

Moderator: Any more questions? [unclear]

[unclear]
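The speaker's triage rule (Samsung chips on firmware revision F1 are affected, F7 is fixed) can be turned into a defender's inventory check. This is an added example, not code from the talk or from oranav's repository. It assumes that the revision the speaker refers to is the product revision (PRV) byte of the eMMC CID register, and that Linux exposes the raw CID as a 32-hex-digit string under /sys/class/mmc_host/mmcX/mmcX:0001/cid; both the path and the PRV mapping are assumptions, and the sample CID values are constructed for this example.

```python
"""Decode an eMMC CID register and flag the firmware revisions named in the talk.

Added example (not code from the talk or its author). Assumptions: the
revision the speaker calls F1 (buggy) / F7 (fixed) is the CID product
revision (PRV) byte, and Linux exposes the raw CID as a 32-hex-digit string
under /sys/class/mmc_host/mmcX/mmcX:0001/cid. The sample CIDs below are
constructed for this example; the CID field layout follows the JEDEC eMMC
specification (MMC-type cards only; SD cards use a different layout).
"""
import glob

# CID field layout, 128 bits, MSB first:
#   MID[127:120] reserved[119:114] CBX[113:112] OID[111:104]
#   PNM[103:56]  PRV[55:48]        PSN[47:16]   MDT[15:8]  CRC[7:1]  1[0]
SAMSUNG_MID = 0x15   # JEDEC manufacturer ID used by Samsung
AFFECTED_PRV = 0xF1  # revision the talk identifies as carrying the bug
FIXED_PRV = 0xF7     # revision the talk identifies as fixed

# Constructed sample CIDs: product name "SAMPLE", serial 0x12345678, dummy CRC.
CID_AFFECTED = "15010053414d504c45f1123456781501"
CID_FIXED = "15010053414d504c45f7123456781501"
CID_OTHER_VENDOR = "00010053414d504c45f1123456781501"  # MID 0x00, not Samsung


def parse_cid(cid_hex):
    """Split a 32-hex-digit CID string into named fields."""
    cid_hex = cid_hex.strip()
    if len(cid_hex) != 32:
        raise ValueError("CID must be 128 bits (32 hex digits)")
    value = int(cid_hex, 16)

    def bits(hi, lo):
        return (value >> lo) & ((1 << (hi - lo + 1)) - 1)

    name = bits(103, 56).to_bytes(6, "big").decode("ascii", errors="replace")
    return {
        "mid": bits(127, 120),
        "cbx": bits(113, 112),
        "oid": bits(111, 104),
        "pnm": name.rstrip("\x00 "),
        "prv": bits(55, 48),
        "psn": bits(47, 16),
        "mdt_month": bits(15, 12),
        "mdt_year_code": bits(11, 8),
    }


def classify(fields):
    """Return NOT_SAMSUNG / AFFECTED / FIXED / UNKNOWN plus a short reason."""
    if fields["mid"] != SAMSUNG_MID:
        return "NOT_SAMSUNG: MID 0x%02x, the F1/F7 revisions do not apply" % fields["mid"]
    if fields["prv"] == AFFECTED_PRV:
        return "AFFECTED: Samsung eMMC with revision 0xF1 (buggy firmware per the talk)"
    if fields["prv"] == FIXED_PRV:
        return "FIXED: Samsung eMMC with revision 0xF7"
    return "UNKNOWN: Samsung eMMC with revision 0x%02x, check manually" % fields["prv"]


def check_local_emmc(pattern="/sys/class/mmc_host/mmc*/mmc*:*/cid"):
    """Classify every MMC card whose CID sysfs file matches `pattern` (assumed path)."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path) as f:
            results[path] = classify(parse_cid(f.read()))
    return results


if __name__ == "__main__":
    for label, cid in (("affected", CID_AFFECTED), ("fixed", CID_FIXED),
                       ("other vendor", CID_OTHER_VENDOR)):
        f = parse_cid(cid)
        print("%-12s %s prv=0x%02x -> %s" % (label, f["pnm"], f["prv"], classify(f)))
    for path, verdict in check_local_emmc().items():
        print(path, "->", verdict)
```

Run it on a Linux host (or an Android shell with sysfs access) to list attached MMC devices with a verdict; the verdict is only meaningful for Samsung parts, since the F1/F7 numbers come from the talk's Samsung chip and other vendors number revisions independently. An UNKNOWN result means the revision is neither of the two the talk names and needs a manual look rather than being assumed safe.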

Metadata

Formal metadata

Title eMMC hacking, or: how I fixed long-dead Galaxy S3 phones
Subtitle A journey on how to fix broken proprietary hardware by gaining code execution on it
Series title 34th Chaos Communication Congress
Author Avraham, Oran (oranav)
License CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in its original or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI 10.5446/34943
Publisher Chaos Computer Club e.V.
Publication year 2017
Language English

Content metadata

Subject area Computer science
Abstract How I hacked Samsung eMMC chips: from an indication that they have a firmware - up until code execution ability on the chip itself, relevant to a countless number of devices. It all started when Samsung Galaxy S3 devices started dying due to a bug in their eMMC firmware. I will cover how I figured out there's a firmware inside the chip, how I obtained it, and my journey to gaining code execution on the chip itself — up until the point in which I could grab a bricked Galaxy S3, and fix it by software-only means.
Keywords Security
