Tuesday, February 28, 2017

Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)

Nitay Artenstein (@nitayart) and Gilad Goldman (@gnull00)

Samsung's Secure Bootloader (S-Boot) for Android lies at the heart of Samsung's chain of trust concept. An attacker who compromises S-Boot could potentially load an untrusted kernel and system image, therefore bypassing most of the phone's security mechanisms.

This is a well-known attack vector: It's often used by the Android rooting and modding community, but our guess is that it's way more popular with law enforcement and government agencies.

All the more interesting, then, that S-Boot on contains several memory corruption bugs, one of which could be used to reach full code execution within the bootloader.

We can currently confirm the existence of the vulnerability only on Exynos chipsets. It seems universal to approximately 90% of the Samsung Exynos ROMs running on S5, S6 and S7. The very newest ROMs for S7 (February 2017) appear to include a fix for this bug, but we'll confirm this in a few days.

There's a lot of ground to cover, so we'll break up this write-up into two posts. In this post we'll focus on some S-Boot internals, then explore the bootloader's attack surface and get basic debugging capabilities. We'll end the post with the discovery of an especially interesting attack surface. In the next post we'll disclose the actual vulnerability and how we exploited it to get code execution in S-Boot.

We won't go into much detail on the basics of reversing S-Boot, such as how to load it into IDA or find the base address. Fernand Lone Sang (@_kamino_) is about to publish a great article exactly about that and I'll put a link for it here when it's out. If you need any help beyond that, just DM me and I'd be glad to give you a hand if I can.

Understanding S-Boot

The boot stages on Samsung phones

The Android boot process on Samsung begins with code running in the Boot ROM, which verifies the integrity of the next-stage bootloader using the OEM public key, known on Samsung devices as the Samsung Secure Boot Key (SSBK). It then loads two separate processes into memory: One is S-Boot itself, and the other is the TrustZone TEE (Trusted Execution Environment), running in the so-called "Secure world".

The two processes work in tandem. The TEE OS, which in the Exynos case is Trustonic (formerly MobiCore), is called from S-Boot to verify that images are properly signed before they're loaded or flashed. Therefore, a compromise in either S-Boot or the TEE will mean a potential compromise of the whole system.

S-Boot itself is divided in two: The first stage bootloader, BL1, is called from the Boot ROM and initializes the low-level system primitives. BL2, which BL1 jumps into after verifying its signature, is already a minimal OS on its own, complete with driver support for USB, display and I/O.

Since we were interested in finding a bug that will let us subvert the boot process, we decided to look for it as close to the actual kernel booting as possible. That's because we knew we'd already have an initialized system at our disposal, making further operations such as disk I/O - which we'll need to do to flash our custom image - rather trivial. So we decided to jump into BL2 and ignore BL1 at this stage (although we're sure it'll be fascinating to reverse it at a later stage).

At this stage we didn't have any debugging capabilities at all, just the sboot.bin blob that comes together with the standard Samsung Exynos image. So we opened the blob in IDA and honed in on BL2.

A typical function in BL2. Notice the quantity of strings

This was pretty easy: knowing that BL1 is mainly responsible for low-level initialization, while BL2 is almost a full-featured OS, we concluded that functions belonging to BL2 will be necessarily bigger and with more debug strings and references to other functions. Once we determined where BL2 was, we used some old reversing tricks to determine the base address of the image in memory.

From a high level, BL2 has several interesting responsibilities, including but not limited to:

  1. Booting the kernel

  2. Flashing a new firmware image

  3. Displaying a basic user interface during firmware updates

  4. Debugging (if we're lucky)

On bootloaders, the mechanism to load a new firmware image is usually the best attack surface to start with, since it involves direct input from the attacker as well as fairly complicated logic. So that's where we set our sights first.

Odin, the Samsung flashing client. A 90s era beauty

Into Odin

Anyone who's had any research experience with Samsung's Android phones knows Odin, the venerable but somewhat clumsy piece of software which flashes firmware ROMs to the device's storage.

On the device side, flashing new firmware involves first switching the phone to Download Mode, which is implemented in S-Boot, by pushing a three-key combination, then connecting it via USB to the host which is running the Odin client. The Odin client then sends the selected firmware image to an Odin server running on the device. You can't just flash any image, of course, and on locked Samsungs the bootloader will reject firmware that is not signed by Samsung.

Download mode. Locked bootloaders reject unsigned images

On the bootloader side, Odin utilizes a fairly comprehensive protocol in the bootloader to receive and transfer data over USB. So that's where we first concentrated our efforts.

If you want to follow along with our analysis, the ROM version we're using here is G930FXXU1APF2. That's a Samsung Galaxy S7. Go ahead and download it from Sam Mobile

The key function in the Odin handler code, which handles almost all of the Odin protocol, is process_packet (at address 0x8F00A0A4). And we're immediately faced with a bug as soon as we read the function:

The beginning of process_packet

As you can see, the Odin protocol looks at the packet ID and chooses the relevant branch of the code. Packet ID 0x65 tells Odin that we're about to do an operation related to a PIT file (PITs contain partitioning information, read more about them at this XDA thread).

When the code runs into ID 0x65, it can either read out the current PIT file to a buffer or write a new one to the special partition which holds the PIT data. If the second byte of the packet is 1, Odin goes ahead and copies the current PIT to a buffer which will then be transferred to the Odin client. The client needs this to determine whether the new firmware fits within the current partitioning scheme.

But where does the buffer to which the PIT is copied (
xfer_data.pit_buf) get initialized? Apparently, it only gets allocated in this case:

The allocated of pit_buf

Meaning you have to first send an initialization packet (ID 0x64) before the buffer gets allocated. If you don't, the buffer just points to 0. And if you try to copy the PIT before the buffer gets allocated, the code just goes ahead and tries to copy to 0: a classic null-pointer dereference.

This bug is similar to many other bugs that we found in Odin, in that it crashes the bootloader but is probably not exploitable. In this case, since we're on an ARM64 architecture, the address 0 is just not mapped and any attempt to copy to it results in instant panic. Things aren't so bad on ARM32 architectures, since the address 0 could contain the Exception Vector Table (EVT) which could be overwritten. The problem with this is that we still don't control what we write, since we don't control the PIT data.

But this bug does give us something else. What do we get on the screen when we trigger the bug and crash the bootloader?

Inside Upload Mode

Dumping Memory

A quick look at the code reveals that the bootloader exception handler prints the above output to screen, then enters something that's referred to as "Upload Mode". That's an interesting development: Upload Mode is a semi-secret bootloader mode that's been puzzling the modding community for years. Some users report getting it after especially bad kernel panics; others say that it comes up because of PMIC issues. Now we also know that we enter it during bootloader exceptions.

Looking at the code, we see that Upload Mode is implemented as an inline function in usbd3_rdx_process (at address 0x8F028C1C). We've edited and simplified the code a bit for clarity.

mode_switch = p_board_info->mode_switch;

if ( mode_switch & UPLOAD_MODE )
  if ( !transaction_data.response_buffer )
    transaction_data.response_buffer = (char *)malloc(0x80000);

    if ( !transaction_data.response_buffer )
      printf("%s: buffer allocation failed.\n", "usbd3_rdx_process");
      goto INFINITE_LOOP;
  if ( !strcmp(packet_buf, "PoWeRdOwN") )
    goto POWERDOWN;
  if ( !strcmp(packet_buf, "PrEaMbLe") )
    memcpy(transaction_data.response_buffer, "AcKnOwLeDgMeNt", 15);
  if ( !strcmp(packet_buf, "PrObE") )
    memcpy(transaction_data.response_buffer, log_location_buf, log_location_buf_size);
  dump_start_addr = strtol(packet_buf, NULL, 16);
  dump_end_addr = strtol(packet_buf + 9, NULL, 16);
  (some length checks)
  memcpy(transaction_data.response_buffer, dump_start_addr,   dump_end_addr - dump_start_addr);

This is a fairly basic protocol to dump memory from the device. After sending a sequence of initialization packets, you simply send a dump start address and a dump end address, and you get back the dump over USB.

This is extremely useful for debugging and reversing purposes, since we can dump a memory image after a crash, look at the registers and the stack and generally get an idea of what's going on. We can, of course, also dump the full range of memory to aid us with reversing. We'll see that this ability will become useful in the second part of this write-up.

Since we haven't been able to find a public tool which dumps RAM over Upload Mode, we've written up one of our own. Feel free to experiment with it.

Fuzzing Odin

At this stage we went back into the Odin protocol, hopefully to find an exploitable bug. One of the things we automatically do when diving into new attack surfaces is to write raw, basic fuzzers as we go along to help find some easy wins.

This proved a bit harder to do with S-Boot, because it uses a proprietary protocol over CDC ACM (a form of serial) and it's pretty hard and frustrating to get to work with correctly. The small details are hard to get right: For instance, you have to send in an empty packet after every standard packet, some packets need to be 1024 bytes even if they only contain only 4 bytes of real data, etc. Writing a packet fuzzer from scratch was too slow for our time limits.

That's where Benjamin Dobell's awesome Heimdall comes in. Heimdall is an open-source implementation of the Odin client protocol which takes care of all the annoying bits of talking to the Odin bootloader code, so we used this as a basis for a basic fuzzer and just extended it a bit.

We've added a command line option called "fuzz", which just takes a bunch of raw packets that you can pre-generate with some Python code, then sends them to the device in sequence while taking care of the low-level details. You can get it here.

We got some interesting crashes in Odin using this approach, but none that seemed exploitable at first glance. We were about to go deeper into Odin when we decided that we want to spend some time on extending our debugging capabilities. And this is when we made an interesting discovery.

The UART Console

Searching through the binary, we found a set of suggestive string pointers at 0x8F08BD78:

The possible command list

These looked like pairs of command names and descriptions, possibly some kind of terminal interface left open for diagnostic purposes - quite a common find in other embedded projects that we've done, but not one that we expected here.

Assuming that there's some sort of serial interface which will enable us to connect to this terminal, we found out that members of XDA have already been here before.

It turns out that Samsung have been leaving a UART terminal open via the bootloader, through which they have exposed some low level commands for service and diagnostics. Some of these commands enable you to boot the kernel with special parameters, write or read from storage and trigger various USB modes.

However, since the original XDA publication in 2012, there have been no public reports of anyone getting input to these terminals, leaving many researchers to assume that this interface has been cut off. This was an assumption we wanted to test.

After some further reading, and especially based on Michael Ossmann and Kyle Osborn's Black Hat presentation from 2013, we realized that Samsung phones, as well as all of Google's Nexus phones, feature a multiplexer IC (MUIC) that is placed between the USB connector and the USB controller. By detecting the resistance between the ID and ground pins on the USB connector, the multiplexer switches different connection paths on the device.

Two such paths that are openly documented are normal USB and USB OTG. Another mode, which isn't mentioned in any public documentation, is UART.

The Samsung Anyway
We then set to work on getting a connection to this undocumented UART terminal. Our first port of call was the Samsung Anyway Jig, a device that Samsung is pretty secretive about. It's used by Samsung engineers and it's rather hard to get one, although they do show up on eBay every once in a while.

Apparently, the Anyway does nothing more than set several predefined resistance levels to the ID pin and breaks out the D+/D- lines to a DSUB connector which can then be connected to a PC via a serial-to-USB adapter.

Getting a used Anyway on eBay, we tested various combinations of switches to try and get the MUIC to switch to UART terminal mode. This did work on older Samsung phones, but we only succeeded with getting input - we got logs from the bootloader and kernel, but we didn't actually get a terminal.

At this stage we decided to build our own makeshift UART cable, similar to what Joshua Drake did with the Nexus 4 UART cable
We collected various scraps of data from XDA regarding ID pin resistor values and corresponding manufacturer’s modes. We also got some hints from the kernel DTS files. This is what we came up with:

Our makeshift jig

Since we wanted control over a range of resistances, we used a variable resistor which we would set to the desired value (measured using a multimeter) and connect to the S7.

Our jig is quite simple: an RS232-to-USB has its TX/RX lines connected to the D+/D- USB lines of the micro USB connector and the ID pin is connected to the ground pin via the variable resistor.

It turned out that the correct resistance value is 619K ohm. When set to that resistance, we'd get some output when booting up the device. But that still didn't seem to do the trick, since the output would go silent after a few lines - and we still couldn't get a terminal.

The initial UART output. Logs went silent after ifconn_com_to_open
Digging deeper to find the source of the problem, we had a look at the function we labeled get_initial_uart_str (0x8F006ECC). It appeared that the UART console was only started if this function returned non-null:

From this, and especially from LABEL_9, we can see that the bootloader is expecting a sequence of at least four carriage returns before it enters console mode.

The way was now clear: By mashing the 'enter' key on startup while the jig is connected, as well as pushing the volume down and power button at the same time, we managed to clear both the ifconn_com_to_open check and the terminal check.

And, finally, we got our reward:

As you can see, the console already exposes some pretty interesting commands. But we're keeping the real fun for our next post. 


  1. Very impressive work, well done! waiting for your next post :)

  2. Nice work. We've been doing similar experiments with Samsung Wave some years ago. Regarding the upload mode, we've done also tool for that. It can be found in Samsung Wave forum on XDA somewhere around 2011. With the bootloader we had, there were some special addresses you could ask for in upload mode that had special meaning. Did you look for similar behavior?

    1. Hi. Yeah, Upload Mode puts the log and some other diagnostic data in special addresses, and there's a command which gives back an index of those addresses. My focus was on understanding the firmware and developing an exploit, so once I got the ability to read an arbitrary memory address I didn't dig deeper. But I probably should. I looked around XDA for your code and couldn't find it, mind posting a link here or sending it over to me by DM?

    2. Hi can you link me to your post on xda

  3. Kamino's article is here:

  4. Great work.
    I tried to downgrade my sboot (dd if=sboot5.1 of=/dev/block/sdb) and phone is completely dead, pc does not recognize any device, not even exynos7420 serial device (first time that happen)
    I build uart before i saw your article, but i got only some tabs or space when i connect phone.
    ALso tried with my friend S4 but, can't enter sbl, i see only log in terminal.
    Is any chance for reviving my device? Maybe uart does not work, i don't know does tx works...
    Do you first plug uart or press volum - and power on device?
    Thanks for your work and sorry for my questions :)

    1. google Sd_card method, you short a testpoint to a resistor next to the screen cable, you then power up using power button and it alternately boots the scard.

    2. Not sure it is possible because s6 edge does not have sd card. Also can't find backup of working G925A (AT&T), asked on many forums, but no one answered....
      Are you sure it can be done, with usb-otg?
      Thanks for reply :)

  5. This comment has been removed by a blog administrator.

  6. This comment has been removed by a blog administrator.

  7. This comment has been removed by a blog administrator.

  8. This comment has been removed by a blog administrator.

  9. Wow! it's looking awesome but also this is so careful activity. it needs perfect guide to do it. Thanks for sharing this amazing guide. Really It's an awesome blog.
    #Mobile App Development in California

  10. Great! I wonder to know if the jig you made can be used with Samsung S5/S6?

  11. This is great! When will part two come out?

  12. Great approach,looking for part 2

  13. I thought haven’t read such distinctive material anywhere else on-line.www.sosav.co.uk

  14. This comment has been removed by the author.

  15. I believe that it is best to use private investigation brisbane to solve the case of cyber stalking or any form of cyber crimes as such. It is somehow noted that this is most prevalent among youngsters and teenagers. Come in touch with http://www.graingerinvestigations.com.au/ No one can as good as the investigation detective brisbane in Internet crime cases.

  16. for Sharing....do you have any idea about where get UFS Sector/size ? for ufs erase_normal and ufs erase_boot.... example ufs_erase normal 316928 512

  17. When is number 2 coming? Id like to see what can be done inside aboot!

  18. Thanks for posting your valuable thoughts with us & our readers. Please keep continue writing on this blog.
    Bulk SMS Service Provider

  19. While marketing can be tricky, it is the content that makes the site important. If you provide informative content that serves the needs of your visitors, word will spread.
    private investigation brisbane
    Private detective Ipswich
    Private investigator Brisbane
    Private detective Brisbane
    investigation detective brisbane
    top private investigator
    brisbane private detective

  20. It is our need that you put it here in your post as much useful that all can take it as a good thing from your site. Thank you.
    digital marketing company in india


  21. In the last few months we've seen a lot of Health Care Reform rules and regulations being introduced by the Health and Human Services Department. Every time that happens, the media gets hold of it and all kinds of articles are written in the Wall Street Journal, the New York Times, and the TV network news programs talk about it. All the analysts start talking about the pros and cons, and what it means to businesses and individuals. Health is God

  22. Nutra Trials defines personal characteristics of different health products including skincare, weight loss, muscle and male enhancement. The study presented here is briefly described for reader convenience and to deliver them assurance with health standards. The best possible answers are given here regarding the selection of an ideal supplement or cream or serum that possibly remains to be safe for health and do not cause any side effects.

  23. It is a great job, I like your posts and wish you all the best. and I hope you continue this job well.
    NutraT line

  24. This is a great post ! it was very informative. I look forward in reading more of your work. Also, I made sure to bookmark your website so I can come back later. I enjoyed every moment of reading it..
    kim kardashian sex tape
    porn sex video hd
    mia khalifa sex video
    sunny leone sexy movie

  25. Free Download Samsung Mobile USB Drivers For Windows XP / 7 / 8 / 8.1 / VISTA / MAC https://www.yluvm.com/2018/10/download-samsung-usb-drivers.html

  26. Wow! amazing post. Thanks for the such good type of article. Supplement Doctor suggest most advanced and latest Health & Wellness Products Daily Basis. Everyone Collects more info about their favourite Supplements. https://supplement-doctor.com/

  27. Hello, I am thomus jons thank you for this informative post. That is a great job. Wish you more success.Thank you so much and for you all the best. Takes Down

  28. Times For Health is Online Health & Wellness Program! I came on the your post and i got so information here. Thanks for the valuable post. https://www.timesforhealth.com/

  29. Hey Nice Blog!! Thanks For Sharing!!!Wonderful blog & good post.Its really helpful for me, waiting for a more new post. Keep Blogging!
    samsung mobile service center in coimbatore
    lenovo mobile service center in coimbatore

  30. TecSmash is your ultimate source of Technology news and Make Money Online product reviews. We research and review all Tech, MMO, Biz Opp and IM products.

  31. Income designers.com is the number one destination to find genuine make money online programs and services incomedesigners

  32. HealRun is a health news blog we provide the latest news about health, Drugs and latest Diseases and conditions. We update our users with health tips and health products reviews. If you want to know any information about health or health product (Side Effects & Benefits) Feel Free To ask HealRun Support Team.

  33. Here is our FB SociCake Review, in which I have revealed the good, bad and ugly about Mario Browns FB SociCake Facebook Marketing Tool. fb socicake review

  34. Supplements For Fitness People with preexisting health problems who take thermogenic drugs may experience severe reactions such as seizures, heart attack, coma and even death.

  35. Pilpedia is supplying 100 percent original and accurate information at each moment of time around our site and merchandise, and the intent is to improve the usage of good and pure health supplement. For More Info please visit Pilpedia online store.

  36. Vital Keto : Je m'attends à ce que ça vous aide. Je ne peux pas croire que nous avons oublié cela plus tôt, mais votre perte de poids ne fait pas vraiment cela pour vous.

    Visitez-nous : Vital Keto

    Vous pouvez également visiter : bit.ly/2QNfWny


  37. Renewal Derm: As a matter of fact, let's start. It was a troublesome pill to swallow. I thought it was a Skin care enigma. For starters, it'd be sensible if you had Skin care as a result of Maybe this has additional than one meaning. I conjointly sent an e-mail touching on Skin care. Apprentice saved my ass this afternoon. That isn't a vital part. These are the vital things you must be doing with Skin care.


  38. Genodrive : It's all the Testosterone booster insight that you wish. Male Enhancement provides an abstract solution to the easy downside of Male Enhancement. This is the truth of things. You'll be able to go from novice to professional quick. It's the inside track on Testosterone booster. The Male Enhancement path you choose will have a robust impact. It's typically required on behalf of me to outline things just a touch.

    BUY NOW HERE : https://www.nutrifitweb.com/genodrive/

    Read More : https://www.smore.com/q9b6t-viralis-rx

  39. Nulante Cream :I am inclined typically to believe this because it considerations Skin care because the last four and half years of my life have been filled with chaos. I was instructed by many totally different experienced folks earlier. Skin care offers delight to everyone.