Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode

file name: 1-s2.0-S1742287618300409-main.pdf
License: CC BY-NC-ND


While this paper directly applies to the Galaxy S6 (SM-G920F) and the Galaxy S7 Edge (SM-G935F), which use Exynos System On a Chip, some of its findings seem to be directly applicable to the devices supported by Replicant.

The most interesting part is the analysis of some of the bootloader environment variables:
  • It analyzes some variables that are accessible through the UART. We already have documentation explaining how to access such variables, but many of the variables themselves aren't documented in the Replicant documentation.
  • It also analyzes some variables present in the adv-env.img file inside the tarball filesystem stored in the PARAM partition. That information has already been used in the #2094 bug.

Security Analysis of Android Factory Resets

Related bug reports: #2096

A walk with Shannon. Walkthrough of a pwn2own baseband exploit.

Presentation pdf:
Presentation Video:
Target device: unclear; maybe a Galaxy S6 or a Galaxy S8


The device used has shared memory between the SOC running Android and the modem.

There are some interesting points in that presentation:
  • Getting code execution in the modem is easy and there are no protections (everything runs with full privileges, and there are no exploit mitigations).
  • There is a SYSDUMP menu in the stock distribution that is available when dialing *#9900#. That menu can get modem logs, memory dumps, etc.
  • The bootloader is actually involved in getting the modem memory dump.
  • On that device the modem image is encrypted (in contrast, it's probably not encrypted on devices like the Galaxy SIII).
  • The demo probably shows the same issue described in the SamsungGalaxyBackdoor wiki page: the researcher uses an exploit to execute code in the modem through the cellular network, and then that code, which is running in the modem, writes "PWNED" to /data/log/err in Android by using the RFS protocol.
  • The presentation also has a lot of information on the setup needed to do the research: which SDR and cellular telephony stacks could be used. In turn this could be useful if we want to do our own research, for instance to see what happens when the modem is in airplane mode, and so on.

How to lock the samsung download mode using an undocumented feature of aboot


The device used seems to have a Qualcomm MSM8974 SOC. What is interesting is that the research looks very similar to the "Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode" paper, but with another device and another SOC.

While the technical information in this research is not directly applicable, it shows that there are systemic trends:
  • MDM (Mobile Device Management) support is probably present in most Samsung smartphones.
  • MDM settings are also stored encrypted in the PARAM partition.
  • The PARAM partition settings can be changed from userspace; in this case the code that does it is implemented in userspace libraries.

Reversing & Emulating Samsung’s Shannon Baseband


Interesting information:
  • The TOC (modem partition table) is explained at 15 min 15 s. Maybe they have more information about the entry ID.
  • "Shannon OS" name: at 23 min 07 s, the modem boot logs contain [ACPM] Shannon OS [_ShannonOs_3.2_R8_AC5], whereas no such string is present inside the GT-I9300 RADIO partition.
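As an added illustration (this is not code from the talk nor from Replicant), here is a small parser for the TOC at the start of a modem image, together with the kind of string search used above to check whether a RADIO partition contains a Shannon OS banner. It assumes the 32-byte entry layout (name, offset, load address, size, CRC, entry ID, all little-endian) that is commonly described for Shannon modem images; verify that against the talk before relying on it. The sample image is constructed here, not a dump from a device.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumed entry layout (32 bytes, little-endian), as the TOC is usually
# described for Shannon modem images; check it against the talk:
#   char name[12]; u32 offset; u32 load_addr; u32 size; u32 crc; u32 entry_id
TOC_ENTRY_FMT = "<12sIIIII"
TOC_ENTRY_SIZE = struct.calcsize(TOC_ENTRY_FMT)  # 32 bytes


@dataclass
class TocEntry:
    name: str
    offset: int      # byte offset of the section inside the modem image
    load_addr: int   # address the section is loaded to in modem memory
    size: int
    crc: int
    entry_id: int    # meaning not fully understood (see the note above)


def parse_toc(image: bytes, max_entries: int = 32) -> List[TocEntry]:
    """Read TOC entries from the start of a modem image until an empty entry."""
    entries = []
    for i in range(max_entries):
        chunk = image[i * TOC_ENTRY_SIZE:(i + 1) * TOC_ENTRY_SIZE]
        if len(chunk) < TOC_ENTRY_SIZE:
            break
        raw_name, offset, load_addr, size, crc, entry_id = struct.unpack(TOC_ENTRY_FMT, chunk)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        if not name:
            break  # an all-zero entry terminates the table
        entries.append(TocEntry(name, offset, load_addr, size, crc, entry_id))
    return entries


def validate_toc(entries: List[TocEntry], image_len: int) -> List[str]:
    """Report sections that run past the end of the image or overlap each other."""
    problems = []
    for e in entries:
        if e.offset + e.size > image_len:
            problems.append(f"{e.name}: ends at {e.offset + e.size:#x}, image is only {image_len:#x} bytes")
    spans = sorted((e.offset, e.offset + e.size, e.name) for e in entries if e.size)
    for (s1, e1, n1), (s2, e2, n2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"{n1} and {n2} overlap")
    return problems


def find_os_banner(image: bytes) -> Optional[str]:
    """Look for a '_ShannonOs_...' version banner like the one seen in the boot log."""
    m = re.search(rb"_ShannonOs_[0-9A-Za-z._]+", image)
    return m.group(0).decode("ascii") if m else None


def build_sample_image() -> bytes:
    """Constructed sample (not a real dump): a TOC, a BOOT section and a MAIN section."""
    def entry(name, offset, load_addr, size, entry_id):
        return struct.pack(TOC_ENTRY_FMT, name.encode().ljust(12, b"\x00"),
                           offset, load_addr, size, 0, entry_id)
    toc = (entry("TOC", 0, 0, 512, 0)
           + entry("BOOT", 512, 0x40000000, 64, 1)
           + entry("MAIN", 576, 0x40010000, 128, 2))
    toc = toc.ljust(512, b"\x00")  # zero padding also supplies the terminating empty entry
    boot = b"B" * 64
    main = b"[_ShannonOs_3.2_R8_AC5]".ljust(128, b"M")
    return toc + boot + main


if __name__ == "__main__":
    img = build_sample_image()
    for e in parse_toc(img):
        print(f"{e.name:<8} off={e.offset:#06x} load={e.load_addr:#010x} size={e.size:#06x} id={e.entry_id}")
    print("problems:", validate_toc(parse_toc(img), len(img)))
    print("banner:", find_os_banner(img))
```

On a real image, run parse_toc on the first few kilobytes of the modem or RADIO partition and validate_toc against the partition size; a TOC whose sections run past the end of the dump is a quick sign of a truncated acquisition or of a different layout than assumed.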

Updated by Denis 'GNUtoo' Carikli over 1 year ago · 14 revisions
