Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode

file name: 1-s2.0-S1742287618300409-main.pdf
License: CC BY-NC-ND


While this paper directly applies to the Galaxy S6 (SM-G920F) and the Galaxy S7 Edge (SM-G935F), which use an Exynos System on a Chip, some of its findings seem to be directly applicable to the devices supported by Replicant.

The most interesting part is the analysis of some of the bootloader environment variables:
  • It analyzes some variables that are accessible through the UART. We already have documentation explaining how to access such variables, but many of them aren't documented in the Replicant documentation.
  • It also analyzes some variables present in the adv-env.img file inside the PARAM tarball filesystem. That information has already been used in the #2094 bug.

Security Analysis of Android Factory Resets

Related bug reports: #2096

A walk with Shannon. Walkthrough of a pwn2own baseband exploit.

Presentation pdf:
Presentation Video:
Target device: unclear, maybe a Galaxy S6 or Galaxy S8


The device used has shared memory between the SOC running Android and the modem.

There are some interesting points in that presentation:
  • Getting code execution in the modem is easy and there is no protection (everything runs with full privileges, no exploit mitigations)
  • There is a SYSDUMP menu in the stock distribution that is available when dialing *#9900#. That menu can get modem logs, memory dumps, etc.
  • The bootloader is actually involved in getting the modem memory dump
  • On that device the modem image is encrypted (In contrast, it's probably not encrypted on devices like the Galaxy SIII)
  • The demo is probably the same issue as the one described in the SamsungGalaxyBackdoor wiki page: the researcher uses an exploit to execute code in the modem through the cellular network, and that code, running in the modem, then writes "PWNED" to /data/log/err in Android by using the RFS protocol.
  • The presentation also has a lot of information on the setup needed to do the research: which SDR and cellular telephony stacks could be used. In turn, this could be useful if we want to do our own research, for instance to see what happens when the modem is in airplane mode, and so on.

Updated by Denis 'GNUtoo' Carikli 11 months ago · 11 revisions
