AcademicPapersAndPresentations

Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode

Link: https://www.sciencedirect.com/science/article/pii/S1742287618300409
File name: 1-s2.0-S1742287618300409-main.pdf
License: CC BY-NC-ND

Description:

While this paper directly applies to the Galaxy S6 (SM-G920F) and the Galaxy S7 Edge (SM-G935F), which use an Exynos System on a Chip (SoC), some of its findings seem to be directly applicable to the devices supported by Replicant.

The most interesting part is the analysis of some of the bootloader environment variables:

Security Analysis of Android Factory Resets

Link: https://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf
Related bug reports: #2096

A walk with Shannon. Walkthrough of a pwn2own baseband exploit.

Presentation pdf: https://downloads.immunityinc.com/infiltrate2018-slidepacks/amat-cama-a-walk-with-shannon/presentation.pdf
Presentation Video: https://www.youtube.com/watch?v=6bpxrfB9ioo
Target device: unclear, maybe a Galaxy S6 or Galaxy S8

Description:

The device used has memory shared between the SoC running Android and the modem.

There are some interesting points in that presentation:

How to lock the samsung download mode using an undocumented feature of aboot

Link: https://ge0n0sis.github.io/posts/2016/05/how-to-lock-the-samsung-download-mode-using-an-undocumented-feature-of-aboot/

The device used seems to have a Qualcomm MSM8974 SoC. What is interesting is that the approach looks very similar to the one in the "Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode" paper, but applied to another device and SoC.

While the technical information in this research is not directly applicable, it shows that there are systemic trends:

Reversing & Emulating Samsung’s Shannon Baseband

Link: https://hardwear.io/netherlands-2020/speakers/grant-hernandez-and-marius-muench.php
Video: https://www.youtube.com/watch?v=ypxgXNtvlgA

Interesting information: