SamsungGalaxyBackdoor » History » Revision 8

Paul Kocialkowski, 01/29/2014 10:18 PM


Samsung Galaxy Back-door

This page contains a technical description of the back-door found in Samsung Galaxy devices.
For a general description of the issue, please refer to the following statement:

This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.

Abstract

We have good reasons to believe that Samsung Galaxy devices running proprietary Android versions come with a back-door that gives remote access to the data stored on the device.
In particular, the proprietary software in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands that allows the modem to perform remote I/O operations on the phone's storage.

Disclaimer: We are not security researchers and cannot establish with absolute certainty that the incriminated software actually contains the back-door we describe. However, everything apparently points in that direction and we believe the information at our disposal is relevant enough to constitute a basis for us to issue a statement about this presumed back-door. If you have any indication that would prove our statement wrong, do not hesitate to contact us.

Known affected devices

The following table shows which devices are known to contain this back-door as part of the software they ship with.
Please contact us if you know about another device that could be affected by this back-door, or if you have more information on one of the listed devices!

Device                    | Incriminated program running as root | SELinux enabled                     | libsamsung-ipc support | Replicant support
Nexus S (I902x)           | No                                   | Possible with Android 4.2 and later | Yes                    | Yes
Galaxy S (I9000)          | Yes                                  | ?                                   | Yes                    | Yes
Galaxy S 2 (I9100)        | No                                   | ?                                   | Yes                    | Yes
Galaxy Note (N7000)       | No                                   | ?                                   | Yes                    | Yes
Galaxy Tab 2 7.0 (P31xx)  | No                                   | ?                                   | Yes                    | Yes
Galaxy Tab 2 10.1 (P51xx) | No                                   | ?                                   | Yes                    | Yes
Galaxy S 3 (I9300)        | No                                   | ?                                   | Yes                    | Yes
Galaxy Note 2 (N7100)     | No                                   | ?                                   | Yes                    | Yes

Analysis

The following analysis was conducted using the libsec-ril.so binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location system/lib/libsec-ril.so.

The developers involved in the present analysis never agreed to any sort of End User License Agreement that explicitly prohibited reverse engineering or decompiling the incriminated binary. The reverse engineering operations that led to these findings originally took place during the development of Samsung-RIL, the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.

As a first approach, using the strings tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions:

IPC_RFS_READ_FILE
IPC_RFS_WRITE_FILE
IPC_RFS_LSEEK_FILE
IPC_RFS_CLOSE_FILE
IPC_RFS_PUT_FILE
IPC_RFS_GET_FILE
IPC_RFS_RENAME_FILE
IPC_RFS_GET_FILE_INFO
IPC_RFS_UNLINK_FILE
IPC_RFS_MAKE_DIR
IPC_RFS_REMOVE_DIR
IPC_RFS_OPEN_DIR
IPC_RFS_READ_DIR
IPC_RFS_CLOSE_DIR
IPC_RFS_OPEN_FILE
IPC_RFS_FTRUNCATE_FILE
IPC_RFS_GET_HANDLE_INFO
IPC_RFS_CREATE_FILE

The names of these commands make it obvious that they let the modem perform I/O operations.

The strings utility also reveals matching function names that seem to implement the handling of these commands:

RxRFS_GetFile
RxRFS_CreateFile
RxRFS_ReadDirectory
RxRFS_OpenDirectory
RxRFS_RenameFile
RxRFS_Default
RxRFS_OpenFile
RxRFS_ReadFile
RxRFS_FtruncateFile
RxRFS_WriteFile
RxRFS_GetFileInfoByHandle
RxRFS_GetFileInfo
RxRFS_PutFile
RxRFS_LseekFile
RxRFS_CloseFile
RxRFS_DeleteFile
RxRFS_MakeDirectory
RxRFS_CloseDirectory
RxRFS_RemoveDirectory
TxRFS_CfrmCreateFile
TxRFS_CfrmPutFile
TxRFS_CfrmOpenDirectory
TxRFS_CfrmGetFileInfo
TxRFS_CfrmReadDirectory
TxRFS_CfrmRenameFile
TxRFS_CfrmCloseFile
TxRFS_CfrmFtruncateFile
TxRFS_CfrmGetFileInfoByHandle
TxRFS_CfrmDeleteFile
TxRFS_CfrmCloseDirectory
TxRFS_CfrmRemoveDirectory
TxRFS_CfrmMakeDirectory
TxRFS_CfrmGetFile
TxRFS_CfrmReadFile
TxRFS_CfrmWriteFile
TxRFS_CfrmLseekFile
TxRFS_CfrmOpenFile

Taking a closer look at these functions, using the objdump disassembler, reveals that they are actually called from the ipc_recv_rfs function, itself called from process_ipc_notify_message, which appears to handle the messages received from the modem. Hence we can deduce that the incriminated functions are actually called upon modem request:

0003ce20 <ipc_recv_rfs>:
   3ce20:    b538          push    {r3, r4, r5, lr}
   3ce22:    4605          mov    r5, r0
   3ce24:    484b          ldr    r0, [pc, #300]    (3cf54 <ipc_recv_rfs+0x134>)
   3ce26:    460c          mov    r4, r1
   3ce28:    4478          add    r0, pc
   3ce2a:    6800          ldr    r0, [r0, #0]
   3ce2c:    7803          ldrb    r3, [r0, #0]
   3ce2e:    b143          cbz    r3, 3ce42 <ipc_recv_rfs+0x22>
   3ce30:    4949          ldr    r1, [pc, #292]    (3cf58 <ipc_recv_rfs+0x138>)
   3ce32:    2006          movs    r0, #6
   3ce34:    4a49          ldr    r2, [pc, #292]    (3cf5c <ipc_recv_rfs+0x13c>)
   3ce36:    4b4a          ldr    r3, [pc, #296]    (3cf60 <ipc_recv_rfs+0x140>)
   3ce38:    4479          add    r1, pc
   3ce3a:    447a          add    r2, pc
   3ce3c:    447b          add    r3, pc
   3ce3e:    f7df ed30     blx    1c8a0 <RIL_elapsedRealtime-0x9c0>
   3ce42:    2001          movs    r0, #1
   3ce44:    f002 fa5a     bl    3f2fc <get_wakelock>
   3ce48:    7921          ldrb    r1, [r4, #4]
   3ce4a:    1e4a          subs    r2, r1, #1
   3ce4c:    2a14          cmp    r2, #20
   3ce4e:    d876          bhi.n    3cf3e <ipc_recv_rfs+0x11e>
   3ce50:    e8df f002     tbb    [pc, r2]
   3ce54:    100b          asrs    r3, r1, #32
   3ce56:    1a15          subs    r5, r2, r0
   3ce58:    241f          movs    r4, #31
   3ce5a:    2e29          cmp    r6, #41
   3ce5c:    3833          subs    r0, #51
   3ce5e:    423d          tst    r5, r7
   3ce60:    4c47          ldr    r4, [pc, #284]    (3cf80 <ipc_recv_factory+0x18>)
   3ce62:    5651          ldrsb    r1, [r2, r1]
   3ce64:    6560          str    r0, [r4, #84]
   3ce66:    5b6a          ldrh    r2, [r5, r5]
   3ce68:    006f          lsls    r7, r5, #1
   3ce6a:    4628          mov    r0, r5
   3ce6c:    4621          mov    r1, r4
   3ce6e:    f002 faf3     bl    3f458 <RxRFS_NVRead>
   3ce72:    e062          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ce74:    4628          mov    r0, r5
   3ce76:    4621          mov    r1, r4
   3ce78:    f002 fc1e     bl    3f6b8 <RxRFS_NVWrite>
   3ce7c:    e05d          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ce7e:    4628          mov    r0, r5
   3ce80:    4621          mov    r1, r4
   3ce82:    f002 fefd     bl    3fc80 <RxRFS_ReadFile>
   3ce86:    e058          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ce88:    4628          mov    r0, r5
   3ce8a:    4621          mov    r1, r4
   3ce8c:    f002 ffea     bl    3fe64 <RxRFS_WriteFile>
   3ce90:    e053          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ce92:    4628          mov    r0, r5
   3ce94:    4621          mov    r1, r4
   3ce96:    f003 f8b9     bl    4000c <RxRFS_LseekFile>
   3ce9a:    e04e          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ce9c:    4628          mov    r0, r5
   3ce9e:    4621          mov    r1, r4
   3cea0:    f003 f96a     bl    40178 <RxRFS_CloseFile>
   3cea4:    e049          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cea6:    4628          mov    r0, r5
   3cea8:    4621          mov    r1, r4
   3ceaa:    f003 fa09     bl    402c0 <RxRFS_PutFile>
   3ceae:    e044          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ceb0:    4628          mov    r0, r5
   3ceb2:    4621          mov    r1, r4
   3ceb4:    f003 fb40     bl    40538 <RxRFS_GetFile>
   3ceb8:    e03f          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ceba:    4628          mov    r0, r5
   3cebc:    4621          mov    r1, r4
   3cebe:    f003 fc61     bl    40784 <RxRFS_RenameFile>
   3cec2:    e03a          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cec4:    4628          mov    r0, r5
   3cec6:    4621          mov    r1, r4
   3cec8:    f003 fd60     bl    4098c <RxRFS_GetFileInfo>
   3cecc:    e035          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cece:    4628          mov    r0, r5
   3ced0:    4621          mov    r1, r4
   3ced2:    f003 fe55     bl    40b80 <RxRFS_DeleteFile>
   3ced6:    e030          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ced8:    4628          mov    r0, r5
   3ceda:    4621          mov    r1, r4
   3cedc:    f003 ff16     bl    40d0c <RxRFS_MakeDirectory>
   3cee0:    e02b          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cee2:    4628          mov    r0, r5
   3cee4:    4621          mov    r1, r4
   3cee6:    f003 ffc9     bl    40e7c <RxRFS_RemoveDirectory>
   3ceea:    e026          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3ceec:    4628          mov    r0, r5
   3ceee:    4621          mov    r1, r4
   3cef0:    f004 f888     bl    41004 <RxRFS_OpenDirectory>
   3cef4:    e021          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cef6:    4628          mov    r0, r5
   3cef8:    4621          mov    r1, r4
   3cefa:    f004 f969     bl    411d0 <RxRFS_ReadDirectory>
   3cefe:    e01c          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cf00:    4628          mov    r0, r5
   3cf02:    4621          mov    r1, r4
   3cf04:    f004 fa96     bl    41434 <RxRFS_CloseDirectory>
   3cf08:    e017          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cf0a:    4628          mov    r0, r5
   3cf0c:    4621          mov    r1, r4
   3cf0e:    f004 fb31     bl    41574 <RxRFS_CreateFile>
   3cf12:    e012          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cf14:    4628          mov    r0, r5
   3cf16:    4621          mov    r1, r4
   3cf18:    f004 fbe0     bl    416dc <RxRFS_OpenFile>
   3cf1c:    e00d          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cf1e:    4628          mov    r0, r5
   3cf20:    4621          mov    r1, r4
   3cf22:    f004 fcf1     bl    41908 <RxRFS_FtruncateFile>
   3cf26:    e008          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cf28:    4628          mov    r0, r5
   3cf2a:    4621          mov    r1, r4
   3cf2c:    f004 fdaa     bl    41a84 <RxRFS_GetFileInfoByHandle>
   3cf30:    e003          b.n    3cf3a <ipc_recv_rfs+0x11a>
   3cf32:    4628          mov    r0, r5
   3cf34:    4621          mov    r1, r4
   3cf36:    f002 fd63     bl    3fa00 <RxRFS_NVWriteAll>
   3cf3a:    4604          mov    r4, r0
   3cf3c:    e000          b.n    3cf40 <ipc_recv_rfs+0x120>
   3cf3e:    2400          movs    r4, #0
   3cf40:    2000          movs    r0, #0
   3cf42:    f002 f9db     bl    3f2fc <get_wakelock>
   3cf46:    4907          ldr    r1, [pc, #28]    (3cf64 <ipc_recv_rfs+0x144>)
   3cf48:    2000          movs    r0, #0
   3cf4a:    4479          add    r1, pc
   3cf4c:    f7fb f930     bl    381b0 <set_wakelock>
   3cf50:    4620          mov    r0, r4
   3cf52:    bd38          pop    {r3, r4, r5, pc}
   3cf54:    db40          blt.n    3cfd8 <ipc_recv_factory+0x70>
   3cf56:    0006          lsls    r6, r0, #0
   3cf58:    ff9c 0003     vaddl.u16    q0, d12, d3
   3cf5c:    0306          lsls    r6, r0, #12
   3cf5e:    0004          lsls    r4, r0, #0
   3cf60:    6a63          ldr    r3, [r4, #36]
   3cf62:    0005          lsls    r5, r0, #0
   3cf64:    03dd          lsls    r5, r3, #15
   3cf66:    0004          lsls    r4, r0, #0

Taking a closer look at one of these functions, e.g. RxRFS_ReadFile, reveals multiple calls into the Procedure Linkage Table (PLT):

0003fc80 <RxRFS_ReadFile>:
   3fc80:    e92d 4ff0     stmdb    sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
   3fc84:    f5ad 5d80     sub.w    sp, sp, #4096    ; 0x1000
   3fc88:    f8df b1a0     ldr.w    fp, [pc, #416]    ; 3fe2c <RxRFS_ReadFile+0x1ac>
   3fc8c:    b08b          sub    sp, #44
   3fc8e:    f8df 81a0     ldr.w    r8, [pc, #416]    ; 3fe30 <RxRFS_ReadFile+0x1b0>
   3fc92:    4682          mov    sl, r0
   3fc94:    44fb          add    fp, pc
   3fc96:    f8db b000     ldr.w    fp, [fp]
   3fc9a:    f50d 5280     add.w    r2, sp, #4096    ; 0x1000
   3fc9e:    44f8          add    r8, pc
   3fca0:    f8d8 8000     ldr.w    r8, [r8]
   3fca4:    3224          adds    r2, #36
   3fca6:    f8db 0000     ldr.w    r0, [fp]
   3fcaa:    460f          mov    r7, r1
   3fcac:    f898 3000     ldrb.w    r3, [r8]
   3fcb0:    6010          str    r0, [r2, #0]
   3fcb2:    b143          cbz    r3, 3fcc6 <RxRFS_ReadFile+0x46>
   3fcb4:    495f          ldr    r1, [pc, #380]    (3fe34 <RxRFS_ReadFile+0x1b4>)
   3fcb6:    2006          movs    r0, #6
   3fcb8:    4a5f          ldr    r2, [pc, #380]    (3fe38 <RxRFS_ReadFile+0x1b8>)
   3fcba:    4b60          ldr    r3, [pc, #384]    (3fe3c <RxRFS_ReadFile+0x1bc>)
   3fcbc:    4479          add    r1, pc
   3fcbe:    447a          add    r2, pc
   3fcc0:    447b          add    r3, pc
   3fcc2:    f7dc edee     blx    1c8a0 <RIL_elapsedRealtime-0x9c0>
   3fcc6:    2400          movs    r4, #0
   3fcc8:    a805          add    r0, sp, #20
   3fcca:    f241 020e     movw    r2, #4110    ; 0x100e
   3fcce:    9403          str    r4, [sp, #12]
   3fcd0:    4621          mov    r1, r4
   3fcd2:    9404          str    r4, [sp, #16]
   3fcd4:    f241 090e     movw    r9, #4110    ; 0x100e
   3fcd8:    f7dc ee18     blx    1c90c <RIL_elapsedRealtime-0x954>
   3fcdc:    2f00          cmp    r7, #0
   3fcde:    f000 8091     beq.w    3fe04 <RxRFS_ReadFile+0x184>
   3fce2:    7939          ldrb    r1, [r7, #4]
   3fce4:    2903          cmp    r1, #3
   3fce6:    f040 808f     bne.w    3fe08 <RxRFS_ReadFile+0x188>
   3fcea:    f44f 2000     mov.w    r0, #524288    ; 0x80000
   3fcee:    f7dc ee4a     blx    1c984 <RIL_elapsedRealtime-0x8dc>
   3fcf2:    4606          mov    r6, r0
   3fcf4:    2800          cmp    r0, #0
   3fcf6:    d04b          beq.n    3fd90 <RxRFS_ReadFile+0x110>
   3fcf8:    4621          mov    r1, r4
   3fcfa:    f44f 2200     mov.w    r2, #524288    ; 0x80000
   3fcfe:    f7dc ee06     blx    1c90c <RIL_elapsedRealtime-0x954>
   3fd02:    4621          mov    r1, r4
   3fd04:    464a          mov    r2, r9
   3fd06:    a805          add    r0, sp, #20
   3fd08:    f7dc ee00     blx    1c90c <RIL_elapsedRealtime-0x954>
   3fd0c:    1db9          adds    r1, r7, #6
   3fd0e:    2204          movs    r2, #4
   3fd10:    a803          add    r0, sp, #12
   3fd12:    f7dc ee74     blx    1c9fc <RIL_elapsedRealtime-0x864>
   3fd16:    2204          movs    r2, #4
   3fd18:    f107 010a     add.w    r1, r7, #10    ; 0xa
   3fd1c:    a804          add    r0, sp, #16
   3fd1e:    f7dc ee6e     blx    1c9fc <RIL_elapsedRealtime-0x864>
   3fd22:    9a04          ldr    r2, [sp, #16]
   3fd24:    9803          ldr    r0, [sp, #12]

For instance, offset 1c90c is part of the PLT, which starts at 1c85c. Hence we believe these calls go to functions dynamically linked from the libc library, in particular I/O-related functions such as open, close, read, write, etc. This is, however, only a guess: it does not prove that these particular functions from that library are being called, but it makes that possibility look rather likely.
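The two listings above can be read mechanically. In ipc_recv_rfs, the byte at offset 4 of the message (ldrb r1, [r4, #4]) is decremented, bounds-checked against 20 and used to index a tbb jump table, whose raw bytes objdump mis-decoded as the instructions between 3ce54 and 3ce68; each table entry lands on a mov r0, r5 stub followed by the bl to the handler. In RxRFS_ReadFile, objdump has no symbol for the PLT stubs it calls, so it labels them with the nearest preceding symbol and a negative offset (RIL_elapsedRealtime-0x9c0), which is how the PLT calls can be told apart from internal calls. The following script, an added worked example that is not part of this wiki page, of Samsung-RIL or of libsec-ril.so, decodes the dispatch table and triages the call targets using only the addresses quoted above; the PLT start address is the one stated above, and the "negative offset label means PLT stub" heuristic is an assumption about objdump's output, not something the page asserts.

```python
"""Decode the ipc_recv_rfs RFS dispatch table and triage call targets in the
objdump listings quoted on this page (added worked example)."""
import re

# Excerpts from the ipc_recv_rfs listing quoted on this page.  The tbb
# instruction sits at 0x3ce50; the 21-entry byte table that follows it was
# mis-decoded by objdump as instructions, so its raw halfwords are copied here.
TBB_ADDR = 0x3CE50
TBB_HALFWORDS = [0x100B, 0x1A15, 0x241F, 0x2E29, 0x3833, 0x423D, 0x4C47,
                 0x5651, 0x6560, 0x5B6A, 0x006F]
TBB_ENTRIES = 21  # subs r2, r1, #1 ; cmp r2, #20 ; bhi  =>  indices 0..20

IPC_RECV_RFS_LISTING = """
   3ce6e:    f002 faf3     bl    3f458 <RxRFS_NVRead>
   3ce78:    f002 fc1e     bl    3f6b8 <RxRFS_NVWrite>
   3ce82:    f002 fefd     bl    3fc80 <RxRFS_ReadFile>
   3ce8c:    f002 ffea     bl    3fe64 <RxRFS_WriteFile>
   3ce96:    f003 f8b9     bl    4000c <RxRFS_LseekFile>
   3cea0:    f003 f96a     bl    40178 <RxRFS_CloseFile>
   3ceaa:    f003 fa09     bl    402c0 <RxRFS_PutFile>
   3ceb4:    f003 fb40     bl    40538 <RxRFS_GetFile>
   3cebe:    f003 fc61     bl    40784 <RxRFS_RenameFile>
   3cec8:    f003 fd60     bl    4098c <RxRFS_GetFileInfo>
   3ced2:    f003 fe55     bl    40b80 <RxRFS_DeleteFile>
   3cedc:    f003 ff16     bl    40d0c <RxRFS_MakeDirectory>
   3cee6:    f003 ffc9     bl    40e7c <RxRFS_RemoveDirectory>
   3cef0:    f004 f888     bl    41004 <RxRFS_OpenDirectory>
   3cefa:    f004 f969     bl    411d0 <RxRFS_ReadDirectory>
   3cf04:    f004 fa96     bl    41434 <RxRFS_CloseDirectory>
   3cf0e:    f004 fb31     bl    41574 <RxRFS_CreateFile>
   3cf18:    f004 fbe0     bl    416dc <RxRFS_OpenFile>
   3cf22:    f004 fcf1     bl    41908 <RxRFS_FtruncateFile>
   3cf2c:    f004 fdaa     bl    41a84 <RxRFS_GetFileInfoByHandle>
   3cf36:    f002 fd63     bl    3fa00 <RxRFS_NVWriteAll>
"""

# Every outgoing call in the RxRFS_ReadFile excerpt quoted on this page.
RXRFS_READFILE_LISTING = """
   3fcc2:    f7dc edee     blx    1c8a0 <RIL_elapsedRealtime-0x9c0>
   3fcd8:    f7dc ee18     blx    1c90c <RIL_elapsedRealtime-0x954>
   3fcee:    f7dc ee4a     blx    1c984 <RIL_elapsedRealtime-0x8dc>
   3fcfe:    f7dc ee06     blx    1c90c <RIL_elapsedRealtime-0x954>
   3fd12:    f7dc ee74     blx    1c9fc <RIL_elapsedRealtime-0x864>
"""

PLT_START = 0x1C85C  # start of the PLT, as stated on the page

# site: encoding halfwords  mnemonic  target <label>
CALL_RE = re.compile(
    r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{4}\s+)+(bl|blx)\s+([0-9a-f]+)\s+<([^>]+)>",
    re.MULTILINE)


def parse_calls(listing):
    """Return (site, mnemonic, target, label) for every bl/blx in a listing."""
    return [(int(m.group(1), 16), m.group(2), int(m.group(3), 16), m.group(4))
            for m in CALL_RE.finditer(listing)]


def tbb_targets(tbb_addr, halfwords, entries):
    """Decode a Thumb-2 `tbb [pc, rN]` table into branch target addresses.

    The byte table starts right after the 4-byte tbb encoding and each entry
    is a halfword count added to that base.  Little-endian halfwords are split
    back into bytes in memory order before indexing."""
    base = tbb_addr + 4
    table = []
    for hw in halfwords:
        table.extend((hw & 0xFF, hw >> 8))
    return [base + 2 * b for b in table[:entries]]


def dispatch_table(listing=IPC_RECV_RFS_LISTING):
    """Map the RFS command byte (message offset 4) to its handler name.

    ipc_recv_rfs subtracts 1 before indexing, so table index 0 is command 1.
    Each target is a `mov r0, r5` stub; the first bl at or after it is the
    handler call."""
    calls = sorted(parse_calls(listing))  # sorted by call site
    table = {}
    for index, target in enumerate(tbb_targets(TBB_ADDR, TBB_HALFWORDS, TBB_ENTRIES)):
        name = next((label for site, _, _, label in calls if site >= target), "unknown")
        table[index + 1] = name
    return table


def probable_plt_calls(listing, plt_start=PLT_START):
    """Return sorted unique call targets that look like PLT stubs (assumption).

    objdump labels an unsymbolised stub with the nearest preceding symbol and
    a negative offset; a target at or past the PLT start carrying such a label
    is most likely an imported function rather than code in the library."""
    return sorted({target for _, _, target, label in parse_calls(listing)
                   if target >= plt_start and "-0x" in label})


if __name__ == "__main__":
    for command, handler in dispatch_table().items():
        print(f"RFS command {command:2d} -> {handler}")
    for target in probable_plt_calls(RXRFS_READFILE_LISTING):
        print(f"RxRFS_ReadFile calls probable PLT stub at {target:#x}")
```

Running it numbers the commands 1 (RxRFS_NVRead) through 21 (RxRFS_NVWriteAll), with RxRFS_ReadFile as command 3; this agrees with the handler's own check on the same message byte (ldrb r1, [r7, #4] ; cmp r1, #3) visible in the second listing. All four distinct blx targets in RxRFS_ReadFile (1c8a0, 1c90c, 1c984, 1c9fc) lie past the PLT start and carry the negative-offset labels, which is the observation the paragraph above rests on.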

Areas of work

A more decisive proof of these assumptions could be obtained by crafting a packet requesting I/O operations on the device's storage and checking whether the incriminated binary carries them out or not.

Notes

Our free software replacement for the incriminated binary is Samsung-RIL, which relies on libsamsung-ipc and is used in Replicant.

The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems most likely have good modem isolation compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices as bad targets for Replicant because of this back-door.
