naxattack.blogg.se

Exploit qualcomm bootloader




(most of the time, in fuses), to ensure it has not been tampered with.


Implicitly trusted, a hash of its public key is stored in hardware

Themselves and using the public key in the bootROM.


The vendor emits a root certificate, keeping the private key for

The result is a full chain of trusted components:

According to the Qualcomm Secure Boot and Image Authentication Technical Overview document, the binary authentication is designed more or less in the following way:

While modifying it may be considered feasible in theory, it is not

The bootROM is implicitly trusted, as it is most often stored on a CPU die.

Finally, we will briefly discuss the XPU register.

A secure boot chain is a chain where every stage loads, authenticates

After propagating the control to the next stages of the bootchain, we patched the Qualcomm Secure Execution Environment to add a hook giving us a read/write primitive in the highest privilege level, EL3. This section will also explain the difficulties we encountered with the payload provided by Aleph Security, and how we managed to get around them.

These blogposts served as a basis for our own work.

First of all, a general overview of the Secure Boot process, and especially the one used by Qualcomm, is given. Then, using Aleph Security's tools, we will dump the Nexus 6P and Nokia 6 bootroms in order to gain code execution in them and inject a small debugger, giving the ability to dump the whole phone from the very beginning.

Tools), describing how they took over the Nokia 6 boot chain and wrote a debugger.

In particular, Aleph Security released a series of 5 blogposts (aleph aleph2 aleph3 aleph4 aleph5) (alongside

Have already worked on studying Qualcomm components.

Given how widespread Qualcomm hardware is, as stated above, many people

Two different phone models were used to perform this research: a Google

- study Qualcomm's Secure Monitor and undocumented secure registers such as the "XPU" registers.
- dump high-level privilege components such as the bootROM or Primary Boot Loader (PBL), the Secondary Boot Loader (SBL) and reverse-engineer them.
- get the highest privilege level (EL3) to execute code.


Internship at Quarkslab to study the boot chains produced by Qualcomm and


From March to September 2019, I had the pleasure to do a six-month





