44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas ”…and therein lies the Android problem…” Vendors, service providers, handset manufacturers, an insane number of different devices, patch stagnation, lack of updates, blah, blah, blah. We get it, and honestly it’s starting to be a tad boring. So why would you want to sit through yet another Android talk? You don’t, and I don’t want to give that talk anyway. Instead, let us spend some time talking about the roots of all smartphones: The hardware design, the system on chip internals, the problematic linux kernels. Let’s chat about design reuse and how to take advantage of lazy electronic engineers. Let’s converse about generational design flaws and how they can be exploited. In short, let’s talk about breaking a bunch of expensive toys. This talk will cover multiple handset manufacturers internal PCB designs, a fair bit of Qualcomm exploration, some witty banter about the fossil-esque linux kernel we drag about daily and probably some childish poking at the trusted boot process

1. I gave a talk
about robots
and hardware!
A story of Research by: !
Josh “m0nk” Thomas / @m0nk_dot!
44CON 2014

2. this hour, your talking head is…
✤ Josh “m0nk” Thomas!
✤ @m0nk_dot !
✤ Partner and Chief Breaking Officer @ Atredis Partners!
✤ Recovering software developer (AI / Crypto / Mobile “stuff”)!
✤ Atredis Partners!
✤ Focused and targeted security firm!
✤ Specializing in advanced hardware and software assessments!
✤ Mobile and embedded systems!
✤ Societal infrastructure!
✤ Black boxes!
✤ Advanced malware and rootkit analysis!
✤ Handcrafted artisanal and deep bespoke research

3. @m0nk_dot likes to put
trite commentary in
front of pretty pictures

4. story arc
✤ preface[0] = “Tongue Tied by many nights of NDA curiosity”!
✤ preface[1] = “What is the point / Where is the squishy?”!
✤ history lesson [0] = “The story of Wang and the Bed”!
✤ story[0] = “Hardware Design”!
✤ story[1] = “Iteration”!
✤ story [2] = “SoC, Bootloaders and trust chains”

5. I haz NDA?
✤ I hate this, but it is sadly worth mentioning!
✤ … and you thought open source licenses were annoying!
✤ Words I can say:!
✤ Sony!
✤ HTC!
✤ LG!
✤ I can sometimes say the words:!
✤ Nokia!
✤ Qualcomm!
✤ BlackBerry!
✤ Words I cannot say:

6. Why to care?

7. Why Hit
Hardware?
✤ Hard to get Code Exec /
Control!
✤ Forensic OS Dumps!
✤ Crypto Keys & Boot Settings
What to look
for?
✤ JTAG & Debug Access!
✤ Direct NAND Access!
✤ Bootloader Access &
Manipulation

8. Functionality aside, why is
hardware interesting
✤ Pretty!
✤ It is just as raw as source code, ASM or IDA!
✤ A concrete example of how much a company cares / what level of
effort should be expected to break it!
✤ Not normally “patchable” / LOOOOOOOONG shelf life

9. history lesson [0]: could be true?
The story of Wang and the Bed
…had a kid, scada-curious, , talked about StuxNet, met at the pub…
proof that I am not a EE and that some people are just damn cool

12. story[0]
All hardware has a story to tell
stick with me here… I promise the following
has a point and is more that “vacation pics”

13. What Simple Looks Like:
MasterLock dialSpeed

15. What Complex Looks Like:
Microsoft Xbox 360

17. Traces I Love:
Samsung ChromeBook (Daisy)

19. Ol’ Grand Dad:
Qualcomm Dragon Board

21. The Godfather Phone:
Qualcomm Snapdragon 8974 Dev Platform

27. One Sided Conversation / Traces I Hate:
Motorola Moto X

30. Grumble Grumble RF Shields:
BlackBerry Z30

34. Hidden for a Reason:
HTC One

37. Advanced Game:
Apple iPhone 5S

40. XXX:
BlackBerry Z10

43. XXX:
Nokia Lumia 635

49. Speaking of…
Microsoft Surface RT (V1)

53. Squares and NAND:
Sony Arc S

56. Squares and Burner:
Sony Xperia Z

59. XXX:
LG Nexus 5

65. Old School:
LG Nexus 4

68. Not a Monster:
Samsung Galaxy Note 3

72. Oddly Normal:
Samsung Galaxy 4

75. Lessons Learned
✤ Motorola tends to make one sided boards that are very simple and
masked!
✤ Samsung likes uber dense complexity and non-euclidean shapes!
✤ Sony is just kinda boring and square!
✤ BlackBerry and Nokia internals look oddly identical!
✤ No one is a dense as Apple!
✤ Microsoft should QA a bit more!
✤ The new style is to hide Qualcomm below the NAND

76. story[1]
Background Complete:
Exploring Iterative Design with Amazon Prime

77. Catching Fire - An Evolution
✤ Amazon has released 7 iterations of the Kindle Fire platform since late 2011:!
✤ Kindle Fire (1st Generation - 11/15/2011)!
✤ Kindle Fire (2nd Generation - 09/14/2012)!
✤ Kindle Fire HD 7" (1st Generation - 09/14/2012)!
✤ Kindle Fire HD 8.9" (1st Generation - 11/20/2012) (also has a cellular variant)!
✤ Kindle Fire HD 7" (2nd Generation - 10/02/2013)!
✤ Kindle Fire HDX 7" (3rd Generation - 10/18/2013) (also has a cellular variant)!
✤ Kindle Fire HDX 8.9" (3rd Generation - 11/07/2013) (also has a cellular variant)!
✤ Fire Phone (released 07/25/2014).

81. Amazon Fire V1

82. Amazon Fire V2

83. Amazon Fire V1

84. Amazon Fire V2

85. Amazon Fire HD V1

86. Amazon Fire HD V2

87. Amazon Fire HDX V1

88. Amazon Fire HDX V1

89. story[2]:
SoC, Bootloaders and trust chains

91. TEE on the MSM8960 SoC
✤ Hosts a collection of Trusted Execution Environments!
✤ Krait Core 0 (Trust Zone)!
✤ The ARM7 based RPM (Resource and Power Management System)!
✤ The Modem System (assume this is the Hexagon Baseband
platform)!
✤ The SPS (Smart Peripheral System)

92. Hardware of Note
✤ eFuses / QFPROM hold a lot of data (covered later)!
✤ The SoC reuses the ARM7 and ARM9 cores for different functions
depending on the current processing needs!
✤ Hardware hosts 2 discrete “Crypto Engine” processors in hardware!
✤ CE1 is hardware latched to fuses for the the Primary Hardware Key !
✤ CE2 is hardware latched to fuses for the User Hardware Key!
✤ Assumed to be the ARM9 cores

93. A Glance at the Boot Chain before
the “Bootloader”

95. The Secure Boot 3.0 Process
Interesting tidbits
✤ RPM PBL starts executing at physical address 0x00!
✤ Multitude of Bootloader options here specifying where to look for
more code to execute!
✤ All Authentication pre TZ load uses the Crypto Engine 1 (CE1) & the
Primary Hardware Key (PHK) from the eFuse block!
✤ (Supposedly) Debuggable via “proprietary” tools!
✤ Highly eFuse controlled!
✤ Supports an “Emergency Download Mode” upon crash

96. Things are getting fused

97. How Fuses Work
✤ Total of 16kb block of eFuses / QFPROM on MSM8960!
✤ 4kb mapped and easily accessible:!
✤ QFPROM BASE PHYSICAL: 0x00700000!
✤ QFPROM SHADOW BASE: 0x00706000!
✤ Can be read whenever / Written Once!
✤ To write, need to hold voltage for $TIME_PERIOD

99. Interesting QFPROM
✤ A 256-bit Primary Hardware Key (PHK used by CE1)!
✤ A 256-bit Secondary Hardware Key (SHK used by CE2)!
✤ A 128-bit OEM Customer key!
✤ A 2048-bit Customer private key!
✤ Fuses to disable debug / JTAG!
✤ Fuses to reenable debug / JTAG!
✤ Possible large swaths of unmapped free space

100. <insert POC||GTFO source here>

101. There is no conclusion, only Zuul
thanks for letting me talk…
any questions?