BlueHat IL 2018 – Oran Avraham - eMMC Hacking, Or: How I Fixed Long-Dead Galaxy S3 Phones

Описание: A few years ago Samsung Galaxy S3 devices started dying all around the world (a phenomenon known as "Galaxy S3 Sudden Death"). The faulty hardware was pinpointed to its eMMC chip (made by Samsung). This incident led to the belief that there's a microcontroller in it, and sparked a journey that began in finding a method to obtain the firmware, up until gaining generic code execution ability on every Samsung eMMC chip.

As this was done originally to fix Samsung S3 devices by software-only means, it was not enough. The bootloader inside every S3 (sboot) won't happily run your precious eMMC fixing code. Thus, a vulnerability had to be found. This talk uncovers two vulnerabilities in sboot which led to code execution. But how to talk with an eMMC chip, which is already dead? Well, technically yes, but apparently there's some hidden recovery mode that can be triggered by a power reset to the chip, and the phone's life is spared.

In newer eMMC chips, the firmware is slightly different, as due it its size it must be stored partially on the external NAND, with an overlay mechanism. This talk discusses the process of reversing such firmware, presents a simple Python utility to experiment with Samsung eMMC chips, and further discusses some possible applications, such as low-level NAND forensics, information hiding, and ultimately, installing a rootkit on the eMMC firmware itself.

Speaker Bio:
Oran Avraham is an Israeli Independent Researcher. He is excited about embedded device hacking and the security of such devices. Oran previously worked on openiBoot, an open-source alternative boot-loader to Apple's iBoot for iOS devices. He was mainly responsible for re-implementing the iPhone's Flash Translation Layer (FTL) in order to achieve filesystem I/O ability in openiBoot and Linux. He also found some of the vulnerabilities used to gain code execution on the iPhone's baseband, namely AT+XLOG and AT+FNS vulnerabilities used in "ultrasn0w" unlock utility. In his spare time, Oran is a CTF player. He is one of the founding members of Pasten CTF team. Oran currently works for Medigate.