
Terrorist Phone Unlocking 101

January 2018
Shahar Tal a.k.a. @jifa, VP Research
Gil Kaminker, Android Research Team Leader

Digital evidence
Key to most investigations today.
Mobile devices contain crucial evidence to investigate crime.
Often make or break a case.

Cellebrite – for a safer world
We understand and master Digital Intelligence
Support Law Enforcement agencies protecting our communities
We allow extraction, decoding, and advanced analysis of data
We bring truth to light

Guess the chart

World-wide Smartphone Market Q2 2017 (pie chart with slices of 55%, 22%, 12% and 11%; the slice labels are not legible in this copy)
Back to basics
Extraction 101

Extraction types (diagram)

Physical (NAND / device): the raw blocks as they sit on the chip, including the MBR / boot record, partition 1 and partition 2, with file fragments scattered across blocks A–F (sms.db parts A–C, pb.db parts A–C, Pic.jpg parts A–C).
File System (partition / file): the same fragments reassembled into files (sms.db, pb.db, Pic.jpg).
Logical (record): individual records (sms1 … sms5) obtained through the device's own interface; the diagram marks this path "Awake?", i.e. the device has to be up and responding.
The Lock-Screen
The Mobile Forensics Game-changer (2010)
Lock screen adoption
Bar chart, share of devices with a lock screen set: the bars read 49%, 60% and 71%, rising from Android 5 (Lollipop) through Android 6 (Marshmallow) to Android 7 (Nougat).

Source: Google, May 2017
Samsung Galaxy S7

The most popular Android phone in USA

How hard could it be?


It’s just one device.
… right?

Samsung Galaxy S7

SM-G930W8 SM-G9300 SM-G9308 SM-G930F SM-G930K SM-G930L SM-G930S

SM-G930AZ SM-G930A SM-G930T1 SM-G930R6 SM-G930R7 SM-G930P SM-G930T

SM-G930FD SM-G930R4 SM-G930V SM-G930VL SM-G930U

Full Disk Encryption
The Mobile Forensics Game-changer (2015)

From Android 6.0 CDD:
"For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience."
Encryption adoption
Bar chart, share of devices encrypted: 2% on Android 5 (Lollipop), 24% on Android 6 (Marshmallow), 78% on Android 7 (Nougat).

Source: Google, May 2017
Encryption effects
JTAG/ISP/Chip-off methods – out of the window (a raw flash dump now yields only ciphertext).
"Secure Startup" (FDE keyed to the user's credential rather than the default password) == requires more work
Growing Awareness
Dramatic security improvements
Frequent patching and OS updates

1-day Vulnerabilities
Very rare.

Extracting the ZTE Zmax Pro

ZTE is the 4th most popular vendor in the US (11.6%)

Zmax Pro was released in July 2016 with Android 6.0


Full-Disk-Encryption out-of-the-box
No known unlocking/extraction solutions

Plan
Find a unique feature
Make it extract data
Save the world

ZTE Diagnostics mode (DFU)
Pressing Vol+ & Vol- on boot enters DFU
Exposes a VCOM connection over USB

Sniffing it reveals a simple binary protocol

It looks like the "hello" packet of the "Sahara" protocol,
which is mostly used in Qualcomm's "EDL" mode
What is EDL?
Qualcomm Emergency Download Mode (aka QDLoader 9008)
A rescue mode, exposed when a device can't boot
• As a VCOM connection over USB

Can be forced into this mode by technicians
• The "default" way for this is the VOL+ & VOL- combo
What is EDL?
A permanent mechanism in the PBL

Support for Download mode in the Primary Boot Loader (PBL)
• This requires the PBL to enter Download mode and be ready to process packets over a serial connection layer if the PBL finds an empty Flash or an issue with the next stage of the boot loader. The PBL operates in the boot ROM of the MSM™ ASIC or QSD chipset; therefore, this feature is mandatory with regard to the MSM/QSD version. This feature cannot be added later in the software.
What is EDL?
Support tools available (QPST/QFIL)

Regular unbrick/extraction flow
Enter EDL
Upload Programmer
Programmer Actions: Flash partitions, Read data
A less generic plan

Enter DFU
Upload a programmer
Extract the data
Save the world

Zmax Pro - Extraction flow
Enter DFU
Upload Programmer
Programmer Actions: Read data
From DFU to EDL
DFU is not enough
Exposes a limited Sahara protocol
• Some features are not accessible
• Can't upload a programmer or issue special commands
This code resides in the bootloader (SBL)

From DFU to EDL
A weird command is spotted
A special magic packet in Sahara does something undocumented

From DFU to EDL
A solid plan

Enter DFU
Switch to EDL
Upload a programmer
Extract the data
Save the world
Uploading a programmer ("firehose")
A programmer is a simple ELF image that is loaded with the Sahara protocol in EDL
Once uploaded, the programmer can interact with the eMMC chip

We found programmers that seem HW compatible but none of them worked properly
Maybe it is not that easy to just upload code to a device?
Qualcomm Secure Boot
All components are signed ELF images, verified when loaded

Secure boot process, each stage verifying the next:
• PBL (Primary BootLoader) - BootROM
• Qualcomm's SBL (Secondary BootLoader)
• TrustZone - QSEE (Qualcomm's Secure Execution Environment)
• Android
Qualcomm Secure Boot
Root Key Hash (PK_HASH)
Root of the chain of trust
Stored in eFuse
Set by vendors

Matching a programmer
We need to find a matching programmer: an original, signed programmer for a specific vendor & device

Sahara protocol command mode
Sahara has a special mode to perform actions other than upload
It can also read certificate identifiers from the device

Certificate identifiers
Ensure that the programmer matches the device:
PK_HASH (Root Key Hash)
HW_ID (mapped to chipset, OEM and model IDs)

OnePlus 3 as an example
The programmer is available online for unbrick purposes
The PK_HASH and HW_ID calculated from the programmer match those retrieved from the device
A less generic plan, revisited

Enter DFU
Switch to EDL
Upload a matching programmer
Extract the data
Save the world

Zmax Pro - extraction flow
Enter EDL
Upload Programmer
Programmer Actions: Read data
Uploading a programmer
No matching signed programmer was found
Qualcomm Secure Boot requires a specifically signed programmer!

A more ambitious plan

Enter DFU
Switch to EDL
Run code in SBL
Extract the data
Save the world

Sahara state machine (device side, as drawn on the slide)

Entry: send hello packet, then Wait_hello_resp
Got hello resp: branch on the mode the host answered with
• Mode MEMORY_DEBUG: Wait_memory_read
• Mode COMMAND: Wait_cmd_exec; on a command, send the Get command and prepare the answer; Wait_cmd_exec_data; Answer
• Mode IMAGE_TX_PENDING or IMAGE_TX_COMPLETE: Data_elf_header; Got Valid Header; Data_elf_prog_hdr; Got Valid Program Header; Data_elf_segments; Got Valid Image; Wait_done; Execute programmer
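The protocol the last few slides describe, as an added example that is not code from the deck or from Cellebrite's tooling: command mode to read the certificate identifiers before committing to a programmer, then image-transfer mode in which the phone requests the ELF header, the program headers and each PT_LOAD segment one READ_DATA at a time. The PC side runs against a scripted in-memory stand-in for the phone instead of a USB VCOM port so it executes offline. Command numbers, modes and packet layouts follow the publicly documented Sahara protocol; the HW_ID and PK_HASH values, image id 13, the non-zero error status and the minimal ELF are constructed for the example.

```python
import struct

HELLO, HELLO_RESP, READ_DATA, END_IMAGE_TX, DONE, DONE_RESP = 1, 2, 3, 4, 5, 6  # Sahara ids (public docs / EDL tools)
CMD_READY, CMD_SWITCH_MODE, CMD_EXEC, CMD_EXEC_RESP, CMD_EXEC_DATA = 0xB, 0xC, 0xD, 0xE, 0xF
MODE_IMAGE_TX_PENDING, MODE_IMAGE_TX_COMPLETE, MODE_COMMAND = 0, 1, 3
EXEC_MSM_HW_ID_READ, EXEC_OEM_PK_HASH_READ = 2, 3  # CMD_EXEC "client commands"
PT_LOAD, IMAGE_ID = 1, 13  # IMAGE_ID is whatever the target reports; 13 is a constructed value

def pkt(cmd, *fields):  # u32 command, u32 total length, then little-endian u32 payload words
    body = struct.pack("<%dI" % len(fields), *fields)
    return struct.pack("<II", cmd, 8 + len(body)) + body

class ScriptedDevice:
    """Constructed stand-in for the phone: it drives the protocol and asks only for the bytes it needs."""
    def __init__(self, hw_id, pk_hash):
        self.hw_id, self.pk_hash, self.reply, self.chunks, self.segs = hw_id, pk_hash, b"", {}, []
        self.pending, self.stage = None, None
        self.outbox = [pkt(HELLO, 2, 1, 0x30, MODE_IMAGE_TX_PENDING, 0, 0, 0, 0, 0, 0)]  # 48-byte HELLO: version, supported, cmd_packet_length, mode, reserved
    def read(self):
        return self.outbox.pop(0)
    def _request(self, off, length):
        self.pending = (off, length)
        self.outbox.append(pkt(READ_DATA, IMAGE_ID, off, length))
    def write(self, data):
        if self.pending:  # raw image bytes answering our READ_DATA
            self.chunks[self.pending[0]], self.pending = data, None
            if self.stage == "hdr" and data[:4] != b"\x7fELF":  # "Got Valid Header" fails
                return self.outbox.append(pkt(END_IMAGE_TX, IMAGE_ID, 1))  # constructed non-zero status
            if self.stage == "hdr":  # ELF32: e_phoff at 28, e_phentsize and e_phnum at 42
                phentsize, phnum = struct.unpack_from("<HH", data, 42)
                self.stage = "phdrs"
                return self._request(struct.unpack_from("<I", data, 28)[0], phentsize * phnum)
            if self.stage == "phdrs":  # 32-byte ELF32 program headers: p_type, p_offset, ..., p_filesz
                hdrs = [struct.unpack_from("<5I", data, i) for i in range(0, len(data), 32)]
                self.stage, self.segs = "segs", [(o, n) for t, o, _, _, n in hdrs if t == PT_LOAD and n]
            if self.segs:  # next PT_LOAD segment, else the whole image is in: END_IMAGE_TX status 0
                return self._request(*self.segs.pop(0))
            return self.outbox.append(pkt(END_IMAGE_TX, IMAGE_ID, 0))
        cmd = struct.unpack_from("<I", data)[0]
        if cmd == HELLO_RESP:
            if struct.unpack_from("<I", data, 20)[0] == MODE_COMMAND:  # mode word of HELLO_RESP
                self.outbox.append(pkt(CMD_READY))
            else:
                self.stage = "hdr"
                self._request(0, 52)  # ELF32 header only
        elif cmd == CMD_SWITCH_MODE:  # target re-announces itself with a fresh HELLO in the new mode
            self.outbox.append(pkt(HELLO, 2, 1, 0x30, struct.unpack_from("<I", data, 8)[0], 0, 0, 0, 0, 0, 0))
        elif cmd == CMD_EXEC:
            client = struct.unpack_from("<I", data, 8)[0]
            self.reply = {EXEC_MSM_HW_ID_READ: struct.pack("<Q", self.hw_id), EXEC_OEM_PK_HASH_READ: self.pk_hash}[client]
            self.outbox.append(pkt(CMD_EXEC_RESP, client, len(self.reply)))
        elif cmd == CMD_EXEC_DATA:
            self.outbox.append(self.reply)
        elif cmd == DONE:
            self.outbox.append(pkt(DONE_RESP, MODE_IMAGE_TX_COMPLETE))

def handshake(dev, mode):  # PC side from here on: the phone asks, the PC only answers
    cmd, _, version, supported = struct.unpack_from("<4I", dev.read())
    assert cmd == HELLO, "expected HELLO, got %#x" % cmd
    dev.write(pkt(HELLO_RESP, version, supported, 0, mode, 0, 0, 0, 0, 0, 0))

def read_identifiers(dev):  # command mode: (HW_ID as int, PK_HASH as hex) to match a candidate programmer
    handshake(dev, MODE_COMMAND)
    assert struct.unpack_from("<I", dev.read())[0] == CMD_READY, "device did not enter command mode"
    out = {}
    for client in (EXEC_MSM_HW_ID_READ, EXEC_OEM_PK_HASH_READ):
        dev.write(pkt(CMD_EXEC, client))
        rlen = struct.unpack_from("<I", dev.read(), 12)[0]  # CMD_EXEC_RESP.resp_length
        dev.write(pkt(CMD_EXEC_DATA, client))
        out[client] = dev.read()[:rlen]
    return struct.unpack("<Q", out[EXEC_MSM_HW_ID_READ])[0], out[EXEC_OEM_PK_HASH_READ].hex()

def upload(dev, image):  # image-transfer mode: (END_IMAGE_TX status, DONE_RESP status or None on failure)
    dev.write(pkt(CMD_SWITCH_MODE, MODE_IMAGE_TX_PENDING))
    handshake(dev, MODE_IMAGE_TX_PENDING)
    while True:
        p = dev.read()
        if struct.unpack_from("<I", p)[0] == READ_DATA:
            off, length = struct.unpack_from("<II", p, 12)
            if off + length > len(image):  # never trust offsets coming from the target
                raise RuntimeError("device asked for bytes outside the image")
            dev.write(image[off:off + length])
        else:  # END_IMAGE_TX: status word at offset 12
            status = struct.unpack_from("<I", p, 12)[0]
            if status != 0:
                return status, None
            dev.write(pkt(DONE))
            return status, struct.unpack_from("<I", dev.read(), 8)[0]

def build_programmer(payload):  # constructed minimal ELF32/ARM: 52-byte header, one PT_LOAD phdr at 52, segment at 84
    ehdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0x8000, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", PT_LOAD, 84, 0x8000, 0x8000, len(payload), len(payload), 5, 4) + payload

def run_session(image, hw_id=(0xABCD << 32) | (0x11 << 16) | 1, pk_hash=bytes(range(32))):
    # whole exchange against the constructed target; HW_ID packs MSM_ID<<32 | OEM_ID<<16 | MODEL_ID (values constructed)
    dev = ScriptedDevice(hw_id, pk_hash)
    ids = read_identifiers(dev)
    status, done = upload(dev, image)
    return ids, status, done, b"".join(dev.chunks[k] for k in sorted(dev.chunks)) == image
```

Two things to take from it. The phone is the side that asks: the PC never pushes bytes the target did not request, which is why the slides call the phone the protocol host. And the identifiers come back before any upload, so a mismatch against a candidate programmer's PK_HASH and HW_ID is caught on the PC without provoking a signature failure on the device. The `len(image)` range check on the PC side is the same discipline the "Bug hunting" slide credits the device code with, applied in the other direction.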
Bug hunting
The code is *very* well written:
Initializing variables when declared and right before using them
Adding nulls to end of string buffers before using them
No use of dynamic memory
(almost) no use of loops in parsing
Size/length verification
Overflow checks right before using values
Range checks for addresses
The protocol host is the phone, not the PC (the phone requests data, the PC only answers)
Reading only the minimum amount of data needed
“Difficult is only in bread.”

“And you eat that too.”


But something was missing
We couldn't find the handlers for reading the certificate identifiers in the SBL Sahara implementation

Diagram: ROM: PBL (Sahara) / eMMC: SBL1 (Sahara) / eMMC: TZ/QSEE

We are looking at the wrong binary!
The transition from DFU to EDL restarts into the PBL…
But how do we even get the PBL's binary?
Good question ;)
A more ambitious plan, level up

Enter DFU
Switch to EDL
Exploit the PBL
Extract the data
Save the world

TL;DR
The PBL had an older (less secure) version of the Sahara implementation
Indeed we were able to find a bug in Sahara
Run code
Problem
We can’t write to the code section to patch the code
We can’t execute code from the data section

Solution
Write a shellcode to an empty RAM area
Build a ROP chain
Disable XN bit for the shellcode’s page
Jump to shellcode
Zmax Pro - extraction flow
Enter EDL
Upload Programmer
Programmer Actions: Read data
A more ambitious plan in reality
Enter DFU
Switch to EDL
Exploit the PBL
Exploit TZ to Retrieve Encryption Key
Extract data
Decrypt data
Save the world
Thanks to…
Nadav
Ben & Dror

Questions?
Thank you!
Shahar Tal @jifa
Gil Kaminker
