Nitay Artenstein

Talk Title

The Art of Bootloader Unlocking: Exploiting Samsung Sboot

Abstract

In recent years, OEMs and network operators have stepped up efforts to prevent the rooting of Android phones. Owners of locked phones often find that, after paying hundreds of dollars for the latest model, their devices are impossible to root or modify and that they're locked to one particular network operator.

The Samsung Bootloader, or sboot, is the mysterious piece of software that's responsible for enforcing this draconian limitation. sboot is the gatekeeper of a vast majority of Samsung Android devices, and yet its functionality and internals are shrouded in secrecy. While some Android bootloaders did receive some love by the research community, sboot remains unexplored and unexploited. Until now.

In this research, we will dive into the secrets and protective mechanisms of sboot; find out exactly what it's doing to prevent your device from modifications; and look at anti-tamper mechanisms such as the Warranty Bit. We will then delve into the obscure protocols that keep the bootloader going, enumerate through the surprisingly large attack surface that it presents - and find a memory corruption vulnerability that allows us to dig deeper into sboot than Samsung ever intended.

Speaker Bio

Nitay Artenstein is a freelance security researcher in the fields of reverse engineering, exploit development and vulnerability research. His fields of interest include Windows kernel exploitation, reverse engineering embedded systems and bug hunting in the Linux kernel. For the past two years he has been working mainly on exploiting Android devices. He suffers from a severe addiction to IDA Pro (at least until radare come up with a decent decompiler), and generally gets a kick out of digging around where he's not supposed to.