Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

An Interesting Feature in the Samsung DSP Driver- 419

David Berard - Synacktiv. Posted 5 years ago
  • The DSP (digital signal processing) driver is reachable from untrusted applications on Samsung phones, and its code is publicly available to review. For some reason, there is an ioctl that can be used to upload custom firmware! With code execution inside the DSP, what can we do?
  • Once the firmware is uploaded, the location of a pointer (dsp_util_queue_enqueue) can be edited to point to an arbitrary location. However, only a minimal amount of the data that gets written can be controlled.
  • The uploaded DSP firmware file is not the only file loaded in the DSP address space. The DSP driver contains a custom ELF loader to load additional libraries and link them. Really, a custom loader!?
  • This custom loader does not vet the ELF very well. By supplying an oversized value in one of the ELF fields, kernel memory can be leaked, which breaks KASLR and exposes a task struct (which holds many vital Android fields).
  • As a mitigation, the DSP firmware functionality has been completely removed. On DayZeroSec, they hypothesized that this was leftover test functionality that should not have been there in the first place.
  • In vulnerability hunting, deep reversing can yield bugs quickly! Sometimes, it is about finding the weird functionality that has been overlooked.