Analysis of Qualcomm Secure Boot Chains

Qualcomm is the market-dominant hardware vendor for non-Apple smartphones. Considering the [SoCs] they produce are predominant, it has become increasingly interesting to reverse-engineer and take over their boot chain in order to get a hold onto the highest-privileged components while they are executing. Ultimately, the objective is to be able to experiment with closed-source and/or undocumented components such as hardware registers or Trusted Execution Environment Software.

Introduction

From March to September 2019, I had the pleasure to do a six-month internship at Quarkslab to study the boot chains produced by Qualcomm and complete the following tasks:

  • get the highest privilege level (EL3) to execute code;
  • dump high-level privilege components such as the bootROM or Primary Boot Loader (PBL), the Secondary Boot Loader (SBL) and reverse-engineer them;
  • take over the boot chain;
  • study Qualcomm's Secure Monitor and undocumented secure registers such as the "XPU" registers.

Two different phone models were used to perform this research: a Google Nexus 6P and a Nokia 6.

Given how widespread Qualcomm hardware is, as stated above, many people have already worked on studying Qualcomm components. In particular, Aleph Security released a series of 5 blogposts (aleph aleph2 aleph3 aleph4 aleph5) (alongside tools), describing how they took over the Nokia 6 boot chain and wrote a debugger. These blogposts served as basis for our own work.

First of all a general overview of the Secure Boot process and especially the one used by Qualcomm is given, then by using Aleph Security's tools, we will dump the Nexus 6P and Nokia 6 bootroms in order to gain code execution in them and inject a small debugger, giving the ability to dump the whole phone from the very beginning. This section will also explain the difficulties we encountered with the payload provided by Aleph Security, and how we managed to get around them. After propagating the control to the next stages of the bootchain, we patched the Qualcomm Secure Execution Environment to add a hook giving us a read/write primitive in the highest privileg level EL3. Finally, we will discuss briefly about the XPU register.

Context

Armv8 Exception Levels

Armv8 systems have multiple privilege levels, called exception levels or ELs, ranging from EL0 to EL3. The lower the exception level number is, the less privileges it has. Additionally, with the software and hardware isolation provided by the TrustZone technology, Armv8 distinguishes between the Non-Secure and Secure exception levels.

Armv8.4 and later revisions add the previously missing Secure EL2 exception level.

Secure Boot

General Overview

A secure boot chain is a chain where every stage loads, authenticates (with e.g. RSA) and then executes the next one. The very first stage, the bootROM, is implicitely trusted, as it is most often stored on a CPU die. While modifying it may be considered feasible in theory, it is not scalable. The result is a full chain of trusted components:

According to Qualcomm Secure Boot and Image Authentication Technical Overview document [QualcommSB], the binary authentication is designed more or less in the following way:

The vendor emits a root certificate, keeping the private key for themselves and using the public key in the bootROM. As it has to be implicitely trusted, a hash of its public key is stored in hardware (most of the time, in fuses), to ensure it has not been tampered with.

This certificate can sign another certificate (and so on...), or directly authenticate a signature. The end result is a certificate chain where different parties can sign various sub-components of the system.

Qualcomm's Secure Boot chain

Design

The Qualcomm secure boot chain, on non-Samsung devices, is designed as follows:

  • the bootROM, also called PBL (Primary Boot Loader), is the first component to be executed by the CPU;
  • the next component, the SBL (Secondary Boot Loader), used to be divided in SBL1, SBL2 and SBL3 in older hardware revisions:
    • this is now the XBL (eXtended Boot Loader);
  • the SBL loads the Secure Monitor, QSEE (now QTEE), and executes it in EL3. It also loads aboot (now ABL, both standing for Android Boot Loader) and has it executed in EL1;
  • aboot (or ABL) loads either the regular OS, or a recovery version of it; it can also communicate with a PC via USB using the fastboot protocol.

EDL

More importantly, the PBL (bootROM) can execute a recovery mode, called Emergency Download Mode (EDL), if one of the following conditions is met:

  • the SBL is corrupt and/or its version is invalid;
  • specific testpoints have been shortened on the board;
  • the system reboots and specifies that the bootROM needs to transition to EDL mode (implementation details vary from one SoC to another).

When going to EDL, the bootROM waits for the PC to send commands. Among these commands, a particularly interesting one is used to send a signed image over USB. To alleviate this task, Aleph Security created a tool named firehorse.

On older telephone models, EDL images ("programmers") have interesting properties, among which are:

  • some signed images are available on the internet depending on the phone model;
  • programmers execute in EL3;
  • they have arbitrary read and write commands (peek and poke).

Exploiting the Nexus 6P

The Google Nexus6P, codenamed angler, is a phone co-developed by Google and Huawei released in late 2015. Its SoC is a MSM8994.

Accessing EDL Mode

Accessing EDL mode is fairly trivial on this phone. It is sufficient to downgrade the phone to a version older than December 2017 — which is trivial because Google themselves give you the needed images and instructions [OTA] — and root it. Once rooted, one simply needs to execute the following commands to access the EDL mode:

echo 1 > /sys/module/msm_poweroff/parameters/enable_edl
adb reboot edl

Dumping the BootROM (PBL)

Once the device has entered EDL mode, it identifies itself as Qualcomm HS-USB 9008 and the bootROM waits for commands.

It is then necessary for the PC to communicate with the phone to send the signed EDL image. Using Aleph's tool, firehorse, which is a wrapper for Qualcomm's official tools, the command is:

firehorse -c COM3 -t angler fw hello

Assuming the phone is mapped to COM3, and that the EDL image (or programmer) is at its correct location.

Knowing the address of the bootROM thanks to Aleph blogposts, it is trivial to dump the bootROM (PBL):

firehorse -c COM3 -t angler fw peek 0xFC010000 0x20000 pbl.bin

In any case, the bootROM is mirrored at physical address 0 too.

Gaining Code Execution

Once we can communicate with the EDL programmer, it is possible to use the poke command to write at any address as explained in the Aleph's third blogpost aleph3. With the powerfull primitive, it's possible to inject code directly on the stack.

However, on Aarch64 EDL programmers, SCTLR_EL3.WXN is a protection mitigating such attempts.

One way this can be worked around is by using ROP (return-oriented programming), which is what Aleph tried to do. However, their ROP chain did not seem to work during our tests and we decided to try a different approach by modifying page table entries. By mapping the 1GB region containing our code as read-only, we can subsequently make our code executable. Moreover, since the virtual address range is otherwise unused, no TLB (Translation lookaside buffer) flush is required. Using the firehorse code base, this gives:

addr = 0xFC100000
path = r"hooks.bin"
target = t.get()
ttbr0 = target.page_table_base
FH_FW.upload64(addr, path)
I("uploaded payload")

FH_FW.poke64(ttbr0, 0xC0000611) # AP=0b10, read only; map 1GB from 0xC0000000 to VA 0
FH_FW.poke64(target.saved_lr_addr, addr + 4 - 0xC0000000) # jump to our code at addr

We've tried disabling SCTLR_EL3.WXN as soon as we gained code execution. Unfortunately, this did not work; we thus had to disable the MMU with the following gadget:

.text:00000000F803DF38             loc_F803DF38                            ; CODE XREF: write_sctlr+C↑j
.text:00000000F803DF38 01 10 1E D5                 MSR             SCTLR_EL3, X1
.text:00000000F803DF3C
.text:00000000F803DF3C             locret_F803DF3C                         ; CODE XREF: write_sctlr+14↑j
.text:00000000F803DF3C C0 03 5F D6                 RET

With this done, we can now try to take over the Nexus 6P boot chain.

Taking Over the Bootchain: First Attempts

Given that, on the Google Nexus 6P, the bootROM is executing Aarch32 code (i.e. 32-bit) while the EDL is a 64-bit image, it immediately comes to mind that we need to reset the CPU back into Aarch32 mode.

We thus tried to write the reset address to the same hardware register that is used by the bootROM to set the 64-bit entry address, 0xF900D07C, then use the standard Armv8 register, RMR_EL3, to actually reset the CPU.

However, after a few tests, it turned out that this doesn't work:

  • the bootROM is mirrored at the physical address 0; this probably means that the Aarch32 reset vector is hardcoded at address 0;
  • just resetting the CPU without trying to change the entry address doesn't work either; this may indicate some weird hardware issue.

Reversing the Nexus 6P BootROM

The execution of the bootROM, also called PBL, starts at address 0xFC010000, which directly jumps to 0xFC010050, then 0xFC010054. This corresponds to the following code:

RAM:FC010754 50 0F 0D EE                 MCR             TPIDRURW, R0
RAM:FC010758 90 1F 0D EE                 MCR             TPIDRPRW, R1
RAM:FC01075C B0 0F 10 EE                 MRC             R0, MPIDR
RAM:FC010760 0F 00 00 E2                 AND             R0, R0, #0xF
RAM:FC010764 00 00 50 E3                 CMP             R0, #0
RAM:FC010768 5B 00 00 1A                 BNE             loc_FC0108DC
RAM:FC01076C 48 03 9F E5                 LDR             R0, =0xFC010000
RAM:FC010770 10 0F 0C EE                 MCR             VBAR, R0
RAM:FC010774 44 13 9F E5                 LDR             R1, =0xFC400204
RAM:FC010778 00 00 91 E5                 LDR             R0, [R1]
RAM:FC01077C 01 00 80 E3                 ORR             R0, R0, #1
RAM:FC010780 00 00 81 E5                 STR             R0, [R1]
RAM:FC010784 38 13 9F E5                 LDR             R1, =0xFC400208
RAM:FC010788 00 00 91 E5                 LDR             R0, [R1]
RAM:FC01078C 01 00 80 E3                 ORR             R0, R0, #1
RAM:FC010790 00 00 81 E5                 STR             R0, [R1]

The bootROM starts by setting per-thread registers (seemingly used as scratch registers here) TPIDRURW and TPIDRPRW to the contents of r0 and r1. This is used for improper reset.

The bootROM checks if the core ID of the processor executing the code is 0, if not, it jumps to an inifinite loop.

It then sets the exception vector base to 0xFC010000, and sets some miscellaneous hardware registers.

Next is the boot procedure selection.

It begins with:

RAM:FC010794 2C 03 9F E5                 LDR             R0, =0xFC401780
RAM:FC010798 00 00 90 E5                 LDR             R0, [R0]
RAM:FC01079C 02 08 10 E3                 TST             R0, #0x20000
RAM:FC0107A0 0C 00 00 0A                 BEQ             loc_FC0107D8
RAM:FC0107A4 20 03 9F E5                 LDR             R0, =0xFC4BE0F0
RAM:FC0107A8 00 00 90 E5                 LDR             R0, [R0]
RAM:FC0107AC D1 15 00 E3                 MOV             R1, #0x5D1
RAM:FC0107B0 01 00 50 E1                 CMP             R0, R1
RAM:FC0107B4 03 00 00 0A                 BEQ             loc_FC0107C8
RAM:FC0107B8 10 03 9F E5                 LDR             R0, =0xFC4017C0
RAM:FC0107BC 00 00 90 E5                 LDR             R0, [R0]
RAM:FC0107C0 01 00 10 E3                 TST             R0, #1
RAM:FC0107C4 03 00 00 0A                 BEQ             loc_FC0107D8
RAM:FC0107C8
RAM:FC0107C8             loc_FC0107C8                            ; CODE XREF: _init+60↑j
RAM:FC0107C8 04 03 9F E5                 LDR             R0, =sub_FC010040
RAM:FC0107CC A3 00 00 EB                 BL              SetVbar
RAM:FC0107D0 00 03 9F E5                 LDR             R0, =0xFE800000 ; func
RAM:FC0107D4 71 2E 00 EB                 BL              resetToAa64

It means that if:

((*(vu32 *)0xFC401780 & 0x20000) && (*(vu32 *)0xFC4BE0F0 == 0x5D1 || (*(vu32 *)0xFC4017C0 & 1) == 1))

that is, with the two reset methods, if mask 0x20000 was set in the secure register at 0xFC401780 (by default, it isn’t), then the bootROM sets the exception table to infinite loops and immediately resets to 0xFE800000 in Aarch64 mode. This seems to be called improper reset.

All 3 involved registers are writable (or in the case of HWIO_GCC_RESET_STATUS_ADDR, one can trigger a watchdog reset).

Then:

RAM:FC0107D8 FC 02 9F E5                 LDR             R0, =0xFC102080
RAM:FC0107DC D3 F0 21 E3                 MSR             CPSR_c, #0xD3
RAM:FC0107E0 00 D0 A0 E1                 MOV             SP, R0
RAM:FC0107E4 DB F0 21 E3                 MSR             CPSR_c, #0xDB
RAM:FC0107E8 00 D0 A0 E1                 MOV             SP, R0
RAM:FC0107EC D7 F0 21 E3                 MSR             CPSR_c, #0xD7
RAM:FC0107F0 00 D0 A0 E1                 MOV             SP, R0
RAM:FC0107F4 D3 F0 21 E3                 MSR             CPSR_c, #0xD3
RAM:FC0107F8 00 C0 A0 E3                 MOV             R12, #0
RAM:FC0107FC 0C 30 A0 E1                 MOV             R3, R12
;                       ............................... boilerplate ..................................

meaning that in any other case than the above, the stacks for each Aarch32 execution mode are set, and r3 to r12 are set to 0.

Furthermore,

RAM:FC010860 78 02 9F E5                 LDR             R0, =0xFC4BE034
RAM:FC010864 00 10 90 E5                 LDR             R1, [R0]
RAM:FC010868 40 00 11 E3                 TST             R1, #0x40
RAM:FC01086C 02 00 00 1A                 BNE             loc_FC01087C
RAM:FC010870 6C 02 9F E5                 LDR             R0, =sub_FC010060
RAM:FC010874 79 00 00 EB                 BL              SetVbar
RAM:FC010878 68 F2 9F E5                 LDR             PC, =0xFC100000

if (0xFC4BE034 & 0x40) is true, then the bootROM sets the exception vector table to infinite loops then jumps to 0xFC100000. The concerned register is read-only, it's probably a fuse register (the used register seems to be fuse-related and is involved in determining whether secure boot is enabled).

Finally,

RAM:FC01087C             loc_FC01087C                            ; CODE XREF: _init+118↑j
RAM:FC01087C E7 40 00 EB                 BL              initsysregs
RAM:FC010880 64 02 9F E5                 LDR             R0, =main
RAM:FC010884 10 FF 2F E1                 BX              R0      ; main

The boot process continues: further system registers are initialized, after which the code jumps to the main function.

The main function, after some miscellaneous initializations, executes a list of functions, passing the same singleton instance to all the functions. There are many functions, but the most notable ones decide whether or not to go to EDL mode:

  • if the EDL test points are shortened, go to EDL;
  • if some fuses have specific bit sets, go to EDL;
  • if the three words at 0xFE87FFE0, written by the Android kernel, are 0x322A4F99 0xC67E4350 0x77777777, go to EDL.

Taking Over the Boot Chain: Second Attempt with a Mini-Debugger

As seen above, by writing 0x5D1 to 0xFC4BE0F0 and setting 0x20000 to 0xFC401780 & 0x20000, then resetting the system, we gain early EL3 Aarch64 code execution.

There is, however, no way to obtain EL3 Aarch32 code execution, needed to reexecute the bootROM (which is Aarch32 code).

However, we made the following considerations about the Armv8 architecture:

  • higher Aarch64 exception levels can set lower exception levels to execute in Aarch32 mode;
  • virtually all system registers in Aarch32 are encoded the same way regardless of the exception levels;
  • self-debug of secure exception levels is easier if one exception level above s-EL1 is Aarch64.

Therefore, we came up with the idea of executing the Nexus 6P bootROM in secure EL1 mode. This allows us to enable debug exceptions in secure EL1 and thus to put hardware breakpoints on the bootROM. This requires the following steps.

First setup s-EL1 as Aarch32:

// Clear NS bit, next exception level is a32, enable smc
mrs     x0, scr_el3
bic     x0, x0, #(1 << 10)
bic     x0, x0, #(1 << 7)
bic     x0, x0, #1
msr     scr_el3, x0

then enable debugging capabilities, and make it so that s-EL1 handles s-EL1 debug exceptions:

// Disable OS lock
mov     x0, xzr
msr     osdlr_el1, x0
msr     oslar_el1, x0

// Disable any kind of EL2 trapping
msr     mdcr_el2, x0

// Enable secure breakpoints
mrs     x0, mdcr_el3
bic     x0, x0, #(1 << 16)
orr     x0, x0, #(3 << 14)
msr     mdcr_el3, x0

// SPIDDis=0, MDBGen=1, KDE=1
mrs     x0, mdscr_el1
bic     x0, x0, #(1 << 16)
orr     x0, x0, #(1 << 15)
orr     x0, x0, #(1 << 13)
msr     mdscr_el1, x0

Then the code jumps to Aarch32 code which sets up the hardware breakpoints and finally executes the bootROM (which special care to ensure exception vectors base isn't being replaced).

The breakpoints serve the following purposes:

  • let our Aarch32 code continue to be executed (remove NX bits from MMU table attributes, prevent VBAR from being ever replaced);
  • make it appear that secure boot is disabled;
  • jump back to EL3 using an smc instruction, to then execute the SBL.

The breakpoints are set and handled once they are hit.

We got the following results:

  • bootROM normal bootpath works perfectly well with that approach, control is transferred back to EL3 when expected;
  • however, for some unknown hardware reason, the system is not able to jump to the SBL at all!
  • trying to debug the EDL path leads to similar issues.

In short, the approach works but unresolved issues remain to this day.

Exploiting the Nokia 6

Given that our work on the Nexus 6P got stale, we decided to try with another phone: a Nokia 6. Its bootROM and EDL programmer (which can be found on the Internet) both run in Aarch32 and, as such, shouldn't have the hardware issues the Nexus 6P had.

The Nokia6 was released in January 2017 and its SoC is a MSM8937.

Accessing EDL Mode

As opposed to the Nexus 6P, it is much harder to access the EDL mode on the Nokia 6:

  • there is no easy way to access it, e.g. no adb reboot edl;
  • there was a way to make SBL reboot into EDL via an USB cable with the D+ pin shortened, but we "accidentally" updated the phone to 9.0;
  • there isn't any official way to "unlock the phone's bootloader", which would have helped in corrupting the SBL partition.

In the end, my line manager Guillaume Heilles (a.k.a zours) agreed with opening the phone to shorten the EDL test points:

The steps were the following:

  • diffusing hot air on the surface of the telephone to melt the glue around the screen (this took over 30 minutes);
  • removing around 18 screws to access the board;
  • temporary solder to see if EDL mode could be accessed;
  • final solder where the EDL testpoints are linked through a push-button switch; if the switch is activated, the circuit closes and the testpoints are shortened, causing the bootROM to take the EDL boot path.

He also probed the board for UART pins (UART is extensively being used by the SBL), but, unfortunately, it seems like the UART port was removed on the phone we used.

Gaining Code Execution

This is extremely easy, even more so than on the Nexus 6P, because the pages at 0x08000000 are RWX. We thus uploaded the payload at this address and changed the return address (located at 0x0805CFDC).

Taking Over the Boot Chain

Once code execution is achieved, it is easy enough to take over the boot chain since both the bootROM and the programmer are Aarch32 code.

Taking Over the BootROM (PBL)

The bootROM is located and executes at address 0x00100000.

We adopted an approach similar to Aleph's here:

  • copy the bootROM in a buffer;
  • patch the copy;
  • remap the copy using the copy (the copy having appropriate patches to keep the address translation valid);
  • run the copy.

The patches are the following:

  • keeping the address translation mapping valid, ensuring the execution of the copy;
  • deactivating the testpoint check, so that the bootROM doesn't try to go to EDL over and over again;
  • injecting the SBL hook in the main function list.

Taking Over the SBL (secondary boot loader)

With the SBL hook injected into the bootROM copy, we made the following patches to the SBL:

  • deactivating secure boot (image verification and authentication) at the SBL level;
  • injecting the next QSEE (secure monitor) and aboot (Android bootloader) hooks;

Patching QSEE and Aboot, and Communicating with the PC

Once we have taken over the SBL, we can patch the Secure Monitor and aboot as they are loaded.

For QSEE, we added a hook on the "synchronous exception from lower Aarch32 exception level" exception vector. This allowed us to add an arbitrary EL3 read/write primitive accessed through the smc instruction.

On aboot side, the patches are the following:

  • implement a new fastboot command which exposes the abovementioned read/write primitive to the PC;
  • make it believe secure boot is disabled. This has the nice side-effect to make the bootloader unlockable with no unlock key needed.

The end result is that we can read/write EL3 memory from fastboot while the system is running:

Studying the XPU Registers

Since we can now read/write EL3 memory, it is now finally possible to interact with the XPU registers, for which there is no public documentation whatsoever.

A particular function of the secure monitor, referencing "ERROR:MPU Partition overlapping found!", is the XPU fault handler and contains a lot of debug strings and information about the XPU registers.

List of hardware devices having XPU Units

The first thing that is easily noticeable is a big array of structure instances containing the names and addresses of the various XPU units on the Nokia 6.

The list is the following:

  • IPA_BAM_NDP, base XPU regs address at 0x7902000
  • IPA at 0x38000
  • A5X_XPU at 0x1C61000
  • Q6PCNOC_CFG at 0x32000
  • SDC1_SDCC_ICE at 0x7806000
  • LPASS_TOP at 0xC064000
  • TLMM at 0x1300000
  • TCU at 0x34000
  • QDSP at 0x37000
  • IMEM_MPU at 0x53000
  • GPS at 0x36000
  • MCDMA at 0x35000
  • BOOT_ROM at 0x1FF000
  • VENUS0 at 0x1DF0000
  • TCSR_REGS at 0x1936000
  • SEC_CTRL_APU at 0xAE000
  • RPM_APU at 0x287000
  • MSS at 0x4000000
  • MPM2 at 0x4A7000
  • CLK_CTL at 0x1880000
  • SNOC_CFG at 0x2D000
  • PCNOC_CFG at 0x2E000
  • PMIC_ARB at 0x200E000
  • WCSS_APU at 0xA21F000
  • DEHR at 0x4B0000
  • CRYPTO0_BAM at 0x702000
  • BAM_BLSP2_DMA at 0x7AC2000
  • BAM_BLSP1_DMA at 0x7882000
  • BIMC_MPU_0 at 0x44A000

XPU Register Structure

By looking at the function tables in the Secure Monitor pertaining to XPU registers, then reversing them, we have discovered most of the structure that all XPU units share.

Each XPU unit has the same kind of registers. Control registers make up the first 0x200 bytes, then there is a variable number of protection region registers set (each set being 0x80 bytes in size).

There are 3 sets of control registers (each being 0x80 in size), in this order: secure, nonsecure, and "MSS self-auth" (which purpose is still unknown to us). The first controls accesses made by the Secure World (including to the registers themselves), and the second accesses made by the Normal World.

typedef struct XpuControlRegisterSet {
    // Some regs are only in the secure block,
    // some others only in the nonsec block (like UMR_*, REV_*), some in both...
    u32 CR;                 // 0. "Control register"?
    u32 WDR;                // 4
    u32 PRTN_RACR_SHADOW0;  // 8. only for some types of devices (like BootROM)
    u32 unk_0c;
    u32 PRTN_START_SHADOW0; // 0x10. same
    u32 unk_14;
    u32 PRTN_END_SHADOW0;   // 0x18. same
    u32 unk_1c;
    u32 RPU_ACR0;           // 0x20
    unk_24, unk_28, unk_2c, unk_30, unk_34, unk_38, unk_3c;

    /* ============Error registers============ */
    u64 EAR0;               // 0x40
    u32 ESR;                // 0x48
    u32 ESRRESTORE;         // 0x4C
    u32 ESYNR0;             // 0x50
    u32 ESYNR1;             // 0x54
    u32 ESYNR2;             // 0x58
    /* =========End of error registers========= */

    u32 unk_5c;
    u32 UMR_RACR;           // 0x60
    u32 UMR_WACR;           // 0x64
    u32 unk_68, unk_6c;
    u32 UMR_CNTL;           // 0x70. nonsec only
    u32 IDR0;               // 0x74. sec only? "Interrupt Description Register 0"?
    u32 IDR1;               // 0x78. sec only? "Interrupt Description Register 0"?
    u32 REV;                // 0x7c
} XpuControlRegisterSet;

typedef struct XpuProtectionRegisterSet {
    u32 RACR0;              // 0x00
    u32 unk_4[7];
    u32 WACR0;              // 0x20
    u32 unk_24[7];
    u64 START0;             // 0x40
    u64 END0;               // 0x48
    u32 SCR;                // 0x50
    u32 MCR;                // 0x54
    u32 CNTL0;              // 0x58, only on some. Bit31: mpu partition disabled
    u32 CNTL1;              // 0x5C, same
    u32 unk_60[8];
} XpuProtectionRegisterSet;

An exhaustive list of all the XPU and their role can be found in the Annex section section of this blogpost.

Other XPU Findings

We can see in the annex that the control register has a reset deassert bit. One question that immediately comes to mind: if we keep an XPU unit in reset (e.g. the bootROM one), can we now do any kind of access to the affected unit?

The results are the following:

  • clearing the bit in the secure CR instance renders the XPU registers for the unit inaccessible;
  • clearing the bit in the non-secure CR instance makes all accesses from the normal-world stop causing faults, but data is read as 0, writes are ignored.

This means the XPU registers are only one mean to secure peripherals and/or memory, all of which can be protected by other technology like TrustZone isolation.

Conclusion and Acknowledgments

In a nutshell, I had the opportunity to work on two phones and gain a great understanding of the Qualcomm ecosystem overall.

Even though the work on the Nexus 6P stalled, I still had the opportunity to find interesting methods; on the Nokia 6, I have managed to read/write any memory while the system is running.

I would like to thank my internship tutors, Joffrey Guilbon (patate), Maxime Peterlin (lyte) and Alexandre Adamski (neat) for their precious help and guidance throughout my internship; as well as Guillaume Heilles (zours) for having "modded" the Nokia 6 phone I used.

I would also like to thank all my colleagues for the warm welcome I received, and for proofreading this article.

Bibliography

[aleph]Aleph Security, "Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals", https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
[aleph2]Aleph Security, "Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting", https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
[aleph3]Aleph Security, "Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction", https://alephsecurity.com/2018/01/22/qualcomm-edl-3/
[aleph4]Aleph Security, "Exploiting Qualcomm EDL Programmers (4): Runtime Debugger", https://alephsecurity.com/2018/01/22/qualcomm-edl-4/
[aleph5]Aleph Security, "Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot", https://alephsecurity.com/2018/01/22/qualcomm-edl-5/
[ROP]Return-oriented programming, https://en.wikipedia.org/wiki/Return-oriented_programming
[TLB]Translation lookaside buffer, https://en.wikipedia.org/wiki/Translation_lookaside_buffer
[Nokia6]Nokia 6 wikipedia page, https://en.wikipedia.org/wiki/Nokia_6
[Nexus6P]Nexus 6P wikipedia page, https://en.wikipedia.org/wiki/Nexus_6P
[QualcommSB]Qualcomm, Secure Boot and Image Authentication Technical Overview, https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf
[SoCs]System on Chip, integrated circuit integrating all the basic components a system needs: CPU, memory, many peripherals, etc.
[OTA]Full OTA Images for Nexus and Pixel Devices, https://developers.google.com/android/ota
[firehorse]https://github.com/alephsecurity/firehorse

Annex

XPU Registers Description

Legend:

  • S = "Secure"
  • NS = "Non Secure"
  • RESn = "Reset to n"

CR: Control Register, offset 0x00

Bits Description
31-17 RES0, RO
16 S: RES0, RO NS: ? RW
15-11 RES0, RO
10-9 ?
8 Enables something
7 RES0, RO
6 S: ? NS: RES0, RO
5 S: RES1, RO NS: RES0, RO
4 RES1, RO
3-1 ?
0 Reset deassert

Writing 0 to the "XPU unit enable" bit of the secure version of the register (SCR) causes access faults when later accessing the register for this XPU unit, even if the access was made from the Secure World.

EAR0: Error Address Register 0, offset 0x40

Contains the physical address of the fault.

ESR: Error Status Register, offset 0x48

Bits Description
31 "Multiple" fault
30-4 RES0, RO (?)
3 ?
2 ?
1 "Client" fault
0 "Config" fault

ESRRESTORE: Error Status Register Restore (?), offset 0x4C

Used to acknowledge and clear errors. Writes to this registers are copied to ESR (maybe?).

ESYNR0: Error Synthesis Register 0, offset 0x50

Bits Description
31-24 TID
23-16 VMID
15-13 BID
12-8 PID
7-0 Master ID
0 "Config" fault

ESYNR1: Error Synthesis Register 1, offset 0x54

Bits Description
31 ERROR_DCD fault
30 ERROR_AC fault
29 Addr. read-allocate flag
28 Addr. burst flag
27 Addr. "exclusive" flag
26 Addr. write flag
25 Addr. "full" flag
24 Addr. read "BEADNDXEN" flag
23 Addr. out-of-order flag
22 ?
21-19 "pReqPriority"
18-16 "Size"
15 Addr. "MSS SELF AUTH" flag
14-8 "Length"
7 Addr. "instruction" flag
6 Addr. prot. is NS flag
5 Addr. private flag
4 Addr. inner-shared flag
3 Addr. shared flag
2-0 Memory type

ESYNR2: Error Synthesis Register 2, offset 0x58

Bits Description
31-4 ?, RES0?
3 Save/restore in progress
2 MSA region match
1 Secure region match
0 Nonsecure region match

IDR0: Interrupt Description Register 0, offset 0x74

?

IDR1: Interrupt Description Register 1, offset 0x78

Bits Description
31-11 ?
10 0 for faults
9-0 ?

Comments