Analysis of Qualcomm Secure Boot Chains

Qualcomm is the market-dominant hardware vendor for non-Apple smartphones. Considering the [SoCs] they produce are predominant, it has become increasingly interesting to reverse-engineer and take over their boot chain in order to get a hold onto the highest-privileged components while they are executing. Ultimately, the objective is to be able to experiment with closed-source and/or undocumented components such as hardware registers or Trusted Execution Environment Software.

more ...

Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors

This blog post provides details about two vulnerabilities found by Quarkslab's researchers Guillaume Delugré and Kévin Szkudłapski in the secure boot feature of the i.MX family of application processors built by NXP Semiconductors.

The bugs allow an attacker to subvert the secure boot process to bypass code signature verification and load and execute arbitrary code on i.MX application processors that have the High Assurance Boot feature enabled. These bugs affect 12 i.MX processor families.

The vulnerabilities were discovered and reported to the vendor in September 2016 and the technical details included in this blogpost were disclosed in a joint Quarkslab-NXP presentation at the Qualcomm Mobile Security Summit 2017 in May 19th, 2017. National computer emergency response teams (CERTs) from 4 countries were informed about the issues in March, 2017.

NXP has issued an Engineering Bulletin and two Errata documents (EB00854, ERR010872 and ERR0108873 respectively) providing a brief description of both vulnerabilities, the list of affected processor models along with resolution plans and possible mitigations.

In the rest of the blogpost we describe the relevant features in i.MX processors and the vulnerabilities affecting them.

more ...