Abstract

Bug Tales: Life and Death in the Sahara

There has been virtually no public discussion of vulnerabilities within Qualcomm's bootrom. Despite being difficult to research, the PBL is not immune to flaws. For this talk, we focus on an unbounded recursion bug introduced by a new command in the Sahara protocol.

We will walk through exploitation of the memory corruption caused by the recursion and transform it into PC control, culminating in shellcode execution in EL3. From there, we will cover persistence through all layers of the phone's boot stack and demonstrate popping a root shell on a bootloader-locked Pixel phone. Finally, we wrap up with the interesting way this was mitigated on newer chipsets.

Bio

Aaron Willey is a vulnerability researcher with nearly a decade of experience working on mobile and other targets. Currently, he spends most of his time looking at the non-Android parts of Android phones, including bootroms, bootloaders, basebands, and more. There's a special place in his heart for all the little coprocessors and their firmware living inside modern SoCs - the umpteen different ARM cores, including the venerable ARM926EJ-S that he really hopes actually supports the Jazelle extension; the tiny bespoke cores implementing one-off architectures that are only supported by a barely-functional port of GCC 4.9; and of course that one 8051 lurking in the depths of the on-chip interconnects that serves as the One Root of Trust to Rule Them All.