Abstract

Bug Tales: Life and Death in the Sahara

There has been virtually no public discussion of vulnerabilities within Qualcomm's bootrom. Despite being difficult to research, the PBL is not immune to flaws. For this talk, we focus on an unbounded recursion bug introduced by a new command in the Sahara protocol.

We will walk through exploitation of the memory corruption caused by the recursion and transform it into PC control, culminating in shellcode execution in EL3. From there, we will cover persistence through all layers of the phone's boot stack and demonstrate popping a root shell on a bootloader-locked Pixel phone. Finally, we wrap up with the interesting way this was mitigated on newer chipsets.

Bio

Seamus Burke is a vulnerability researcher and reverse engineer with over 7 years of experience on mobile targets. He has spoken at various security conferences, including Def Con and Shmoocon, and has instructed classes on baseband research. Although he has written exploits for just about every attack surface of a mobile device, he maintains a particular affection for basebands, bootroms, and weird cpu architectures. When not staring at IDA he likes to spend his time wrenching on cars and racing.