The presentation discusses the exploitation of vulnerabilities in Huawei's Kirin 980 and 990 chipsets, and how they were able to gain arbitrary code execution and control of the platform.
- The presentation details the Hadry Sandbag vulnerability in the boot ROM bootstrap code of the Kirin 980 and 990 chipsets.
- The exploit allowed for arbitrary code execution on the LPMCU and at EL3 on the ACPU.
- The team was able to turn the arbitrary write primitive into code execution by overwriting the pushed return address on the stack.
- The team also found a way to dump the plaintext xloader (bootstrap) code.
- Huawei has been improving the modem's security, including adding ASLR in the Kirin 990 chipset.
- The team had to reverse engineer and patch some functionality in the trisome to enable the ASLR shift.
- The team was able to use the same type of primitives on the remote side to gain complete control of the platform.
The team was able to exploit the Hadry Sandbag vulnerability in three simple steps, which gave them arbitrary code execution. They were also able to dump the plaintext xloader (bootstrap) code, although the dump took about seven hours to complete. To enable the ASLR shift, which Huawei added to improve the modem's security, the team had to reverse engineer and patch some functionality in the trisome.
The exploration of baseband security has come a long way in the past decade. Published research has exposed privacy issues in 3GPP protocols from GSM to LTE and traditional memory safety vulnerabilities in implementations of various chipset vendors. Yet, in some ways, we have only scratched the surface. For one, almost all published memory corruption bugs have been classic TLV parsing vulnerabilities in Layer 3 GSM. For another, previous remote exploitation demonstrations looked at basebands as more code doing typical input parsing without considering the maze of hardware elements that surround them, and stayed inside the baseband sandbox.

We have set out to challenge the status quo with our research into the newest iterations of Huawei's Kirin SoCs. After Pwn2Own 2017, Huawei stopped supporting unlocked bootloaders, introduced new firmware encryption for SoC components, and invested heavily in improving code quality from the well-known baseband source leak. In fact, the latest Kirin chipsets that have been the subject of published research are from 2016.

We will cover our journey from unlocking the newest generations of Huawei devices through identifying and exploiting bootloader vulnerabilities to building a debugger and reversing new mitigation improvements of the baseband OS. We will dive into a part of the 3GPP stack that hasn't received much attention before and present our results of reversing Huawei's implementation and finding remotely exploitable vulnerabilities that work differently from previously documented baseband memory corruption bugs.

Finally, we will investigate the ways a baseband interacts with the rest of the SoC. We will show a handful of vulnerabilities that we have found, both in software and hardware, and explain how we exploited them to escape from the baseband and take over not only Android and the Linux kernel, but even TrustZone.