Beyond Root: Custom Firmware for Embedded Mobile Chipsets

Conference: BlackHat USA 2020



The presentation discusses vulnerabilities in Samsung's NFC chips and how they can be exploited to gain access to 13.56 MHz access controls. The speaker also talks about the process of developing custom firmware for proprietary chips and the potential for finding undisclosed vulnerabilities in old chips.
  • Samsung's NFC chips have vulnerabilities that can be exploited to gain access to 13.56 MHz access controls
  • Custom firmware can be developed for proprietary chips to add functionality
  • Undisclosed vulnerabilities in old chips are likely to be present in new chips
The speaker describes how they were able to fully implement MIFARE Classic on a Samsung S9 by modifying the firmware and sending nine-bit values into eight-bit buffers. This allowed them to spoof any 13.56 MHz access control. Exploiting the vulnerability required root access, but once compromised, the chip became far more useful than it is with its standard firmware.


Rooting a smartphone is often considered the ultimate method to allow a user to take complete control of their device. Despite this, many smartphones contain hardware which is closed off to any modification. This talk aims to show how this hardware can be reverse engineered in order to bypass its protections and further expand its functionality. Using proprietary NFC Controllers as an example, we will cover analysis of the protocols used by the chips, how the firmware protections could be broken, and how custom firmware could be developed and deployed to the phone with no hardware modifications. This will include methodologies for analysing weaknesses in firmware update protocols, leveraging the Unicorn CPU Emulator to bypass debugging restrictions, and techniques for reverse engineering the hardware capabilities of an unknown chip in order to implement custom features. This will end with a demonstration of a smartphone with passive NFC sniffing capabilities and expanded tag emulation functionality.