
Beyond Root: Custom Firmware for Embedded Mobile Chipsets

Conference:  Defcon 28

2020-08-01

Summary

The presentation covers vulnerabilities found in, and patches made to, the proprietary NFC controller chip used in Samsung phones, and the potential for developing custom firmware for closed-off chips inside embedded devices such as phones.
  • Exploiting the chip required root access on the phone, but once the chip was compromised it could be used for far more than mobile payments.
  • Custom firmware development for proprietary chips is challenging but rewarding, and can expand what an embedded device is able to do.
  • Bootloader vulnerabilities are increasingly common and can persist unpatched for years.
  • Undisclosed vulnerabilities in older chips are likely to be carried forward into newer ones.
  • The speaker modified the Samsung phone's NFC chip firmware to fully implement MIFARE Classic, allowing the phone to impersonate 13.56 MHz access-control credentials.
  • Other examples of custom firmware development include adding Wi-Fi monitor mode to Broadcom chipsets and extra debugging functionality to Bluetooth chipsets.
Full MIFARE Classic emulation on the phone's own NFC controller could be used to gain access to a wide range of systems, and is more subtle than carrying a dedicated attack tool such as a Proxmark or an external antenna.

Abstract

Rooting a smartphone is often considered the ultimate method for a user to take complete control of their device. Despite this, many smartphones contain hardware which is closed off to any modification. This talk aims to show how such hardware can be reverse engineered in order to bypass its protections and further expand its functionality. Using proprietary NFC controllers as an example, we cover analysis of the protocols used by the chips, how the firmware protections could be broken, and how custom firmware could be developed and deployed to the phone with no hardware modifications. This includes methodologies for analysing weaknesses in firmware update protocols, leveraging the Unicorn CPU emulator to bypass debugging restrictions, and techniques for reverse engineering the hardware capabilities of an unknown chip in order to implement custom features. The talk ends with a demonstration of a smartphone with passive NFC sniffing capabilities and expanded tag emulation functionality.
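The abstract's first methodology, finding weaknesses in a firmware update protocol, usually comes down to one question: does the chip verify that an update is authentic, or only that it is intact? The following added example (not code from the talk, and not the update format of any real Samsung or other NFC controller; the container layout, field names and key are all constructed for illustration) contrasts a bootloader that only checks a CRC32 with one that checks a keyed MAC. Against the CRC-only check, an attacker who has root on the phone and can reach the chip's update interface simply swaps in a custom image and recomputes the CRC; against the MAC check the same image is rejected.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy update container (NOT a real vendor format):
#   magic(4) | version(4 LE) | length(4 LE) | payload | trailer
# trailer is a CRC32 for the weak variant and an HMAC-SHA256 tag for the hardened one.
MAGIC = b"FWUP"
HEADER = struct.Struct("<II")  # version, payload length


def _body(version: int, payload: bytes) -> bytes:
    return MAGIC + HEADER.pack(version, len(payload)) + payload


def _split(image: bytes, trailer_len: int):
    """Return (body, trailer) if the header is well formed, else None."""
    if len(image) < 12 + trailer_len or image[:4] != MAGIC:
        return None
    body, trailer = image[:-trailer_len], image[-trailer_len:]
    _version, length = HEADER.unpack(body[4:12])
    if len(body) != 12 + length:
        return None
    return body, trailer


def pack_crc_image(version: int, payload: bytes) -> bytes:
    body = _body(version, payload)
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_crc_image(image: bytes) -> bool:
    """Weak bootloader check: a CRC proves integrity, not origin."""
    parts = _split(image, 4)
    if parts is None:
        return False
    body, trailer = parts
    return (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack("<I", trailer)[0]


def forge_crc_image(image: bytes, new_payload: bytes) -> bytes:
    """Attacker step: keep the version, replace the payload, recompute the CRC."""
    version = struct.unpack("<I", image[4:8])[0]
    return pack_crc_image(version, new_payload)


def pack_hmac_image(version: int, payload: bytes, key: bytes) -> bytes:
    # Hardened variant. A real design would use an asymmetric signature so the
    # verifying key need not be secret; HMAC keeps this example stdlib-only.
    body = _body(version, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_hmac_image(image: bytes, key: bytes) -> bool:
    parts = _split(image, 32)
    if parts is None:
        return False
    body, tag = parts
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    vendor_key = b"constructed-vendor-key"          # assumption: held only by the vendor
    original = b"\x00\xbf" * 8                      # constructed: Thumb NOPs as stand-in firmware
    custom = b"\xfe\xe7" * 8                        # constructed: Thumb "b ." as stand-in attacker code

    weak = pack_crc_image(1, original)
    weak_forged = forge_crc_image(weak, custom)

    strong = pack_hmac_image(1, original, vendor_key)
    # Attacker lacks the key: best effort is to splice the payload and reuse the old tag.
    strong_forged = strong[:12] + custom + strong[-32:]

    return {
        "weak_accepts_original": verify_crc_image(weak),
        "weak_accepts_forged": verify_crc_image(weak_forged),
        "strong_accepts_original": verify_hmac_image(strong, vendor_key),
        "strong_accepts_forged": verify_hmac_image(strong_forged, vendor_key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

When auditing a real chip, the same test applies: build an image that differs from the vendor's by a byte, fix up whatever checksum the format carries, and see whether the update path accepts it. If it does, the remaining work is the reverse engineering the abstract describes, not cryptanalysis.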
