Hi there,
right now I'm trying to get some knowledge about the little kernel bootloader and how it's working. I just read an article about exploiting the S4 bootloader: http://blog.azimuthsecurity.com/2013...cure-boot.html
Basically the author describes a method, how to modify the function, which verifies the signature during runtime. As far as i understand it, he modifies a boot image in such a way, that a certain shell script is overwriting the check-function and in the end returns a check passed value.
Then i had a quick look into the little kernel source code to the corresponding position (at least i think, that's the right position:
I'm just wondering if it wouldn't be possible, to overwrite the image_verify function in the same way the author did it in his article?
regards,
scotch
right now I'm trying to get some knowledge about the little kernel bootloader and how it's working. I just read an article about exploiting the S4 bootloader: http://blog.azimuthsecurity.com/2013...cure-boot.html
Basically the author describes a method, how to modify the function, which verifies the signature during runtime. As far as i understand it, he modifies a boot image in such a way, that a certain shell script is overwriting the check-function and in the end returns a check passed value.
Then i had a quick look into the little kernel source code to the corresponding position (at least i think, that's the right position:
Code:
else
{
dprintf(INFO, "Authenticating boot image (%d): start\n", imagesize_actual);
auth_kernel_img = image_verify((unsigned char *)image_addr,
(unsigned char *)(image_addr + imagesize_actual),
imagesize_actual,
CRYPTO_AUTH_ALG_SHA256);
dprintf(INFO, "Authenticating boot image (%d): done\n", imagesize_actual);
if(auth_kernel_img)
{
/* Authorized kernel */
device.is_tampered = 0;
}
}regards,
scotch
xda-developers
He is living evidence that it could be done, if you really want if bad
RépondreSupprimersufficient to act.