TEE basics
- Introduction to Trusted Execution Environment: ARM's TrustZone
- Introduction to TEE (original title: TEEを中心とするCPUセキュリティ機能の動向, "Trends in CPU security features centered on TEEs")
- Attacking the ARM's TrustZone
- Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017)
- Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM
- Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A. Machiry, 2017)
Motorola
- Unlocking the Motorola Bootloader (10/02/2016)
Huawei
- Exploiting Trustzone on Android (BH-US 2015) by Di Shen (@returnsme)
- EL3 Tour: Get the Ultimate Privilege of Android Phone (Infiltrate19)
- Nailgun: Break the privilege isolation in ARM devices (PoC #2 only)
QSEE
- Reflections on Trusting TrustZone (2014)
- Getting arbitrary code execution in TrustZone's kernel from any context (28/03/2015)
- Exploring Qualcomm's TrustZone implementation (04/08/2015)
- Full TrustZone exploit for MSM8974 (10/08/2015)
- TrustZone Kernel Privilege Escalation (CVE-2016-2431)
- War of the Worlds - Hijacking the Linux Kernel from QSEE
- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
- Exploring Qualcomm's Secure Execution Environment (26/04/2016)
- Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)
- Trust Issues: Exploiting TrustZone TEEs (24 July 2017)
- Breaking Bad. Reviewing Qualcomm ARM64 TZ and HW-enabled Secure Boot on Android (4-9.x)
- Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores, CVE-2018-11976 (NCC)
- Qualcomm TrustZone Integer Signedness bug (12/2014)
- The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019)
Samsung
Kinibi & MobiCore
- Unbox Your Phone: Parts I, II & III
  - https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c
  - https://medium.com/taszksec/unbox-your-phone-part-ii-ae66e779b1d6
  - https://medium.com/taszksec/unbox-your-phone-part-iii-7436ffaff7c7
  - https://github.com/puppykitten/tbase
  - https://github.com/puppykitten/tbase/blob/master/unboxyourphone_ekoparty.pdf
- KINIBI TEE: Trusted Application Exploitation (2018-12-10)
- Reverse Engineering Samsung S6 SBOOT - Parts I & II
- TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III & IV
- Breaking Samsung's ARM TrustZone (BlackHat USA 2019)
TEEGRIS
- Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov
TEE Videos
- Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes
- Daniel Komaromy - Enter The Snapdragon (2014-10-11)
- BSides DC 2018 & DerbyCon VIII - On the nose: Bypassing Huawei's Fingerprint Authentication by Exploiting the TrustZone by Nick Stephens
- BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking
- No cON Name 2015 - (Un)Trusted Execution Environments by Pau Oliva
  - video (audio in Spanish only): https://vimeo.com/150787883
  - slides: https://t.co/vFATxEa7sy
Tools
Emulate
- QEMU Support for Exynos9820 S-Boot
- Emulating Exynos 4210 BootROM in QEMU