Giters

Ye-Yong-Chi / mate7_TZ_exploit

Huawei mate 7 TrustZone exploit

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

mate7_TZ_exploit

With two vulnerabilities,any installed application is able to execute arbitrary code in TEE of Huawei Mate7 . This source code is a PoC which may read fingerprint image from sensor(FPC1020) on Mate 7.

Official Security Advisories

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-432799.htm

CVE ID

  • CVE-2015-4421
  • CVE-2015-4422

Details

see whitepaper in ./doc

How to build

ndk-build NDK_DEBUG=1

Usage

Make sure the version of firmware is Mate7-TL10,V100R001CHNC00B123SP03

Unlock your screen,put your finger on touch pad of sensor,and execute p1ng.

The exploit may take a few minutes and print out hex strings of your fingerprint data.

  • ./p1ng

Exploit Linux kernel,TEE_GlobalTask and RTOSck(kernel of TEE). Then call __FPC_readImage to read fingerprint image.

  • ./p1ng physical_addr

dump physical memory from /dev/mem, for debugging only

  • ./p1ng 0 kernel_addr

execute TEE shell code at kernel_addr, for debugging only.

kernel_addr is the address of TEE shellcode.

You can use this option to read fingerprint instantly (otherwise you must wait a few minutes) if you have ran exploit once after the mobile startup.

kernel_addr will be printed out via kmsg at the fist time executing the exploit.

  • ./p1ng 0 0 0

read TEE error log from 0x3FE01400(physical addr), for debugging only

Affected Versions

  • Huawei Ascend Mate 7 : Mate7-TL10,V100R001CHNC00B123SP03 or earlier
  • TEEOS: TrustedCore Release Version 1.26. Sep 17 2014.13:57:39 or earlier

About

Huawei mate 7 TrustZone exploit

Languages

Language:C 97.0%Language:Makefile 1.6%Language:Assembly 1.4%