TZ Exploit - CTS

• Read EL from APX

• Read EL from UEFI

• Create Payload

Idea

Write code into TZ mem and jump to it. Hopefully it will execute at EL3.

Tests

Read NS-Bit

https://developer.arm.com/documentation/ddi0406/latest/ page 1697: can only be read from securemode.

Read EL

https://stackoverflow.com/questions/31787617/what-is-the-current-execution-mode-exception-level-etc http://lioncash.github.io/ARMBook/the_apsr,_cpsr,_and_the_difference_between_them.html https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR.html https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR__M.html

https://developer.arm.com/documentation/ddi0406/latest/ page: 1139

Read EL from APX

a custom payload will be used to read the Exception Level from in APX mode. I expect it to be 3.

#define CPSR_M_SVC 0x13U

Supervisor mode is the default mode to which a Supervisor Call exception is taken.

8KB

payload.c

FuseeGelee Payload to read EL from APX

Read EL from UEFI

A normal efi App will be used to read the Execption Level from UEFI. I expect it to be 0.

#define CPSR_M_FIQ 0x11U

FIQ mode is the default mode to which an FIQ interrupt is taken.

Creating a payload

We need a relocateable payload since UEFI can give us different load addresses everytime.

Therefore we need to use Position independent code: https://stackoverflow.com/questions/6324257/load-time-base-address-cortex-m3-bare-metal https://stackoverflow.com/questions/5311515/gcc-fpic-option

Step by Step

Step 1:

Create payload which reads EL and reports back via serial. Read payload from USB/eMMC to memory. Disable TZ protection. copy payload into TZ mem. override TZ with jumps to payload address. If payload reads EL3 continue.

Step 2:

to be continued...

https://developer.arm.com/documentation/ddi0406/b/System-Level-Architecture/The-System-Level-Programmers--Model/Exceptions/Exception-vectors-and-the-exception-base-address?lang=en