TZ Exploit - CTS

Idea

Write code into TZ mem and jump to it. Hopefully it will execute at EL3.

Tests

Read NS-Bit

Per the ARM Architecture Reference Manual (https://developer.arm.com/documentation/ddi0406/latest/, page 1697), the NS bit can only be read from Secure mode.

Read EL

Read EL from APX

A custom payload will be used to read the Exception Level from APX mode. I expect it to be 3.
#define CPSR_M_SVC 0x13U
Supervisor mode is the default mode to which a Supervisor Call exception is taken.
Attachment: payload.c (8KB, text): FuseeGelee payload to read EL from APX

Read EL from UEFI

A normal EFI app will be used to read the Exception Level from UEFI. I expect it to be 0.
#define CPSR_M_FIQ 0x11U
FIQ mode is the default mode to which an FIQ interrupt is taken.
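
Added example (not the attached payload.c or any project code): the mode-decoding part of such an EL-reporting payload, covering both tests above. On AArch32 the CPSR.M field names the mode (0x13 SVC, 0x11 FIQ, 0x16 MON, the Secure Monitor mode), while on AArch64 the CurrentEL register holds the EL; the mode field does not record Secure vs Non-secure state, which is why the NS-bit test above needs Secure mode. The live register read is only compiled for 32-bit ARM targets; a host build uses a constructed sample value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AArch32 CPSR.M[4:0] mode encodings (ARM ARM PSR mode field) and the privilege
 * level of each: USR is PL0, HYP is PL2, the rest PL1. SCR.NS is separate. */
static const struct { uint32_t m; const char *name; int pl; } cpsr_modes[] = {
    {0x10U, "USR", 0}, {0x11U, "FIQ", 1}, {0x12U, "IRQ", 1}, {0x13U, "SVC", 1},
    {0x16U, "MON", 1}, {0x17U, "ABT", 1}, {0x1AU, "HYP", 2}, {0x1BU, "UND", 1},
    {0x1FU, "SYS", 1},
};

/* Mode name for a raw CPSR value; "RESERVED" for undefined encodings. */
const char *cpsr_mode_name(uint32_t cpsr)
{
    for (size_t i = 0; i < sizeof cpsr_modes / sizeof cpsr_modes[0]; i++)
        if (cpsr_modes[i].m == (cpsr & 0x1FU)) return cpsr_modes[i].name;
    return "RESERVED";
}

/* Privilege level (0..2) for a raw CPSR value; -1 for reserved encodings. */
int cpsr_privilege_level(uint32_t cpsr)
{
    for (size_t i = 0; i < sizeof cpsr_modes / sizeof cpsr_modes[0]; i++)
        if (cpsr_modes[i].m == (cpsr & 0x1FU)) return cpsr_modes[i].pl;
    return -1;
}

/* AArch64 equivalent: CurrentEL bits [3:2] hold the exception level 0..3. */
unsigned currentel_to_el(uint64_t currentel)
{
    return (unsigned)((currentel >> 2) & 3U);
}

/* Live read only when built for 32-bit ARM; a host build returns a
 * constructed sample (SVC mode, IRQ and FIQ masked), not a captured value. */
static uint32_t read_cpsr(void)
{
#if defined(__arm__)
    uint32_t v;
    __asm__ volatile("mrs %0, cpsr" : "=r"(v));
    return v;
#else
    return 0x600000D3U;
#endif
}

int main(void)
{
    uint32_t c = read_cpsr();
    printf("CPSR=0x%08x mode=%s PL%d\n", (unsigned)c, cpsr_mode_name(c), cpsr_privilege_level(c));
    return 0;
}
```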

Creating a payload

We need a relocatable payload, since UEFI can give us a different load address every time.

Step by Step

Step 1:

Create a payload which reads the EL and reports back via serial. Read the payload from USB/eMMC into memory. Disable TZ protection. Copy the payload into TZ memory. Override TZ with jumps to the payload address. If the payload reads EL3, continue.

Step 2:

to be continued...