Iskuri
@Iskuri1

835 posts

Joined July 2018
476 Following, 966 Followers

Iskuri @Iskuri1
Extremely excited to announce that I will be speaking at @BlackHatEvents #BHAsia this year, with my talk surrounding exploitation of smartphone Boot ROMs, and what can be achieved on a target by compromising the boot chain! blackhat.com/asia-26/briefi… (#practical-attacks-against-smartphone-boot-roms-50532)

stacksmashing @ghidraninja
When I got started with hardware hacking etc @travisgoodspeed was (and is) one of my heroes. Now there’s a chapter in his new (awesome) book on a vuln I found. Feels awesome. Thanks Travis for all your contributions to our community. Also, you should buy his book!

Iskuri @Iskuri1
@travisgoodspeed Can't go wrong with a Kingst LA1010 if you want something low price with decent software.

Travis Goodspeed @travisgoodspeed
A friend needs a cheap logic analyzer and won't invest in a quality one. What are the cool kids using instead of Sigrok these days? (Open or closed, must reliably decode UART traffic on at least two channels at 115200.)

Iskuri reposted
is-eqv.bsky.social @is_eqv
PSA: If you do fuzzing research, don't even bother trying to beat AFL++. Just start your evaluation when the ensemble of other existing fuzzers has thoroughly plateaued (i.e. 100h+). Go find problems that can't be solved rn. Don't try to get another 1% gain in the first 48h.

Iskuri @Iskuri1
@travisgoodspeed I believe this mechanism was also vulnerable to TOCTOU on the original Gameboy, you could display a custom logo if you altered the memory on the cartridge after the first comparison.

Travis Goodspeed @travisgoodspeed
The Game Boy copy protection is just that the trademarked Nintendo logo must appear at 0x104 in the cartridge memory. There's no copy protection chip like the NES, SNES and N64. Is there a list of unlicensed games somewhere, or were these counterfeits of licensed games?
Supper Mario Broth @MarioBrothBlog:

In 1994, Nintendo made a public event at a Dutch airport where 10,000 counterfeit Game Boy games they confiscated in the Netherlands were run over by a steamroller, to send a message to counterfeiters. An actor in a Mario costume was overseeing the operation.


Iskuri reposted
Andrey Konovalov @andreyknvl
Wrote an article about turning a ThinkPad X1 Carbon 6th Gen laptop into a programmable USB device by enabling the xDCI controller 😯 Now I can emulate USB devices from the laptop without external hardware, including via Raw Gadget or even Facedancer 😁 xairy.io/articles/think…

Iskuri reposted
CVE @CVEnew
CVE-2024-22012 In TBD of TBD, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution pr… cve.org/CVERecord?id=C…

Iskuri @Iskuri1
@herrmann1001 Sadly, this attack is a couple of years old, but was still a fun exercise at the time!

Iskuri @Iskuri1
Also, here is my exploit for the PN553, an NFC chip from a series which was found in an insane number of phones at the time of analysis: github.com/Iskuri/PN553-S… This version purely dumps the BootROM from the chip, and could be adapted to most non-updated PN series chips.

Iskuri @Iskuri1
@olemoudi Great points, thanks for summarising! The only thing I would add is that devices are still vulnerable to cold boot attacks (RAM dump on reboot) if you compromise the bootloader, even if it isn't unlocked, so there is still some risk of forensic attacks.

Martín Obiols @olemoudi
8- Despite all of the above, bootloader unlocking typically wipes device data, so stolen devices should still be safe. 9- Despite #8, some devices might have vulns serious enough to allow kernel write before execution. All in all, thanks to @Iskuri1 for sharing the research.

Iskuri @Iskuri1
@SecurityJon Thanks, Jon! Yeah this one was more focused on the issues post-exploitation and the issues with it than anything else.

Jon Aubrey @SecurityJon
@Iskuri1 That was a good read, nice to see both what did, and didn’t work in the slides!

Iskuri @Iskuri1
Both my DEF CON and Black Hat talks went really well! It has been a fantastic week!

Iskuri @Iskuri1
As the DEF CON media server has uploaded my slides, I can confirm that the talk I am doing tomorrow will be a two-parter, with the second part being a secure boot compromise of Exynos-based Samsung smartphones!

Iskuri @Iskuri1
Finished my first in-person Blackhat talk! It was an amazing crowd and had some great questions! #BHUSA