laginimaineb
Just managed to extract the Qualcomm KeyMaster keys directly from TrustZone! Writeup coming soon :) (1/2)
laginimaineb 29 May 16
Replying to @laginimaineb
And wrote a script to decrypt all keystore keys. This can also be used to bruteforce the FDE passphrase off the device! (2/2)
Lee Hutchinson 29 May 16
D. Jared Domínguez 29 May 16
pretty much
Chandler 29 May 16
fricking hacker!
Yanai Moyal 29 May 16
Replying to @laginimaineb
strange the master key is not protected by TZ HW
Yanai Moyal 29 May 16
Replying to @laginimaineb
by the way, on which smartphone do you do your TZ security research?
laginimaineb 30 May 16
Replying to @int10h
Yes, that one and another one to elevate to TZ kernel. They're both part of my TZ research
laginimaineb 30 May 16
Replying to @yanaimoyal
This specifically is done on the Nexus 6, but I've also dabbled w/ the Nexus 5 and Moto X 2nd Gen
Paul Crowley 30 May 16
Replying to @laginimaineb
Very interesting work, thanks! Curious if you've had a go at attacking the non-QC Nexus 9?
laginimaineb 30 May 16
Replying to @ciphergoth
I would love to do some non-QC research - I was thinking more along the lines of MobiCore or SE
͏ 30 May 16
Replying to @laginimaineb
Holy fuck! Congrats!
Jonathan Guerin 30 May 16
Replying to @laginimaineb
you extracted the KEK, or you were able to simply decrypt all keys in the store? Nice work, btw!
Mathew Solnik 30 May 16
might I suggest SEP? It’s getting lonely out here -
laginimaineb 31 May 16
Replying to @msolnik @ciphergoth
Sounds like a plan :) Does anyone have iboot keys from 5S or higher? Also, really looking forward to your talk!
laginimaineb 31 May 16
Replying to @kop48
KEK
laginimaineb 31 May 16
Replying to @pent0thal
Thanks!
Jonathan Guerin 31 May 16
Replying to @laginimaineb
oh wow, nice work mate! Looking forward to the blog post.
Mathew Solnik 31 May 16
you can dump iBoot out of physical memory post boot - no need to decrypt
laginimaineb 31 May 16
Replying to @msolnik @ciphergoth
Isn't SEP firmware encrypted w/ the firmware key? I thought you needed an iBoot exploit to access the AES Engine