Twitter | Search | |
laginimaineb
Just managed to extract the Qualcomm KeyMaster keys directly from TrustZone! Writeup coming soon :) (1/2)
Reply Retweet Like More
laginimaineb 29 May 16
Replying to @laginimaineb
And wrote a script to decrypt all keystore keys. This can also be used to bruteforce the FDE passphrase off the device! (2/2)
Reply Retweet Like
D. Jared Domínguez 29 May 16
pretty much
Reply Retweet Like
Chandler 29 May 16
fricking hacker!
Reply Retweet Like
Yanai Moyal 29 May 16
Replying to @laginimaineb
strange the master key is not protected by TZ HW
Reply Retweet Like
Yanai Moyal 29 May 16
Replying to @laginimaineb
by the way, on which smartphone you do your TZ security research?
Reply Retweet Like
laginimaineb 30 May 16
Replying to @int10h
Yes, that one and another one to elevate to TZ kernel. They're both part of my TZ research
Reply Retweet Like
laginimaineb 30 May 16
Replying to @yanaimoyal
This specifically is done on the Nexus 6, but I've also dabbled w/ the Nexus 5 and Moto X 2nd Gen
Reply Retweet Like
Paul Crowley 30 May 16
Replying to @laginimaineb
Very interesting work, thanks! Curious if you've had a go at attacking the non-QC Nexus 9?
Reply Retweet Like
laginimaineb 30 May 16
Replying to @ciphergoth
I would love to do some non-QC research - I was thinking more along the lines of MobiCore or SE
Reply Retweet Like
͏ 30 May 16
Replying to @laginimaineb
Holy fuck! Congrats!
Reply Retweet Like
Jonathan Guerin 30 May 16
Replying to @laginimaineb
you extracted the KEK, or you were able to simply decrypt all keys in the store? Nice work, btw!
Reply Retweet Like
Mathew Solnik 30 May 16
might I suggest SEP? It’s getting lonely out here -
Reply Retweet Like
laginimaineb 31 May 16
Replying to @msolnik @ciphergoth
Sounds like a plan :) Does anyone have iboot keys from 5S or higher? Also, really looking forward to your talk!
Reply Retweet Like
laginimaineb 31 May 16
Replying to @kop48
KEK
Reply Retweet Like
laginimaineb 31 May 16
Replying to @pent0thal
Thanks!
Reply Retweet Like
Jonathan Guerin 31 May 16
Replying to @laginimaineb
oh wow, nice work mate! Looking forward to the blog post.
Reply Retweet Like
Mathew Solnik 31 May 16
you can dump iBoot out of physical memory post boot - no need to decrypt
Reply Retweet Like
laginimaineb 31 May 16
Replying to @msolnik @ciphergoth
Isn't SEP firmware encrypted w/ the firmware key? I thought you needed an iBoot exploit to access the AES Engine
Reply Retweet Like