Breaking Secure Bootloaders

Offered By: Black Hat via YouTube

Course Description

Overview

Explore techniques for breaking secure bootloaders in this Black Hat conference talk. Dive into common Android bootloader protection mechanisms and learn how to analyze unlock procedures using USBPCAP. Discover methods for implementing Fastboot and identifying potential bootloader weaknesses. Examine unknown memory analysis techniques and understand the process of unlocking bootloaders by bypassing RSA checks. Investigate bootloader firmware update protocols specific to NXP chips, including hashing processes and signature verification. Learn how to bypass signature verification by modifying hashes and writing them to specific memory locations. Gain insights into repairing firmware using working config dumps and hashing techniques.

Syllabus

Intro
Common Android Bootloader Protection: Analysis of an unlock on the phone was performed using USBPCAP
Implementing Fastboot: Easy to implement using standard USB libraries
Identifying A Potential Bootloader Weakness: The "flash" command usually only flashes partitions on unlocked bootloaders
Unknown Memory Analysis: Most opcodes, while valid operations, would not be the same as in the bootloader
Unlocking The Bootloader: To unlock the bootloader, it was necessary to jump to the code after the RSA check
Patching Bootloader Unlock: A single branch instruction was identified, which sent an error response or unlocked the bootloader, depending on whether the signature was accurate
Bootloader Firmware Update Protocol: Unique to NXP chips
Hashing Process: The first command contains a version number, SHA-256 hash, and signature of the hash
Bypassing Signature Verification: Modified hashes could be written in the right portion of memory
Repairing the Firmware: Using a dump of the working config, the new config could be hashed and written


Taught by

Black Hat
