what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Google Nexus 9 Build N4F27B Cypress SAR Firmware Injection

Google Nexus 9 Build N4F27B Cypress SAR Firmware Injection
Posted May 5, 2017
Authored by Roee Hay | Site alephsecurity.com

Nexus 9 Android Builds before N4F27B contains a firmware injection vulnerability via I2C bus through a SAR sensor driver flashing flaw. This vulnerability requires access to the I2C bus, which is available via the USB fastboot interface and HBOOT interface, which is exposed via the headphone jack.

tags | advisory
advisories | CVE-2017-0563
SHA-256 | 09cb9ce7a0b1f5b948804b87b863cd8f524662124754065615cd2d56ab103125

Google Nexus 9 Build N4F27B Cypress SAR Firmware Injection

Change Mirror Download
Title:
====
Google Nexus 9 Cypress SAR Firmware Injection via I2C

Identifier:
========
CVE-2017-0563

Product:
=======
Google Nexus 9

Vulnerable Version:
================
Nexus 9 Android Builds before N4F27B - May 2017, i.e. before bootloader 3.50.0.0143.

Mitigation:
=========
Install N4F27B or later (bootloader version 3.50.0.0143).

Technical Details:
==============
The Nexus 9 device contains a sensor SoC manufactured by Cypress. The sensor is managed by a driver available under drivers/input/touchscreen/cy8c_sar.c. The driver uses the sensor's data in order to regulate the radiation level emitted by the device.

The sensor communicates with the application processor via I2C bus #1, which also provides a firmware update interface. During the platform boot, the driver samples the SoC's firmware's version via chip address 0x5{c,d}, register 0x6. If it is different than the one available under /vendor/firmware/sar{0,1}.img, it initiates with a firmware flashing process (via I2C chip address 0x6{0,1}). It seems though that the firmware is not signed by Cypress, thus anyone having access to the I2C bus, can reflash the firmware of the SoC.

On Nexus 9 before build N4F27B, the I2C buses could be accessed by an unauthorized bootloader attacker:

1. Via the USB fastboot interface, accessible by the fastboot oem {i2cr, i2cw, i2crNoAddr, i2cwNoAddr} commands.
2. Via the HBOOT interface, available through UART (exposed by the headphones jack).

These vectors are especially significant because theoretically they can be used by either a physical attacker (rebooting the device into fastboot) or by malicious chargers / headphones. For example, a malicious charger connected to an ADB-enabled device may reboot the device into fastboot if the user authorizes the charger. As for headphones, on builds before N4F26T they could reboot the device into HBOOT by issuing 'reboot oem-42' on the FIQ debugger prompt [3].

Full details can be found on our vulnerability report [1].

Patch:
=====
Google patched the vulnerability on build N4F27B / bootloader 3.50.0.0143 by restricting access to the I2C buses - The I2C related bootloader commands are no longer available.
Please note that although Google published the advisory on the April 2017 Security Bulletin [4], the patch has been included only since the April 5 2017 Security Patch Level, where the April Nexus 9 image (N4F26X) has the April 1 2017 Security Patch Level, hence it does not contain the patched bootloader.

References:
==========
[1] Aleph Research Vulnerability Report. https://alephsecurity.com/vulns/aleph-2017009
[2] PoC. https://github.com/alephsecurity/PoCs/tree/master/CVE-2017-0563
[3] Attacking Nexus 9 with Malicious Headphones. https://alephsecurity.com/2017/03/08/nexus9-fiq-debugger/
[4] Google's Security Bulletin (April 2017). https://source.android.com/security/bulletin/2017-04-01#eop-in-htc-touchscreen-driver


::DISCLAIMER::
----------------------------------------------------------------------------------------------------------------------------------------------------

The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only.
E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted,
lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents
(with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates.
Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the
views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification,
distribution and / or publication of this message without the prior written consent of authorized representative of
HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately.
Before opening any email and/or attachments, please check them for viruses and other defects.

----------------------------------------------------------------------------------------------------------------------------------------------------



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close