During our previous research on Android File-Based encryption, we studied the boot chain of some Samsung devices based on Mediatek system on chips. Our objective was to exploit a known boot ROM vulnerability to bypass the secure boot and ultimately retrieve the required ingredients to brute force the user credentials. Once we became familiar with this boot chain, we decided to take a closer look at a component coming later in the process: the Little Kernel bootloader (LK, also called BL3-3)....

By: Maxime Rossi Bellom & Raphael Neveu Additional Contributors: Damiano Melotti & Gabrielle Viala

Full Abstract and Presentation Materials: blackhat.com/us-24/briefings/schedule/#attacking-samsung-galaxy-a-boot-chain-and-beyond-38526