EL3 Tour: Get The Ultimate Privilege of Android Phone
Guanxing Wen
2019
Bio
✤ Senior Security Researcher at Pangu
✤ Exploitation and Reverse Engineering
✤ Recently
  ✤ Firmware, Bootloader, Kernel
✤ Previously
  ✤ Adobe Flash
Agenda
✤ ARMv8 Privilege Mode
✤ Post-startup architecture of Huawei P20
✤ Hunt EL3 Vulnerabilities
✤ Execute shellcode in EL3
✤ Face ID Bypass
ARMv8 Privilege Mode

        Normal World                                    Secure World
EL0     Application / Framework / Libraries / Services  Trusted App
EL1     Linux Kernel                                    Trusted Kernel
EL2     Hypervisor                                      -
EL3     Trusted Firmware, spanning both worlds (No limits: Physical Memory, TTBR0_ELx, VBAR_ELx, …)
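The diagram above places the Linux kernel at EL1 and Trusted Firmware at EL3. The architected way for EL1 or EL2 software to enter EL3 is the SMC instruction, and the 32-bit function ID it passes in w0 (defined by Arm's SMC Calling Convention, DEN 0028) tells the EL3 monitor which service owns the call and therefore which handler runs with EL3's unrestricted privileges. The decoder below is an added example, not code from this talk or from any Huawei firmware: the field layout and Owning Entity Numbers are taken from the SMCCC specification, the sample IDs are public ones (PSCI CPU_ON, SMCCC_VERSION, OP-TEE's OPTEE_SMC_CALL_WITH_ARG) plus one constructed malformed fast call, and the program only decodes IDs on the host, it does not execute an SMC.

```c
/* Added example (not from the original slides): decoding SMC Calling
 * Convention (SMCCC, Arm DEN 0028) function IDs. On ARMv8 the SMC
 * instruction is how EL1 (Linux kernel) or EL2 (hypervisor) code enters
 * EL3; the 32-bit function ID in w0 selects the EL3 service (PSCI, SiP,
 * Trusted OS dispatcher, ...) that handles the call. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMCCC_FAST_CALL   (1u << 31)   /* 1 = fast call, 0 = yielding call */
#define SMCCC_CONV_64     (1u << 30)   /* 1 = SMC64 convention, 0 = SMC32 */
#define SMCCC_OEN_SHIFT   24
#define SMCCC_OEN_MASK    0x3fu        /* bits 29:24: Owning Entity Number */
#define SMCCC_SBZ_MASK    0x00ff0000u  /* bits 23:16: must be zero in fast calls */
#define SMCCC_FUNC_MASK   0xffffu      /* bits 15:0: function number */

struct smc_func_id {
    unsigned fast;    /* 1 = fast call, 0 = yielding call */
    unsigned conv64;  /* 1 = SMC64 register convention, 0 = SMC32 */
    unsigned oen;     /* owning entity number */
    unsigned func;    /* function number within the owner's range */
    unsigned valid;   /* 0 if a fast call has reserved bits set */
};

/* Owning Entity Numbers as listed in the SMCCC specification. */
const char *smccc_oen_name(unsigned oen)
{
    switch (oen) {
    case 0:  return "Arm Architecture";
    case 1:  return "CPU Service";
    case 2:  return "SiP Service";
    case 3:  return "OEM Service";
    case 4:  return "Standard Secure Service";
    case 5:  return "Standard Hypervisor Service";
    case 6:  return "Vendor Specific Hypervisor Service";
    default:
        if (oen >= 48 && oen <= 49) return "Trusted Application";
        if (oen >= 50 && oen <= 63) return "Trusted OS";
        return "Reserved";
    }
}

/* Split a function ID into its SMCCC fields. */
struct smc_func_id smccc_decode(uint32_t id)
{
    struct smc_func_id f;
    f.fast   = (id & SMCCC_FAST_CALL) != 0;
    f.conv64 = (id & SMCCC_CONV_64) != 0;
    f.oen    = (id >> SMCCC_OEN_SHIFT) & SMCCC_OEN_MASK;
    f.func   = id & SMCCC_FUNC_MASK;
    /* The spec requires bits 23:16 of a fast call ID to be zero;
     * treat an ID that sets them as malformed. */
    f.valid  = f.fast ? ((id & SMCCC_SBZ_MASK) == 0) : 1u;
    return f;
}

/* Build a function ID from its fields (inverse of smccc_decode). */
uint32_t smccc_make_id(unsigned fast, unsigned conv64, unsigned oen, unsigned func)
{
    return (fast ? SMCCC_FAST_CALL : 0u) |
           (conv64 ? SMCCC_CONV_64 : 0u) |
           ((oen & SMCCC_OEN_MASK) << SMCCC_OEN_SHIFT) |
           (func & SMCCC_FUNC_MASK);
}

/* One-line human-readable summary, e.g. for annotating an SMC trace. */
int smccc_describe(uint32_t id, char *buf, size_t len)
{
    struct smc_func_id f = smccc_decode(id);
    return snprintf(buf, len, "0x%08x: %s %s call, OEN %u (%s), function 0x%04x%s",
                    id, f.fast ? "fast" : "yielding", f.conv64 ? "SMC64" : "SMC32",
                    f.oen, smccc_oen_name(f.oen), f.func,
                    f.valid ? "" : " [reserved bits set]");
}

int main(void)
{
    /* Sample IDs: PSCI CPU_ON (SMC32 and SMC64), SMCCC_VERSION, OP-TEE's
     * yielding OPTEE_SMC_CALL_WITH_ARG, and a constructed malformed fast call. */
    const uint32_t samples[] = { 0x84000003u, 0xC4000003u, 0x80000000u,
                                 0x32000004u, 0x84010003u };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        smccc_describe(samples[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

On a real device the value to classify is whatever the kernel loads into x0 before `smc #0`; the OEN tells you which EL3 handler receives it (for example the Standard Secure Service range carries PSCI power-management calls, while the Trusted OS range is forwarded by the EL3 dispatcher to the Trusted Kernel shown in the Secure World column).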
Huawei P20