BootStomp - 6 seeds and 1 sink reveals 12 Entry Points (Nvidia Tegra K1)
@Mich-C
BootStomp
A test on Nvidia Tegra K1 with 6 seeds and 1 sink reveals 12 Entry Points, performing 7 loops and returning 1 zero-day bug in under 25 minutes (see Table 2, eight attached images at the bottom, read the Redini PDF).
"The particular vulnerabilities found consisted mostly of memory corruption and privilege escalation bugs, including a part of NVIDIA's bootloader code that could end up becoming user-accessible under the right OS conditions, as one example. Essentially, most of the vulnerabilities would either unlock the bootloader, preventing it from enforcing key security policies, or hand over control of key processes to the user privilege level. Tests were inconclusive on MediaTek hardware due to the bootloader's unique structure, while an older Qualcomm bootloader fell victim to a known old bug, and the NVIDIA bootloader was only found to be vulnerable to the aforementioned privilege escalation bug."
"NVIDIA’s Tegra-based devices ship with a bootloader known as hboot. This bootloader is very similar to Qualcomm’s, in that it runs at EL1, and implements only the fastboot functionality at this stage. BOOTSTOMP also discovered a vulnerability in NVIDIA’s hboot. hboot operates at EL1, meaning that it has equivalent privilege on the hardware as the Linux kernel, although it exists earlier in the Chain of Trust, and therefore its compromise can lead to an attacker gaining persistence. We have reported the vulnerability to NVIDIA, and we are working with them on a fix. Our tool did not identify any path to non-volatile storage for the NVIDIA’s or MediaTek’s bootloaders. Upon manual investigation, we discovered that these two bootloaders both make use of memory-mapped I/O to write the value, which could map to anything from the flash to special tamper-resistant hardware. Thus, we cannot exclude the presence of vulnerabilities."
https://forum.xda-developers.com/showpost.php?p=74517016&postcount=63
---------- Post added at 11:38 PM ---------- Previous post was at 11:25 PM ----------
Hi all,
I got a Toshiba Excite Write AT10PE-A105. As far as I can see, the only differences from your LE are the screen, which has different (Corning) glass and a stylus, and the extended memory of 32GB. However, I am desperately looking for a newer ROM, since the latest Toshiba Android is 4.3, which is no longer supported by apps I would like to use.
Unfortunately I do not understand most of your discussion, but with your help I might be able to contribute information on my version of that hardware?
Peter
Thanks!
You must install the latest version of the Device Info HW app by Andrey Efremov (ANDR7E).
https://play.google.com/store/apps/details?id=ru.andr7e.deviceinfohw
Give us a screenshot of the partitions with names, please.
Thanks for finding Android ROMs that shouldn't be too hard to port to our device. But in our stock recovery there is no option to flash anything other than an "update", which must be digitally signed, otherwise it gets rejected (tried myself). So flashing even a patch to remove/modify Sealime functionality is impossible AFAIK. We need to get rid of Sealime for good some way or another, otherwise there is no point in porting ROMs that can't be flashed.
"Basically if sealime does NOT return null, the kernel proceeds." - if that is true, then finding a way to edit the part of memory that holds the return value of the Sealime loading function would allow us to proceed with Sealime turned off and do whatever we please. But we would probably need help, as I can't handle this alone.
The Android version of Kingo Root did not give me the ability to root my tablet.
Only the PC version allows me to root my tablet.
Today I uploaded the device information to the Device Info HW app (by Andrey Efremov) database.

The QV1030 kernel was published on the Gigaset web page.
Please, can someone give us a detailed tutorial on how to install a new ROM and root this tablet?
Has anyone here obtained root on this device using kingoroot?
Any good news? Or it's over now?
Tried various methods today; sadly none of them worked for mine... shame Toshiba locks it so damn hard!
@Mich-C is going to help us, but he does not own this device.
BootStomp is going to be tested on his Android devices. Then he will write a script that could auto-diagnose the bootloader vulnerabilities of any device. Thereafter, we can test his script on the Toshiba Excite Pro. This is a much needed first step to defeat Toshiba's Sealime protection (like a military reconnaissance mission). After gathering this information, the second step to fully defeat Toshiba's Sealime will be prepared.
NOTE - Mich-C is busy with a project for the Takee 1 at the moment. He will test BootStomp and DR.CHECKER (A Soundy Vulnerability Detection Tool for Linux Kernel Drivers) as soon as possible.
https://github.com/ucsb-seclab/dr_checker