Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

Retreading The AMLogic A113X TrustZone Exploit Process

I started writing this blog post with only a vague plan in mind, before I’d even acquired the device’s BL31 Trustzone image, so I wasn’t sure if I’d finish this post or not! By the end, however, we discover and exploit a slightly different (‘alternative’) vulnerability to the one Blasty did, and thus with a slightly different exploitation technique, cover the in-between steps and reasoning around the reverse engineering process, and build an emulator to help us craft, debug and test our exploit primitives with code coverage as we progress.

Whilst I’d read a lot of many great blog posts on Trustzone attacks in the past, reading and actually doing are different things. In the case of the AMLogic family of SoCs, TrustZone runs as the Secure Monitor in Exception Level 3 (EL3), which is the highest privilege level of the system and will allow us to dump the device’s efuses and bootrom. Retreading The AMLogic A113X TrustZone Exploit Process