mdaniel · a year ago
> Samsung added a custom JPEG parser in Little Kernel that is used to show logos and error messages while booting. The code responsible for loading the JPEG file will place it in a fixed-size structure on the heap. But it never checks the size of the file, causing a heap overflow.

Heh, file format parsers - the GIFt that just keeps on giving
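
The missing check the quoted article describes (a file copied into a fixed-size heap structure without comparing the file length against the structure's capacity) is easiest to see in a bounded loader. The code below is an added illustration, not Samsung's or Little Kernel's code; the structure layout, the `LOGO_MAX_BYTES` capacity and the function names are assumptions, and the inputs are constructed. The loader rejects anything longer than the buffer before the copy happens, so the length of the untrusted file can no longer decide how many bytes land on the heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical capacity of the fixed-size heap structure (constructed value). */
#define LOGO_MAX_BYTES 4096

/* Fixed-size structure on the heap that receives the raw file, as the quoted
 * article describes; the field names are assumptions for this example. */
struct logo_image {
    size_t  len;                      /* bytes actually stored */
    uint8_t data[LOGO_MAX_BYTES];     /* raw JPEG bytes */
};

/* Returns 0 on success, -1 on rejected input. On success *out points to a
 * heap-allocated logo_image the caller must free().
 *
 * The defensive point: the copy into img->data is bounded by the structure's
 * capacity, not by the untrusted file length. */
int load_logo(const uint8_t *file, size_t file_len, struct logo_image **out)
{
    *out = NULL;
    if (file == NULL || file_len < 2)
        return -1;                       /* too short to hold even a SOI marker */
    if (file_len > LOGO_MAX_BYTES)
        return -1;                       /* would overflow the fixed-size buffer */
    /* JPEG streams begin with the SOI marker 0xFF 0xD8. */
    if (file[0] != 0xFF || file[1] != 0xD8)
        return -1;

    struct logo_image *img = calloc(1, sizeof *img);
    if (img == NULL)
        return -1;
    memcpy(img->data, file, file_len);   /* safe: file_len <= LOGO_MAX_BYTES */
    img->len = file_len;
    *out = img;
    return 0;
}

/* Demonstration helper: build a constructed input of n bytes that starts with
 * the SOI marker, attempt to load it, and return load_logo's result. */
int try_load_of_size(size_t n)
{
    size_t alloc = n ? n : 1;
    uint8_t *buf = malloc(alloc);
    if (buf == NULL)
        return -1;
    memset(buf, 0x00, alloc);
    if (n >= 2) {
        buf[0] = 0xFF;
        buf[1] = 0xD8;
    }
    struct logo_image *img = NULL;
    int rc = load_logo(buf, n, &img);
    free(img);
    free(buf);
    return rc;
}

int main(void)
{
    printf("small valid file: %d\n", try_load_of_size(64));
    printf("file exactly at capacity: %d\n", try_load_of_size(LOGO_MAX_BYTES));
    printf("oversized file: %d\n", try_load_of_size(LOGO_MAX_BYTES + 1));
    printf("truncated file: %d\n", try_load_of_size(1));
    return 0;
}
```

The oversized and truncated inputs are refused before any allocation, which is the behaviour a reviewer would look for in a boot-time parser: the size comparison must happen against the destination's capacity, and it must happen before the copy.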

veeti · a year ago
And it's not even the first time Samsung does this:

https://googleprojectzero.blogspot.com/2020/07/mms-exploit-p...

daghamm · a year ago
Are Samsung's "contributions" to LK public? Has nobody reviewed those until now?

The early bootchain components are critical to the security of the device. I am extremely surprised Samsung let a complete noob add code to it.

ragu4u · a year ago
So I guess this is where widevine keys and whatnot are stored? Perhaps this is how the piracy scene gets 4k rips.

mdaniel · a year ago
Relevant: https://news.ycombinator.com/item?id=38923033 (Picking the Widevine Locks: Acquiring and Using an L3 CDM; Jan, 2024; 71 comments)

Crosseye_Jack · a year ago
L3 is the weaker security, not using the keys found in secure storage and limited to 720p (on most streaming platforms).

Crosseye_Jack · a year ago
Yeah, a ton of L1 keys/CDMs come from Android devices where their secure storage isn't as secure as planned. For example: here's a link to an L1 CDM from an ASUS PadFone - https://github.com/widevineleak/ASUS_T00N_E3B35AC8_5492_L1