Samsung Galaxy S4 secure boot bypassed

AT&T and Verizon in the US sell customized models of the Galaxy S4 that make use of the secure boot feature, which only allows kernels bearing the company’s digital signature to boot. To this end, the bootloader checks whether the system image that is to be booted carries a valid RSA-2048 signature. It is neither feasible to crack RSA with 2048-bit keys given the computing power available today, nor possible to craft a kernel whose hash matches a predetermined value.

Dan Rosenberg did not need to attack the crypto: while analyzing the reverse-engineered code, he found that it is possible to determine the memory address at which the bootloader will load the kernel for the signature check. According to Rosenberg, the memory address can be chosen in such a way that the bootloader’s check_sig() function, the function responsible for checking whether a valid signature is present, is overwritten before the loader actually calls it.

Using this memory manipulation, Rosenberg tidies up the memory a little, after which “everything is OK” is returned, allowing even an unsigned OS to boot.
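The defect described above is that the bootloader trusts a load address taken from the image it is about to verify, so the image can be placed on top of the bootloader's own code. The following is an added illustration, not code from Rosenberg's analysis or from Samsung's bootloader, of the range check a loader should perform before copying any bytes. The memory layout (the bootloader region, the load window), the header layout and all function names are assumptions constructed for the example; the real aboot addresses and structures are not on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for a hypothetical bootloader (not the real aboot map).
 * The bootloader's own code and data live inside the RAM window, which is
 * exactly why a caller-chosen load address can land on top of it. */
#define RAM_BASE  0x10000000u   /* window an image may be loaded into */
#define RAM_END   0x20000000u   /* exclusive */
#define BL_BASE   0x18000000u   /* bootloader code/data, must never be written */
#define BL_END    0x18100000u   /* exclusive */

/* Minimal stand-in for the two header fields that matter here. Both values
 * come from the image itself, so they are attacker-controlled input. */
struct boot_img_hdr {
    uint32_t kernel_size;
    uint32_t kernel_addr;
};

enum load_result {
    LOAD_OK = 0,
    LOAD_ERR_EMPTY,
    LOAD_ERR_OVERFLOW,
    LOAD_ERR_OUTSIDE_RAM,
    LOAD_ERR_OVERLAPS_BOOTLOADER
};

/* Validate the destination range [addr, addr + size) before any copy.
 * Wraparound is rejected first so that the range comparisons below are
 * meaningful; a 32-bit end that wraps past zero would otherwise look small. */
enum load_result validate_load_range(uint32_t addr, uint32_t size)
{
    if (size == 0)
        return LOAD_ERR_EMPTY;
    if (size > UINT32_MAX - addr)          /* addr + size would wrap */
        return LOAD_ERR_OVERFLOW;
    uint32_t end = addr + size;            /* exclusive end */

    /* The whole range must sit inside the permitted load window. */
    if (addr < RAM_BASE || end > RAM_END)
        return LOAD_ERR_OUTSIDE_RAM;

    /* Half-open interval overlap test against the bootloader's own region.
     * This is the check whose absence lets an image overwrite check_sig(). */
    if (addr < BL_END && end > BL_BASE)
        return LOAD_ERR_OVERLAPS_BOOTLOADER;

    return LOAD_OK;
}

/* Convenience wrapper taking the header as the loader would see it. */
enum load_result check_boot_image(const struct boot_img_hdr *hdr)
{
    return validate_load_range(hdr->kernel_addr, hdr->kernel_size);
}

static const char *describe(enum load_result r)
{
    switch (r) {
    case LOAD_OK:                       return "ok";
    case LOAD_ERR_EMPTY:                return "empty image";
    case LOAD_ERR_OVERFLOW:             return "address range wraps around";
    case LOAD_ERR_OUTSIDE_RAM:          return "outside load window";
    case LOAD_ERR_OVERLAPS_BOOTLOADER:  return "overlaps bootloader";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample headers: a benign one, one aimed at the bootloader
     * region, one straddling its start, and one that wraps the address. */
    struct boot_img_hdr samples[] = {
        { 0x00800000u, 0x10008000u },
        { 0x00001000u, 0x18000000u },
        { 0x00002000u, 0x17FFF000u },
        { 0x00002000u, 0xFFFFF000u },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("addr=0x%08x size=0x%08x -> %s\n", samples[i].kernel_addr,
               samples[i].kernel_size, describe(check_boot_image(&samples[i])));
    return 0;
}
```

A stronger design than validating the header's address is to ignore it entirely and load the kernel at an address the bootloader itself fixes, so that no field of unverified input influences where bytes are written; the range check above is the minimum a loader needs when the address must be honoured.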