http://security.samsungmobile.com/smrupdate.html
SVE-2016-7930: Multiple Buffer Overflow in Qualcomm Bootloader
Severity: Critical
Affected versions: Galaxy S5 with Qualcomm AP chipset
Reported on: December 20, 2016
Disclosure status: Privately disclosed.
A buffer overflow vulnerability exists in the Qualcomm bootloader.
The patch prevents the buffer overflow by removing the problematic source code.
On the Samsung security blog, one of the listed patches for the March update mentions a buffer overflow vulnerability in the bootloader. This is documented proof of a vulnerability that could potentially be used to unlock the bootloader for CID11 S5s. Now, it is possible for people to just dig around in the bootloader (if anyone with the expertise is interested), or, alternatively, it is possible that the person responsible for reporting the bug might release the information. The Samsung blog lists his name as Frédéric Basse, and his blog is here: http://www.fredericb.info/
Historically, he tends to publicly release information after the vulnerability has been patched.
EDIT:
Based on the timing of some commits to the Heimdall source code, it seems very likely that the exploit involves T-Flash mode (also available in ODIN), which permits flashing firmware to an SD card instead of the internal storage. This is corroborated by the fact that the Samsung blog mentions the removal of source code that leads to the exploit. I highly suspect the next released bootloader update will not have T-Flash included. It seems likely that the bootloader does a poor job of checking the size of data (or allocates memory poorly?) before it is loaded into a memory buffer before being written to the SD card. See below for the link to the commits made by Frédéric Basse.
https://github.com/Benjamin-Dobell/Heimdall/pull/389
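The post above speculates that the bug is a missing size check before host-supplied data is copied into a staging buffer. The following C program is an added illustration of that bug class and of the check that closes it; it is not code from Samsung, Qualcomm, Heimdall, or the reporter, and the chunk header layout, the 4 KiB staging buffer and the `stage_*`/`demo_*` function names are all constructed for the example. The unchecked variant is kept only for contrast and is never called; the hardened variant validates offset and length with arithmetic that cannot wrap, which is the check a reviewer would look for in any flashing path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical staging buffer a bootloader might fill before writing a block
 * to storage. The size is constructed for this example. */
#define STAGE_BUF_SIZE 4096

/* Constructed chunk header: where the chunk claims to land and how many
 * payload bytes follow the header. Not any real vendor's image format. */
struct chunk_hdr {
    uint32_t offset;
    uint32_t len;
};

static uint8_t stage[STAGE_BUF_SIZE];

/* The pattern the post speculates about: trusting the host-supplied offset and
 * length without comparing them to the buffer. Kept only for contrast. */
int stage_chunk_unchecked(const struct chunk_hdr *h, const uint8_t *payload)
{
    memcpy(stage + h->offset, payload, h->len);   /* no bounds check at all */
    return 0;
}

/* Hardened form: reject the chunk unless offset and length both fit. The room
 * remaining is computed as (size - offset) rather than (offset + len) so a
 * huge offset or length cannot wrap around in 32-bit arithmetic. */
int stage_chunk_checked(const struct chunk_hdr *h, const uint8_t *payload)
{
    if (h->offset > STAGE_BUF_SIZE)
        return -1;
    if (h->len > STAGE_BUF_SIZE - h->offset)
        return -1;
    memcpy(stage + h->offset, payload, h->len);
    return 0;
}

/* Parse a constructed image made of [header][payload] records and stage each
 * chunk. Returns the number of chunks staged, or -1 at the first bad chunk.
 * Also checks that each declared payload actually exists inside the image. */
int stage_image(const uint8_t *img, size_t img_len)
{
    size_t pos = 0;
    int staged = 0;
    while (pos < img_len) {
        struct chunk_hdr h;
        if (img_len - pos < sizeof h)           /* truncated header */
            return -1;
        memcpy(&h, img + pos, sizeof h);
        pos += sizeof h;
        if (h.len > img_len - pos)              /* payload longer than the image */
            return -1;
        if (stage_chunk_checked(&h, img + pos) != 0)
            return -1;
        pos += h.len;
        staged++;
    }
    return staged;
}

/* Helper to build constructed test images: header followed by `len` fill bytes. */
static size_t put_chunk(uint8_t *out, uint32_t offset, uint32_t len, uint8_t fill)
{
    struct chunk_hdr h = { offset, len };
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, fill, len);
    return sizeof h + len;
}

/* Two well-formed chunks, the second ending exactly at the buffer end. */
int demo_valid_image(void)
{
    uint8_t img[64];
    size_t n = 0;
    n += put_chunk(img + n, 0, 4, 'A');
    n += put_chunk(img + n, STAGE_BUF_SIZE - 4, 4, 'Z');
    return stage_image(img, n);                 /* 2 */
}

/* Chunk whose declared length runs 100 bytes past the staging buffer. */
int demo_overlong_chunk(void)
{
    uint8_t img[256];
    size_t n = put_chunk(img, STAGE_BUF_SIZE - 100, 200, 'X');
    return stage_image(img, n);                 /* -1 */
}

/* Offset chosen so that a naive uint32 (offset + len) would wrap to 7 and pass
 * a "<= size" test; the remaining-room check rejects it. */
int demo_wrapping_offset(void)
{
    uint8_t img[16];
    size_t n = put_chunk(img, 0xFFFFFFFFu, 8, 'X');
    return stage_image(img, n);                 /* -1 */
}

int main(void)
{
    printf("valid image:     %d\n", demo_valid_image());
    printf("overlong chunk:  %d\n", demo_overlong_chunk());
    printf("wrapping offset: %d\n", demo_wrapping_offset());
    return 0;
}
```

The point of the wrapping-offset case is that checking `offset + len <= size` is not enough when both values come from the host: the sum can overflow and look small. Checking `offset <= size` first and then `len <= size - offset` avoids that without needing wider integer types.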
Nice find! Would be a good thing if it could be used to gain an unlock for cid 11
Sent from my Nexus 6 using Tapatalk
klabit87 said:
Nice find! Would be a good thing if it could be used to gain an unlock for cid 11
Sent from my Nexus 6 using Tapatalk
I found some more information, this might even be enough to work with (for someone with far more expertise than I).
Let's do it! I plan on keeping this phone for a while. I would love to have my cid11 fully unlocked.
I'm not that experienced with this particular architecture but an old GS5 was given to me and I'm interested in assisting. Most of my experience with development is theoretical and PC. Perhaps we should make a discord on it for more efficient communication.
Deleted.
I have subscribed to this thread in hopes that someone will be able to figure this out. I don't have any expertise in this, but since I have that stupid locked bootloader, I'm extremely interested to see if someone can figure this out. I am willing to test, if you can come up with ways in which to test and try.
Will keep an eye on this.
I have been out of the loop since I got root on 6.0 w CID 11 through a race condition bug. The problem is persisting root and integrity after reboot.
With something like this maybe bootloader unlock will solve all the problems!
If bug hunter releases a report I will take a look.
Report has been released: https://www.sstic.org/media/SSTIC20...ticle-attacking_samsung_secure_boot-basse.pdf
AptLogic said:
Report has been released: https://www.sstic.org/media/SSTIC20...ticle-attacking_samsung_secure_boot-basse.pdf
So AptLogic, from what I understood by reading that mumbo jumbo, there is hope to unlock the bootloader by using TWRP, which will be installed on the SD card because there won't be any verification done; after that it is possible to dump the internal memory and reverse engineer the bootloader and whatever is needed to hopefully unlock the bootloader on CID11 devices? (I believe it was somewhat similar for CID15.)
Can swap_root -f edit on sd pivot_root or flash back? And does %s = root or "nice" command?
Sorry to bother you @GeTex , but do you think these would help with CID-11 and AT&T?
https://www.sstic.org/media/SSTIC20...ticle-attacking_samsung_secure_boot-basse.pdf
https://seclab.cs.ucsb.edu/media/uploads/papers/bootstomp.pdf
https://github.com/ucsb-seclab/BootStomp
Hi all, see link below
https://www.armis.com/blueborne/#devices
A new vulnerability has been identified in Android OS which allows a hacker to take control of a device through Bluetooth. The vulnerability has been patched in the Sep 9 security update from Google but it has not rolled out to the Z Play yet, so until then please avoid using Bluetooth wherever a third person can gain access to your device.
Below is the link to the app on the Google play store which can be used to check if your device is vulnerable (I have the unlocked Z Play on Aug 1 security patch, retin channel and it is vulnerable)
https://play.google.com/store/apps/details?id=com.armis.blueborne_detector
Vulnerability has been fixed in September security patch.
I just did a scan with the BlueBorne Vulnerability Scanner on all my devices, my s5 neo is vulnerable for the exploit (my s6 too).
I'm on stock 6.0.1 MMB29K.G903FXXU1BQC1, security patch level is July 1st 2017. Is there a way to patch the exploit myself via adb? I need Bluetooth for various headsets, so never using Bluetooth again is no option.
I do hope to get some kind of official security patch in the next ?? months, but as the s5 and s5 plus were already served with security patches I'm not sure, no love for the s5 neo I guess
Both Samsung and T-Mobile have been a complete waste of time trying to figure this out - hoping you guys can help.
I have a Galaxy S10+ on T-Mobile, SM-G975U.
I just got blocked from my work email with the error listed that I do not have the latest August Security Patch
I hit 'download and install' on the update screen a bunch of times, but each time it tells me:
'Your software is up to date - Security patch July 1, 2019' - See attached screenshot
Looking on T-Mobile's website, I see 2 pages documenting the latest updates pushed for August:
S10: https://support.t-mobile.com/docs/DOC-39499
S10+: https://support.t-mobile.com/docs/DOC-39465
Note, on those pages the baseband versions are as follows:
S10: G975USQS2ASGC
S10+: G975USQS1ASGC
Looking on my phone at current software version, it's showing the baseband version is "G975USQS1ASGC" - which is noted as the S10 baseband on T-Mobile's website.
My phone is also saying I have the July security patch installed (see attached screenshots)
Any ideas as to what the hell is going on?
According to Samsung they haven't actually pushed out the August security patch for the S10+ - http://doc.samsungmobile.com/SM-G975U/SPR/doc.html
T-Mobile's website apparently is inaccurate.
You are up to date. The release was in August for the July patch. Now there is going to be an August patch soon since there was an exploit found. That's maybe why your work email is refusing to work.
August patch should be out shortly. It is available to install from firmware.science to load via SD card, and they usually get it shortly before it's sent out by T-Mobile.
I had this problem back on the S8. It is fine, there are no problems, but if you want to fix it then you have to flash with Odin (you just lose all your data; KNOX IS NOT TRIPPED).
Just a friendly reminder that the March Security Patch Update is out n' about for the 5G Unlocked Model or SM-N986U1. I think this one was primarily a Security Patch Update but did notice the "2" ahead of the trailing last 4 characters in the build number = 2DUC1, indicating a revision to the bootloader. We all understand the significance of this change and what it brings. If you're running "stock" OEM firmware as I am, the bootloader update from a prior "1" to a "2" with the 2DUC1 March Update reminds us there's no more going "backwards" to prior builds or Odin your way back to Android 10... just say NO! lol
Stay covid-19 safe everybody!