This article was published on May 24, 2013

Security researcher bypasses Samsung Galaxy S4’s secure boot check on AT&T and Verizon phones


Security researcher bypasses Samsung Galaxy S4’s secure boot check on AT&T and Verizon phones

Azimuth security researcher Dan Rosenberg claims to have found a “design flaw” in Samsung’s secure boot system for the Galaxy S4. When exploited, the security hole allows the owner of the device to install another operating system other than the version of Android used by Samsung.

The S4, which has already passed 10 million channel sales one month after launch, comes in a variety of models, most of which include an unlocked bootloader. This means most S4 owners can flash custom kernels and make other modifications to the software on their own devices.

Unfortunately, the AT&T and Verizon versions ship with a locked bootloader, which Rosenberg has detailed and in which he has discovered a vulnerability that lets users bypass it. As a result, S4 users on the two largest carriers in the US could potentially run custom unsigned kernels and recovery images, just like their peers.

Samsung’s secure boot feature only allows kernels with the company’s RSA-2048 digital signature to boot the device. Since it is essentially impossible to crack RSA with 2048-bit keys, at least with the computing power available to most, Rosenberg had to sidestep the security in another fashion.

The security researcher says he reverse engineered Samsung’s code to figure out the memory address where the bootloader will load the kernel to carry out the signature check. He found the memory address can be chosen in such a way that the bootloader’s check_sig() function is overwritten before the loader actually calls it, thus bypassing the need to check whether a valid signature is present or not.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Rosenberg offers a tool to work around the bootloader’s security system. That being said, it’s not easy an easy process, so we recommend waiting a bit until other hackers build up simpler solutions on top of his work. The FAQ says as much:

This all seems complicated. What about a step-by-step guide?

These tools are primarily intended for developers, who will be able to use them and provide ordinary users with easy ways to flash custom ROMs. Be patient, I’m sure your favorite ROM developer will come up with something for you.

If you’re still interested, head to this thread over at XDA Developers. All the files you need are hosted on GitHub.

Top Image Credit: Greg Wood / Getty Images

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with