Overview
Syllabus
Intro
Bringing Security in System Design
What is Titan M?
Research Status and Goals
Specification
Memory Layout
Titan M Operating System
EC Tasks
Firmware Boot
Firmware Update
Firmware Rescue
Firmware Security Measures
Communication with Android
Static Analysis: Ghidra Loader
Dynamic Analysis: Sniffing Communication
Sniffing Communication: Command Parsing
Dynamic Analysis: Sending Commands
Dynamic Analysis: Sending Custom Commands
Hardware Reverse: Finding SPI
Hardware Reverse: Guessing Pinout
Hardware Reverse: Tracing SPI
Taking Control of SPI
First O-day: Out of Bounds Read
Second O-day: Downgrade Issue
Looking for a known Vulnerability
Post Exploitation
Fuzzing Titan M
Remarks
Conclusion
Taught by
Black Hat