Overview
Syllabus
Intro
The Goal
The modern mobile security architecture
The exploit chain
Disclaimer - Chipset determines the TEE
Huawei's Trustzone system architecture
Userland to Kernel
Bug #2 - A custom unmap implementation?
Exploitation - Redirecting the fops table
Kernel to Trustlet
Intro to the Secure World - Passing args to a Trustlet
Exploitation - Hijacking TEE_Malloc
Trusted Core Environment
Trusted Core - Finding Primitives
Disable Fingerprint Auth
Find trustlet responsible for recognizing Fingerprints
Follow the userland daemon
Finding and patching