h1. AcademicPapers

{{toc}}

h2. Forensics acquisition - Analysis and circumvention of Samsung secure boot enforced common criteria mode

Link: https://www.sciencedirect.com/science/article/pii/S1742287618300409
File name: 1-s2.0-S1742287618300409-main.pdf
License: CC BY-NC-ND

h3. Description:

While this paper directly applies to the Galaxy S6 (SM-G920F) and the Galaxy S7 Edge (SM-G935F), which use an Exynos System On a Chip, some of its findings seem to be directly applicable to the devices supported by Replicant.

The most interesting part is the analysis of some of the bootloader environment variables:
* It analyzes some variables that are accessible through the UART. We already have "documentation explaining how to access such variables":https://redmine.replicant.us/projects/replicant/wiki/MidasBootloader#Changing-the-kernel-commandline-arguments but many variables aren't documented in the Replicant documentation.
* It also analyzes some variables present in the adv-env.img file inside the PARAM tarball filesystem. That information has already been used in the #2094 bug.

h2. Security Analysis of Android Factory Resets

Link: https://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf
Related bug reports: #2096

h2. A walk with Shannon. Walkthrough of a pwn2own baseband exploit.

Presentation pdf: https://downloads.immunityinc.com/infiltrate2018-slidepacks/amat-cama-a-walk-with-shannon/presentation.pdf
Presentation video: https://www.youtube.com/watch?v=6bpxrfB9ioo
Target device: unclear, maybe a Galaxy S6 or Galaxy S8

h3. Description

The device used has shared memory between the SOC running Android and the modem.

There are some interesting points in that presentation:
* Getting code execution in the modem is easy and there is no protection (everything runs with full privileges, no exploit mitigations).
* There is a SYSDUMP menu in the stock distribution that is available when dialing *#9900#. That menu can get modem logs, memory dumps, etc.
* The bootloader is actually involved in getting the modem memory dump.
* On that device the modem image is encrypted (in contrast, it's probably not encrypted on devices like the Galaxy SIII).
* The demo uses the same technique described by the [[SamsungGalaxyBackdoor]].
* The presentation also has a lot of information on the setup needed to do the research: which SDR and cellular telephony stacks could be used. In turn this could be useful if we want to do our own research, for instance to see what happens when the modem is in airplane mode, and so on.