Deleted-471350
Guest
A few months ago, after the TSEC SMMU bypass possibility was revealed, I started working on it as a fun CTF exercise. Two days later I got it working and could not believe how easy and simple it was to extract the 6.2.0 TSEC root key.
This time I'm trying to see if TSEC can be cracked for any firmware, by going after the TSEC code authentication and csecrets.
I've already made strides, and managed to:
- Dump all csecrets with ACL mask 0x13
- Gain access to many privileged instructions in Heavy Secure (HS) mode, such as csigenc, etc.
- Discover that there is some kind of ROM inside TSEC that performs authentication entry and is potentially vulnerable
- Discover some flaws and oddities that are useful in a chain of attack but that I don't wish to divulge here in public
But I'm starting to feel like it would be more beneficial to have some collaboration going and to bounce ideas around.
So that's the reason I'm posting here: to gauge whether anyone else is interested in working toward the same goal and to get some collaboration going, maybe on Discord or something similar.
This might not be the right forum to do so, so if not, let me know where the right place would be.
Thanks!