Secure boot is the process that ensures the critical parts of the software running on a device (e.g. the kernel) are authorized and have not been tampered with. Many wireless service providers prefer to ship a locked-down version of their smartphones that can only boot the official kernel and does not allow loading customized systems developed by users. This results in an arms race between the smartphone vendors and the users who need to load customized kernels.
This talk presents this arms race as 3 rounds of hacks and patches: the bugs we discovered, the patches Samsung released in response, and how we bypassed those patches again. For each round, we will present the bugs we found in the Samsung bootloader, the exploitation used to load a customized kernel, the patch from Samsung, and how new exploitations bypass the patched bootloader. All the examples are based on different versions of bootloaders from Samsung devices (from the Note II to the Galaxy S4). We are currently working on extending our exploitations to more mobile devices.