This series of blog posts aims to describe and explain the internals of a recent addition to Samsung's system-on-chips, namely their Neural Processing Unit. The first part digs into the internals of the NPU and the second one focuses on the exploitation of some vulnerabilities we found in the implementation. If you're interested in reversing a minimal OS, want to understand how Android interacts with peripherals and do exploitation like it's the early 2000's, this series might be for you.
The purpose of this blog post is to provide a comprehensive reference of the inner workings of the Samsung RKP. It enables anyone to start poking at this obscure code that is executing at a high privilege level on their device. In addition, a now-fixed vulnerability that allowed getting code execution in Samsung RKP is revealed. It is a good example of a simple mistake that compromises platform security, as the exploit consists of a single call, which is all it takes to make hypervisor memory writable from the kernel.
Copyright © Impalabs 2021-2022