init

Author: 0xricksanchez

.config

@@ -0,0 +1,2 @@
+expl.bin
+tags

.gitignore

@@ -0,0 +1,39 @@
+FROM ubuntu:20.04
+LABEL org.opencontainers.image.authors="[email protected]"
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TERM="xterm"
+ENV FORCE_UNSAFE_CONFIGURE=1 
+
+
+RUN apt-get update && \
+    apt-get -y install neovim make cmake build-essential git wget cpio python3 unzip file rsync bc libncurses-dev python-is-python3
+
+COPY .config /in/.config
+COPY Makefile.patch /in/Makefile.patch
+
+# Install buildroot
+WORKDIR /build
+RUN git clone git://git.buildroot.net/buildroot && \
+    cd buildroot && \
+    git checkout 2018.08.x && \
+    cp /in/.config .config && \ 
+    make toolchain
+
+ENV PATH=$PATH:/build/buildroot/output/host/usr/bin
+
+COPY make.sh /in/make.sh
+# Fetch Caraboot-ipq
+WORKDIR /build
+RUN git clone https://github.com/8devices/Caraboot-ipq.git && \
+    cd Caraboot-ipq && \
+    git checkout 8dev/jalapeno && \
+    cp /in/make.sh make.sh && \
+    chmod +x make.sh && \
+    patch -p1 < /in/Makefile.patch
+
+WORKDIR /build/Caraboot-ipq
+
+# Entrypoint
+CMD ["/bin/bash"]
+

Dockerfile

@@ -0,0 +1,24 @@
+diff --git a/examples/standalone/Makefile b/examples/standalone/Makefile
+index baaa2fbe4d..1b1ac155ad 100644
+--- a/examples/standalone/Makefile
++++ b/examples/standalone/Makefile
+@@ -63,7 +63,9 @@ LIBCOBJS = stubs.o
+ LIBOBJS	= $(addprefix $(obj),$(LIBAOBJS) $(LIBCOBJS))
+ 
+ SRCS	:= $(COBJS:.o=.c) $(LIBCOBJS:.o=.c) $(LIBAOBJS:.o=.S)
+-OBJS	:= $(addprefix $(obj),$(COBJS))
++
++CACHE_OBJS :=  /build/Caraboot-ipq/arch/arm/cpu/armv7/cache_v7.o
++OBJS	:= $(addprefix $(obj),$(COBJS)) $(CACHE_OBJS)
+ ELF	:= $(addprefix $(obj),$(ELF))
+ BIN	:= $(addprefix $(obj),$(BIN))
+ SREC	:= $(addprefix $(obj),$(SREC))
+@@ -97,7 +99,7 @@ $(LIB):	$(obj).depend $(LIBOBJS)
+ $(ELF):
+ $(obj)%:	$(obj)%.o $(LIB)
+ 		$(LD) $(LDFLAGS) -g -Ttext $(CONFIG_STANDALONE_LOAD_ADDR) \
+-			-o $@ -e $(SYM_PREFIX)$(notdir $(<:.o=)) $< $(LIB) \
++			-o $@ -e $(SYM_PREFIX)$(notdir $(<:.o=)) $< $(LIB) $(CACHE_OBJS) \
+ 			-L$(gcclibdir) -lgcc
+ 
+ $(SREC):

Makefile.patch

@@ -0,0 +1,48 @@
+# QSEE Exploit PoC
+
+## Overview
+
+This repository contains a Proof of Concept (PoC) that demonstrates an exploit of the Qualcomm Secure Execution Environment (QSEE) in ARM TrustZone. The exploit allows for arbitrary code execution with TrustZone privileges on supported devices. The PoC was developed on a LinkSys AC2200 router. However the general idea of this exploit seems to be working on any Qualcomm IPQ40XX chipsets.
+
+**Disclaimer**: This research is based on public knowledge and is implemented for educational purposes to understand QSEE/TrustZone vulnerabilities. The original research was conducted by [raelize](https://raelize.com/blog/qualcomm-ipq40xx-an-unexpected-cup-of-tee/), which I highly recommend checking out.
+
+## Features
+
+- Exploitation of QSEE vulnerabilities
+- Demonstration of arbitrary code execution from TrustZone
+- SVC (Supervisor Call) enumeration
+- Visualization of secure memory ranges
+
+## Prerequisites
+
+- Docker
+
+## Building the Exploit
+
+The exploit code is located in `hello-world.c` and is compiled as a standalone executable using the [Caraboot](https://github.com/8devices/Caraboot-ipq) stack.
+The exploit should be compilable with any other stack that allows building an ARMv7 32-bit little-endian standalone applications and links against U-Boot.
+
+```sh
+docker build -t ipq40xx_expl . -f Dockerfile
+./run.sh
+```
+
+_Note_: The `./run.sh` mounts the host directory `/srv/tftp/` to `/out` inside the container. If you do not have that directory modify the script, because that host location is used to store the compiled exploit.
+
+## Showcase
+
+- SVC enum:
+
+![svc_enum](./imgs/strat0.png)
+
+- Secure ranges visualization:
+
+![srange_vis](./imgs/strat1.png)
+
+- Code execution PoC:
+
+![code_exec](./imgs/strat2.png)
+
+## Disclaimer
+
+This project is for educational and research purposes only. The authors are not responsible for any misuse or damage caused by this software. Always obtain proper authorization before testing on any systems you do not own or have explicit permission to test.