With two vulnerabilities,any installed application is able to execute arbitrary code in TEE of Huawei Mate7 . This source code is a PoC which may read fingerprint image from sensor(FPC1020) on Mate 7.
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-432799.htm
- CVE-2015-4421
- CVE-2015-4422
see whitepaper in ./doc
ndk-build NDK_DEBUG=1
Make sure the version of firmware is Mate7-TL10,V100R001CHNC00B123SP03
Unlock your screen,put your finger on touch pad of sensor,and execute p1ng.
The exploit may take a few minutes and print out hex strings of your fingerprint data.
- ./p1ng
Exploit Linux kernel,TEE_GlobalTask and RTOSck(kernel of TEE). Then call __FPC_readImage to read fingerprint image.
- ./p1ng physical_addr
dump physical memory from /dev/mem, for debugging only
- ./p1ng 0 kernel_addr
execute TEE shell code at kernel_addr, for debugging only.
kernel_addr is the address of TEE shellcode.
You can use this option to read fingerprint instantly (otherwise you must wait a few minutes) if you have ran exploit once after the mobile startup.
kernel_addr will be printed out via kmsg at the fist time executing the exploit.
- ./p1ng 0 0 0
read TEE error log from 0x3FE01400(physical addr), for debugging only
- Huawei Ascend Mate 7 : Mate7-TL10,V100R001CHNC00B123SP03 or earlier
- TEEOS: TrustedCore Release Version 1.26. Sep 17 2014.13:57:39 or earlier