Researcher bypasses Galaxy S4's security boot check
A security researcher has bypassed the secure boot check of the Galaxy S4, Samsung's hot-selling flagship phone, potentially allowing users to install apps or another operating system on the device.
Security researcher Dan Rosenberg pulled off the feat on Galaxy S4 devices from Verizon and AT&T, which had locked bootloaders, tech site The Next Web reported.
"(Rosenberg) says he reverse-engineered Samsung’s code to figure out the memory address where the bootloader will load the kernel to carry out the signature check. He found the memory address can be chosen in such a way that the bootloader’s ... function is overwritten before the loader actually calls it, thus bypassing the need to check whether a valid signature is present or not," it said.
It said Rosenberg claimed to have found a “design flaw” in the S4's secure boot system.
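The flaw described above depends on the image choosing a load address that lets the copy land on the bootloader's own code before the signature check is called. As an added example (not Samsung's or Rosenberg's code), this is the kind of range check a bootloader can run before copying anything; the memory map, the `img_hdr` struct and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed memory map for illustration; not the Galaxy S4's real layout. */
#define RAM_BASE  0x80000000u
#define RAM_SIZE  0x10000000u
#define BL_BASE   0x88F00000u   /* hypothetical start of bootloader code/data */
#define BL_SIZE   0x00100000u   /* hypothetical size of that region */

/* Hypothetical image header: both fields come from the untrusted image. */
struct img_hdr {
    uint32_t load_addr;
    uint32_t size;
};

/* True when [a, a+alen) and [b, b+blen) intersect. Operands are 64-bit so
 * the sums cannot wrap around the 32-bit address space. */
static bool ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Must be called BEFORE the image is copied to load_addr. Accepts the
 * request only if the destination is non-empty, lies fully inside RAM,
 * and does not touch the bootloader (which holds the verification code). */
bool load_range_ok(const struct img_hdr *h)
{
    uint64_t start = h->load_addr;
    uint64_t end   = start + h->size;   /* 64-bit sum: no wraparound */

    if (h->size == 0)
        return false;
    if (start < RAM_BASE || end > (uint64_t)RAM_BASE + RAM_SIZE)
        return false;
    if (ranges_overlap(start, h->size, BL_BASE, BL_SIZE))
        return false;
    return true;
}
```

The check only helps if it runs before the copy and the signature is verified before control is transferred to the loaded image.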
However, The Next Web also noted most models of the S4 include an unlocked bootloader, meaning most S4 owners can "flash custom kernels and make other modifications to the software on their own devices."
As a result of the bypass, S4 users on the two largest carriers in the US could potentially run custom unsigned kernels and recovery images, just like their peers.
Samsung’s secure boot feature only allows kernels with the company’s RSA-2048 digital signature to boot the device. Since it is essentially impossible to crack RSA with 2048-bit keys, at least with the computing power available to most, Rosenberg had to sidestep the security in another fashion.
The Next Web said Rosenberg has offered a tool to exploit the supposed design flaw, but added the process may be complicated.
It added these tools are "primarily intended for developers, who will be able to use them and provide ordinary users with easy ways to flash custom ROMs." — TJD, GMA News