3 vulnerabilities found in the firmware of MediaTek DSP chips

A few days ago, Checkpoint researchers published the news that they had identified three vulnerabilities (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) in the firmware of MediaTek DSP chips, as well as a vulnerability in the MediaTek Audio HAL audio processing layer (CVE-2021-0673). If the vulnerabilities are successfully exploited, an attacker can arrange to eavesdrop on the user from an unprivileged application on the Android platform.

In 2021, MediaTek accounts for roughly 37% of shipments of specialized chips for smartphones and SoCs (according to other data, in the second quarter of 2021 MediaTek's share among manufacturers of DSP chips for smartphones was 43%).

Among other things, MediaTek DSP chips are used in flagship smartphones from Xiaomi, Oppo, Realme and Vivo. MediaTek chips, based on the Tensilica Xtensa microprocessor, are used in smartphones to perform tasks such as audio, image and video processing, computation for augmented reality systems, computer vision and machine learning, and to implement fast charging.

Reverse engineering of the firmware for MediaTek DSP chips, which is based on the FreeRTOS platform, revealed several ways to run code on the firmware side and gain control over DSP operations by sending specially crafted requests from unprivileged applications on the Android platform.

Practical examples of the attack were demonstrated on a Xiaomi Redmi Note 9 5G equipped with the MediaTek MT6853 SoC (Dimensity 800U). It is noted that OEMs have already received fixes for the vulnerabilities in MediaTek's October firmware update.

The goal of our research is to find a way to attack the Android Audio DSP. First, we need to understand how Android running on the application processor (AP) communicates with the audio processor. Obviously, there must be a controller that waits for requests from Android user space and then, using some kind of inter-processor communication (IPC), forwards these requests to the DSP for processing.

We used a rooted Xiaomi Redmi Note 9 5G smartphone based on the MT6853 (Dimensity 800U) chipset as the test device. The operating system is MIUI Global 12.5.2.0 (Android 11 RP1A.200720.011).

Since only a few media-related drivers are present on the device, it was not difficult to find the driver responsible for communication between the AP and the DSP.

Among the attacks that can be carried out by executing code at the firmware level of the DSP chip:

  • Bypassing the access control system and privilege escalation: covertly capturing data such as photos, videos, call recordings, microphone data, GPS, and so on.
  • Denial of service and malicious actions: blocking access to information, disabling overheat protection during fast charging.
  • Hiding malicious activity: creating completely invisible and unremovable malicious components that run at the firmware level.
  • Attaching tags to spy on the user, such as adding subtle markers to a photo or video and then linking the published data to the user.

Details of the vulnerability in the MediaTek Audio HAL have not yet been disclosed, but the other three vulnerabilities in the DSP firmware are caused by incorrect bounds checking when processing IPI (Inter-Processor Interrupt) messages sent by the audio_ipi audio driver to the DSP.

These problems allow a controlled buffer overflow in the handlers provided by the firmware: the size of the transmitted data is taken from a field inside the IPI packet, without verifying it against the size actually allocated in shared memory.
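The pattern described above, as an added illustration that is not part of the original article and not MediaTek's code: a constructed model of an AP-to-DSP message handler in C, with the structure names, sizes and the "protection flag" all hypothetical. The unchecked handler copies as many bytes as the packet's own length field announces, so a message that claims more than the 64 bytes the DSP reserved overwrites whatever firmware state follows the buffer; the hardened handler compares the announced length with both the allocation and the shared-memory window and rejects the message otherwise.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the AP -> DSP message path. Layout, names and sizes
 * are hypothetical and are NOT MediaTek's audio_ipi structures; they only
 * reproduce the pattern in the advisory: a length field inside the packet
 * is trusted without comparing it to the space the DSP actually allocated. */

#define SHM_SIZE       128u  /* shared-memory window the AP side fills */
#define PARAM_BUF_SIZE  64u  /* bytes the DSP reserves for one message */
#define DSP_RAM_SIZE   128u  /* flat model of the DSP's working memory */
#define FLAG_OFFSET    PARAM_BUF_SIZE /* firmware state right after the buffer */

enum ipi_result { IPI_OK = 0, IPI_ERR_LEN = -1 };

/* Header the AP writes at the start of the shared-memory window. */
typedef struct {
    uint16_t msg_id;
    uint16_t payload_len;  /* caller-supplied; the unchecked handler trusts it */
} ipi_hdr_t;

/* DSP memory model: the parameter buffer sits at offset 0 and a 32-bit
 * firmware flag (think "thermal protection enabled") sits right after it. */
typedef struct { uint8_t ram[DSP_RAM_SIZE]; } dsp_state_t;

typedef int (*ipi_handler_fn)(dsp_state_t *, const uint8_t *);

static uint32_t read_flag(const dsp_state_t *d)
{
    uint32_t f;
    memcpy(&f, d->ram + FLAG_OFFSET, sizeof f);
    return f;
}

static void write_flag(dsp_state_t *d, uint32_t f)
{
    memcpy(d->ram + FLAG_OFFSET, &f, sizeof f);
}

/* Vulnerable pattern: copies payload_len bytes into the 64-byte parameter
 * buffer using only the size announced by the packet itself. */
int handle_ipi_unchecked(dsp_state_t *dsp, const uint8_t *shm)
{
    ipi_hdr_t hdr;
    memcpy(&hdr, shm, sizeof hdr);
    memcpy(dsp->ram, shm + sizeof hdr, hdr.payload_len);  /* no bound check */
    return IPI_OK;
}

/* Hardened pattern: the announced length must fit both the DSP-side
 * allocation and the shared-memory window it is read from. */
int handle_ipi_checked(dsp_state_t *dsp, const uint8_t *shm)
{
    ipi_hdr_t hdr;
    memcpy(&hdr, shm, sizeof hdr);
    if ((size_t)hdr.payload_len > PARAM_BUF_SIZE ||
        (size_t)hdr.payload_len > SHM_SIZE - sizeof hdr) {
        return IPI_ERR_LEN;  /* reject the message instead of overrunning */
    }
    memcpy(dsp->ram, shm + sizeof hdr, hdr.payload_len);
    return IPI_OK;
}

/* Run one handler on a constructed message whose header claims payload_len
 * bytes (all 0x41). Returns the handler's result code and stores the flag
 * value observed afterwards in *flag_after. Lengths are capped so the model
 * itself never leaves its own arrays. */
int simulate(ipi_handler_fn handler, uint16_t payload_len, uint32_t *flag_after)
{
    dsp_state_t dsp;
    uint8_t shm[SHM_SIZE];
    ipi_hdr_t hdr = { .msg_id = 0x0101, .payload_len = payload_len };
    int rc;

    if ((size_t)payload_len > SHM_SIZE - sizeof hdr)
        return IPI_ERR_LEN;

    memset(&dsp, 0, sizeof dsp);
    write_flag(&dsp, 1);                         /* protection is on */
    memset(shm, 0, sizeof shm);
    memcpy(shm, &hdr, sizeof hdr);
    memset(shm + sizeof hdr, 0x41, payload_len); /* constructed payload */

    rc = handler(&dsp, shm);
    *flag_after = read_flag(&dsp);
    return rc;
}

/* Wrappers so each observable result is a plain return value. */
int rc_for(ipi_handler_fn h, uint16_t len) { uint32_t f; return simulate(h, len, &f); }
uint32_t flag_for(ipi_handler_fn h, uint16_t len) { uint32_t f; simulate(h, len, &f); return f; }

int main(void)
{
    printf("unchecked len=100: rc=%d flag=0x%08x\n",
           rc_for(handle_ipi_unchecked, 100), flag_for(handle_ipi_unchecked, 100));
    printf("checked   len=100: rc=%d flag=0x%08x\n",
           rc_for(handle_ipi_checked, 100), flag_for(handle_ipi_checked, 100));
    printf("checked   len=64:  rc=%d flag=0x%08x\n",
           rc_for(handle_ipi_checked, 64), flag_for(handle_ipi_checked, 64));
    return 0;
}
```

With a 100-byte claim the unchecked handler reports success while the flag that followed the buffer now reads 0x41414141; the checked handler refuses the same message and leaves the flag at 1, and still accepts a message that fits the 64-byte allocation. The same check belongs on every size field that crosses the AP/DSP boundary, since the shared-memory allocation, not the packet, is the only trustworthy bound.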

To reach the driver during testing, direct ioctl calls or the /vendor/lib/hw/audio.primary.mt6853.so library are used, neither of which is accessible to ordinary Android applications. However, the researchers found a workaround for sending commands based on the use of debugging options that are available to third-party applications.

These parameters can be changed by calling the Android AudioManager service to attack the MediaTek Aurisys HAL libraries (libfvaudio.so), which provide calls for interacting with the DSP. To block this workaround, MediaTek removed the ability to use the PARAM_FILE command through AudioManager.

Finally, if you are interested in learning more about it, you can check the details at the following link.
