Vamwe vekare mazuva Checkpoint vaongorori vakaburitswa nhau dzekuti vaona kusakwana kutatu (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) mune firmware yeMediaTek DSP chips, pamwe nekusagadzikana muodhiyo yekugadzirisa layer yeMediaTek Audio HAL (CVE-2021-0673). Muchiitiko chekubudirira kwekushandiswa kwekusagadzikana, anorwisa anogona kuronga kuterera kwemushandisi kubva kune isiri-yakasarudzika application yeAroid platform.
Uye 2021, MediaTek inokwana 37% yekutakura machipisi akakosha e smartphones uye SoCs (Maererano nedzimwe dhata, muchikamu chechipiri cha2021, mugove weMediaTek pakati pevagadziri veDSP machipisi emafoni aive makumi mana nematatu%).
Pakati pezvimwe zvinhu, MediaTek DSP machipi Iwo anoshandiswa mune mureza mafoni eXiaomi, Oppo, Realme uye Vivo. MediaTek machipisi, akavakirwa paTensilica Xtensa microprocessor, anoshandiswa muma smartphones kuita mashandiro akadai seruzha, mufananidzo uye vhidhiyo kugadzirisa, mukombuta yeaugmented reality system, kuona komputa uye kudzidza muchina, pamwe nekushandisa kuchaja.
Reverse Engineering Firmware yeDSP Chips kubva kuMediaTek yakavakirwa paFreeRTOS papuratifomu yakaratidza nzira dzakasiyana dzekumhanyisa kodhi padivi re firmware uye kuwana kutonga pamusoro peDSP mashandiro nekutumira zvikumbiro zvakashongedzwa kubva kune zvisiri-zvakasarudzika zvikumbiro zvepuratifomu yeAroid.
Mienzaniso inoshanda yekurwiswa yakaratidzwa paXiaomi Redmi Note 9 5G ine MediaTek MT6853 SoC (Dimensity 800U). Izvo zvinocherechedzwa kuti maOEM akatowana zvigadziriso zvekusagadzikana muMediaTek's Gumiguru firmware update.
Chinangwa chekutsvagisa kwedu ndechekutsvaga nzira yekurwisa iyo Android odhiyo DSP. Chekutanga, isu tinofanirwa kunzwisisa kuti Android inoshanda sei pane application processor (AP) inotaurirana sei neodhiyo processor. Zviripachena, panofanira kunge paine mutongi anomirira zvikumbiro kubva kuAndroid mushandisi nzvimbo uyezve kushandisa imwe mhando yeinterprocessor kutaurirana (IPC) inoendesa izvi zvikumbiro kuDSP kuti igadziriswe.
Isu takashandisa yakadzika midzi Xiaomi Redmi Note 9 5G smartphone yakavakirwa paMT6853 (Dimensity 800U) chipset sechinhu chekuyedza. The operating system is MIUI Global 12.5.2.0 (Android 11 RP1A.200720.011).
Sezvo kuchingove nevatyairi vashoma vane hukama nemedia vakaiswa pachigadzirwa, hazvina kunetsa kuwana mutyairi ane chekuita nekutaurirana pakati peAP neDSP.
Pakati pekurwiswa kunogona kuitwa nekuita kodhi yayo padanho reiyo firmware yeDSP chip:
- Svika yekudzora sisitimu yekupfuura uye ropafadzo yekuwedzera: kusingaonekwe kutorwa kwedata senge mafoto, mavhidhiyo, kufona zvakarekodhwa, data kubva maikorofoni, GPS, nezvimwe.
- Kuramba sevhisi uye zviito zvakashata: vhara kuwana ruzivo, dzima kudzivirira kwekupisa panguva yekuchaja nekukurumidza.
- Viga Zviitiko Zvakaipa - Gadzira zvisingaonekwe uye zvisingadzimiki zvinhu zvakashata zvinomhanya padanho re firmware.
- Batanidza ma tag kuti usore mushandisi, sekuwedzera ma tag asina kujeka pamufananidzo kana vhidhiyo uye wobatanidza iyo data yakatumirwa kumushandisi.
Tsanangudzo yekusagadzikana muMediaTek Audio HAL haisati yaburitswa, asi lsemamwe matatu kusasimba muDSP firmware zvinokonzerwa necheki isiriyo yemupendero paunenge uchigadzira mameseji ePI (Inter-Processor Interrupt) inotumirwa nemutyairi weaudio_ipi kuDSP.
Matambudziko aya anoita kuti zvikwanisike kukonzera bhafa inodzorwa ichifashukira muvabati vanopihwa neiyo firmware, umo ruzivo nezve saizi ye data yakatumirwa yakatorwa kubva kumunda mukati meIPI packet, pasina kuonesa saizi chaiyo yakagoverwa mundangariro yakagovaniswa. .
Kuti tiwane mutongi panguva yekuedza, tinoshandisa zvakananga ioctls mafoni kana iyo /vendor/lib/hw/audio.primary.mt6853.so raibhurari, iyo isingasvikike kune yakajairwa Android apps. Zvisinei, vatsvakurudzi vakawana mhinduro yekutumira mirairo maererano nekushandiswa kwekugadzirisa maitiro anowanikwa kune wechitatu-party application.
Iwo akatarwa maparamita anogona kuchinjwa nekufonera iyo Android AudioManager sevhisi kurwisa maraibhurari eMediaTek Aurisys HAL (libfvaudio.so), ayo anopa mafoni ekudyidzana neDSP. Kuvhara mhinduro iyi, MediaTek yakabvisa kugona kushandisa iyo PARAM_FILE kuraira kuburikidza neAudioManager.
Finalmente kana iwe uchifarira kuziva zvakawanda nezvazvo, unogona kutarisa ruzivo Mune inotevera chinongedzo.