Android Hardware Reverse Engineering

Mapping Exynos S-Boot Attack Surface: Dissecting early Bootloader & TrustZone EL2 Interactions

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Unseen Guardians of Security

In the intricate world of mobile device security, the bootloader is the first line of defense, a critical component responsible for establishing a chain of trust before the operating system even begins to load. For Samsung devices powered by Exynos SoCs, this secure boot process is primarily orchestrated by what’s commonly referred to as S-Boot. This article delves deep into the architecture of Exynos S-Boot, focusing on its early stages (BL1, BL2) and their critical interactions with TrustZone’s Exception Level 2 (EL2) – the hypervisor layer – to map potential attack surfaces for hardware reverse engineers.

Understanding the Exynos Boot Chain

The boot process on modern ARM-based systems, especially Exynos, is a multi-stage affair designed to ensure the integrity and authenticity of each subsequent stage. This chain of trust starts from the immutable Boot ROM (internal mask ROM) and progresses through several bootloader stages before handing over to the operating system.

The Exynos Secure Boot Stages:

  • Boot ROM (iROM): The first code executed after reset. It verifies and loads BL1. Immutable, serves as the Root of Trust.
  • BL1 (First Stage Bootloader): Loaded by iROM, often responsible for initializing basic hardware, setting up memory, and loading BL2. This is typically where TrustZone is initialized, and the system transitions to a secure state.
  • BL2 (Second Stage Bootloader): Loaded by BL1, more complex. It’s responsible for loading the next stage, typically the Trusted OS (like TEE/TrustZone OS) and the main OS bootloader (U-Boot or similar).
  • BL3x: Subsequent stages, including Trusted OS components (BL31/EL3 monitor, BL32/Trusted OS) and the Non-Secure OS bootloader (BL33).

S-Boot typically encompasses BL1 and BL2, which are crucial for establishing the initial secure environment and verifying critical components before the main OS boots. Vulnerabilities in these stages can lead to complete device compromise, secure boot bypass, or privilege escalation.

Dissecting S-Boot (BL1 & BL2) Architecture

BL1 is minimalistic, primarily focused on memory setup and transitioning the CPU to higher privilege levels (e.g., AArch64, EL3). It’s also responsible for initializing the TrustZone environment, configuring security attributes for memory regions, and preparing for the secure world. A key task is securely loading BL2.

BL2, being larger, handles more complex tasks such as:

  • Initializing more peripherals.
  • Setting up the memory management unit (MMU) for both secure and non-secure worlds.
  • Verifying cryptographic signatures of subsequent boot images (e.g., TEE, kernel).
  • Loading and executing the TrustZone OS and the Non-Secure OS loader.

TrustZone and EL2 Interaction

ARM TrustZone technology partitions the SoC into a Secure World and a Non-Secure World. This separation is enforced by hardware, allowing sensitive operations and data to reside in the Secure World, isolated from the potentially compromised Non-Secure World. Exception Levels (EL) define the privilege state of the CPU, with EL3 being the highest (Secure Monitor), EL2 for hypervisors, and EL1/EL0 for OS/applications.

In the Exynos boot process, after BL1 initializes TrustZone, the system often transitions to EL2. The EL2 monitor (hypervisor) acts as an intermediary, managing resources and mediating communication between EL1 (operating system) and EL3 (secure monitor/Trusted OS). A compromise at EL2 can effectively subvert the isolation guarantees of TrustZone, impacting both secure and non-secure execution. BL1 might configure EL2 before handing control to BL2, which then further refines EL2’s role for loading the full OS.

Reverse Engineering Methodology for S-Boot

The journey to uncover vulnerabilities in S-Boot begins with firmware extraction and static analysis.

1. Firmware Extraction:

Samsung firmware packages (often in ODIN format) contain the bootloader components. Tools like 

binwalk

can be used to extract these. For example, a typical command might look like:

binwalk --signature sboot.bin

Or, for a full firmware package:dd if=firmware.tar.md5 of=sboot.bin bs=1 skip=[offset] count=[size]

Offsets and sizes can be found by analyzing the firmware header or using tools like `heimdall print-pit` if you have a device in download mode.

2. Static Analysis with Disassemblers:

Once extracted, the BL1 and BL2 images (which are raw ARM AArch64 binaries) can be loaded into disassemblers like IDA Pro or Ghidra. Key steps include:

  • Identify Entry Points: Look for reset vectors or known load addresses (often documented in datasheets or derived from prior RE).
  • Memory Mapping: Reconstruct the memory map based on hardware initialization routines. This is crucial for correctly interpreting memory accesses.
  • Function Identification: Use signature matching, cross-references, and manual analysis to identify critical functions such as:
    • Cryptographic routines (RSA, SHA, AES) for signature verification.
    • Peripheral initialization (UART, GPIO, watchdog timers).
    • Secure monitor calls (SMC instructions).
    • Memory management unit (MMU) setup.

Here’s a simplified pseudocode example of a signature verification routine you might encounter in BL2:

int verify_image_signature(uint8_t *image_data, size_t image_size, uint8_t *signature) {    // 1. Hash the image data    uint8_t hash[32]; // SHA256    sha256_calculate(image_data, image_size, hash);    // 2. Decrypt the provided signature with a public key    uint8_t decrypted_hash[32];    rsa_decrypt_signature(signature, decrypted_hash, public_key);    // 3. Compare the calculated hash with the decrypted hash    if (memcmp(hash, decrypted_hash, sizeof(hash)) == 0) {        return 0; // Success    } else {        return -1; // Failure    }}

Key Attack Surfaces in S-Boot & EL2 Interactions

Identifying vulnerabilities requires understanding where the bootloader processes untrusted input or makes critical security decisions.

1. Secure Boot Bypass:

Flaws in the cryptographic verification process are paramount. This could involve:

  • Weak Cryptography: Use of outdated or broken algorithms.
  • Implementation Bugs: Incorrect padding checks, length calculation errors, side-channel vulnerabilities during cryptographic operations.
  • Public Key Management: Ability to replace or bypass the public key used for verification.

2. TrustZone EL2 Vulnerabilities:

The EL2 monitor is a rich target. Issues here can compromise the entire TrustZone isolation:

  • Privilege Escalation: An attacker in EL1 (OS) exploiting a bug to execute code in EL2.
  • Hypervisor Exit Handlers: Vulnerabilities in handling exceptions or system calls from EL1, allowing malicious EL1 code to trick EL2.
  • Memory Management: Incorrect configuration of EL2’s MMU, leading to information leakage or write access to secure memory regions.
  • SMC Handling: Flaws in handling Secure Monitor Calls (SMCs) from EL1, potentially allowing unauthorized access to secure services or manipulation of secure world state.

A simplified ARM64 assembly snippet showing an SMC call and potential EL2 entry:

; In Non-Secure EL1 (OS)SVC_CALL_ID .req #0x12345678  ; Example SVC Call IDMOV X0, SVC_CALL_IDLDR X1, [INPUT_PARAM_ADDR]SMC #0          ; Trigger an SMC exception, trapping to EL3/EL2; In Secure EL2 (Hypervisor/Monitor)handle_smc:    ; Check current EL    MRS X10, CurrentEL    CMP X10, #0x8 ; Check if from EL1 (0x8000000X for EL1)    B.NE invalid_el_origin    ; Read parameters from X0-X7    CMP X0, SVC_CALL_ID    B.EQ handle_specific_svc    ; ... more handler logic

3. Memory Corruption Vulnerabilities:

Common in C/C++ code, even in early bootloaders:

  • Buffer Overflows: Unchecked `memcpy`, `strcpy`, `read` operations when parsing configuration data, boot arguments, or network data (if supported).
  • Integer Overflows/Underflows: Leading to incorrect buffer sizes or memory allocations, creating exploitable conditions.
  • Use-After-Free/Double-Free: Although less common in minimalist bootloaders, complex BL2 components might have dynamic memory management.

4. Peripheral Attacks:

If not properly secured or disabled, physical access to debug interfaces like JTAG or UART can provide a direct attack vector. While S-Boot typically locks down these interfaces early, flaws in the lockdown mechanism could be exploited.

Conclusion

The Exynos S-Boot, comprising BL1 and BL2, forms the bedrock of security for Samsung devices. Its intricate dance with TrustZone’s EL2 monitor dictates the overall system integrity. Reverse engineering these early boot stages requires a deep understanding of ARM architecture, secure boot principles, and meticulous static analysis. Mapping the attack surface involves scrutinizing cryptographic verification, hypervisor interactions, memory handling, and peripheral configurations. Identifying and patching vulnerabilities at this fundamental level is paramount, as a single exploit can unravel the entire chain of trust, leaving the device open to complete compromise.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Bootloader #Exynos #Hardware Reverse Engineering #S-Boot #TrustZone

Related Technical Guides

Circumventing Anti-Rollback: Advanced Fastboot Protocol Exploits for Downgrading Android Firmware

May 30, 2026

Troubleshooting UART Console Access: Fixing No Output & Garbled Text on Android Devices

May 30, 2026

RE Case Study: Uncovering Crypto Vulnerabilities in Android’s Secure Element (SE) with Side-Channel Tools

May 29, 2026