HexHive/beanpod_fiasco
Beanpod TEE Pwn

The following is a basic exploit for the keyinstall TA, which maps the secure monitor's memory into the TA's address space. Tested on the Xiaomi Redmi Note 11S 5G, firmware V816.0.4.0.TGLEUXM.

This work was presented at CCC 2025 under the title "Not To Be Trusted - A Fiasco in Android TEEs".

Howto

  1. Root a Redmi Note 11S 5G running firmware version V816.0.4.0.TGLEUXM using Magisk.
  2. Upload the `keyinstall` folder to `/data/adb/modules` and reboot.
  3. Verify that the TA has been rolled back: `md5sum /vendor/thh/ta/08110000000000000000000000000000.ta` should print `d10747208958e96a2b1bacd2ccfacc57 /vendor/thh/ta/08110000000000000000000000000000.ta`.
  4. Run the PoC: `ANDROID_NDK=$(path to ndk) DEVICE_ID=$(adb device-id) make opal`
  5. Check the kernel log to see whether the exploit worked: `dmesg | grep TZ_LOG`
