The LEAs defined the targets that the partners worked on. The targets were classified according to several criteria, such as the non-availability of a forensic solution, the novelty of the device model, the number of such smartphones on the market, the type of protection technology used in the device, etc. The LEAs classified and prioritized the devices on which EXFILES research focused; these are devices for which legal investigation was impossible for the LEAs.
By developing complementary SW tools for HW attacks, WP3 worked on the global approach of EXFILES, which covers all forensic aspects of decrypting the HD of a suspect's smartphone. The LEA targets were analysed, and the LEAs' inputs were exploited in the attack scenarios.
Mobile TEEs and common mobile security mechanisms, including ARM TrustZone, remote attestation, and secure and trusted boot, were investigated.
Deep research was carried out on the state of the art of all the techniques and tools involved in the reverse engineering of mobile phones, including the main fields or categories that play a role in forensic reverse engineering.
Tooling supporting two versions of the QSEE was developed; it enables reverse engineering and identifies core functionalities and attack surfaces.
In vulnerability discovery and exploit development, solutions were provided for 5 real-world LEA targets. These solutions have been used in a high number of cases by LEAs, resulting in the complete success of the task and of the overall WP.
EXFILES worked on applying the different steps of hardware reverse engineering for deprocessing and imaging the smartphone targets: SoCs and SEs. Recent smartphone chips are based on a very small technological node. A public report was produced describing the state of the art in terms of the methodologies used for deprocessing and imaging the chips.
The ROM of one target has been extracted during the first period. The second period was used to further develop the deprocessing techniques.
The fuse banks of two chips from two target phones have been located, and specific deprocessing methodologies to expose the fuses have been developed. Custom methods based on AI techniques have been established to extract their logical states. The obtained information has been used to derive the encryption keys from one target phone. In addition, a procedure to modify single fuses has been studied and successfully demonstrated.
WP4 also dealt with ROM extraction from SoCs. During the first period, several methods were evaluated to reach the bit-encoding layer of these devices with aggressive nodes. A first dump was obtained, and through further development of the techniques a total of three SoCs could be dumped before the end of the second period.
All the results obtained improved the LEAs' capabilities regarding encryption.