halal-beef/houston-pub

houston

Exploit for Exynos devices to gain ACE in BootROM context.

Caution

The code for this exploit was previously stolen and used in an AI vibecoded tool made by Creeeeger. Be extremely careful when using his stuff; it might be broken and could cause harm to your device.

How does this even work

An unchecked length parameter in the USB control request handling code allows iRAM to be dumped, modified and sent back to the device, which allows code execution.
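To illustrate the bug class the README names, the following is an added, constructed toy model of a USB control-request handler. It is not houston's code and not the Exynos BootROM's code; the RAM layout, buffer sizes, function names and request values are all assumptions. It shows the unchecked handlers beside hardened ones: the OUT handler must compare the host-controlled wLength against the real buffer capacity before copying, and the IN handler must reply with at most min(wLength, object length), as the USB specification requires, so that neither direction can reach memory beyond the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model: a pretend on-chip RAM with a control-transfer
 * buffer in the middle and data after it that must not leak or be clobbered.
 * All sizes and offsets are illustrative assumptions, not real BootROM values. */
#define RAM_SIZE   256
#define BUF_OFF    64    /* where the control-transfer buffer lives in RAM */
#define BUF_LEN    32    /* the buffer's real capacity */

/* A USB SETUP packet (USB 2.0 spec, section 9.3); wLength is host-controlled. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

enum { USB_OK = 0, USB_STALL = -1 };

uint8_t ram[RAM_SIZE];

/* Fill RAM with a known pattern (byte i holds the value i) so that any
 * write outside the buffer can be detected afterwards. */
void ram_init(void) {
    for (int i = 0; i < RAM_SIZE; i++)
        ram[i] = (uint8_t)i;
}

/* Count bytes outside the buffer that no longer hold the init pattern. */
int bytes_clobbered_outside_buffer(void) {
    int count = 0;
    for (int i = 0; i < RAM_SIZE; i++) {
        if (i >= BUF_OFF && i < BUF_OFF + BUF_LEN)
            continue;
        if (ram[i] != (uint8_t)i)
            count++;
    }
    return count;
}

/* VULNERABLE (OUT transfer): copies wLength bytes from the host into the
 * fixed-size buffer without comparing wLength against BUF_LEN, so a request
 * with wLength > BUF_LEN overwrites whatever follows the buffer. */
int out_request_unchecked(const struct usb_setup *s, const uint8_t *data) {
    memcpy(&ram[BUF_OFF], data, s->wLength);
    return USB_OK;
}

/* HARDENED (OUT transfer): reject any request whose wLength exceeds the
 * buffer capacity; the stack then STALLs the control endpoint. */
int out_request_checked(const struct usb_setup *s, const uint8_t *data) {
    if (s->wLength > BUF_LEN)
        return USB_STALL;
    memcpy(&ram[BUF_OFF], data, s->wLength);
    return USB_OK;
}

/* VULNERABLE (IN transfer): replies with wLength bytes starting at the
 * buffer, so a large wLength returns bytes past it (a memory dump). */
size_t in_request_unchecked(const struct usb_setup *s, uint8_t *out, size_t out_cap) {
    size_t n = s->wLength;
    if (n > out_cap)            /* only the caller's cap, not the buffer's */
        n = out_cap;
    memcpy(out, &ram[BUF_OFF], n);
    return n;
}

/* HARDENED (IN transfer): per USB 2.0 section 9.4, the device sends
 * min(wLength, actual object length), so the reply never leaves the buffer. */
size_t in_request_checked(const struct usb_setup *s, uint8_t *out, size_t out_cap) {
    size_t n = s->wLength;
    if (n > BUF_LEN)
        n = BUF_LEN;
    if (n > out_cap)
        n = out_cap;
    memcpy(out, &ram[BUF_OFF], n);
    return n;
}

int main(void) {
    uint8_t payload[64];                     /* constructed host data, 64 > BUF_LEN */
    memset(payload, 0xAA, sizeof payload);
    struct usb_setup s = { 0x21, 0x09, 0, 0, sizeof payload };

    ram_init();
    out_request_unchecked(&s, payload);
    printf("unchecked OUT: %d bytes clobbered beyond the buffer\n",
           bytes_clobbered_outside_buffer());

    ram_init();
    int rc = out_request_checked(&s, payload);
    printf("checked OUT: rc=%d, %d bytes clobbered\n", rc,
           bytes_clobbered_outside_buffer());

    uint8_t reply[128];
    struct usb_setup r = { 0xA1, 0x06, 0, 0, sizeof reply };
    ram_init();
    printf("unchecked IN returns %zu bytes, checked IN returns %zu bytes\n",
           in_request_unchecked(&r, reply, sizeof reply),
           in_request_checked(&r, reply, sizeof reply));
    return 0;
}
```

The two checks are the whole fix: bound the copy length by the buffer's capacity on OUT, and bound the reply length by the object's real size on IN. The toy keeps the overflow inside `ram` so the demonstration itself stays defined; a real unchecked handler would write or read past whatever the buffer sits next to.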

Known vulnerable SoCs

Caution

An SoC being vulnerable does not mean payloads and support are available for it.

  • Exynos9810
  • Exynos9820
  • Exynos9830
  • Exynos8825
  • Exynos9925

There probably are many more.

Notice for non-Exynos990 users

There is another tool, made by a great friend, VDavid003, which supports more platforms.

Usage

usage: houston.py [-h] -p PAYLOAD [-d] [-o OUTPUT] [-c]

Exploit for Exynos devices to gain ACE in BootROM context.

options:
  -h, --help            show this help message and exit
  -p, --payload PAYLOAD
                        Path to the payload to launch
  -d, --debug           Debug Mode
  -o, --output OUTPUT   Path to where to save payload output to
  -c, --console-output  Show output to console

Credits

Thanks to these teams and people, we have houston!

  • Chimera Tool: First discovery of the exploit circa 2021-2022. They provide the most advanced Exynos servicing capabilities on the market to a broad range of devices, and that is thanks to this specific exploit, among many others.
  • CVE-2024-56426: This is the CVE houston is based on, as far as we know.
  • Christopher Wade: Reported CVE-2024-56426 to Samsung.
  • kethily-daniel: Gave me access to the tool for USB packet tracing to extract samples.
  • BotchedRPR: Helped with the initial research and the creation of carte2.
  • VDavid003: Helped me reverse engineer the PoC via the packet dumps and personally tested on his devices.
  • halal-beef: Initial USB packet dumps and analysis of the PoC during the research lifecycle.
  • R0rt1z2: Huge help, even in payload creation; some stuff was based on his project, kaeru.
  • AntiEngineer: Huge help, gave knowledge and hints about ARM and is all around a great friend.
  • AA: Vulnerability inspiration, first use outside of Chimera. Someone I knew who conducted research on this exploit.

About

We had a problem - and now, publicly, a solution :)
