TBA

More talks to come. Reviewed by a peer-review board of practising researchers. Click any talk for details — share the link with a colleague.











The Google Pixel 10 features the new Tensor G5 SoC, which uses the PowerVR GPU instead of the Mali GPU. However, the PowerVR GPU is far from new. Numerous bugs have been discovered in PowerVR driver over the past few years[1][2]. Is it possible to find exploitable vulnerabilities and root the Pixel 10 within a limited timeframe? I decided to find out.
In this talk, I will first provide an overview of the PowerVR GPU. I will then walk through my methodology for identifying logic bugs under tight time constraints. Next, I will detail the black-box approach for uncovering a limited write primitive. Finally, I will detail how to turn the limited write primitive into arbitrary read/write access to kernel physical memory.
During the presentation, I will give an exploit demonstration of rooting a Google Pixel 10 device. In summary, the exploitation ideas presented in this talk have not been covered in previous public presentations.
[1] https://blackhat.com/us-22/briefings/schedule/index.html#android-universal-root-exploiting-mobile-gpu--command-queue-drivers-27239
[2] https://project-zero.issues.chromium.org/issues?q=status:(open%20%7C%20closed%20%7C%20fixed)%20powervr

Yong Wang(@ThomasKing2014) is a Senior Security Researcher. He was a speaker at several security conferences including Black Hat(Asia, Europe, USA), HITB Amsterdam, Zer0Con, POC, CanSecWest, MOSEC and QPSS. Over the years, he has reported several vulnerabilities, and one of them was nominated for Pwnie Award 2019.