For this research, we investigated the security behind the "device binding" encryption on Android, on a Mediatek phone where a trusted execution environment (TEE) is used for security.

The talk is about how we reversed the Mediatek bootchain and the third party TEE (Trustonic's Kinibi, used on most Mediatek phones), but also Mediatek proprietary USB flashing protocol. This allowed us to establish exactly what the TEE uses as cryptographic root and what it does with it. This means that, from this root, we can cryptographically derive everything that needs a device binding in the TEE: flash decryption keys (metadata & FBE keys), PIN encryption mechanism and the Android Keystore.

We still need to get this root, and we found out the following vulnerability: we can just ask the phone for all the data required to derive the cryptographic root with the Mediatek flashing protocol via USB, without any authentication. This impacts most Mediatek phones with a TEE.

Now, we also need an initial read of the (encrypted) flash for getting the data, which we can always do the hard way by opening the phone and reading the flash with special tooling, or for some models we can find "download agents" (DAs) which are Mediatek flash software addons that can readback the flash (which is supposedly harmless since it is encrypted).

Since we found a DA for our research phone, we were able to develop a PoC that, with only a USB access and a few minutes, is able to compute the cryptographic root, decrypt the flash, bruteforce the user PIN and access all the data of the phone.