Companion repository for the Reversing and Exploiting Samsung's Neural Processing Unit article on Longterm Security's blog.
This repository is organised as follows:
- binaries/
  - npu_sXX_binary.bin - NPU binaries found in the firmwares of the Samsung Galaxy S20 (G980FXXS5CTL5) and S10 (G970FXXS9DTK9).
  - npu_sXX_dump.bin - Dumps of the NPU firmwares from running phones. These are the binaries we used in the blogpost to reverse engineer the NPU.
- exploit/ - PoCs to get code execution in the NPU and trigger the stack buffer overflow in the Android kernel.
- patches/ - Kernel patch to re-enable memory dumps of the NPU from the kernel. The Samsung kernel version we used as a base is G980FXXU5CTL1.
- reverse/ - Files containing our reverse-engineered understanding of the NPU. They detail:
  - the initialization of the NPU;
  - components such as the heap, events, semaphores, timers, etc.;
  - tasks and the scheduling algorithm;
  - the implementation of the mailbox used to communicate between the NPU and the kernel.
- tools/
  - npu_sram_dumper - Tool to dump the NPU from a running phone.
  - npu_firmware_extractor - Tool to extract the NPU firmware from a boot image.
- Reversing and Exploiting Samsung's Neural Processing Unit (Part 1)
  - Longterm Security: https://www.longterm.io/samsung_npu.html
  - Impalabs (mirror): https://blog.impalabs.com/2103_reversing-samsung-npu.html
- Reversing and Exploiting Samsung's Neural Processing Unit (Part 2)