Hello twitter, we're back with the blogging :) In the first post on our brand new research page, Gyorgy Miru (Gym) explains how he has exploited a heap overflow in the Samsung NPU Driver on Galaxy S10 and S20 labs.taszk.io/articles/post/…

New Advisory: CVE-2021-22429 Huawei Buffer Overflow in BootROM USB Stack labs.taszk.io/blog/post/boot…

Achievement unlocked: write a Linux kernel exploitation post in which a bootrom exploit is the throwaway sidebar. After his recent entry on exploiting Samsung's NPU, this follow-up from Gyorgy Miru (Gym) targets Huawei's own NPU driver instead to exploit a P40 Pro labs.taszk.io/articles/post/…

Patching bootroms? It’s a thing! In a follow-up to our Black Hat USA talk, szabolor investigates how Huawei’s OTA update addressed our bootrom vulnerabilities labs.taszk.io/articles/post/…

New Advisory: Use-After-Free in the Android ION Allocator - with commentary by Gyorgy Miru (Gym) on why we are publishing a 0-day (hint: Google's own advertised disclosure policy goals) labs.taszk.io/blog/post/61_a…

For anyone who missed our talk at Black Hat the recording is available now: youtube.com/watch?v=e9gZEH…

Finally, my personal IT security blog is up and running! (Don't expect too much tho, no super original content yet🙂) My fist post is about a tool I found that makes shellcode generation incredibly easy for CTF challenges... latsa99.github.io/posts/shellcra…

I just published my second blog post, which is about my journey through learning Linux kernel exploitation! If you want to start pwning kernel, check it out 😁 #Kernel #Pwn latsa99.github.io/posts/kernel/

Video and slides for “UnZiploc”: labs.taszk.io/articles/post/… In our new OTA exploitation research on Huawei phones we explored remote interfaces to get RCE and escalate to TrustZone using logic bugs only.

Log4Harmony: we've heard that vulns in Android log device drivers are cool, so here are some UAF, race condition, and KASLR leak bugs in Huawei's hwlog from Gyorgy Miru (Gym), reachable from untrusted and isolated app: labs.taszk.io/blog/post/78_h… labs.taszk.io/blog/post/77_h… labs.taszk.io/blog/post/79_h…

FaultyUSB: exploiting a TOCTOU race condition bug in recovery to get root on Huawei devices by emulating a malicious USB flash drive labs.taszk.io/articles/post/…

Can't get enough of Barbenheimer? Get your Basebanheimer fix at Hardwear.io | Samsung and Mediatek baseband over-the-air to Android vulnerability chains: previewing our upcoming talk and training | labs.taszk.io/articles/post/…

MrBeast is a respectable youtuber after all

h0mbre

MOBILE NETWORK ATTACKS: EXPLOITING BASEBANDS AND APPLICATION PROCESSORS by Daniel Komaromy and Laszlo Szapula offensivecon.org/trainings/2024…

Looks like Samsung Mobile Security selected me as the #1 researcher for their 2023 Rewards Program Hall of Fame. Appreciate that, thank you! security.samsungmobile.com/hallOfFameInfo…

Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos labs.taszk.io/articles/post/…

𝐃𝐨𝐧'𝐭 𝐁𝐞𝐥𝐢𝐞𝐯𝐞 𝐓𝐡𝐞 𝐇𝐲𝐩𝐞(𝐫𝐯𝐢𝐬𝐨𝐫) Daniel Komaromy & Laszlo Szapula went beyond the manual reverse engineering, built an emulator for the Huawei Hypervisor layer in their Kirin chipsets to expose a vulnerability. Only at Off-By-One Conference 2025! offbyone.sg/conference/dan…

Had fun giving our talk at Troopers. You can still catch Laszlo Szapula and erix7 with the encore presentation at Le Hack this Saturday! Advisories on the blog to follow.

Advisory release for our talk “Eastern Promises: Mobile VRP Lessons for Bug Hunters”, including Huawei Hypervisor and Unisoc TrustZone LPE exploits + 16 Mediatek Baseband IMS vulnerabilities labs.taszk.io/articles/post/…