Is it possible to inject code into RAM using physical access? For example, desolder the RAM chips, solder something between the original RAM chip and the phone motherboard, and use that to directly access the RAM chip's contents and inject code into the kernel or some privileged processes physically. Maybe it could work like a proxy and intercept the kernel's RAM content when the phone boots up, and add a shell into the kernel memory area. Is this technically possible? In theory the content in RAM is not encrypted, which is why cold boot attacks are possible, and RAM chips can be accessed and altered directly using physical access. If we can inject and run a root shell on phones, we can root phones in a way that cannot be patched by a software upgrade, and this will also not break Google SafetyNet or similar things.
- Most likely this is possible. It sounds like a research project. The kind of thing a team of 3 people could spend 6 months on, then write a scientific paper about, if someone else hasn't already done that. – user253751 Apr 20 '22 at 10:44
- You might find it useful to research how modchips work for game consoles, as the idea is similar. – user253751 Apr 20 '22 at 10:48
- It may be possible, but as even low-consumption phone processors can have an internal memory cache, it would be more robust to desolder the processor and plug in a hardware emulator. That is the way we used to develop and debug small integrated circuit cards in the previous century... – Serge Ballesta Apr 20 '22 at 12:04
- A hardware emulator will upset SafetyNet, since the trusted execution environment is exactly designed to prevent someone from using an emulator to trick software into running outside the secure enclave. – userdatagram Apr 21 '22 at 00:39