Bypassing screen lock and decrypting physical dumps of Huawei devices based on Android OS v. 9 and 10.

Huawei is one of the three largest mobile device manufacturers. Huawei’s global smartphone market share was 3.3% in 2012 and as of 2019 has risen to 19%, which is quite impressive.

Huawei devices are based on processors from various manufacturers, including MediaTek and Qualcomm. However, the most popular and flagship models are based on the Huawei-developed processor family named Kirin. Kirin processors are developed by HiSilicon, which is an internal subsidiary of Huawei.

Huawei is the exclusive customer and consumer of Kirin processors. There are several processor lines, and the 900 series is considered to be the most powerful one. Every fourth quarter, during its annual event, Huawei announces the next generation of the 900 series chipset and a new flagship phone model based on it. The newest SoC is the Kirin 990, and the Huawei Mate 30 Pro is the phone based on it. Last year’s flagship phone models, the Huawei P30/P30 Pro/Mate 20 Pro, are based on the Kirin 980 chipset. Simpler models, such as those from the Lite and Nova lines, as well as many smartphones under the Honor brand, are based on 800, 700 and 600 series chipsets.

Huawei takes the security of its phones seriously. Using its own processors, a customized OS, and its own UI shell allows Huawei to implement its own tamper-resistant solutions. One of them is the HKIP (Huawei Kernel Integrity Protection) mechanism, which works at the hypervisor level. It protects the integrity of the kernel at the hardware level at all times, which helps resist many exploits used on popular Android-based smartphones from other manufacturers.

At the same time, Huawei is one of the first to use the security mechanisms offered by new versions of Android OS. Starting in 2016, most Kirin smartphones have been using file-based encryption (FBE) (in the 900 series, starting with the 960), while many Android devices from other manufacturers still use the less secure full-disk encryption (FDE). FBE poses additional difficulties for device decryption. For instance, to successfully decrypt the device data, the screen lock password that is used to protect the encryption keys must be known.

However, there is another side to Huawei’s own security solutions: they happen to house certain vulnerabilities. These vulnerabilities can allow for a full physical dump and, in some cases, the ability to decrypt it. Some instances are currently supported by some of our competitors. One competitor claims to support Huawei devices based on 659, 960, 970 and 980 processors with Android OS 8 and 9. Furthermore, this same company conducts a partial extraction of the file system, which is possible even if the screen lock password is not known. Basically, the unencrypted files that are available even before the password is entered are extracted (a physical dump contains encrypted files that do not need a password to be accessed, which are extracted within the BFU (Before First Unlock) extraction, as well as initially unencrypted data). Also, it should be noted that password brute force and support for the models based on the 990 processor are not included in their solution either. This decryption requires the customer to contact their custom advanced service to send them the phone for extraction.

At Oxygen Forensics, we have developed our very own solution to the problem. Instead of logically extracting files one by one after applying our novel approach, we extract and decrypt the entire physical dump. It is worth noting that it is impossible to fully decrypt the physical dump without knowing the lock screen password. Therefore, together with the physical dump, we extract metadata that allows us to perform an offline brute force with the assistance of external computing power. In addition, the brute-force module built into our solution allows our users to recover and find a password within our solution. Currently we support data extraction and decryption from Huawei smartphones based on 710, 710f, 970 and 980 processors, such as the Huawei P30 Lite, Honor 9X, Huawei Y9s, Honor 10, Huawei P20 Pro, Huawei P30, Huawei Mate 20 Pro, and others. In total, more than 50 models are supported in our first release. The list of supported processors is expected to grow with future releases.
