Taiwan’s MediaTek has been the global smartphone chip leader since Q3 2020. MediaTek SoCs are embedded in approximately 37% of all smartphones and IoT devices in the world, including high-end phones from Xiaomi, Oppo, Realme, Vivo and more.
Modern MediaTek SoCs, including the latest Dimensity series, contain a dedicated audio DSP to improve media performance and reduce CPU usage. In this study, we reverse-engineered the MediaTek audio DSP firmware and the proprietary Android API that is responsible for communication with the audio processor. We discovered several vulnerabilities in the DSP RTOS and the Android HAL that are reachable from Android user space. The issues we found could lead to local privilege escalation (LPE) from an Android application.
The MediaTek audio DSP is built on a customized Tensilica Xtensa microprocessor architecture. The Tensilica platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimize particular algorithms and to make them harder to copy. This makes the MediaTek DSP a unique and challenging target for security research.
Slava Makkaveev is a Security Researcher at Check Point Research. He holds a PhD in Computer Science. Slava entered the security field more than ten years ago and has since gained vast experience in reverse engineering and vulnerability research. Recently, Slava has taken a particularly strong interest in mobile platforms and firmware security. Slava has spoken at DEF CON 25/26/28/29, CanSecWest, REcon, HITB and other conferences.