This page lists resources that I’ve found helpful in the past.
-  Working with Ghidra’s P-Code to Identify Vulnerable Function Calls
- Describes working with Ghidra’s IL called P-Code.
-  Software Reverse Engineering with Ghidra
- A video series that walks through reverse engineering C++ binaries in Ghidra.
-  Reverse Engineering Samsung S6 SBOOT
- A series by Quarkslab that describes how to reverse engineer Samsung’s SBOOT bootloader.
-  Reverse Engineering Android’s Aboot
- Describes how to reverse engineer bootloaders on the Nexus 5, Galaxy S5, and Fire HDX.
-  Rooting via Unlocked Bootloader
-  Android Rooting: An Arms Race between Evasion and Detection
- The history of Android rooting tools, how they work, and how apps are detecting them.
-  A Samsung RKP Compendium
- Pretty much lifts Samsung’s hypervisor (called uh) to C and walks through it. It also describes a patched vulnerability that gave EL2 read/write.
-  Defeating Samsung KNOX with Zero Privilege
- Describes bypassing Samsung’s KNOX mitigations using CVE-2016-6787.
-  Exploiting a Single Instruction Race Condition in Binder
- Describes how the authors exploited a race condition in Binder (CVE-2020-0423) to achieve LPE.
-  Android Kernel Exploitation (Free Workshop)
- A free workshop that walks readers through exploiting CVE-2019-2215, a.k.a. Bad Binder, on an Android VM.
-  Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
- Describes a method for computing a kernel stack leak’s offset. Introduces a primitive to spray pointers onto the kernel stack using a small BPF program. Describes how to leak pointers with very small leaks (e.g. 4 byte leaks on 64-bit kernels).