Hardwear.io USA

EL3vated Privileges: Glitching Google Wifi Pro From Root to EL3



Cristofaro Mune of Raelize demonstrates how electromagnetic fault injection enables escalation from root access to EL3 control on a modern Qualcomm-based router.

Modern consumer networking devices rely on layered hardware and software defenses to isolate trusted execution environments from the operating system. Research into the Google Wifi Pro router, built on Qualcomm's IPQ5018 system-on-chip, demonstrates how these assumptions break down when software exploitation is combined with electromagnetic fault injection. By chaining a bootloader weakness with carefully timed faults, it becomes possible to escalate from persistent root access to Secure Monitor control. Manipulating hardware memory protection units enables direct modification of secure memory from non-secure userspace, collapsing trust boundaries that normally separate execution levels.

In this session, led by Cristofaro Mune, co-founder and security researcher at Raelize, you will learn:

  • Chaining bootloader exploitation with electromagnetic fault injection;
  • Achieving Secure Monitor memory access from non-secure userspace;
  • Weaknesses in hardware-enforced memory protection configurations.
 

Here is the course outline:

EL3vated Privileges: Glitching Google Wifi Pro From Root to EL3

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
