Some of the most critical and proprietary pieces of software on modern phones are the cellular baseband firmware images running on a dedicated baseband processor. Beyond a few standout talks, blogs, and academic papers, little information exists about how basebands work and how to take them apart. To shed light on this dark corner of mobile telephony, we spent many months reverse engineering Samsung's "Shannon" baseband and developed an emulator as the basis for a dynamic analysis platform for it.
This talk provides in-depth insight into our findings from reverse engineering the baseband and details its inner workings. We also dissect the firmware file format, examine the proprietary ARMv7-R RTOS, ShannonOS, detail the interfaces to the application processor, and highlight the key peripherals of the baseband.
Besides these mostly undocumented technical details, a key highlight of our work is how we enabled off-device dynamic analysis of the baseband firmware. While previous approaches relied on injecting debugging stubs on the device by (ab)using vulnerabilities, we followed a fundamentally different approach by creating an emulator.
We critically review the decisions to be made when creating such an emulator, and present our solution, which is based on avatar2 and PANDA. The resulting platform emulator allows us to quickly prototype missing peripherals in Python, expose debugging information via hooks, and diagnose the root cause of crashes. With these tools at hand, we are able to boot and run baseband firmware images for several generations of Samsung Galaxy phones and can accurately emulate and debug low-level components such as the RTOS, CPU interrupts, and task rescheduling.
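To make the "prototype missing peripherals in Python" idea concrete, here is an added example that is not the talk's or the avatar2 project's code. It models a small memory-mapped FIFO peripheral whose every register access is forwarded to read/write callbacks and recorded by a hook, which is the shape an emulator-side peripheral stub takes when firmware touches an MMIO range the emulator does not otherwise back. The register map (CTRL, STATUS, DATA offsets and their bit meanings) is invented for illustration; a real baseband peripheral would be reconstructed from the firmware's driver code.

```python
"""Constructed model of a memory-mapped peripheral for an emulator.

Not code from the talk or from avatar2. The emulator is assumed to forward
accesses to an unmapped MMIO range as hw_read(offset, size) and
hw_write(offset, size, value); the register layout below is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Hypothetical register map for a simple FIFO-style peripheral
REG_CTRL = 0x00    # bit 0 enables the device, bit 1 resets the FIFO
REG_STATUS = 0x04  # bit 0 = at least one byte is waiting in the FIFO
REG_DATA = 0x08    # reading pops one byte; writing pushes one byte

CTRL_ENABLE = 1 << 0
CTRL_RESET = 1 << 1
STATUS_READY = 1 << 0

KNOWN_REGS = (REG_CTRL, REG_STATUS, REG_DATA)
AccessHook = Callable[[str, int, int, int], None]


@dataclass
class FifoPeripheral:
    """Just enough behaviour to get a driver's init and poll loop running."""
    fifo: List[int] = field(default_factory=list)
    enabled: bool = False
    trace: List[Tuple[str, int, int, int]] = field(default_factory=list)
    hooks: List[AccessHook] = field(default_factory=list)

    def _notify(self, kind: str, offset: int, size: int, value: int) -> None:
        # Every access is recorded and handed to debugging hooks
        self.trace.append((kind, offset, size, value))
        for hook in self.hooks:
            hook(kind, offset, size, value)

    def hw_read(self, offset: int, size: int) -> int:
        if offset == REG_STATUS:
            value = STATUS_READY if (self.enabled and self.fifo) else 0
        elif offset == REG_DATA:
            value = self.fifo.pop(0) if (self.enabled and self.fifo) else 0
        elif offset == REG_CTRL:
            value = CTRL_ENABLE if self.enabled else 0
        else:
            value = 0  # unmodelled register: reads as zero but is still logged
        self._notify("read", offset, size, value)
        return value

    def hw_write(self, offset: int, size: int, value: int) -> None:
        self._notify("write", offset, size, value)
        if offset == REG_CTRL:
            if value & CTRL_RESET:
                self.fifo.clear()
            self.enabled = bool(value & CTRL_ENABLE)
        elif offset == REG_DATA and self.enabled:
            self.fifo.append(value & 0xFF)

    def inject(self, data: bytes) -> None:
        """Analyst-side helper: bytes 'arrive' from the outside world."""
        self.fifo.extend(data)


def drain(dev: FifoPeripheral) -> bytes:
    """What a firmware driver loop does: poll STATUS, read DATA while ready."""
    out = bytearray()
    while dev.hw_read(REG_STATUS, 4) & STATUS_READY:
        out.append(dev.hw_read(REG_DATA, 4))
    return bytes(out)


def demo() -> Tuple[bytes, List[int]]:
    """Returns the bytes the 'driver' received and offsets of unmodelled accesses."""
    dev = FifoPeripheral()
    unmodelled: List[int] = []

    def flag_unknown(kind: str, offset: int, size: int, value: int) -> None:
        if offset not in KNOWN_REGS:
            unmodelled.append(offset)

    dev.hooks.append(flag_unknown)
    dev.hw_write(REG_CTRL, 4, CTRL_ENABLE)
    dev.inject(b"AT+OK")          # constructed sample input
    received = drain(dev)
    dev.hw_read(0x1C, 4)          # firmware touches a register we never modelled
    return received, unmodelled


if __name__ == "__main__":
    print(demo())
```

The hook is the debugging payoff: when the firmware hangs in an init loop, the list of unmodelled offsets tells you which register to implement next, and the trace shows the exact access sequence the driver expects.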
Last but not least, we combine the insights gained from reverse engineering with the capabilities gained from emulation, and present a firmware modification kit for emulated Shannon baseband images. The modkit allows us to write tasks for the RTOS in C and inject them at runtime. We further showcase our main application of this modkit: in-memory fuzzing from within the emulated baseband itself, which allowed us to discover vulnerabilities in the firmware.
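The in-memory fuzzing loop the modkit implements follows a general pattern: snapshot the target's state once, then repeatedly restore it, run the handler under test on a mutated input, and keep the inputs that crash while discarding the ones the handler merely rejects. The following added example (not the talk's modkit, which runs as an injected C task inside the emulated RTOS) shows that loop in Python against a constructed toy message handler with a deliberately trusted length field, so the harness has something to find; the distinction between a benign rejection and a memory error is what lets the loop run unattended.

```python
"""Constructed in-memory fuzzing loop; not the talk's modkit code.

The 'target' is a toy TLV handler with an intentional bug (the length byte
is trusted) so that the loop has a crash to find. Crash detection here is a
Python IndexError standing in for the memory fault an emulator would report.
"""
import copy
import random
from dataclasses import dataclass, field
from typing import Dict, List

BUF_SIZE = 16


@dataclass
class TargetState:
    buf: bytearray = field(default_factory=lambda: bytearray(BUF_SIZE))
    handled: int = 0


def parse_message(state: TargetState, msg: bytes) -> None:
    """Toy handler: [type][len][payload]. Constructed bug: len is not bounded."""
    if len(msg) < 2:
        raise ValueError("short message")      # parser's own rejection
    mtype, length = msg[0], msg[1]
    payload = msg[2:2 + length]
    if mtype == 0x01:
        for i, b in enumerate(payload):        # IndexError once i >= BUF_SIZE
            state.buf[i] = b
    state.handled += 1


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Stack one to three simple mutations on a seed input."""
    out = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and out:                    # overwrite a byte
            out[rng.randrange(len(out))] = rng.randrange(256)
        elif op == 1:                          # append random bytes
            out += bytes(rng.randrange(256) for _ in range(rng.randint(1, 32)))
        elif out:                              # flip one bit
            out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)


def run_one(snapshot: TargetState, msg: bytes) -> str:
    """Restore the snapshot, run the handler, classify the outcome."""
    state = copy.deepcopy(snapshot)            # 'restore' step
    try:
        parse_message(state, msg)
    except ValueError:
        return "reject"                        # expected handler behaviour
    except IndexError:
        return "crash"                         # memory error: worth keeping
    return "ok"


def fuzz(seeds: List[bytes], iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Returns crashing inputs keyed by a short description of the crash."""
    snapshot = TargetState()                   # 'snapshot' step, taken once
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    corpus = list(seeds)
    # Dry-run the corpus unmutated first, as fuzzers normally do
    for msg in corpus:
        if run_one(snapshot, msg) == "crash":
            crashes.setdefault("type=0x%02x" % msg[0], msg)
    for _ in range(iterations):
        msg = mutate(rng, rng.choice(corpus))
        result = run_one(snapshot, msg)
        if result == "crash":
            crashes.setdefault("type=0x%02x" % msg[0], msg)
        elif result == "ok" and len(corpus) < 64:
            corpus.append(msg)                 # accepted inputs seed later rounds
    return crashes


if __name__ == "__main__":
    found = fuzz([b"\x01\x03abc", b"\x02\x00"])   # constructed seed corpus
    print({k: v.hex() for k, v in found.items()})
```

Two design points carry over to the real thing: restoring from a snapshot before every run is what keeps one corrupted state from poisoning later iterations, and the harness must tell the handler's deliberate rejections apart from genuine faults, otherwise every malformed input looks like a finding.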
Grant Hernandez is a researcher specializing in mobile and firmware vulnerabilities. He recently defended his Ph.D. from the University of Florida while working with the Florida Institute of Cyber Security (FICS). After graduation he joined Qualcomm's Product Security Initiative (QPSI) team.
Marius is a postdoctoral researcher at the Systems and Network Security Group at VU Amsterdam (VUSec). He received his PhD from EURECOM where he systematically tackled challenges for dynamic binary firmware analysis. He is the lead author and maintainer of the avatar2 framework and enjoys spending his free time playing CTF competitions with his team Tasteless.