
Marius Muench & Fabian Freyer

Reverse-Engineering, Emulation, and Dynamic Testing of Cellular Baseband Firmware


Trainer: Marius Muench & Fabian Freyer

Date: 30th May to 1st June 2023

Time: 9:00am to 5:00pm PDT

Venue: Santa Clara Marriott

Training Level: Intermediate to Advanced


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

The training teaches the structure of typical cellular baseband firmware using the example of Samsung’s Shannon baseband. We cover how basebands communicate internally, how to reverse engineer them, and how to find security vulnerabilities through emulation and fuzzing.

The training uses firmware binaries from real phones. While most of the training is centered around static and dynamic off-device testing, such as reverse engineering and emulation, participants also get the chance to interact with real phones and obtain insights about over-the-air testing.


What to Expect? | Key Learning Objectives:

Participants will gain hands-on experience with the baseband firmware found in modern smartphones. They will learn the general structure of a baseband RTOS using the Shannon baseband as the example. Together, we will dump the firmware from the device, take a deep dive into the binary, find common patterns, and reverse engineer protocol parsers. Equipped with this knowledge of the firmware, students will learn how to rehost selected parsers. Using the Rust basics taught in this training, students will iteratively extend provided skeleton code for an emulator in order to understand common rehosting tasks. Students will then learn how to use the emulator they built as a harness for AFL++ and rediscover CVE-2020-25279, a critical vulnerability in the 2G Call Control implementation. Finally, we will discuss how to set up a fake base station using commercially available Software Defined Radios and Faraday cages for over-the-air replication of discovered crash cases.


Training Detailed Description:

The training is divided into three parts:

Day 1: Obtaining and Reverse Engineering the Firmware
  • Accessing a device's bootloader
  • Dumping firmware
  • Loading firmware into Ghidra
  • Anatomy of a baseband RTOS
  • Identifying interesting functions and parsers
Day 2: Rehosting and Fuzzing the Firmware
  • Intro to the Rust fundamentals used in this training
  • Using Unicorn to emulate embedded firmware
  • Hooking emulation roadblocks
  • Harnessing and providing input to the baseband
  • Fuzzer setup
Day 3: Understanding the Crashes & Over-the-Air Replication
  • Crash analysis
  • Coverage visualization
  • Crash deduplication
  • Fake base station setup
  • Modification of base station source code for over-the-air replication

Who Should Attend? | Target Audience:

  • Security Researchers
  • Baseband Firmware Developers
  • Hardware Hackers

What to Bring? | Software and Hardware Requirements:

  • Own laptop running Windows / Linux / macOS (Linux preferred)
  • Up and running Visual Studio Code + Docker setup to work through the exercises (a Dockerfile and setup guide will be provided before the training)
  • Ghidra downloaded and installed (using other RE tools will be harder, since we rely on existing Ghidra loaders in this training)

What to Bring? | Prerequisite Knowledge and Skills:

  • Experience with reverse engineering
  • A general idea of what basebands are
  • A strong background in Python and/or C is a plus

Resources Provided at the Training | Deliverables:

  • Lab manual
  • Solutions and scripts discussed and developed during the class
  • During the lab: access to phones, SDRs, Faraday cages, and other hardware required for in-class experiments

ABOUT THE TRAINERS

Marius is a postdoctoral researcher at Vrije Universiteit Amsterdam. His research interests cover the (in-)security of embedded systems, binary and microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM. He developed and maintains avatar2, a framework for analyzing embedded systems firmware. Among other uses, he applied the framework within the FirmWire project to emulate Samsung’s Shannon and MediaTek’s MTK baseband firmware, leading to the discovery of several critical vulnerabilities.

Fabian has been working freelance in the IT security industry for several years, performing security assessments and code audits and doing vulnerability research. With a background in physics and long-time experience playing CTFs, Fabian focuses on low-level static reverse engineering and binary exploitation. He likes scripting reverse engineering tasks and developing plugins for reverse engineering tools. Fabian has presented some of his reverse engineering work at Hardwear.io, Recon, and Black Hat.