A Journey Into Hexagon: Dissecting Qualcomm Baseband

Video thumbnail (Frame 0) Video thumbnail (Frame 2718) Video thumbnail (Frame 7857) Video thumbnail (Frame 9546) Video thumbnail (Frame 11171) Video thumbnail (Frame 12847) Video thumbnail (Frame 14717) Video thumbnail (Frame 15800) Video thumbnail (Frame 21172) Video thumbnail (Frame 25024) Video thumbnail (Frame 26275) Video thumbnail (Frame 28094) Video thumbnail (Frame 32198) Video thumbnail (Frame 37102) Video thumbnail (Frame 47589) Video thumbnail (Frame 49722) Video thumbnail (Frame 52672) Video thumbnail (Frame 54017) Video thumbnail (Frame 55047) Video thumbnail (Frame 56297) Video thumbnail (Frame 57369) Video thumbnail (Frame 58746) Video thumbnail (Frame 62860) Video thumbnail (Frame 64072) Video thumbnail (Frame 66246)
Video in TIB AV-Portal: A Journey Into Hexagon: Dissecting Qualcomm Baseband

Formal Metadata

Title
A Journey Into Hexagon: Dissecting Qualcomm Baseband
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Mobile phones are quite complicated and feature multiple embedded processors handling wifi, cellular connectivity, bluetooth, and other signal processing in addition to the application processor. Have you ever been curious about how your phone actually makes calls and texts on a low level? Or maybe you want to learn more about the internals of the baseband but have no clue where to start. We will dive into the internals of a qualcomm baseband, tracing it's evolution over the years until its current state. We will discuss the custom, in-house DSP architecture they now run on, and the proprietary RTOS running on it. We will also cover the architecture of the cellular stack, likely places vulnerabilities lie, and exploit mitigations in place. Finally we will cover debugging possibilities, and how to get started analyzing the baseband firmware—how to differentiate between RTOS and cellular functions, how to find C std library functions, and more.
Code Decision theory Cellular automaton Archaeological field survey Bit Stack (abstract data type) Drop (liquid) Evolute Mikroarchitektur Computer architecture Architecture Word Roundness (object) Computing platform Physical system
Standard deviation Android (robot) Complex (psychology) Group action Code 1 (number) Real-time operating system Software bug Different (Kate Ryan album) Videoconferencing Information security Vulnerability (computing) Physical system Area Process (computing) Arm Software developer Bit Message passing Wave Hexagon System programming Interface (computing) Convex hull Remote procedure call Alpha (investment) Link (knot theory) Process (computing) Transformation (genetics) Variety (linguistics) Real number Cellular automaton Web browser Student's t-test Number Internetworking Natural number Energy level Firmware Computer architecture Code division multiple access Standard deviation Cellular automaton Surface Interface (computing) Debugger Interactive television Computer network Coprocessor Exploit (computer security) Inclusion map Kernel (computing) Software Charge carrier Library (computing)
Android (robot) Scheduling (computing) Thread (computing) Constraint (mathematics) Multiplication sign Cellular automaton Mathematical analysis Web browser XML Rule of inference Power (physics) Software bug Architecture Heegaard splitting Hexagon Virtual reality Virtual memory Read-only memory Semiconductor memory Software Operating system Router (computing) Category of being Atomic nucleus Computing platform Modem Physical system Form (programming) Operations research Constraint (mathematics) Process (computing) Intel Real-time operating system Stack (abstract data type) Cartesian coordinate system Flow separation Entire function Computer architecture Category of being System on a chip System programming Interrupt <Informatik> output Speicherschutz Freezing Spacetime Address space
Ocean current Quark Android (robot) Asynchronous Transfer Mode Game controller Thread (computing) Process (computing) Code State of matter Multiplication sign Arm Product (business) Pointer (computer programming) Different (Kate Ryan album) Core dump Software testing Modem Task (computing) Physical system Context awareness Process (computing) Information Block (periodic table) Real number Data storage device Electronic mailing list Stack (abstract data type) System call Flow separation Thread (computing) Single-precision floating-point format Type theory Message passing Pointer (computer programming) Smartphone Task (computing) Buffer overflow Asynchronous Transfer Mode
Standard deviation Existential quantification Scheduling (computing) Thread (computing) Code Texture mapping Multiplication sign Principle of maximum entropy Real-time operating system Parameter (computer programming) Computer programming Software bug Emulator Mathematics Graphical user interface Different (Kate Ryan album) Kernel (computing) Core dump Data conversion Validity (statistics) Curvature Information security Multiplication Physical system Social class Algorithm Process (computing) Arm Channel capacity Real number Digitizing Software developer Physicalism Mikrokernel Parameter (computer programming) Bit Flow separation Thread (computing) Hexagon Emulator Interface (computing) Digital signal processor Information security Speicherschutz Task (computing) Asynchronous Transfer Mode Spacetime Asynchronous Transfer Mode Vapor barrier Service (economics) Process (computing) Line (geometry) Real number Coprocessor Revision control Wechselseitiger Ausschluss Digital signal processing Read-only memory Operating system Energy level Spacetime Interrupt <Informatik> Firmware Form (programming) Modem Capability Maturity Model Validity (statistics) Semaphore line Cartesian coordinate system Mathematics Kernel (computing) Software Logic Function (mathematics) Internetradio Exception handling Address space
Email Structural load Code Multiplication sign Real-time operating system Complete metric space Mereology Stack (abstract data type) Computer programming Blog Different (Kate Ryan album) Memory management Set (mathematics) HTTP cookie Service (economics) Process (computing) Block (periodic table) Structural load Real-time operating system Instance (computer science) Statistics Message passing Tower Different (Kate Ryan album) Interface (computing) Block (periodic table) Task (computing) Modem Game controller Statistics Device driver Web browser Drop (liquid) Login Power (physics) Latent heat Software Computer hardware Energy level Software testing Communications protocol Message passing Address space Task (computing) Modem Serial port Standard deviation Key (cryptography) Information Server (computing) Cellular automaton Memory management Code Client (computing) Stack (abstract data type) Device driver Cartesian coordinate system System call Exploit (computer security) Frame problem Peer-to-peer Exclusive or Kernel (computing) Software Computer hardware Multimedia HTTP cookie Musical ensemble Communications protocol Window Address space
Android (robot) Time zone Software bug Order (biology) Cryptography Oval Programmable read-only memory Core dump Information security Physical system Arm Computer-generated imagery Structural load Moment (mathematics) Bit Price index Flow separation Electronic signature Computer architecture Data management Hexagon Order (biology) output Right angle Digital signal processor Modem Booting Point (geometry) Ocean current Game controller Process (computing) Coprocessor Product (business) Number Power (physics) Computer hardware Configuration space Booting Wireless LAN Modem Time zone Key (cryptography) Computer program American Mathematical Society Coprocessor Cartesian coordinate system Power (physics) Kernel (computing) Integrated development environment Software Computer hardware System on a chip Factory (trading post) Connectivity (graph theory) Key (cryptography) Musical ensemble
Email Android (robot) Thread (computing) Execution unit Client (computing) Parallel port Computer programming Software bug Neuroinformatik Data model Virtual reality Different (Kate Ryan album) Hypermedia Kernel (computing) Core dump Remote procedure call Damping Local ring Exception handling Physical system Arm Structural load Software developer Shared memory Bit Instance (computer science) Computer architecture Message passing Hexagon Ring (mathematics) Order (biology) Genetic programming Quicksort Cycle (graph theory) Digital signal processor Web page Digital signal processor Wrapper (data mining) Cellular automaton Device driver Amsterdam Ordnance Datum Number Hexagon Crash (computing) Computer architecture Cache (computing) Computer hardware Operating system Energy level Data structure Communications protocol Maß <Mathematik> Address space Modem Form (programming) Computer architecture Standard deviation Information Assembly language Server (computing) Interface (computing) Surface Code Client (computing) Line (geometry) Coprocessor Cartesian coordinate system System call Frame problem Compiler Finite difference Function (mathematics) Iteration Musical ensemble Domain name Library (computing) Length Code State of matter Texture mapping Decision theory Multiplication sign 1 (number) Set (mathematics) Parameter (computer programming) PowerPC Mereology Stack (abstract data type) Heegaard splitting Semiconductor memory Shared memory Cuboid Information Endliche Modelltheorie Library (computing) Email Process (computing) Wrapper (data mining) Computer file Virtualization Variable (mathematics) Flow separation Thread (computing) Type theory Interface (computing) output Remote procedure call Data structure Modem Asynchronous Transfer Mode Frame problem Asynchronous Transfer Mode Server (computing) Functional (mathematics) Service (economics) Link (knot theory) Divisor Real number Coprocessor Graph coloring Theory Flow separation Causality Read-only memory Operator (mathematics) Touch typing Spacetime Hydraulic jump Task (computing) Domain name Stack (abstract data type) Device driver Leak Component-based software engineering Cache (computing) Kernel (computing) Pointer (computer programming) Computer hardware Internetradio Communications protocol Computer worm Address space
Standard deviation Complex (psychology) System call Length Multiplication sign Code division multiple access Network-attached storage Software bug Neuroinformatik Heegaard splitting Different (Kate Ryan album) Endliche Modelltheorie Email Link (knot theory) Electric generator Structural load Bit Control flow Flow separation Connected space Type theory Message passing Time evolution Surjective function Game controller Link (knot theory) Real number Cellular automaton Branch (computer science) Zugriffskontrolle IP Internet forum Internetworking Mehrfachzugriff Communications protocol Form (programming) Code division multiple access Standard deviation Assembly language Internettelefonie Weight Cellular automaton WCDMA Division (mathematics) Stack (abstract data type) Line (geometry) System call Algebra Software Personal digital assistant OSI model Communications protocol
Web page Standard deviation Execution unit Service (economics) Standard deviation Implementation Link (knot theory) Complete metric space Mereology Software bug Order (biology) Software Message sequence chart Ring (mathematics) Charge carrier Object-relational mapping Compilation album Self-organization Implementation Conditional-access module
Standard deviation Execution unit Length Cellular automaton 1 (number) Computer network Bit Mathematical analysis Stack (abstract data type) Mereology Variable (mathematics) Software bug Architecture Computer architecture Hexagon Computer configuration Computer configuration System on a chip OSI model Communications protocol output
Functional (mathematics) Patch (Unix) Mathematical analysis Shape (magazine) Formal language Hexagon String (computer science) Physical law Firmware Plug-in (computing) Partition (number theory) Disassembler Computer architecture Plug-in (computing) Information Patch (Unix) Wrapper (data mining) Binary code Code Mathematics Computer configuration Function (mathematics) Order (biology) Object (grammar) Modem Disassembler Firmware
Presentation of a group Serial port INTEGRAL Multiplication sign 1 (number) Set (mathematics) Electronic signature Software bug Duality (mathematics) Mathematics Semiconductor memory Different (Kate Ryan album) Computer configuration Kernel (computing) Formal verification System identification Error message Library (computing) Functional (mathematics) Connected space Electronic signature Frequency Computer configuration Hash function Order (biology) Convex hull Right angle Quicksort Modem Booting Functional (mathematics) Patch (Unix) Computer-generated imagery Flash memory Number Product (business) Programmschleife Read-only memory Natural number String (computer science) Firmware Booting Modem Time zone Standard deviation Graph (mathematics) Assembly language Patch (Unix) Debugger Memory management Counting Binary file Cryptography Exploit (computer security) Inversion (music) Kernel (computing) Function (mathematics) Formal verification Integer Communications protocol Library (computing)
Windows Registry Metre Debugger Multiplication sign Interface (computing) Patch (Unix) Debugger Shared memory Control flow Device driver Parameter (computer programming) System call Connected space Graphical user interface Semiconductor memory Different (Kate Ryan album) Password Charge carrier output Freeware Extension (kinesiology) Plug-in (computing) Modem
Serial port Code State of matter Debugger Patch (Unix) Debugger Computer simulation Bit Primitive (album) Functional (mathematics) Coprocessor Electronic signature Hexagon Computer configuration Hooking Different (Kate Ryan album) Logic Blog Core dump output Right angle Firmware Reading (process) Modem
Open source Code Multiplication sign Cellular automaton 1 (number) Open set Student's t-test Software-defined radio Mereology Software bug Twitter Frequency Causality Different (Kate Ryan album) Computer configuration Implementation Source code Enterprise architecture Standard deviation Duplex (telecommunications) Projective plane Electronic mailing list Limit (category theory) Open set Shareware Computer configuration Software Computer hardware Software testing Musical ensemble Table (information)
all right so I am very excited to hear this talk because it's gonna be given by a kid that is very young very intelligent in fact he's competing in the CTF this weekend which makes him way smarter than the lawyer talking to you right now that's for sure but I'm also excited because this talk in the abstract you can see it actually has some magic words in there how to get started yeah there's a lot of these talks you're gonna see this we can kind of drop you right in the middle and you're picking up just as little bit as you see somebody show off some kind of cool exploit this is gonna be much more of a kind of a 45 minute survey course I understand so sit back and relax and let's give Sheamus a big round of applause all right so I hope you're all here coz you're interested in learning something about how the baseband and your phone works so I guess we'll just get started then so this is kind of a brief agenda for the talk a little bit about me why I think these are an interesting research topic and why I've been working on them for the past several months a little bit about the history and evolution of the platform because I think knowing well certain design decisions and why they were made in the past can really help you when you're looking at disassembly and code and why did they really do that silly thing a little bit about how a modern system on a chip is laid out it's changed a lot since the first cell phones are introduced a little bit about the actual custom CPU architecture that the baseband chips and Qualcomm phones actually run on a brief intro just some cell stuff because not everybody has a huge radio background I know I didn't and then how you actually start analyzing these things so I'm famous
I've been working in information security for about four years now I'm still an undergraduate student actually I go to UMBC in Maryland I was a member there competition team when we went to see CDC a couple years back I'm participating in the CTF here with Spaceballs this weekend I'm really interested in like embedded systems and vulnerability research next plate development and all those kinds of things any girls I like playing with girls all right so my goals for my research and hopefully for what I kind of want some you guys get this talk is what is a base band and how is it really like interact with Android I wanted to find bugs in it that was my main goal and I also wanted to like learn something and have fun so there's been a little bit of prior work in the area the first few real baseband talks came out 2010 2011 and they this was back when the Qualcomm base bands ran on ARM processors so and they used a completely different real-time operating system than they run now so it's a little bit outdated but it's still worth looking through all these old talks and digging up the videos they give a great background introduction to some of this stuff the first which really tackled their new architecture was based by exploitation in 2013 which was given it PAC SEC it was a first talk to really cover hexagon and any details about it whatsoever and that's around when those chips started being introduced into phones 2012-2013 every Qualcomm folds Qualcomm phones since then sold has one of these chips in it and then more recently there was a talk just this past year at CANSEC West which was after I started doing my research and that was a talk which kind of talked about a bug they found in the debugger they built around it some of the cool things they did but it was a lot less of like how do you get started looking for bugs which those have always historically been some of the most useful talks to me when I'm trying to learn something not a walkthrough of exploiting and like this kernel zero-day those are cool and I learned things from them but I also want to find my own so so for those of you who aren't entirely sure what a baseband is it's the main chip in your cell phone which actually communicates with the cellular network on some level it handles the transformation of radio waves into actual ones and zeros and then processes the information inside of those there is a ridiculous number of cellular standards and use around the world and most baseband chips support most if not all of them and fall over in between them because you don't know if you're leaving the country or if you're roaming in between cells different carriers if you're roaming on a different carrier they have things to have differently there's a lot of complexity within these just inherent to the nature of them it's also your phone's main external interface to the rest of the world you know your your data comes over this your internet all your text messages and it's one of the last few attack surfaces where you can actually get truly like remote code execution unauthenticated no user interaction whatsoever along with some of the other firmware on your phone like the Bluetooth and the Wi-Fi you know a lot of exploits have been going the way of he a browser bug and fishing and somebody clicks in a link this you really don't really need much in the way of interaction use need a phone number so that's why I was interesting to me
so I kind of pick Qualcomm to focus on as they had by far the largest market share of the whole baseband market and at least up until recently most of your high-end phones carried the Qualcomm chip of some kind in them you know all your Snapdragon processors and most of your high-end Androids these days the markets spread a little bit more Huawei makes some of their own based bands Samsung makes some with their XE knows chips but the main reason Qualcomm owns a lot of the market is they were the big proponent of the cellular standard called CDMA we just wanted the two big ones they're kind of grouped into two groups so you have gsm and you have CDMA and if this is why phones can be carrier locked because AT&T is GSM and Verizon is CDMA so if you and they have a death grip and all the patents in the United States for CDMA basically so if you want to sell a phone which does that you kind of gotta stick a Qualcomm chip in it for phones and other markets around the world CDMA is more prominently a United States thing so you'll see a little more variety in the chips but they still have more than half the market share so a
little about the history of the platform
these chips and your phones the base bands they run a completely separate operating system separate from Android or iOS so its own self-contained operating system with its own bugs and its own rules so these are something called an artist a real-time embedded operating system they're typically found in lots of like industrial applications power gas-electric things which have strict time constraints and you can't have a process like a browser hanging up and freezing your entire system things need to happen on a schedule and there can't be any kind of interruption to those and you can kind of split our tosses into two separate categories where they either have some form of memory protection or they just don't so there's either some form of virtual memory even if it's not meant for protection purposes or that everything just runs in like a flat your space straight in memory there are tosses we used pretty widely cisco routers use one of them thread x's intel's that runs Intel's modems and some newer Broadcom Wi-Fi chips I just recently learned things like that
so going back to the start of the mobile phones Rex was Qualcomm is real-time executive is the original artist which ran the modem and this is before you had smartphones and Android so this ran your entire phone it was actually designed for the Intel 186 and then as they started growing as a company and the 186 was getting well outdated they actually tried to license a 386 core from Intel and Intel kind of blew them off at the time because they were busy with other things but if they hadn't the cellular market would look pretty different today because this is what drove the switch to arm on all your chips and phones so Intel might very well have started producing like lower power consumption chips and the mobile market might not be all armed if they had rejected call comes off for a way back one but this chip stay ported to arm this are toss sorry they poured it to arm and everything ran in supervisor mode there's no privilege separation if you had any kind of code execution you were king it kind of ran is like one single process and your tasks were just threads in that process so it's very much a product of his times in the early 90s is
the you'll actually still run into this which the reason I'm kind of going through some of the quarks if you buy any kind of like feature phone so like not a smartphone burner phone type of deal a lot of those runs something called Qualcomm brew which is like their binary runtime for wireless I think and that Rex is the core heart of that actually the rest of its piled on top so tasks are your threads basically every task has a pass control block which kind of stores the information about it where your stack pointer currently is what's the priority task because this is nor toss so for tests because a really high priority it's not going to interrupt it the size of your stack every task has its own stack and then when they are suspended to let room for something else happened this is all just saved so if you have any kind of like overflow or code execution you can actually overwrite a different tasks current state from the stack so when it's restored you just took control of something else there's the task control blocks are stored in a doubly linked list similar process in other operating systems is Rachel to dork with things on this system the only problems is it's poorly documented so kind of moving out of the end of the
90s and into the mid 2000s Qualcomm decided to switch away from recs and they didn't actually do it for any security reasons it's just really tricky to debug code when you have no memory protections you don't know whether something's being caused by some of your code overriding some other code you accidentally it's really tricky to bug things so they started looking for solutions if you dig through some of their ancient documentation you can find Rex didn't even do any kind of parameter validation they basically told you whatever you passed our API better be right because we're not going to check it it's great for when you're trying to find bugs sadly they kind of moved away from this to something a little bit more secure so
in the middle like 2005-2006 dish they switched to microkernel called elf 4 which is kind of an academic microkernel came out academia in the 90s I think the way most people have heard of it is something called SEL 4 which was the formally verified version of it which was mathematically proven to be free of certain bug classes but the microkernel itself was freely available different kinds of licenses so this is actually a much more mature operating system you actually have real processes and real threads there's actually a privilege separation barrier the kernel runs in supervisor mode and the actual programs running you your space they were actually going to port l4 to their newest DSP the one they designed in-house and they kind of had a falling out with the company they were working with on this with l4 so they decided to just rewrite their own real time operating system not really necessarily learning from the mistakes for the last time they did that so they took l4 which is much more secure than what they had before and they kind of ruined it by writing an emulation layer for their old artists because they don't want to actually change any of their code base for the modem services this is something you'll see a lot when you're dealing with this kind of firmware is it has to be approved by different licensing bodies and re-evaluated when you make changes and that can be a quiet process to go through so they trying to avoid changing things as much as possible which is why bugs can be long-lived sometimes or there's terrible turnaround times actually getting updates for your base band or your Wi-Fi firmware things like that so they're at this emulation layer so they could take all of their actual modem software and it will keep the same API and things is talking to and transparently converts it on the back end so that doesn't really help you eliminate that many bugs but they at least do run the modem software in user mode now as Davin kernel-space and then moving on from that you know they kind of started developing their own in-house digital signal processor this is the thing which makes Qualcomm chips pretty unique is most other base bands huawei's high silicon samsung shannon baseband they all run on some form of ARM processor and they might have some digital digital signal processing logic to handle like the lower level physical layer conversion but everything actually runs on arm a lot of the actual processing does Qualcomm actually runs everything just on the DSP as opposed to having the DSP handle some of the conversion and then porting passing it over to a different processor so the current one is Curt the Qualcomm real-time OS it used to have a different name I don't know actually what that stood for used to be called blast and there are actually two hexagon cores in most of your phones now they have one which handles the the baseband the broadband radio and they have one which handles audio processing so they actually expose this to application developers you can if you think your algorithm will run better on digital signal processor for some audio tricks you're trying to do you actually have access to there's no limited capacity most the api's are again backwards compatible so they don't have to change as much software so some of the threading stuff changed a little bit blob is pretty much the same it's a priest mature real-time OS as far as real-time OSS go you have mutexes and semaphores same kind of priority based scheduling you see across a lot of these but it does actually have memory protections and the operating system itself handles the virtual to physical mem
so the mitigations are kind of hit and miss on this it is as far ahead of its peers Samsung for instance has an X and has it turned on in some places but not necessarily covering what you would expect it to there is a complete lack of a SLR and this is common in all based bands it's really tricky to port some of this software to actually move around into address space and like the real-time OS loads in the same spot every time the kernel base is the same place and then these things will have hard coded addresses calling each other around so there's no is LR there's plenty of gadgets once you actually have code execution they do have a non executable stack so you can't really write to code you're not supposed to be able to execute data and it does its best to enforce that it does have stack cookies it actually has a special register the frame key register which actually holds some of this stack cookie information in the X or is it and then it's heap protection is more for accidental corruption it kind of just marks whether your blocks are in use or not with a magic value it's not anything super tricky like you see on Windows or some of them are keep calm and keep Ally cares for browsers these days so it's kind of a mixed bag as far as exploitation is concerned there's you can't directly jump to your shellcode but as soon as you actually like get program counter or something like that there's no way SLRs so it's pretty easy to know where things aren't memory and form your own gadgets or use a gadget to write your shellcode into a place you can execute it so a MSS is their actual name for the software stack which runs on the modem you'll see a lot of confusion about this if you ever start doing any research people call won't like say this covers more than actually does but it's the actual modem software different drivers and protocols and everything you really use to talk to a cell tower the lower part of it is pre chipset specific you know which air interface protocol if you actually support you know there is a dozen different cell standards the hardware is all different see of low level different hardware drivers and on the feature phones I mentioned earlier you have like cue chat and cue camera and QMS in all these applications which actually run are part of a MSS on those and they run on the same baseband so there's more than 60 different processes or tasks which this is comprised of you have a watchdog to make sure things don't really timeout you have a sleep timer to save power you have different things for call control and message processing and Diagnostics of those one of the most
important is the actual Diagnostics tasks it provides a client-server infrastructure where you can request information from the modems stack and this is what a lot of Qualcomm is internal tools will talk to so it's a holdover from their old Rex days and it will handle requests over serial or sealed exposed over USB which is more common now when it's a packet based protocol you send information and send stuff back so if you ever get your hands on any of the Qualcomm tools which have been floating around this is how you pull off any kind of over-the-air logs failures debugging information if you manage to turn it on current status if you're trying to like test things over-the-air different statistics on calls or drop drop passes packets and things like that [Music]
so modern systems on a chip are a lot more complicated than they used to be and one of the things you kind of run into is something called a cue fuse at least on Qualcomm devices Samsung's have their own similar depending on the chipset but it's a bank of one-time programmable fuses there is very little public documentation about what controls one but these are one-time once you blow the bit you're not really supposed to be able to change it back and Hardware debugging is disabled and production devices by blowing one of these bits supposedly the factory has a way to re-enable it but I have been able to figure it out and I don't know anyone else who's mentioned being able to figure out either this is how if you ever have a samsung phone they have something called the Knox bit which is blown if you flash an unsigned kernel and they kind of use that toward for void warranty claims sometimes so if you unlock your bootloader and start working with your Android device that's how they tell and that's how they'll deny you if you break it secure boot is heavily based off this the cryptographic keys are burned in and can't be changed the trust zone uses an undefined number of these bits as well [Music]
so in the good old days before more modern Android and iOS devices your you can't hide your baseband processor and your actual application processor and the baseband was actually the first one which booted up and brought up the application processor I didn't had direct DMA if you pop the baseband you kind of just control everything and right to the application processor and the user would never know chips are a lot more complicated now and they have a lot more interconnected subsystems so on a current Qualcomm soft for example you have your modem processor subsystem which is composed of this hexagon DSP and the actual accompanying like hardware ASIC which handles the over-the-air stuff you have your actual application processor set which are more recent devices it's like its own side of a charm cores you have something called rpm which handles power management for the device and this has its own bootloader and boot ROM and it runs its own its own separate arm core you don't really know about it there's an interesting piece of research trying remember the company name I think it was Aleph security and they used a bug and were able to dump some of these other boot loaders so they could dump like the RPM bootloader and you can play with it and see what it does these are all cryptographically verified - before they're actually uploaded to the device your wireless subsystem is its own separate little subsystem it sits on most devices it's a Broadcom chip although Qualcomm has their own Wi-Fi I don't know which phones they put it on then you have your audio subsystem which is another digital signal processor which again is exposed to the user so this is a really simplified boot order it's actually a lot more complicated than that usually you power on the phone that burned in bootloader powers up and it loads a secondary stage bootloader and that loads like the RPM from where to hit a lot of the power on the device and then it loads a second stage which actually loads your trust zone your qse is Qualcomm environment so it loads that and then the trust zone handle floating everything else so all the cryptographic signatures are verified by the trust zone after this point so that loads the application boot layer so that's like a boot or s boot which actually boots your Android kernel for example so that handles loading the kernel and the kernel itself pushes over something called a modem Bhootnath indicator which handles validating the actual modem image which is then pushed over and the moment has its own say a boot loader and then the AMS s software is validated and the modem kinase brought up then after that your wireless and your other DSPs are brought online so the the baseband
and the application processor have to have some way to be able to talk to each other to be able to say hey I want to make a phone call hey you got incoming texts things like that so on most devices there's a form of shared memory interface where one side writes some data on the other side checks periodically and picks it up and processes it and there's actually a common set of API as if we're talking about Android here iOS there's a little different there's a common set of API is on the linux and on the modem side which take care of initializing this allocating this searching for things in it so it is part of the actual like main Ram the baseband chip does not get its own separate Ram and neither do any of these other subsystems they are all actually talking to the same eight or however many gigs of ram you have on your phone and it's just portioned up with each load device wants its own oil piece so the SMD is the shared memory driver which is a more high-level wrapper around some of these low-level api s so you can kind of just have a pipe and shove data into it and then the other side just reads from it it's a little less complicated for driver developers each of your AMS s tasks has its own separate two-way channel over this shared memory interface so your Diagnostics has a set of channels and that's where it patches information remote procedure calls have their own static channels your GPS has your own set of channels this is one if you are main attack surfaces if you're looking to elevate your privileges from the baseband chip itself to the actual application processor they talk back and forth and this is one of the main ways they communicate so if you can find bugs and how messages are being parsed or sent that's how you can kind of jump and try and get code execution on the other side well the other things they also have is the qmi protocol Qualcomm design originally it was kind of designed to supplement the old Hays 80 command set used to program modems with and itself like Qualcomm everything Qualcomm does is a wraparound another older protocol they used to have but it's used to talk to your modem you can configure it send in different commands but you only actually make any hardware decisions based off of this all you can do is kind of influence how different pieces act and again just like the Diagnostics task it's a client-server model it's a variable length packets structure which is interestingly this is where allah are going to be there's a set header and then a different number of payloads you can send and these are all type length value based so the first portion specifies what this is you know if you're trying to set a phone call or you know what you're trying to accomplish and then the next piece is how long is the message and then followed by the actual data so because this was originally coded quite a while ago it's quite possible to find bugs and it just blindly trusts the values you're feeding it for for instance like your length and if it passes that into some sort of copy or it makes parking decisions based on that you can try and get code execution in the kernel on the Android or iOS side so the real kind of new thing about what
Qualcomm has been doing is they designed their own custom in-house DSP it's not really based on anything else so you know if you were here and you heard about the CTF last year where they wrote their own custom architecture with nine bit bytes it's not quite as bad as that but it's not really related to any type of Intel or arm assembly code you usually see it's a general purpose digital signal processor which is really interesting it's not specifically designed to cellular stuff which is why you can handle like audio processing on it as well so there are two on the soft like I mentioned earlier one is dedicated just for your broadband radio the second one is just for audio processing and if you write nap you can actually access this that's its own separate attack service for like breaking out of Sam boxes if you're trying to play audio and things like that because that other audio DSP also has its own artists on it and if you can pop that you kind of get like media server privileges depending on how your Android device is enabled and you've a lot more pillages from there to try and escalate so it's the system so the way the hexagon chip is laid out you have a variable number of Hardware threads depends on the specific iteration the chip but you can say for for general example so kind of like cores on an Intel device and each of those threads shares the l1 and the l2 caches between them the threads don't have separate caches but there are separate caches for instructions and for data and operands just like you have on an arm or a PowerPC chip so you can't even if there was no an X or depth you couldn't just smash the stack and then jump to your shellcode because that's data and won't be in the instruction cache and you'll cause a fault so you actually do have to like dork with cache lines and stuff if you are trying to build an exploit like that on the other early interesting thing is these four Hardware threads are designed for parallel execution so when you compile a program down to hexagons actually the compiler figures out different operations which don't need they don't depend on each other so then it will schedule those just to run at the same time simultaneously across all four threads so this is kind of a high-level how that how its laid out each thread has its own execution unit it pulls instructions those are a packet based so your packet doesn't have to be for instructions it can be three and the execution unit will just not fetch anything for that so you don't have the packets running out of order you can't have a packet with three running on three of the threads and the other threads actually like a packet ahead it'll just kind of spin squeals for a cycle and then pull in the next packet then they have shared instruction and data caches and then shared more high level l2 cache so the architecture is kind of standard as far as embedded devices go you have a bunch of general-purpose registers there 32 bits wide your first six are used to pass arguments to functions when you're looking at the assembly the return value is stored in register 0 and then you have a split between color saved and collie saved just kind of like you do on most other architectures the stack is again pretty standard you have a stack pointer in a frame pointer and you have a link register just like arm for holding return addresses in the stack grows downwards from high-yellow memory it does need to be 8 by the line which is a 1 gotcha when you're writing an exploit and because Qualcomm designed this architecture from scratch they kind of had the freedom to put in a lot of different things they wanted to so they have instructions which will just take care of setting up and tearing down your stack frames as opposed to the compiler wasting a few instructions on it like a client does with Intel and arm so it's pretty standard the the threads in there are tasks are actually stayed on the stack they're pretty far apart but you have a large enough overwrite you can corrupt the state of another thread or another process just like you were able to back in Rex that hasn't really changed besides your kind of standard yeah we have registers we pass arguments in them it works like a computer they add in a couple of really useful things for debugging so you have a system status register which is the first place you should be checking when you get like a ram dump brain kind of crash so this holds the a CID which is the address space ID the crash happened in it'll hold an 8-bit value for the cause of the crash whether it was a like a page fault or you know divide by 0 or your other standard operations and will tell you tell you what of the virtual address registers to look in for more information so there are actually two different bad virtual address registers which hold exception addresses generated so the address of the exception handler when an exception occurs and there's like two separate execution slots for each of those threats which is why there's two registers and then you have an exception linked register which holds the program counter value from when an exception was triggered and so it saves off for you so they actually have a lot of useful debugging information [Music] so this is a little more recently introduced they've been constantly making iterations of this processor so on the most recent ones probably shipping the phones in the last year or so they've introduced something called protection domains which implement Hardware hardware and forced separate address spaces and they did this because they have the capability to run the Wi-Fi subsystem on the same DSP as the broadband radio and they want to keep them very very separate so they can't touch each other and this sounds like a really cool idea in theory except that means your Wi-Fi and your broadband are going to be sharing the same layer one only or two caches I haven't really dug into that but I'm pretty sure you can either get into leaks or really influenced the way the other one is seeing the cache so it's kind of divided there's a kernel mode then they have kind of like a second split after that in between standard users and guests so guest is more like ring ring one or ring two an Intel device as opposed to ring three which is the user so your broadband radio stuff kind of runs in the guest OS mode the artist kernel itself runs in the kernel mode and then your wife I would run user mode and interestingly enough sometimes these stacked checks for like the stack Canaries and stuff aren't actually done in kernel mode only in the user in the guest mode all right so the cellular
stuff is very very complicated I had spent way too much time reading documentation trying to figure this stuff out but after the first generation telephone lines it kind of split into two branches as they were going into wireless so you have GSM which is time division multiple access based and then you have the standard Qualcomm came up with it's just why they really owned a lot of patents to run it which is CDMA which is a code division multiple access I think and those kind of split onto separate branches for like the next 20 years each adding things independently of each other and then LTE is kind of a convergence of the two so over well I'm I suppose I'm left but where you see gsm and cdma that's really like second generation what you think of it a 2g cellular network those did not originally have any ability for data you had no internet you couldn't get your emails so that was kind of act on to vendors within the form of edge and GPRS in the case of GSM networks so that's really what they call 2.5 g once you start digging into like the cellular forums and then it kind of kept on proceeding through 3g and adding more higher speeds trying to make things more efficient less power-hungry and then LTE is kind of where we're at now and they're already discussing the fifth-generation network standards so
just like when you're looking at networking on the computer you have your OSI or your tcp/ip model and things are kind of split up into different layers teleo stack has that as well things are broken up into several different layers and just like with tcp/ip the higher up you go the more complicated things are and there are more bugs think of it kind of like layer 2 you have your Ethernet and you can have like ARP spoofing and stuff and it's really confusing computers about who you are then you go up to IP you have more nonsense you can play with the header ISM like IP fragmentation and reassembly and it's more trying to dork with the actual other end of the connection as opposed to fooling them about who you are so cellular is pretty much the same way you have your physical layer which in this case it's not over a wire it's over the air and then as you go up it gets more complicated there's more things to parse so up at this top level with like the Nats layer and your net protocol stuff is a really good place to hunt for bugs like all your call control signaling happens up there there's loads of messages with like length value and type link value associated with them going down a little bit like radio resource control there's lots of messages in there but typically they're a little more fixed length when you're digging through the standards so there is a load of different ways you can actually make a receive a call to G 3G 2 and 1/2 G over LTE is the real voice call or is it just voice over data call you know voice over LTE is more common now but kind any kind of like VoIP call you can make over the Internet you can also make it over the internet on your phone and the cellular phones typically support all of these because you don't know where in the country or what network you're really going to be on and you can your call type can drop is you're switching in between cells if you've ever been driving your call quality gets bad and it dropped a 2g because you have no cell coverage so all these different ways to do things adds a lot of complexity and these aren't really that simple to begin with
there's a lot more involved in the set up in the teardown and there isn't just like a tcp/ip handshake to be fair only from BTS / - MS is the actual handset part of this the rest of that's actually more in the back of the cellular network but still pretty complicated okay trying
to go through these the best place to start looking for bugs is the standards they don't specify any kind of implementation they just say what should look like it's totally up to the vendor in the carrier and the OEM to work this out 3gpp is the organization which kind of says these are the standards we're going to deal with and that's made up of several different organizations and they all argue and eventually agree on something unlike Wi-Fi or Bluetooth these are freely available you can just go download them which is fantastic the reason nobody does is because they're like 80,000 pages long and they're terrible but they're actually really
useful when you are looking for bugs so you can kind of see it specifies the packet itself what each octet is in the packet and it breaks down to like each bit in that octet and the part you're that's interesting after you think you've found a bug and you're trying to trigger it the more interesting part to look at the start is where it specifies what options you can really add and you so there's a bunch of mandatory and optional ones as you can see and you're interesting all the ones which have variable length options basically elevate your tlv because it's a good chance one of these they screwed up somewhere along the way so how do you
actually want to get started dealing
with this it's their own custom architecture there is no like Ida Pro does not support this natively there are a few plugins for ida pro out of the three of those I found the GS mk1 off of github to be the most intuitive to start with it first it's actually been updated somewhat recently for idea seven the second one down is actually a Python wrapper around the object on patches Qualcomm themself has provided so that's a good place to start for if you want to write your own disassembler because they kind of some of the hard work of parsing the documentation for you I started trying to port that into binary ninja because I wanted the lifting to an immediate language but that's still really gross and no shape to release to anybody unfortunately so
what you actually look at on a device the radio firmware is usually on its own separate partition it varies from device to device you'll have to find a way to pull that off your foot you might have to root your phone in order to get it really varies because the Android ecosystem is so fragmented it's a massive binary this one I just pulled off of my current phone is 300 megabytes and when you load it into Ida it will find 80,000 plus functions and there's no debugging information or anything there is a lot of strings which is useful especially a lot of like debugging information left in those strings but you still have 80,000 functions to dig through with no real a good place to start so I was trying to cut down on the effort so one of my
ideas I had was if I'm looking for exploits I'm gonna be looking for memory copies and string copies now I want to find the memory allocations and deallocations and all that kind of stuff all your standard library functions essentially so I was like those should be called fairly frequently I think given how often and how many different pieces need to parse things so you can real Uzziah Python to kind of count the number of cross references to a function there doesn't actually give you the best metric because like one player of that graph could be called a whole bunch of different times but it's an easy place to start and these things will be called to 3,000 for 4,000 times so you kind of sort that and start at the top of the list and work down and I found memory copies and things like that pretty quickly and they're usually pretty obvious when you're staring at the assembly code a couple like take copy loops and to stub it either end so
how you actually do plug this thing is the problem even developing an Android kernel is really irritating to do if you ever tried it when you're trying to do it on a device you have to do like a serial over UART option and they're like over USB and you've got to patch it and KGB is not fun to deal with this is even more so Qualcomm has some internal tools which use that diag protocol and talk to it we aren't really supposed to have those a few of them have been leaked from different carriers and things like that it's pretty hit or miss some of them don't work on newer phones these phones do support JTAG although on some phones is disabled in production devices but to get that JTAG connection you need to buy it from a company called lager bock and they're the only ones who make it and it's something like north of 10,000 now is way out of my budget although I'm sure it works very well the approach some of the other presentations on the subject have taken is they get memory read right through an exploit and then they kind of build the bugger around that that applies to are you having an exploit to start with rather than using a debugger to help you poke around either ones a good option but the way I took was since the modem firmware is right here I can just patch that and try and make it do what I want and the only problem with that is they are signed so if you make a change you'll fill this in your verification and nothing happens unlike Samsung modems which are encrypted on days Qualcomm doesn't encrypt them so it's easy to dissemble and patch them but you have to get past the signature verification which like I mentioned earlier with the boot order happens in the trust zone so you need a trust owned bug the great thing about base bands is they don't change that often because this firmer has to be recertified so even if you're looking at a phone which is a few years old a lot of it really hasn't changed that much and at least it's a place to start so there's been trust owned bugs going back years and any number of them will work depends on which phone in which tri-state inversion you have but it's only a two byte change into trust own you patch which disables the signature checking so you can use that as an arbitrary right you patch out those bytes and then you can load wherever the hell you want so it does require you to have an unlocked bootloader so that you can compile your own kernel and flash that and the modem has its own set of internal hashes for different segments within it and those still do need to be consistent but that's a little those aren't cryptographic in nature they're just more of an integrity error kind of check and you can fix those up so there is plenty of different CVEs they're all over the place some of them have like full pox you'll need to do that much work to you turn into a trust oh and write to disable things with so you actually need to build the
bugger around this and running a little short on time but to build a debugger you basically need to be able to read and write memory to set breakpoints if you're trying to like break on access to a piece of data you might need to change permissions since really not supposed to be able to write to that and saying registry values is kind of useful too this is a few different ways the base band takes input obviously over-the-air is the main way trying to implement a debugger over the radio is not something I wanted to try you have that shared memory interface again and you could write a kernel driver at a time talk to that but you need something to respond on the other end and that's kind of what that can SciQuest talk did was they implemented the plugin stuff on the other end and they kind of talked back and forth and built a full-featured debugger around it I didn't really want to take the effort to do that and one of the other ways you used to originally talk to a mom was over serial it's free of these pays 80
commands is how you originally used to configure something you could patch it dialing and connection parameters and they say here's the number and make a call and they did it so we've kind of come a long way but these modems still support this and still expose this the different carriers and OMS and vendors add their own command extensions to them some of them do really ridiculous things Samsung has had issues in the past where there are commands to unlock the device so even if it's a passcode lock if you plug it into your computer and talk to the modem you can like unlock it so some of those really aren't that great
so since I can patch the modem firmware and I can patch out the signature checking so I can upload my own I figured this is an already easy way to talk to a device I don't need to write my own stub on the other end and these already have a way to all the input/output - serials already handled for you because there's you know hundred different 80 commands you all that logic is already pre declared for you so I can just hook one of those handlers patch out what it does and replace it with my functionality so I picked a couple different Qualcomm commands which aren't really used frequently I'm not even sure what some of them do but now they do what I want them to do so you can just you make one a read you pass it now you dress you pass the size it's a bit stuff back out same thing with rights and we've trying to change permissions you can turn these primitives into a more feature debugger without actually having to dork with a ton of code on the modem side and I found about this after I put
in all those hard work is that company blogger Bach actually makes a simulator for hexagon so you can upload your RAM dump to this simulator and it will show you the whole processor state and you can like debug it and this is actually really cool and it's actually free like
most enterprise software there's like a free trial you can get and sure like your scripting abilities are kind of limited but you can kind of work with that for not having to pay ten thousand dollars if you actually want to test stuff you need a license to broadcast and tell your frequencies most places in the world otherwise like in America the FCC is really mad at you so you're supposed to have some kind of Faraday cage or do it in your concrete basement and pray they never come knock on your door and I've been really lucky in that software-defined radios have gotten a lot cheaper recently and there's a lot of different ones to choose from and as long as it's full duplex it can transmit and receive at the same time it can support GSM and edge and GPRS and the different things I want to play with I just bought the bleh RF recently because that was the cheapest and I'm a student and I'm poor but the options get way more expensive after that but the bleh RF works great for my purposes I've had zero complaints all I need to do is be full duplex I think the hack RF is cheaper but is not full duplex that won't work a bunch of different open-source projects have come up the apts open BTS the list keeps on growing every year the eight BTS is the one I ended up going with as it's actually really cleanly documented and in the code comments it'll say which part of the standards this came from and which table like these options came from is released across reference when you're trying to root cause a bug and trigger it and yeah I think we're pretty much out of time but I will be hanging around if anybody has questions for me or you can hit me up on Twitter or something I usually respond pretty quickly so yeah [Music]
Feedback