
Reverse engineering a Qualcomm baseband processor [pdf] - dodders
http://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
======
mmastrac
This topic is close to my heart. I spent a few years immersed in the Qualcomm
basebands as part of the unrevoked project and personal research. I stared at
the ARM code for what must be hundreds of hours.

There are so many vulnerabilities in the baseband that it's not even funny.
Even the QCOM secure boot process is full of holes. If a government agency
wanted to drop a persistent baseband 'rootkit' on your device with full access
to userspace, they could (unless you're using one of the few phones with
separate userspace and baseband processors).

The DIAG commands are particularly fun. You can read and write memory on most
phones. Some have locked it down to certain areas, but this varies wildly
depending on manufacturer.

~~~
kefka
My phone is a HaiPai Noble N7889.

I have complete control over my phone (baseband and userspace), including a
nifty tool sanctioned by MediaTek to insert arbitrary AT commands in my
processor at will.

I also have the ability to toggle something on the range of 75 GPIO pins. I'm
not entirely sure what they do, so I don't play with them. But aside from that,
I have complete control over every part of the hardware.

~~~
rsync
Would you please elaborate as to how you have complete control over the
baseband?

Would you further provide the name of the MediaTek tool?

~~~
kefka
The tool is available on the Google Play Store: Mobileuncle Tools.

------
CamperBob2
Unfortunately this is almost guaranteed to bring a legal attack from Qualcomm,
with or without actual grounds. I've never encountered a more litigious
company in my (long) involvement in electronics, or the tech sector in
general. Whether Qualcomm employs more engineers or more lawyers is an open
research topic.

------
therealmarv
Are there any opensource baseband phones out there? Does opensource baseband
actually exist? So many people think that they have a phone with opensource
software but so many components, especially the baseband can give so much
control over the phone.

~~~
dpifke
Related question: does anyone know of any no-baseband devices?

I've been unsuccessfully looking for a wifi-only phone, ideally a relatively
modern one which comes with an unlocked bootloader and can easily run
CyanogenMod.

~~~
jacquesm
Can't you just run a regular phone without a sim and with a snipped antenna
lead?

~~~
dpifke
This is an excellent suggestion; thank you. I don't think there would be room
for a tablet (or "phablet") in the pockets of any of my current pants or
jackets.

I wonder how easy it is to identify the cellular antenna vs. the ones for
wifi/Bluetooth/NFC/inductive charging, but definitely something to look into.

------
jcr
Here's the video of the talk that Guillaume Delugre did on this pdf at 28C3 in
2011.

[http://www.youtube.com/watch?v=e1lYU0VMCoY](http://www.youtube.com/watch?v=e1lYU0VMCoY)

It's both fascinating and frightening.

------
jordanthoms
So the usual view is that the capabilities we hear of the NSA having (keeping
the phone on even when it appears to be off, using GPS etc. to locate the phone,
transmitting the microphone in the background, etc.) are enabled in the baseband
when it receives coded requests from the network.

It'd be interesting if reverse engineering of the baseband could find those
capabilities and see what's really possible and how it works.

~~~
userbinator
Those capabilities are apparently standardised and documented; see these, for
example:

[http://www.3gpp.org/DynaReport/41033.htm](http://www.3gpp.org/DynaReport/41033.htm)

[http://www.3gpp.org/DynaReport/42033.htm](http://www.3gpp.org/DynaReport/42033.htm)

[http://www.3gpp.org/DynaReport/43033.htm](http://www.3gpp.org/DynaReport/43033.htm)

33.106, 33.107, and 33.108 on
[http://www.3gpp.org/DynaReport/status-report.htm](http://www.3gpp.org/DynaReport/status-report.htm)
also make for some... interesting reading.

~~~
kristoffer
No. You are linking to lawful interception documents. That is not handled in
the phone or base station but in the core network. You cannot use it to track
or listen to shut-off devices.

------
pronoiac
If you're wondering, iPhones have used both Qualcomm and Infineon baseband
processors:
[https://theiphonewiki.com/wiki/Baseband_Device](https://theiphonewiki.com/wiki/Baseband_Device)

According to a note in this presentation, Ralf-Philipp Weinmann has noted
exploits on broadband processors from both.

