Hacker News new | past | comments | ask | show | jobs | submit login
Reverse engineering a Qualcomm baseband processor [pdf] (ccc.de)
88 points by dodders on Dec 30, 2014 | hide | past | favorite | 37 comments

This topic is close to my heart. I spent a few years immersed in the Qualcomm basebands as part of the unrevoked project and personal research. I stared at the ARM code for what must be hundreds of hours.

There are so many vulnerabilities in the baseband that it's not even funny. Even the QCOM secure boot process is full of holes. If a government agency wanted to drop a persistent baseband 'rootkit' on your device with full access to userspace, they could (unless you're using one of the few phones with separate userspace and baseband processors).

The DIAG commands are particularly fun. You can read and write memory on most phones. Some have locked it down to certain areas, but this varies wildly depending on manufacturer.

Law enforcement must be pushing pretty hard to get this capability available to them under a warrant, right? I assume this isn't currently a typical investigatory technique. If there anything holding back someone packaging an exploit?

If you absolutely needed the utility of a smartphone, but also somehow needed to be secure from these attack vectors, I wonder how much it helps to remove the SIM and disconnect the 3G/LTE antenna keeping only WiFi and Bluetooth radios on the smartphone, then carrying a separate LTE/WiFi bridge which is considered an untrusted device.

At least you isolate your microphone, video camera, GPS, and all that personal data. You still give off location but perhaps to a lesser extent.

In some ways forcing a bridge-only mode; it can also extend the life of the mobile. The trade off is mostly just a battery drain and overall hassle of the 2nd device I guess.

There are so many vulnerabilities in the baseband that it's not even funny

Are you saying these are remotely exploitable, as in over-the-air?

It seems only the complexity of the protocols involved are what stops the majority of attackers, and perhaps the illegality of broadcasting on licensed spectrum (although illegality never really stopped anyone...)

I looked at the 3GPP specs before and the amount of complexity in them is overwhelming.

Are you saying these are remotely exploitable, as in over-the-air?

Yes. See my previous post: https://news.ycombinator.com/item?id=8769816

And having separate baseband and userspace processors doesn't protect you, because the baseband processor is usually the master, and the app processor is a slave. In fact, the paper in my previous post exploits an iPhone 4 and HTC dream -- both of which have separate baseband and app processors.

Here's a quote from the first link in my previous post:

The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted.

baseband processor is usually the master, and the app processor is a slave

For the Mediatek platforms I don't think this is true - the AP is the one that boots up first and loads firmware into the baseband, and at least for the MT6589/6582 the AP can enable protection so that the baseband processor(s) can't access anything outside of the configured ranges. You can look at https://github.com/varunchitre15/MT6589_kernel_source/blob/m... which is the code that initialises the baseband modems by loading their firmware (there are two CPUs in the baseband since this is a dual-SIM SoC), and see the enable_mem_access_protection function at line 863. The table there also shows that properly set up, MD0 and MD1 can only access their respective areas and the small amount of shared memory they use to communicate with the AP.

I haven't looked at them in detail but I'm guessing Qualcomm and Infineon's systems are very different from this?

You are very correct. I'm also running a MT6589 (Haipai Noble N7889) on my own nodded android install.

I'm not worried.

My understanding (from when I worked at Qualcomm until 2011) is that the apps processor was master in new chipsets from that time forward.

I only know of many 'local' vulnerabilities, but those include remote exploits of Android that turn into local radio exploits.

Keep in mind that given my skills at the time, I was looking for the "easy" wins like boundary-checks and logic errors rather than what I would consider more advanced ones like double-free, use-after-free etc.

Given what I've seen of the QCOM assembly that faces userspace, I would say the likelihood that there are low-hanging fruit vulnerabilities in the protocol-facing side of the radio code is near 100%.

To answer your question, yes, "the complexity of the protocols" is what is stopping the majority of attackers IMO.

My phone is a HaiPai Noble N7889.

I have complete control over my phone (baseband and userspace), including a nifty tool sanctioned by MediaTek to insert arbitrary AT commands in my processor at will.

I also have the ability to toggle something on the range of 75 GPIO pins. I'm not entirely sure what they do, so I don't play with them. But aside that, I have complete control over every part of the hardware.

The processor that interprets those AT commands run its own operating system, and it runs a huge codebase implementing at the very least the GSM layer 2/3 and the UMTS layer 2/3 protocols. (Here's(http://cgit.osmocom.org/vovida-gsml/tree/) partially leaks of such code for an old GSM only phone, ramping up at about near 200000 lines of C and C++ code)

It sounds like you don't really have access to that and can e.g. change the protocol messages being exchanged by the BTS/NodeB or the mobile switching center.

Would you please elaborate as to how you have complete control over the baseband ?

Would you further provide the name of the mediatek tool ?

The tool is available on the Google play store: Mobileuncle Tools.

Which FLOSS operating system are you running on the baseband?

Its a modified 4.2.1 android with a Chinese patched Google Play install.

I didn't like the samsung-esque install of their base, so I recompiled to what I liked.

Android does not drive baseband, it runs on application processor.

Baseband processor is separate core that runs its own, realtime OS, that handles radio communication. These OS are not opensource.

The application processor talks to baseband via RIL (rild in Android), which is basically a form of IPC via shared memory.

To recapitulate: In your phone, there is another CPU, with closed-source OS full of bugs, connected via air to network and it has full access to RAM of your application processor.

I hope that it's obvious, that it does not matter, what OS runs on the application CPU.

>(unless you're using one of the few phones with separate userspace and baseband processors)

Such as which ones? Or is this something I quick google could bring up?

Openmoko Neo Freerunner (GTA02), Nokia N900 (afaik) though not recent phones. Then there is GTA04 by Goldelico.

There is also a project called Neo900 which aims to do small upgrades to N900 and fence in baseband even more. You will be in control of application CPU and able to monitor baseband activities.

Couldn't tell you nowadays. IIRC Apple still separates baseband and main CPU. The last ones I recall that did this were Palm devices (potentially up to the WebOS ones).

GSM Arena doesn't appear to have this information. You might have to go through iFixit teardowns. It's also possible this isn't something happening today -- I've been out of this arena for some time.

What you want to look for is something like this, where you see both a CPU and a processor like the MDM6600:


Practically all phones have separate application/baseband processors, since the baseband processing has hard realtime constraints; I think what you're more interested in is whether the baseband CPU has direct access to the main memory and CPU, and that's not something that can be discerned physically. Even with physically separate baseband/AP CPUs, the former might have DMA access to main memory.

Off-topic, but I couldn't help pointing out that saying "DMA access to main memory" is even worse than the classic "ATM machine" or "PIN number."

Since we're nitpicking, no it isn't. DMA is a particular method of accessing memory. You can have direct mapped access, cache mediated, PIO, DMA, etc. There can be many different memories, such as expansion cards, where you could DMA to/from, apart from main memory.

Supposedly the Galaxy Nexus has the baseband separate and communicates over a serial connection. An anonymous person passed this info to the Replicant project. I wish there was a way to verify this.

Unfortunately this is almost guaranteed to bring a legal attack from Qualcomm, with or without actual grounds. I've never encountered a more litigious company in my (long) involvement in electronics, or the tech sector in general. Whether Qualcomm employs more engineers or more lawyers is an open research topic.

Are there any opensource baseband phones out there? Does opensource baseband actually exist? So many people think that they have a phone with opensource software but so many components, especially the baseband can give so much control over the phone.

Osmocom is working on Open Source implementations of both basebands and cell towers, along with various other cell network components: see http://osmocom.org/ for the project and http://bb.osmocom.org/ for the baseband in particular.

OsmocomBB is 2G only and it is functional only on calypso based phones, which are extremely old phones, most of which do not work on US GSM frequencies (IIRC there is one that does).

For one there is the Openmoko Neo Freerunner (GTA02) which has a US version. It also has a seperated baseband only connected by some serial and audio lines.

Related question: does anyone know of any no-baseband devices?

I've been unsuccessfully looking for a wifi-only phone, ideally a relatively modern one which comes with an unlocked bootloader and can easily run Cyanogenmod.

Your best bet is probably to use a phablet and a Bluetooth headset for answering if you want to do VoIP.

Actually that’s one of the reasons I’m excited for smartwatches. Headset + BT-only watch + phablet + Internet AP over Wi-Fi/Bluetooth + VoIP over VPN seems like the most elegant solution to the backdoor baseband and general security and privacy issue right now.

Google’s project Ara would be the most elegant, of course. I hope this is the future, but I don’t know.

Can't you just run a regular phone without a sim and with a snipped antenna lead?

This is an excellent suggestion; thank you. I don't think there would be room for a tablet (or "phablet") in the pockets of any of my current pants or jackets.

I wonder how easy it is to identify the cellular antenna vs. the ones for wifi/Bluetooth/NFC/inductive charging, but definitely something to look into.

no-baseband devices

a wifi-only phone

If you're looking for "Android phone without the phone", you'd be better off looking for an Android tablet.

Here's the video of the talk that Guillaume Delugre did on this pdf at 28C3 in 2011.


It's both fascinating and frightening.

So the usual view is that the capabilities we hear of the NSA having (keeping phone on even when it appears to be off, using GPS etc to locate the phone, transmitting microphone in the background, etc) is enabled in the baseband, when it receives coded requests from the network.

It'd be interesting if reverse engineering of the baseband could find those capabilities and see what's really possible and how it works.

Those capabilities are apparently standardised and documented; see these, for example:




33.106, 33.107, and 33.108 on http://www.3gpp.org/DynaReport/status-report.htm also make for some... interesting reading.

No. You are linking to lawful interception documents. That is not handled in the phone or base station but in the core network. You can not use it to track or listen to shut off devices.

If you're wondering, iPhones have used both Qualcomm and Infineon baseband processors: https://theiphonewiki.com/wiki/Baseband_Device

According to a note in this presentation, Ralf-Philipp Weinmann has noted exploits on broadband processors from both.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact