Professional Documents
Culture Documents
A walk with Shannon
A walk with Shannon
A walk with Shannon
@amatcama
1
Introduction
Amat Cama
●
Independant Security Researcher.
●
CTF player @ Shellphish.
●
Exploitation and Reverse Engineering.
●
Currently interested in Hypervisors and Baseband security reseach.
Previously
●
Security Consultant - Virtual Security Research.
●
Research Assistant - UCSB Seclab.
●
Product Security Engineer – Qualcomm Inc.
●
Senior Security Researcher - Beijing Chaitin Tech Co., Ltd.
2
Agenda
●
Prior Work.
●
Motivation.
●
Cellular Networks ? Baseband ?
●
The Shannon Baseband.
●
Hunting for Bugs.
●
Demo.
●
Conclusions.
3
Prior Work
4
Prior Work
●
“Breaking Band – reverse engineering and exploiting the shannon
baseband” - Nico Golde and Daniel Komaromy.
●
Very useful talk if you want to do research on the shannon baseband.
Lots of scripts and information that will definitely be of help.
5
Motivation
6
Motivation
●
Because it is fun.
●
Unexplored area of research; great opportunity to learn.
●
Many bugs.
●
Big impact.
●
Pwning a phone just by having it connect to a cellular network
sounds pretty cool.
7
Cellular Networks ?
Baseband ?
8
Cellular Networks ? Baseband ?
9
Cellular Networks ? Baseband ?
10
Cellular Networks ? Baseband ?
2G GSM cdmaOne
2.5G GPRS
IS-95 A/B
2.75G EDGE
3G UMTS CDMA2000
4G LTE
11
Cellular Networks ? Baseband ?
12
Cellular Networks ? Baseband ?
CM – Connection SM – Session
Management Management
RLC/LLC – RLC/LLC –
LAPDm Radio/Logical Link Radio/Logical Link
Control Control
Data Link Layer
MAC – Media MAC – Media
Access Control Access Control
Physical Layer
13
Cellular Networks ? Baseband ?
14
Cellular Networks ? Baseband ?
15
Cellular Networks ? Baseband ?
AP
RAM
CP
16
Cellular Networks ? Baseband ?
CP AP
17
The Shannon Baseband
18
The Shannon Baseband
About Shannon
●
Samsung’s Baseband implementation.
●
Typically ships with phones featuring the Exynos SoC.
●
e.g: most non-US Galaxy phones.
●
A RTOS running on an ARM Cortex R7.
19
The Shannon Baseband
20
The Shannon Baseband
2
1
Page 1 Page 2
21
The Shannon Baseband
22
The Shannon Baseband
23
The Shannon Baseband
24
The Shannon Baseband
Identifying Tasks
●
We need to identify the different tasks run by the RTOS.
●
Start reversing from RESET Exception Vector Handler…
●
Look at the start of the different memory regions and you recognize the
Exception Vector Table in one of them.
●
A linked list contains all the different tasks’ entry points, corresponding
stack frames and task names (very useful).
●
Traverse the list and identify all the tasks.
25
The Shannon Baseband
26
Cellular Networks ? Baseband ?
●
The Tasks (II)
GSM GPRS/EDGE LTE
CM – Connection SM – Session
Management Management
RLC/LLC – RLC/LLC –
LAPDm Radio/Logical Link Radio/Logical Link
Control Control
Data Link Layer
MAC – Media MAC – Media
Access Control Access Control
Physical Layer
27
The Shannon Baseband
Task Entry
Check Mailbox
Process
28
The Shannon Baseband
29
Hunting for Bugs
30
Hunting for Bugs
31
Hunting for Bugs
32
Hunting for Bugs
33
Hunting for Bugs
34
Hunting for Bugs
35
Hunting for Bugs
36
Hunting for Bugs
37
Hunting for Bugs
38
Hunting for Bugs
39
Hunting for Bugs
40
Hunting for Bugs
41
Hunting for Bugs
GPRS/EDGE
SM – Session Management
42
Hunting for Bugs
43
Hunting for Bugs
44
Hunting for Bugs
45
Hunting for Bugs
46
Hunting for Bugs
47
Hunting for Bugs
48
Hunting for Bugs
ACTIVATE PDP
CONTEXT ACCEPT
49
Hunting for Bugs
50
Hunting for Bugs
51
Hunting for Bugs
REQUEST PDP
CONTEXT ACTIVATION
ACTIVATE PDP
CONTEXT ACCEPT
52
Hunting for Bugs
53
Hunting for Bugs
54
Demo
55
Conclusions
56
Conclusions
●
Baseband exploitation isn’t as hard as it is percieved to be.
●
You don’t need to know much about cellular networks in order to exploit them.
●
When will we see the first full remote compromise through baseband ?
●
Many targets out there, Huawei, Intel, Qualcomm...
57
?’s
58