Explore the intricacies of baseband processor security testing in this Black Hat conference talk. Dive into the development of an emulation environment for Samsung's "Shannon" baseband, combining avatar2 and PANDA frameworks to create a flexible platform for vulnerability research. Learn about the challenges of exploring baseband attack surfaces, including over-the-air testing limitations and debugging difficulties. Discover how the speakers address these issues through their custom emulation environment, ShannonEE. Gain insights into reverse engineering techniques, boot modes, memory structures, and fuzzing methodologies specific to baseband processors. Witness practical demonstrations, including a rediscovery of the "Call of Death" vulnerability. Understand the importance of baseband security in modern mobile phones and cellular networks, covering protocols from 2G to 5G. Conclude with a discussion on future work and potential applications of this emulation approach in enhancing mobile device security.
Overview
Syllabus
Introduction
About me
Agenda
What is a Baseband
Why Basebands
Samsung Baseband
Baseband Emulator
How did we get here
Crashes
Root
Debugging
Scaling
Reverse Engineering
Boot modes
Samsung kernel
Memory structure
Block diagram
Next step
Choosing a framework
Boot UART
UART debugging
Snapshots
The Problem
PiPanda
PAL
The Banner
Fuzzing
Triforce AFL
Target AFL Tasks
GSM Session Management
Fuzz Single
Demo
Rediscovery
Call of Death
Experimental Setup
Calling Demo
Logcat
Wrap Up
Future Work
Release Schedule
Thank You
Questions
Taught by
Black Hat
