Overview
Syllabus
Intro
MBA and Modem images
Modem Secure Boot
TOCTOU Vulnerability Bypass Secure Boot
Debug Server Injection
Qualcomm WLAN Architecture
Example - WIFI List
Firmware
Reverse Engineering - Hint From Qualcomm
Reverse Engineering - Offload Handlers
Sample Offload Handler
The Roadmap
Mitigation Table (WLAN & Modem)
The Vulnerability (CVE-2019-10540)
Data & Address of Overflow
Smart Pointer Around Overflow Memory
Usage Of Smart Pointer
Global Write With Constraint
Control PC & RO
Transform To Arbitrary Write
Run Useful FOP Gadget
Memory Mapping RWX
Copy Shellcode to 0x42420000
Trigger Shellcode
From WLAN to Modem
Map Modem Memory into WLAN
The Attack Surfaces
Memory Management of Qualcomm Multi-Processor
CVE-2019-10538
Deliver the Payload Over-The-Air
Deliver the Payloads Using Pixel2
Demo
Future Works
Taught by
Black Hat