a walk with shannon
play

A walk with Shannon Walkthrough of a pwn2own baseband exploit. - PowerPoint PPT Presentation

Dec 17, 2022 •139 likes •725 views

A walk with Shannon Walkthrough of a pwn2own baseband exploit. @amatcama 1 Introduction Amat Cama Independant Security Researcher. CTF player @ Shellphish. Exploitation and Reverse Engineering. Currently interested in

  1. A walk with Shannon Walkthrough of a pwn2own baseband exploit. @amatcama 1

  2. Introduction Amat Cama ● Independant Security Researcher. ● CTF player @ Shellphish. ● Exploitation and Reverse Engineering. ● Currently interested in Hypervisors and Baseband security reseach. Previously ● Security Consultant - Virtual Security Research . ● Research Assistant - UCSB Seclab . ● Product Security Engineer – Qualcomm Inc. ● Senior Security Researcher - Beijing Chaitin Tech Co., Ltd . 2

  3. Agenda Agenda ● Prior Work. ● Motivation. ● Cellular Networks ? Baseband ? ● The Shannon Baseband. ● Hunting for Bugs. ● Demo. ● Conclusions. 3

  4. Prior Work 4

  5. Prior Work ● “ Breaking Band – reverse engineering and exploiting the shannon baseband ” - Nico Golde and Daniel Komaromy. ● Very useful talk if you want to do research on the shannon baseband. Lots of scripts and information that will definitely be of help. 5

  6. Motivation 6

  7. Motivation ● Because it is fun. ● Unexplored area of research; great opportunity to learn. ● Many bugs. ● Big impact. ● Pwning a phone just by having it connect to a cellular network sounds pretty cool. 7

  8. Cellular Networks ? Baseband ? 8

  9. Cellular Networks ? Baseband ? What is a Cellular Network ? ● Mobile communication network. ● “Cells” are land areas covered by a base transciever station ( BTS ) . ● To cover a large area, the cells are used in junction: A Cellular Network . ● Technically could be any kind of network, today mostly Mobile Phone Network . 9

  10. Cellular Networks ? Baseband ? The technologies and standards (I) ● A number of technologies and standards developped. ● Different generations with improving speeds and capacity. ● Competing technologies for different generations. 10

  11. Cellular Networks ? Baseband ? The technologies and standards (II) ● Mainly two branches: GSM branch and CDMA branch 2G GSM cdmaOne 2.5G GPRS IS-95 A/B 2.75G EDGE 3G UMTS CDMA2000 4G LTE 11

  12. Cellular Networks ? Baseband ? The technologies and standards (III) ● 3GPP is a collaboration agreement with a number of telecommunication standard bodies. ● Provides maintenance and development of the GSM Technical Specifications (TS) ➔ GSM ➔ GPRS / EDGE ➔ UMTS ➔ LTE ● Is Comprised of bodies such as the European Telecommunications Standards Institute (ETSI). ● The technical standards provide detailed information on the structure of messages exchanged. 12

  13. Cellular Networks ? Baseband ? The Protocol Stack GSM GPRS/EDGE LTE CM – Connection CM – Connection CM – Connection CM – Connection SM – Session Management Management Management Management Management MM – Mobility MM – Mobility MM – Mobility MM – Mobility IP – Internet NAS – Non- GMM – GPRS Mobility Management Management Management Management Protocol Access Spectrum Management Network Layer RR – Radio RR – Radio GRR – GPRS RRC – Radio Radio Resource Resource Resource Resource Management Management Management Control SNDCP – Subnetwork PDCP – Packet Data Dependent Convergence Protcol Convergence Protcol RLC/LLC – RLC/LLC – LAPDm Radio/Logical Link Radio/Logical Link Control Control Data Link Layer MAC – Media MAC – Media Access Control Access Control Physical Layer 13

  14. Cellular Networks ? Baseband ? The Baseband (I) ● Component of the phone in charge of handling communication with the mobile network. ● Deals with low level radio signal processing. ● Supports a number of standards (GSM, 3G, 4G, 5G, cdmaOne, CDMA2000, ...). ● Basically the main “interface” to the mobile network. 14

  15. Cellular Networks ? Baseband ? The Baseband (II) ● A number of different implementations. ● Qualcomm owns most of the market. ● Qualcomm: Galaxy, iPhone, OnePlus, Pixel, Xperia, HTC, LG, ASUS, Motorola, ... ● Huawei: Mate 10, P20, Honor 9, ... ● Samsung : Galaxy S6, S7, S8, S9, ... ● Intel: iphone X, iphone 8, ... 15

  16. Cellular Networks ? Baseband ? The Baseband (III) ● The most common architecture today: baseband firmware runs on a dedicated chip; the cellular processor ( CP ) . ● This chip is tasked with all of the radio processing. ● The code is generally written in low level languages such as C/C++. ● A communication interface between CP and AP (Application Processor) such as shared memory, serial or interrupts. AP RAM CP 16

  17. Cellular Networks ? Baseband ? The Baseband (IV) ● Getting code execution on the CP doesn’t necessarily result in owning the whole device. ● A number of attacks can be performed: ➔ Redirect/Intercept phone calls. ➔ Redirect/Intercept SMS. ➔ Modify Internet traffic. ➔ ... ● A step further; attack the AP through the IPC mechanisms and gain full control of the device. AP CP 17

  18. The Shannon Baseband 18

  19. The Shannon Baseband About Shannon ● Samsung’s Baseband implementation. ● Typically ships with phones featuring the Exynos SoC. ● e.g: most non-US Galaxy phones. ● A RTOS running on an ARM Cortex R7. 19

  20. The Shannon Baseband Obtaining the code (I) ● The modem firmware can be obtained from the phone’s firmware images. ● However it is encrypted and doesn’t seem to be an easy way to decrypt it. ● Luckily it is possible to make the phone generate modem RAM dumps. ● Dialing the code *#9900# brings up the SYSDUMP menu. 20

  21. The Shannon Baseband Obtaining the code (II) 4 2 1 3 21 Page 1 Page 2

  22. The Shannon Baseband Obtaining the code (III) ● Tap on the `DEBUG LEVEL ENABLED/` option and set it to `High`. The phone will reboot. ● Reopen the SYSDUMP menu, scroll down and tap on the `CP RAM LOGGING` option and set it to `On`. The phone will reboot. ● Reopen the SYSDUMP menu and scroll all the way down, tap the `RUN FORCED CP CRASH DUMP` option. The phone will reboot and go into the ram upload mode. Hold the power and volume down button for 10 seconds to turn the phone off and then power it back on. ● Reopen the SYSMDUMP menu and tap the `COPY TO SDCARD(INCLUDE CP RAMDUMP)` option. ● Now in the folder `/sdcard/log` of the device, we have the log files including the ram dump. Largest file in the folder and has a name of the following format `cpcrash_dump_YYYYMMDD_HHSS.log` 22

  23. The Shannon Baseband Obtaining the code (IV) 23

  24. The Shannon Baseband Loading Code in IDA ● The CP Boot Daemon (/sbin/cbd) handles powering on the modem and processing RAM dumps amongst other things. ● Boot code can be found at the start of the encrypted modem image in the firmware packages. ● By reversing the cbd and boot, we can translate the file offsets of the RAM dump to virtual addresses: 0x40000000 0x8000000 0x4000000 0x20000 0x4800000 0x4000 0x3E00 0x200 24

  25. The Shannon Baseband Identifying Tasks ● We need to identify the different tasks run by the RTOS. ● Start reversing from RESET Exception Vector Handler… ● Look at the start of the different memory regions and you recognize the Exception Vector Table in one of them. ● A linked list contains all the different tasks’ entry points, corresponding stack frames and task names (very useful). ● Traverse the list and identify all the tasks. 25

  26. The Shannon Baseband The Tasks (I) ● We end up with a list of tasks with different names, some of them self- explanatory, some of them misleading, some of them hard to understand. ● MM ( M obility M anagement ?) ● LLC ● SMS_SAP ● GRR ● SS ● SAEL3 ● SNDCP ● CC ( C all C ontrol ?) ● SM ( S ession M anagement ?) ● LLC ● ... 26

  27. Cellular Networks ? Baseband ? ● The Tasks (II) GSM GPRS/EDGE LTE CM – Connection CM – Connection CM – Connection CM – Connection SM – Session Management Management Management Management Management MM – Mobility MM – Mobility MM – Mobility MM – Mobility IP – Internet NAS – Non- GMM – GPRS Mobility Management Management Management Management Protocol Access Spectrum Management Network Layer RR – Radio RR – Radio GRR – GPRS RRC – Radio Radio Resource Resource Resource Resource Management Management Management Control SNDCP – Subnetwork PDCP – Packet Data Dependent Convergence Protcol Convergence Protcol RLC/LLC – RLC/LLC – LAPDm Radio/Logical Link Radio/Logical Link Control Control Data Link Layer MAC – Media MAC – Media Access Control Access Control Physical Layer 27

  28. The Shannon Baseband The Tasks (III) ● Different tasks are used for different components and layers of the protocol stacks. ● Tasks communicate with each other using a mailbox system. ● Tasks are pretty much while loops waiting to process messages (from other tasks). Task Entry Check Mailbox Process Post Message in Mailbox’ 28

  29. The Shannon Baseband The Tasks (IV) ● Pick a task and start reversing. ● The Code is pretty generous in that it contains a lot of strings. 29

  30. Hunting for Bugs 30

  31. Hunting for Bugs Setting up an environment (I) ● The goal is to be able to send arbitrary data the the baseband. ● Need to operate our own cellular network. ● Can be achieved with a Software Defined Radio ( SDR ) . ● The Mobile Network Stack / Standard is implemented in software that runs on our computers. ● The SDR (device) is a general purpose transciever that supports different frequencies. 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley Daphne bholua Chimonanthus praecox Luteus Edgeworthia chrysantha grandiflora

487 views • 27 slides
Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES Identify ways to make an impact through Walk MS. Be equipped to demonstrate boldness and enthusiasm when asking friends and family to join you in

407 views • 29 slides
Mid Shannon Wilderness Park The potential future of the Longford bogs Mid Shannon Potential 22

Mid Shannon Wilderness Park The potential future of the Longford bogs Mid Shannon Potential 22

Mid Shannon Wilderness Park The potential future of the Longford bogs Mid Shannon Potential 22 Longford Tourism Projects-Mid Shannon Wilderness Park Mid Shannon Trail Longford Shannon Greenway Our National Goal

601 views • 20 slides
Monitoring US Military and CIA use of Shannon Airport www.shannonwatch.org John Lannon Shannon

Monitoring US Military and CIA use of Shannon Airport www.shannonwatch.org John Lannon Shannon

Monitoring US Military and CIA use of Shannon Airport www.shannonwatch.org John Lannon Shannon a Civilian Airport? Facilitating US war activities in Afghanistan and Iraq An important node in the US renditions network Munitions

450 views • 18 slides
Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The ISIS Walk The ISIS Walk 3 the ISIS Walk guide hyperspace package We will be introducing the ISIS Walk DVD this Fall 2010 with the option

912 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of

Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of

Roslindale Village Walk Assessment Walk Assessment Introduce all participants Discuss basics of walking infrastructure Walk through Roslindale Village Discuss observations and recommend improvements Next Steps: Review report/submit comments

375 views • 19 slides
Morphology: The Study of Word Structure How words are put together out of smaller pieces that

Morphology: The Study of Word Structure How words are put together out of smaller pieces that

Morphology: The Study of Word Structure How words are put together out of smaller pieces that linguists call morphemes , the minimal units of linguistic form and meaning. 1 / 41 dog, dog+s, bull+dog walk, walk+s, walk+ed, walk+ing,

806 views • 41 slides
NUTRITION, THE GUT AND MENTAL HEALTH SCOTT SHANNON, MD FAACAP MARY RONDEAU, ND, RH(AHG)

NUTRITION, THE GUT AND MENTAL HEALTH SCOTT SHANNON, MD FAACAP MARY RONDEAU, ND, RH(AHG)

NUTRITION, THE GUT AND MENTAL HEALTH SCOTT SHANNON, MD FAACAP MARY RONDEAU, ND, RH(AHG) DISCLOSURES Dr Shannon has published two textbooks on integrative mental health and two on parenting. Dr. Shannon is a PI/researcher on The Phase

1.1k views • 60 slides
Giving Ireland Wings The Development of the Shannon Aviation &

Giving Ireland Wings The Development of the Shannon Aviation &

Giving Ireland Wings The Development of the Shannon Aviation & Aerospace Cluster as Smart Specialisation 01 October 2015 History Shannon Airport dates from the 1940s

640 views • 15 slides
Rethink the Walk Bridge Rethink the Walk Bridge About Us Norwalk Harbor Keeper is a 501 (C) (3)

Rethink the Walk Bridge Rethink the Walk Bridge About Us Norwalk Harbor Keeper is a 501 (C) (3)

Rethink the Walk Bridge Rethink the Walk Bridge About Us Norwalk Harbor Keeper is a 501 (C) (3) non-profit organization. Its members are City of Norwalk residents. Its purpose is to advocate for clean and accessible waterways in and around

621 views • 13 slides
Shannon et la thorie de linformation 16 avril 2018 Olivier Rioul

Shannon et la thorie de linformation 16 avril 2018 Olivier Rioul

Shannon et la thorie de linformation 16 avril 2018 Olivier Rioul <olivier.rioul@telecom-paristech.fr> Do you Know Claude Shannon? the most important man... youve never heard of 2 / 70 Olivier Rioul Shannon and

908 views • 71 slides
" Walk k fo for Hope 11 th Annual Albany Capital District Walk for Pancreatic Cancer

" Walk k fo for Hope 11 th Annual Albany Capital District Walk for Pancreatic Cancer

" Walk k fo for Hope 11 th Annual Albany Capital District Walk for Pancreatic Cancer Research Sunday, Sept. 7, 2014 Elm Avenue Town Park Delmar, New York 12054 Local Sponsorship Opportunities Sponsorship contact: Shari Piper Email:

164 views • 14 slides
John Finley Walk ADA Ramps Located at East 82nd and East 83rd Streets, John Finley Walk Borough

John Finley Walk ADA Ramps Located at East 82nd and East 83rd Streets, John Finley Walk Borough

John Finley Walk ADA Ramps Located at East 82nd and East 83rd Streets, John Finley Walk Borough of Manhattan Community Board 8 Presentation May 3, 2017 Parks Capital Design GOALS Provide disabled accessibility to the John Finley Walk

370 views • 16 slides
LEASE EXTENSIONS PRESENTATION TO OWNERS OF MARINERS WALK MARINERS WALK AGM 30 th JULY 2012

LEASE EXTENSIONS PRESENTATION TO OWNERS OF MARINERS WALK MARINERS WALK AGM 30 th JULY 2012

LEASE EXTENSIONS PRESENTATION TO OWNERS OF MARINERS WALK MARINERS WALK AGM 30 th JULY 2012 David Robson MA(Oxon) MSc MRICS Tom Merralls (LLB) Solicitor Why should I extend my lease? Valuation and legal services How do we progress

622 views • 23 slides
Shannon decomposition Claude Shannon mathematician / electrical engineer (1916 2001) William

Shannon decomposition Claude Shannon mathematician / electrical engineer (1916 2001) William

Shannon decomposition Claude Shannon mathematician / electrical engineer (1916 2001) William Sandqvist william@kth.se (Ex 8.6) Show how a 4-to-1 multiplexer can be used as a "function generator" for example to generate the OR

773 views • 73 slides
Oklahoma Department of Corrections Office of the Inspector General CONTRABAND CELLULAR

Oklahoma Department of Corrections Office of the Inspector General CONTRABAND CELLULAR

Oklahoma Department of Corrections Office of the Inspector General CONTRABAND CELLULAR TELEPHONES October 21, 2019 Inspector General Biography Mr. Anderson is a native Oklahoman with 28 years of law enforcement experience. Mr. Anderson is a

182 views • 14 slides
An Introduction to Legal Epidemiology as a Tool to Study Public Health Law A Mini-Course for

An Introduction to Legal Epidemiology as a Tool to Study Public Health Law A Mini-Course for

An Introduction to Legal Epidemiology as a Tool to Study Public Health Law A Mini-Course for Public Health Practitioners and Academics CDC-PHLP Disclaimer These course materials are for instructional use only and are not intended as a

737 views • 72 slides
Copart Informational Supplement April 2016 Safe Harbor This presentation contains forward-

Copart Informational Supplement April 2016 Safe Harbor This presentation contains forward-

Copart Informational Supplement April 2016 Safe Harbor This presentation contains forward- looking statements that are based on managements current expectations and beliefs and are subject to a number of risks, uncertainties and assumptions

724 views • 51 slides
Energy Transition towards a Cellular Smart Grid Community Grid Edge Flexibility & Power

Energy Transition towards a Cellular Smart Grid Community Grid Edge Flexibility & Power

GridSens & Smart Grid II Meeting Strathclyde 3 Feb 2016 Energy Transition towards a Cellular Smart Grid Community Grid Edge Flexibility & Power Quality Empowering Energy Citizens Building Regulated Smart

628 views • 46 slides
Cellcom Israel 1 FORWARD LOOKING STATEMENTS The following information contains, or may be

Cellcom Israel 1 FORWARD LOOKING STATEMENTS The following information contains, or may be

Cellcom Israel 1 FORWARD LOOKING STATEMENTS The following information contains, or may be deemed to contain forward-looking statements (as defined in the U.S. Private Securities Litigation Reform Act of 1995 and the Israeli Securities Law,

498 views • 21 slides
Friday, August 9, 2019 Purpose Welcome Meet the school staff Share important

Friday, August 9, 2019 Purpose Welcome Meet the school staff Share important

B 3 : Believe in Benteens Brilliance! Frederick Wilson Benteen Elementary Friday, August 9, 2019 Purpose Welcome Meet the school staff Share important information about the school Learn about programs and initiatives for the

903 views • 40 slides
MESO-SCALE MODELLING OF SHOCK WAVE PROPAGATION IN A CELLULAR GLASS PARTICLE REINFORCED

MESO-SCALE MODELLING OF SHOCK WAVE PROPAGATION IN A CELLULAR GLASS PARTICLE REINFORCED

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS MESO-SCALE MODELLING OF SHOCK WAVE PROPAGATION IN A CELLULAR GLASS PARTICLE REINFORCED THERMOPLASTIC COMPOSITE K.A. Brown*, R. Brooks and O. Awoyemi Division of Materials, Mechanics and

408 views • 6 slides
E L Consumer Consumer P Protection Protection M Project Project A S Nicole Gordillo,

E L Consumer Consumer P Protection Protection M Project Project A S Nicole Gordillo,

E L Consumer Consumer P Protection Protection M Project Project A S Nicole Gordillo, Tyler Ballesteros, Simone Singh, & Jackson McDonough E 47 U.S. Code 227 The Telephone Consumer Protection Act (TCPA) is a federal

431 views • 21 slides

More recommend