how to design a baseband debugger
play

How to design a Baseband debugger SSTIC 2020 June the 3rd - PowerPoint PPT Presentation

May 26, 2023 •15 likes •807 views

How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent Fargues Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

  1. How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent Fargues

  2. Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

  3. Table of Contents Who are we Context Introduction 1 Related Work 3/77

  4. Who are we David Berard Vincent Fargues Synacktiv Offensive security company created in 2012 Soon 74 ninjas! 3 poles : pentest, reverse engineering, development 4 sites : Toulouse, Paris, Lyon, Rennes 4/77

  5. Table of Contents Who are we Context Introduction 1 Related Work 5/77

  6. Galaxy s7 Context Smartphones Most targeted devices Many entry points Browser SMS/MMS Instant messaging Wifj/Bluetooth Baseband Target Samsung phone baseband : Shannon 6/77

  7. Context Smartphones Most targeted devices Many entry points Browser SMS/MMS Instant messaging Wifj/Bluetooth Baseband Target Samsung phone baseband : Shannon Galaxy s7 6/77

  8. Table of Contents Who are we Context Introduction 1 Related Work 7/77

  9. Related Work Previous work - Baseband exploitation Breaking Band – reverse engineering and exploiting the Shannon Baseband - Nico Golde and Daniel Komaromy A walk with Shannon - Amat Cama Previous work - Baseband debugging Rétroconception et débogage d’un Baseband Qualcomm - Guillaume Delugré 8/77

  10. Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

  11. Table of Contents Shannon operating system AP-CP Communications 2 Shannon architecture Boot Dedicated ARM Processor Memory Map 10/77

  12. Dedicated ARM Processor Shannon Communication Processor Developed by Samsung Arm Cortex R7 Used by all non-US Samsung phones Firmware The fjle modem.bin is the code that runs on the Baseband Provided in Samsung Firmware Easy to load in IDA 11/77

  13. Table of Contents Shannon operating system AP-CP Communications 2 Shannon architecture Boot Dedicated ARM Processor Memory Map 12/77

  14. Shannon operating system - Operating system Operating system Real Time OS Many tasks Full mobile phone stack 2G - 5G Communication with Application Processor Communication with SIM cards Remote File System 13/77

  15. Shannon operating system - Tasks Tasks Each task has the same structure Initialization While loop waiting for messages Communication between tasks using a mailbox system 14/77

  16. Shannon operating system - Tasks Mailboxes used for inter-tasks communications 15/77

  17. Table of Contents Shannon operating system AP-CP Communications 2 Shannon architecture Boot Dedicated ARM Processor Memory Map 16/77

  18. AP-CP Communications(1/2) Communications Communications are done with shared memories and mailboxes Mailboxes Each mailbox is used for one way communication Mailbox notifjes the other processor with an interrupt 20 mailboxes are used by the GS7 17/77

  19. AP-CP Communications(2/2) SIPC5 CP and Linux Kernel communicate with a custom protocol called SIPC5 Linux Kernel dispatches to user-space programs with char devices Userland binaries Most of communications are done by 2 binaries cbd : boot and initialization of the Baseband fjrmware rild : Baseband communications, remote fjle system, OEM functionalities 18/77

  20. Table of Contents Shannon operating system AP-CP Communications 2 Shannon architecture Boot Dedicated ARM Processor Memory Map 19/77

  21. Boot(1/6) - Copy of BOOTLOADER part from fmash to physical memory Copy of BOOTLOADER part from fmash to physical memory 20/77

  22. Boot(2/6) - Copy of MAIN part from fmash to physical memory Copy of MAIN part from fmash to physical memory 21/77

  23. Boot(3/6) - Tag memory as Secure Tag memory as Secure 22/77

  24. Boot(4/6) - Verify signature Verify signature 23/77

  25. Boot(5/6) - Confjgure Baseband memory Confjgure Baseband memory 24/77

  26. Boot(6/6) - Start Baseband Processor Start Baseband Processor 25/77

  27. Table of Contents Shannon operating system AP-CP Communications 2 Shannon architecture Boot Dedicated ARM Processor Memory Map 26/77

  28. Memory Map After the Baseband start, some code is copied and the memory layout is as follows Memory Layout 0x00000000 - Bootloader 0x40010000 - Main (Shared with application Processor) 0x04000000 - Tightly Coupled Memory (Not shared) 27/77

  29. Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

  30. Table of Contents Exploit a 1-day vulnerability Debugger injection Baseband code injection 3 29/77

  31. Exploit a 1-day vulnerability : Secure World Baseband Boot Baseband MAIN memory is marked as secure memory by the EL3 monitor Baseband fjrmware signature is checked by the EL3 monitor Required vulnerability A vulnerability in the Baseband itself : but cannot be used to debug the Baseband initialization and is Baseband fjrmware dependant. A vulnerability in the Secure World which allows to bypass the code signature. This kind of vulnerability is not Baseband fjrmware dependant, and permits to load newer and older Baseband versions on a vulnerable phone. Available vulnerabilities Quarkslab has presented a chain of vulnerabilities at Blackhat-US 2019 that allows to gain code execution at the highest privilege on the AP : EL3 monitor => perfect chain for our objective. 30/77

  32. Exploit a 1-day vulnerability : Exploit chain Samsung S7 TrustZone software architecture 31/77

  33. Exploit a 1-day vulnerability : Step 1 Trusted Application Trivial stack buffer overfmow in SSEM Trusted Application Can be reached from Android Userland (need a favorable SElinux context / rooted phone) TEE Kernel does not implement ASLR This Trusted Application is built without stack cookies Communication between TA and Secure Drivers Trusted Application can communicate with driver with IPC Driver may implement a whitelist of allowed TA 32/77

  34. Exploit a 1-day vulnerability : Step 1 Trusted Application Gaining code execution in the SSEM TA. 33/77

  35. Exploit a 1-day vulnerability : Step 2 Secure Driver Trivial stack buffer overfmow in VALIDATOR Secure Driver Can be reached from the SSEM Trusted Application Drivers are just Trusted Application with access to an extended API TEE kernel does not implement ASLR This Secure Driver is built without stack cookies 34/77

  36. Exploit a 1-day vulnerability : Step 2 Secure Driver Gaining code execution in the VALIDATOR Secure Driver. 35/77

  37. Exploit a 1-day vulnerability : Step 3 TEE Kernel Driver API Driver can map physical addresses in their address space TEE Kernel deny some address ranges to be mapped Physical memory access TEE Kernel forgot to denies itself to be mapped by Secure Drivers .... Exploit in VALIDATOR driver can map the TEE Kernel R/W TEE Kernel code can be live patched from the driver adresses verifjcation in the map syscall is NOP’ed Driver can now map everything 36/77

  38. Exploit a 1-day vulnerability : Step 3 TEE Kernel Patching TEE kernel from VALIDATOR driver 37/77

  39. Exploit a 1-day vulnerability : Step 4 Secure Monitor Secure Monitor patching After TEE Kernel patch, driver can map everything Signature check is disabled Function responsible of marking the Baseband memory secure is NOP’ed 38/77

  40. Exploit a 1-day vulnerability : Step 4 Secure Monitor Patching Secure Monitor from VALIDATOR driver 39/77

  41. Exploit a 1-day vulnerability : Patched but still exploitable Anti-rollback mechanism Vulnerable TA and Secure Driver are still loadable (no anti-rollback) TEE Kernel is still vulnerable on the latest fjrmwares (Galaxy S7) 40/77

  42. Table of Contents Exploit a 1-day vulnerability Debugger injection Baseband code injection 3 41/77

  43. BOOT MAIN NV OFFSET Patch the fjrmware : format Firmware Format : TOC The fjrmware starts with a header that contains information for memory segments : address where the section will be copied in the Baseband memory offset in the fjrmware fjle segment size Segments in original fjrmware 42/77

  44. # stop the CBD service setprop ctl.stop cpboot-daemon # start a new one cbd -d -tss310 -bm -mm -P ../../data/local/tmp/modem.bin Patch the fjrmware : add a segment Patches All the debugger code is injected in a new segment (after the MAIN segment) The debugger code starts with an interruption vector table MAIN segment is modifjed to change interruption handler addresses This patched fjrmware can be loaded since Secure Monitor has been patched to remove the signature check Load the patched fjrmware 43/77

  45. Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

  46. Table of Contents Communication Breakpoint handling 4 Debugger development GDBServer Architecture Interrupts Handler Improvements 45/77

  47. Architecture 3 main components Debugger server that runs on the Android Userland A Linux driver that provides the debugger server to communicate with the Baseband Injected code in the Baseband that handles exceptions and communications from/to the debugger server. 46/77

  48. Architecture - Overview Communication between different components 47/77

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so compatible with other stuff this term) Works for C/C++ programs Supports most core debugger features, well examine a few of the most common

261 views • 9 slides
RBS 6000 & Baseband Why Invest in RBS 6000 & Baseband Learning Service ? Better

RBS 6000 & Baseband Why Invest in RBS 6000 & Baseband Learning Service ? Better

RBS 6000 & Baseband Why Invest in RBS 6000 & Baseband Learning Service ? Better controlling and optimizing the network performance Optimal Investment Efficiently building and maintaining competence over system releases

157 views • 12 slides
Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM

Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM

Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM Protocol Stack Harald Krll, Christian Benkeser, Stefan Zwicky, Benjamin Weber, Qiuting Huang Integrated Systems Laboratory, ETH Zurich d S b i h

306 views • 26 slides
1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

Debuggers A very real interactive debugger: gdb Widely used Debugging Runs on everything A classic implementation (with and without Debuggers) Mostly standard debugger technology Design decisions Runs and

274 views • 8 slides
www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee

www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee

Unlocking secrets of proprietary software using www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper

769 views • 35 slides
S oC Design and Test Methodologies for Wireless Communications Baseband Processors Henry Ye

S oC Design and Test Methodologies for Wireless Communications Baseband Processors Henry Ye

S oC Design and Test Methodologies for Wireless Communications Baseband Processors Henry Ye Alcatel-Lucent Hhye@ alcatel-lucent.com WOCC 2007 Overview Evaluation of wireless communication standards. Examples of S oC device used in

388 views • 16 slides
FreeCalypso A fully liberated GSM baseband Mychaela Falconia REcon Montreal 2017 The problem of

FreeCalypso A fully liberated GSM baseband Mychaela Falconia REcon Montreal 2017 The problem of

FreeCalypso A fully liberated GSM baseband Mychaela Falconia REcon Montreal 2017 The problem of the baseband Proprietary baseband/modem/radio processors are an insult to personal computing freedom The problem is even worse for those

1.09k views • 19 slides
All Digital Multi-Gigabit Baseband P. Sandeep M. Seo M. Rodwell U. Madhow ECE Dept, UCSB ECE

All Digital Multi-Gigabit Baseband P. Sandeep M. Seo M. Rodwell U. Madhow ECE Dept, UCSB ECE

Joint Channel and Mismatch Correction for OFDM Reception with Time-interleaved ADCs All Digital Multi-Gigabit Baseband P. Sandeep M. Seo M. Rodwell U. Madhow ECE Dept, UCSB ECE Dept, UCSB All Digital Baseband Digital Baseband

549 views • 31 slides
Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019

Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019

Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019 About Me Software Developer at JetBrains, PyCharm IDE Debugger and Data Science tools @lisa_shashkova 2 Visual Debugger 3

892 views • 68 slides
Multipurpose Baseband Instrument using AsAP Digital Signal Processing Jeremy W. Webb University

Multipurpose Baseband Instrument using AsAP Digital Signal Processing Jeremy W. Webb University

Multipurpose Baseband Instrument Highlights Multipurpose Baseband Instrument IF Multipurpose Baseband Instrument using AsAP Digital Signal Processing Jeremy W. Webb University of California, Davis Electrical & Computer Engineering VLSI

425 views • 21 slides
Complex Baseband Representation Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of

Complex Baseband Representation Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of

Complex Baseband Representation Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 23, 2013 1 / 19 Baseband Signals S ( f ) = 0 , | f | > W | S ( f ) | f W W 2

458 views • 19 slides
The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer

The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer

The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer Tools GAMEWORKS Overview Linux Graphics Debugger Features Agenda Debugging UE4 on Linux Graphics Debugger Thanks to our friends at 2 NVIDIA

598 views • 28 slides
CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240 October 16, 2019 1 / 11 GNU Debugger (gdb) A debugger is a program that simulates/runs another program which can help you find where goes wrong of

127 views • 11 slides
Is SDR Mature For Is SDR mature for Mobile Radios ? Mobile Baseband Solutions ? Prof. Dr. Ulrich

Is SDR Mature For Is SDR mature for Mobile Radios ? Mobile Baseband Solutions ? Prof. Dr. Ulrich

Is SDR Mature For Is SDR mature for Mobile Radios ? Mobile Baseband Solutions ? Prof. Dr. Ulrich Ramacher COM IN Our solution : Baseband Processor MuSIC 3-Level Memory Hierarchy - external DRAM/Flash - Shared Memory - Local Memories

393 views • 11 slides
Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde

Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde

Breaking Band reverse engineering and exploiting the shannon baseband Nico Golde <nico@comsecuris.com> @iamnion Daniel Komaromy <daniel@comsecuris.com> @kutyacica Motivation All your baseband Reverse engineering a Baseband

585 views • 55 slides
OsmocomBB A Free Software GSM baseband firmware Harald Welte gnumonks.org gpl-violations.org

OsmocomBB A Free Software GSM baseband firmware Harald Welte gnumonks.org gpl-violations.org

GSM/3G Network Security Introduction Security Problems and the Baseband OsmocomBB Project Summary OsmocomBB A Free Software GSM baseband firmware Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de Linux

621 views • 37 slides
Format String Vulnerabilities Most slides courtesy Wenliang Du @ Syracuse Univ. (with

Format String Vulnerabilities Most slides courtesy Wenliang Du @ Syracuse Univ. (with

Format String Vulnerabilities Most slides courtesy Wenliang Du @ Syracuse Univ. (with modifications) Outline Format String Access optional arguments How printf() works Format string attack How to exploit the

798 views • 35 slides
Get Started with Qt for MCUs 1.0 Qt All in One - Code Once, Deploy Productive Framework

Get Started with Qt for MCUs 1.0 Qt All in One - Code Once, Deploy Productive Framework

Get Started with Qt for MCUs 1.0 Qt All in One - Code Once, Deploy Productive Framework Everywhere development environment Cross-Platform Powerful & Modern Integrated Development Qt Creator IDE Tools Development Framework Design

1.02k views • 22 slides
Program Development Tools lex makefiles vi and gvim ctags source level

Program Development Tools lex makefiles vi and gvim ctags source level

Program Development Tools lex makefiles vi and gvim ctags source level debugging diff and cmp svn gprof Lexical Analyzers A lexical analyzer reads in a stream of characters as input and produces a sequence of

1.24k views • 87 slides
OMPD and a Case Study with STAT Scalable Tools Workshop Ignacio Laguna and Gregory L. Lee August

OMPD and a Case Study with STAT Scalable Tools Workshop Ignacio Laguna and Gregory L. Lee August

OMPD and a Case Study with STAT Scalable Tools Workshop Ignacio Laguna and Gregory L. Lee August 2, 2016 LLNL-PRES-699267 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory

301 views • 12 slides
Consistent Views at Recommended Breakpoints (bis) Alexandre Oliva aoliva@redhat.com

Consistent Views at Recommended Breakpoints (bis) Alexandre Oliva aoliva@redhat.com

1 Consistent Views at Recommended Breakpoints (bis) Alexandre Oliva aoliva@redhat.com http://identi.ca/lxoliva/ http://people.redhat.com/~aoliva/ GNU Tools Cauldron, 2017 Consistent Views at Recommended Breakpoints (bis) Alexandre Oliva 2

378 views • 13 slides
SMB debugging tools the art of hair pulling Aurlien Aptel <aaptel@suse.com> SUSE Who am

SMB debugging tools the art of hair pulling Aurlien Aptel <aaptel@suse.com> SUSE Who am

SMB debugging tools the art of hair pulling Aurlien Aptel <aaptel@suse.com> SUSE Who am I? Aurlien Aptel Work in SUSE, Samba Team Focus on SMB kernel client aka cifs.ko Cifs-utils, Wireshark, Pike, ... 2 What

575 views • 28 slides
An SVM- -based Masquerade Detection based Masquerade Detection An SVM Method with Online Update

An SVM- -based Masquerade Detection based Masquerade Detection An SVM Method with Online Update

An SVM- -based Masquerade Detection based Masquerade Detection An SVM Method with Online Update Using Method with Online Update Using Co- -occurrence Matrix occurrence Matrix Co Liangwen Chen, Masayoshi Chen, Masayoshi Aritsugi Aritsugi

611 views • 27 slides
eBPF Debugging Infrastructure Current Techniques and Additional Proposals Quentin Monnet

eBPF Debugging Infrastructure Current Techniques and Additional Proposals Quentin Monnet

BPF Microconference 2018-11-15 eBPF Debugging Infrastructure Current Techniques and Additional Proposals Quentin Monnet <quentin.monnet@netronome.com> Debugging Infrastructure What do we want to debug, troubleshoot? To achieve

628 views • 13 slides

More recommend