Last month we gave a presentation at REcon about Samsung baseband security. The slides are available here. In the talk, we discuss steps for understanding the proprietary firmware format, reverse engineering the RTOS, figuring out the security architecture, analyzing the attack surface to find vulnerabilities, and, finally, writing an exploit to achieve remote code execution.
During our journey, we found several tricks that often prove useful during the reverse engineering of embedded devices nicely applicable to our usecase. We hope that our collection of custom-built reverse engineering tools will prove valuable for others wanting to build on our research on Shannon, or in the baseband/embedded security space in general. With that, as we promised at REcon, today we are releasing our tools. Hop on over to our github and check them out!
If you have a comment or a question, get in touch or submit a pull request!
Tools Overview
https://github.com/comsecuris/shannonRE
├── 010
│ └── sam.bt [010 template for Shannon's TOC header format]
├── android
│ ├── collect-ramdump.sh [Collect ramdumps using cbd directly, requires root]
│ └── download-dump.sh [Collect ramdumps using the menu, does not require root]
├── idapython
│ ├── loader
│ │ └── sam_modem_ramdump.py [IDA loader for the Shannon MAIN image]
│ ├── misc
│ │ └── clean-IDC.sh [Clean up an IDC by removing {comments, filenames, *_something named labels, deletes}]
│ │ └── typeinfo.idc [Structure definitions for a Shannon idb]
│ └── plugins
│ ├── def_arm32_functions.py [Auto-find more functions by scanning for prologues]
│ ├── find_mcr.py [Find and label all the mcr instructions in an idb]
│ ├── label_functions.py [Label function names automatically using string references]
│ ├── name_msg_handlers.py [Name an L3 task's message handlers in its dispatch table automatically]
│ ├── parse_mpu.py [Parse the modem's MPU config table and pretty print all the configuration rules]
│ ├── pseudocomments.py [Save/Restore pseudocode comments from/to an idb. This is useful because IDCs lack these.]
│ ├── register_map.py [Label the register map inside a modem ramdump]
│ ├── stackscan.py [Identify possible stackframes inside a modem ramdump]
│ └── taskscan.py [Walk the task linked list in a modem ramdump to enumerate and label tasks]
└── modem
├── memdump.py [Dump memory ranges live from the modem]
├── readmem.py [Read memory from a modem address]
├── unpack_modem.py [Split up a modem image into its TOC parts (Boot, Main, etc)]
└── writemem.py [Write memory to a modem address]