28C3: Reverse engineering a Qualcomm baseband

Posted on Sunday, January 15th, 2012 in reversed, RF, talks, wireless by the machinegeek

At the recently concluded Chaos Communication Congress 28C3 “behind enemy lines” conference in Berlin, Germany, Guillaume Delugré presented this talk on reverse-engineering a Qualcomm baseband.

Despite their wide presence in our lives, baseband chips are still nowadays poorly known and understood from a system point of view. Some presentations have highlighted vulnerabilities in GSM stacks across various models of basebands (cf. 27c3: All your baseband are belong to us by R-P. Weinmann). However none of them actually focused on the details of how a baseband operating system really works. This is the focus of our presentation. From the study of a simple 3G USB stick equipped with a Qualcomm baseband, we will discuss how to dump the volatile memory, reverse-engineer the proprietary RTOS, and ultimately execute and debug code while trying to preserve the real-time system constraints.

For more information from this talk or to download the slides in PDF, visit the 28C3 website.

This entry was posted on Sunday, January 15th, 2012 at 5:06 am and is filed under reversed, RF, talks, wireless. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Recent Comments

  • KH: Using an alkaline coin cell down to 1.0V or under is a very bad idea anyway, unless you as the designer or manufacturer don't care...
  • KH: Farnell says TS1001 is no longer stocked. Not on RS. Digikey says it's obsolete. That said, there are a lot of nanoamp-class parts on sale...
  • Peter: Sunday--
  • Chris Brightly: Best of luck to all, including the wayward prototypers yet to post!
  • Wolfi: o/