At the recently concluded Chaos Communication Congress 28C3 “behind enemy lines” conference in Berlin, Germany, Guillaume Delugré presented this talk on reverse-engineering a Qualcomm baseband.
Despite their wide presence in our lives, baseband chips are still nowadays poorly known and understood from a system point of view. Some presentations have highlighted vulnerabilities in GSM stacks across various models of basebands (cf. 27c3: All your baseband are belong to us by R-P. Weinmann). However, none of them actually focused on the details of how a baseband operating system really works. This is the focus of our presentation. From the study of a simple 3G USB stick equipped with a Qualcomm baseband, we will discuss how to dump the volatile memory, reverse-engineer the proprietary RTOS, and ultimately execute and debug code while trying to preserve the real-time system constraints.
For more information from this talk or to download the slides in PDF, visit the 28C3 website.