Exploring the MediaTek Baseband

Exploring the MediaTek Baseband
Marco Grassi (@marcograss) – Kira (@0xKira233)

View Slide

About Us
• Members of Tencent KEEN Security Lab (formerly known as KeenTeam)
• Marco (@marcograss):
• My main focus is iOS/Android/macOS and sandboxes. But now shifted to hypervisors, basebands, firmwares etc.
• pwn2own 2016 Mac OS X Team
• Mobile pwn2own 2016 iOS team
• pwn2own 2017 VMWare escape team
• Mobile pwn2own 2017 iOS Wi-Fi + baseband team
• Kira (@0xKira233):
• Security researcher at Tencent KeenLab
• Interested in hypervisors, basebands etc.
• CTF player in AAA / A*0*E, DEFCON 25 & 26

View Slide

About Tencent Keen Security Lab
• Previously known as KeenTeam
• White Hat Security Researchers
• Several times pwn2own winners
• We are based in Shanghai, China
• Our blog is
https://keenlab.tencent.com/en/
• Twitter @keen_lab

View Slide

Agenda
• Previous Research
• Networks (2G-5G)
• 5G
• Baseband Overview
• The MTK Baseband
• Conclusions

View Slide

Previous Research on MediaTek
• “Understanding, Debugging and Attacking the MediaTek
communication processor” - Charles Muiruri , Nitay Artenstein, Anna
Dorfman
• Introduces the MediaTek modem, where it’s popular and internal structure
• “Path of Least Resistance: Cellular Baseband to Application Processor
Escalation on MediaTek Devices” – Comsecuris, György Miru
• Examine the attack surface from the modem to the application processor in
order to escape the modem and compromise the phone, with a bug.
• Not much public research

View Slide

Previous Research on Basebands
• Exploitation of a Modern Smartphone Baseband (Huawei modem) –
Keen Lab
• A Walk With Shannon (Samsung modem) – Amat Cama
• Comsecuris Blogpost (Intel Baseband)

View Slide

How this research started
• In 2019 we got a contract with a vendor to improve the security of
their modem
• Recently we are working on a 5G project with another vendor
• We previously worked on basebands and also a little bit on the
MediaTek modem
• We disclosed to the vendor a bunch of bugs in the modem and they
were fixed
• This talk covers some of our work, and how to bootstrap your own
research on this modem.

View Slide

Why researching the MediaTek platform is
relevant
• “According to research company Statista, Qualcomm had 45%
overall market share in 2018, followed by Apple with 17%, Samsung
with 14%, MediaTek with 11% and Huawei with 8%.Aug 25, 2019”
• MediaTek has a significant market share, especially on budget-mid
price devices
• They implement a lot of components, the SoC, the modem, etc
• In Europe also there are several popular devices using the MediaTek
SoC and Modem.

View Slide

Networks Overview
• A modem (or “baseband”) is a
set of hardware component that
implements a set of
specifications to communicate
with a cellular network.
• Several “generations”
implemented, 2G to 5G usually
Source: ResearchGate

View Slide

Networks overview (cont)
• Old generations, 2G 2.5G
for example, the phone
don’t authenticate the
base station
• Possible to setup a fake
base station and
impersonate
• Send malicious data
(exploit)
• Some newer stacks starting
from 3G the phone
authenticate the BTS
• Not all layers and
components are protected

View Slide

Network Overview (cont)
• Like most well known network
stacks, mobile stacks are also
“layered”
• Complexity often progressively
higher the higher you go on the
stack
• (think like the difference TCP/IP
vs full blown HTTP web app
running on top of it)

View Slide

5G

View Slide

5G, Why 5G?
• 2G/3G/4G the goal was to have cheap phones and cheap call/data
plans, to get everyone connected.
• 4G, high bandwidth, rich media, HD videos, content.
• Now everyone has a smartphone with a data plan, how the carriers
can make more money? There are no more people to sell a
smartphone and a data plan.

View Slide

5G, Why 5G?
• 5G => cheap radios, lot of capacity.
• How carrier can make money?
• Connect everything! Devices, cars, sensors.
• People already connected, now the only way to expand the market is
to connect “THINGS”

View Slide

5G, The big players
• Huawei
• Qualcomm
• Intel
• ZTE
• Ericsson
• Nokia
• Samsung
• …

View Slide

5G, critical infrastructure
• Expected capacity: 1 million connected objects for 1 km2
• In a 4G and lower network, most of the consumer are end users
• In a 5G network?
• Private deployments (in a factory for example, instead of using wires)
• Connect industrial robots
• Fleet of shared cars in a network slice
• Medical equipment/ personal health equipment
• Semaphores/ road traffic management network.
• In a 4g network, reliability is important, but not TOO critical
• In a 5g one, it might be, if you control critical infrastructure.
• Also the connected devices are different in nature.

View Slide

View Slide

5G, not only smartphones
• This talk is mostly focused on
smartphones because now they are
the main consumers of baseband
devices.
• But this is rapidly changes, it can be
readily applied to other areas such as
smart cars, which have a modem of
course.
• Also, the “endpoints” are not the only
attackable target .. Also base stations

View Slide

5G not only smartphones, use cases
• Enhanced Mobile Broadband (eMBB): richer and faster data
consumption for humans, high definition videos, downloads etc.
• Ultra-Reliable Low-Latency Communications (URLLC): MISSION
CRITICAL applications, that cannot afford delays and unreliabilities.
• Massive Machine-Type Communications (mMTC): Big networks of
potentially low power devices. It must support low power consumtion
and high capacity and low cost.

View Slide

5G devices we are currently researching on
• Huawei, recent models, mate30
pro, and portable wifi 5g router
• Samsung Note 10 5g
• Qualcomm devices

View Slide

Opensource 5G base station
• There is no completely ready solution yet
• Eurecom is working on the OpenAir5G and
created a consortium to foster the
development of a opensource 5G stack
• Possible to use it with a SDR such as a USRP
B210
• Still work in progress
• We are actively tracking the progress and we
hope we can use it (and maybe contribute to
it) in the future for our 5G testing, without
having to use closed source testing
equipment

View Slide

Setting up a BTS software, TIPS and TRICKS
• The best solution in our opinion
for now is to use docker on linux
• Can proxy the USB directly
without the overhead of a
virtualized USB 3.0 controller
(latencies are bad for SDR)
• The BTS software expects all kind
of weird requirements, from
linux version, to dependencies,
to the most exotic ones: kernel
changes or modules
docker run -t -i --privileged -v /dev/bus/usb:/dev/bus/usb
ubuntu bash

View Slide

Attacking the baseband in one slide
+ =
Modified Base station software stack
to trigger the exploit
OpenBSC
OpenBTS
srsLTE
…
Software defined Radio, or
equivalent hardware
USRP
BladeRF
CMU200 (Testing
hardware)
Over the air
exploit RCE inside the
phone
baseband

View Slide

A Modern Smartphone Architecture
• A modern smartphone is not a single CPU
executing an OS anymore.
• Several other processors involved in the radio
area:
• Baseband processor
• Wi-Fi and Bluetooth SoC
• The baseband handles the radio
communication with many types of
networks: 2G, 3G, 4G, 5G etc.
• Those radio components can be attacked
remotely Source:
https://googleprojectzero.blogspot.com/2017/04/over-air-
exploiting-broadcoms-wi-fi_4.html

View Slide

A Modern Smartphone Architecture 2
• The AP runs your OS and apps
(Android for example)
• The Baseband runs a RTOS
• They communicate with
• USB
• PCI-e
• Shared Memory
• SDIO
• …
• Separate systems. If you get RCE you
run code on the Baseband, not the AP.
• The Basebands lag behind in terms of
mitigations compared to the AP
• This lack of mitigations is widespread
between all manufacturers.
Source : https://www.evelta.com/introduction-smartphone-
architecture

View Slide

The Baseband
• Necessary components
• RTOS
• TEEOS handlers
• Kernel modules
• Usermode binary / library (RILD) / application
• …
• Most of them are attackable which depends on your target.

View Slide

How to start your research
• Read the previous work, mentioned before
• Download what you can download from the network.
• Leaked source code if any
• Reverse scripts
• Vendor specific code
• …
• Extract the firmware from phone
• Reverse engineering and bug hunting
• 3GPP TS

View Slide

Leaks online
• There is a widely available old version leaked on github, of some
source code, and object files
• Old ARM version
• Might be still useful for bug hunting
• You still need the firmware of the target though
• The object files can be recompiled and linked together to fuzz in a
binary instrumentation environment such as QEMU

View Slide

Architecture of MTK Baseband
• Lots of functional tasks took over by RTOS
• CM / MM / RR / SM / CC , etc
• AT commands to communicate
• Shared memory between AP and CP
• CCCI (Cross Core Communication Interface)
• IPC channel
• /dev/tty[s]
• CCCI FS
• IOCTL

View Slide

Extract the firmware
• Assume you have a rooted device
• Available at /dev/block/by-name/*
• For kernel
• /dev/block/by-name/boot
• Great tool: https://github.com/nforest/droidimg
• For modem
• /dev/block/by-name/md1img
• No encryption at all

View Slide

Extract modem firmware
• Format can be found in the source
• 010 editor template to visualize
• Code named md1rom
• MIPS16e2
• 52.4 MB
• Debug symbol named md1_dbginfo
Source: https://www.mips.com/press/mediatek-selects-mips-for-lte-modems/

View Slide

What is MIPS16e2
• IDA pro failes to disassemble new instructions
• We wrote tools to help reverse
Source: https://s3-eu-west-1.amazonaws.com/downloads-mips/documents/MD01172-2B-MIPS16e2-AFP-01.00.pdf

View Slide

Start to reverse
• Load symbols from dbg file
• Found in the image and sdcard.
• Format can be guessed
• Or explained in detail:
tools/DebuggingSuite/convertAddr2FuncAndFile.pl
• Fix the segments in IDA
• Guess the base? No!
• https://github.com/sgayou/rbasefind
• Find some entrances to audit
• Important functions’ handlers

View Slide

Task example
• MM (Mobility Management) task
• Main function, typical of RTOS
system and modem, endless
while loop, waiting and
dequeuing messages and
handling them.
• It receives messages from other
tasks and invokes mm_main

View Slide

Task example (cont)
• Huge switch cases
depending on the
message ID
• It’s not hard to find
message handlers,
although they are
sometimes deep into
the state machine
• With the
specifications you can
search for the method
names as well

View Slide

Fuzzing the binary
• Target requirements
• Complex enough to fuzz
• No / Very few IPC calls
• Decode / unpack functions catch our attention
• mcd_unpack
• errc_asn1_decoder
• …
• Write a C wrapper to call the target
• Link what we need and compile provided APIs
• AFL QEMU mode to do the fuzzing

View Slide

Crash log
• Log shows in demsg
• Log files store in the sdcard
• Built-in log tool: *#800# --> Logkit
• MTK makes its own format
• Logged by dhl_trace and other similar functions
• Reverse to get more information

View Slide

mcd_unpack
• General message unpack function
• Every message is handled by it first
• BER encoding / TLV, bit stream like processing

View Slide

mcd_unpack
• Crashes collected and reported
• Each msgid has its sequence of
opcodes
• Works like a CPU
• mcd_unpack_MAXBYTES kills
most of memory corruption in
advance
• Restrict the length at the first stage

View Slide

Vulnerability cases
• CEmmNMSrv::decodeEmergencyNumberList
• EMM ATTACH ACCEPT message
• No check on the index
• No check whether the source msg is big enough
• Heap overflow / OOB read
Source: 3GPP TS 24.008 g20

View Slide

Vulnerability cases
• sm_unpack_config_option
• ACTIVATE PDP CONTEXT ACCEPT message
• config_len_arr is an array on the stack
• No check on the length from our message
• Stack overflow
Source: 3GPP TS 24.008 g20

View Slide

Writing POC
• Our environment
• Ubuntu 18.04 docker
• OpenBTS
• USRP B210
• Find the corresponding class
• Modify the WriteBody method
• OpenBTS will do the rest

View Slide

Mitigations (or lack of)
• Lag behind the modern expected baseline
• No stack cookies in functions performing copies with stack
destinations.

View Slide

Thanks
• We would like to thank the vendor we cooperated with and MediaTek
for fast response and friendly atmosphere
• Open to discussion and feedback
• Very positive experience

View Slide

Questions?

View Slide

View Slide

Exploring the MediaTek Baseband

Exploring the MediaTek Baseband

Marco Grassi

More Decks by Marco Grassi

Other Decks in Research

Featured

Transcript