The New Rise of Mobile Network and Baseband

Marco Grassi

July 01, 2019

1. About Me
• Member of Tencent KEEN Security Lab (formerly known as KeenTeam)
• Marco (@marcograss)
• My main focus was iOS/Android/macOS and sandboxes, but recently I shifted to hypervisors, basebands, firmware etc.
• pwn2own 2016 Mac OS X team
• Mobile pwn2own 2016 iOS team
• pwn2own 2017 VMware escape team
• Mobile pwn2own 2017 iOS Wifi + baseband team (pwned Huawei baseband RCE)

2. About Tencent Keen Security Lab
• Previously known as KeenTeam
• White hat security researchers
• Several times pwn2own winners
• We are based in Shanghai, China
• Our blog is https://keenlab.tencent.com/en/
• Twitter @keen_lab
3. 5G

4. 5G, Why 5G?
• For 2G/3G/4G the goal was to have cheap phones and cheap call/data plans, to get everyone connected.
• 4G: high bandwidth, rich media, HD videos, content.
• Now everyone has a smartphone with a data plan, so how can the carriers make more money? There is nobody left to sell a smartphone and a data plan to.

5. 5G, Why 5G?
• 5G => cheap radios, lots of capacity.
• How can carriers make money?
• Connect everything! Devices, cars, sensors.
• People are already connected, now the only way to expand the market is to connect “THINGS”

6. 5G, The big players
• Huawei
• Qualcomm
• Intel (recently announced they dropped out of 5G for the iPhone baseband?)
• ZTE
• Ericsson
• Nokia
• Samsung
• …

7. 5G, critical infrastructure
• Expected capacity: 1 million connected objects per km²
• In a 4G and lower network, most of the consumers are end users
• In a 5G network?
• Private deployments (in a factory for example, instead of using wires)
• Connected industrial robots
• Fleets of shared cars in a network slice
• Medical equipment / personal health equipment
• Traffic lights (semaphores) / road traffic management networks
• In a 4G network, reliability is important, but not TOO critical
• In a 5G one, it might be, if you control critical infrastructure.
• Also the connected devices are different in nature.

8. 5G, not only smartphones
• This talk is mostly focused on smartphones because right now they are the main consumers of baseband devices.
• But this is rapidly changing; the same work can be readily applied to other areas such as smart cars, which of course have a modem.
• Also, the “endpoints” are not the only attackable target: base stations are too.

9. 5G not only smartphones, use cases
• Enhanced Mobile Broadband (eMBB): richer and faster data consumption for humans, high definition videos, downloads etc.
• Ultra-Reliable Low-Latency Communications (URLLC): MISSION CRITICAL applications that cannot afford delays and unreliability.
• Massive Machine-Type Communications (mMTC): big networks of potentially low-power devices. It must support low power consumption, high capacity and low cost.
10. Before switching to the baseband part, a few words about the base station
• Traditional attacks are focused on the mobile/modem endpoint
• What about the base station?
• If a rogue base station can attack a mobile phone, then a rogue radio or rogue mobile phone can attack the base station (the opposite direction)
• The impact is much higher since it affects all the devices managed by that cell (or more: the core network)

11. Asymmetry of attack
• Attacking a device on a 3G or newer network is more difficult because the device authenticates the network, and as attackers we don’t have the keys (unless we downgrade to a 2G network)
• On the other hand, if we want to attack a network (base station and core network), we can simply buy a SIM card and we can!
• Not much research on this… yet…
• Little to no research in this area, so it might be fruitful
• Equipment for research is not easy to obtain, but can be found.
• 2nd hand BTS and core networks can be purchased

12. How to attack a base station in one slide
• Modified mobile terminal software stack (srsUE, modified baseband software, the C118 osmocom project, …)
• + Software defined radio, or hardware such as the Motorola C118, or a smartphone with code injected inside the modem
• + SIM card
• = Over-the-air exploit: RCE inside the base station or core network.
13. Basebands: The challenges
• A baseband includes a piece of software generally running on a separate CPU, implementing an RTOS and the radio stacks.
• Closed source (except for source code leaks)
• No debug/introspection capabilities out of the box
• Extensive reverse engineering work required
• Knowledge of the specifications is a must

14. An alternative story
• The Application Processor side of the iPhone is getting more and more mitigations and security scrutiny.
• Recently PAC, and more and more auditing.
• There are several other paths of least resistance.
• The baseband is one of them
• It can become a 0-click entry point
• Basebands are VERY complex.
• Complexity is an enemy of the vendor, but a friend of the attacker.

15. The Intel Baseband: Intro
• We will not cover the baseband basics for time constraints; you can find them in other talks, most notably:
• Amat Cama, A Walk With Shannon (Samsung)
• Comsecuris, Breaking Band (Samsung)
• Keen Lab, Exploitation of a Modern Smartphone Baseband (Huawei)
• Charles, Nitay, Anna, The Baseband Basics (Multiple)
• Guy, From Zero to Infinity (Intel)
• Comsecuris, There's Life in the Old Dog Yet (blog post on the iPhone Intel baseband)
• The iPhone XR has the Intel (X-GOLD) XMM7560 model

16. Attacking the baseband in one slide
• Modified base station software stack to trigger the exploit (OpenBSC, OpenBTS, srsLTE, …)
• + Software defined radio, or equivalent hardware (USRP, BladeRF, CMU200 testing hardware)
• = Over-the-air exploit: RCE inside the phone baseband
17. Getting the baseband
• Grab the ipsw link of your choice, for example iPhone XR
• Shameless plug: save time by grabbing https://github.com/marcograss/partialzip
• You can download single files from inside the huge ipsw, saving time/bandwidth
• Use the “list” command to find the baseband firmware, for example “Firmware/ICE18-1.03.08.Release.bbfw”
• Use the download command to get just that file (~40 MB instead of 3 to 4 GB)
• You are welcome.
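An offline sketch of the trick partialzip relies on, added here as an example (it is not partialzip’s own code): a zip’s central directory sits at the end of the archive, so a client that can request byte ranges needs only the tail plus the one member it wants, never the whole ipsw. The bbfw member name is the one from the slide; the archive contents, the RangeReader standing in for HTTP Range requests and the lack of zip64 handling are assumptions.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"

class RangeReader:
    """Stands in for HTTP Range requests and counts the bytes fetched (constructed)."""
    def __init__(self, blob: bytes):
        self.blob, self.size, self.fetched = blob, len(blob), 0

    def read(self, start: int, length: int) -> bytes:
        self.fetched += length
        return self.blob[start:start + length]

def list_entries(rr: RangeReader) -> dict:
    """Fetch only the EOCD record and central directory; {name: (offset, csize, method)}."""
    tail_len = min(rr.size, 22 + 65535)            # EOCD plus maximum comment
    tail = rr.read(rr.size - tail_len, tail_len)
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no EOCD record (not a zip, or zip64 only)")
    cd_size, cd_off = struct.unpack_from("<II", tail, pos + 12)
    cd, p, entries = rr.read(cd_off, cd_size), 0, {}
    while cd[p:p + 4] == CDH_SIG:
        f = struct.unpack_from("<4s6H3I5H2I", cd, p)   # 46-byte central header
        method, csize, nlen, elen, clen, off = f[4], f[8], f[10], f[11], f[12], f[16]
        entries[cd[p + 46:p + 46 + nlen].decode()] = (off, csize, method)
        p += 46 + nlen + elen + clen
    return entries

def download_entry(rr: RangeReader, entries: dict, name: str) -> bytes:
    """Fetch one member only: its 30-byte local header, then csize bytes."""
    off, csize, method = entries[name]
    nlen, elen = struct.unpack_from("<HH", rr.read(off, 30), 26)
    data = rr.read(off + 30 + nlen + elen, csize)
    if method == 0:                                  # stored
        return data
    if method == 8:                                  # deflate (raw stream)
        return zlib.decompress(data, -15)
    raise ValueError(f"unsupported compression method {method}")

def make_sample_ipsw() -> bytes:
    """Constructed stand-in for an ipsw: one big stored member plus a small dummy bbfw."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("big_rootfs.dmg", bytes(2_000_000), zipfile.ZIP_STORED)
        z.writestr("Firmware/ICE18-1.03.08.Release.bbfw", b"dummy bbfw", zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Against a real multi-gigabyte ipsw the fetched byte count stays at roughly 64 KB plus the member itself; archives that need zip64 records are outside what this sketch parses.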
18. The bbfw
• The bbfw is just a zip file
• Extract it; it is composed of several ELFs
• SYS_SW.elf is where the main OS/stack is located
• It says ELF for ARM… but it’s Intel (from the iPhone XS and XR onwards; before that it was ARM)
• Patch the ELF header to make it Intel arch (010 Editor with the ELF template is a good choice), then load it into IDA Pro
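The header patch from the slide done programmatically, as an added example rather than the talk’s own tooling: the script validates the ELF magic, reads class, byte order and e_machine, and rewrites e_machine only when the header really claims ARM. That the right target is 32-bit x86 (EM_386) and the 52-byte stand-in header are assumptions; the sample is not real baseband firmware.

```python
import struct

# ELF e_machine constants from the ELF specification.
EM_386 = 3          # x86, 32-bit (assumed target for the Intel baseband)
EM_ARM = 40         # ARM, what the SYS_SW.elf header claims
ELF_MAGIC = b"\x7fELF"
E_MACHINE_OFF = 18  # e_machine sits at the same offset in ELF32 and ELF64

def parse_elf_header(data: bytes) -> dict:
    """Return class, byte order, e_type and e_machine of an ELF header blob."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"bits": 32 if ei_class == 1 else 64, "endian": endian,
            "type": e_type, "machine": e_machine}

def patch_e_machine(data: bytes, new_machine: int = EM_386) -> bytes:
    """Rewrite e_machine so a disassembler picks the real ISA.
    Refuses anything whose header is not EM_ARM, so an already patched file
    (or a file that is not the expected firmware) is not silently relabelled."""
    hdr = parse_elf_header(data)
    if hdr["machine"] != EM_ARM:
        raise ValueError(f"expected EM_ARM header, got e_machine={hdr['machine']}")
    buf = bytearray(data)
    struct.pack_into(hdr["endian"] + "H", buf, E_MACHINE_OFF, new_machine)
    return bytes(buf)

def make_sample_elf32_arm() -> bytes:
    """Constructed 52-byte ELF32 header (little-endian, ET_EXEC, EM_ARM, no
    program or section headers) standing in for SYS_SW.elf; not real firmware."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, LSB, EV_CURRENT
    rest = struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0, 0, 0, 0,
                       52, 32, 0, 40, 0, 0)
    return e_ident + rest

if __name__ == "__main__":
    # For a real file: open("SYS_SW.elf", "rb").read(), patch, write back.
    original = make_sample_elf32_arm()
    patched = patch_e_machine(original)
    print(parse_elf_header(original)["machine"], "->", parse_elf_header(patched)["machine"])
```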
19. Reversing the firmware
• I prefer to use the ARM version of the firmware because IDA Pro handles it better
• It has several disadvantages compared to the x86 ones:
• It’s the older baseband model
• Lack of some network support such as CDMA
• Baseband reversing is not straightforward… You can check the talk “Breaking Band” by Comsecuris; it’s basically a continuous wash and rinse, until you have a usable IDB
• More challenging on Intel IMO since there are fewer strings than in Samsung Shannon

20. Reversing the firmware
• Around 120k functions
• The first thing to do is to find the alloc/free variants and the RTOS APIs
• Not too hard to find
• You can then find the init functions of the tasks, and the handler functions of the threads
• Hint: UtaOsThreadCreate

21. “Important” threads
• There are descriptions in memory for the threads that handle the juicy radio stuff, where you want to find the RCEs.
• Stuff like GMM, GRR, mobility management, EMM etc. is there.
• You need a good knowledge of the specs to choose what to go after..

22. Threads
• Like most basebands/RTOSes, they constantly wait for messages, dequeue them and then handle them (including the radio messages)
• Lots of messages are intra-task; not all are relevant for over-the-air content

23. Memcpy_s
• Like Qualcomm and Huawei, they have a “secure” version of memcpy, checking bounds on destination and source (if properly specified)

24. Message handling
Messages between tasks and over the air are usually described programmatically in arrays with IDs and handlers

25. How to get more debugging info from the baseband
• Go to https://developer.apple.com/bug-reporting/profiles-and-logs/
• Download and install the “Baseband.mobileconfig” profile for iOS
• Reboot the device
• You can also trigger a sysdiagnose by holding both volume buttons and the top button
• Get some (very) basic information on a baseband crash (task, address of abort, …)
26. Escaping the baseband (example)
• Starting point: the baseband, where you have code exec
• Paths to the Application Processor: PCI-E, UserClient etc.
• Target 1: Kernel
• Target 2: CommCenter
• Others
• You have several places where you can trigger a second bug on the Application Processor from the baseband: Kernel, CommCenter, others
• (Keep in mind that at this point you will still have to face PAC, since we move on to the Application Processor)

27. Intel Baseband Application Processor interface on iPhone XS/XR (Kernel)
• Relevant IOKit classes and components that we can gather from ioreg:
• Connected over PCIe (baseband-pcie), it is an IOPCIDevice
• Has 2 IODeviceMemory regions, one of 0x1000 and one of 0x100
• AppleBasebandPCI
• Baseband (IOPlatformDevice)
• Has an interesting “function-coredump”
• AppleBasebandD101
• AppleBasebandPCIICEControl
• AppleBasebandPCIRTIDevice
• AppleBasebandPCIRTIInterface
• AppleBasebandPCIPDPADAMSkywalk
• Others… Not enough space… But you can see there is a lot of «meat»

28. Intel Baseband Application Processor interface on iPhone XS/XR (Usermode)
• AppleBasebandUserClient
• Used by «CommCenter» but also by «locationd» to communicate with the kernel

29. CommCenter
• Usermode launch daemon related to the modem
• Huge binary, 24 MB plus libraries
• Runs as the “_wireless” user
• It has a couple of “helpers”: CommCenterMobileHelper, CommCenterRootHelper
• “CommCenter is a 30 MB binary, even with PAC I bet you can find the right primitives” - qwerty

30. How to make your research easier
• Researching on iPhone often requires a jailbreak on the latest version…
• You can do some of the research on older models, or wait in 2019 for Intel to push some new Android models with the new XMM
• Asus Zenfone 2 (Android, old as fuck)
• Some Sierra Wireless modules

31. The future (guesses)
• ASLR will soon come to all mainstream basebands, making the bar for RCE higher; this could in theory be implemented right now
• Intel CET or ARM64 PAC in the future, when new SoCs come out?
32. Huawei P30 baseband
• The phone is based on the Kirin 980
• The baseband load address appears to be 0x20000000
• RAM size should be 0x9B00000
• The architecture is ARM, like in past years
• “sec_balong_modem.bin” in modem.fw; the stuff prefixed with sec_ is encrypted
• You can load it in IDA Pro fairly easily (if you can get the decrypted firmware, of course)

33. Huawei baseband new mitigations
• “MODEM_SANITIZER” kernel configuration
• Seems not to be set at the moment on the P30
• If enabled, it hints that stack cookies + modem ASLR are deployed.
• balong_product_config_drv.mk
• New Kirin 980

34. Sanitizers?
• v_blkMem.h
• ASAN tracking has a PID
• Maybe used to track baseband tasks’ memory?
• Hard to say without their debug builds; have to speculate.

35. ASLR is coming? Crumbs in the Huawei P30 baseband code
• Calls are indirect
• The register load with the target is split in 2
• In future, add the ASLR offset to the upper bits?
• IDA resolves those
• Just speculation

36. Huawei baseband new mitigations
• For sure, when enabled, those 2 mitigations significantly raise the bar for exploitation
• For example, some stack overflows are dead with stack cookies, or need an additional cookie leak
• ASLR requires an infoleak as well, maybe
• If it’s implemented properly. Often mistakes are made, especially in the first implementations.

37. Significant code efforts, but only on new models…
• The code in the P30 went under a lot more scrutiny and rewriting (NEWNAS)
• Many bugs were actually fixed
• Sadly Huawei ships very old builds on phones that are still updated, even modem builds more than 1 year old.
• Only the latest model is constantly updated.
• AFAIK the baseband modem doesn’t affect the Android “Security Patch Level”, but I might be wrong.

38. A few words about the leaked source code
• Weirdly, still widely available online after several years.
• Most of the bugs you find in the source code are likely dead; the source code is old.
• Still extremely useful for starting RE.
• That’s how we found our pwn2own RCE (auditing)
• You can probably still find bugs this way.

39. Conclusions
• 5G will bring more modems around; baseband research will be more relevant in the future.
• Vendors are trying to increase the mitigations in the baseband; Huawei especially is putting in significant effort.
• The research area of base station and core network memory corruption attacks still remains open because of the high entry barrier.
• Security by obscurity in 2019 rarely works.. Even Apple is giving up on encrypting firmware, but Huawei is now encrypting as much as possible.
• Like with Apple, researchers will find ways to get the firmware.