qc baseband stuff

mobile stuff / deploying core network + eNodeB

slides on LTE / attack surface nickvsnetworking

  • srsRAN eNodeB + Open5GS + Kamailio :
  • srsRAN eNodeB + corenet (python core network) :

general stuff / architecture

QDSP 6 architecture hexagon presentation at defcon

decompile

  • download radio.img for pixel devices on google website

  • use qc_image_unpacker to unpack image file

  • mount the modem image file using mount -r modem /mnt/

  • follow the instructions of qc_baseband_scripts repo to assemble modem.bin files

  • use IDA 8.x on debian

  • git clone https://github.com/gsmk/hexagon, install cmake/build-essential then make

  • load modem.bin in IDA

TODO:

  • IDAPython script to parse msg_hash.txt

debug

old DIAG implementation / recent study of DIAG

exposing DIAG over USB

  • execute the following on a rooted phone (works with pixel 4):

```
resetprop ro.bootmode usbradio
resetprop ro.build.type userdebug
setprop sys.usb.config diag,diag_mdm,adb
diag_mdlog
```

  • apply the following kernel patch to recognize the usb serial interface

logging

basic logging from the RIL: adb logcat -b radio. To get QC proprietary logging from the Hexagon:

  • expose DIAG over USB
  • use this implementation
  • use msg_hash.txt provided in the extracted firmware image from Google (see above)

nvram fs (efs) access

  • expose DIAG over USB
  • use QCSuper with --efs-shell and --usb-modem

using AT commands interface via serial

```
sunfish:/ # cat /dev/smd7 &
sunfish:/ # echo -e 'at+crsm=214,28423,0,0,9,"xxxxxxxxxxxxxxxxxx"\r' > /dev/smd7
sunfish:/ # at+crsm=214,28423,0,0,9,"xxxxxxxxxxxxxxxxxx"
+CRSM: 105,130,""

OK
```
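Added example (not part of this repo): a small Python helper that builds and decodes +CRSM strings per 3GPP TS 27.007 §8.18, so the session above can be read without a spec open: command 214 is UPDATE BINARY, file id 28423 is 0x6F07 (EF_IMSI), and the reply 105,130 is status word 0x6982, "security status not satisfied", i.e. the SIM refused the write because the file's access condition was not met. The lookup tables are constructed and deliberately partial.

```python
"""Encode/decode AT+CRSM (3GPP TS 27.007 8.18). Added example; tables are partial."""
import re

# <command> values are the ISO 7816-4 INS bytes in decimal, as +CRSM expects them
CRSM_COMMANDS = {176: "READ BINARY", 178: "READ RECORD", 192: "GET RESPONSE",
                 214: "UPDATE BINARY", 220: "UPDATE RECORD", 242: "STATUS"}
# A few well-known EF identifiers (TS 51.011 / TS 31.102); constructed, partial table
FILE_IDS = {0x2FE2: "EF_ICCID", 0x6F07: "EF_IMSI", 0x6F40: "EF_MSISDN",
            0x6F46: "EF_SPN", 0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD"}
# Status words (ISO 7816-4 / ETSI TS 102 221); constructed, partial table
STATUS_WORDS = {0x9000: "normal ending", 0x6982: "security status not satisfied",
                0x6A82: "file not found", 0x6A83: "record not found",
                0x6700: "wrong length", 0x6A86: "incorrect P1/P2",
                0x6A88: "referenced data not found"}

def build_crsm(command, fileid, p1=0, p2=0, p3=0, data=None):
    """Return the AT command string to send to the modem (CR appended)."""
    parts = [str(command), str(fileid), str(p1), str(p2), str(p3)]
    if data is not None:
        if not re.fullmatch(r"[0-9A-Fa-f]*", data) or len(data) % 2:
            raise ValueError("data must be an even-length hex string")
        parts.append('"%s"' % data)
    return "AT+CRSM=" + ",".join(parts) + "\r"

def parse_crsm_command(line):
    """Decode an 'at+crsm=...' line into a dict with human-readable fields."""
    m = re.fullmatch(r'(?i)at\+crsm=(\d+),(\d+)(?:,(\d+),(\d+),(\d+))?(?:,"([^"]*)")?\s*',
                     line.strip())
    if not m:
        raise ValueError("not a +CRSM command: %r" % line)
    cmd, fid = int(m.group(1)), int(m.group(2))
    return {"command": cmd, "command_name": CRSM_COMMANDS.get(cmd, "unknown"),
            "fileid": fid, "file_name": FILE_IDS.get(fid, "unknown 0x%04X" % fid),
            "p1": int(m.group(3) or 0), "p2": int(m.group(4) or 0),
            "p3": int(m.group(5) or 0), "data": m.group(6)}

def parse_crsm_response(line):
    """Decode '+CRSM: <sw1>,<sw2>[,<response>]'; sw1/sw2 are decimal in 27.007."""
    m = re.fullmatch(r'\+CRSM:\s*(\d+),(\d+)(?:,"?([0-9A-Fa-f]*)"?)?\s*', line.strip())
    if not m:
        raise ValueError("not a +CRSM response: %r" % line)
    sw = (int(m.group(1)) << 8) | int(m.group(2))
    # 91xx / 9Fxx / 61xx are "success, more data available" on (U)SIM cards
    ok = sw == 0x9000 or (sw >> 8) in (0x91, 0x9F, 0x61)
    return {"sw": sw, "ok": ok, "meaning": STATUS_WORDS.get(sw, "unknown 0x%04X" % sw),
            "response": m.group(3) or ""}

if __name__ == "__main__":
    # The exchange from the session above (data masked exactly as on the page)
    print(parse_crsm_command('at+crsm=214,28423,0,0,9,"xxxxxxxxxxxxxxxxxx"'))
    print(parse_crsm_response('+CRSM: 105,130,""'))
```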

pysim on phone sim

see this