Scripts, tools, and information to help reverse engineer Samsung's EXYNOS cellular baseband platform, codenamed Shannon. These tools were released for the talk "Emulating Samsung's Shannon Baseband for Security Testing" at Black Hat USA'2020, August 5th.
A Ghidra extension for loading modem.bin
binaries from nearly all known modems to date. All firmware images from https://github.com/grant-h/ShannonFirmware are loaded during CI tests for the loader to ensure its compatibility.
Ghidra post-loading Python scripts that help annotate Shannon modem images. This includes recovering debug strings and auto-naming functions. Use after loading with ShannonLoader.
Raw modem.bin
extraction script into sub parts and others as they are developed.
Scripts and info to parse Back Trace Log (BTL) files. These are included during modem crashes / dumps or via the "CP RAM Logging" functionality. These are compressed log files from the actual running modem.
Information on firmware acquistion and some extracted data dumps.
Here's a quick tutorial to start reversing this firmware with GHIDRA.
- Download the firmware binary of choice. Make sure you have extracted the CP partition from official Samsung firmware and have further extracted the
modem.bin
file. Make sure to unlz4 the binary if it is compressed. - Install the ShannonLoader at the splash screen using File » Install Extensions.... Target the
ShannonLoader.zip
release that is in the latest release tag - Now start a new GHIDRA project and add a new file. Select the
modem.bin
file. You should see that this file's loader is automatically selected as "Samsung Shannon Modem Binary". If you do not see this, make sure that you have loaded the right file and installed the extension properly. Open GHIDRA debug console (bottom right on splash screen) to double check if there are any errors. - Import the file, let the loader finish and once again make sure there were no errors during loading.
- Double click on the imported file to open CodeBrowser and hit no to auto-analysis for now.
- Now run the
ShannonTraceEntry.py
python script from Script Manager under the "Shannon" category. Make sure to either place scripts into your user home directory at~/ghidra_scripts
(Linux) or add the path to them in the manager. This script will identify all trace debugging information before analysis and avoid diassembling data. - Go to Analysis » Auto analyze..., and uncheck the "Non-returning Functions - Discovered" analyzer as this causes broken recovery of the
log_printf
function, leading to broken disassembly throughout the binary. If you do not uncheck this, you will need to restart your import from scratch. - Hit analyze and let GHIDRA churn away until it settles.
- Next optionally run the auto-renamer script,
ShannonRename.py
. This will help you navigate the binary, but remember that the names are heuristically determined, so quality may vary. Functions with the same guessed name will have a numeric prefix appended. - Start reversing!
If you want a quick look around, we exported a GHIDRA project for a 2017 modem image.
- ShannonRE (Comsecuris, REcon 2016) - https://github.com/Comsecuris/shannonRE
- Awesome Baseband Research - https://github.com/lololosys/awesome-baseband-research
The repository's license is MIT. NOTE: The top-level license covers only files that explicitly contain SPDX markings, not the entire repository. For other files, they may not be licensable (e.g. binary dumps, firmware) or may contain other permissive licenses.