
Decompiling baseband firmware?

funkydaemon
#1
Junior Member - OP
Thanks Meter 3
Posts: 2
Join Date: Nov 2012
Decompiling baseband firmware?

One thing that bothers me about my Android phone is the opaque, closed-source baseband firmware ("radio" as it's often called here). Since the baseband is interposed between the OS and most hardware functions, its firmware presents a major unknown in the total security of the device.

It's unlikely that the source code for any of this baseband firmware is going to be released, and the open source OsmocomBB baseband is a long way off from supporting Android or the dominant Qualcomm chips. But I would settle for decompiling an existing baseband firmware image, so that I can start to understand some things about its behavior, and perhaps compile modified versions.

Does anyone know where to begin with this? Many thanks.
 
panaali
#2
Junior Member
Thanks Meter 0
Posts: 5
Join Date: Feb 2008
I wish somebody participated in this with you. I need it also.
 
idcrisis
#3
(Last edited by idcrisis; 23rd September 2013 at 03:48 AM.)
Senior Member
Thanks Meter 5481
Posts: 1,244
Join Date: Aug 2010
Quote:
Originally Posted by funkydaemon
One thing that bothers me about my Android phone is the opaque, closed-source baseband firmware ("radio" as it's often called here). Since the baseband is interposed between the OS and most hardware functions, its firmware presents a major unknown in the total security of the device.

It's unlikely that the source code for any of this baseband firmware is going to be released, and the open source OsmocomBB baseband is a long way off from supporting Android or the dominant Qualcomm chips. But I would settle for decompiling an existing baseband firmware image, so that I can start to understand some things about its behavior, and perhaps compile modified versions.

Does anyone know where to begin with this? Many thanks.
Good idea. Although most probably it'll all be native C code compiled into binary form, not amenable to decompiling.

So you'd probably need a very good debugger and a system-call tracing facility like strace.

I guess hell might also break loose because SIM encryption(?), voice encoders(?), network locking(?) and god knows how many of those proprietary tidbits may be sitting in there.

SIM encryption broken leading to duplication of SIMs and leading to smartcard encryption and open source tools to reprogram your credit cards with more money.

That's not hell. That's hell in a handbasket with us enjoying the ride.

Keep us posted. It's guys like you who think outside the radio that gave us the TV.
 
E:V:A
#4
Recognized Developer
Thanks Meter 1696
Posts: 1,297
Join Date: Dec 2011
Location: -∇ϕ
For Qualcomm based devices you need to decompile Hexagon code.
For other devices (Intel XMM6260 etc. based), IDA (ARM) suffices.
In both cases the raw binary blobs may be encrypted, but extractable from the running machine.
MSM8960 Info, Architecture and Bootloader(s)
El Grande Partition Table Reference
How to talk to the Modem with AT commands

[REF][ServiceMode] How to make your Samsung perform dog tricks
[REF|R&D|RF] RF/Radio properties of Samsung ServiceMode

Want to know when your phone is getting tracked or tapped?

Help us develop the IMSI Catcher / Spy Detector!
(To be part of the EFF & The Guardian Project toolsets.)
_______________________________
If you like what I do, just click THANKS!
Everything I do is free, altruism is the way!
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
I do not answer support related PM's.

 
S0AndS0
#5
(Last edited by S0AndS0; 14th January 2014 at 07:04 PM.)
Senior Member
Thanks Meter 71
Posts: 259
Join Date: May 2012
I'm working on it, in a fashion, and am writing up a document compiling everything that has been done on cellphone radio hacking. I've not found much on baseband firmware; there's a lot of info out there but it's been tough to find amongst all the other hacking that has similar keywords. Currently most quality info around this subject involves an extra (and, depending on desired features, expensive) bit of hardware and two open source software packages with their dependencies. As the hardware is currently outside my budget ($300 for the best bang for buck) I'll be working on getting the software to recognize the hardware built into my Android devices. Provided that all goes well I should be able to read and write on the frequencies that the in-built hardware supports and hopefully, as I always get an identical device when getting one, read and write with my backup Android device.

Be warned if you decide to follow me down this path: there are laws restricting what non-licensed persons/companies can do on certain RF frequencies, and this depends on where you live. I'm no expert, only a person capable of reading lots of dry informative documents. Provided I do achieve direct contact between devices, this hack could (and likely will) fry one of my antennas, so be warned you'll likely do the same :banghead: so do this on an old device that you don't care about before ever trying on something you use daily. With the warning out of the way, let's get down to the quick version.
~~~~~~~~~~~~
Currently all the developing I've found educational has involved the aforementioned "expensive hardware" known as software defined radio, shortened to SDR; go ahead and pop open a new tab and Google search either. You'll eventually find that cellphone manufacturers have likely already put these into many devices. You'll also hopefully find the two Kickstarters, HackRF ~$300 and bladeRF ~$400; these are likely what I'll be saving up for, HackRF for sure, as the next release will likely be able to send and receive at the same time instead of switching quickly between modes. If you dig deep enough you'll find a blog post from a hacker that plugged an Android into a much more expensive SDR and was able to place calls and send/receive texts; the blog poster stated something to the effect that this was not a useful hack, but I believe that it's a great proof of concept and totally worth another look. However, this hacker has also almost been sued for some of the demonstrations with this kind of technology involving the capture and description of calls and texts, so tread carefully.

The software I mentioned before boils down to GNU Radio and OpenBTS; there are dependencies for each but all seem to be installable on Linux running on top of Android. Furthermore I see that someone (Edit: idcrisis) previously mentioned wanting C or C++ support; GNU Radio uses these languages, so perhaps I can ask for some help when I get a little further in porting this to run without Linux in the middle so much? I think if we use the GPS to set the time then the signal shouldn't drift too much.

I'm using an app called Debian Kit to give me a flavor of Linux called Squeeze for testing the software. If you choose to try what I'm doing then make use of the readme that the developer wrote or the guide I wrote for general Linux on Android installation and interaction, found in my sig, to get started. If you want access to the document I'm compiling then you'll want to PM me at this moment, as the chances of hardware frying are high, and I'll share a link to Google Docs; I'll be releasing a full guide when I've figured out how to avoid damage.

Eventually I hope to port many of the functions in GNU Radio into an app that makes use of internal hardware. Currently I've found a few that make use of hardware plugged into Android through USB "on the go" or "host mode" (just search "RTL SDR" in the app store and you'll see them), but currently nothing making use of internal hardware. If any are interested in joining forces and helping figure out how to do all this I'd be glad to offer any support I can.

As for other things related to cellular antenna hacking, beyond the above-mentioned software and hardware, that I'm compiling into the same document: this is where we get into the parts I'm hitting the wall on. It looks like I'll have to get into kernel modification, as this is one of the things used to communicate between software and hardware. There are also the flashable files known as radios, and I'll be digging further into how these files are modified.

Basically this is a very tough question to answer and has taken many months of reading, searching, and more reading to get this close, but if we all work together I know that we'll be able to modify how the antennas in our devices work.

Edit 01/14/2014: Found a guide on reverse engineering embedded device firmware. The guide is for a router, but as the chips in our phones are embedded, perhaps the steps are similar:
http://www.devttys0.com/2011/05/reve...nksys-wag120n/

Sent from either my SPH-D700 or myTouch3gs or M470BSA
Guide for running Linux on Android that I'm writing:
http://forum.xda-developers.com/show....php?t=2240397
Or
https://docs.google.com/document/d/1...?usp=drive_web
And my script pack for installing; Java's JDK, node.js and more to your Linux OS
https://github.com/S0AndS0/Debian-Kit-Mods
Note: if you're new to Linux/scripting/command line; check readme file for instructions.
 
E:V:A
#6
Recognized Developer
Thanks Meter 1696
Posts: 1,297
Join Date: Dec 2011
Location: -∇ϕ
^^ NO! The embedded chips in the Linksys routers are MIPS based and not ARM like all our Androids. Very different, although the technique is the same.

But thanks, for taking time to check up on all this.
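E:V:A's posts #4 and #6 both come down to the same first question for any radio image: which instruction set the blob targets (Hexagon on Qualcomm modems, ARM on Intel XMM parts, MIPS in the Linksys router write-up) and whether it is even plain code or an encrypted blob that has to be pulled from the running modem instead. The script below is an added example written for this thread; it is not code from any poster or from any project mentioned here. It scans an image for embedded ELF headers, reads the e_machine field to name the architecture (the e_machine values are the ones published in the ELF specification and Linux elf.h; EM_HEXAGON is 164, EM_ARM 40, EM_MIPS 8), and computes per-block Shannon entropy to flag regions that look encrypted or compressed. The sample image is constructed inline; on a real dump you would read the modem/radio partition file instead. An image with no ELF headers at all may simply be a raw or vendor-packed format, which the entropy scan still characterizes.

```python
"""Triage a raw baseband ("radio") image: find embedded ELF objects,
report their target architecture, and flag regions that look encrypted
or compressed from their byte entropy.

Added example, not from the thread. The sample image below is
constructed inline; real input is a dump of the modem/radio partition.
"""
import math
import random
import struct

# e_machine values from the ELF specification / Linux elf.h
ELF_MACHINES = {
    3: "x86",
    8: "MIPS",
    40: "ARM",
    62: "x86-64",
    164: "Hexagon (Qualcomm QDSP6)",
    183: "AArch64",
}

ELF_MAGIC = b"\x7fELF"


def find_elf_headers(data: bytes):
    """Return [(offset, arch_name, bits, endian)] for each plausible ELF header."""
    found = []
    off = data.find(ELF_MAGIC)
    while off != -1:
        if off + 20 <= len(data):
            ei_class, ei_data = data[off + 4], data[off + 5]
            # EI_CLASS 1/2 = ELF32/ELF64, EI_DATA 1/2 = little/big endian
            if ei_class in (1, 2) and ei_data in (1, 2):
                endian = "<" if ei_data == 1 else ">"
                e_machine = struct.unpack_from(endian + "H", data, off + 18)[0]
                found.append((off,
                              ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
                              32 if ei_class == 1 else 64,
                              "little" if ei_data == 1 else "big"))
        off = data.find(ELF_MAGIC, off + 1)
    return found


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform random data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, block_size: int = 4096, threshold: float = 7.5):
    """Merge consecutive high-entropy blocks into (start, end) byte ranges.

    Encrypted or compressed blobs score near 8.0, code and tables usually
    5 to 7, padding near 0. If the whole image scores above the threshold
    there is nothing to disassemble until it is decrypted or dumped from
    the running modem, as post #4 suggests."""
    regions = []
    start = None
    for off in range(0, len(data), block_size):
        hot = shannon_entropy(data[off:off + block_size]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def _fake_elf(e_machine: int, ei_class: int = 1, ei_data: int = 1) -> bytes:
    """Constructed 52-byte ELF32 header carrying only the fields we parse."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + bytes(9)
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine) + bytes(52 - 20)


def build_sample_image() -> bytes:
    """Constructed image: padding, a Hexagon ELF, an ARM ELF, a big-endian
    MIPS ELF (the router case), a 16 KiB pseudo-encrypted region, padding."""
    rng = random.Random(1337)  # fixed seed so the output is reproducible
    return (bytes(4096)
            + _fake_elf(164) + bytes(4096 - 52)
            + _fake_elf(40) + bytes(4096 - 52)
            + _fake_elf(8, ei_data=2) + bytes(4096 - 52)
            + bytes(rng.getrandbits(8) for _ in range(16384))
            + bytes(4096))


if __name__ == "__main__":
    image = build_sample_image()
    for off, arch, bits, endian in find_elf_headers(image):
        print(f"ELF at 0x{off:06x}: {arch}, {bits}-bit, {endian}-endian")
    for start, end in high_entropy_regions(image):
        print(f"high-entropy (encrypted/compressed?) region 0x{start:06x}-0x{end:06x}")
```

On the constructed image this reports Hexagon at 0x1000, ARM at 0x2000, big-endian MIPS at 0x3000 and one high-entropy region 0x4000-0x8000. The threshold of 7.5 bits/byte is a heuristic; tightly packed code on a real modem can approach 7, so lower it with care and confirm with a disassembler before concluding a region is encrypted.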