slides on the LTE attack surface (nickvsnetworking)
QDSP6 / Hexagon architecture presentation at DEF CON
-
download the factory image for the Pixel device from Google's website; the radio.img inside it holds the baseband firmware
-
use qc_image_unpacker to unpack radio.img; this yields the modem partition image
-
mount the modem partition image read-only:
mount -r modem /mnt/
-
follow the instructions in the qc_baseband_scripts repo to reassemble the split modem.mdt / modem.bNN segments into a single modem.bin (ELF)
-
use IDA 8.x on Debian
-
git clone https://github.com/gsmk/hexagon
install cmake and build-essential, then run make to build the Hexagon processor module for IDA
-
load modem.bin in IDA with the Hexagon processor module
TODO:
- IDAPython script to parse msg_hash.txt (the hash-to-format-string table for the modem's hashed log messages) and annotate the hashes where they appear in the binary
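A starting point for that TODO, as an added example (not code from the page, from Qualcomm or from any tool named here). The colon-separated line layout hash:ssid:mask:file:"format" is an assumption about the QShrink hash file and must be checked against the real msg_hash.txt before use; the sample lines are constructed. The IDA-specific calls are injected as callbacks so the same code runs outside IDA (inside IDA, pass idc.get_bytes(...) as the blob and a wrapper around idc.set_cmt as the comment function).

```python
"""Parse the modem's msg_hash.txt and locate its hashes in a memory image.

Added example, not from the page or any tool it names. ASSUMED line layout:
hash:ssid:mask:file:"format" (check against the real file). Sample lines are
constructed.
"""
import re
import struct
from typing import Callable, Dict, List, NamedTuple, Sequence, Tuple


class MsgEntry(NamedTuple):
    ssid: int      # subsystem id of the message
    mask: int      # message level / mask bits
    source: str    # source file recorded by the build
    fmt: str       # C printf-style format string


# Constructed sample; real files are tens of thousands of lines.
SAMPLE_MSG_HASH = """\
0x00001000:1:2:src/nas/emm.c:"EMM state %d -> %d"
0x00001001:5:16:src/rrc/conn.c:"RRC conn setup: cell %lu, cause %d"
0x00001002:1:1:src/nas/esm.c:"ESM: bearer %d rejected, esm cause %d"
"""

_LINE_RE = re.compile(
    r'^(0x[0-9A-Fa-f]+|\d+):(\d+):(\d+):([^:]*):"?(.*?)"?$')


def parse_msg_hash(text: str) -> Dict[int, MsgEntry]:
    """Build hash -> entry; raises on lines that do not fit the assumed layout."""
    table: Dict[int, MsgEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unexpected layout: {line!r}")
        table[int(m.group(1), 0)] = MsgEntry(
            int(m.group(2)), int(m.group(3)), m.group(4), m.group(5))
    return table


def render(table: Dict[int, MsgEntry], hash_value: int, args: Sequence[int]) -> str:
    """Expand a hashed log record (hash + integer args) back into message text."""
    entry = table.get(hash_value)
    if entry is None:
        return f"<unknown hash {hash_value:#010x}> args={list(args)}"
    # Python's % operator has no C length modifiers (%lu, %hhx ...): drop them.
    fmt = re.sub(r"%(\d*)(?:hh|h|ll|l|z)?([diouxXc])", r"%\1\2", entry.fmt)
    fmt = fmt.replace("%p", "%#x")
    try:
        return fmt % tuple(args)
    except (TypeError, ValueError):
        return f"{entry.fmt} args={list(args)}"   # argument count/type mismatch


def find_hash_refs(table: Dict[int, MsgEntry], blob: bytes,
                   base: int) -> List[Tuple[int, int]]:
    """Scan a memory image for 32-bit little-endian words equal to a known hash.

    Assumes (unverified) that the message descriptors keep the hash 4-byte
    aligned; small hash values can collide with ordinary data, so treat hits
    as candidates to confirm by hand."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, off)[0]
        if word in table:
            hits.append((base + off, word))
    return hits


def annotate(table: Dict[int, MsgEntry], blob: bytes, base: int,
             set_comment: Callable[[int, str], None]) -> int:
    """Comment each candidate with its format string; returns the hit count."""
    hits = find_hash_refs(table, blob, base)
    for addr, h in hits:
        e = table[h]
        set_comment(addr, f"QSR {h:#010x} ssid={e.ssid} {e.source}: {e.fmt}")
    return len(hits)


if __name__ == "__main__":
    t = parse_msg_hash(SAMPLE_MSG_HASH)
    print(render(t, 0x1001, [123, 4]))
    # Constructed blob: two known hashes surrounded by unrelated words.
    blob = struct.pack("<IIII", 0x1000, 0xDEADBEEF, 0x1002, 0x41414141)
    print(annotate(t, blob, 0xC0000000, lambda a, c: print(f"{a:#x}: {c}")))
```

The same table can feed a DIAG log decoder: once the hashed message record (hash plus its integer arguments) is pulled off the DIAG stream, render() turns it back into the original text.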
old DIAG implementation; recent study of DIAG
- on a rooted phone (works on a Pixel 4), switch the USB composition so DIAG is exposed next to adb (resetprop comes with Magisk):
resetprop ro.bootmode usbradio
resetprop ro.build.type userdebug
setprop sys.usb.config diag,diag_mdm,adb
diag_mdlog
- apply the following kernel patch so the USB serial (DIAG) interface is recognized
basic logging from the RIL: adb logcat -b radio
to get Qualcomm proprietary logging out of the Hexagon modem:
- expose DIAG over USB (see above)
- use this implementation
- use the msg_hash.txt shipped in the firmware image extracted from the Google factory image (see above) to turn the hashed log messages back into their format strings
to browse the modem's EFS:
- expose DIAG over USB
- run QCSuper with --usb-modem <device> and --efs-shell
sending AT commands to the modem from a root shell on the phone (sunfish is the Pixel 4a); the backgrounded cat prints the echoed command and the reply:
sunfish:/ # cat /dev/smd7 &
sunfish:/ # echo -e 'at+crsm=214,28423,0,0,9,"xxxxxxxxxxxxxxxxxx"\r' > /dev/smd7
sunfish:/ # at+crsm=214,28423,0,0,9,"xxxxxxxxxxxxxxxxxx"
+CRSM: 105,130,""
OK
here 214 is UPDATE BINARY and 28423 = 0x6F07 is EF_IMSI; the reply 105,130 is status word 69 82, "security status not satisfied": updating EF_IMSI requires the card's ADM key, PIN1 is not enough
see this
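The AT+CRSM exchange above, worked through as an added example (not code from the page or from any tool it names): it builds the command line, parses the modem's +CRSM reply into SW1/SW2 as defined in 3GPP TS 27.007 and TS 51.011, and decodes an EF_IMSI body obtained with READ BINARY (176) per TS 31.102. The status-word table and the IMSI encoding follow those specs; the sample reply strings are constructed, except the 105,130 reply copied from the transcript.

```python
"""AT+CRSM (restricted SIM access) helpers.

Added example, not from the page or any tool it names. Instruction codes and
status words follow 3GPP TS 27.007 (8.18), TS 51.011 (9.4) and ISO 7816-4;
the EF_IMSI layout follows TS 31.102 (4.2.2). Sample replies are constructed,
except the "105,130" reply taken from the transcript above.
"""
import re
from typing import NamedTuple, Optional

# Instruction codes accepted by AT+CRSM.
CRSM_COMMANDS = {
    176: "READ BINARY",
    178: "READ RECORD",
    192: "GET RESPONSE",
    214: "UPDATE BINARY",
    220: "UPDATE RECORD",
    242: "STATUS",
}
EF_IMSI = 28423  # 0x6F07, the file id used in the transcript

# SW1 SW2 values a baseband reverse engineer meets most often.
STATUS_WORDS = {
    0x9000: "normal ending of the command",
    0x6982: "security status not satisfied (access condition, e.g. ADM, not met)",
    0x6A82: "file not found",
    0x6A86: "incorrect parameters P1-P2",
    0x6700: "wrong length (P3 does not match the data)",
    0x6B00: "wrong parameters P1-P2",
}


def build_crsm(command: int, fileid: int, p1: int = 0, p2: int = 0,
               p3: int = 0, data: Optional[str] = None) -> str:
    """Return the AT line to write to the modem port, CR-terminated like the
    echo -e '...\\r' in the transcript."""
    if command not in CRSM_COMMANDS:
        raise ValueError(f"unsupported CRSM command {command}")
    fields = [str(command), str(fileid), str(p1), str(p2), str(p3)]
    if data is not None:
        if not re.fullmatch(r"[0-9A-Fa-f]*", data) or len(data) != 2 * p3:
            raise ValueError("data must be hex and exactly P3 bytes long")
        fields.append(f'"{data}"')
    return "AT+CRSM=" + ",".join(fields) + "\r"


class CrsmReply(NamedTuple):
    sw1: int
    sw2: int
    response: str  # hex payload; empty when the card returned no data

    @property
    def status(self) -> int:
        return (self.sw1 << 8) | self.sw2

    @property
    def ok(self) -> bool:
        # 90 00, 91 xx (proactive command pending) and 9F xx (response length
        # follows) are all success classes in TS 51.011.
        return self.sw1 in (0x90, 0x91, 0x9F)

    def explain(self) -> str:
        text = STATUS_WORDS.get(self.status, "unlisted status word")
        return f"SW {self.status:04X}: {text}"


_CRSM_RE = re.compile(r'\+CRSM:\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*"([0-9A-Fa-f]*)")?')


def parse_crsm_reply(modem_output: str) -> Optional[CrsmReply]:
    """Pull the +CRSM result out of raw port output (echo and OK lines included)."""
    m = _CRSM_RE.search(modem_output)
    if m is None:
        return None
    return CrsmReply(int(m.group(1)), int(m.group(2)), m.group(3) or "")


def decode_imsi(ef_imsi_hex: str) -> str:
    """Decode the EF_IMSI body: a length byte, then the first digit in the high
    nibble of byte 2 (its low nibble holds the parity/ID bits), then two digits
    per byte, low nibble first; an even-length IMSI ends with an 0xF filler."""
    raw = bytes.fromhex(ef_imsi_hex)
    body = raw[1:1 + raw[0]]
    digits = [body[0] >> 4]
    for b in body[1:]:
        digits += [b & 0x0F, b >> 4]
    return "".join(str(d) for d in digits if d != 0xF)


if __name__ == "__main__":
    # The write from the transcript: UPDATE BINARY on EF_IMSI, rejected by the card.
    print(build_crsm(214, EF_IMSI, 0, 0, 9, "00" * 9).strip())
    print(parse_crsm_reply('+CRSM: 105,130,""\r\nOK\r\n').explain())
    # A read that succeeds (constructed reply): READ BINARY, 9 bytes of EF_IMSI.
    print(build_crsm(176, EF_IMSI, 0, 0, 9).strip())
    print(decode_imsi(parse_crsm_reply('+CRSM: 144,0,"082943519099999999"').response))
```

Reading EF_IMSI with 176 only needs PIN1 (or an already verified card), which is why a READ BINARY succeeds where the UPDATE BINARY in the transcript comes back with 69 82.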