The exploration of baseband security has come a long way in the past decade. Published research has exposed privacy issues in 3GPP protocols from GSM to LTE and traditional memory safety vulnerabilities in implementations of various chipset vendors. Yet, in some ways, we have only scratched the surface.
For one, almost all published memory corruption bugs have been classic TLV parsing vulnerabilities in Layer 3 GSM. For another, previous remote exploitation demonstrations treated basebands as just more code doing typical input parsing, without considering the maze of hardware elements that surround them, and stayed inside the baseband sandbox.
We have set out to challenge the status quo with our research into the newest iterations of Huawei's Kirin SoCs. After Pwn2Own 2017, Huawei stopped supporting unlocked bootloaders, introduced new firmware encryption for SoC components, and invested heavily in improving code quality following the well-known baseband source leak. In fact, the latest Kirin chipsets that have been the subject of published research are from 2016.
We will cover our journey from unlocking the newest generations of Huawei devices through identifying and exploiting bootloader vulnerabilities to building a debugger and reversing new mitigation improvements of the baseband OS. We will dive into a part of the 3GPP stack that hasn't received much attention before and present our results of reversing Huawei's implementation and finding remotely exploitable vulnerabilities that work differently from previously documented baseband memory corruption bugs.
Finally, we will investigate the ways a baseband interacts with the rest of the SoC. We will show a handful of vulnerabilities that we have found, both in software and hardware, and explain how we exploited them to escape from the baseband and take over not only Android and the Linux kernel, but even TrustZone.