Dissecting modern (3G/4G) cellular modems

Presented at TROOPERS17 (2017), March 20, 2017, 2:30 p.m. (Unknown duration).

Let's have a detailed look at some modern 3G/4G cellular modems and see what we can find out about their internals using undocumented debug interfaces and software or hardware based hacking techniques.

Cellular modems are not only present in smartphones, tablets and laptops, but these days also in many M2M and internet-of-toilets (IoT) applications. Long gone are the days where those modules were GSM/GPRS/EDGE only with ancient ARM7TMDI or ARM926EJS cores and a relatively small-sized firmware in the range of kilobytes to very few megabytes, like on the famous OsmocomBB supported phones.

Modern cellular modems re-use the cellular chipsets of smartphones one or two generations ago, like the MDM9615 used in the iPhone 5. As those chipsets contain plenty of processors and are quite sophisticated SoCs on their own, one can even find (undocumented) Linux or Android in some modems, which of course makes them a very attractive target for further exploration or running your own code inside the modem.

We will give a short overview about the current market of cellular modems, the major chipset suppliers and chipset families and then pick one or two examples and show the methods used for reverse engineering them to a point where they can be used for much more than the AT command or QMI interface officially documented/supported by the manufacturer. This includes the execution of custom code inside modems, as well as protocol tracing of the air-interface. We'll also look at the FOTA (Firmware Update Over The Air) features, and perform a security analysis of our findings.

This talk understands itself following the tradition of various baseband processor related talks at many CCC events of the past decade, including 25C3: Anatomy of smartphone hardware and 28C3: Reverse-engineering a Qualcomm baseband.


Presenters:

  • Harald Welte
    Harald Welte is communications security consultalt for more than a decade. He was co-author of tne netfilter/iptables packet filter in the Linux kernel and has since then been involved in a variety of Free Software based implementations of protocol stacks for RFID, GSM, GPRS, and TETRA. His main interest is to look at security of communication systems beyond the IP-centric mainstream. Besides his consulting work, he is the general manager of Sysmocom GmbH, providing custom tailored communications solutions to customers world-wide.

Links:

Similar Presentations: