科技回声
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Reverse engineering a Qualcomm baseband processor [pdf]

88 points, by dodders, over 10 years ago

6 comments

mmastrac, over 10 years ago

This topic is close to my heart. I spent a few years immersed in the Qualcomm basebands as part of the unrevoked project and personal research. I stared at the ARM code for what must be hundreds of hours.

There are so many vulnerabilities in the baseband that it's not even funny. Even the QCOM secure boot process is full of holes. If a government agency wanted to drop a persistent baseband 'rootkit' on your device with full access to userspace, they could (unless you're using one of the few phones with separate userspace and baseband processors).

The DIAG commands are particularly fun. You can read and write memory on most phones. Some have locked it down to certain areas, but this varies wildly depending on manufacturer.
Comment #8813868 not loaded
Comment #8813245 not loaded
Comment #8813212 not loaded
Comment #8813429 not loaded
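The DIAG peek/poke commands mmastrac describes are ordinary DIAG request packets carried over the HDLC-style framing Qualcomm uses on the diagnostic port. What follows is an added example written for this page, not code from the paper, the 28C3 talk or any commenter. It frames a DIAG_PEEKD_F (read dwords) request and parses a response, using the command codes from Qualcomm's public diagcmd.h (PEEKB/W/D = 0x02..0x04, POKEB/W/D = 0x05..0x07, BAD_CMD/BAD_PARM/BAD_LEN = 0x13..0x15) and the framing used by libqcdm and similar tools (CRC-16/X-25 appended little-endian, 0x7D/0x20 byte stuffing, 0x7E terminator). The 7-byte cmd/address/count request layout and the header-echo-plus-data response layout are assumptions to verify against your target's headers; the response bytes are constructed here, not captured from a device; and, as the comment says, a real modem enforces its own item limit and may refuse some address ranges.

```python
import struct

# Command codes from Qualcomm's public diagcmd.h header.
DIAG_PEEKB_F, DIAG_PEEKW_F, DIAG_PEEKD_F = 0x02, 0x03, 0x04
DIAG_POKEB_F, DIAG_POKEW_F, DIAG_POKED_F = 0x05, 0x06, 0x07
DIAG_BAD_CMD_F, DIAG_BAD_PARM_F, DIAG_BAD_LEN_F = 0x13, 0x14, 0x15

HDLC_FLAG = 0x7E  # frame terminator
HDLC_ESC = 0x7D   # escape byte; the escaped byte is XORed with 0x20


class DiagError(Exception):
    pass


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected poly 0x1021 (0x8408), init 0xFFFF, xorout 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_encapsulate(payload: bytes) -> bytes:
    """payload + CRC (little-endian), byte-stuffed, then a single 0x7E."""
    raw = payload + struct.pack("<H", crc16_x25(payload))
    out = bytearray()
    for b in raw:
        if b in (HDLC_FLAG, HDLC_ESC):
            out += bytes((HDLC_ESC, b ^ 0x20))
        else:
            out.append(b)
    out.append(HDLC_FLAG)
    return bytes(out)


def hdlc_decapsulate(frame: bytes) -> bytes:
    """Reverse of hdlc_encapsulate: un-stuff, verify the CRC, return the payload."""
    if len(frame) < 4 or frame[-1] != HDLC_FLAG:
        raise DiagError("frame is not terminated by 0x7E")
    raw = bytearray()
    it = iter(frame[:-1])
    for b in it:
        if b == HDLC_ESC:
            try:
                b = next(it) ^ 0x20
            except StopIteration:
                raise DiagError("dangling escape byte") from None
        raw.append(b)
    if len(raw) < 3:
        raise DiagError("frame too short for a command byte plus CRC")
    payload, crc = bytes(raw[:-2]), struct.unpack("<H", raw[-2:])[0]
    if crc16_x25(payload) != crc:
        raise DiagError(f"CRC mismatch: got {crc:#06x}, want {crc16_x25(payload):#06x}")
    return payload


def build_peekd(address: int, count: int) -> bytes:
    """DIAG_PEEKD_F request (assumed layout): cmd(1) | address(4, LE) | dword count(2, LE).
    count is only range-checked here; the modem applies its own per-request limit."""
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    if not 1 <= count <= 0xFFFF:
        raise ValueError("count must be 1..65535")
    return hdlc_encapsulate(struct.pack("<BIH", DIAG_PEEKD_F, address, count))


def parse_peekd_response(frame: bytes):
    """Parse a PEEKD reply (assumed layout: request header echoed, then count dwords).
    Returns (address, [dword, ...]); raises DiagError on a DIAG error reply or bad framing."""
    payload = hdlc_decapsulate(frame)
    cmd = payload[0]
    if cmd in (DIAG_BAD_CMD_F, DIAG_BAD_PARM_F, DIAG_BAD_LEN_F):
        # Error replies carry the error code followed by the rejected request.
        raise DiagError(f"modem rejected request: error {cmd:#04x}, echoed {payload[1:].hex()}")
    if cmd != DIAG_PEEKD_F or len(payload) < 7:
        raise DiagError(f"unexpected response {payload.hex()}")
    address, count = struct.unpack_from("<IH", payload, 1)
    data = payload[7:]
    if len(data) != 4 * count:
        raise DiagError(f"expected {4 * count} data bytes, got {len(data)}")
    return address, list(struct.unpack(f"<{count}I", data))


if __name__ == "__main__":
    req = build_peekd(0x00FF7E7D, 2)  # address chosen to exercise byte stuffing
    print("request :", req.hex())
    # Constructed reply (not captured from a device) echoing the request header.
    fake = hdlc_encapsulate(struct.pack("<BIHII", DIAG_PEEKD_F, 0x00FF7E7D, 2, 0xDEADBEEF, 0x41414141))
    print("response:", parse_peekd_response(fake))
```

The address in the usage call deliberately contains 0x7D and 0x7E so the stuffing path is visible in the hex dump; a framing bug there is the usual reason a hand-rolled DIAG client gets silence or a BAD_LEN reply from the modem.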
CamperBob2, over 10 years ago

Unfortunately this is almost guaranteed to bring a legal attack from Qualcomm, with or without actual grounds. I've never encountered a more litigious company in my (long) involvement in electronics, or the tech sector in general. Whether Qualcomm employs more engineers or more lawyers is an open research topic.
therealmarv, over 10 years ago

Are there any open-source baseband phones out there? Does an open-source baseband actually exist? So many people think that they have a phone with open-source software, but so many components, especially the baseband, can give so much control over the phone.
Comment #8813496 not loaded
Comment #8813997 not loaded
jcr, over 10 years ago

Here's the video of the talk that Guillaume Delugre did on this pdf at 28C3 in 2011.

http://www.youtube.com/watch?v=e1lYU0VMCoY

It's both fascinating and frightening.
jordanthoms, over 10 years ago

So the usual view is that the capabilities we hear of the NSA having (keeping the phone on even when it appears to be off, using GPS etc. to locate the phone, transmitting the microphone in the background, etc.) are enabled in the baseband, when it receives coded requests from the network.

It'd be interesting if reverse engineering of the baseband could find those capabilities and see what's really possible and how it works.
Comment #8813745 not loaded
pronoiac, over 10 years ago

If you're wondering, iPhones have used both Qualcomm and Infineon baseband processors: https://theiphonewiki.com/wiki/Baseband_Device

According to a note in this presentation, Ralf-Philipp Weinmann has noted exploits on broadband processors from both.