Reverse-engineering a Qualcomm baseband
Despite their wide presence in our lives, baseband chips are still nowadays
poorly known and understood from a system point of view. Some presentations
have hilighted vulnerabilities in GSM stacks across various models of
basebands (cf. 27c3: _All your baseband are belong to us_ by R-P. Weinmann).
However none of them actually focused on the details of how a baseband
operating system really works. This is the focus of our presentation. From
the study of a simple 3G USB stick equipped with a Qualcomm baseband, we will
discuss how to dump the volatile memory, reverse-engineer the proprietary
RTOS, and ultimately execute and debug code while trying to preserve the
real-time system constraints.