RE//verse Training - Practical Baseband Exploitation with Pedro Ribeiro and Nitay Artenstein

Regular price $4,800.00 Sale


Badge Info

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM (2G), 3G, LTE (4G), or 5G base station as a difficult objective.

In reality, baseband exploitation is not that challenging! By following a simple list of steps, a baseband platform can be quickly unlocked for research, debugging and exploitation.

 

  • TRAINING DATES: February 24 - February 27, 2025
  • CONFERENCE DATES: February 28 - March 1, 2025
  • LOCATION: Caribe Royale, Orlando, FL
  • NOTE: Conference admission purchased separately. Conference ticket sales start Monday, September 23rd, at 12pm ET.


In this course, students will learn our systematic approach to baseband security research: from setting up a fake base station using SDR and open-source BTS software, to obtaining and analysing mobile phone firmware and crash dumps, modifying BTS code to trigger bugs and deliver a payload, and finally reverse engineering radio protocols, hunting for vulnerabilities and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and MediaTek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Each student will be provided with a Software Defined Radio (SDR) board to emulate a base station, and a modern mobile phone to serve as a target.

KEY LEARNING OBJECTIVES

  • Understanding communication processors at the architecture level
  • Extracting baseband firmware for a device
  • Understanding, loading, and analysing the RTOS baseband firmware
  • Navigating and understanding 3GPP protocols
  • Understanding 2G, 3G, 4G and 5G attack surfaces
  • Reverse engineering the code - methods and tricks
  • Bug hunting - methods, tips, and previously discovered bugs
  • Exploitation tricks in the baseband

AGENDA

Session 1: Introduction, initial analysis and debugging

Introduction to communication processors (CP):

  • The evolution and challenges of communication systems
  • Baseband processors: An architecture overview
  • CP architectures: Broadcom, Qualcomm, MediaTek, Samsung, Intel

Code extraction and initial analysis:

  • Challenges of baseband code extraction
  • Getting the firmware
  • Initial analysis: Parsing the firmware header
  • Loading into IDA: Base addresses and program segmentation

Understanding baseband Real Time Operating Systems (RTOS):

  • Data structures and IPC
  • Memory permissions and mappings
  • Mapping the attack surface
  • Identifying functions and symbols in the code and writing a function mapping script
  • Extracting debug strings and parsing them to name functions in the IDB

Debugging:

  • Obtaining memory dumps
  • Getting RWX permissions
  • Building a debugger

Session 2: Cellular protocols and static analysis

Introduction to 2G, 3G, 4G and 5G:

  • Guide to the relevant 3GPP protocols
  • Working with the specifications
  • Determining the protocol attack surface
  • Real time packet captures, analyzing a sample PCAP

Shannon: Static analysis and an architecture overview:

  • Tasks, memory management and code structure
  • Debugging functionality
  • Samsung IPC: Talking to the Application Processor
  • The Platform Abstraction Layer and the HAL

MediaTek: A comparison with Shannon:

  • Nucleus OS: implementation in MediaTek
  • Debugging the MediaTek baseband
  • Interaction with the AP

Setting up a rogue BTS:

  • Getting started with BTS source code
  • Making phone calls and sending SMS over your own network

Session 3: Finding bugs in Shannon and MediaTek

2G and 3G sub-protocols:

  • Reverse engineering of a protocol handler in Shannon and in MediaTek
  • Adapting BTS source code to run with GPRS and a primer on the protocol
  • Vulnerability research in 4G and 5G:
  • Getting the environment up and running
  • Working with mutual authentication
  • Enumerating pre-authentication attack surfaces

Finding Shannon bugs:

  • Enumerating Over-The-Air (OTA) radio packet parsers
  • Guiding the students towards finding a Shannon bug presented at Pwn2Own 2018
  • Guiding the students towards finding a recent Shannon bug that was silently patched

Finding MediaTek bugs:

  • Guiding the students towards finding a GPRS bug in MediaTek
  • Analysing the bug using the adapted hooking framework
  • Opening related attack surfaces in MediaTek

Session 4: Exploiting a Shannon n-day

Modifying BTS source code code to deliver the exploit payload

Exploit primitives:

  • Restoring execution after a Shannon stack overflow - resuming the message parsing loop
  • Exploiting heap overflows in Shannon OS
  • Analysing the stack and heap for secondary exploitation primitives
  • Challenges/exploit mitigations

Achieving code execution:

  • Developing a proof of concept (PoC)
  • Using ROP for a full exploit
  • Loading the initial shellcode stub into global memory
  • Building a custom bridgehead - receiving the main payload over the air
  • Second stage: Modifying the system's behaviour in order to capture traffic or escalate to the AP

Baseband emulation for vulnerability research

Escalating to the Application Processor (AP) and Android - an introduction

Pre-requisites

  • C and Python
  • Good reverse engineering knowledge
  • Recommended: Familiarity with ARM assembly

Hardware Requirements

  • A laptop with a minimum of 8 CPU threads, 16GB RAM and two USB 3 (USB-A) ports (Mx / ARM Mac currently not supported, Intel Mac are OK) 
  • Windows: minimum of Intel 12th generation CPU or AMD equivalent 
  • Linux / MacOS: minimum of Intel 11th generation CPU or AMD equivalent
  • 40 GB free hard disk space

Software Requirements

  • IDA Pro with ARM Architecture MANDATORY (version 7.6 SP1 or higher)
  • Hex-Rays 32-bit ARM Decompiler OPTIONAL BUT HIGHLY RECOMMENDED
  • Linux / Windows / Mac OS desktop operating systems
  • VMWare (all platforms) or KVM (Linux only, if you prefer it to VMWare) MANDATORY
  • - Administrator / root access MANDATORY

Bio

Pedro Ribeiro (@pedrib1337) is a vulnerability researcher and reverse engineer with over 16 years of experience. Pedro has found and exploited hundreds of vulnerabilities in software, hardware and firmware. He has over 160 CVE ID attributed to his name (most of which related to remote code execution vulnerabilities) and has authored over 60 Metasploit modules which have been released publicly. He also regularly competes in Pwn2Own as part of the Flashback Team, winning the coveted Master of Pwn in 2020. 

Besides his public vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), with a variety of clients worldwide.

More information about Pedro's publicly disclosed vulnerabilities can be found at github.com/pedrib/PoC. Flashback Team's YouTube channel can be found at youtube.com/@FlashbackTeam.

 

Nitay Artenstein (@nitayart) is a senior security researcher and the leader of an international research group. He has been a speaker at various security conferences, including Black Hat and Recon, and has conducted training sessions in Linux kernel exploitation and baseband research. He suffers from a severe addiction to IDA Pro (at least until he gets used to Ghidra’s GUI), and generally gets a kick out of digging around where he’s not supposed to.