Marco Grassi and Kira

Exploring the MediaTek Baseband


Cellular communications and basebands have long been obscure, rarely explored topics in public; only in the last couple of years has more public research surfaced. Cellular modems are an interesting remote attack surface, and they often lack modern mitigations, making them an attractive target for a "0-click" compromise over the air.

This talk opens with a brief introduction to the main cellular network technologies (2G to 5G) and how to set up a network, to get everyone up to speed. We will then explore the MediaTek baseband processor and its firmware, which past public research has covered less.


Marco Grassi (@marcograss) is currently a Senior Security Researcher at KeenLab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo at Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team that won the title of "Master Of Pwn" at Pwn2Own 2016. He found a VMware escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi exploit at Mobile Pwn2Own 2017, where the team was awarded "Master Of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.


Kira (Xingyu Chen) is a security researcher at Tencent KeenLab. He has a wide range of interests in security, virtualization and basebands in particular. He plays CTF with team eee & A*0*E, which participated in DEF CON 25 & 26. He has made a VirtualBox escape (together with Marco Grassi) and a QEMU escape.