Baseband Exploitation
Amat Cama

31st Jan - 3rd February 2022

Mobile devices have become more complex over the past few years. They feature a number of embedded chips which are tasked with handling things such as Wi-Fi, Bluetooth and cellular communications. These represent attractive targets for security researchers. This training will focus on the cellular chip, also known as the baseband processor. It is generally perceived that a significant amount of knowledge is required to do baseband research, and this poses a barrier to entry into the field for some. In this training we will show that baseband exploitation is not particularly different from other, more traditional targets. Students will learn the basics of cellular networks and how to identify, analyze and exploit baseband vulnerabilities.

The training will be divided into three parts. The first part will cover the basics of cellular networks from a security standpoint. The second part will cover setting up a cellular network for research purposes. Finally, we will cover reverse engineering the targets, identifying and exploiting vulnerabilities.

Students will be required to have some familiarity with reverse engineering and exploiting memory corruption vulnerabilities.

  • Objectives
    • Basic understanding of cellular networks
    • Understanding of the interaction between baseband and base stations
    • Understanding of typical baseband architectures
    • Ability to identify and exploit vulnerabilities in the baseband
    • Reverse engineering embedded firmware
  • Prerequisites
    • Familiarity with the ARM architecture
    • Familiarity with memory corruption vulnerabilities and exploitation
    • Be comfortable with C and ARM assembly
    • Basic reverse engineering skills
  • Hardware
    • Laptop with Ubuntu and USB 3 support

Course agenda

  • Day 1: Introduction to Cellular Networks
    • The GSM protocol
    • The 3G protocol
    • The 4G Protocol
    • The CDMA path of cellular protocols
    • Cellular protocols as an attack surface, motivations and impact
  • Day 2: Research Environment Setup
    • Installing and setting up OpenBSC
    • Programming your own SIM card
    • Installing and setting up srsLTE
    • Testing communications and modifying OpenBSC and srsLTE
  • Day 3: Vulnerability Identification and Exploitation I
    • Extracting the firmware image of the target and loading into Ghidra
    • Identifying the cellular stack code
    • Finding ways to debug the target
    • Triggering an n-day GSM vulnerability
    • Triggering an n-day LTE vulnerability
  • Day 4: Vulnerability Identification and Exploitation II
    • Exploiting the n-day GSM vulnerability from the previous day
    • Exploiting the n-day LTE vulnerability from the previous day
    • Future ideas for identifying vulnerabilities and discussion
    • Exploring possibilities of a compromised baseband


Amat is the founder of Securin Technology, a company offering security consulting and research services, code audits and training. He has previously worked as a Penetration Tester at Virtual Security Research, a Product Security Engineer at Qualcomm and a Senior Security Researcher at Beijing Chaitin Technology Co. He is a member of the fluoroacetate duo that won Master of Pwn at Pwn2Own Tokyo 2018 and Pwn2Own Vancouver 2019. His main interests are hypervisors, basebands and kernels.
