Topic created on: May 7, 2009 16:04 CDT by MohammadHosein.
hey,
anybody ever heard of any successful attempt at reverse engineering a commercially available cellphone's baseband? What I need is simply some initial hints to start on an easy target; the goal is being able to control the GSM stack of the phone via software, e.g. controlling signaling messages.
If you choose a Windows Mobile OMAP-based phone (see pdadb), experimenting is very easy: the baseband and application processor share a 4M memory area in which the code is loaded, and which also contains some of the data sections of the baseband CPU.
So you can modify the baseband code while it is running.
If you search this area for a known cell ID, you will also find stuff like the 6 nearest cells' info, channel lists, etc.
This buffer also contains the IPC buffers used for data and the AT-command request/response queues.
| model    | sharedmem app virt | sharedmem app phys | ipc buf app virt | ipc buf bb phys | gsmdata  | gsmcode app virt | gsmcode bb phys |
|----------|--------------------|--------------------|------------------|-----------------|----------|------------------|-----------------|
| typhoon  | 8f180000           | 11d80000           | 8f180000         | 01000000        | 8f18c000 | 8f200000         | 00000000        |
| startrek | 8a100000           | 13c00000           | 8a400000         | 01000000        | 8a410000 | 8a100000         | 00000000        |
| herald   | 8a000000           | 13c00000           | 8a300000         | 01000000        | 8a310000 | 8a000000         | 00000000        |
The HTC Viva is like the Herald.
app virt : the application virtual address
app phys : the application physical address
bb phys : the baseband physical address
When you load the gsmcode in IDA, you first have to find the RAM initialization code,
which relocates several chunks of the binary to higher addresses.
This is the IDC script I used to do this for the startrek GSM version 4.1.13.28_02.67.30 ROM:
// Helpers not shown in the original post: IDC has no memset/memcpy of its own,
// so they are assumed to have been written on top of Byte()/PatchByte().
static memset(dst, val, len) {
    auto i;
    for (i = 0; i < len; i++) PatchByte(dst + i, val);
}
static memcpy(dst, src, len) {
    auto i;
    for (i = 0; i < len; i++) PatchByte(dst + i, Byte(src + i));
}

static main() {
    auto l, d, ea;
    ea = 0x2000;                                   // start of the relocation table
    SegCreate(0x800000, 0x880000, 0, 1, 1, 2);     // 32-bit RAM segments the code relocates into
    SegRename(0x800000, "RAM");
    SegCreate(0x1000000, 0x1100000, 0, 1, 1, 2);
    SegRename(0x1000000, "RAM");
    memset(0x800000, 0, 0x80e000 - 0x800000);      // zero the areas the init code clears
    memset(0x1048000, 0, 0x10d0000 - 0x1048000);
    memcpy(0x811004, 0x281008, 0x8444C4 - 0x811004); // fixed data copy done before the table
    // each table entry: length, destination, then 'length' bytes of payload
    while (1) {
        l = Dword(ea); d = Dword(ea + 4);
        if (l == 0) { break; }                     // zero length terminates the table
        Message("%08lx: %08lx-%08lx -> %08lx-%08lx l=%08lx\n", ea, ea + 8, ea + 8 + l, d, d + l, l);
        memcpy(d, ea + 8, l);
        ea = ea + l + 8;
        if (ea & 3) { ea = ea + 4 - (ea & 3); }    // next entry is 4-byte aligned
    }
    MakeDword(0x2000); OpNum(0x2000, 0);           // mark the table as a dword array
    MakeArray(0x2000, (ea + 8 - 0x2000) / 4);
    SegBounds(0, 0, 0x256A5C, 1);                  // shrink the ROM segment to the code
    //MakeDword(0x281008); OpNum(0x281008, 0);
    //MakeArray(0x281008, (0x8444C4-0x811004)/4);
}
Also helpful is the 'devenv iso' downloadable from http://sourceforge.net/projects/plabs; it contains source code for an older version of the baseband code running on the OMAP baseband CPU.
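To show the same relocation-table walk outside IDA, here is an added Python example (not from the post or the ROM): it parses a table in the layout the script handles, refuses to read past a truncated image, and maps a relocated runtime address back to its file offset. The image it runs on is constructed; the 0x2000 table offset and the entry layout come from the script above, and the fixed memcpy of 0x281008 is not covered.

```python
import struct

# Table offset in the startrek ROM (from the post). Each entry is
# <length:u32><dest:u32><payload>, padded to 4 bytes; length 0 ends the table.
TABLE_OFFSET = 0x2000

def parse_reloc_table(image, offset=TABLE_OFFSET):
    """Walk the table like the IDC loop. Returns ([(src_off, dest, length)],
    end_off) and raises ValueError rather than reading past a truncated image."""
    entries = []
    ea = offset
    while True:
        if ea + 8 > len(image):
            raise ValueError("table header at 0x%x runs past end of image" % ea)
        length, dest = struct.unpack_from("<II", image, ea)
        if length == 0:
            return entries, ea           # terminator reached
        if ea + 8 + length > len(image):
            raise ValueError("entry at 0x%x claims 0x%x bytes past end" % (ea, length))
        entries.append((ea + 8, dest, length))
        ea += 8 + length
        if ea & 3:                       # same 4-byte alignment rule as the script
            ea += 4 - (ea & 3)

def relocate(image, entries):
    """Return {dest_addr: payload bytes} for each relocated chunk."""
    return {dest: bytes(image[src:src + n]) for src, dest, n in entries}

def runtime_to_file_offset(entries, addr):
    """Map a relocated runtime address back to its offset in the ROM file."""
    for src, dest, n in entries:
        if dest <= addr < dest + n:
            return src + (addr - dest)
    return None

def build_sample_image():
    """Constructed image, not a real ROM: a 5-byte chunk (forces padding),
    an 8-byte chunk, then the terminator, all at TABLE_OFFSET."""
    img = bytearray(TABLE_OFFSET)
    img += struct.pack("<II", 5, 0x811004) + b"ABCDE" + b"\0" * 3
    img += struct.pack("<II", 8, 0x1048000) + b"12345678"
    img += struct.pack("<II", 0, 0)
    return bytes(img)

if __name__ == "__main__":
    ents, end = parse_reloc_table(build_sample_image())
    for src, dest, n in ents:
        print("%08x: %08x-%08x -> %08x-%08x" % (src - 8, src, src + n, dest, dest + n))
    print("table ends at 0x%x" % end)
```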