<i>rC3 preroll music</i>

Herald: Our next speaker, Alisa Esage, is
an independent vulnerability researcher

and has a notable record of security
research achievements such as this year,

the initiative Silver Bounty Hunter Awards
2018. Alisa is going to present her latest

research on the Qualcomm DIAG protocol,
which is found abundantly in Qualcomm

Hexagon based cellular modems. Alisa,
we're looking forward to your talk now.

Alisa Esage: This is Alisa Esage, you're
attending my presentation about Advanced

Hexagon DIAG at Chaos Communication
Congress 2020 remote experience. My main

interest as advanced vulnerability
researcher is complex systems and hardened

systems. For the last 10 years I have been
researching various classes of software

such as Windows kernel, browsers,
JavaScript engines. And for the last three

years I was focusing mostly on
Hypervisors. The project that I'm

presenting today was a little side project
that I made for distraction a couple years

ago. The name of this talk Advanced
Hexagon DIAG is a bit of an understatement

in the attempt to keep this talk a little
bit low key in the general internet,

because a big part of the talk will
actually be devoted to a general

vulnerability research in basebands. But
the primary focus of this talk is on the

Hexagon DIAG, also known as QCDM Qualcomm
diagnostic manager. This is a proprietary

protocol developed by Qualcomm for use in
their basebands, and it is included on all

Snapdragon SoCs and modem chips produced
by Qualcomm. More than Qualcomm chips run

on custom silicone with a custom
instruction set architecture and named

QDSP6 Hexagon. This is important because
all the DIAG handlers that we will be

dealing with are written in this
instruction set architecture. As usually

with my talks, I have adjusted the
materials of this presentation for various

audiences, for the full spectrum of
audiences, specifically the first part of

the presentation is mostly specialized for
research directors and high level

technical staff. And the last part is more
deep technical. And it would be mostly

interesting to specialized vulnerability
researchers and low level programmers that

somehow are related to this particular
area. Let's start from the top level

overview of cellular technology. This mind
map presents a simplified view of various

types of entities that we'd have to deal
with with respect to basebands. It's not a

complete diagram, of course, but it only
presents the classes of entities that

exist in this space. Also, this mind map
is specific to the clean site equipment,

the user equipment and it completely omits
any server side considerations which are a

world in their own. There exists quite a
large number of cellular protocols on the

planet. From the user perspective, this is
simple. This is usually the shared name

3G, 4G that you see on the mobile screen.
But in reality, this simple name, that

generation name encodes - may encode
several different distinct technologies.

There are a few key points about cellular
protocols that are crucial to understand

before starting to approach this area. The
first one is the concept of a generation.

This is simple. This is simply 1G, 2G and
so on. The generic name of the family of

protocols that are supported in a
particular generation. Generation is

simply a marketing name, for users. It
doesn't really have any strict technical

meaning. And generations represent the
evolution of cellular protocols in time.

The second most important thing about
cellular protocols is the air interface.

This is.. or the protocol, which actually..
this is the lowest level protocol which

defines how exactly the cellular 
signal is digitized and read from the

electromagnetic wave and how exactly the
different players in this field divide the

space. Historically, there existed two
main implementations of this low level

code called TDMA and CDMA. TDMA means time
division multiple access, which basically

divides the entire electromagnetic
spectrum within the radio band into time

slots that are rotated in a round robin
manner by various mobile phones so that

they speak in turns. TDMA was the base for
the GSM technology. And GSM was the main

protocol used on this planet for a long
time. Another low level implementation is

CDMA. It was a little bit more complex
from the beginning. It's decoded as coded

division multiple access. And instead of
dividing the spectrum in time slots and

dividing the protocol in bursts, CDMA uses
random codes that are assigned to mobile

phones so that this code can be used as an
additional randomizing mask against the

modulation protocol. And multiple user
equipments can talk on the same frequency

without interrupting each other. Note here
that CDMA was developed by Qualcomm and it

was mostly used in the United States. So
at the level of 2G, there were two main

protocols, GSM based on the TDMA and the
cdmaOne based on the CDMA. On the third

generation of mobile protocols these two
branches of development were continued. So

GSM evolved into UMTS, while cdmaOne
evolved into CDMA2000. The important point

here is that UMTS has at this point
already adopted the low level air

interface protocol from the CDMA and
eventually at the fourth generation of

protocols these two branches of
development come together to create the

LTE technology and the same for the 5G.
This is a bit important for us as from the

offensive perspective, because first of
all, all of this technologies including

the air interfaces represents separate
bits of code with separate parsing

algorithms within the baseband firmware.
And all of them are usually presented in

each baseband, regardless of which one you
actually use. Does your mobile provider

actually support. Another important and
not obvious thing from the offensive

security perspective here is that because
of this, evolutionary development of the..

protocols are not actually completely
distinct. So if you think about LTE, it is

not a completely different protocol from
GSM, but instead it is based largely on

the same internal structures. And in fact,
if you look at the specifications, some of

them are almost directly relevant. The
specifications of the GSM 2G, some of them

are still directly relevant to some extent
to LTE. This is also important when you

start analyzing protocols from the
offensive perspective. The cellular

protocols are structured in a nested 
way, in layers. Layers is the official

terminology adopted by the specifications
with the exception of level zero. Here I

just edited it for convenience, but it's
in the specifications layer start from one

and proceed to three. From the offensive
perspective, the most interesting is level

three, as you can see from the screenshot
of the specifications, because it encodes

most of the high level protocol data, such
as handling SMS and GSM. This is the part

of the protocol which actually contains
interesting data structures with TLV

values and so on. When people talk about
attack in basebands, they usually mean

attack in baseband over the air. Their OTA
attack vector, which is definitely one of

the most interesting. But let's take a
step back and consider the entire big

picture of the baseband ecosystem. This
diagram presents a unified view of

generalized architecture of a modern
baseband with attack surfaces. First of

all, there are two separate distinct
processors: the AP, application processor,

and the MP, which is mobile processor. It
may be either a DSP or another CPU.

Usually there are two separate processors
and each one of them runs a separate

operating system. In case of the AP, it
may be Android or iOS and the baseband

processor will draw on some sort of real-
time operating system provided by the

mobile vendor. Important point here that
on modern implementations, baseband

actually protected by some sort of secure
execution environment, maybe TrustZone on

Androids or SEPOS on Apple devices. Which
means that the privilege boundary which is

depicted here on the left side is dual
sided. So even if you have kernel access

to the Android kernel, you still are not
supposed to be able to read the memory of

the baseband or somehow intersect with its
operation, at least on the modern

production smartphones. And the same goes
around to the baseband, which is not

supposed to be able to access to application
processor directly. So these two are

mutually distrusting entities that are
separated from each other. And so there

exists privilege boundary, which is -
which represents attack surface. Within

the real-time operating systems, there are
three large attack surfaces. Starting from

right to left: the rightmost gray box
represents the attack surface of the

cellular stacks. This is the code which
actually parses the cellular protocols.

It's usually runs in several distant real-
time operating system tasks. And this part

of the attack surface handles all the
layers of the protocol. There is a huge

amount of parsing that happens here. The
second box represents the various

management protocols. The simplest one to
think about is the AT command protocol. It

is still widely included in all basebands,
and it's even usually exposed in some way

to the application processor. So you can
actually send some AT commands to the

cellular modem. About a bit more interesting
is the vendor specific management

protocols, one of them is the DIAG
protocol. Because the modern basebands are

very complex. So vendors need some sort of
specialized protocol to enable

configuration and diagnostics for the
OEM's. In case of Qualcomm, for example,

DIAG is just one of the many diagnostic
protocols involved. The third box is what

I call the RTOS core, it is various
core level functionality, such as the

code, which implements that interface to
the application processor. On the side of

the application operating system such as
Android, there are also 2 attack surfaces

that are attackable from the baseband. The
first one is the peripheral drivers,

because the basement is a separate part of
peripherals. So it requires some

specialized drivers that handle I/O and
such things. And the second one is the

dark surface represented with various
interface handlers because the baseband

and the main operating system cannot
communicate directly. They use some sort

of a specialized interface to do that. In
case of Qualcomm this is shared memory.

And so this shared memory implementations
are usually quite complex and they

represent an attack surface on the both 
sides. And finally, the third piece of this

diagram is in the lowest part. I have
depicted two grey boxes which are related

to the trusted execution environment.
Because typically a modem runs as a

Trustled in a secure environment. So
technically, the attack surfaces that

exists within TrustZone or related to it
also can be useful for baseband offensive

research. Here we can distinguish at least
two large attack surfaces. The first one

is the secure manager of call handlers, 
which is the core interface that

handles calls from the application
processor to the TrustZone. And the second

one are the Trustlets. They are separate
pieces of code which are executed and

protected by the TrustZone. On this
diagram, I have also added some

information about data codex, I'm not sure
if they are supposed to be in the RTOS

core because these things are directly
accessible from the cellular stacks

usually, especially ASN. 1, which I have
seen some bugs reachable from the over the

air interface. On this diagram, I have
shown some example of vulnerabilities. I

will not discuss them in details here
since it's not the point of the

presentation, but at least the ones from
Baodong, you can find the writeups on

the Internet. To discuss baseband
offensive tools and approaches, I have

narrowed down the previous diagram to just
one attack surface, the over the air

attack surface. This is the attack
surface, which is represented by parsing

implementations of various cellular
protocols inside the baseband operating

system. And this is the attack surface
that we can reach from the air interface.

In order to accomplish that, we need a
transceiver such as software defined radio

or a mobile tester, which is able to talk
the specific cellular protocol that we're

planning to attack. The simplest way to
accomplish this is use some sort of a

software defined radio, such as Ettus
research USRP or blade RF and install open

source implementation of a base station
such as OpenBTS or OpenBSC. The thing to

note here is that the software based
implementations actually lagged behind the

development of technologies.
Implementations of GSM base stations are

very well established and popular, such as
OpenBTS. And in fact, when I tried to

establish BTS with my USRP, it was quite
simple. For UMTS and LTE, there exists less

number of software based implementations
and also there are more constraints on the

hardware. For example, my model of the
USRP does not support UMTS due to resource

constraints. And the most interesting
thing here is that there does not exist

any software based implementation on the
CDMA that you can use to establish a base

station. This is a pseudorandom diagram of
one of the Snapdragon chips. There exists

a huge amount of various models of
Snapdragons. This one I have chosen

pseudorandomly when I was searching for
some sort of visual diagram. Qualcomm used

to include some high level diagrams of the
architecture in their marketing materials

previously. But since they don't do this
anymore. And this particular diagram is

from a technical specification of a
particular model 820. Also this particular

model Snapdragon is... a bit interesting
because it is the first one that included

the artificial intelligence agent, which
is also based on Hexagon. For all

purposes, the main interest here are the
processors. Majority of snapdragons

include quite a long list of processors.
There are at least 4 ARM-based Kryo-CPUs

that actually run the Android operating
system. Then there are the Adreno GPUs and

then there are several Hexagons. On the
most recent models there is not just one

Hexagon processing unit, but several of
them. And they are called respectively to

their purposes. Each one of them, each one
of these Hexagon cores is responsible for

handling a specific functionality. For
example, MDSB handles modem and runs the

real-time operating system. The ADSP
handles media and the CDSP handles

compute. So the Hexagons actually
represent around one half of the

processing power, more than Snapdragons.
There are two key points about the Hexagon

architecture from the hardware
perspective. First of all, it is- Hexagon

is specialized to parallel processing. And
so the first concept is variable size

destruction packets. It means that
several instructions can execute

simultaneously in separate execution
units. It also uses hardware

multithreading for the same purposes. On
the right side of the slide here is some

example of the Hexagon assembly. It is
quite funny at times. This curly brackets

should present the instructions that are
executed simultaneously. And these

instructions must be compactable in order
to be able to use that distant processing

slots. And then there is the funny .new
notation which actually enables the

instructions to use both the old and the
new value of a particular register within

the same instruction cycle. This provides
quite a bit of optimization on the lower

level. For more information, I can direct
you to the Hexagon Specification and

programmers reference manual, which is
available from the Qualcomm website. The

concept of production fusing is quite
common. As I said previously, it's a

common practice from mobile device vendors
to lock down the devices before they enter

the market to prevent modifications and
tinkering. And for the purposes of this

locking down, they usually- there are
several ways how this can be accomplished.

Usually various advanced diagnostic and
debugging functionalities are removed from

either software or hardware or both. It is
quite common that this functionalities are

only removed from software while the
hardware remains here. And in such case,

we will- eventually the researchers will
come up with their own software based

implementation. All this functionality as
in case with some custom iOS kernel

debuggers, for example. In case of
Qualcomm, there was at some point a leaked

internal memo which discusses what exactly
they are doing for production fusing the

devices. In addition to our production
fusing in case of modern Androids, the

baseband runs within the trust zone. And
on my implementation, it is already quite

locked down. It uses a separate component.
The baseband uses a separate component

named the MBA this stands for the modem
basic authenticator. And this entire thing

is run by the subsystem of Android kernel
named PILO, the peripheral image loader.

You can open the source code and
investigate how exactly it looks. And the

purpose of the MBA is to authenticate the
modem firmware so that you would not be

able to inject some arbitrary commands
into the modem firmware and flash it. This

is another side of the hardening, which
makes it very difficult to inject any

arbitrary code into the baseband.
Basically, the only way to do this is

through a software vulnerability. During
this project I have reverse engineered

partially the Hexagon modem firmware from
my implementation, from my Nexus 6b. The

process of reverse engineering is not very
difficult because all you need is to

download the firmware from the website,
Googles website in this case. Then you

need to find the binary which corresponds
to the modem firmware. This binary is

actually a compound binary that must be
divided into separate binaries that

represent specific sections inside the
firmware. And for that purpose we can use

the unified Trustlet script. After you
have split the baseband firmware into separate

sections, you can load them into IDA Pro.
There are several plugins available for

IDA Pro that support Hexagon. I have tried
one of them. I think it was GSMK and it

works quite good for basic reverse
engineering purposes. Notable here is that

some sections of the modem firmware are
compressed and relocated at runtime, so

you would not be able to reverse engineer
them. And unless you can decompress them,

which is also a bit of a challenge because
the Qualcomm uses some internal

compression algorithm for that. For the
reverse engineering the main approach here

is to get started with some root points,
for example, because this is a real time

operating system, we know that it should
have some task structures and task

structures that we can locate. And from
there we can locate some interesting code.

In case of Hexagon this is a bit non-
trivial because, as I said, it doesn't

have any log strings. So even though you
may locate something that looks like a

task struct, but it's not clear which code
does it actually represent. So the first

step here is to apply the log strings that
were removed from the binary by Qshrink. I

think the only way to do it is by using
that msg_hash.txt file from the leaked

sources. This file is not supposed to be
available neither on the mobile devices

nor in some open ecosystem. And after you
have applied these log strings, you will

be able to rename some functions. And
based on these log strings and because the

log strings often contain the names of the
source file, source module from which the

code was built. So it creates opportunity
to understand what exactly this code is

doing. Debugging was completely
unavailable in my case, and I realized

that it would require some couple of
months more work to make it work and the

only way I think, and the best way is to
create a software based debugger similar

to modkit, the publication that I will be
referencing in the references, based on

software vulnerability in either the modem
itself or in some authenticator or in the

trust zone so that we can inject a
software debugger callbacks into the

baseband and connect it to the GDB stop.
This is how the part of the firmware looks

that has log strings stripped out. Here it
already has some names applied using IDA

script. So of course there was no such
names initially, only the hashes. Each one

of these hashes represent a log string
that you can take in from the message hash

file. And here is what you can get after
you have applied the textual messages and

renamed some functions. In this case, you
would be able to find some hundreds of

procedures that are directly related to
the DIAG subsystem. And in a similar way

you can locate various subsystems related
to over the air vectors as well. But

unfortunately, majority of the OTA vectors
are located in the segments that are not

immediately available in the firmware, the
ones that are compressed and relocated.

Meanwhile, I have tried many different
things during this project. The things

that definitely worked is building the MSM
kernel. There is nothing special about

this, just a regular cross-build. Another
commonly well known offensive approach is

firmware downgrades. When you take some
old firmware that contains a well-known

security vulnerability and flash it and
use the bug to create and exploit to

achieve some additional functionality or
introspection into the system. This part

definitely works, downgrades are trivial
both on the entire firmware and a modem as

well as the trust zone. I did try to build
the Qualcomm firmware from the leaked

source codes. I assigned just a few days
to the task since it's not mission-

critical and I have run out of time,
probably was a different version of sorce

codes. But actually, this is not a
critical project because building leaked

firmware is not directly relevant to
finding new bugs in the production

firmware. So I just said it aside for some
later investigation. I have also

investigated the ramdump's ecosystem a
little bit on the software side at least.

And it seems that it's also fused quite
reliably. This is when I remembered about

the Qualcomm DIAG. During the initial
reconnaisance I stumbled on some

whitepapers and slides that mentioned the
Qualcomm diagnostic protocol. And it

seemed like quite a powerful protocol,
specifically with respect to reconfiguring

the baseband. So I decided to, first of
all, to test it in case that it would

actually provide some advanced
introspection functionality and then

probably to use it.. to use the protocol for
enabling log dumps. Qualcomm DIAG or QCDM

is a proprietary protocol developed by
Qualcomm with the purposes of advanced

baseband software configuration and
diagnostics. It is mostly aimed for OEM

developers, not for users. The Qualcomm
DIAG protocol consists of around 200

commands at least in theory. Some of them
are quite powerful on paper such as

downloader mode and read/write memory.
Initially the DIAG was partially reverse

engineered around 2010 and included in the
open source project named Modem Manager.

And then it was also exposed in a
presentation at the Chaos Communication

Congress 2011 by Guillaume Delugré. I
think this presentation popularized it and

this is the one that introduced me to this
protocol. Unfortunately, that presentation

is not really relevant - majority of it -
to modern production phones, but it does

provide a high level overview and a
general expectation of what you will have

to deal with. From the offensive
perspective, the DIAG protocol represents

a local attack vector from the application
processor to the baseband. A common

scenario of how it can be useful is
unlocking mobile phones which are locked

to a particular mobile carrier. If we find
a memory corruption vulnerability in DIAG

protocol, it may be possible to execute a
call directly on the baseband and change

some internal settings. This is usually
accomplished historically through the IT

common handlers, but internal proprietary
protocols are also very convenient for

that. The second scenario how that diag
offensive can be useful is using it for

injecting a software based debugger. If
you can find a bug in DIAG that enables

read/write capability on the baseband, you
can inject some debugging hooks and

eventually connect it to a GDB stop. So it
enables to create a software based

debugger even when GTAG is not available.
What has changed in DIAG in 10 years based

on some cursory investigation that I did.
First of all, the original publication

mentioned Qualcomm baseband based on ARM
and with a Rex operating system. All modern

Qualcomm basements are based on
Hexagon as opposed to ARM. And the Rex

operating system was replaced with Kirt,
which I think is still has some bits of

Rex, but in general it's a different
operating system. Majority of super

powerful commands of DIAG such as
downloader mode and memory read/write were

removed, at least on my device. And also
it does not expose any immediately

available interfaces such as USB channel.
I hear that it's possible to enable the

USB DIAG channel by adding some special
boot properties, but usually it's not, it

wouldn't be available. It shouldn't be
expected to be available on all devices.

So this observations are based on my test
device, Nexus 6b. And this this should be

around medium level of hardening. More
modern devices such as Google pixels, the

modern ones should be expected to be even
more hardened than that. Especially on the

Google side, because they take hardening
very seriously. As opposed to it on the

other side of the spectrum if you think
about some no name modem sticks, these

things can be more open and more easy to
investigate. The DIAG implementation

architecture is relatively simple. This
diagram is based roughly on the same

diagram that I presented in the beginning
of talk. On the left side there is the

Android kernel and on the right side there
is the baseband operating system. DIAG

protocol actually it works in both sides.
It's not only commands that can be sent by

the application processor to the baseband,
but it's also the messages that can be

sent by the baseband to the application
processor. So DIAG comments are not really

comments - they're more like tokens that
also can be used to encode messages. The

green arrows on this slide represents an
example of call flow, of the data flow

originating from the baseband and going to
the application processor. So obviously,

in case of commands there would be a
reverse call flow or data flow. The main

entity inside the operating system,
baseband operating system responsible for

DIAG is the DIAG task. It has a separate
task which handles specifically various

operations related to the DIAG protocol.
The exchange of data between the DIAG task

and other tasks are done through the ring
buffer. So, for example, if some tasks

needs to log something through the DIAG,
it will use specialized logging APIs that

will in turn put logging data into the
ring buffer. The ring buffer will be

drained either on timer or on a software
based interrupt from the caller. And at

this point the data will be wrapped into
DIAG protocol and from there it will go to

sI/O task, this Serial I/O which is
responsible to send in the output to a

specific interface. This is based on the
modem, on the baseband configuration. The

main interface that I was dealing with is
the shared memory, which ends up in the

DIAG shared driver inside the Android
kernel. So in case of sending the commands

from the Android kernel to the baseband,
it will be the reverse flow. First, you

will need to send some- to craft the DIAG
protocol data, send it through the DIAG

shared driver that will write to the
shared memory interface. From there, it

will go to the specialized task in the
basement and eventually end up in the DIAG

task and potentially other responsible
task. On the Android side, DIAG is

represented with the /dev/diag device,
which is implemented with the diagchar,

and diagfwd kernel drivers in the MSM
kernel. The purpose of the DIAG shared

driver is to support the DIAG interface.
It is quite complex in code, but

functionally it's quite simple. It
contains some basic minimum of DIAG

commands that enable configuration of the
interface on the baseband side. And then

it would be able to multiplex the DIAG
channel to either USB or a memory device.

It also contains some IOCTLs for
configuration that can be accessed from

the Android user land. And finally, the
IOCTL filters various DIAG commands that

it considers unnecessary. This is a bit
important because when you will start,

when you'll try to do some tests and send
some arbitrary DIAG comments with the DIAG

interface, you would be required to
rebuild the actual driver to remove this

masking, otherwise your commands will not
make it to the baseband side. At the core,

the DIAG shared driver is based on the SMD
shared memory device interface, which is a

core interface specific to Qualcomm modem.
So this is where DIAG is, diagchar

is on the diagram. The diagchar
driver itself is located in the

application OS's vendor specific drivers.
And then there is some shared memory

implementation in the baseband that
handles this and the DIAG implementation

itself. diagchar driver is quite complex
in code, but the functionality is quite

simple. It does implement a handful of
CTLs that enables some configuration. I

didn't check what exactly this IOCTLs are
responsible for. It exposes the /dev/diag

device which is available for it in the
writing. However, by default, you are not

able to access the DIAG channel based 
on- for this device, because in order to

access it, there is diag_switch_logging
function, which switches the channel that

is used for DIAG communications. On the
screen there are several modes listed, but

in practice only two of them are
supported. The USB mode and the memory

device mode. USB mode is the default, so
which is why if you just open, the

/dev/diag driver, dev/diag device and try
to read something from it, it won't work,

is tied to USB. And in order to
reconfigure it to use the memory device,

you need to send a special IOCTL code.
Notice the procedure named

mask_request_validate, which employs a
quite strict filtering on the DIAG commands

that you try to send through this
interface. So it filters out basically

everything with the exception of some
basic configuration requests. At the core,

DIAG shared driver use the shared memory
device to communicate with the baseband.

The SMD implementation is quite complex.
It exposes SMD Read API, which is used by

DIAG share for reading the data from the
shared memory, one of the APIs. Shared

memory also operates on the abstraction of
channels which are accessed through the

API named smd_named_open_on_edge. So you
can notice here that there are some DIAG

specific channels that can be opened. 
Now, let's take a look at the SMD

implementation. This is a bit important
because a shared memory device represents

a part of the attack surface for
escalation from the modem to the

application processor. This is a very
important attack surface because if you

just achieve code execution on the
baseband, it's mostly useless because it

cannot access the main operating system.
And in order to make it useful, you'll

need to create and exploit chain and add
one more exploit based on that bug with

privilege escalation from the modem to the
application processor. So shared memory

device is one of the attack surfaces for
this. The shared memory device is

implemented as exposed memory region
exposed by the Qualcomm peripheral. The

specialized MSM driver will map it and
here it's the name is smem_ram_phys, the

base of the shared memory region. The
shared memory region operates on the

concept of entries and channels, so it's
partitioned in distant parts that can be

accessed through the procedure,
smem_get_entry and one of these entries is

SMEM_CHANNEL_ALLOC_TBL, which contains the
list of available channels that can be

opened. From there, we can actually open
the channels and use the shared memory

interface. During this initial research
project, it wasn't my goal to research the

entire Qualcomm ecosystem, so while I was
preparing for this talk, I have noticed

some more interesting things in the source
codes, such as, for example, the

specialized driver that handles GTAG
memory region, which is presumably exposed

by some Qualcomm system of chips. In the
drivers this is mostly used read only, and

I suppose that will not really work for
writing, but it's worth checking probably.

And now, finally, let's take a look at the
DIAG protocol itself. One of the first

things that I noticed when researching the
DIAG protocol is that it's actually used

in a few places, not only in libqcdm. A
popular tool named SnoopSnitch can enable

protocol dumps, so there are protocol
dumps on rooted devices. And in order to

accomplish this, it's SnoopSnitch sends an
opaque blob of the commands to the mobile

device through the DIAG interface. This is
blob is not documented. So it got me

curious what exactly these commands are
doing. But before we can look at the dump,

let's understand the protocol. The DIAG
protocol consists of around 200 of commands

or tokens. Some of them are documented in
the open source, but not all of them. So

you can notice on the screenshots, some of
the commands are missing. And one of the

missing commands is actually the token 0x92 
hexadecimal, which represents an encoded hash log

message. The common format is quite
simple. The best pritimitive here is the

DIAG token number 0x7E, it's not really a
delimiter, it's a separate DIAG command

126. It's missing in the open source, as
you can see here. So the DIAG command is

nested. The outer layer consists of this
wrapper of 0x7e hexadecimal bytes. Then

there is the main command and then there
is some variable length data that can

contain even more subcommands. This entire
thing is verified using the CRC and some

bytes are escaped. Specifically, as you
can see on the snippet. One interesting

thing about the DIAG protocol is that it
supports subsystem extensions. Basically,

different subsystems in the baseband can
register their own DIAG system handlers,

arbitrary ones. And there is a special DIAG
command number 75, which simply forwards..

instructs the DIAG system to forward this
command to the respective subsystem. And

then it will be parsed there. There exists
quite a large number of subsystems. Not

all of them are documented, and when I
started investigating this, I noticed that

there actually exists a DIAG subsystem-
subsystem and debugging subsystem. The

later one immediately interested me
because I was hoping that it would enable

some more advanced introspection through
this debugging subsystem. But it turned

out that the debugging subsystem is quite
simple. It only supported one command:

inject crash. So you can send a special
DIAG comment that will inject the crash

into the baseband. I will talk later about
this. Now, let's take a look at specific

examples of the DIAG protocol. This is the
annotated snippet of the blob of commands

from SnoopSnitch. This blob actually
consists of three large logical parts. The

first part is largely irrelevant. It's a
bunch of commands that request various

informations from the baseband, such as
timestamp, version info, build id and so

on. The second batch of commands starts
with a command Number 0x73 hexadecimal.

This is DIAG common log config. This is the
command which enables protocol dumps and

configures them. And third part of this
blob starts with the command number 0x7D

hexadecimal. This is the
CMD_EXT_MESSAGE_CONFIG. This is actually

the command that is supposed to enable
textual message logging, except that in

case of SnoopSnitch it disables all of the
logging altogether. So how do you actually

cellular protocol dumps work? In order to
enable the cellular product dumps, we need

DIAG_CMD_LOG_CONFIG, number 0x73
hexadecimal. It is partially documented in

the libqcdm. The structure of the packet
would contain the code and the subcommand,

that would be set mask in this case. It
also needs an equipment ID, which

corresponds to the specific protocol that
we want to dump. And finally, the masks

that are applied to filter some
parts of the dump. This is relatively

straightforward. And now the second command, DIAG_CMD_EXT_MESSAGE_CONFIG. This

is the one which is supposed to enable
textual message logs. The command format

is undocumented. So let's take a closer
look at it. The command consists of a

subcommand. In this case, it's subcommand
number 4, the set mask. And then there are

two 16 bit integers. SSID start and end.
SSID is subsystem ID, which is not the

same as DIAG subsystems. And the last one
is the mask, so subsystem IDs are used to

filter the messages based on a specific
subsystem, because there is a huge amount

of subsystems in the baseband. And if all
of them start logging, this is a huge

amount of data. So DIAG provides this
capability to filter a little bit, to a

specific subsystem that you're interested
in. The snippet of Python code here is an

example how to enable textual message logging
for all subsystems. You need to set the

mask to all 1s. And this is quite a lot of
logging in my experience. Now for parsing

the incoming log messages, there are two
types of DIAG tokens, both of them are

undocumented. The first one is a legacy
message number 0x79 hexadecimal. This is a

simple ASCII based message that arrives
through the DIAG interface so you can

parse it quite straightforwardly. The
second one is I called it

DIAG_CMD_LOG_HASH, it's number 0x92
hexadecimal. This is the token which

encodes the log messages that contain only
the hashes. This is the one that if you

have the msg_hash.txt file, you can
correspond the hash that was arrived to

this command to the messages provided in
the text file. And you can get the textual

logs. On the lower part of the slide there
are two examples of hexdumps from both

commands. Both of them have a similar
structure. First, there are 4 bytes

that are essential. The first one is the
command itself. And the third byte is

quite interesting is the number of
arguments included. Next there is 64 bit

value of timestamp. Next there is the SSID
value, 16 bit. Some line number, and I'm

not sure what is the next argument. And
finally, after that, there is either ASCII

encoded log string in plain text or hash
of the log string. And optionally there

may be included some arguments, though, in
case of the first legacy command. The

arguments are included before the log
message and in case of the second command

they are included after the MD5 hash in
the log message, at least in my version of

this implementation. And this is the DIAG
packet that enables you to inject a crash

into the baseband, at least in theory.
Because in my case it did not work. And by

not working, I mean that it did simply not
enter the baseband. Normally, I would

expect that on production device it should
just reset the baseband. You will not get

a crash dump or anything like that, just a
reset. So I suppose that it still should

be working on some other devices. So it's
worth of checking. There are a few types of

crashes that you can request in this way.
In order to accomplish this, I needed a

very simple tool with basically two
functions. first, direct easy access to

the DIAG interface, ideally through some
sort of python shell. And second is the

ability to read and parse data with
advanced log strings. For that purpose. I

wrote a simple framework that I named
diagtalk, which is based directly on the

diag interface in the Android kernel and
or with a Python harness. So on the left

side, here is the example of some advanced
parsing with some leaked values. And on

the right side, here is the example of the
advanced message log, which includes the

log strings that were extracted.. that were
stripped out from the firmware. The log is

quite fun, as I expected it to be, it has
a lot of detailed data, such as, for

example, GPS coordinates and various
attempts of the basement to connect to

different channels. And I think it's quite
useful for offensive research purposes,

it's even contained sometimes raw pointers
as you can notice on the screenshot. So in

this project, my conclusion was that
indeed I was reassured that it was the

right choice and Hexagon seems to be a
quite a challenging target, and it would

probably need several more months of work
to even begin to do some serious offensive

work. I also started to think about
writing a software debugger because it

seems to be the most.. probably the most
reliable way to achieve debugging

introspection. And also, I noticed some
blank spaces in the field that may require

future work. For Qualcomm Hexagon
specifically, there is a lot of things

that can be done. For example, you can
take a look at other Qualcomm proprietary

diagnostic protocols of which there are a
few, such as QMI for example, I think they

are lesser known than DIAG protocol. And
then there is a requirement to create a

full system emulation based on QEMU at
least for some chips. And a big problem

about the decompiler, which is a major
obstacle to any serious static analysis in

the code and for the offensive research,
there are 3 large directions. First one is

enabling debugging. There are different
ways for that. For example, software based

debugging or bypassing JTAG fusing, on the
other hand. Next, there are explorations

of the over the air attack vectors. And
the 3rd one is escalation from the baseband

to the application processor. These are
the 3 large offensive research vectors.

And for the basebands in general, there
also exists some interesting directions of

future work. First of all, the OsmocommBB.
It definitely deserves some update a

little bit. It is the only one open source
implementation of a baseband. And it is so

outdated. And there is, and it is based on
some real obscure hardwares. Another

problem here is that there doesn't exist
any software based CDMA implementation.

<i>No sound</i>

Herald: Alisa, thank you very much for
this nice talk. Um, there are some

questions from the audience. So basically
the first one is a little bit of an

icebreaker: Do you use a mobile phone? 
And do you trust it?

Alisa: No, I don't try to use a mobile
phone only for Twitter. Does anyone still

use mobile phones nowadays?
H: <i>laughs</i> Well, no idea. Another

question concerns the other Qualcomm
chips. Did you have a look at the Qualcom

Wi-Fi chips sets?
A: As I mentioned during the talk, I had

only one month. It was like a short
reconnaissance project, so I didn't really

have time to investigate everything. I did
notice that Qualcomm socks have a Wi-Fi

chip, which is also based on Hexagon. And
more than that, it also shares some of the

same low level technical primitives. So
it's definitely worth looking, but I didn't

investigate it in details.
H: OK, OK, thanks. There is also a pretty

technical question here, so instead of
having to go through the rigorous command

checking for the DIAG card driver,
wouldn't it be possible to nmap /dev/mem

into userspace process and send over
commands directly so. Depends a little bit

on what the goal is.
A: OK, so it really depends on your

previous background and your goals. The
point here is that by default, the DIAG

shared ecosystem does not allow to send
arbitrary DIAG commands. So either way,

you will have to hack something. One way
to hack this is to rebuild the actual

driver. So you would be able to send the
commands directly through that DIAG

interface. Another way would be to access
the shared memory directly, for example.

But I think it would be more complex
because the Qualcomm shared memory

implementation is quite complex. So I
think that the easiest way would be

actually to hack the DIAG shared driver
and use the deb. DIAG interface for this.

H: OK, thanks. Thanks. There is one
question which I'm going to read out,

maybe you can make sense of it: is this
typically <i>[unclear]</i> security fall mobile phones?

A: This level of hardening that I
presented, I think is around medium level.

So usually production falls are even more
hardened. If you take a look at things

like Google Pixel5 or the latest iPhones,
they will be even better, hardened than

the one that I discussed.
H: Oh, OK. Yeah, thanks. Thanks then. So it

doesn't look like we have any more
questions left. Anyway, so if you want to

get in contact with Alisa, no problem.
There is the feedback tab below your

video now at the moment, just drop your
questions over there. And that's a way to

get in touch with Alisa. Other than that I
would say we're done for today for this

session. Thank you very, very much Alisa
for this really nice presentation once

again. Applause And I'll transfer now over
to the Herald News Show.

<i>postroll music</i>

Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!