SlideShare a Scribd company logo

BaseBand Processor

Sajidul Qadir
Sajidul Qadir

QualComm BaseBand Processor

Engineering
1 of 41
Reverse engineering a Qualcomm baseband Guillaume Delugr´e Sogeti / ESEC R&D guillaume(at)security-labs.org 28C3 - Berlin
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband The baseband world What is a baseband processor? The main chipset of your phone Responsible for handling telecommunications Directly interfaced to hardware (microphone, speakers, . . . ) Includes stacks for telephony protocols Smartphones also include an application processor running a separate OS (e.g. Android, iOS, . . . ) Largest suppliers Qualcomm (HTC phones, iPhone 4S) MediaTek Infineon (iPhone) G. Delugr´e Reverse engineering a Qualcomm baseband 2/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband The baseband world Getting into the baseband world Hacking phones is something hard to reach Quite a closed industry Network side: reading the 3GPP specs is a life achievement System side: Aside from OsmocomBB, everything is closed Yet good reasons to look into basebands Understanding how a phone really works Very big and old code base, good potential for vulnerabilities Unlocking G. Delugr´e Reverse engineering a Qualcomm baseband 3/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband The baseband world Exploitation on baseband Probably not a lot of exploit mitigation techniques Ralf-Philipp Weinmann reported vulnerabilities in Infineon and Qualcomm basebands But exploitation is almost impossible if you don’t know the environment in which you are running Clear lack of litterature About this talk Describe the RTOS used on a Qualcomm baseband Implementation of a debugger G. Delugr´e Reverse engineering a Qualcomm baseband 4/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 5/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Targeted device G. Delugr´e Reverse engineering a Qualcomm baseband 6/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Targeted device Icon 225 USB 3G stick Qualcomm baseband inside, model MSM6280 Processor ARM926EJ-S (ARMv5) Two proprietary Qualcomm DSPs (audio & modem) Evolution Model dating back to 2008 REX kernel running as OKL4 guest in newer generations G. Delugr´e Reverse engineering a Qualcomm baseband 7/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband 3G USB stick normal operation mode The stick emulates a serial line over USB Communication with the host through standard AT commands Registers to the cellular network, carries packet data over 3G G. Delugr´e Reverse engineering a Qualcomm baseband 8/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband First contact USB stick entry points Plugging the stick creates 3 emulated serial ports 1 AT commands / packet data (multiplexing mode) 2 Packet data (no multiplexing) 3 Channel to a Qualcomm diagnostic task Enabling the diagnostic channel Directly accessible on the Icon 225 stick Might need to send the AT command AT$QCDMG on some models G. Delugr´e Reverse engineering a Qualcomm baseband 9/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband DIAG task protocol Diagnostic protocol Undocumented but simple protocol Partly reversed in ModemManager (libqcdm) Begin-end markers (0x7e) One byte for command type Variable parameters (with escaped 0x7e and 0x7d bytes) 16-bits CRC-CCITT G. Delugr´e Reverse engineering a Qualcomm baseband 10/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband DIAG commands Reading and writing to memory The diagnostic task seems to support a lot of commands Some of them offering direct access to memory Command 0x02 reads a byte in memory Command 0x05 writes a byte in memory Dumping the system memory Dump the primary bootloader at 0xffff0000 Dump the whole system memory from 0 G. Delugr´e Reverse engineering a Qualcomm baseband 11/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Downloader mode Downloader mode Presence of a subset mode with only two commands available Write data to memory Execute at address Access limited to a small hardcoded memory range Enabled: through command 58 of the diagnostic mode when the system crashes on some HTC phones, VolUp+VolDown+Power during boot (5 vibrations) G. Delugr´e Reverse engineering a Qualcomm baseband 12/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Live memory snapshot Live memory snapshot PBL does not check QC-SBL signature (not the case anymore) Memory snapshot is 32MB long, entry point at 0x80000 The memory snapshot can be directly analyzed in IDA Pro System characteristics MMU maps direct access to physical pages, first 13MB as read-only All tasks share the same address space Everything is running in ARM supervisor mode Presumably compiled with official ARM toolchain, no SSP ARMv5 does not support XN bit G. Delugr´e Reverse engineering a Qualcomm baseband 13/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 14/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX The Qualcomm RTOS Qualcomm has developed their own proprietary RT kernel, called REX Operating system is named AMSS The system is made of 69 concurrent tasks Tasks for Hardware management (USB, USIM, DSPs, GPS. . . ) Protocol stacks at each layer (GSM L1, L2, RR, MM. . . ) Necessary reverse engineering The kernel API The C library Softfloat/arithmetic builtins G. Delugr´e Reverse engineering a Qualcomm baseband 15/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management System boot G. Delugr´e Reverse engineering a Qualcomm baseband 16/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX tasks REX core tasks SLEEP: Idle task. DPC: Routes APCs across tasks. MAIN: Launches all system tasks, then handles timer events. DOG: Watchdog. Constantly checks that tasks are alive. DS: Data Services task. Unified data gathering task for all protocol layers. CM: Call Manager task. PS: Packet-switched Services. Network stacks at upper layers (TCP/IP, PPP. . . ) DIAG: Provides the diagnostic interface. G. Delugr´e Reverse engineering a Qualcomm baseband 17/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel Scheduler IPC Memory management 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 18/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Main fields of the task structure G. Delugr´e Reverse engineering a Qualcomm baseband 19/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX scheduler REX task All tasks share the same address space, ARM supervisor mode Double-chained task list, ordered by priority Context switch Task context saved on the stack Context switch ⇒ stack switch + restore context Synchronization Tasks can wait for a signal (up to 32 signals) Scheduler support for critical sections G. Delugr´e Reverse engineering a Qualcomm baseband 20/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX APC/DPC mechanism Asynchronous procedure calls Push a new context on the stack of a task When the task is scheduled, the call is executed Original context is then restored Deferred procedure calls The task DPC Task is dedicated to dispatch APCs High priority task Allows a task to execute code in the context of another task G. Delugr´e Reverse engineering a Qualcomm baseband 21/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX Timers Timers Tasks can set a specific action to occur at regular interval Timers are handled by the Main task Timer lists ordered by deadline Timer events Timer actions (non-exclusive) Send a signal to a task Execute an APC Execute a direct routine call (main task context) G. Delugr´e Reverse engineering a Qualcomm baseband 22/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel Scheduler IPC Memory management 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 23/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX IPC Inter-task communication Tasks primarily communicate through the mean of signals A task is put into a wait state until the right signal is fired Common inter-task communication 1 Task A is waiting for data to process 2 Task B pushes data into a shared FIFO queue 3 Task B sends a signal to task A 4 Task A is scheduled, pop and process the data 5 Optionally, task B sends a signal to task A to acknowledge G. Delugr´e Reverse engineering a Qualcomm baseband 24/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Data pipes Pipes The DS (Data Services) task implements data pipes Tasks can push and fetch data as a contiguous stream of memory Widely used DS task seems to gather and route data from many layers into pipes Implementation of sockets G. Delugr´e Reverse engineering a Qualcomm baseband 25/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel Scheduler IPC Memory management 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 26/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX heap Heap Heap structure very simple Chunk metadata: size, free? Tasks generally use their own separate heap Presence of a global system heap, almost unused G. Delugr´e Reverse engineering a Qualcomm baseband 27/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 28/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 29/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Code execution Getting code execution Since arbitrary reads/writes are possible, code execution is easily achievable We want to be able to communicate with our injected code Either hook an AT command Or hook a DIAG task command Preferably hook a DIAG command and execute code in the context of the DIAG task This way we can still debug AT command handlers Communication with the payload over USB using the DIAG protocol (reuse of the DIAG task API) G. Delugr´e Reverse engineering a Qualcomm baseband 30/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Hooking the DIAG task G. Delugr´e Reverse engineering a Qualcomm baseband 31/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 32/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Debugger breaks Stopping a task A task should be stopped when the debugger instructs it to do so after hitting a breakpoint / exception The task has to be unscheduled and resumed on-demand Use the kernel function rex wait to pause the task The signal must be used only by the debugger The task is resumed by setting the debug signal (rex set task signals) The debugger can force a task to stop by sending a DPC G. Delugr´e Reverse engineering a Qualcomm baseband 33/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 34/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Single-step on ARM Single step ARM has no native support for single-step Multiple implementations possible for single-stepping Standard: compute next $pc value, set a BP and continue ⇒ Not multithread safe. Emulated: emulate the instruction in the thread context. ⇒ Needs a full ARM/Thumb emulator. . . Displaced: copy the instruction into a separate buffer, set a BP after it and jump on the buffer ⇒ Needs JIT assembler to perform instruction relocation. Virtualized: Implements separate virtual address space for each task and uses standard method ⇒ Needs to patch the scheduler G. Delugr´e Reverse engineering a Qualcomm baseband 35/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 36/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Debugging architecture Debugger architecture Proxy to bridge GDB requests and the DIAG protocol GDB used in non-stop mode (multithread support) REX tasks are shown as threads to GDB G. Delugr´e Reverse engineering a Qualcomm baseband 37/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Demo Demo G. Delugr´e Reverse engineering a Qualcomm baseband 38/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Conclusion Conclusion Baseband systems massively used but still poorly known Icon 225 key uses a non-secure bootloader Those chips are also nice for code execution and analysis More recent versions uses a REX/OKL4 hybrid kernel Interactions with application processor on real phones G. Delugr´e Reverse engineering a Qualcomm baseband 39/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Baseband related works Related talks R.-P. Weinmann, The Baseband Apocalypse, 27C3 Luis Miras, Baseband playground, Ekoparty 7th edition On the web tjworld.net bb.osmocom.org G. Delugr´e Reverse engineering a Qualcomm baseband 40/41
Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Thank you for your attention! Questions? G. Delugr´e Reverse engineering a Qualcomm baseband 41/41

Recommended

The Cell Processor
The Cell ProcessorThe Cell Processor
The Cell ProcessorHeiko Joerg Schick
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embeddedtrx2001
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and InsightsGlobalLogic Ukraine
 
Mp So C 18 Apr
Mp So C 18 AprMp So C 18 Apr
Mp So C 18 AprFNian
 
Analysis and subsequent optimization of a microcontroller program
Analysis and subsequent optimization of a microcontroller programAnalysis and subsequent optimization of a microcontroller program
Analysis and subsequent optimization of a microcontroller program1rj
 
Linux Kernel Debugging
Linux Kernel DebuggingLinux Kernel Debugging
Linux Kernel DebuggingGlobalLogic Ukraine
 
Fpga video capturing
Fpga video capturingFpga video capturing
Fpga video capturingshehryar88
 
HKG15-100: What is Linaro working on - core development lightning talks
HKG15-100: What is Linaro working on - core development lightning talksHKG15-100: What is Linaro working on - core development lightning talks
HKG15-100: What is Linaro working on - core development lightning talksLinaro
 

Recommended

The Cell Processor
The Cell ProcessorThe Cell Processor
The Cell ProcessorHeiko Joerg Schick
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embeddedtrx2001
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and InsightsGlobalLogic Ukraine
 
Mp So C 18 Apr
Mp So C 18 AprMp So C 18 Apr
Mp So C 18 AprFNian
 
Analysis and subsequent optimization of a microcontroller program
Analysis and subsequent optimization of a microcontroller programAnalysis and subsequent optimization of a microcontroller program
Analysis and subsequent optimization of a microcontroller program1rj
 
Linux Kernel Debugging
Linux Kernel DebuggingLinux Kernel Debugging
Linux Kernel DebuggingGlobalLogic Ukraine
 
Fpga video capturing
Fpga video capturingFpga video capturing
Fpga video capturingshehryar88
 
HKG15-100: What is Linaro working on - core development lightning talks
HKG15-100: What is Linaro working on - core development lightning talksHKG15-100: What is Linaro working on - core development lightning talks
HKG15-100: What is Linaro working on - core development lightning talksLinaro
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
TeksunLab Pegasus Program Details 2014
TeksunLab Pegasus Program Details 2014TeksunLab Pegasus Program Details 2014
TeksunLab Pegasus Program Details 2014Teksun Microsys Pvt. Ltd.
 
Cyclone II FPGA Overview
Cyclone II FPGA OverviewCyclone II FPGA Overview
Cyclone II FPGA OverviewPremier Farnell
 
asap2013-khoa-presentation
asap2013-khoa-presentationasap2013-khoa-presentation
asap2013-khoa-presentationAbhishek Jain
 
Zpd pc bndaq_2sli
Zpd pc bndaq_2sliZpd pc bndaq_2sli
Zpd pc bndaq_2sliSam Sambala
 
Reliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxReliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxSamsung Open Source Group
 
Developing an embedded video application on dual Linux + FPGA architecture
Developing an embedded video application on dual Linux + FPGA architectureDeveloping an embedded video application on dual Linux + FPGA architecture
Developing an embedded video application on dual Linux + FPGA architectureChristian Charreyre
 
The Microarchitecure Of FPGA Based Soft Processor
The Microarchitecure Of FPGA Based Soft ProcessorThe Microarchitecure Of FPGA Based Soft Processor
The Microarchitecure Of FPGA Based Soft ProcessorDeepak Tomar
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreGlobalLogic Ukraine
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 
Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016Oleksandra Nazola
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08Neil Pittman
 
Wonho Park_20151209
Wonho Park_20151209Wonho Park_20151209
Wonho Park_20151209Wonho Park
 
Track B- Advanced ESL verification - Mentor
Track B- Advanced ESL verification - MentorTrack B- Advanced ESL verification - Mentor
Track B- Advanced ESL verification - Mentorchiportal
 
FPGA workshop
FPGA workshopFPGA workshop
FPGA workshopAlex Borisevich
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
 
LAS16-100K1: Welcome Keynote
LAS16-100K1: Welcome KeynoteLAS16-100K1: Welcome Keynote
LAS16-100K1: Welcome KeynoteLinaro
 
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...Vittoriano Muttillo
 
Using Erlang on the RaspberryPi to interact with the physical world
Using Erlang on the RaspberryPi to interact with the physical worldUsing Erlang on the RaspberryPi to interact with the physical world
Using Erlang on the RaspberryPi to interact with the physical worldBrian Chamberlain
 
Nodes and Networks for HPC computing
Nodes and Networks for HPC computingNodes and Networks for HPC computing
Nodes and Networks for HPC computingrinnocente
 
Unit2 arm
Unit2 armUnit2 arm
Unit2 armKarthik Vivek
 
AMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandAMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandKynetics
 

More Related Content

What's hot

HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
Cyclone II FPGA Overview
Cyclone II FPGA OverviewCyclone II FPGA Overview
Cyclone II FPGA OverviewPremier Farnell
 
asap2013-khoa-presentation
asap2013-khoa-presentationasap2013-khoa-presentation
asap2013-khoa-presentationAbhishek Jain
 
Zpd pc bndaq_2sli
Zpd pc bndaq_2sliZpd pc bndaq_2sli
Zpd pc bndaq_2sliSam Sambala
 
Reliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxReliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxSamsung Open Source Group
 
Developing an embedded video application on dual Linux + FPGA architecture
Developing an embedded video application on dual Linux + FPGA architectureDeveloping an embedded video application on dual Linux + FPGA architecture
Developing an embedded video application on dual Linux + FPGA architectureChristian Charreyre
 
The Microarchitecure Of FPGA Based Soft Processor
The Microarchitecure Of FPGA Based Soft ProcessorThe Microarchitecure Of FPGA Based Soft Processor
The Microarchitecure Of FPGA Based Soft ProcessorDeepak Tomar
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreGlobalLogic Ukraine
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 
Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016Oleksandra Nazola
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08Neil Pittman
 
Wonho Park_20151209
Wonho Park_20151209Wonho Park_20151209
Wonho Park_20151209Wonho Park
 
Track B- Advanced ESL verification - Mentor
Track B- Advanced ESL verification - MentorTrack B- Advanced ESL verification - Mentor
Track B- Advanced ESL verification - Mentorchiportal
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
 
LAS16-100K1: Welcome Keynote
LAS16-100K1: Welcome KeynoteLAS16-100K1: Welcome Keynote
LAS16-100K1: Welcome KeynoteLinaro
 
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...Vittoriano Muttillo
 
Using Erlang on the RaspberryPi to interact with the physical world
Using Erlang on the RaspberryPi to interact with the physical worldUsing Erlang on the RaspberryPi to interact with the physical world
Using Erlang on the RaspberryPi to interact with the physical worldBrian Chamberlain
 
Nodes and Networks for HPC computing
Nodes and Networks for HPC computingNodes and Networks for HPC computing
Nodes and Networks for HPC computingrinnocente
 

What's hot (20)

HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case study
 
TeksunLab Pegasus Program Details 2014
TeksunLab Pegasus Program Details 2014TeksunLab Pegasus Program Details 2014
TeksunLab Pegasus Program Details 2014
 
Cyclone II FPGA Overview
Cyclone II FPGA OverviewCyclone II FPGA Overview
Cyclone II FPGA Overview
 
asap2013-khoa-presentation
asap2013-khoa-presentationasap2013-khoa-presentation
asap2013-khoa-presentation
 
Zpd pc bndaq_2sli
Zpd pc bndaq_2sliZpd pc bndaq_2sli
Zpd pc bndaq_2sli
 
Reliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on LinuxReliability, Availability and Serviceability on Linux
Reliability, Availability and Serviceability on Linux
 
Developing an embedded video application on dual Linux + FPGA architecture
Developing an embedded video application on dual Linux + FPGA architectureDeveloping an embedded video application on dual Linux + FPGA architecture
Developing an embedded video application on dual Linux + FPGA architecture
 
The Microarchitecure Of FPGA Based Soft Processor
The Microarchitecure Of FPGA Based Soft ProcessorThe Microarchitecure Of FPGA Based Soft Processor
The Microarchitecure Of FPGA Based Soft Processor
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/Spectre
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
 
Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08
 
Wonho Park_20151209
Wonho Park_20151209Wonho Park_20151209
Wonho Park_20151209
 
Track B- Advanced ESL verification - Mentor
Track B- Advanced ESL verification - MentorTrack B- Advanced ESL verification - Mentor
Track B- Advanced ESL verification - Mentor
 
FPGA workshop
FPGA workshopFPGA workshop
FPGA workshop
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0
 
LAS16-100K1: Welcome Keynote
LAS16-100K1: Welcome KeynoteLAS16-100K1: Welcome Keynote
LAS16-100K1: Welcome Keynote
 
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
A-LOOP: AMP system: 2-cores ARM Cortex A9/Linux OS and 4-cores Leon3/Linux OS...
 
Using Erlang on the RaspberryPi to interact with the physical world
Using Erlang on the RaspberryPi to interact with the physical worldUsing Erlang on the RaspberryPi to interact with the physical world
Using Erlang on the RaspberryPi to interact with the physical world
 
Nodes and Networks for HPC computing
Nodes and Networks for HPC computingNodes and Networks for HPC computing
Nodes and Networks for HPC computing
 

Similar to BaseBand Processor

AMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandAMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandKynetics
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandNicola La Gloria
 
Brochure (2016-01-30)
Brochure (2016-01-30)Brochure (2016-01-30)
Brochure (2016-01-30)Jonah McLeod
 
Steps to Build Kernel and Root Filesystem for OMAP5912
Steps to Build Kernel and Root Filesystem for OMAP5912Steps to Build Kernel and Root Filesystem for OMAP5912
Steps to Build Kernel and Root Filesystem for OMAP5912sbmguys
 
Network stack personality in Android phone - netdev 2.2
Network stack personality in Android phone - netdev 2.2Network stack personality in Android phone - netdev 2.2
Network stack personality in Android phone - netdev 2.2Hajime Tazaki
 
Linux 802.11 subsystem and brcmsmac WLAN driver
Linux 802.11 subsystem and brcmsmac WLAN driverLinux 802.11 subsystem and brcmsmac WLAN driver
Linux 802.11 subsystem and brcmsmac WLAN driverMidhun Lohidakshan
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom BoardPatrick Bellasi
 
[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha
[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha
[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposhaPgDay.Seoul
 
mobile processors introduction..
mobile processors introduction..mobile processors introduction..
mobile processors introduction..Muhammad Sayam
 
Embedded computer system
Embedded computer systemEmbedded computer system
Embedded computer systemGovind Kaintura
 
An AI accelerator ASIC architecture
An AI accelerator ASIC architectureAn AI accelerator ASIC architecture
An AI accelerator ASIC architectureKhanh Le
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
Eric Theis resume61.1
Eric Theis resume61.1Eric Theis resume61.1
Eric Theis resume61.1Eric Theis
 
underground cable fault location using aruino,gsm&gps
underground cable fault location using aruino,gsm&gps underground cable fault location using aruino,gsm&gps
underground cable fault location using aruino,gsm&gps Mohd Sohail
 

Similar to BaseBand Processor (20)

Unit2 arm
Unit2 armUnit2 arm
Unit2 arm
 
AMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandAMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 Portland
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
 
Brochure (2016-01-30)
Brochure (2016-01-30)Brochure (2016-01-30)
Brochure (2016-01-30)
 
Steps to Build Kernel and Root Filesystem for OMAP5912
Steps to Build Kernel and Root Filesystem for OMAP5912Steps to Build Kernel and Root Filesystem for OMAP5912
Steps to Build Kernel and Root Filesystem for OMAP5912
 
OMAP
OMAPOMAP
OMAP
 
Presentation
PresentationPresentation
Presentation
 
Network stack personality in Android phone - netdev 2.2
Network stack personality in Android phone - netdev 2.2Network stack personality in Android phone - netdev 2.2
Network stack personality in Android phone - netdev 2.2
 
Linux 802.11 subsystem and brcmsmac WLAN driver
Linux 802.11 subsystem and brcmsmac WLAN driverLinux 802.11 subsystem and brcmsmac WLAN driver
Linux 802.11 subsystem and brcmsmac WLAN driver
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom Board
 
SNUG 2009 paper
SNUG 2009 paperSNUG 2009 paper
SNUG 2009 paper
 
[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha
[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha
[Pgday.Seoul 2018] PostgreSQL 성능을 위해 개발된 라이브러리 OS 소개 apposha
 
mobile processors introduction..
mobile processors introduction..mobile processors introduction..
mobile processors introduction..
 
SudheerV_resume_a
SudheerV_resume_aSudheerV_resume_a
SudheerV_resume_a
 
Embedded computer system
Embedded computer systemEmbedded computer system
Embedded computer system
 
An AI accelerator ASIC architecture
An AI accelerator ASIC architectureAn AI accelerator ASIC architecture
An AI accelerator ASIC architecture
 
Fo2410191024
Fo2410191024Fo2410191024
Fo2410191024
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
Eric Theis resume61.1
Eric Theis resume61.1Eric Theis resume61.1
Eric Theis resume61.1
 
underground cable fault location using aruino,gsm&gps
underground cable fault location using aruino,gsm&gps underground cable fault location using aruino,gsm&gps
underground cable fault location using aruino,gsm&gps
 

Recently uploaded

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 

Recently uploaded (20)

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 

BaseBand Processor

  • 1. Reverse engineering a Qualcomm baseband Guillaume Delugr´e Sogeti / ESEC R&D guillaume(at)security-labs.org 28C3 - Berlin
  • 2. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband The baseband world What is a baseband processor? The main chipset of your phone Responsible for handling telecommunications Directly interfaced to hardware (microphone, speakers, . . . ) Includes stacks for telephony protocols Smartphones also include an application processor running a separate OS (e.g. Android, iOS, . . . ) Largest suppliers Qualcomm (HTC phones, iPhone 4S) MediaTek Infineon (iPhone) G. Delugr´e Reverse engineering a Qualcomm baseband 2/41
  • 3. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband The baseband world Getting into the baseband world Hacking phones is something hard to reach Quite a closed industry Network side: reading the 3GPP specs is a life achievement System side: Aside from OsmocomBB, everything is closed Yet good reasons to look into basebands Understanding how a phone really works Very big and old code base, good potential for vulnerabilities Unlocking G. Delugr´e Reverse engineering a Qualcomm baseband 3/41
  • 4. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband The baseband world Exploitation on baseband Probably not a lot of exploit mitigation techniques Ralf-Philipp Weinmann reported vulnerabilities in Infineon and Qualcomm basebands But exploitation is almost impossible if you don’t know the environment in which you are running Clear lack of litterature About this talk Describe the RTOS used on a Qualcomm baseband Implementation of a debugger G. Delugr´e Reverse engineering a Qualcomm baseband 4/41
  • 5. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 5/41
  • 6. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Targeted device G. Delugr´e Reverse engineering a Qualcomm baseband 6/41
  • 7. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Targeted device Icon 225 USB 3G stick Qualcomm baseband inside, model MSM6280 Processor ARM926EJ-S (ARMv5) Two proprietary Qualcomm DSPs (audio & modem) Evolution Model dating back to 2008 REX kernel running as OKL4 guest in newer generations G. Delugr´e Reverse engineering a Qualcomm baseband 7/41
  • 8. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband 3G USB stick normal operation mode The stick emulates a serial line over USB Communication with the host through standard AT commands Registers to the cellular network, carries packet data over 3G G. Delugr´e Reverse engineering a Qualcomm baseband 8/41
  • 9. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband First contact USB stick entry points Plugging the stick creates 3 emulated serial ports 1 AT commands / packet data (multiplexing mode) 2 Packet data (no multiplexing) 3 Channel to a Qualcomm diagnostic task Enabling the diagnostic channel Directly accessible on the Icon 225 stick Might need to send the AT command AT$QCDMG on some models G. Delugr´e Reverse engineering a Qualcomm baseband 9/41
  • 10. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband DIAG task protocol Diagnostic protocol Undocumented but simple protocol Partly reversed in ModemManager (libqcdm) Begin-end markers (0x7e) One byte for command type Variable parameters (with escaped 0x7e and 0x7d bytes) 16-bits CRC-CCITT G. Delugr´e Reverse engineering a Qualcomm baseband 10/41
  • 11. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband DIAG commands Reading and writing to memory The diagnostic task seems to support a lot of commands Some of them offering direct access to memory Command 0x02 reads a byte in memory Command 0x05 writes a byte in memory Dumping the system memory Dump the primary bootloader at 0xffff0000 Dump the whole system memory from 0 G. Delugr´e Reverse engineering a Qualcomm baseband 11/41
  • 12. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Downloader mode Downloader mode Presence of a subset mode with only two commands available Write data to memory Execute at address Access limited to a small hardcoded memory range Enabled: through command 58 of the diagnostic mode when the system crashes on some HTC phones, VolUp+VolDown+Power during boot (5 vibrations) G. Delugr´e Reverse engineering a Qualcomm baseband 12/41
  • 13. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Live memory snapshot Live memory snapshot PBL does not check QC-SBL signature (not the case anymore) Memory snapshot is 32MB long, entry point at 0x80000 The memory snapshot can be directly analyzed in IDA Pro System characteristics MMU maps direct access to physical pages, first 13MB as read-only All tasks share the same address space Everything is running in ARM supervisor mode Presumably compiled with official ARM toolchain, no SSP ARMv5 does not support XN bit G. Delugr´e Reverse engineering a Qualcomm baseband 13/41
  • 14. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 14/41
  • 15. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX The Qualcomm RTOS Qualcomm has developed their own proprietary RT kernel, called REX Operating system is named AMSS The system is made of 69 concurrent tasks Tasks for Hardware management (USB, USIM, DSPs, GPS. . . ) Protocol stacks at each layer (GSM L1, L2, RR, MM. . . ) Necessary reverse engineering The kernel API The C library Softfloat/arithmetic builtins G. Delugr´e Reverse engineering a Qualcomm baseband 15/41
  • 16. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management System boot G. Delugr´e Reverse engineering a Qualcomm baseband 16/41
  • 17. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX tasks REX core tasks SLEEP: Idle task. DPC: Routes APCs across tasks. MAIN: Launches all system tasks, then handles timer events. DOG: Watchdog. Constantly checks that tasks are alive. DS: Data Services task. Unified data gathering task for all protocol layers. CM: Call Manager task. PS: Packet-switched Services. Network stacks at upper layers (TCP/IP, PPP. . . ) DIAG: Provides the diagnostic interface. G. Delugr´e Reverse engineering a Qualcomm baseband 17/41
  • 18. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel Scheduler IPC Memory management 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 18/41
  • 19. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Main fields of the task structure G. Delugr´e Reverse engineering a Qualcomm baseband 19/41
  • 20. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX scheduler REX task All tasks share the same address space, ARM supervisor mode Double-chained task list, ordered by priority Context switch Task context saved on the stack Context switch ⇒ stack switch + restore context Synchronization Tasks can wait for a signal (up to 32 signals) Scheduler support for critical sections G. Delugr´e Reverse engineering a Qualcomm baseband 20/41
  • 21. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX APC/DPC mechanism Asynchronous procedure calls Push a new context on the stack of a task When the task is scheduled, the call is executed Original context is then restored Deferred procedure calls The task DPC Task is dedicated to dispatch APCs High priority task Allows a task to execute code in the context of another task G. Delugr´e Reverse engineering a Qualcomm baseband 21/41
  • 22. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX Timers Timers Tasks can set a specific action to occur at regular interval Timers are handled by the Main task Timer lists ordered by deadline Timer events Timer actions (non-exclusive) Send a signal to a task Execute an APC Execute a direct routine call (main task context) G. Delugr´e Reverse engineering a Qualcomm baseband 22/41
  • 23. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel Scheduler IPC Memory management 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 23/41
  • 24. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX IPC Inter-task communication Tasks primarily communicate through the mean of signals A task is put into a wait state until the right signal is fired Common inter-task communication 1 Task A is waiting for data to process 2 Task B pushes data into a shared FIFO queue 3 Task B sends a signal to task A 4 Task A is scheduled, pop and process the data 5 Optionally, task B sends a signal to task A to acknowledge G. Delugr´e Reverse engineering a Qualcomm baseband 24/41
  • 25. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Data pipes Pipes The DS (Data Services) task implements data pipes Tasks can push and fetch data as a contiguous stream of memory Widely used DS task seems to gather and route data from many layers into pipes Implementation of sockets G. Delugr´e Reverse engineering a Qualcomm baseband 25/41
  • 26. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel Scheduler IPC Memory management 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 26/41
  • 27. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Scheduler IPC Memory management REX heap Heap Heap structure very simple Chunk metadata: size, free? Tasks generally use their own separate heap Presence of a global system heap, almost unused G. Delugr´e Reverse engineering a Qualcomm baseband 27/41
  • 28. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband G. Delugr´e Reverse engineering a Qualcomm baseband 28/41
  • 29. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 29/41
  • 30. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Code execution Getting code execution Since arbitrary reads/writes are possible, code execution is easily achievable We want to be able to communicate with our injected code Either hook an AT command Or hook a DIAG task command Preferably hook a DIAG command and execute code in the context of the DIAG task This way we can still debug AT command handlers Communication with the payload over USB using the DIAG protocol (reuse of the DIAG task API) G. Delugr´e Reverse engineering a Qualcomm baseband 30/41
  • 31. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Hooking the DIAG task G. Delugr´e Reverse engineering a Qualcomm baseband 31/41
  • 32. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 32/41
  • 33. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Debugger breaks Stopping a task A task should be stopped when the debugger instructs it to do so after hitting a breakpoint / exception The task has to be unscheduled and resumed on-demand Use the kernel function rex wait to pause the task The signal must be used only by the debugger The task is resumed by setting the debug signal (rex set task signals) The debugger can force a task to stop by sending a DPC G. Delugr´e Reverse engineering a Qualcomm baseband 33/41
  • 34. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 34/41
  • 35. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Single-step on ARM Single step ARM has no native support for single-step Multiple implementations possible for single-stepping Standard: compute next $pc value, set a BP and continue ⇒ Not multithread safe. Emulated: emulate the instruction in the thread context. ⇒ Needs a full ARM/Thumb emulator. . . Displaced: copy the instruction into a separate buffer, set a BP after it and jump on the buffer ⇒ Needs JIT assembler to perform instruction relocation. Virtualized: Implements separate virtual address space for each task and uses standard method ⇒ Needs to patch the scheduler G. Delugr´e Reverse engineering a Qualcomm baseband 35/41
  • 36. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Plan 1 Analysis of a 3G USB stick 2 REX, the Qualcomm real-time kernel 3 Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture G. Delugr´e Reverse engineering a Qualcomm baseband 36/41
  • 37. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Debugging architecture Debugger architecture Proxy to bridge GDB requests and the DIAG protocol GDB used in non-stop mode (multithread support) REX tasks are shown as threads to GDB G. Delugr´e Reverse engineering a Qualcomm baseband 37/41
  • 38. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Demo Demo G. Delugr´e Reverse engineering a Qualcomm baseband 38/41
  • 39. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Conclusion Conclusion Baseband systems massively used but still poorly known Icon 225 key uses a non-secure bootloader Those chips are also nice for code execution and analysis More recent versions uses a REX/OKL4 hybrid kernel Interactions with application processor on real phones G. Delugr´e Reverse engineering a Qualcomm baseband 39/41
  • 40. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Baseband related works Related talks R.-P. Weinmann, The Baseband Apocalypse, 27C3 Luis Miras, Baseband playground, Ekoparty 7th edition On the web tjworld.net bb.osmocom.org G. Delugr´e Reverse engineering a Qualcomm baseband 40/41
  • 41. Analysis of a 3G USB stick REX, the Qualcomm real-time kernel Live debugging on the baseband Code execution Breaking a task Breakpoints and single-step Debugger architecture Thank you for your attention! Questions? G. Delugr´e Reverse engineering a Qualcomm baseband 41/41