Originally presented at ekoparty 2011.
The Baseband Playground
Baseband processors control access to the radio hardware on cell phones. There has been published security research and presentations on remotely attacking baseband processors. This talk will take a different approach and focus on code injection into the baseband from the application processor. This is the same method that many unlocks (ultrasn0w) use to bypass carrier restrictions. Interestingly, these unlocks (exploits) can also be used to load your own code onto the baseband. This enables the patching of existing GSM code and other phone functionality :)
This talk will cover baseband architecture, setting up a development environment, injecting custom code into the baseband using a variety of exploits, and interesting areas for modification. The case study for the talk will be an iPhone baseband running the Nucleus RTOS, but the concepts will be applicable to other basebands and OS.