Securing the Airwaves: Emulation, Fuzzing, and Reverse Engineering of iPhone Baseband Firmware
The Hexagon baseband, a proprietary Qualcomm component in iPhones and many Android phones, has been a black box in mobile security for a long time. Its opaque nature, high complexity and the lack of full-system emulation capabilities have hindered in-depth analysis, making it a prime target for high-impact exploitation. In this talk, we present the first full system emulation-based fuzzer for Hexagon basebands, enabling targeted fuzzing of the telco stack that is present in everyone’s pocket. Additionally, we provide tooling and documentation around reverse-engineering these firmware blobs.
iPhones and many Android phones use baseband chips made by Qualcomm. These basebands use a proprietary architecture called Hexagon instead of the ARM architecture used in Samsung basebands. Because of this different architecture, standard tooling for hacking Hexagon basebands either does not exist or lacks basic functionality. For this reason, very little research has been done on these basebands.
The baseband firmware implements the complete telecommunication stack of the phone, from 2G to 5G, satellite communications, GPS and more. The iPhone baseband firmware alone contains over 100 MB of code, so the firmware offers a huge attack surface.
Previous research, including BaseSAFE and FirmWire, focuses only on ARM-based basebands. Other research, such as “In-Depth Analyzing and Fuzzing for Qualcomm Hexagon” by Xiling Gong of Google and Bo Zhang of Tencent Blade Team, used dynamic injection to fuzz the Hexagon firmware, but not full-system emulation. As noted in their research, emulating a Qualcomm Hexagon baseband is challenging. Our research addresses these challenges and makes this capability available to the community.
During this talk, we’ll go step by step through building a full system emulation-based fuzzer for the iPhone baseband firmware, starting with a Qualcomm fork of QEMU merged with a LibAFL fork of QEMU. This approach is similar to ARM-based baseband fuzzing tools such as FirmWire, but tailored specifically to the Hexagon architecture to address its unique challenges and enable targeted analysis of this proprietary firmware.
Additionally, we will showcase a demo of our setup, including booting the iPhone baseband firmware, connecting LLDB and setting breakpoints, as well as introspection and fuzzing using LibAFL.
The rough outline of the talk will be:
- Introduction: Why the Hexagon baseband?
  - Why focus on the Hexagon baseband?
  - Previous work: The state of baseband research
  - Why hasn’t Hexagon been fuzzed before?
  - Our goal: Building a setup to uncover vulnerabilities in iPhone’s radio stack
- Hexagon baseband: What makes it unique?
  - What is the Hexagon baseband?
  - Why is it different from other chips?
  - Why is emulation so challenging?
  - Extracting the firmware blob: First steps
- Emulating the Hexagon baseband
  - Our approach: Forking QEMU for full-system emulation
  - Overcoming the challenges: Lessons learned
- Fuzzing the baseband firmware (live demo)
  - Introducing our fuzzing infrastructure
  - Inspecting state and hardware dependencies
  - Reversing the firmware with Ghidra: The extra pain
  - Crafting a harness: Navigating a 100MB firmware codebase
- Conclusion: Opening up baseband security
  - Breaking barriers: Fuzzing the iPhone baseband is now possible
  - Free and open-source tools: Empowering the community
  - Guidelines for navigating the firmware: Start your own research
  - Limitations of our setup and next steps
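One of the first hurdles the outline's reversing and emulation items refer to is that Hexagon is a VLIW architecture: instructions are grouped into packets of up to four 32-bit words, and a disassembler (or an emulator's translation block boundary) has to honour those packet boundaries. The script below is an added example, not code from the talk or its tooling. It splits a word stream into packets using the parse bits (bits 15:14 of each word) as documented in Qualcomm's Hexagon Programmer's Reference Manual: `11` marks the last word of a packet, `01`/`10` mark a word that is not the last, and `00` marks a duplex, which always ends its packet. The sample words are constructed bit patterns that set only the parse bits; they are not real instruction encodings. Running it over a carved region of a firmware blob is a cheap sanity check that the region is 4-byte-aligned code rather than data before loading it into Ghidra.

```python
"""Split a stream of 32-bit Hexagon instruction words into VLIW packets.

Added example (not from the talk or its tooling). Packet boundaries are
recovered from the parse bits, bits 15:14 of every instruction word, as
documented in Qualcomm's Hexagon PRM. A region whose words do not form
well-formed packets is probably data or misaligned, not code.
"""
import struct

END_OF_PACKET = 0b11      # last word of a packet
DUPLEX = 0b00             # duplex (two sub-instructions); always ends the packet
MAX_WORDS_PER_PACKET = 4  # a packet holds at most four words

# Constructed sample: only the parse bits are set, so these are NOT real
# Hexagon encodings. Expected grouping: [1 word], [2 words], [3 words], [duplex].
SAMPLE_WORDS = [
    0x0000C000,                          # pb=11 -> single-word packet
    0x00004000, 0x0000C000,              # pb=01, pb=11 -> two-word packet
    0x00008000, 0x00004000, 0x0000C000,  # pb=10, pb=01, pb=11 -> three-word packet
    0x00000000,                          # pb=00 -> duplex, ends packet
]


def parse_bits(word):
    """Return the two parse bits (bits 15:14) of an instruction word."""
    return (word >> 14) & 0b11


def words_from_bytes(blob):
    """Decode a little-endian byte string into 32-bit words.

    Raises ValueError if the blob length is not a multiple of four, which
    for a carved code region usually means the carve offset is wrong.
    """
    if len(blob) % 4:
        raise ValueError("blob length %d is not a multiple of 4" % len(blob))
    return list(struct.unpack("<%dI" % (len(blob) // 4), blob))


def split_packets(words):
    """Group instruction words into packets.

    Returns a list of packets, each a list of words. Raises ValueError when
    a packet would exceed four words or the stream ends inside a packet;
    both indicate non-code data or a misaligned start offset.
    """
    packets, current = [], []
    for index, word in enumerate(words):
        current.append(word)
        pb = parse_bits(word)
        if pb in (END_OF_PACKET, DUPLEX):
            packets.append(current)
            current = []
        elif len(current) >= MAX_WORDS_PER_PACKET:
            raise ValueError(
                "packet starting at word %d exceeds %d words"
                % (index - len(current) + 1, MAX_WORDS_PER_PACKET)
            )
    if current:
        raise ValueError("stream ends mid-packet (%d trailing words)" % len(current))
    return packets


def packet_lengths(words):
    """Convenience wrapper: the length of every packet in the stream."""
    return [len(p) for p in split_packets(words)]


if __name__ == "__main__":
    blob = struct.pack("<%dI" % len(SAMPLE_WORDS), *SAMPLE_WORDS)
    for n, packet in enumerate(split_packets(words_from_bytes(blob))):
        print("packet %d: %s" % (n, " ".join("%08x" % w for w in packet)))
```

A run of words whose parse bits never reach `11` (or `00`) is a strong hint that the region is a table or string data, which is exactly the kind of region that makes Ghidra's auto-analysis of a 100 MB blob misfire; checking it before disassembly saves time later when crafting a harness.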
Takeaway: With our open-source tools, the Hexagon baseband is no longer a black box, and vulnerabilities in iPhone’s radio stack are now within reach for researchers worldwide. This leap forward not only advances existing research but equips the global community to systematically uncover and validate flaws in Hexagon-based basebands, bridging a critical gap in mobile security exploration.