
Emulation and Fuzzing for Baseband Firmware // Tobias Scharnowski, Marius Muench
In-Person | Nov 3-6 | 4 Days
ABSTRACT
Over the 4 days of this training, you will learn how to reverse engineer baseband firmware, create fuzzing harnesses, and find bugs via fuzzing!
We will dissect and reverse engineer firmware running in modern smartphones, using Samsung Shannon-based firmware as the running example. After learning about the general structure of a baseband RTOS, we will look into how the different cellular generations from 2G to 5G are implemented, and how to identify promising attack surfaces.
With that foundation, you will learn how to rehost selected parsers using Unicorn and Python. Over the course of the training, we will iteratively extend a provided emulator skeleton to cover common rehosting tasks (memory layout, entry state, stubbing peripherals and RTOS services) and turn it into a base harness for fuzzing.
Afterwards, we will use AFL++ for fuzzing and rediscover a recent bug affecting, among others, Google Pixel phones. To replicate discovered crashes over the air, we will set up a fake base station using commercially available Software Defined Radios and Faraday cages. Finally, we will look into FirmWire, a state-of-the-art emulation framework for baseband firmware, and compare its capabilities to the fuzzing harnesses we created.

INTENDED AUDIENCE
- Security Researchers
- Baseband Firmware Developers
- Cellular Communication Enthusiasts
KEY LEARNING OBJECTIVES
Students of this training will learn how to approach reverse engineering of baseband firmware. They will get hands-on knowledge on how to write emulation and fuzzing harnesses, and how to find, triage, and replicate bugs.
Knowledge Prerequisites
- Basic knowledge in Python
- Being comfortable with using command-line tools
- Previous experience with firmware analysis, reverse engineering, or fuzzing is a plus, but not strictly required
Hardware Requirements
Students should bring their own laptop with:
- At least 16GB of RAM
- At least 50 GB of available disk space
- One free and usable USB port
- Recommendation: Native Linux OS (Ubuntu 24.04 or above) on x86_64
Software Requirements
- Visual Studio Code
- Docker
- Ghidra
Students will be provided with a detailed setup guide before the training.
YOUR INSTRUCTORS: Tobias Scharnowski and Marius Muench
Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains, including an exploit of a core DNP3 implementation, a protocol widely used in the SCADA systems of the US electric grid.
Marius Muench is an assistant professor at the University of Birmingham. His research interests cover the (in-)security of embedded systems, binary and microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius has publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.
- https://twitter.com/nsinusr
- @nsr@infosec.exchange
- https://www.linkedin.com/in/marius-muench-801aa580
- https://github.com/FirmWire/FirmWire & https://github.com/avatartwo/avatar2
COUNTERMEASURE25 cancellation policy: 60+ days before the event, 75% of fees refunded; 45-60 days before the event, 50% refunded; less than 45 days before the event, no refund. Course changes are allowed up to 14 days before the event starts (some restrictions apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.