
Dominik Maier & Marius Muench

Reverse-Engineering, Emulation, and Dynamic Testing of Cellular Baseband Firmware

Trainers: Dominik Maier & Marius Muench

Date: 25th - 27th Oct 2021

Time: 9:00am to 5:00pm CEST

Venue: NH Den Haag Hotel, The Netherlands

Training Level: Intermediate to Advanced

Note: Regarding COVID-19 safety, the organizers will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. The organizers will follow all applicable health regulations required by the local (GGD) and government (RIVM and VWA) authorities.

Training Objectives:

The training teaches the structure of typical cellular baseband firmware, using Samsung's Shannon baseband as the example. We cover how basebands communicate internally, how to reverse engineer them, and how to find security vulnerabilities through emulation and fuzzing.

The training uses firmware binaries from real phones. While most of the training is centered around static and dynamic off-device testing, such as reverse engineering and emulation, participants also get the chance to interact with the phones over the air.

What to Expect? | Key Learning Objectives:

Participants will gain hands-on experience with the baseband firmware found in modern smartphones. They will learn the general structure of a baseband RTOS, using the Shannon baseband as the example. Together, we will dump the firmware from the device, take a deep dive into the binary, find common patterns, and reverse engineer protocol parsers.

Equipped with the gained knowledge about the firmware, students will learn how to rehost selected parsers and fuzz-test them using AFL++. Lastly, we will set up a fake base station using commercially available Software Defined Radios.

Module Outlines:

Part 1: Obtaining and Reverse Engineering the Firmware
  • accessing a device's bootloader
  • dumping firmware
  • loading firmware into Ghidra
  • anatomy of a baseband RTOS
  • identifying interesting functions and parsers
Part 2: Rehosting and Fuzzing the Firmware
  • harnessing and emulation
  • fuzzer setup
  • crash triaging
Part 3: Over-the-Air Communication / Fake Base Station Setup
  • configuring a fake base station
  • hardware setup
  • providing input to the phone over-the-air

Who Should Attend? | Target Audience:

  • Security Researchers
  • Baseband Firmware Developers
  • Hardware Hackers

What to Bring? | Software and Hardware Requirements:

  • own laptop running Windows / Linux / macOS (Linux preferred)
  • download and install Ghidra (using other RE tools will be harder, as we use existing loaders during this training)

Resources Provided at the Training | Deliverables:

  • lab manual
  • solutions and scripts discussed and developed during the class
  • during the lab: access to phone and software defined radio


Dominik Maier is one of the maintainers of AFL++, a renowned fork of the fuzzer AFL. He works as Program Manager Security and pursues his PhD at TU Berlin. His BaseSAFE framework for fuzzing basebands received a nomination for most innovative research at the 2020 Pwnie Awards. He previously conducted research at FAU Erlangen-Nuremberg (Germany), the NECST-lab of Politecnico di Milano (Italy), and SecLab at UC Santa Barbara, CA (USA). He works on security development projects, consulting, and pentesting. In his spare time he likes to travel and to participate in CTFs with ENOFLAG.

Marius Muench is a postdoctoral researcher at Vrije Universiteit Amsterdam. His research interests cover the (in-)security of embedded systems, binary and microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM. He developed and maintains avatar2, a framework for analyzing embedded systems firmware. Among other things, he used the framework to emulate baseband firmware, and helped to uncover critical vulnerabilities in Samsung's Shannon baseband.