C3Subtitles: rc3: Advanced Hexagon Diag

Advanced Hexagon Diag

Harnessing diagnostics for baseband vulnerability research


Video duration
01:06:53
Language
English
Abstract
State-of-the-art report on Qualcomm DIAG diagnostic protocol research, its modern implementation as it appears in Hexagon basebands, advanced harnessing and reverse-engineering on modern off-the-shelf smartphones.

Diag is a proprietary diagnostics and control protocol implemented in the omnipresent Qualcomm Hexagon-based cellular modems, such as those built into Snapdragon SoCs, and is so named after the DIAG task in the baseband's RTOS that handles it. Diag presents an interesting non-OTA attack surface via locally exposed interface channels to both the application processor OS and the USB endpoints, along with advanced capabilities for controlling the baseband.

Since Diag was first reverse-engineered around 2010, a lot has changed: mobile basebands are becoming increasingly security-hardened and production-fused, the Hexagon architecture is gaining some serious advantages over the competition, and the Diag protocol itself has been changed and locked down. Meanwhile, the local attack surface in basebands is gaining importance, and so are baseband security and vulnerability research.

In this talk I will present the state of the art in Diag research, based on previously unpublished details about the inner workings of the Diag infrastructure that I reverse-engineered and harnessed for my research purposes, its modern use, and how we can exploit it to talk to the production-fused baseband chip on off-the-shelf modern phones such as the Google Pixel, while understanding exactly what we are doing.

Talk ID
11397
Event:
rc3
Day
2
Room
rC2
Start
3 p.m.
Duration
01:00:00
Track
IT-Security
Type of
lecture
Speaker
Alisa Esage
Talk Slug & media link
rc3-11397-advanced_hexagon_diag