Diag is a proprietary diagnostics and control protocol implemented in the ubiquitous Qualcomm Hexagon-based cellular modems, such as those built into Snapdragon SoCs, and named after the DIAG task in the baseband's RTOS that handles it. Diag presents an interesting non-OTA attack surface: locally exposed interface channels to both the application processor OS and the USB endpoints, together with advanced capabilities for controlling the baseband.
Since Diag was first reverse-engineered around 2010, a lot has changed: mobile basebands are becoming increasingly security-hardened and production-fused, the Hexagon architecture is gaining ground against its competitors, and the Diag protocol itself has been changed and locked down. Meanwhile, the local attack surface of basebands is gaining importance, as are baseband security and vulnerability research.
In this talk I will present the state of the art in Diag research, based on previously unpublished details about the inner workings of the Diag infrastructure that I reverse-engineered and harnessed for my research purposes, its modern use, and how we can exploit it to talk to the production-fused baseband chip on off-the-shelf modern phones such as the Google Pixel, while understanding exactly what we are doing.