Mobile Station Modem (MSM) is a series of SoCs made by Qualcomm. It is the part of the phone that decodes SMS and radio messages, which makes it an interesting target for attackers. Besides the remote (over-the-air) interface, there is a local interface on the device that can talk to the chip as well: the Qualcomm MSM Interface (QMI).
The modem runs a Qualcomm real-time OS (QuRT) that cannot be dumped from the application processor, even on a rooted device; QuRT is loaded and protected by TrustZone as well. To get access to that OS, a vulnerability needs to be found in the QTEE or in the Linux kernel. The purpose of this paper is to attack the MSM data services over QMI in order to patch QuRT on newer SoCs.
QMI communication follows a client-server model using the QMI wire format. QMI ports are exposed to the application processor (the CPU core inside the chip that runs Linux/Android). QMI supports a multitude of services, such as the Wireless Data Service (WDS), the Device Management Service (DMS) and about 40 more; OEMs add their own services to the chip as well.
To know where to fuzz, the authors located the IPC handlers for these services in the modem firmware and reversed the message structures to learn how to call them. They used QEMU to emulate the modem, which made feedback-driven fuzzing of the service possible with very little instrumentation.
After throwing random inputs at the service for a while, AFL found a heap overflow in the voice service. The bug is simply a missing bounds check on the number of fields a request is allowed to carry, which results in a linear heap overflow.
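The following is an added example, not code from the paper or from Qualcomm, to make the two technical points above concrete: how a QMI-style message is framed into TLVs, and what the missing-bounds-check pattern looks like next to its fix. It assumes a simplified QMI service message layout (7-byte header of control flags, transaction id, message id and payload length, then 1-byte type / 2-byte length TLVs); the "call list" TLV, the MAX_CALLS limit and both handlers are hypothetical stand-ins for the voice-service handler, and the guard region exists only so the overflow can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire layout (simplified QMI service message): 1-byte control
 * flags, 2-byte transaction id, 2-byte message id, 2-byte payload length,
 * all little-endian, followed by TLVs of 1-byte type, 2-byte length, value.
 * The call-list TLV, MAX_CALLS and the handlers are hypothetical stand-ins
 * for the voice-service handler described in the paper. */
#define QMI_HDR_LEN   7
#define TLV_CALL_LIST 0x10
#define MAX_CALLS     8

struct qmi_tlv { uint8_t type; uint16_t len; const uint8_t *val; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the TLVs. Returns the TLV count, or -1 if a length field would run
 * past the buffer: the framing check the dispatcher must do before any
 * handler sees the message. */
int qmi_parse(const uint8_t *msg, size_t msg_len, struct qmi_tlv *out, int max_out)
{
    if (msg_len < QMI_HDR_LEN || rd16(msg + 5) != msg_len - QMI_HDR_LEN) return -1;
    int n = 0;
    for (size_t off = QMI_HDR_LEN; off < msg_len; ) {
        if (msg_len - off < 3) return -1;
        uint16_t len = rd16(msg + off + 1);
        if (len > msg_len - off - 3) return -1;
        if (n < max_out) { out[n].type = msg[off]; out[n].len = len; out[n].val = msg + off + 3; }
        n++;
        off += 3 + len;
    }
    return n;
}

/* Fixed-size heap object: a count byte, then MAX_CALLS 4-byte entries. */
struct call_list { uint8_t count; uint32_t entries[MAX_CALLS]; };

/* For the demo the object sits in one allocation with a guard behind it, so
 * the overflow is observable without corrupting real heap metadata. The
 * guard covers any 8-bit count; a real target has no such cushion. */
struct arena { struct call_list cl; uint8_t guard[1024]; };

/* Vulnerable pattern: the count from the request is trusted, so entries
 * beyond MAX_CALLS are written past the object (linear heap overflow).
 * Returns 1 if the guard was clobbered, 0 if not, -1 on a short TLV. */
int handle_call_list_vulnerable(const struct qmi_tlv *tlv)
{
    if (tlv->len < 1 || tlv->len < 1u + 4u * tlv->val[0]) return -1;
    uint8_t count = tlv->val[0];
    struct arena *a = calloc(1, sizeof *a);
    if (!a) return -1;
    memset(a->guard, 0xAA, sizeof a->guard);
    uint8_t *dst = (uint8_t *)a + offsetof(struct arena, cl) + offsetof(struct call_list, entries);
    a->cl.count = count;
    for (unsigned i = 0; i < count; i++)        /* no check against MAX_CALLS */
        memcpy(dst + 4 * i, tlv->val + 1 + 4 * i, 4);
    int clobbered = 0;
    for (size_t i = 0; i < sizeof a->guard; i++) clobbered |= (a->guard[i] != 0xAA);
    free(a);
    return clobbered;
}

/* Hardened handler: the count is checked against the destination before
 * any copy. Returns the number of entries stored, or -1 on rejection. */
int handle_call_list_hardened(const struct qmi_tlv *tlv, struct call_list *out)
{
    if (tlv->len < 1) return -1;
    uint8_t count = tlv->val[0];
    if (count > MAX_CALLS) return -1;              /* the missing bounds check */
    if (tlv->len < 1u + 4u * count) return -1;     /* TLV really carries count entries */
    out->count = count;
    for (unsigned i = 0; i < count; i++) out->entries[i] = rd32(tlv->val + 1 + 4 * i);
    return count;
}

/* Constructed request: one call-list TLV with `count` entries (entry i =
 * 0x41000000 + i). Returns the message length, 0 if `cap` is too small. */
size_t build_call_list_msg(uint8_t count, uint8_t *buf, size_t cap)
{
    size_t tlv_len = 1 + 4u * count, total = QMI_HDR_LEN + 3 + tlv_len;
    if (cap < total) return 0;
    uint8_t hdr[QMI_HDR_LEN + 3] = { 0x00, 0x01, 0x00, 0x34, 0x00,
        (uint8_t)(3 + tlv_len), (uint8_t)((3 + tlv_len) >> 8),
        TLV_CALL_LIST, (uint8_t)tlv_len, (uint8_t)(tlv_len >> 8) };
    memcpy(buf, hdr, sizeof hdr);
    buf[QMI_HDR_LEN + 3] = count;
    for (unsigned i = 0; i < count; i++) {
        uint32_t v = 0x41000000u + i;
        uint8_t *e = buf + QMI_HDR_LEN + 4 + 4 * i;
        e[0] = v & 0xff; e[1] = (v >> 8) & 0xff; e[2] = (v >> 16) & 0xff; e[3] = v >> 24;
    }
    return total;
}

/* Build + parse + dispatch, as a fuzz harness would. Returns the handler's
 * result, or -2 if the message did not parse to exactly one call-list TLV. */
static int dispatch(uint8_t count, int hardened)
{
    uint8_t buf[QMI_HDR_LEN + 3 + 1 + 4 * 255];
    struct qmi_tlv tlv[4];
    struct call_list cl;
    size_t n = build_call_list_msg(count, buf, sizeof buf);
    if (qmi_parse(buf, n, tlv, 4) != 1 || tlv[0].type != TLV_CALL_LIST) return -2;
    return hardened ? handle_call_list_hardened(&tlv[0], &cl) : handle_call_list_vulnerable(&tlv[0]);
}
int demo_vulnerable(uint8_t count) { return dispatch(count, 0); }
int demo_hardened(uint8_t count)   { return dispatch(count, 1); }

int main(void)
{
    printf("count=3:  vulnerable clobbered=%d hardened=%d\n", demo_vulnerable(3), demo_hardened(3));
    printf("count=20: vulnerable clobbered=%d hardened=%d\n", demo_vulnerable(20), demo_hardened(20));
    return 0;
}
```

With a count of 3 both handlers behave the same; with a count of 20 the vulnerable handler writes 48 bytes past the object while the hardened one rejects the request before copying anything. The dispatcher's framing check (`qmi_parse`) is deliberately separate from the handler's semantic check: a well-framed TLV can still carry a count the destination cannot hold, which is exactly the class of bug the paper's fuzzer hit.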
Overall, finding the vulnerability in this interface was not the hard part: the setup was. By building a realistic way to test the interface, it became much easier to find the vulnerability in a black-box setting. The authors believe this vulnerability could have been used to dynamically patch both the application processor and the modem itself.