A Journey Into Hexagon: Dissecting a Qualcomm Baseband

Conference:  Defcon 26



The presentation covers the architecture and features of Qualcomm's Hexagon processor and how they can be used to debug and test the baseband.
  • Qualcomm's Hexagon processor has a distinctive architecture with efficient stack frame management and useful debugging features.
  • Protection domains have been introduced to separate address spaces, but they can lead to cache issues.
  • Qualcomm commands can be used to patch the modem firmware and add a debugger without extensive code modification.
  • Software-defined radios have become cheaper and more accessible for testing purposes.
  • Open-source projects like OpenBTS provide clean documentation and cross-referencing that help when debugging.
The speaker mentions that they were able to patch the modem firmware and upload their own functionality using Qualcomm commands. They also note that software-defined radios have become more affordable, and that they used a bladeRF for their testing.


Mobile phones are quite complicated and feature multiple embedded processors handling Wi-Fi, cellular connectivity, Bluetooth, and other signal processing in addition to the application processor. Have you ever been curious about how your phone actually makes calls and texts on a low level? Or maybe you want to learn more about the internals of the baseband but have no clue where to start. We will dive into the internals of a Qualcomm baseband, tracing its evolution over the years until its current state. We will discuss the custom, in-house DSP architecture they now run on, and the proprietary RTOS running on it. We will also cover the architecture of the cellular stack, likely places vulnerabilities lie, and exploit mitigations in place. Finally we will cover debugging possibilities, and how to get started analyzing the baseband firmware: how to differentiate between RTOS and cellular functions, how to find C std library functions, and more.
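A first step in "getting started analyzing the baseband firmware" is confirming what architecture the image is built for and being able to map a virtual address seen in a disassembler back to the file bytes that back it. The script below is an added example and is not code from the talk, from Qualcomm, or from any project the page names. It assumes the firmware is shipped as a 32-bit little-endian ELF whose e_machine is 164 (EM_QDSP6, the elf.h value for Hexagon); the image it parses is constructed inline with placeholder bytes rather than real modem code.

```python
import struct

# ELF constants from elf.h. e_machine 164 is EM_QDSP6, the Qualcomm Hexagon DSP.
EM_HEXAGON = 164
PT_LOAD = 1
PT_NOTE = 4
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<HHIIIIIHHHHHH"   # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"        # ELF32 program header


def parse_hexagon_elf(data):
    """Return the entry point and PT_LOAD segments of a little-endian ELF32 Hexagon image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1 or data[5] != 1:          # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("expected a 32-bit little-endian ELF")
    (_e_type, e_machine, _e_version, e_entry, e_phoff, _e_shoff, _e_flags,
     _e_ehsize, e_phentsize, e_phnum, _e_shentsize, _e_shnum,
     _e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    if e_machine != EM_HEXAGON:
        raise ValueError(f"e_machine {e_machine} is not Hexagon ({EM_HEXAGON})")

    segments = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz,
         p_flags, _p_align) = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue                            # only loadable segments map into memory
        segments.append({
            "offset": p_offset,
            "vaddr": p_vaddr,
            "filesz": p_filesz,
            "memsz": p_memsz,                  # memsz > filesz means a zero-filled bss tail
            "perms": "".join(c if p_flags & f else "-"
                             for c, f in (("r", PF_R), ("w", PF_W), ("x", PF_X))),
        })
    return {"entry": e_entry, "segments": segments}


def vaddr_to_offset(info, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD table.
    Returns None if the address is unmapped or lies in a bss tail (no file bytes)."""
    for seg in info["segments"]:
        if seg["vaddr"] <= vaddr < seg["vaddr"] + seg["filesz"]:
            return seg["offset"] + (vaddr - seg["vaddr"])
    return None


def build_sample_image():
    """Constructed test image (assumption, not a real modem dump): a fake Hexagon ELF32
    with one RX code segment, one RW data segment with a bss tail, and one PT_NOTE."""
    phoff, phentsize, phnum = 52, 32, 3
    code_off = phoff + phentsize * phnum
    code = bytes(range(64))                     # placeholder bytes, not Hexagon instructions
    data_off = code_off + len(code)
    data = b"\xAA" * 16
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(EHDR_FMT, 2, EM_HEXAGON, 1, 0xC0000000, phoff, 0, 0,
                               52, phentsize, phnum, 0, 0, 0)
    phdrs = (
        struct.pack(PHDR_FMT, PT_LOAD, code_off, 0xC0000000, 0xC0000000,
                    len(code), len(code), PF_R | PF_X, 4)
        + struct.pack(PHDR_FMT, PT_LOAD, data_off, 0xC0100000, 0xC0100000,
                      len(data), 0x1000, PF_R | PF_W, 4)
        + struct.pack(PHDR_FMT, PT_NOTE, 0, 0, 0, 0, 0, 0, 0)
    )
    return ehdr + phdrs + code + data


if __name__ == "__main__":
    info = parse_hexagon_elf(build_sample_image())
    print(f"entry 0x{info['entry']:08x}")
    for seg in info["segments"]:
        print(f"  {seg['perms']} vaddr=0x{seg['vaddr']:08x} off=0x{seg['offset']:x} "
              f"filesz=0x{seg['filesz']:x} memsz=0x{seg['memsz']:x}")
    print("0xC0000010 ->", vaddr_to_offset(info, 0xC0000010))
```

Point the parser at a real image by reading the file into `data` instead of calling `build_sample_image()`; the e_machine check is the quick way to tell a Hexagon modem image apart from the ARM application-processor binaries that ship beside it, and the segment table is what a disassembler needs to place code at its runtime addresses.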