Exploiting Qualcomm WLAN and Modem Over The Air
Offered By: Black Hat via YouTube
Course Description
Overview
Syllabus
Intro
MBA and Modem images
Modem Secure Boot
TOCTOU Vulnerability Bypass Secure Boot
Debug Server Injection
Qualcomm WLAN Architecture
Example - WIFI List
Firmware
Reverse Engineering - Hint From Qualcomm
Reverse Engineering - Offload Handlers
Sample Offload Handler
The Roadmap
Mitigation Table (WLAN & Modem)
The Vulnerability (CVE-2019-10540)
Data & Address of Overflow
Smart Pointer Around Overflow Memory
Usage Of Smart Pointer
Global Write With Constraint
Control PC & RO
Transform To Arbitrary Write
Run Useful FOP Gadget
Memory Mapping RWX
Copy Shellcode to 0x42420000
Trigger Shellcode
From WLAN to Modem
Map Modem Memory into WLAN
The Attack Surfaces
Memory Management of Qualcomm Multi-Processor
CVE-2019-10538
Deliver the Payload Over-The-Air
Deliver the Payloads Using Pixel2
Demo
Future Works
Taught by
Black Hat
Related Courses
Siglent SSA3032X Spectrum Analyzer Review and ExperimentsAfrotechmods via YouTube Owning the Smart Home with Logitech Harmony Hub
Security BSides San Francisco via YouTube Malware Detection and Firmware Analysis Lab
Bill Buchanan OBE via YouTube Live Breaking into Encrypted 3D Printer Firmware
Hackaday via YouTube Debugging Electronics - You Can’t Handle the Ground Truth!
Hackaday via YouTube