Key takeaways
1. Because Qualcomm's Hexagon baseband architecture is proprietary, very little security tooling exists for it
2. Our tooling makes research on Hexagon basebands possible with significantly less engineering work
3. We release the first open-source toolchain for full-system emulated Hexagon firmware fuzzing at TROOPERS25
Overview
Every phone has a cellular baseband processor to handle mobile communications (5G, 4G, GPS, and more).
Qualcomm created a specific architecture for its baseband called Hexagon. It powers the baseband processors found in most leading smartphones, including every iPhone since the iPhone 12 (except the iPhone 16e) and all Snapdragon-based devices. Because this architecture differs from the familiar ARM, x86, and MIPS, it has seen comparatively little security research: most existing tooling (disassemblers, emulators, fuzzers) simply does not apply to it.
We developed the first open-source toolchain for full-system emulated fuzzing of any Hexagon firmware. Our work addresses a gap in baseband security research by making a previously hard-to-reach attack surface available for analysis. With our toolchain, open-sourced here, we invite the community to collaborate and build upon this work.
Previous research landscape and the Hexagon gap
The baseband security research community has made considerable progress in recent years, yet a critical gap has persisted regarding Qualcomm’s Hexagon architecture.