Fun with the MTK 6573 Baseband (Patching / Replacing)


Markus Vervier
Hi,

I'm Markus, a security researcher from Germany. I recently did some
work on MTK 6573 based Android phones
(http://sched.brucon.org/event/451eb792d462066ca9bb36d419aff033). The
BB seems like an interesting target to replace with a free one because:

 - It is actually loaded from the Android filesystem
(/etc/firmware/modem.img) running on the AP (which you can control
easily on a rooted phone).
 - It is neither signed nor obfuscated (and based on Nucleus OS).
 - The firmware contains a lot of custom debug info, including
strings of function names and source file names.
 - Older firmware in ELF format with (partial) debug symbols has been
published.
 - There is shared memory between AP and BB.

What I did so far is reversing and patching the firmware to enable the
use of software SIM cards. Also, a real SIM card can be forwarded
over TCP. You can find my patches for the Alcatel OT-910D modem.img,
the AP-side stuff and a little APDU card server here:

https://github.com/shadowsim/shadowsim

One could imagine some interesting applications, for example
exchanging SIM cards between different phones over the internet. The
main difference in application between classic mobile phones and
smart-/feature phones is that you can use other communication
channels (e.g. WiFi) to bootstrap mobile network authentication and
use it.

So if someone is interested in joining work on that platform
(especially on newer phones), I would be happy to help. :-)

Cheers

Markus
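To make the "software SIM / SIM forwarded over TCP" idea concrete, here is an added example, written for this page and not taken from the post or the shadowsim repository: a tiny TCP APDU card server whose backend is a software SIM, plus the client-side exchange a patched baseband would perform to authenticate (SELECT MF, SELECT DF_GSM, RUN GSM ALGORITHM, GET RESPONSE). Everything not in the post is an assumption: the 2-byte length-prefixed framing, the constructed Ki and EF_IMSI contents, the abbreviated SELECT response, and the HMAC stand-in for the A3/A8 algorithm (it is not COMP128 or any operator algorithm). The command codes, file IDs and status words follow GSM 11.11 / ISO 7816.

```python
"""Added example: TCP APDU card server with a software-SIM backend.
Not code from the original post or the shadowsim project."""
import hashlib
import hmac
import socket
import struct
import threading

# Constructed, hypothetical test material (not real card data).
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IMSI_RECORD = bytes.fromhex("082943100000000001")   # constructed EF_IMSI body

# File IDs from GSM 11.11: MF, DF_GSM, EF_IMSI.
FILES = {0x3F00: b"", 0x7F20: b"", 0x6F07: IMSI_RECORD}


class SoftSim:
    """Answers SELECT, GET RESPONSE, READ BINARY and RUN GSM ALGORITHM
    for GSM class byte A0. Everything else gets an ISO 7816 error SW."""

    def __init__(self):
        self.selected = 0x3F00
        self.pending = b""          # data waiting for a GET RESPONSE

    def process(self, apdu: bytes) -> bytes:
        if len(apdu) < 4:
            return b"\x67\x00"                      # wrong length
        cla, ins, p1, p2 = apdu[:4]
        p3 = apdu[4] if len(apdu) > 4 else 0
        data = apdu[5:5 + p3]
        if cla != 0xA0:
            return b"\x6e\x00"                      # CLA not supported
        if ins == 0xA4 and len(data) == 2:          # SELECT by file ID
            fid = struct.unpack(">H", data)[0]
            if fid not in FILES:
                return b"\x94\x04"                  # file ID not found
            self.selected = fid
            # Abbreviated SELECT response (assumption): file size + FID.
            # A real card returns the longer layout of GSM 11.11 9.2.1.
            self.pending = struct.pack(">HH", len(FILES[fid]), fid)
            return bytes([0x9F, len(self.pending)])  # "9F xx": xx bytes via GET RESPONSE
        if ins == 0xC0:                             # GET RESPONSE
            out, self.pending = self.pending, b""
            return out + b"\x90\x00"
        if ins == 0xB0:                             # READ BINARY, offset P1P2, length P3
            body = FILES[self.selected]
            off = (p1 << 8) | p2
            return body[off:off + p3] + b"\x90\x00"
        if ins == 0x88 and len(data) == 16:         # RUN GSM ALGORITHM with RAND
            # Stand-in for A3/A8: SRES (4 bytes) || Kc (8 bytes) from HMAC(Ki, RAND).
            # This is NOT COMP128; it only shapes the output like a card would.
            d = hmac.new(KI, data, hashlib.sha256).digest()
            self.pending = d[:12]
            return b"\x9f\x0c"
        return b"\x6d\x00"                          # INS not supported


# Wire framing (assumption): 2-byte big-endian length, then the raw APDU/response.
def frame(msg: bytes) -> bytes:
    return struct.pack(">H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def recv_frame(sock) -> bytes:
    (n,) = struct.unpack(">H", recv_exact(sock, 2))
    return recv_exact(sock, n)


def serve_one(listener, card: SoftSim) -> None:
    """Card side: accept one client and answer APDUs until it disconnects."""
    conn, _ = listener.accept()
    with conn:
        while True:
            try:
                apdu = recv_frame(conn)
            except ConnectionError:
                return
            conn.sendall(frame(card.process(apdu)))


def transceive(sock, apdu: bytes) -> bytes:
    sock.sendall(frame(apdu))
    return recv_frame(sock)


def gsm_auth_roundtrip(sock, rand: bytes):
    """Baseband side: the exchange for network authentication. Returns (SRES, Kc)."""
    for fid in (b"\x3f\x00", b"\x7f\x20"):
        if transceive(sock, b"\xa0\xa4\x00\x00\x02" + fid)[0] != 0x9F:
            raise RuntimeError("SELECT failed")
    if transceive(sock, b"\xa0\x88\x00\x00\x10" + rand) != b"\x9f\x0c":
        raise RuntimeError("RUN GSM ALGORITHM failed")
    resp = transceive(sock, b"\xa0\xc0\x00\x00\x0c")
    if resp[-2:] != b"\x90\x00":
        raise RuntimeError("GET RESPONSE failed")
    return resp[:4], resp[4:12]


def demo():
    """Run card server and baseband client over loopback; returns (SRES, Kc)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_one, args=(listener, SoftSim()), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as s:
        result = gsm_auth_roundtrip(s, bytes(range(16)))
    listener.close()
    return result


if __name__ == "__main__":
    sres, kc = demo()
    print("SRES", sres.hex(), "Kc", kc.hex())
```

The point of separating `SoftSim.process` from the socket code is that the same backend can sit behind a real card reader instead: replace `process` with a function that hands the APDU to a PC/SC reader and the baseband-side exchange does not change, which is exactly what makes "forward a real SIM over TCP" and "use a software SIM" the same patch on the modem side.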
Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

RootZero
Markus and all,

I am very interested in this project/hack.

Can you share more information with us?

I searched lots of web pages and did not find the source of the mdlogger.cpp file.

I do have the source code of "modem.img"; if you want it, please let me know.

Thanks
RootZero