2023 archived version go to current version

Practical Baseband Exploitation

4200€ | 9th to the 12th of October 2023 | Espace Vinci, Rue des Jeuneurs, Paris, France

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM or LTE base station as a difficult objective.

In reality, baseband exploitation is not that challenging! By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, modifying BTS code to trigger bugs and deliver a payload, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and MediaTek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Objectives of the training

Understanding communication processors at the architecture level

Extracting baseband firmware for a device

Understanding, loading, and analysing the RTOS baseband firmware

Basic familiarity with 3GPP protocols, in particular GSM and GPRS

Understanding the relevant GSM and GPRS attack surfaces

Setting up a base station (BTS) and modifying its code

Reverse engineering the code - methods and tricks

Bug hunting - methods, tips, and previously discovered bugs

Exploitation tricks in the baseband

The trainer

Who will run this training?



Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 16 years of experience. Pedro has found and exploited hundreds of vulnerabilities in software, hardware and firmware. He has over 160 CVE ID attributed to his name (most of which related to remote code execution vulnerabilities) and has authored over 60 Metasploit modules which have been released publicly. He also regularly competes in Pwn2Own as part of the Flashback Team, winning the coveted Master of Pwn in 2020.

Besides his public vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), and of an offensive security consultancy based in Europe (Vectorize).

More information about Pedro’s publicly disclosed vulnerabilities can be found at https://github.com/pedrib/PoC. Flashback Team’s YouTube channel can be found at https://www.youtube.com/c/FlashbackTeam


Seamus Burke is a senior vulnerability researcher with more than 7 years of experience on mobile targets, with a focus on Android. He has spoken at multiple security conferences, including Def Con and Shmoocon, and has a particular affection for embedded targets like basebands and bootroms.

When not staring at IDA, he likes to spend his time wrenching on cars and racing.


What will we do?


Day 1: Introduction, initial analysis and debugging
  • Introduction to communication processors (CP):
    • The evolution and challenges of communication systems
    • Baseband processors: An architecture overview
    • CP architectures: Broadcom, Qualcomm, MediaTek, Samsung
  • Code extraction and initial analysis:
    • Challenges of baseband code extraction
    • Getting the firmware
    • Initial analysis: Parsing the firmware header
    • Loading into IDA: Base addresses and program segmentation
  • Understanding baseband Real Time Operating Systems (RTOS)
    • Data structures and IPC
    • Memory permissions and mappings
    • Mapping the attack surface
    • Identifying functions and symbols in the code and writing a function mapping
    • Extracting debug strings and parsing them to name functions in the IDB
  • Debugging:
    • Obtaining memory dumps
    • Getting RWX permissions
    • Building a debugger
Day 2: Cellular protocols and static analysis
  • Introduction to GSM, GPRS and UMTS:
    • Guide to the relevant 3GPP protocols
    • Working with the specs
    • Determining the protocol attack surface
    • Real time packet captures, analysing a sample PCAP
  • Shannon: Static analysis and an architecture overview:
    • Tasks, memory management and code structure
    • Debugging functionality
    • Samsung IPC: Talking to the Application Processor
    • The Platform Abstraction Layer and the HAL
  • MediaTek: A comparison with Shannon:
    • Nucleus OS: implementation in MediaTek
    • Debugging the MediaTek baseband
    • Interaction with the AP
  • Setting up a rogue BTS:
    • Getting started with YateBTS
    • Making phone calls and sending SMS over your own network
Day 3: Finding bugs in Shannon and MediaTek
  • 2G and 3G sub-protocols:
    • Full reversing of a CC handler function in Shannon and in MediaTek
    • Adapting YateBTS to run with GPRS and a primer on the protocol
  • Vulnerability research in LTE and 5G:
    • The additional complexities of setting up an eNodeB
    • Working with mutual authentication
    • Enumerating pre-authentication attack surfaces
  • Finding Shannon bugs
    • Guiding the students towards finding a Shannon bug presented at Pwn2Own
    • Guiding the students towards finding a recent Shannon bug that was silently
    • Enumerating related parsers
  • Finding MediaTek bugs:
    • Guiding the students towards finding a GPRS bug in MediaTek (DoS)
    • Analysing the bug using the adapted hooking framework
    • Opening related attack surfaces in MediaTek
Day 4: Exploiting a Shannon n-day
  • Modifying YateBTS code to deliver the exploit payload
  • Exploit primitives
    • Restoring execution after a Shannon stack overflow – resuming the message
      parsing loop
    • Exploiting heap overflows in Shannon OS
    • Analysing the stack and heap for secondary exploitation primitives
    • Challenges/exploit mitigations
  • Achieving code execution:
    • Developing a proof of concept (PoC)
    • Using ROP for a full exploit
    • Loading the initial shellcode stub into global memory
    • Building a custom bridgehead – receiving the main payload over the air
    • Second stage: Modifying the system’s behaviour in order to capture traffic or
      escalate to the AP
  • Baseband emulation for vulnerability research
  • Escalating to the Application Processor (AP) and Android - an introduction


  • C and Python
  • Good reverse engineering knowledge
  • Recommended: Familiarity with ARM assembly

Hardware Requirements

  • A working laptop
  • 40 GB free Hard disk space

Software Requirements

  • IDA Pro or IDA Home with ARM Architecture is a must
  • 32-bit ARM Decompiler is OPTIONAL, but highly recommended:
    • IDA Pro users can use the accompanying Hex Rays ARM decompiler
    • Ghidra’s ARM decompiler can be used as a standalone decompiler for students with IDA Home (only if you really can’t get the Hex-Rays decompiler)
  • Linux / Windows / Mac OS X desktop operating systems
  • VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
  • Administrator / root access MANDATORY

Other trainings

What else might interest you?

Attacking Instant Messaging Applications

Vectorize (Nitay Artenstein & Iddo Eldor & Jacob Bech)

Attacking the Linux Kernel

Andrey Konovalov

Binary Literacy 2: Static Analysis of C++ with Hex-Rays

Rolf Rolles

iOS for Security Engineers

Victor Cutillas & Etienne Helluy-Lafont

Offensive Azure AD and hybrid AD security

Dirk-jan Mollema

Software Deobfuscation Techniques

Tim Blazytko

Windows Internals for Security Engineers

Yarden Shafir