Skip to content

Helpful scripts for various tasks performed during reverse engineering the Shannon Baseband with the goal to exploit the Samsung Galaxy S6

Notifications You must be signed in to change notification settings

brinlyau/shannonRE

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Helpful scripts for various tasks performed during reverse engineering the Shannon Baseband with the goal to exploit the Samsung Galaxy S6. Specifically, this is the code release for https://comsecuris.com/slides/recon2016-breaking_band.pdf

Please reach out to us for patches or future research in this direction!

Structure of this repository:

├── 010
│   └── sam.bt [010 template for Shannon's TOC header format]
├── android
│   ├── collect-ramdump.sh [Collect ramdumps using cbd directly, requires root]
│   └── download-dump.sh [Collect ramdumps using the menu, does not require root]
├── idapython
│   ├── loader
│   │   └── sam_modem_ramdump.py [IDA loader for the Shannon MAIN image]
│   ├── misc
│   │   └── clean-IDC.sh [Clean up an IDC by removing {comments, filenames, *_something named labels, deletes}]
│   │   └── typeinfo.idc [Structure definitions for a Shannon idb]
│   └── plugins
│       ├── def_arm32_functions.py [Auto-find more functions by scanning for prologues]
│       ├── find_mcr.py [Find and label all the mcr instructions in an idb]
│       ├── label_functions.py [Label function names automatically using string references]
│       ├── name_msg_handlers.py [Name an L3 task's message handlers in its dispatch table automatically]
│       ├── parse_mpu.py [Parse the modem's MPU config table and pretty print all the configuration rules]
│       ├── pseudocomments.py [Save/Restore pseudocode comments from/to an idb. This is useful because IDCs lack these.]
│       ├── register_map.py [Label the register map inside a modem ramdump]
│       ├── stackscan.py [Identify possible stackframes inside a modem ramdump]
│       └── taskscan.py [Walk the task linked list in a modem ramdump to enumerate and label tasks]
└── modem
    ├── memdump.py [Dump memory ranges live from the modem]
    ├── readmem.py [Read memory from a modem address]
    ├── unpack_modem.py [Split up a modem image into its TOC parts (Boot, Main, etc)]
    └── writemem.py [Write memory to a modem address]

About

Helpful scripts for various tasks performed during reverse engineering the Shannon Baseband with the goal to exploit the Samsung Galaxy S6

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 66.2%
  • C 28.8%
  • Shell 5.0%