Home

Awesome

Helpful scripts for various tasks performed during reverse engineering the Shannon Baseband with the goal to exploit the Samsung Galaxy S6. Specifically, this is the code release for https://comsecuris.com/slides/recon2016-breaking_band.pdf

Please reach out to us for patches or future research in this direction!

Structure of this repository:

├── 010
│   └── sam.bt [010 template for Shannon's TOC header format]
├── android
│   ├── collect-ramdump.sh [Collect ramdumps using cbd directly, requires root]
│   └── download-dump.sh [Collect ramdumps using the menu, does not require root]
├── idapython
│   ├── loader
│   │   └── sam_modem_ramdump.py [IDA loader for the Shannon MAIN image]
│   ├── misc
│   │   └── clean-IDC.sh [Clean up an IDC by removing {comments, filenames, *_something named labels, deletes}]
│   │   └── typeinfo.idc [Structure definitions for a Shannon idb]
│   └── plugins
│       ├── def_arm32_functions.py [Auto-find more functions by scanning for prologues]
│       ├── find_mcr.py [Find and label all the mcr instructions in an idb]
│       ├── label_functions.py [Label function names automatically using string references]
│       ├── name_msg_handlers.py [Name an L3 task's message handlers in its dispatch table automatically]
│       ├── parse_mpu.py [Parse the modem's MPU config table and pretty print all the configuration rules]
│       ├── pseudocomments.py [Save/Restore pseudocode comments from/to an idb. This is useful because IDCs lack these.]
│       ├── register_map.py [Label the register map inside a modem ramdump]
│       ├── stackscan.py [Identify possible stackframes inside a modem ramdump]
│       └── taskscan.py [Walk the task linked list in a modem ramdump to enumerate and label tasks]
└── modem
    ├── memdump.py [Dump memory ranges live from the modem]
    ├── readmem.py [Read memory from a modem address]
    ├── unpack_modem.py [Split up a modem image into its TOC parts (Boot, Main, etc)]
    └── writemem.py [Write memory to a modem address]