[{"data":1,"prerenderedAt":1318},["ShallowReactive",2],{"/baseband-exploitation-modern-smartphones/":3,"related-baseband-exploitation-modern-smartphones":1317},{"id":4,"title":5,"author":6,"authorName":6,"category":6,"date":6,"description":6,"extension":7,"image":6,"imageAlt":6,"lastModified":6,"meta":8,"readingTime":6,"severity":6,"stem":1315,"__hash__":1316,"body":9},"articles/baseband-exploitation-modern-smartphones.md","Baseband Exploitation Modern Smartphones",null,"md",{"body":9},{"type":10,"value":11,"toc":1305},"minimark",[12,15,20,29,37,44,85,89,100],[13,14],"hr",{},[16,17,19],"h2",{"id":18},"title-baseband-exploitation-in-modern-smartphonesdescription-telcosec-research-on-smartphone-baseband-exploitation-attack-surfaces-shannonmediatek-firmware-analysis-ota-fuzzing-methods-and-zero-click-vulnerabilitiesdate-2024-03-04lastmodified-2026-05-15author-ruben-f-silvaauthorname-telcosec-researchcategory-mobile_securityseverity-criticalimage-imagesarticlesbaseband-exploitation-herowebpimagealt-baseband-exploitation-smartphone-modem-security-analysisreadingtime-22","title: \"Baseband Exploitation in Modern Smartphones\"\ndescription: \"TelcoSec research on smartphone baseband exploitation: attack surfaces, Shannon/MediaTek firmware analysis, OTA fuzzing methods, and zero-click vulnerabilities.\"\ndate: \"2024-03-04\"\nlastModified: \"2026-05-15\"\nauthor: \"Ruben F. Silva\"\nauthorName: \"TelcoSec Research\"\ncategory: \"MOBILE_SECURITY\"\nseverity: \"CRITICAL\"\nimage: \"/images/articles/baseband-exploitation-hero.webp\"\nimageAlt: \"Baseband Exploitation - Smartphone Modem Security Analysis\"\nreadingTime: 22",[21,22,23,24,28],"p",{},"The baseband processor — the modem chip that handles all cellular communication — is arguably the most security-critical component in any smartphone. It operates below the application processor (AP), runs its own Real-Time Operating System (RTOS) with full access to the radio hardware, and processes untrusted over-the-air (OTA) messages ",[25,26,27],"em",{},"before"," any authentication occurs. A vulnerability in the baseband grants an attacker full control of the modem, enabling silent call interception, location tracking, and in many cases, escalation to the application processor and the Android/iOS operating system itself.",[21,30,31,32,36],{},"This makes baseband exploitation the holy grail of mobile offensive security: a single vulnerability can enable a ",[33,34,35],"strong",{},"zero-click, zero-interaction remote code execution"," attack against any device within radio range. No phishing link, no user action — just a crafted radio message.",[38,39],"lead-magnet",{"ctaTitle":40,"description":41,"tag":42,"title":43},"GET ATTACK MAP","Download the complete baseband vulnerability taxonomy and fuzzing framework reference for Samsung Shannon, Qualcomm, and MediaTek chipsets (PDF).","baseband_lead_magnet","RESOURCES: Baseband Attack Surface Map",[45,46,49,58],"article-intel-briefing",{"accent":47,"title":48},"red","CRITICAL RISK",[21,50,51,52,57],{},"Baseband vulnerabilities represent the most critical class of mobile security flaws. They are reachable over-the-air without user interaction, execute in a privileged context with direct hardware access, and often bypass all application-layer security measures. Unlike application vulnerabilities that require user interaction, baseband bugs are exploitable by anyone with a ",[53,54,56],"a",{"href":55},"/imsi-catchers-and-rogue-base-stations/","IMSI catchers"," within radio range.",[59,60,62],"template",{"v-slot:takeaways":61},"",[63,64,65,69,72,75,82],"ul",{},[66,67,68],"li",{},"Zero-click, over-the-air exploitation — no user interaction required",[66,70,71],{},"Pre-authentication attack surface: NAS, RRC, and paging messages processed before security mode",[66,73,74],{},"Samsung Shannon, Qualcomm, and MediaTek basebands are prime research targets",[66,76,77,81],{},[53,78,80],{"href":79},"/setting-up-private-lte-5g-lab/","Private lab infrastructure"," is essential for safe OTA fuzzing",[66,83,84],{},"Baseband-to-AP escalation can compromise the entire device",[16,86,88],{"id":87},"architecture","I. Baseband Architecture: The Hidden Computer Inside Your Phone",[21,90,91,92,95,96,99],{},"Every smartphone contains two processors: the ",[33,93,94],{},"Application Processor (AP)"," running Android/iOS, and the ",[33,97,98],{},"Baseband Processor (BP)"," running a proprietary Real-Time Operating System (RTOS) that handles all cellular protocol processing. These two processors share a communication channel (typically shared memory or a PCIe bus) but run completely independent software stacks.",[101,102,105,106,111,225,229,301,305,311,362,365,367],"info-callout",{"type":103,"title":104},"warning","Critical Security Boundary","\nThe baseband processor handles all protocol parsing for untrusted over-the-air messages. It processes NAS (Non-Access Stratum), RRC (Radio Resource Control), and lower-layer radio messages — many of which arrive BEFORE mutual authentication is established. This means the baseband must parse attacker-controlled data in an unauthenticated context, creating a vast pre-authentication attack surface.\n\n",[107,108,110],"h3",{"id":109},"major-baseband-platforms","Major Baseband Platforms",[112,113,114,136],"table",{},[115,116,117],"thead",{},[118,119,120,124,127,130,133],"tr",{},[121,122,123],"th",{},"Vendor",[121,125,126],{},"Chipset Family",[121,128,129],{},"RTOS",[121,131,132],{},"Devices",[121,134,135],{},"Research Accessibility",[137,138,139,157,174,191,208],"tbody",{},[118,140,141,145,148,151,154],{},[142,143,144],"td",{},"Samsung",[142,146,147],{},"Shannon (Exynos Modem)",[142,149,150],{},"Samsung Proprietary RTOS",[142,152,153],{},"Samsung Galaxy (Exynos variants), Google Pixel 6/7/8",[142,155,156],{},"High — most researched, ASAN support available",[118,158,159,162,165,168,171],{},[142,160,161],{},"Qualcomm",[142,163,164],{},"Snapdragon Modem (X55/X65/X75)",[142,166,167],{},"QuRT (Qualcomm RTOS)",[142,169,170],{},"Most Android flagships (Snapdragon variants), iPhones 12-15",[142,172,173],{},"Medium — heavily obfuscated, some research published",[118,175,176,179,182,185,188],{},[142,177,178],{},"MediaTek",[142,180,181],{},"Helio/Dimensity Modem",[142,183,184],{},"Nucleus RTOS",[142,186,187],{},"Budget-to-mid-range Android devices",[142,189,190],{},"Medium — growing research community",[118,192,193,196,199,202,205],{},[142,194,195],{},"Intel",[142,197,198],{},"XMM (discontinued)",[142,200,201],{},"ThreadX RTOS",[142,203,204],{},"iPhones 7-11",[142,206,207],{},"High — well-documented post-discontinuation",[118,209,210,213,216,219,222],{},[142,211,212],{},"HiSilicon",[142,214,215],{},"Balong",[142,217,218],{},"LiteOS",[142,220,221],{},"Huawei devices",[142,223,224],{},"Low — restricted access",[107,226,228],{"id":227},"vendor-architecture-deep-dive","Vendor Architecture Deep-Dive",[230,231,237,271,286],"grid",{"className":232},[233,234,235,236],"grid-cols-1","md:grid-cols-3","gap-6","my-8",[238,239,249,259,268],"div",{"className":240},[241,242,243,244,245,246,247,248],"bg-[#050B14]","p-6","border","border-[var(--border)]","group","hover:border-[var(--primary)]","transition-colors","relative",[250,251],"absolute",{":right-0":252,":top-0":252,"className":253},"true",[254,255,256,257,258],"w-8","h-8","bg-gradient-to-bl","from-[var(--primary)]/20","to-transparent",[260,261,263,267],"h4",{"id":262},"qualcomm-msm",[264,265,266],"span",{},">"," Qualcomm MSM",[21,269,270],{},"Powers the majority of Android devices globally. Firmware extracted via QFIL or EDL mode. The QuRT RTOS uses a microkernel architecture with hardware-enforced memory isolation between tasks. However, the cellular protocol handlers share a flat memory space, making intra-modem lateral movement trivial after initial exploitation.",[238,272,274,277,283],{"className":273},[241,242,243,244,245,246,247,248],[250,275],{":right-0":252,":top-0":252,"className":276},[254,255,256,257,258],[260,278,280,282],{"id":279},"samsung-shannon",[264,281,266],{}," Samsung Shannon",[21,284,285],{},"Used in Samsung Exynos-based Galaxy devices and Google Pixels. Notable for multiple RCE vulnerabilities discovered by Google Project Zero in 2023-2024. Samsung has since added ASAN (AddressSanitizer) to Shannon firmware builds, making it the first baseband with runtime memory safety instrumentation.",[238,287,289,292,298],{"className":288},[241,242,243,244,245,246,247,248],[250,290],{":right-0":252,":top-0":252,"className":291},[254,255,256,257,258],[260,293,295,297],{"id":294},"mediatek",[264,296,266],{}," MediaTek",[21,299,300],{},"Dominant in budget and mid-range devices across emerging markets. The Nucleus RTOS runs a monolithic architecture where all tasks share the same address space. Less publicly researched but equally susceptible to firmware vulnerabilities — and deployed on billions of devices worldwide.",[107,302,304],{"id":303},"pre-auth-surface","The Pre-Authentication Attack Surface",[21,306,307,308,310],{},"The critical insight for baseband exploitation is that a significant portion of the cellular protocol stack must be processed ",[25,309,27],{}," mutual authentication is established. When a UE (smartphone) encounters a new cell, the following messages are processed without any cryptographic protection:",[312,313,314,320,326,332,338,344,350,356],"ol",{},[66,315,316,319],{},[33,317,318],{},"MIB (Master Information Block):"," Broadcast on the Physical Broadcast Channel (PBCH) — contains basic system parameters",[66,321,322,325],{},[33,323,324],{},"SIB (System Information Blocks):"," Broadcast on the DL-SCH — contains cell configuration, PLMN identity, access control",[66,327,328,331],{},[33,329,330],{},"Paging Messages:"," Addressed to specific UEs to notify them of incoming calls/data — processed in idle mode",[66,333,334,337],{},[33,335,336],{},"RRC Setup/Reconfiguration:"," Initial RRC connection establishment — occurs before NAS security is activated",[66,339,340,343],{},[33,341,342],{},"NAS Identity Request:"," Pre-authentication identity queries (IMSI request in 4G, SUCI in 5G)",[66,345,346,349],{},[33,347,348],{},"NAS Authentication Request:"," The 5G-AKA challenge — malformed authentication vectors can trigger parsing bugs",[66,351,352,355],{},[33,353,354],{},"NAS Security Mode Command:"," Activates encryption/integrity — but the message itself is received before protection is active",[66,357,358,361],{},[33,359,360],{},"Tracking Area Update (TAU) Reject:"," Used to force devices off a network or into a different radio access technology",[363,364],"diagrams-baseband-exploit-chain-diagram",{},[13,366],{},[368,369,373,379,381,383,387,390,394,498,502,509,512,515,522,525,534,537,541,661,663,667,674,678,681,686,689,693,696,700,704,708,712,716,720,727,730,734,737,740,744,751,755,758,762,766,770,774,777,781,784,791,794,797,808,810,814,817,821,908,912,915,1031],"code-block",{"language":370,"filename":371,"code":372},"text","Pre-Authentication Message Flow","UE (Baseband)                                    gNB/eNB\n  |                                                |\n  |\u003C--- MIB (PBCH broadcast) ----------------------|  ← UNAUTHENTICATED\n  |\u003C--- SIB1-SIB9 (DL-SCH broadcast) -------------|  ← UNAUTHENTICATED\n  |\u003C--- Paging (if applicable) --------------------|  ← UNAUTHENTICATED\n  |---- RRC Setup Request ---------------------->  |  ← UNAUTHENTICATED\n  |\u003C--- RRC Setup --------------------------------|  ← UNAUTHENTICATED\n  |---- RRC Setup Complete (+ NAS Registration) ->|  ← UNAUTHENTICATED\n  |\u003C--- NAS Identity Request (optional) ----------|  ← UNAUTHENTICATED\n  |---- NAS Identity Response ------------------->|  ← UNAUTHENTICATED\n  |\u003C--- NAS Authentication Request ---------------|  ← UNAUTHENTICATED\n  |---- NAS Authentication Response ------------->|  ← UNAUTHENTICATED\n  |\u003C--- NAS Security Mode Command ---------------|  ← INTEGRITY PROTECTED\n  |---- NAS Security Mode Complete -------------->|  ← ENCRYPTED + INTEGRITY\n  |================================================|  ← ALL SUBSEQUENT = PROTECTED",[21,374,375,376,378],{},"Every message above the double line is processed by the baseband in plaintext, with no integrity or authenticity verification. An attacker operating a ",[53,377,56],{"href":55}," can inject arbitrary content into any of these messages.",[363,380],{},[13,382],{},[16,384,386],{"id":385},"exploitation","II. Exploitation Techniques and Vulnerability Classes",[21,388,389],{},"Baseband firmware is written primarily in C/C++ with some ARM assembly, running on bare-metal or a minimal RTOS without modern exploit mitigations. Many baseband processors lack ASLR, stack canaries, or W^X memory protections, making exploitation significantly easier than application-layer attacks.",[107,391,393],{"id":392},"vulnerability-classes","Vulnerability Classes",[112,395,396,412],{},[115,397,398],{},[118,399,400,403,406,409],{},[121,401,402],{},"Class",[121,404,405],{},"Description",[121,407,408],{},"Example CVEs",[121,410,411],{},"Exploitability",[137,413,414,428,442,456,470,484],{},[118,415,416,419,422,425],{},[142,417,418],{},"Stack Buffer Overflow",[142,420,421],{},"ASN.1/PER decoding of oversized RRC/NAS fields",[142,423,424],{},"CVE-2023-24033 (Shannon)",[142,426,427],{},"Critical — direct RIP control",[118,429,430,433,436,439],{},[142,431,432],{},"Heap Overflow",[142,434,435],{},"Memory corruption in message reassembly buffers",[142,437,438],{},"CVE-2024-20069 (MediaTek)",[142,440,441],{},"High — requires heap shaping",[118,443,444,447,450,453],{},[142,445,446],{},"Integer Overflow",[142,448,449],{},"Length field manipulation in TLV-encoded IEs",[142,451,452],{},"CVE-2022-20170 (Pixel)",[142,454,455],{},"High — leads to heap/stack overflow",[118,457,458,461,464,467],{},[142,459,460],{},"Use-After-Free",[142,462,463],{},"Race conditions in connection state management",[142,465,466],{},"Various Samsung Shannon",[142,468,469],{},"Critical — arbitrary read/write",[118,471,472,475,478,481],{},[142,473,474],{},"Type Confusion",[142,476,477],{},"Incorrect ASN.1 CHOICE/SEQUENCE handling",[142,479,480],{},"Google Project Zero Shannon findings",[142,482,483],{},"Critical — arbitrary memory access",[118,485,486,489,492,495],{},[142,487,488],{},"Null Pointer Dereference",[142,490,491],{},"Missing validation on optional IEs",[142,493,494],{},"Numerous across all vendors",[142,496,497],{},"Low — typically DoS only",[107,499,501],{"id":500},"asn1-attacks","ASN.1 Parsing: The Primary Attack Vector",[21,503,504,505,508],{},"Cellular protocols encode most messages using ",[33,506,507],{},"ASN.1 PER (Packed Encoding Rules)"," — a binary encoding format that is notoriously complex to implement correctly. The ASN.1 schemas for LTE and 5G NR are defined in 3GPP TS 36.331 (LTE RRC) and TS 38.331 (NR RRC) and contain deeply nested, recursive data structures with optional fields, variable-length arrays, and complex CHOICE types.",[21,510,511],{},"Typical fuzzing targets in ASN.1 RRC messages:",[21,513,514],{},"\u003CCodeBlock\nlanguage=\"c\"\nfilename=\"asn1_rrc_parsing_vuln_example.c\"\ncode=\"// Simplified example: Stack buffer overflow in SIB parsing\n// Real vulnerabilities follow similar patterns",[21,516,517,518,521],{},"typedef struct {\nuint8_t  num_cells;      // Attacker-controlled from OTA\nuint16_t cell_ids",[264,519,520],{},"64",";   // Fixed-size buffer\n} NeighborCellList;",[21,523,524],{},"void parse_sib4(uint8_t *raw_msg, size_t len) {\nNeighborCellList ncl;",[526,527,531],"pre",{"className":528,"code":530,"language":370},[529],"language-text","// BUG: num_cells read from OTA message without bounds check\nncl.num_cells = decode_integer(raw_msg, 0, 255);\n\n// If num_cells > 64, this overflows the cell_ids buffer\nfor (int i = 0; i \u003C ncl.num_cells; i++) {\n    ncl.cell_ids[i] = decode_integer(raw_msg, 0, 503);\n    // ^^^ Stack buffer overflow when i >= 64\n}\n",[532,533,530],"code",{"__ignoreMap":61},[21,535,536],{},"}\"\n/>",[107,538,540],{"id":539},"cve-analysis","Historical CVE Analysis: Real-World Baseband Exploits",[112,542,543,561],{},[115,544,545],{},[118,546,547,550,552,555,558],{},[121,548,549],{},"CVE",[121,551,123],{},[121,553,554],{},"Component",[121,556,557],{},"Impact",[121,559,560],{},"Discovery",[137,562,563,580,595,611,628,644],{},[118,564,565,568,571,574,577],{},[142,566,567],{},"CVE-2023-24033",[142,569,570],{},"Samsung Shannon",[142,572,573],{},"SDP attribute parsing in IMS",[142,575,576],{},"Zero-click RCE via crafted SIP message",[142,578,579],{},"Google Project Zero",[118,581,582,585,587,590,593],{},[142,583,584],{},"CVE-2023-26072-26076",[142,586,570],{},[142,588,589],{},"NAS EMM/ESM message parsing",[142,591,592],{},"Pre-auth OTA memory corruption",[142,594,579],{},[118,596,597,600,602,605,608],{},[142,598,599],{},"CVE-2024-20069",[142,601,178],{},[142,603,604],{},"NAS message handler",[142,606,607],{},"Heap overflow in modem firmware",[142,609,610],{},"MediaTek PSIRT",[118,612,613,616,619,622,625],{},[142,614,615],{},"CVE-2022-20170",[142,617,618],{},"Google Pixel (Shannon)",[142,620,621],{},"NR RRC message parsing",[142,623,624],{},"Remote code execution",[142,626,627],{},"Internal Google security",[118,629,630,633,635,638,641],{},[142,631,632],{},"CVE-2020-0069",[142,634,178],{},[142,636,637],{},"AT command interface",[142,639,640],{},"Local privilege escalation to modem",[142,642,643],{},"Multiple researchers",[118,645,646,649,652,655,658],{},[142,647,648],{},"N/A (Pwn2Own)",[142,650,651],{},"Multiple",[142,653,654],{},"Various RRC/NAS handlers",[142,656,657],{},"Zero-click RCE demonstrated live",[142,659,660],{},"Pwn2Own Mobile (2023, 2024)",[13,662],{},[16,664,666],{"id":665},"research-methodology","III. Research Methodology: OTA Fuzzing Pipeline",[21,668,669,670,673],{},"Baseband research follows a systematic pipeline that requires both hardware and software infrastructure. The ",[53,671,672],{"href":79},"TelcoSec lab guide"," covers the prerequisite hardware setup in detail.",[107,675,677],{"id":676},"phase-1-firmware-extraction-and-static-analysis","Phase 1: Firmware Extraction and Static Analysis",[21,679,680],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\"  # Samsung Shannon firmware extraction (from factory image)",[682,683,685],"h1",{"id":684},"_1-download-factory-image-and-extract-modem-partition","1. Download factory image and extract modem partition",[21,687,688],{},"tar -xf SM-G998B_firmware.tar.md5\nsimg2img modem.img modem.raw",[682,690,692],{"id":691},"_2-extract-the-shannon-binary-from-the-modem-partition","2. Extract the Shannon binary from the modem partition",[21,694,695],{},"python3 shannon_fw_tools/extract.py modem.raw -o shannon_fw/",[682,697,699],{"id":698},"_3-load-into-ghidra-with-arm-cortex-r-processor-profile","3. Load into Ghidra with ARM Cortex-R processor profile",[682,701,703],{"id":702},"key-analysis-targets","Key analysis targets:",[682,705,707],{"id":706},"nas-message-dispatcher-look-for-esmemm-opcode-switch-tables","- NAS message dispatcher (look for ESM/EMM opcode switch tables)",[682,709,711],{"id":710},"asn1-per-codec-functions-look-for-uper_decode_-symbols","- ASN.1 PER codec functions (look for uper_decode_* symbols)",[682,713,715],{"id":714},"rrc-reconfiguration-handlers-sib-parsing-measurement-reports","- RRC reconfiguration handlers (SIB parsing, measurement reports)\">",[107,717,719],{"id":718},"phase-2-dynamic-fuzzing-infrastructure","Phase 2: Dynamic Fuzzing Infrastructure",[21,721,722,723,726],{},"The OTA fuzzing setup uses a ",[53,724,725],{"href":79},"private lab"," with srsRAN to broadcast malformed messages to a target device:",[21,728,729],{},"\u003CCodeBlock\nlanguage=\"python\"\nfilename=\"rrc_fuzzer_example.py\"\ncode=\"  # Simplified: Sending a malformed RRC SystemInformationBlock",[682,731,733],{"id":732},"to-trigger-an-asn1-parser-overflow-in-the-target-baseband","to trigger an ASN.1 parser overflow in the target baseband",[21,735,736],{},"from srsran_controller import GnbController\nimport struct",[21,738,739],{},"gnb = GnbController(config='gnb_fuzz.yaml')",[682,741,743],{"id":742},"build-a-malformed-sib4-with-excessive-neighbor-cell-count","Build a malformed SIB4 with excessive neighbor cell count",[21,745,746,747,750],{},"malformed_sib = build_sib4(\ncell_barred=False,\nplmn_list=",[264,748,749],{},"{'mcc': '001', 'mnc': '01'}",",\n# Trigger: nested SEQUENCE with depth > parser limit\nintra_freq_neigh_cell_list=overflow_payload(\nnum_cells=256,          # Exceeds expected maximum of 16\ncell_individual_offset=15  # Valid range 0-30\n)\n)",[682,752,754],{"id":753},"broadcast-the-malformed-sib-on-the-bcch","Broadcast the malformed SIB on the BCCH",[21,756,757],{},"gnb.broadcast_sib(sib_type=4, payload=malformed_sib)",[682,759,761],{"id":760},"monitor-target-device-for-crash-via-diagnostic-interface","Monitor target device for crash via diagnostic interface",[682,763,765],{"id":764},"samsung-shannon-ipc-logs-via-devumts_ipc0","Samsung: Shannon IPC logs via /dev/umts_ipc0",[682,767,769],{"id":768},"qualcomm-qxdm-diagnostic-messages-via-devdiag","Qualcomm: QXDM diagnostic messages via /dev/diag",[682,771,773],{"id":772},"mediatek-ccci-ipc-channel","MediaTek: CCCI IPC channel\"",[21,775,776],{},"/>",[107,778,780],{"id":779},"phase-3-crash-analysis-and-triage","Phase 3: Crash Analysis and Triage",[21,782,783],{},"After detecting a crash, the diagnostic logs reveal the crash context:",[21,785,786,787,790],{},"\u003CCodeBlock\nlanguage=\"text\"\nfilename=\"shannon_crash_dump.log\"\ncode=\"",[264,788,789],{},"FATAL"," Exception: Data Abort at PC=0x41B8F230\nDFSR=0x00000805 (Translation fault, Section)\nDFAR=0x48484848  ← Controlled value from OTA payload",[21,792,793],{},"Register dump:\nR0=0x48484848  R1=0x00000100  R2=0x41D0A000\nR3=0x00000000  R4=0x41C12800  R5=0x00000003\nSP=0x41D09F80  LR=0x41B8F1C4  PC=0x41B8F230",[21,795,796],{},"Stack trace:\n#0  0x41B8F230  rrc_decode_sib4_neighbor_list+0x6C\n#1  0x41B8E100  rrc_process_system_information+0x1A8\n#2  0x41B8D000  rrc_handle_bcch_dl_sch+0x44\n#3  0x41B80000  l2_dispatch_pdu+0x128\">",[21,798,799,800,803,804,807],{},"The crash dump shows register ",[532,801,802],{},"R0"," contains the attacker-controlled value ",[532,805,806],{},"0x48484848",", confirming that the overflow successfully corrupted a pointer used in a memory access operation. The stack trace reveals the exact code path from the broadcast channel handler through the SIB4 parser.",[13,809],{},[16,811,813],{"id":812},"bp-to-ap","IV. Baseband-to-AP Escalation",[21,815,816],{},"Compromising the baseband is powerful on its own (call interception, SMS theft, location tracking), but the highest-value attacks escalate from the baseband to the application processor. This gives the attacker full control of the entire device — including encrypted messaging apps, authentication tokens, and stored credentials.",[107,818,820],{"id":819},"escalation-vectors","Escalation Vectors",[112,822,823,838],{},[115,824,825],{},[118,826,827,830,833,836],{},[121,828,829],{},"Vector",[121,831,832],{},"Mechanism",[121,834,835],{},"Difficulty",[121,837,557],{},[137,839,840,854,868,882,895],{},[118,841,842,845,848,851],{},[142,843,844],{},"Shared Memory",[142,846,847],{},"Direct R/W to AP memory regions via MMIO",[142,849,850],{},"Medium — requires memory map knowledge",[142,852,853],{},"Full AP compromise",[118,855,856,859,862,865],{},[142,857,858],{},"AT Command Interface",[142,860,861],{},"Inject AT commands to control AP modem HAL",[142,863,864],{},"Low — well-documented interface",[142,866,867],{},"Limited — depends on HAL permissions",[118,869,870,873,876,879],{},[142,871,872],{},"RIL IPC Channel",[142,874,875],{},"Exploit the Radio Interface Layer daemon",[142,877,878],{},"Medium — requires serialization bugs",[142,880,881],{},"Root on AP (Android)",[118,883,884,887,890,893],{},[142,885,886],{},"DMA Attack",[142,888,889],{},"Use baseband DMA engine to write AP memory",[142,891,892],{},"High — requires DMA controller access",[142,894,853],{},[118,896,897,900,903,906],{},[142,898,899],{},"USB/PCIe Bridge",[142,901,902],{},"Exploit the inter-processor communication bus",[142,904,905],{},"High — hardware-specific",[142,907,853],{},[107,909,911],{"id":910},"defense-landscape","Defense Landscape",[21,913,914],{},"Modern devices are beginning to implement baseband isolation, though coverage remains inconsistent:",[112,916,917,934],{},[115,918,919],{},[118,920,921,924,926,929,931],{},[121,922,923],{},"Defense",[121,925,144],{},[121,927,928],{},"Apple",[121,930,161],{},[121,932,933],{},"Effectiveness",[137,935,936,953,968,982,998,1015],{},[118,937,938,941,944,947,950],{},[142,939,940],{},"ASLR in Baseband",[142,942,943],{},"Partial (Shannon)",[142,945,946],{},"Yes",[142,948,949],{},"Partial",[142,951,952],{},"Medium — limited entropy",[118,954,955,958,961,963,965],{},[142,956,957],{},"Stack Canaries",[142,959,960],{},"Recent firmware",[142,962,946],{},[142,964,960],{},[142,966,967],{},"Medium — can be leaked",[118,969,970,973,975,977,979],{},[142,971,972],{},"W^X Memory",[142,974,949],{},[142,976,946],{},[142,978,949],{},[142,980,981],{},"High — prevents simple shellcode",[118,983,984,987,990,993,995],{},[142,985,986],{},"ASAN (runtime)",[142,988,989],{},"Yes (Shannon)",[142,991,992],{},"No",[142,994,992],{},[142,996,997],{},"High — catches memory corruption",[118,999,1000,1003,1006,1009,1012],{},[142,1001,1002],{},"AP-BP Memory Isolation",[142,1004,1005],{},"IOMMU",[142,1007,1008],{},"IOMMU + PPL",[142,1010,1011],{},"SMMU",[142,1013,1014],{},"High — but bypass research active",[118,1016,1017,1020,1023,1026,1028],{},[142,1018,1019],{},"Baseband Sandboxing",[142,1021,1022],{},"Limited",[142,1024,1025],{},"Strong (SEPOS)",[142,1027,1022],{},[142,1029,1030],{},"Varies — Apple leads",[101,1032,1035,1036,1038,1042,1146,1148,1152,1162,1168,1174,1188,1194,1202,1204,1208,1214,1217,1258,1276,1297],{"type":1033,"title":1034},"note","Responsible Disclosure","\nAll baseband vulnerabilities discovered by TelcoSec researchers are reported to the affected vendor through coordinated disclosure before any public documentation. We follow a 90-day disclosure timeline aligned with Google Project Zero's policy.\n\n",[13,1037],{},[16,1039,1041],{"id":1040},"references","V. Authoritative References",[1043,1044,1047],"glass-panel",{"className":1045},[242,1046],"bg-black/20",[63,1048,1049,1066,1082,1098,1114,1130],{},[66,1050,1051,1057,1060],{},[33,1052,1053,1056],{},[264,1054,1055],{},"01"," Google Project Zero",[25,1058,1059],{},"Samsung Shannon Baseband RCE Research (2023-2024)",[53,1061,1065],{"href":1062,"rel":1063},"https://projectzero.google/",[1064],"nofollow","READ P0 RESEARCH →",[66,1067,1068,1074,1077],{},[33,1069,1070,1073],{},[264,1071,1072],{},"02"," 3GPP TS 36.331",[25,1075,1076],{},"E-UTRA Radio Resource Control (RRC) Protocol Specification",[53,1078,1081],{"href":1079,"rel":1080},"https://www.3gpp.org/dynareport?code=36331.htm",[1064],"3GPP TS 36.331 – LTE RRC Protocol →",[66,1083,1084,1090,1093],{},[33,1085,1086,1089],{},[264,1087,1088],{},"03"," 3GPP TS 38.331",[25,1091,1092],{},"NR Radio Resource Control (RRC) Protocol Specification",[53,1094,1097],{"href":1095,"rel":1096},"https://www.3gpp.org/dynareport?code=38331.htm",[1064],"3GPP TS 38.331 – 5G NR RRC Protocol →",[66,1099,1100,1106,1109],{},[33,1101,1102,1105],{},[264,1103,1104],{},"04"," MITRE FiGHT",[25,1107,1108],{},"Baseband RCE via Rogue Base Station Technique",[53,1110,1113],{"href":1111,"rel":1112},"https://fight.mitre.org/",[1064],"MITRE FiGHT Threat Framework →",[66,1115,1116,1122,1125],{},[33,1117,1118,1121],{},[264,1119,1120],{},"05"," Samsung Mobile Security",[25,1123,1124],{},"Shannon Baseband Security Updates",[53,1126,1129],{"href":1127,"rel":1128},"https://security.samsungmobile.com/",[1064],"Samsung Mobile Security Advisories →",[66,1131,1132,1138,1141],{},[33,1133,1134,1137],{},[264,1135,1136],{},"06"," Qualcomm Product Security",[25,1139,1140],{},"Snapdragon Modem Security Bulletins",[53,1142,1145],{"href":1143,"rel":1144},"https://www.qualcomm.com/company/product-security",[1064],"Qualcomm Product Security Bulletins →",[13,1147],{},[16,1149,1151],{"id":1150},"faq","VI. Frequently Asked Questions",[1153,1154,1156],"faq-item",{"title":1155},"What is a zero-click baseband exploit?",[21,1157,1158,1159,1161],{},"A zero-click exploit targets the baseband processor through malformed over-the-air messages. The victim doesn't need to click anything, open an app, or interact with their phone — simply being connected to a cellular network within range of a ",[53,1160,56],{"href":55}," is enough for the attack to execute. The malformed message is processed by the baseband's protocol parser before any user-level software is involved.",[1153,1163,1165],{"title":1164},"Can airplane mode protect against baseband attacks?",[21,1166,1167],{},"Yes, airplane mode completely disables the cellular radio and therefore the baseband processor cannot receive OTA messages. However, on some devices, the baseband firmware remains loaded in memory even in airplane mode, and the radio can be re-enabled without a full processor restart. For maximum security in high-risk environments, physically disabling the radio (Faraday bag) is recommended.",[1153,1169,1171],{"title":1170},"Are iPhones vulnerable to baseband attacks?",[21,1172,1173],{},"Yes. iPhones use Qualcomm or Intel basebands (and Apple's own modem starting with iPhone 17). The baseband firmware is equally opaque and subject to the same class of OTA vulnerabilities. Apple does apply stronger sandboxing between the baseband and AP processors (via IOMMU and the Secure Enclave), which can limit the impact of a modem compromise but does not prevent the initial baseband exploitation.",[1153,1175,1177],{"title":1176},"What equipment do I need for baseband fuzzing?",[21,1178,1179,1180,1183,1184,1187],{},"At minimum: a ",[53,1181,1182],{"href":79},"USRP B210 SDR",", a compute node running srsRAN, a Faraday cage for RF containment, and programmable SIM cards. For firmware analysis, you'll need Ghidra or IDA Pro and vendor-specific diagnostic tools (QXDM for Qualcomm, Shannon tools for Samsung). See our ",[53,1185,1186],{"href":79},"complete lab setup guide"," for the full hardware procurement list.",[1153,1189,1191],{"title":1190},"How do vendors patch baseband vulnerabilities?",[21,1192,1193],{},"Baseband patches are delivered through firmware updates, typically bundled with monthly Android security bulletins or iOS updates. The patch cycle averages 60-90 days from report to deployment. Unlike application patches, baseband updates require carrier certification in many regions, which can add additional delays. This extended exposure window makes zero-day baseband vulnerabilities exceptionally valuable to attackers.",[1153,1195,1197],{"title":1196},"What is the relationship between IMSI catchers and baseband exploitation?",[21,1198,1199,1201],{},[53,1200,56],{"href":55}," (rogue base stations) serve as the delivery mechanism for baseband exploits. The IMSI catcher forces the target UE to connect by broadcasting a stronger signal, then delivers malformed protocol messages during the pre-authentication phase. Without a rogue base station or compromised legitimate infrastructure, remote baseband exploitation over the air is significantly more difficult.",[13,1203],{},[16,1205,1207],{"id":1206},"conclusion-next-steps","Conclusion & Next Steps",[21,1209,1210,1211,1213],{},"Baseband exploitation represents the frontier of mobile security research. As 5G NR introduces more complex protocol stacks (with larger ASN.1 schemas, new NAS procedures, and additional pre-authentication messages), the attack surface of the modem processor continues to expand. The convergence of ",[53,1212,56],{"href":55}," accessibility, pre-authentication attack surfaces, and minimal exploit mitigations makes the baseband the single most critical component for mobile security assessment.",[21,1215,1216],{},"The research pipeline for effective baseband security:",[312,1218,1219,1229,1235,1241,1252],{},[66,1220,1221,1224,1225,1228],{},[33,1222,1223],{},"Build the lab:"," Deploy ",[53,1226,1227],{"href":79},"private LTE/5G infrastructure"," with srsRAN and Open5GS",[66,1230,1231,1234],{},[33,1232,1233],{},"Extract and analyze firmware:"," Use vendor-specific tools and Ghidra to map the protocol handlers",[66,1236,1237,1240],{},[33,1238,1239],{},"Fuzz systematically:"," Target ASN.1 parsers in NAS, RRC, and IMS layers with structured OTA fuzzing",[66,1242,1243,1246,1247,1251],{},[33,1244,1245],{},"Escalate and validate:"," Confirm exploitability and test ",[53,1248,1250],{"href":1249},"#bp-to-ap","baseband-to-AP escalation"," paths",[66,1253,1254,1257],{},[33,1255,1256],{},"Disclose responsibly:"," Coordinate with vendors through 90-day disclosure timelines",[21,1259,1260,1261,1265,1266,1270,1271,1275],{},"Interested in developing baseband security capabilities for your organization? Explore TelcoSec's ",[53,1262,1264],{"href":1263},"/telecom-penetration-testing-methodologies/","telecom pentesting methodology"," for the full offensive lifecycle, or browse the ",[53,1267,1269],{"href":1268},"/projects/library/","TelcoSec research library"," for related signaling and ",[53,1272,1274],{"href":1273},"/glossary/#radio-access-network-ran","RAN"," security intelligence.",[238,1277,1283,1284,1283,1292],{"className":1278},[1279,1280,1281,1282,236],"flex","flex-col","sm:flex-row","gap-4","\n  ",[1285,1286,1291],"nuxt-link",{"to":1287,"className":1288},"/services/",[1289,1290],"btn-terminal-fill","text-center","REQUEST ASSESSMENT",[1285,1293,1296],{"to":79,"className":1294},[1295,1290],"btn-terminal","BUILD YOUR LAB →",[1298,1299],"telecom-security-cta",{"title":1300,"description":1301,"ctalink":1302,"ctatext":1303,"context":1304},"MASTER BASEBAND RESEARCH?","Master the art of cellular modem exploitation. Learn to extract firmware, identify protocol handlers, and build OTA fuzzers in our hands-on Academy tracks. Access the cellular modem research vault and QSIM/Shannon baseband instances.","https://app.telcosec.net/api/auth/login","LEARN BASEBAND EXPLOITATION STEPS [→]","baseband_exploitation",{"title":61,"searchDepth":1306,"depth":1306,"links":1307},2,[1308,1309],{"id":18,"depth":1306,"text":19},{"id":87,"depth":1306,"text":88,"children":1310},[1311,1313,1314],{"id":109,"depth":1312,"text":110},3,{"id":227,"depth":1312,"text":228},{"id":303,"depth":1312,"text":304},"baseband-exploitation-modern-smartphones","_YqE2z15oDt5ywn1iOcnEAIlrUpwynOIR2moVfGD-KQ",[],1782059596568]