Hexagon fuzz: Full-system emulated fuzzing of Qualcomm basebands

https://news.ycombinator.com/rss Hits: 13
Summary

Key takeaways

1. Due to Qualcomm's proprietary architecture, a lack of security tooling exists around their baseband.
2. Our tooling enables research on Hexagon basebands with significantly reduced engineering work.
3. We release the first open-source toolchain for full-system emulated Hexagon firmware fuzzing at TROOPERS25.

Overview

Every phone has a cellular baseband processor to handle mobile communications (5G, 4G, GPS, and more). Qualcomm created a specific architecture for its baseband called Hexagon. It powers the baseband processors found in most leading smartphones, including every iPhone since generation 12 except the iPhone 16e, and all Snapdragon-based devices. Because this architecture differs from the classic ARM, x86, or MIPS that we all know, it has seen little security research: most of the existing tooling simply does not apply to it!

We developed the first open-source toolchain for full-system emulated fuzzing of any Hexagon firmware. Our work addresses a gap in baseband security research by making a previously inaccessible attack surface available for analysis. With our toolchain, open-sourced here, we invite the community to collaborate and build upon this work.

Previous research landscape and the Hexagon gap

The baseband security research community has made considerable progress in recent years, yet a critical gap has persisted regarding Qualcomm's Hexagon architecture.

Early work like BaseSAFE (2020, Maier et al.) introduces an advanced framework for fuzzing basebands. Building on this, FirmWire (2022, Hernandez et al.) provides baseband emulation platforms for fuzzing. These tools are the go-to solution for fuzzing basebands which use ARM, x86, MIPS and other standard architectures.

But, as the FirmWire paper observes:

"Unlike other baseband implementations, Qualcomm leverages a fully-custom architecture known as Hexagon [...] Unfortunately, tooling for this architecture is sparse, and especially full-system emulators are lacking."

Other research efforts aroun...

First seen: 2025-07-02 11:54

Last seen: 2025-07-02 23:58