BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer
Wenqiang Li, Haohuang Wen, Zhiqiang Lin
TL;DR
This paper tackles the challenge of baseband security analysis by shifting focus from proprietary baseband firmware to vendor RIL commands, which mirror baseband interfaces. It introduces BaseMirror, a static analysis pipeline that reconstructs a virtual-call–aware call graph and performs bidirectional taint analysis to automatically extract vendor-specific baseband commands from Android RIL binaries. Applying this to 28 Samsung Exynos RIL libraries, the authors identify 873 unique commands and validate 179 static AP→CP commands on a Galaxy A53, uncovering 8 zero-day vulnerabilities that can disrupt cellular service or grant arbitrary AP access; some issues were responsibly disclosed and patched by Samsung. The work demonstrates a scalable, generalizable approach to uncover baseband attack surfaces, enabling automated attack payload discovery and providing a foundation for broader vendor coverage and defensive mitigations.
Abstract
In modern mobile devices, the baseband is an integral component running on the cellular processor to handle crucial radio communications. However, recent research reveals significant vulnerabilities in these basebands, posing serious security risks such as remote code execution. Yet effectively scrutinizing basebands remains a daunting task, as they run closed-source, proprietary software on vendor-specific chipsets. Existing analysis methods are limited by their dependence on manual processes and heuristic approaches, which reduces their scalability. This paper introduces a novel approach to unveiling security issues in basebands from a unique perspective: uncovering vendor-specific baseband commands from the Radio Interface Layer (RIL), a hardware abstraction layer that interfaces with the baseband. To demonstrate this concept, we have designed and developed BaseMirror, a static binary analysis tool that automatically reverse engineers baseband commands from vendor-specific RIL binaries. It uses a bidirectional taint analysis algorithm to identify baseband commands from an enhanced control flow graph enriched with reconstructed virtual function calls. Our methodology has been applied to 28 vendor RIL libraries, encompassing a wide range of Samsung Exynos smartphone models on the market. Remarkably, BaseMirror has uncovered 873 unique baseband commands undisclosed to the public. Based on these results, we develop an automated attack discovery framework to derive and validate 8 zero-day vulnerabilities that trigger denial of cellular service and arbitrary file access on a Samsung Galaxy A53 device. These findings have been reported to and confirmed by Samsung, and a bug bounty was awarded to us.
