Helpful scripts for various tasks performed during reverse engineering the Shannon Baseband with the goal to exploit the Samsung Galaxy S6. Specifically, this is the code release for https://comsecuris.com/slides/recon2016-breaking_band.pdf
Please reach out to us for patches or future research in this direction!
Structure of this repository:
├── 010
│ └── sam.bt [010 template for Shannon's TOC header format]
├── android
│ ├── collect-ramdump.sh [Collect ramdumps using cbd directly, requires root]
│ └── download-dump.sh [Collect ramdumps using the menu, does not require root]
├── idapython
│ ├── loader
│ │ └── sam_modem_ramdump.py [IDA loader for the Shannon MAIN image]
│ ├── misc
│ │ └── clean-IDC.sh [Clean up an IDC by removing {comments, filenames, *_something named labels, deletes}]
│ │ └── typeinfo.idc [Structure definitions for a Shannon idb]
│ └── plugins
│ ├── def_arm32_functions.py [Auto-find more functions by scanning for prologues]
│ ├── find_mcr.py [Find and label all the mcr instructions in an idb]
│ ├── label_functions.py [Label function names automatically using string references]
│ ├── name_msg_handlers.py [Name an L3 task's message handlers in its dispatch table automatically]
│ ├── parse_mpu.py [Parse the modem's MPU config table and pretty print all the configuration rules]
│ ├── pseudocomments.py [Save/Restore pseudocode comments from/to an idb. This is useful because IDCs lack these.]
│ ├── register_map.py [Label the register map inside a modem ramdump]
│ ├── stackscan.py [Identify possible stackframes inside a modem ramdump]
│ └── taskscan.py [Walk the task linked list in a modem ramdump to enumerate and label tasks]
└── modem
├── memdump.py [Dump memory ranges live from the modem]
├── readmem.py [Read memory from a modem address]
├── unpack_modem.py [Split up a modem image into its TOC parts (Boot, Main, etc)]
└── writemem.py [Write memory to a modem address]
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent