Bruno Produit
Bruno Produit is a security researcher based in Berlin. He specializes in hardware hacking, code review and fuzzing. In his day-to-day work, he supports companies with their security at Security Research Labs.
Session
The Hexagon baseband, a proprietary Qualcomm component in iPhones and many Android phones, has been a black box in mobile security for a long time.
Its opaque nature, high complexity and the lack of full-system emulation capabilities have hindered in-depth analysis, making it a prime target for high-impact exploitation. In this talk, we present the first full system emulation-based fuzzer for Hexagon basebands, enabling targeted fuzzing of the telco stack that is present in everyone’s pocket. Additionally, we provide tooling and documentation around reverse-engineering these firmware blobs.