# Unveiling the Mysteries of Hexagon QDSP6 JTAG


Alisa Esage, Zero Day Engineering Research & Training. Black Hat Asia 2025, Singapore


### About me

### Alisa Esage Shevchenko

- Independent Hacker
- Founder of Zero Day Engineering
- Researcher of God Mode<sup>\*</sup> since 1999






\* gaming term

### About this talk

### What is Hexagon?

- Qualcomm Snapdragon & MDM chips
  - ~30% of smartphone market
  - Now entering laptop market
  - One or more specialized cores on the Snapdragon SoC are Hexagon cores
- Hexagon architecture
  - Proprietary by Qualcomm, secure
  - Mostly firmware code behind Secure Boot
  - VLIW optimized for parallel execution, solid benchmarks
  - Started as DSP for specialized media workloads
  - Runs modem on Android MSM, aka baseband. Variety of attack vectors
  - Now, NPU

### What is the problem with Hexagon?

- You can't debug it

# Intro

### Hexagon and Snapdragon



https://developer.qualcomm.com/download/sd820e/qualcomm-snapdragon-820e-processor-apg8096sge-device-specification.pdf

### Inside your smartphone (msm based)



# Recap: Hexagon architecture

### Hexagon: programmer's view



#### 1.3.6 Instruction packets

Sequences of instructions can be explicitly grouped into packets for parallel execution. For example:

```
{
    R8 = memh(R3++#2)
    R12 = memw(R1++#4)
    R = mpy(R10,R6):<<1:sat
    R7 = add(R9,#2)
}
```

#### 1.3.7 Dot-new instructions

In many cases, a predicate or general register can be both generated and used in the same instruction packet. This feature is expressed in assembly language by appending the suffix ".new" to the specified register. For example:

```
{
    P0 = cmp.eq(R2,#4)
    if (P0.new) R3 = memw(R4)
    if (!P0.new) R5 = #5
}
{
    R2 = memh(R4+#8)
    memw(R5) = R2.new
}
```

[HEXAGONISA] https://developer.qualcomm.com/download/hexagon/hexagon-v62-programmers-reference-manual.pdf

### Hexagon update

# Introducing Snapdragon<sup>®</sup> X Elite, the most powerful, intelligent, and efficient processor in its class for Windows.

With a powerful AI engine, including the world's fastest NPU for laptops, Snapdragon<sup>\*</sup> X Elite enables AI-enhanced apps that unlock focus, flow and innovation. Because laptops powered by Snapdragon technology work equally well plugged-in or on battery, your employees can work from wherever they need to.

Up to **5.4X** more efficient NPU than Core Ultra 7

Snapdragon X Elite: SKU comparison table (Qualcomm Oryon CPU / Adreno GPU / Hexagon NPU / Memory)

| Platform           | Part Number | Cores | Total Cache | Max Multithread Frequency | Dual Core Boost | Adreno GPU TFLOPs | Hexagon NPU TOPS | Memory Type | Transfer Rate |
|--------------------|-------------|-------|-------------|---------------------------|-----------------|-------------------|------------------|-------------|---------------|
| Snapdragon X Elite | X1E-00-1DE  | 12    | 42 MB       | 3.8 GHz                   | 4.3 GHz         | 4.6               | 45               | LPDDR5x     | 8448 MT/s     |
| Snapdragon X Elite | X1E-84-100  | 12    | 42 MB       | 3.8 GHz                   | 4.2 GHz         | 4.6               | 45               | LPDDR5x     | 8448 MT/s     |
| Snapdragon X Elite | X1E-80-100  | 12    | 42 MB       | 3.4 GHz                   | 4.0 GHz         | 3.8               | 45               | LPDDR5x     | 8448 MT/s     |
| Snapdragon X Elite | X1E-78-100  | 12    | 42 MB       | 3.4 GHz                   | None            | 3.8               | 45               | LPDDR5x     | 8448 MT/s     |

## How do they debug Hexagon cores?

#### Hardware debugger

- Lauterbach TRACE32 (JTAG/Coresight)
  - 3rd party product, endorsed by Qualcomm
  - Requires Qualcomm "partner enrollment" level support to configure debugging (impossible)
  - Not applicable to off-the-shelf devices
  - Expensive

#### Software debugger

- Doesn't exist
  - Code that runs on the Hexagon architecture is heavily proprietary and undocumented: you are not supposed to know about it, let alone debug it
- Engineer your own gdb server and inject it via software-vulnerability exploit primitives
  - **DIY** reports in the past show a lot of impressive effort
  - But limited, unreliable and unsustainable in use
- A Hexagon emulator/simulator is available
  - You can write high-level app code with the Hexagon SDK and "debug" it on the simulator, no problem with that
  - Mostly useless for deep security research



### Trace32 User's Manual is pessimistic...

#### 1. Hexagon Conceptual Basics

Especially when starting to get familiar with the Hexagon architecture these points are of exceptional importance:

Hexagon is a secure platform: by default, debugging is prohibited. Whether the user can debug a
specific application or not is configured by the application which is executed.

If you write your own application, please consult the Hexagon documentation on how to enable debugging. If you are using a third-party application please contact the vendor of this application for a debug-enabled version.

- Besides "debugging not allowed" there are two debugging levels:
  - **Untrusted debugging** requires a debug monitor running under the control of the application and RTOS.
  - Trusted debugging allows full control over the Hexagon core. See also Hexagon Security for more information on the Hexagon debug modes.
- Because the debugger does not have any access to the core by default, Hexagon needs to be configured via some external "instance". Normally an Arm core is responsible for configuration and loading at least an initial application for enabling debugging. Please see the chipset's documentation on how to do this.

#### **Hexagon Security**

Hexagon has three debug modes:

1. No debugging allowed.
2. Untrusted debug. The debugger communicates with a debug monitor integrated in the kernel. This allows debugging of only a few resources, e.g. some dedicated user applications or tasks.
3. Trusted debug. The debugger has full access and control over Hexagon.

TRACE32 only supports trusted debug.

The application running on the target selects the debug mode in its startup code. After this is done, a hardcoded software breakpoint will halt the DSP.

(©1989-2024 Lauterbach, Hexagon Debugger manual, p. 12)

# Wait, what is this?

Hexagon Debugger manual, p. 56:

`SYStem.RESetOut`: Reset target without reset of debug port. Format: `SYStem.RESetOut`

This command resets the DSP via the debug registers in **ISDB**. Only the DSP will reset, not the debug port or the target system. This function only works when the CPU is in **SYStem.Mode Up**.

### ISDB

Google's first answer, "Television system":

Integrated Services Digital Broadcasting is a Japanese broadcasting standard for digital television and digital radio. ISDB supersedes both the NTSC-J analog television system and the previously used MUSE Hivision analog HDTV system in Japan. (Wikipedia)

### Start researching, mystery builds up...

(Screenshot of kernel source: adreno\_a5xx.c)



### Patent documentation FTW


(54) Title: NON-INTRUSIVE, THREAD-SELECTIVE, DEBUGGING METHOD AND SYSTEM FOR A MULTI-THREADED DIGITAL SIGNAL PROCESSOR

(57) Abstract: Techniques for the design and use of a digital signal processor, including (but not limited to) for processing transmissions in a communications (e.g., CDMA) system. The disclosed method and system provide for processing instructions in a multi-threaded process including the use of break-point.

(54) Title: METHOD AND SYSTEM FOR TRUSTED/UNTRUSTED DIGITAL SIGNAL PROCESSOR DEBUGGING OPERATIONS



Codrescu et al. (54) METHOD AND SYSTEM FOR A DIGITAL SIGNAL PROCESSOR DEBUGGING DURING POWER TRANSITIONS

(12) United States Patent

(75) Inventors: Lucian Codrescu, Austin, TX (US); William C. Anderson, Austin, TX (US); Suresh Venkumahanti, Austin, TX (US); Louis Achille Giannini, San Diego, CA (US); Manojkumar Pyla, San Diego, CA (US); Xufeng Chen, San Diego, CA (US)

(73) Assignee: QUALCOMM Incorporated, San Diego, CA (US)




# Project card: RE Hexagon Debugging

#### Sources

- Patent documentation
- Qualcomm Programmer's Reference Manuals
- Open source code
- Datasheets

#### Methods

- OSINT
- Thinking
- Grepping QURT binaries for strings
- Open baseband firmware in IDA and close it

#### Funding

- This research project was partially sponsored by a company that chose to remain anonymous
- Findings approved for disclosure
- Thank you!

### Results

- Qualcomm **ISDB system internals** revealed here for the first time
- Outlined basic prerequisites to enable and operate debugging of Hexagon firmware
- This talk focuses on the core aspects of the matter; due to limited time and disclosure constraints, a lot had to be left out
- Still a lot to uncover

# Fast forward to findings >>>

## Hexagon Debugging Internals

### ISDB (In-Silicon Debugger)



### Breakpoint processing circuitry

(Patent FIG. 6, breakpoint processing circuitry; figure not reproduced)

# Recap: JTAG IEEE 1149.1

### The standard

- Basic technology for testing microelectronic circuits
- Simple interface serial pins
  - TDI (Test Data In), TDO (Test Data Out)
  - Test mode selection, clock, reset
- Very powerful
- No access control
- No resource control
- Most device vendors either don't care or rely on "security by obscurity" to hide JTAG port



### Extended JTAG pinouts



https://www.allaboutcircuits.com/technical-articles/jtag-connectors-and-interfaces/

# JTAG and software debugging

- Powerful primitives
  - Access to memory
  - Access to registers
  - Halt signal
- Software debugger engineering
  - Build standard debugging ops on JTAG hardware primitives
  - Wrap in GUI/CLI/gdb
  - FTDI (USB-TTL) for wiring
- Example: tracing/single step
  - Halt signal + program counter register modification
- Example: breakpoint
  - Hardware bp: program the register
  - Software bp: inject the opcode
- OpenOCD
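To make that layering concrete, here is an added Python model (not code from the talk, and not a real JTAG driver) of how the standard debugger operations listed above are built from nothing but the port's primitives: halt/resume, memory read/write and register read/write. The target is a constructed toy core whose "ISA" just advances the program counter by one word, except for a breakpoint opcode that drops it into debug (halted) state; `BRKPT_OPCODE` is a placeholder value, not the real Hexagon encoding, and the hardware breakpoint is modelled on the `BRKPTPC0`/`BRKPTCFG0` register names from the system register table, with an assumed enable bit.

```python
"""Model of software-debugger operations layered on JTAG-style primitives.

Constructed illustration: SimTarget is a toy core exposing only what a debug
port gives you. BRKPT_OPCODE and HW_BP_ENABLE are placeholder values, not
Hexagon's real encodings.
"""
from dataclasses import dataclass, field

WORD = 4
NOP_OPCODE = 0x00000000
BRKPT_OPCODE = 0x7FFFFFFF   # placeholder breakpoint opcode for the toy ISA
HW_BP_ENABLE = 1            # assumed enable bit in the breakpoint config register


@dataclass
class SimTarget:
    """The 'hardware': only halt/resume, memory and register access are exposed."""
    mem: dict = field(default_factory=dict)
    regs: dict = field(default_factory=lambda: {"pc": 0, "brkptpc0": 0, "brkptcfg0": 0})
    halted: bool = True

    def halt(self):
        self.halted = True

    def resume(self, max_cycles=256):
        """Run until a breakpoint fires (pc stays on the halting address) or the budget ends."""
        self.halted = False
        for _ in range(max_cycles):
            pc = self.regs["pc"]
            hw_hit = (self.regs["brkptcfg0"] & HW_BP_ENABLE) and pc == self.regs["brkptpc0"]
            if hw_hit or self.mem.get(pc, NOP_OPCODE) == BRKPT_OPCODE:
                self.halted = True
                return
            self.regs["pc"] = pc + WORD   # every other word is a one-cycle no-op
        self.halt()

    def read_mem(self, addr):
        return self.mem.get(addr, NOP_OPCODE)

    def write_mem(self, addr, word):
        self.mem[addr] = word & 0xFFFFFFFF

    def read_reg(self, name):
        return self.regs[name]

    def write_reg(self, name, value):
        self.regs[name] = value & 0xFFFFFFFF


class Debugger:
    """Standard debugger operations built only from the target's primitives."""

    def __init__(self, target):
        self.t = target
        self.saved = {}   # address -> original word displaced by a software breakpoint

    def set_sw_breakpoint(self, addr):
        """Software breakpoint: save the original word, inject the breakpoint opcode."""
        if addr not in self.saved:
            self.saved[addr] = self.t.read_mem(addr)
            self.t.write_mem(addr, BRKPT_OPCODE)

    def clear_sw_breakpoint(self, addr):
        self.t.write_mem(addr, self.saved.pop(addr))

    def set_hw_breakpoint(self, addr):
        """Hardware breakpoint: program the address/config registers, no code patching."""
        self.t.write_reg("brkptpc0", addr)
        self.t.write_reg("brkptcfg0", HW_BP_ENABLE)

    def clear_hw_breakpoint(self):
        self.t.write_reg("brkptcfg0", 0)

    def _hw_bp_at(self, pc):
        return bool(self.t.read_reg("brkptcfg0") & HW_BP_ENABLE) and self.t.read_reg("brkptpc0") == pc

    def single_step(self):
        """Halt + pc manipulation: execute exactly one instruction by parking a
        temporary breakpoint at pc+4, lifting any breakpoint that sits on pc first."""
        pc = self.t.read_reg("pc")
        sw_here, hw_here = pc in self.saved, self._hw_bp_at(pc)
        if sw_here:
            self.t.write_mem(pc, self.saved[pc])   # let the real instruction run
        if hw_here:
            self.t.write_reg("brkptcfg0", 0)
        temp = (pc + WORD) not in self.saved      # don't clobber a user breakpoint at pc+4
        if temp:
            self.set_sw_breakpoint(pc + WORD)
        self.t.resume()
        if temp:
            self.clear_sw_breakpoint(pc + WORD)
        if sw_here:
            self.t.write_mem(pc, BRKPT_OPCODE)     # re-arm the user breakpoint
        if hw_here:
            self.t.write_reg("brkptcfg0", HW_BP_ENABLE)
        return self.t.read_reg("pc")

    def continue_until_halt(self):
        pc = self.t.read_reg("pc")
        if pc in self.saved or self._hw_bp_at(pc):
            self.single_step()   # step off the breakpoint we are currently sitting on
        self.t.resume()
        return self.t.read_reg("pc")

    def trace(self, steps):
        """Tracing is repeated single-stepping, recording the pc after each step."""
        return [self.single_step() for _ in range(steps)]
```

The step-over logic in `single_step` is the part most real debuggers get subtly wrong: the breakpoint under the current pc must be lifted, a temporary one parked on the next instruction, and the original re-armed afterwards, which is exactly why a software breakpoint needs the saved original word.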



### **ISDB** Registers


| REGISTER NAME | DESCRIPTION                   | REGISTER ADDRESS | ISDB TRUSTED ACCESS | ISDB UNTRUSTED ACCESS | CORE ACCESS, SUPERVISOR MODE <sup>a</sup> |
|---------------|-------------------------------|------------------|---------------------|-----------------------|------------------------------------------|
| ISDBST        | ISDB STATUS                   | 0x0              | R                   | R <sup>b</sup>        | R                                        |
| ISDBCFG0      | ISDB CONFIG 0                 | 0x1              | R/W                 | NONE                  | NONE                                     |
| ISDBCFG1      | ISDB CONFIG 1                 | 0x2              | R/W                 | NONE                  | NONE                                     |
| BRKPTINFO     | BREAKPOINT INFO               | 0x3              | R                   | NONE                  | NONE                                     |
| BRKPTINC0     | BREAKPOINT 0 ADDRESS          | 0x4              | W                   | NONE                  | NONE                                     |
| BRKPTING0     | BREAKPOINT 0 CONFIG           | 0x5              | W                   | NONE                  | NONE                                     |
| BRKPTINC1     | BREAKPOINT 1 ADDRESS          | 0x6              | W                   | NONE                  | NONE                                     |
| BRKPTING1     | BREAKPOINT 1 CONFIG           | 0x7              | W                   | NONE                  | NONE                                     |
| STFINST       | STUFF INSTRUCTION             | 0x8              | W                   | NONE                  | NONE                                     |
| ISDBMBXIN     | MAILBOX IN (ISDB>CORE)        | 0x9              | W                   | W                     | R                                        |
| ISDBMBXOUT    | MAILBOX OUT (CORE>ISDB)       | 0xA              | R                   | R                     | W                                        |
| ISDBCMD       | ISDB COMMAND                  | 0xB              | W                   | W <sup>c</sup>        | NONE                                     |
| ISDB_EN       | ISDB ENABLE                   | 0xC              | R/W                 | R/W                   | NONE                                     |
| ISDB_VERSION  | ISDB VERSION                  | 0xD              | R                   | R                     | NONE                                     |
| ISDB_GPR      | ISDB GENERAL PURPOSE REGISTER | 0xF              | R/W                 | NONE                  | R/W                                      |

<sup>a</sup> NO ACCESS IS ALLOWED FROM THE CORE IN USER MODE

<sup>b</sup> ONLY BITS 4:0 ARE VISIBLE IN UNTRUSTED MODE

<sup>c</sup> ONLY THE INTERRUPT COMMAND IS AVAILABLE

### Trusted and Untrusted debugging mode

[0012] According to one aspect of the disclosed subject matter, a method and system for controlling between trusted and untrusted debugging operational modes includes the processes, circuitry, and instructions for operating a core processor process within a core processor associated with the digital signal processor. The method and system further operate a debugging process within a debugging mechanism of the digital signal processor, which debugging mechanism associates with the core processor. The core processor process determines the origin of debugging control as trusted debugging control or untrusted debugging control. In the event that debugging control is trusted debugging control, the core processor process provides to the trusted debugging control a first set of features and privileges. Alternatively, in the event that

(54) Title: METHOD AND SYSTEM FOR TRUSTED/UNTRUSTED DIGITAL SIGNAL PROCESSOR DEBUGGING OPERATIONS



### Supervisor Mode

(Qualcomm Hexagon V73 Programmer's Reference Manual, Instruction Set)

#### Trap

The trap instruction causes a precise exception.

Executing a trap instruction sets the EX bit in SSR to 1, which disables interrupts and enables Supervisor mode. The program then jumps to the vector location (either TRAP0 or TRAP1). The instruction specifies an 8-bit immediate field. This field is copied into the system status register cause field.

Upon returning from the service routine with a RTE, execution resumes at the packet after the TRAP instruction.

These instructions are generally intended for user code to request services from the operating system. Two TRAP instructions are provided so the OS can optimize for fast service routines and slower service routines.

| Syntax        | Behavior                                   |
|---------------|--------------------------------------------|
| trap0(#u8)    | SSR.CAUSE = #u; TRAP "0";                  |
| trap1(#u8)    | Assembler mapped to: "trap1(R0,#u8)"       |
| trap1(Rx,#u8) | See the pseudo-code below                  |

```
if (!can_handle_trap1_virtinsn(#u)) {
    SSR.CAUSE = #u;
    TRAP "1";
} else if (#u == 1) {
    VMRTE;
} else if (#u == 3) {
    VMSETIE;
} else if (#u == 4) {
    VMGETIE;
} else if (#u == 6) {
    VMSPSWAP;
}
```

# SYSCFG register

- Hexagon architecture register, exposed to the assembler
  - But, undocumented
  - Patent shows "one way of forming the register"
- Supervisor-only (privileged)
  - QURT kernel OR application in privileged mode of execution; e.g. modem firmware in early boot
- Used to set the **ISDB\_TRUSTED** bit
  - 0x28 == 0b0..1000
- The ISDB status bit will be tested by the host debugger and eligible others
- Patent documentation:
  - "Communication through a SYSCFG register as a 40-bit packet identifies the ISDB register to read/write and a 32-bit data payload"
  - RESERVED part?
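As an added example (not from the talk, the patent, or Qualcomm), the Python model below ties together the ISDB register access table above and the patent's 40-bit SYSCFG packet: it transcribes the register table's access matrix (including the three footnotes) and enforces it against decoded packets. The packet bit layout is an assumption, since the talk only states that the packet identifies the ISDB register and carries a 32-bit payload and asks what the rest is; the layout assumed here is bits 39:36 register address, bit 35 write flag, bits 34:32 reserved (must be zero), bits 31:0 data.

```python
"""Model of the ISDB register access matrix and an assumed 40-bit SYSCFG packet.

The access matrix is transcribed from the ISDB register table in the talk.
The packet layout (addr 39:36, write 35, reserved 34:32, data 31:0) is an
assumption made for this illustration.
"""
from enum import Enum


class Requester(Enum):
    ISDB_TRUSTED = 0      # trusted debugger on the debug port
    ISDB_UNTRUSTED = 1    # untrusted debugger on the debug port
    CORE_SUPERVISOR = 2   # Hexagon core executing in supervisor mode
    CORE_USER = 3         # Hexagon core in user mode: never allowed (footnote a)


# name -> (address, trusted, untrusted, core supervisor); "" means NONE
ISDB_REGISTERS = {
    "ISDBST":       (0x0, "R",  "R",  "R"),
    "ISDBCFG0":     (0x1, "RW", "",   ""),
    "ISDBCFG1":     (0x2, "RW", "",   ""),
    "BRKPTINFO":    (0x3, "R",  "",   ""),
    "BRKPTINC0":    (0x4, "W",  "",   ""),
    "BRKPTING0":    (0x5, "W",  "",   ""),
    "BRKPTINC1":    (0x6, "W",  "",   ""),
    "BRKPTING1":    (0x7, "W",  "",   ""),
    "STFINST":      (0x8, "W",  "",   ""),
    "ISDBMBXIN":    (0x9, "W",  "W",  "R"),
    "ISDBMBXOUT":   (0xA, "R",  "R",  "W"),
    "ISDBCMD":      (0xB, "W",  "W",  ""),   # untrusted: interrupt command only (footnote c)
    "ISDB_EN":      (0xC, "RW", "RW", ""),
    "ISDB_VERSION": (0xD, "R",  "R",  ""),
    "ISDB_GPR":     (0xF, "RW", "",   "RW"),
}
ADDR_TO_NAME = {v[0]: k for k, v in ISDB_REGISTERS.items()}
UNTRUSTED_READ_MASK = {"ISDBST": 0x1F}   # footnote b: only bits 4:0 visible untrusted
COLUMN = {Requester.ISDB_TRUSTED: 1, Requester.ISDB_UNTRUSTED: 2, Requester.CORE_SUPERVISOR: 3}


def check_access(reg, who, op):
    """True if `who` may perform op ('R' or 'W') on ISDB register `reg`."""
    if who is Requester.CORE_USER:
        return False
    return op in ISDB_REGISTERS[reg][COLUMN[who]]


def visible_value(reg, who, raw):
    """Apply the untrusted-mode visibility mask to a raw register value."""
    if who is Requester.ISDB_UNTRUSTED:
        return raw & UNTRUSTED_READ_MASK.get(reg, 0xFFFFFFFF)
    return raw


def encode_packet(reg_addr, write, data):
    """Build the assumed 40-bit packet; reserved bits 34:32 are left zero."""
    if not 0 <= reg_addr <= 0xF or not 0 <= data <= 0xFFFFFFFF:
        raise ValueError("field out of range")
    return (reg_addr << 36) | (int(write) << 35) | data


def decode_packet(packet):
    """Split a packet into (reg_addr, write, data), rejecting malformed ones."""
    if packet >> 40:
        raise ValueError("packet wider than 40 bits")
    if (packet >> 32) & 0x7:
        raise ValueError("reserved bits 34:32 must be zero")
    return (packet >> 36) & 0xF, bool((packet >> 35) & 1), packet & 0xFFFFFFFF


def route_request(packet, who):
    """Decode a packet and enforce the access matrix; returns the register name."""
    reg_addr, write, _data = decode_packet(packet)
    name = ADDR_TO_NAME.get(reg_addr)
    if name is None:
        raise ValueError(f"no ISDB register at address {reg_addr:#x}")
    if not check_access(name, who, "W" if write else "R"):
        raise PermissionError(f"{who.name} may not {'write' if write else 'read'} {name}")
    return name
```

Address 0xE is absent from the table on the slide, so `route_request` rejects it rather than guessing; the same "unknown register" path is where a real implementation would want to fail closed.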

### How to program SYSCFG register?

System register numbering, from the V69 Programmer's Reference Manual (system register transfer moves 32-bit singles or aligned pairs between general and system registers; the figure shows the system register field encoding):

| #  | Register | #  | Register | #  | Register   | #  | Register  |
|----|----------|----|----------|----|------------|----|-----------|
| 0  | SGP0     | 16 | EVB      | 32 | ISDBST     | 48 | PMUCNT0   |
| 1  | SGP1     | 17 | MODECTL  | 33 | ISDBCFG0   | 49 | PMUCNT1   |
| 2  | STID     | 18 | SYSCFG   | 34 | ISDBCFG1   | 50 | PMUCNT2   |
| 3  | ELR      | 19 |          | 35 |            | 51 | PMUCNT3   |
| 4  | BADVA0   | 20 | IPEND    | 36 | BRKPTPC0   | 52 | PMUEVTCFG |
| 5  | BADVA1   | 21 | VID      | 37 | BRKPTCFG0  | 53 | PMUCFG    |
| 6  | SSR      | 22 | IAD      | 38 | BRKPTPC1   | 54 |           |
| 7  | CCR      | 23 |          | 39 | BRKPTCFG1  |    |           |
| 8  | HTID     | 24 | IEL      | 40 | ISDBMBXIN  |    | Reserved  |
| 9  | BADVA    | 25 |          | 41 | ISDBMBXOUT |    |           |
| 10 | IMASK    | 26 | IAHL     | 42 | ISDBEN     |    |           |
| 11 |          | 27 | CFGBASE  | 43 | ISDBGPR    |    |           |
| 12 |          | 28 | DIAG     | 44 |            |    |           |
| 13 | Reserved | 29 | REV      | 45 | Reserved   |    |           |
| 14 |          | 30 | PCYCLELO | 46 |            |    |           |
| 15 |          | 31 | PCYCLEHI | 47 |            | 63 |           |

System register transfer instruction syntax: `Sd = Rs` (32-bit), `Sdd = Rss` (64-bit aligned pair). Class: SYSTEM (slot 3)

Qualcomm Hexagon V73 Programmer's Reference Manual, Instruction Set:

#### Instruction synchronization

The isync instruction ensures that all previous instructions have committed before continuing to the next instruction.

This instruction should execute after the following events (when subsequent instructions must observe the results of the event):

- After modifying the TLB with a ...
- After modifying the SSR register
- After modifying the SYSCFG register
- After any instruction cache maintenance ...
- After modifying the TID register

Syntax: `isync`. Behavior: `instruction_sync;`. Class: SYSTEM (slot 2)

Notes: This is a solo instruction. It must not be grouped with other instructions in a packet.

Slide note: V73 (2024) no longer mentions system control registers and how to program them.

### Software breakpoint

Qualcomm Hexagon V73 Programmer's Reference Manual, Instruction Set:

#### Breakpoint

The brkpt instruction causes the program to enter Debug mode if enabled by ISDB. Execution control is handed to ISDB and the program does not proceed until directed by the debugger.

If ISDB is disabled, this instruction is treated as a NOP.

Syntax: `brkpt`. Behavior: Enter Debug mode; Class: SYSTEM

Notes: This is a solo instruction. It must not be grouped with other instructions in a packet. Supervisor mode only.

Encoding: (bit-field diagram not recoverable from the scan; fields: ICLASS = instruction class, Parse = packet/loop parse bits)

### Magic Cookie

https://android.googlesource.com/kernel/msm/+/android-7.1.0\_r0.2/drivers/esoc/esoc-mdm.h

```c
#define MDM_PBLRDY_CNT 20
#define INVALID_GPIO (-1)
#define MDM_GPIO(mdm, i) (mdm->gpios[i])
#define MDM9x25_LABEL "MDM9x25"
#define MDM9x25_HSIC "HSIC"
#define MDM9x35_LABEL "MDM9x35"
#define MDM9x35_PCIE "PCIe"
#define MDM9x35_DUAL_LINK "HSIC+PCIe"
#define MDM9x35_HSIC "HSIC"
#define MDM9x45_LABEL "MDM9x45"
#define MDM9x45_PCIE "PCIe"
#define MDM9x55_LABEL "MDM9x55"
#define MDM9x55_PCIE "PCIe"
#define MDM2AP_STATUS_TIMEOUT_MS 120000L
#define MDM_MODEM_TIMEOUT 3000
#define DEF_RAMDUMP_TIMEOUT 120000
#define DEF_RAMDUMP_DELAY 2000
#define RD_BUF_SIZE 100
#define SFR_MAX_RETRIES 10
#define SFR_RETRY_INTERVAL 1000
#define MDM_DBG_OFFSET 0x934
#define MDM_DBG_MODE 0x53444247
#define MDM_CTI_NAME "coresight-cti-rpm-cpu0"
#define MDM_CTI_TRIG 0
#define MDM_CTI_CH 0
```

#### Newer msm kernels no longer leak this piece

```c
val = readl_relaxed(mdm->dbg_addr);
if (val == MDM_DBG_MODE) {
	mdm->dbg_mode = true;
	mdm->cti = coresight_cti_get(MDM_CTI_NAME);
	if (IS_ERR(mdm->cti)) {
		dev_err(mdm->dev, "unable to get cti handle\n");
		goto cti_get_err;
	}
	ret = coresight_cti_map_trigout(mdm->cti, MDM_CTI_TRIG,
					MDM_CTI_CH);
	if (ret) {
		dev_err(mdm->dev, "unable to map trig to channel\n");
		goto cti_map_err;
	}
	mdm->trig_cnt = 0;
} else {
	dev_dbg(mdm->dev, "Not in debug mode. debug mode = %u\n", val);
	mdm->dbg_mode = false;
}
```

https://android.googlesource.com/kernel/msm/+/android-msm-dory-3.10-kitkat-wear/drivers/esoc/esoc-mdm-4x.c

### 0x53444247 'SDBG'

# Qualcomm IMEM

- Shared memory
- Exposed in MSM  $\rightarrow$
- Undocumented

blob: 630fa1a07f118327627afb3da8b846fc92053130

```
Qualcomm IMEM

IMEM is fast on-chip memory used for various debug features and dma transactions.

Required properties

-compatible: "qcom,msm-imem"
-reg: start address and size of imem memory

If any children nodes exist the following properties are required:
-#address-cells: should be 1
-#size-cells: should be 1
-ranges: A triplet that includes the child address, parent address, &
        length. The child address is assumed to be 0.

Child nodes:
_____
Peripheral Image Loader (pil):
_____
Required properties:
-compatible: "qcom,msm-imem-pil"
-reg: start address and size of PIL region in imem

Bootloader Stats:
------
```

## Enable Hexagon debugging with Magic Cookie

- The QURT kernel operates ISDB, mostly from privileged mode
- It uses a simple flag-based mechanism to trigger ISDB operations for applications/users
- 0x53444247 (the ASCII string 'SDBG' as a 32-bit word)
- Put the magic cookie in IMEM via JTAG
  - You need to know the specific IMEM offset for each application/control
  - Modem, PIL, mba, the Android msm kernel and the QURT kernel will check the cookie
  - Triggers the software setup consistent with the thread's debug mode, and/or enters debug mode via ISDB
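Because the debug-enable decision lives in shared memory, the presence of this cookie is something a platform owner can audit in a memory dump. As an added example (not from the talk or the kernel), the Python below mirrors the esoc driver's check on a constructed IMEM image: it reads the 32-bit word at `MDM_DBG_OFFSET` in little-endian order, as `readl_relaxed` does on an ARM-based MSM, compares it with `MDM_DBG_MODE`, and also scans a whole image for aligned copies of the cookie at other offsets, since the slide notes that each application/control may use its own offset. The sample image and its size are constructed for the example.

```python
"""Audit a constructed IMEM image for the 'SDBG' debug-mode cookie.

Added illustration: the offset and value are the MDM_DBG_OFFSET / MDM_DBG_MODE
definitions from esoc-mdm.h; the IMEM image is constructed here.
"""
import struct

MDM_DBG_OFFSET = 0x934
MDM_DBG_MODE = 0x53444247   # bytes 'S','D','B','G' read as a big-endian word


def cookie_ascii(value):
    """Render the cookie as the ASCII string it encodes ('SDBG')."""
    return value.to_bytes(4, "big").decode("ascii")


def read_word(imem, offset):
    """readl-style access: one aligned 32-bit little-endian word from the image."""
    if offset % 4 or offset + 4 > len(imem):
        raise ValueError(f"offset {offset:#x} is misaligned or out of range")
    return struct.unpack_from("<I", imem, offset)[0]


def debug_mode_requested(imem, offset=MDM_DBG_OFFSET):
    """The driver's test: is the cookie present at the modem's debug offset?"""
    return read_word(imem, offset) == MDM_DBG_MODE


def find_cookies(imem):
    """Offsets of every aligned occurrence of the cookie anywhere in the image."""
    needle = struct.pack("<I", MDM_DBG_MODE)   # little-endian in memory: b'GBDS'
    hits, pos = [], imem.find(needle)
    while pos != -1:
        if pos % 4 == 0:
            hits.append(pos)
        pos = imem.find(needle, pos + 1)
    return hits


def build_sample_imem(size=0x1000, cookie_at=()):
    """Constructed IMEM image: zero-filled, with the cookie planted at given offsets."""
    buf = bytearray(size)
    for off in cookie_at:
        struct.pack_into("<I", buf, off, MDM_DBG_MODE)
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_imem(cookie_at=(MDM_DBG_OFFSET, 0x200))
    print("cookie:", cookie_ascii(MDM_DBG_MODE))
    print("modem debug mode requested:", debug_mode_requested(image))
    print("cookie found at offsets:", [hex(o) for o in find_cookies(image)])
```

Note the byte order: the value is chosen so that it spells 'SDBG' when written as a big-endian word, but in the little-endian IMEM it sits as the bytes `47 42 44 53`, which is why the scanner packs the constant with `<I` rather than searching for the literal string.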

[Screenshot: web search for 0x53444247. Hits: samsung-kernel esoc-mdm.h at android-12 / android-13 on git.quent1.fr (msm-kernel > drivers > remoteproc), and drivers/esoc/esoc-mdm-4x.c on the halogenOS GitLab.]

The esoc-mdm.h hit shows the defines around the cookie:

```
#define MDM_DBG_OFFSET 0x934
#define MDM_DBG_MODE 0x53444247
#define MDM_CTI_NAME "coresight-cti-rpm-cpu0"
#define MDM_CTI_TRIG 0
#define MDM_CTI_CH 0
```

The esoc-mdm-4x.c hit: "When the ref-count for a subsystem goes down to 0, i.e. there are no current clients for it, the subsystem is shutdown by calling the shutdown callbacks ..."

Big secret

[Screenshot: IDA disassembly of qurtkernel.o, function start_next. It loads two words relative to r25 (immext / memw), compares each with cmp.eq into p0 / p1, jumps to _setup_isdb (continuing at _setup_isdb_cont, where three words at r10 + #start / #loc_4 / #loc_8 are written), or otherwise spins at _stop_at_bootup: { jump _stop_at_bootup }.]
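An added example of the cookie check described above, written for this write-up and not taken from the talk, QURT or any kernel source. It treats an IMEM snapshot (a constructed 4 KiB buffer) as the input, assumes the word is stored little-endian, uses MDM_DBG_OFFSET 0x934 from the esoc-mdm.h hit above, and shows both the point check at a known offset and an audit scan for the cookie anywhere in the snapshot:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0x53444247 is the bytes 'S','D','B','G' read as one big-endian number. */
#define SDBG_COOKIE      0x53444247u
/* Offset of the MDM debug-mode word, from the esoc-mdm.h search hit above. */
#define MDM_DBG_OFFSET   0x934u
/* Constructed: a 4 KiB IMEM snapshot; real sizes come from the 'reg' property. */
#define IMEM_SAMPLE_SIZE 0x1000u

static uint8_t g_imem[IMEM_SAMPLE_SIZE];   /* constructed sample snapshot */

/* Assumption: the word is stored little-endian, as on Hexagon and the ARM side. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1 if the SDBG cookie sits at 'off', 0 otherwise (including out-of-range offsets). */
int cookie_present_at(const uint8_t *imem, size_t len, size_t off)
{
    if (off > len || len - off < 4)
        return 0;
    return rd_le32(imem + off) == SDBG_COOKIE;
}

/* Audit pass: compare every 4-byte-aligned word; record the offsets of hits. */
size_t scan_cookie(const uint8_t *imem, size_t len, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        if (rd_le32(imem + off) == SDBG_COOKIE) {
            if (n < max_hits)
                hits[n] = off;
            n++;
        }
    }
    return n;
}

/* Build the constructed snapshot: all zeros, cookie written at the MDM debug offset. */
void build_sample_imem(void)
{
    memset(g_imem, 0, sizeof g_imem);
    wr_le32(g_imem + MDM_DBG_OFFSET, SDBG_COOKIE);
}

/* Self-check: exactly one hit, at the expected offset, stored as bytes 47 42 44 53 ("GBDS"). */
int sample_check(void)
{
    size_t hits[8];
    build_sample_imem();
    size_t n = scan_cookie(g_imem, sizeof g_imem, hits, 8);
    return n == 1 && hits[0] == MDM_DBG_OFFSET &&
           g_imem[MDM_DBG_OFFSET] == 0x47 && g_imem[MDM_DBG_OFFSET + 3] == 0x53;
}

int main(void)
{
    size_t hits[8];
    build_sample_imem();
    size_t n = scan_cookie(g_imem, sizeof g_imem, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("SDBG cookie at IMEM+0x%zx\n", hits[i]);
    return sample_check() ? 0 : 1;
}
```

The byte order matters when looking for the cookie in a raw dump: the word reads "GBDS" as bytes, not "SDBG".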

## Conclusions

### **Technology summary**

- ISDB is the low-level debugging circuitry of the Hexagon architecture, sitting between JTAG and the core
  - Don't confuse it with ISDB-T, a digital TV broadcasting standard
- Debugging works by reading/writing ISDB registers, via either JTAG or software
- There are multiple ways of doing things
- This research is the first step
  - System internals of ISDB
  - Key requirements to enable and control debugging over JTAG and via software
  - Untested; may need extra config!

#### Security aspects

- Basically, ISDB is the core gatekeeper of debugging on Hexagon cores
  - Blocks JTAG access if the ISDB\_TRUSTED register is not set
  - Exposes software-based debugging controls via proprietary kernel code
- Trusted or Untrusted mode of operation
  - Trusted: Qualcomm's kernel dev
  - Untrusted: you
  - Actually programmable
- Specialized enablement and configuration protocols
- The QURT kernel checks other debugging controls before enabling ISDB
  - Build-time configuration variables
  - CoT & Attestation Certificates, Fuses, IMEM
  - Inject your own ISDB enablement logic somewhere to bypass it (supervisor mode)




Twitter/YouTube: @alisaesage

Email: contact@zerodayengineering.com

http://zerodayengineering.com