State-of-the-art report on Qualcomm DIAG diagnostic protocol research, its modern implementation as it appears in Hexagon basebands, advanced harnessing and reverse-engineering on modern off-the-shelf smartphones.
Diag is a proprietary diagnostics and control protocol implemented in omnipresent Qualcomm Hexagon-based cellular modems, such as those built-in Snapdragon SoCs, and named so after the DIAG task in the baseband's RTOS that handles it. Diag presents an interesting non-OTA attack surface via a locally exposed interface channels to both the application processor OS and the USB endpoints, and advanced capabilities for controlling the baseband.
Since Diag was first reverse-engineered around 2010, a lot has changed: mobile basebands are becoming increasingly security-hardened and production-fused, Hexagon architecture is gaining some serious advantages in the competition, and the Diag protocol itself was changed and locked down. Meanwhile, local attack surface in basebands is gaining importance, and so does baseband security and vulnerability research.
In this talk I will present the state-of-the-art on Diag research, based on previously unpublished details about the inner workings of the Diag infrastracture that I reverse-engineered and harnessed for my research purposes, its modern use, and how we can exploit it to talk to the production-fused baseband chip on off-the-shelf modern phones such as Google Pixel, while understanding what exactly we are doing.