Extending LTE/5G Modem Firmware Re-Hosting and Fuzzing Approaches with Networking Capabilities


Mobile phone modems are an integral part of most modern communicating devices. Their direct access to potentially unencrypted data within phones, and their mission-critical role in anything from wind turbine monitoring to the emergency call functionality of cars, make them an interesting target for attackers with different motivations, such as espionage and sabotage.

Security analysis of such devices is a time-consuming undertaking, as it has historically required manual reverse engineering of their complex firmware. Recent advances in the research areas of fuzzing and re-hosting now make it possible to run such firmware in an emulator. However, these emulators lack a connection to a mobile network, and thus a lot of functionality is not realistically reachable for fuzzing purposes.

The goal of this thesis is to extend an existing emulator/fuzzer for modem firmware so that it establishes a network connection between the emulated modem firmware and an open source implementation of an LTE/5G base station based on srsRAN.

Related Work


This is a Master's thesis topic.
– Knowledge of C++ and Python
– Basic understanding of mobile network protocols (MAC, RLC, NAS/PDCP)
– Some experience in reverse engineering (ideally with Ghidra)