Android Hardware Reverse Engineering

Ghidra & IDA Pro for Android Modem Firmware RE: Advanced Techniques


Introduction to Android Modem Firmware Reverse Engineering

Android devices rely heavily on their modem firmware for all cellular communications, from basic calls and SMS to advanced data services. Reverse engineering this firmware is crucial for uncovering vulnerabilities, understanding proprietary protocols, and even developing custom modem functionalities. This advanced guide delves into using industry-standard tools, Ghidra and IDA Pro, to dissect Android modem firmware, focusing on techniques for deep analysis.

The Challenge of Modem Firmware Analysis

Modem firmware is notoriously complex. It often runs on specialized Digital Signal Processors (DSPs) like Qualcomm’s Hexagon, or ARM Cortex-R cores, distinct from the device’s main Application Processor (AP). These environments utilize Real-Time Operating Systems (RTOS) and proprietary communication protocols, posing significant challenges for reverse engineers.

Acquiring Android Modem Firmware

Before any analysis can begin, you need the firmware image. Several methods exist:

  • Over-The-Air (OTA) Updates: Many OEMs distribute modem firmware within their full OTA update packages. These can often be downloaded directly from vendor sites or extracted from update files captured during the update process.
  • Device Dumps: If you have root access or an unlocked bootloader, you can dump the `modem.img` (or similar partitions like `RADIO`, `AP_MODEM`) directly from the device’s eMMC or UFS storage using tools like `dd`.
    adb shell su -c 'dd if=/dev/block/by-name/modem of=/sdcard/modem.img'
    adb pull /sdcard/modem.img .
  • Manufacturer Service Firmware: These often contain full modem images and can sometimes be found on third-party firmware repositories.

Initial Triage with Binwalk

Once you have a `modem.img`, `binwalk` is invaluable for initial analysis, identifying embedded filesystems, compression, and known headers.

binwalk -e modem.img

This command extracts embedded files and partitions, giving you a better understanding of the image’s internal structure. You might find further nested images, firmware blobs, or configuration files.

Ghidra for Architectural Recognition and Initial Exploration

Ghidra, with its multi-architecture support and powerful decompilation, is an excellent choice for the initial exploration of modem firmware.

Loading the Firmware and Identifying the Architecture

  1. Create a New Project: Start a new Ghidra project.
  2. Import File: Drag and drop your extracted modem firmware binary into the Ghidra project.
  3. Specify Processor: Ghidra will often prompt you to select the processor. For Qualcomm modems, this is typically either a Hexagon DSP (e.g., `Qualcomm_Hexagon`) or an ARM Cortex-R core (e.g., `ARM:LE:32:v7`). Correctly identifying the architecture is critical for accurate disassembly and decompilation. If unsure, look for tell-tale instruction sets or common vector tables.
  4. Memory Map Configuration: Define memory blocks according to common modem memory layouts (e.g., base address 0x0 for flash, RAM regions for data). Sometimes, you might need to manually specify the load address if it’s not at 0.
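As an added helper that is not part of the original article, the following Python script automates the architecture hint from step 3: it reads the e_machine field of an ELF header, or checks for a classic ARM exception vector table at offset 0, and maps the result onto the Ghidra processor IDs named above. The sample blobs are constructed, not real firmware, and the processor names are the ones used in this article.

```python
import struct

# ELF e_machine values (from the ELF spec) mapped to the Ghidra language IDs used in step 3
ELF_MACHINE_TO_GHIDRA = {
    40: "ARM:LE:32:v7",        # EM_ARM (Cortex-R/A cores)
    164: "Qualcomm_Hexagon",   # EM_HEXAGON (Qualcomm modem DSP)
}

def parse_elf_header(blob):
    """Return (bits, endianness, e_machine) for an ELF blob, or None if it is not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    bits = 32 if blob[4] == 1 else 64           # EI_CLASS
    fmt = "<" if blob[5] == 1 else ">"          # EI_DATA selects byte order
    (e_machine,) = struct.unpack_from(fmt + "H", blob, 18)
    return bits, ("LE" if fmt == "<" else "BE"), e_machine

def looks_like_arm_vector_table(blob, entries=8):
    """Heuristic: bare ARM7/Cortex-R images open with 8 unconditional B or LDR pc,[pc,#imm] words."""
    if len(blob) < 4 * entries:
        return False
    for i in range(entries):
        (word,) = struct.unpack_from("<I", blob, 4 * i)
        is_branch = (word & 0xFF000000) == 0xEA000000    # B <target>, condition AL
        is_ldr_pc = (word & 0xFFFFF000) == 0xE59FF000    # LDR pc, [pc, #imm]
        if not (is_branch or is_ldr_pc):
            return False
    return True

def guess_ghidra_processor(blob):
    """Map raw image bytes to a Ghidra processor selection, or 'unknown'."""
    hdr = parse_elf_header(blob)
    if hdr is not None:
        e_machine = hdr[2]
        return ELF_MACHINE_TO_GHIDRA.get(e_machine, "unknown ELF e_machine %d" % e_machine)
    if looks_like_arm_vector_table(blob):
        return "ARM:LE:32:v7"
    return "unknown"

# Constructed samples (not real firmware): a minimal Hexagon ELF header and a bare ARM vector table
SAMPLE_HEXAGON_ELF = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
                      + struct.pack("<HH", 2, 164) + b"\x00" * 32)
SAMPLE_ARM_VECTORS = b"".join(struct.pack("<I", 0xEA000000 | n) for n in range(8))

if __name__ == "__main__":
    for name, blob in [("hexagon.elf", SAMPLE_HEXAGON_ELF), ("arm_raw.bin", SAMPLE_ARM_VECTORS)]:
        print("%-12s -> %s" % (name, guess_ghidra_processor(blob)))
```

Run it against the output of `binwalk -e` to get a first guess before importing into Ghidra; a raw dump that matches neither signature still needs the manual inspection described in step 3.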

Symbol and String Extraction

After initial analysis, Ghidra’s powerful features come into play:

  • String Search: Look for common modem-related strings like AT commands (e.g., `+CME ERROR`, `AT+CMGS`), RIL commands, or file paths within the firmware. These often reveal critical functionality.
  • Function Identification: Ghidra’s auto-analysis will identify many functions. Pay attention to cross-references (`XREF`) to understand call graphs. Functions dealing with interrupt vectors, task scheduling, or memory management for the RTOS are good starting points.
# Ghidra script (Jython) to find string references inside each function.
# getDataAt() and currentProgram are provided by GhidraScript; no extra imports are needed.
# The original listing breaks off after "if"; the pattern list below is an assumed
# completion that reuses the AT-command strings mentioned in this article.
PATTERNS = ["AT+", "+CME ERROR"]

listing = currentProgram.getListing()
for function in currentProgram.getFunctionManager().getFunctions(True):
    # Iterate over all functions, then over every instruction in each function body
    for instr in listing.getInstructions(function.getBody(), True):
        # Check references made from within the function
        for ref in instr.getReferencesFrom():
            if not ref.getReferenceType().isData():
                continue
            data = getDataAt(ref.getToAddress())
            if data is None or not data.hasStringValue():
                continue
            string_val = str(data.getValue())
            if any(p in string_val for p in PATTERNS):
                print("%s @ %s -> %s" % (function.getName(), ref.getFromAddress(), string_val))
