Android Hardware Reverse Engineering

How to Extract and Analyze Android Modem Firmware: A Step-by-Step Guide

By Antigravity Research Published May 30, 2026 ⏱️ 4 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android Modem Firmware Reverse Engineering

The modem firmware, often referred to as the ‘baseband,’ is a critical and often overlooked component of an Android device. It’s the software that controls the radio hardware responsible for cellular communication (2G, 3G, 4G, 5G), Wi-Fi, Bluetooth, and GPS. Due to its direct interaction with network infrastructure, vulnerabilities in modem firmware can have severe security implications, ranging from remote code execution to unauthorized data access. Reverse engineering this firmware is crucial for security research, vulnerability discovery, and understanding proprietary communication protocols. This guide provides a step-by-step approach to extracting and performing initial analysis on Android modem firmware.

Understanding Modem Firmware Architecture

Modern Android devices predominantly use System-on-Chips (SoCs) from manufacturers like Qualcomm, MediaTek, and Samsung Exynos. Each vendor has its own architecture for modem firmware, but they generally follow similar principles:

  • Separation of Concerns: The modem runs on a separate, often real-time operating system (RTOS) or a bare-metal environment, distinct from Android (which runs on the Application Processor).
  • Communication: The Application Processor (AP) communicates with the Baseband Processor (BP) via various interfaces, often through shared memory regions or proprietary inter-processor communication (IPC) mechanisms.
  • Proprietary Nature: The code is almost always proprietary and closed-source, making reverse engineering essential.

For Qualcomm devices, the modem firmware is typically part of the Non-HLOS (Non-High Level Operating System) partition or bundled within the `modem.img` or `NON-HLOS.bin` files.

Methods of Firmware Extraction

1. Extracting from Official Stock ROMs/OTA Updates

This is often the safest and easiest method. Manufacturers release full factory images or OTA update packages which contain the modem firmware.

Steps:

  1. Download Stock ROM: Obtain the full factory image or OTA update package for your specific device model from the manufacturer’s official website (e.g., Google’s factory images, Samsung firmware on Sammobile, OnePlus downloads).
  2. Unpack the Archive: Stock ROMs are often ZIP, TGZ, or proprietary archive formats. Use appropriate tools to extract their contents. For `.zip` files, a simple unzip utility will work. For Samsung `.tar.md5` files, you might need 7-Zip or Odin to extract further.
  3. Identify Modem Files: Look for files like `modem.bin`, `NON-HLOS.bin`, `radio.img`, or files within a `firmware` subdirectory. These filenames vary by vendor and device.
unzip stock_rom_XYZ.zip -d extracted_romls extracted_rom/ # Look for modem.bin, NON-HLOS.bin, or similar files

2. On-Device Extraction (Root Required)

If your device is rooted, you can directly access the modem partition or its corresponding files from the device itself.

Steps:

  1. Gain Root Access: Ensure your Android device is rooted.
  2. Identify Modem Partition: Use `adb shell` to list partitions and identify the modem-related partition. Common names include `/dev/block/bootdevice/by-name/modem` or similar.
adb shellsu # Grant root accessls -l /dev/block/bootdevice/by-name/ # Look for 'modem' or 'radio' partition
  • Dump the Partition: Use `dd` to copy the partition content to a file on your device, then pull it to your computer.
    • adb shellsu dd if=/dev/block/bootdevice/by-name/modem of=/sdcard/modem.binadb pull /sdcard/modem.bin .

    3. Intercepting During Flashing (Advanced)

    Tools like Qualcomm Product Support Tool (QPST) or Odin for Samsung devices are used by manufacturers and service centers to flash firmware. It’s possible to intercept the communication or extract files directly from these tools’ directories during the flashing process, though this is more complex and tool-dependent.

    Initial Analysis Techniques

    Once you have extracted the modem firmware file (e.g., `modem.bin` or `NON-HLOS.bin`), you can begin the analysis.

    1. File Type and Structure Analysis with Binwalk

    binwalk is an excellent tool for identifying embedded files and executable code within binary images. It can detect file systems, compression, and various executable formats.

    binwalk -e modem.bin

    The `-e` flag extracts known file types. This might reveal smaller embedded images, kernel modules, or configuration files that are part of the modem firmware. Look for ARM executables, ELF files, or files with high entropy.

    2. String Analysis

    Extracting human-readable strings can reveal version numbers, error messages, function names, URLs, or API calls, providing clues about the firmware’s functionality.

    strings -n 8 modem.bin | grep -i
    
        
        
        
    
            
    
                
            
    
            
    
                
    Android Mobile Specs & Compare Directory
    
                
    Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!
    
                Compare Devices Specs →
    Google AdSense Inline Placement - Content Footer banner
    Tags: #Android #Modem Firmware #Qualcomm #Reverse Engineering #Security Research

    Related Technical Guides

    Troubleshooting Failed Sideloads: Identifying & Exploiting Hardware Test Points for Access

    May 30, 2026

    Reverse Engineering MediaTek BROM: Setting Up Your Vulnerability Research Lab & Debugging Environment

    May 29, 2026

    Troubleshooting NAND Read Errors: Practical Steps for Successful Data Recovery from Android

    May 30, 2026