In this NCC Group post, the authors reverse engineer MediaTek nanoMIPS baseband firmware and build a Ghidra module to disassemble and decompile it. The post details extracting the firmware (md1img.img) and its debug symbols, loading them into Ghidra with a mirrored memory space, and applying the workflow to a Moto Edge 2022 (Tesla), an MT6879-based device. #nanoMIPS #Ghidra #MediaTek #MT6879 #MotoEdge2022 #Tesla
Key points
- NCC Group created a nanoMIPS disassembler and decompiler module for Ghidra to analyze MediaTek nanoMIPS baseband firmware.
- They used Kaitai structure definitions to parse md1img.img and output sections to individual files, enabling interactive exploration with Kaitai IDE.
- Debug symbols are extracted from md1_dbginfo (an XZ-compressed binary) using a Kaitai-based workflow and a driver script to produce dbg_symbols.txt compatible with Ghidra tooling.
- Firmware loading involves a mirrored memory space (ram:90000000) and a specific nanoMIPS LE:32:default language setup in Ghidra, followed by selective auto-analysis adjustments.
- Disassembly begins from address 0 and relies on the debug symbols to locate functions such as INT_Initialize_Phase1; the flow-based disassembly pass takes several minutes.
- Although the module is a work in progress, it already yields practical results for reverse engineering baseband features, and it is intended for public release on GitHub along with the binary unpackers.
MITRE Techniques
- [T1518] Software Discovery – The process of discovering and identifying firmware from MediaTek that runs on nanoMIPS architecture. Quote: ‘The process involves discovering and identifying firmware from MediaTek that runs on nanoMIPS architecture. This includes analyzing various carrier-specific firmware versions for the MediaTek SoC.’
- [T1587] Reverse Engineering – Fundamental to this project is the reverse engineering of baseband firmware. Quote: ‘Fundamental to this project is the reverse engineering of baseband firmware. This includes disassembling and decompiling the firmware to understand its functionality and structure, which is crucial for identifying potential vulnerabilities and understanding the baseband processor’s operation.’
- [T1620] Exploitation for Evasion – Techniques could potentially be applied to evade security measures in embedded systems. Quote: ‘While not explicitly mentioned as a malicious action in your scenario, the techniques developed and used could potentially be applied in scenarios where evasion of security measures in embedded systems is required. This would typically involve understanding how firmware interacts with hardware to circumvent or disable security features.’
- [T1588] Develop Capabilities – Development of a new nanoMIPS disassembler and decompiler module for Ghidra is a key capability. Quote: ‘The development of a new nanoMIPS disassembler and decompiler module for Ghidra to handle the specific firmware structures encountered is a key capability developed during this engagement.’
- [T1195] Supply Chain Compromise – Analyzing and potentially modifying firmware can introduce supply chain risks. Quote: ‘Analyzing and potentially modifying firmware can lead to supply chain risks, where compromised firmware could be injected into the distribution channels, affecting the integrity of the devices.’
- [T0202] Hardware Reverse Engineering – Reversing hardware components and firmware is relevant for baseband processors and mobile network interactions. Quote: ‘This is a specific technique under the MITRE Mobile ATT&CK matrix, focusing on the reverse engineering of hardware components and firmware. It is especially relevant when dealing with the baseband processors and understanding their interaction with mobile network functionalities.’
- [T1055] Process Injection – Could be used to modify firmware to inject malicious code into legitimate processes. Quote: ‘This may be applicable if the reverse engineering findings were used to modify the firmware to inject malicious code into legitimate processes to hide or facilitate further malicious actions.’
- [T1576] Software Modification – Modifying baseband firmware for legitimate or malicious purposes. Quote: ‘Modifying the baseband firmware, whether for legitimate or malicious purposes, falls under this technique. In security research, this might be aimed at improving security or developing patches, while in an adversarial context, it might be used to implant backdoors or disable security features.’
Indicators of Compromise
- [URL] context – https://mirrors.lolinet.com/firmware/lenomola/, https://mirrors.lolinet.com/firmware/lenomola/tesla/official/
- [File name] context – md1img.img, DbgInfo_NR16.R2.MT6879.TC2.PR1.SP_LENOVO_S0MP1_K6879V1_64_MT6879_NR16_TC2_PR1_SP_V17_P38_03_24_03R_2023_05_19_22_31.xz
Read more: https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/