Fun with the MTK 6573 Baseband (Patching / Replacing)


Hi,

I'm Markus, a security researcher from Germany. I recently did some
work on MTK 6573 based Android phones
(http://sched.brucon.org/event/451eb792d462066ca9bb36d419aff033). The
BB seems like an interesting target to replace with a free one because:

 - It is actually loaded from the Android filesystem
   (/etc/firmware/modem.img) running on the AP (which you can control
   easily on a rooted phone).
 - It is not signed and obfuscated (and based on Nucleus OS).
 - The firmware contains a lot of custom debug info, including
   strings of function names and source file names.
 - Older firmware in ELF format with (partial) debug symbols has been
   published.
 - There is shared memory between AP and BB.
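Because the image is unsigned and lives on the AP filesystem, a modified modem.img only gets noticed if something on the AP side checks it. The Python script below is an added example, not code from the original post or from the shadowsim project: it records a baseline (digest, size, and the debug strings the post mentions) from a known-good image and reports how a candidate image differs. The image bytes are constructed stand-ins, and the manifest layout and the loader for /etc/firmware/modem.img are assumptions.

```python
"""Integrity check for an unsigned baseband image loaded from the AP filesystem.

Added example (not from the original post or the shadowsim project). It
assumes a hypothetical baseline manifest recorded from a known-good phone
and uses a constructed stand-in for /etc/firmware/modem.img.
"""
import hashlib
import re

# Path of the baseband image on the AP filesystem, as named in the post.
MODEM_IMAGE_PATH = "/etc/firmware/modem.img"

# Constructed stand-in for a firmware blob: a few NUL-terminated "debug
# strings" (function and source file names) padded with filler bytes.
# This is not real MTK firmware.
KNOWN_GOOD_IMAGE = (
    b"\x00" * 16
    + b"sim_apdu_send\x00"
    + b"src/sim/sim_drv.c\x00"
    + b"\xff" * 32
    + b"nucleus_task_create\x00"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole image; the authoritative tamper indicator."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII of at least min_len bytes, i.e. the
    kind of debug residue (function/file names) the post describes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_manifest(image: bytes) -> dict:
    """Record what a known-good image looks like: digest, size and the
    sorted set of debug strings present (hypothetical manifest layout)."""
    return {
        "sha256": sha256_hex(image),
        "size": len(image),
        "strings": sorted(set(extract_strings(image))),
    }


def verify_image(image: bytes, manifest: dict) -> dict:
    """Compare a candidate image to the manifest. The digest decides
    pass/fail; the string and size deltas only describe what changed."""
    present = set(extract_strings(image))
    baseline = set(manifest["strings"])
    return {
        "ok": sha256_hex(image) == manifest["sha256"],
        "size_delta": len(image) - manifest["size"],
        "missing_strings": sorted(baseline - present),
        "new_strings": sorted(present - baseline),
    }


def load_image(path: str = MODEM_IMAGE_PATH) -> bytes:
    """Read the image from the AP filesystem (needs root on a real phone)."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD_IMAGE)
    # Constructed tampered copy: one debug string overwritten in place,
    # so the size stays identical and only the digest and strings differ.
    tampered = KNOWN_GOOD_IMAGE.replace(b"sim_apdu_send", b"sim_apdu_soft")
    print(verify_image(KNOWN_GOOD_IMAGE, manifest))
    print(verify_image(tampered, manifest))
```

On a real device the manifest would be recorded once from a phone whose image you trust and kept off the device, since anything stored on the same rooted AP filesystem can be rewritten together with modem.img.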

What I did so far is reversing and patching the firmware to enable the
usage of software SIM cards. Also a real SIM card can be forwarded
over TCP. You can find my patches for the Alcatel OT-910D modem.img +
AP-Side stuff + a little APDU-Card-Server here:

https://github.com/shadowsim/shadowsim

One could imagine some interesting applications as for example
exchanging SIM cards between different phones over the internet. The
main difference in application between the classic mobile phones and
smart- / feature-phones is that you can use other communication
channels (e.g. WiFi) to bootstrap mobile network authentication and