Skip to content

mastermindCodes/note3-baseband-platform

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

Galaxy Note 3 — Rooted Android Baseband Security Platform

Samsung Galaxy Note 3 (SM-N9005) | crDroid A11 | Lolz Kernel v18 | Magisk
Alpine Linux chroot | Qualcomm MSM8974 | Full DIAG/SMD/QMI access
Tested across Android 4 → 13. A11 is the final optimal version.


What Makes This Different

Most security research platforms (Raspberry Pi, laptop, cloud VPS) cannot do what this phone can.

This device has raw access to the Qualcomm cellular modem — the separate ARM processor running AMSS firmware that handles all GSM/LTE/WCDMA radio communication. Modern phones lock these interfaces behind SELinux, hardware firewalls, and verified boot. The Note 3 with Lolz kernel and permissive SELinux has none of those restrictions.

The /dev/diag diagnostic port, /dev/smd* shared memory channels, and /dev/qmi* Qualcomm MSM Interface are all readable and writable. This is a capability that effectively disappeared after 2016.


Repository Structure

note3-baseband-platform/
├── README.md
├── kernel/
│   ├── lolz_v18_features.md       # Lolz kernel capabilities unlocked
│   ├── undervolt_config.md         # CPU voltage control (-50mV across all freqs)
│   └── hotplug_tuning.md          # Blu_plug min 1/max 4, always-on
├── modem/
│   ├── diag_port.py               # Qualcomm DIAG stream reader
│   ├── smd_at_interface.py        # Bidirectional AT via /dev/smd0
│   ├── qmi_query.sh               # QMI modem interrogation
│   ├── carrier_encryption_audit.md # How to detect A5/0-3 negotiation
│   ├── imsi_catcher_detect.md     # Cell tower logging & anomaly detection
│   └── firmware_dump_guide.md     # Extracting AMSS modem binary
├── system/
│   ├── nfc_hal_blocker/           # Magisk module — kill NFC HAL on unsupported hw
│   ├── debloat_freeze_list.md     # 60+ safely frozen packages
│   ├── acc_battery_limiter.md     # ACC config for always-plugged (70-80%)
│   └── selinux_policy_notes.md    # Permissive policy & analysis
├── network/
│   ├── netfilter_forensics.sh     # nf_conntrack + iptables logging
│   ├── isp_audit.sh               # ISP path mapping, DNS poisoning, port blocking
│   └── transparent_proxy.md       # mitmproxy via iptables NAT redirect
├── alpine/
│   ├── chroot_setup.md
│   └── server_deployment.md
└── docs/
    ├── why_a11_is_optimal.md
    └── carrier_audit_full.md

Unique Capabilities

1. Cellular Baseband Access (Desktop Cannot Do)

Interface What It Does Modern Phone Access
/dev/diag Qualcomm diagnostic port — real-time modem state, radio firmware messages, encryption negotiation ❌ Blocked
/dev/smd0-7 Shared memory driver — bidirectional AT command bus to baseband CPU ❌ Blocked
/dev/qmi0-2 Qualcomm MSM Interface — modem configuration, network registration, SMS at firmware level ❌ Blocked

Only this device can: Read A5/0-3 encryption negotiation in real-time, detect IMSI catchers by logging every cell tower handoff at the baseband level, probe SS7 vulnerabilities via USSD commands sent directly to the modem CPU.

2. Kernel-Level Power & Performance Control (Modern Phones Cannot Do)

  • CPU undervolt — Lolz kernel exposes per-frequency voltage table. Apply -50mV across all 18 frequency steps. No modern phone exposes CPU voltage.
  • CPU overclock — 2.5 GHz (stock 2.2 GHz) via kernel custom frequencies
  • Hotplug tuning — Blu_plug with configurable min/max cores. Keep 4 cores online always for SSH responsiveness.
  • Battery slate mode/sys/class/power_supply/battery/batt_slate_mode allows hardware-level charging pause. Used by ACC for 70-80% battery longevity.

3. Unrestricted Netfilter (Kernel 3.4)

  • Full nf_conntrack — track every connection on your network in real-time
  • oem_nat_pre iptables chain — intercept and redirect traffic at kernel level
  • No eBPF restrictions — classic iptables with full LOG, DNAT, REDIRECT targets
  • Transparent MITM proxy via simple iptables rules

4. No Verified Boot / Runtime System Modification

  • /vendor, /system writable at runtime
  • Rename HAL libraries live (NFC fix)
  • Magisk modules apply at kernel level
  • SELinux permissive allows unrestricted process access

Tools Quick Start

# Read modem firmware version via AT
python3 tools/smd_at.py AT+CGMI

# Start DIAG port logging (requires SIM with data)
python3 tools/diag_port.py --log /data/modem_diag.log

# Run ISP infrastructure audit
bash tools/isp_audit.sh

Device Specs

Component Detail
SoC Qualcomm Snapdragon 800 (MSM8974)
CPU 4× Krait 400 @ 2.5 GHz (OC)
GPU Adreno 330 @ 450 MHz
RAM 3 GB (2.89 GB usable)
Kernel Linux 3.4.113 Lolz v18
Modem Qualcomm MDM9x25 (AMSS firmware)
WiFi Broadcom BCM4335
Storage 32 GB eMMC
Battery Always plugged, ACC 70-80%
Idle RAM ~800 MB after debloat
Swap 1 GB ZRAM
Uptime 24/7 headless

License

MIT — use freely, but the DIAG/SMD interface knowledge is rare. If you build on it, credit where due.

About

Qualcomm baseband security research platform — Galaxy Note 3, DIAG/SMD/QMI cellular modem access, kernel tuning, carrier auditing

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors