Qualcomm’s QDSP6, also known as “Hexagon,” is a little-known mobile-first microarchitecture distinct from ARM and RISC-V. In fact, Hexagon chips power critical components like cellular modems and DSPs within Snapdragon processors, which, in turn, drive a significant portion of the smartphone market, including certain iPhone models. A proprietary real-time operating system named QuRT runs on Hexagon cores side-by-side with the main OS running on ARM cores, such as Android or iOS. Furthermore, Hexagon chips are notoriously secure; any debugging access is severely restricted, even for OEM partners, unless they have close relationships with the vendor. As an independent hacker, you can't debug Hexagon cores at all, even with full hardware access to a Snapdragon development board.

JTAG is the industry standard for low-level debugging of computer hardware, which is presumed to be available, to some extent, on every System-on-Chip. During my investigation into JTAG availability on Qualcomm SoCs as part of a privately funded research project, I discovered a more complex scenario. The entire hardware debugging ecosystem for QDSP6 is governed by ISDB (In-Silicon Debugger), a proprietary technology layered on top of JTAG. ISDB is the kind of mysterious technology that cannot be looked up on Google (excluding name collisions with ISDB-T, a TV broadcasting standard); it can only be faintly glimpsed through sparse mentions in Qualcomm’s technical specifications and a few obscure patents. I accepted the challenge to reverse engineer ISDB without touching hardware, which is the topic of this talk.

To fully engage with this presentation, viewers are advised to first watch my previous talk from CCC 2020 titled “Advanced Hexagon Diag”, that will provide some context around Hexagon technology, while discussing a different aspect of it. A foundational understanding of assembly programming, low-level debugging, and binary reverse engineering will be helpful as well.