§ Case study · Firmware reverse engineering 2026 · ongoing · Active reverse

Huawei Balong — VxWorks RE

VxWorks on a cellular baseband.

C-core and A-core disassembly for remote eSIM on hardware that doesn't officially support it.

Reverse-engineering the proprietary VxWorks-based cellular modem firmware on Huawei Balong chipsets — both the comm processor (C-core) and application processor (A-core) — to implement remote eSIM provisioning on hardware that doesn't officially support it.

  • Firmware RE
  • VxWorks
  • ARM
  • APDU
  • Baseband
  • eSIM
Architecture
ARM
C-core + A-core
RTOS
VxWorks
real-time, kernel-mode
Goal
Remote eSIM
on unsupported hardware
Stage
Active
static + dynamic analysis

§ Abstract

Cellular modems run on opaque firmware. The chipset vendor publishes nothing useful; the carriers depend on the vendor’s word; the operator gets a black box that either works or doesn’t. This project takes the housing off.

The target is the Huawei Balong baseband — a HiSilicon SoC running VxWorks across two cores: a comm processor (C-core) handling the radio stack, and an application processor (A-core) handling everything above it. Remote eSIM provisioning, per GSMA SGP.22, requires specific cooperation from the modem firmware. On most consumer devices that cooperation is locked to vendor-blessed eSIM profiles. The goal here: enable arbitrary remote eSIM on hardware the vendor never intended to support it.

§ What surfaced

  • Two cores, two firmware images. C-core handles the LTE/5G RAT layer; A-core hosts the higher-level stack including SIM-toolkit handlers.
  • VxWorks symbol exports are stripped but recoverable via control-flow signature matching against open-source VxWorks BSPs.
  • APDU command flow between modem and SIM is dispatched through a single command parser that can be hooked.
  • GSMA SGP.22 message formats are recognizable byte-for-byte once you know what you’re looking at.

§ Method

Static analysis with Ghidra. Disassembly across both cores. Function identification via call-graph fingerprinting and the few exported symbols that survive stripping. APDU command flow traced manually from the SIM-interface handler back to the toolkit dispatcher.

Once the SIM dispatcher is mapped, the modem can be patched to accept eSIM provisioning commands from a remote source under SGP.22 — over-the-air enrollment without the vendor-locked path.

§ Implementation

In progress. The current state: identified entrypoints for both cores, mapped the SIM-toolkit dispatcher, traced the APDU command flow through to the radio stack. Patch development is underway for the C-core dispatcher to accept SGP.22-formatted enrollment requests.

This is one of the projects that landed me in Ghidra full-time. It’s also one of the most fun things I’ve worked on in years.

§ Outcomes (so far)

  • Both cores reverse-engineered to the function level
  • APDU command flow traced from SIM interface through dispatcher to radio stack
  • SGP.22 eSIM enrollment messages identified in the firmware’s parser
  • Patch path identified for enabling unsupported eSIM provisioning

Full write-up will land here when the engineering wraps. Until then — happy to talk to anyone reverse-engineering VxWorks basebands, or anyone building infrastructure that depends on assuming the modem firmware is what the vendor says it is.

Let's take the housing off something.

Reverse-engineering, Web3 infrastructure, firmware teardowns, consulting. I answer email inside 24 hours.

me@mostafa.dk → Book a call