author | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2016-12-27 11:45:46 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2016-12-27 11:45:46 +0100 |
commit | 07e5c7d692ada060563b94884bed8c94e302a01b (patch) | |
tree | 7fd283fdd9e0f72dc72a10ce24f7be42b26783a4 /2016/33c3/33c3-modems.adoc | |
parent | c91fea6d73088cb9058c0cea8fa6a6d72e538717 (diff) |
More structure, spelling, clarification, images..
Diffstat (limited to '2016/33c3/33c3-modems.adoc')
-rw-r--r-- | 2016/33c3/33c3-modems.adoc | 62 |
1 files changed, 34 insertions, 28 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc index a4ed5a7..e4d2418 100644 --- a/2016/33c3/33c3-modems.adoc +++ b/2016/33c3/33c3-modems.adoc 
@@ -22,59 +22,66 @@ Dissecting modern (3G/4G) cellular modems // 9 years of Osmocom? // 3G and 4G development // Hardware for decoding -* Implementing GSM specifications for the last decade (OpenMoko, Osmocom) +* Implementing GSM specifications for the last decade +* OpenMoko and then Osmocom * 7 years since OsmocomBB for GSM * In the past used and built devices using 2G modems -* Started to build 3G/4G software, logs/traces help +* Started to build 3G/4G software and logs/traces help +* Build tools to help understanding cellular technology == History image:images/sl6087_hw.png[height=280,role="gimmick_right"] * OpenAT by Sierra Wireless -* 2G and 3G were available * Write C code using OpenAT APIs * Dynamically loaded into the RTOS * Runs without privilege separation, MMU * Eclipse based IDE and plugins (in clojure) +* Protocol to multiplex AT, log, debug +* 2G and 3G modems were available * Discontinued HW platform => Locked in -* Various limitations +* Various other limitations == Device requirements * Get textual logging when handling messages -* Get a copy of the radio network messages and export to GSMTAP +* Get a copy of the radio network message and export to GSMTAP * Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] * But for GPRS, 3G and 4G -* Enabled by default and not to be removed +* Enabled by default and not locked down in the future -== DIAG protocol +== Qualcomm DIAG protocol + +* Qualcomm DIAG in many products (DVB-H, GSM, ...) 
+* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3 +* Simple HDLC frame (0x7e), cmd, data, CRC16 + +* Thousands of different message structures +* Events, Logging, Command/Response +* ModemManager, gsm-parser consume only a small fraction + +image:images/diag_frame.png[width="90%"] -* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3) -* HDLC frame, CRC16, simple framing (0x7e) -* Command, Response, Events -** Enable logging of subsystems -** Enable events for subsystems -** Trigger firmware upgrade -** Read/Write RAM -* ModemManager uses it for additional information -* gsmparser of snoopsnitch to export to GSMTAP == Selecting a device +image:images/28c3_option_stick.png[width="30%",role="gimmick_right"] + * 3G Options Icon stick exposes DIAG out of the box * Quectel UC20 (2G+3G) enable it by default * Quectel EC20 (2G+3G+4G) enable it by default * 2G, 3G and 4G sounds quite nice +* EC20 comes as mini-PCIe module as well == Quectel EC20 image:images/ec20.png[height=200,role="gimmick_right"] -* Using a Qualcomm MDM 9615 chipset +* Uses a Qualcomm MDM 9615 chipset * Also used in the iPhone5 -* Surprisingly runs Linux +* In our case surprisingly runs Linux * Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov]) * Not a lot of documentation available @@ -88,7 +95,7 @@ image:images/ec20.png[height=200,role="gimmick_right"] == GPL compliance * Got a firmware upgrade to fix stability -* Might contain traces of Linux? +* Looks like it contains traces of Linux? * No written offer, let's see if it runs Linux * gpl-tools to unpack unyaffs * strings, etc., AT+QLINUXCMD=? 
@@ -97,7 +104,7 @@ image:images/ec20.png[height=200,role="gimmick_right"] == GPL compliance -* Linux basis created by Qualcomm used by Quectel +* Linux basis created by Qualcomm and used by Quectel * https://wiki.codeaurora.org/xwiki/bin/QLBEP/ * Many branches, releases, which to use? @@ -252,9 +259,9 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"] image:images/redbend.png[height=76,role="gimmick_right"] * Based on the recovery.git code -* But for some reason (legacy?) is using RedBend -* RSA linked into the binary but not called -* RedBend used by many more companies and systems (e.g. Quectel UC20) +* But for some reason using RedBend for the update (legacy?) +* RSA still linked into the binary but not used +* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive) == RedBend (delta update) software @@ -262,7 +269,8 @@ image:images/redbend.png[height=76,role="gimmick_right"] * Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik]) * Lots of starring at hexdumps, lots of help from Dieter Spaar * Binary file format to diff, inserts, remove, link files -* Variable size Table Of Contents +* Can update images/mtd partitions too +* Variable sized LZMAed Table Of Contents ** Filenames separated with 0x00 ** Permissions separated with 0xAF ** Sections for diff, inserts with crc32, filesize, permission @@ -296,10 +304,8 @@ Start download fota for update.zip image:images/upgrade_process.png[] - -== Firmware example - -* Show it? +* Applies what ever was downloaded... +* Assumes no MITM is possible == Recommedation |
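Review bot: the rewritten Qualcomm DIAG section in the first hunk (@@ -22,59 +22,66 @@) drops the bullets that said what the protocol can do beyond logging (`** Trigger firmware upgrade`, `** Read/Write RAM`), while the Device requirements slide just above it asks for DIAG to be `Enabled by default and not locked down in the future`. Keep one bullet naming those privileged operations so the audience can weigh that requirement against what an always-on DIAG port exposes. Smaller points in the same hunk: `Like Tobias Engels` needs an apostrophe (`Tobias Engel's`), `Get a copy of the radio network message` lost its plural, and `Build tools to help understanding cellular technology` reads better as `help understand`.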
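Review bot: in the RedBend hunk (@@ -262,7 +269,8 @@), `Variable sized LZMAed Table Of Contents` would be clearer as `Variable-sized, LZMA-compressed Table Of Contents`, and since this commit is billed as a spelling pass, the context line `Lots of starring at hexdumps` should become `staring`. In `Can update images/mtd partitions too`, `images` is ambiguous next to the `image:` macros on the same slide; `firmware images` or `raw mtd partitions` says what is meant.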
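Review bot: in the last hunk (@@ -296,10 +304,8 @@), `Applies what ever was downloaded...` should be `whatever`, and the two new bullets state the deck's security conclusion without tying it to the evidence given earlier: the RedBend slide says the RSA code is `still linked into the binary but not used`, so the integrity of the update rests entirely on the download transport. Consider one explicit statement (e.g. `No signature check on the delta: whatever the download returns gets applied`) so that `Assumes no MITM is possible` follows from a stated fact rather than standing on its own. The context line `== Recommedation` is also misspelled (`Recommendation`).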