author Holger Hans Peter Freyther <> 2016-12-27 00:02:57 +0100
committer Holger Hans Peter Freyther <> 2016-12-27 00:03:25 +0100
commit 58ebf63972072216e7e98b4adfa153928c312937 (patch)
tree c8044d947c7b9e8cff358bafb8bfeb98fcb67eb9 /2016
parent 7fee51876b3310c48f44450e362b0c8be7ffaea3 (diff)
More wip for the structure and content of the talk
Diffstat (limited to '2016')
-rw-r--r-- 2016/33c3/images/legato_flash.png bin 0 -> 48841 bytes
-rw-r--r-- 2016/33c3/images/qualcom_many_releases.png bin 0 -> 46664 bytes
-rw-r--r-- 2016/33c3/images/quectel_ipr.pdf bin 0 -> 178034 bytes
-rw-r--r-- 2016/33c3/images/sl6087_hw.png bin 0 -> 1594528 bytes
5 files changed, 194 insertions, 62 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
index e39d592..d7aec22 100644
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@@ -1,100 +1,211 @@
Dissecting modern (3G/4G) cellular modems
-:author: Harald Welte <>
+:author: Harald Welte <>, Holger Hans Peter Freyther
#:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)
:backend: slidy
:max-width: 45em
-== Motivation
-// 9 years of Osmocom?
-// 3G and 4G development
-// Hardware for decoding
-* 9 years of Osmocom, 7 years since OsmocomBB
-* Started to look at implementing 3G/4G
-* Modems are a tool for research and development
-** Logs to analyze a specific problem
-** Traces to learn how something works
-* Modems power cellular IoT devices
-** 1.1 billion new cellular devices by 2021
-** eCall for vehicles
-** Integrated and worldwide certifications
== This talk
+* Our motivation and approach
* A bit of History
-* Device overview
-* Qualcomm Kernel, Drivers and Userspace
+* Selecting a device
+* An unexpected surprise
* Firmware upgrade
+* Recommendations/Wishes
-== History
-* Wavecom, Sierra Wireless OpenAT systems
-* OpenAT allowed to build C code
-* Dynamically loaded into the modem OS
-* Runs without privilege separation, MMU
-* Odd limitations, blocking leads to watchdog reset
+== Motivation
-== Device/Market overview
+// 9 years of Osmocom?
+// 3G and 4G development
+// Hardware for decoding
+* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
+* 7 years since OsmocomBB for GSM
+* In the past used and built devices using 2G modems
+* Started to build 3G/4G software, logs/traces help
-== Chipset vendors
+== History
-* Intel
-* Mediatek
-* Qualcomm
-* ???
-== Stack vendors
+* OpenAT by Sierra Wireless
+* 2G and 3G were available
+* Write C code using OpenAT APIs
+* Dynamically loaded into the RTOS
+* Runs without privilege separation, MMU
+* Eclipse based IDE and plugins (in clojure)
+* Discontinued HW platform => Locked in
+* Various limitations
-* Fewer than used to be?
-* Risk of monoculture
+== Device requirements
-== Modem vendors
+* Get textual logging when handling messages
+* Get a copy of the radio network messages and export to GSMTAP
+* Like Tobias Engels[x-goldmon]
+* But for GPRS, 3G and 4G
+* Enabled by default and not to be removed
-* Mostly Qualcomm based chipsets
-* Cinterion, Huawei, U-Blox, Quectel, Sierra Wireless, Telit, ...
+== DIAG protocol
-== Qualcomm HW
+* Qualcomm diag in many products (see Guillaume Delugres[talk] at 28C3)
+* HDLC frame, CRC16, simple framing (0x7e)
+* Command, Response, Events
+** Enable logging of subsystems
+** Enable events for subsystems
+** Trigger firmware upgrade
+** Read/Write RAM
+* ModemManager uses it for additional information
+* gsmparser of snoopsnitch to export to GSMTAP
-* Patents on CDMA technology
-* Extending their market position in 3G to 4G
-* Product wide diagnostic, log, control interface
+== Selecting a device
-== DIAG protocol
+* 3G Options Icon stick exposes DIAG out of the box
+* Quectel UC20 (2G+3G) enable it by default
+* Quectel EC20 (2G+3G+4G) enable it by default
+* 2G, 3G and 4G sounds quite nice
-* HDLC frame, CRC16, simple framing
-* Command and Response
-** E.g. enable logging for categories
-** Read/Write NVRAM
-* Various implementations (e.g. ModemManager)
== Quectel EC20
-* DIAG port mentioned in the documentation
-* Is available out of the box
-* MDM 9615 based module for 2G, 3G, 4G
+* Using a Qualcomm MDM 9615 chipset
+* Also used in the iPhone5
* Surprisingly runs Linux
* Not surprising to people familiar with MDM9615 (e.g[Mickey Shkatov])
+* Not a lot of documentation available
// Erst ein mal EC20 und sagen wieso es interessant ist
// und dann, dass es Linux hat.. um dann ein Block diagram
// zu haben?
-== Qualcomm Details
+== An unexpected surprise
+== GPL compliance
+* Got a firmware upgrade to fix stability
+* Might contain traces of Linux?
+* No written offer, let's see if it runs Linux
+* gpl-tools to unpack unyaffs
+* strings, etc., AT+QLINUXCMD=?
+* The fun and exploration begins
+== GPL compliance
+* Linux basis created by Qualcomm used by Quectel
+* Many branches, releases, which to use?
+[quote, Tonino Perazzi]
+I tried instruction above to build yaffs2 for MDM9615, so I downloaded source M9615AAAARNLZA1611161.xml but during compilation I faced some libs that are missing such as libQMI and acdb-loader..
+== GPL compliance
+[quote, Us]
+Asking for the complete and corresponding source
+[quote, Quectel]
+Receiving source for the flash tool
+== GPL compliance
+[quote, Us]
+Asking for the complete and corresponding source
+[quote, Quectel]
+We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
+== GPL compliance
+[quote, Us]
+Asking for the complete and corresponding source
+[quote, Quectel]
+We appreciate the efforts that your client had put into the open source
+project netfilter/iptable. However, We have some doubts about the alleged
+copyright. From our perspective, your client does not have the right to
+empower the copyright. We think software netfilter/iptable is built on
+the code operating system GUN/Linux, thus subject to GPL terms, where FSF
+requires that each author of code incorporated in FSF projects either
+provide copyright assignment to FSF or disclaim copyright (“we should keep
+the copyright status of the program as simple as possible. We do this by
+asking each contributor to either assign the copyright on his contribution
+to the FSF, or disclaim copyright on it and thus put it in the public
+domain”). Therefore, It seems that your client does not have the copyright
+on netfilter/iptable.
+As one of the leading providers of wireless solution, Quectel is always
+respectful IPR. We would like to compliant with GPL and do some necessary
+statements,including a disclaimer or appropriate notices. Under the terms
+of GPL, we would like to dedicate Kernel code of EC25x to free software
+== GPL compliance
+[quote, Us]
+Asking for the complete and corresponding source
+[quote, Quectel]
+Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step.
+== GPL compliance
+[quote, Us]
+Asking for the complete and corresponding source
+[quote, Quectel]
+We are always willing to achieve GPL compliance.
+== GPL compliance
+[quote, Us]
+Asking for the complete and corresponding source
+[quote, Quectel]
+To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
+== GPL compliance
+[quote, Us]
+Your tarball is missing some files.
+[quote, Quectel]
+ We have issued all GPL licensed source code.
+ We have no the xt_dscp file in the project, and nor Qulacomm. It must be
+ caused by your compilation environment.
+ If you have more question or problem during the development with Quectel
+ module, please add my Skype ID (XXXXX), I will continue to support you
+ on Skype.
+ The email will not discuss the compiling issue any more.''
+== GPL compliance
+* ... many months later
+* License compliance still not achieved
+* Sierra Wireless Legato is a positive example
+== MDM 9615 HW and SW
-== MDM 9615 HW Intro
+== Qualcomm Hardware
* Qualcomm MDM 9615 chipset
* Used in the iPhone 5 and automotive
* Modems like Quectel EC20, Sierra Wireless MC7355
* No public HW documentation?!
+* Either not many people study it or are not allowed to share?
== MDM 9615 HW Overview
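Review bot: The "Device requirements" slide asks for the diagnostic interface to be "Enabled by default and not to be removed", while the "DIAG protocol" slide in the same hunk lists "Read/Write RAM" and "Trigger firmware upgrade" among its commands; the requirement should be qualified (e.g. "available to the device owner", behind USB composition switching or authentication), otherwise the slides read as asking vendors to ship an unauthenticated RAM-write and firmware-trigger port on every device, which contradicts the "Secure the FOTA upgrading with owner specified keys" recommendation later in the patch. Two smaller points in this hunk: "+== An unexpected surprise" is directly followed by "+== GPL compliance" with no body, which produces an empty slide in the slidy backend, so either give it content or drop the heading; and "Tobias Engels[x-goldmon]" / "Guillaume Delugres[talk]" should read "Tobias Engel's" / "Guillaume Delugre's" (the quoted Quectel mails should stay verbatim, including "GUN/Linux").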
@@ -127,13 +238,18 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"]
== ...
+== Funny commands
+* AT+QLINUXCMD, e.g. switch usb config to get adb
+* AT+QFASTBOOT, switch to the bootloader
+* AT+QPRINT, print dmesg
+* AT for system("echo mem > /sys/power/state")
== Firmware upgrade
-// put the headline in the center
== recovery and applypatch
* Android ~4.0 based[recovery.git]
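Review bot: The "Funny commands" slide does not say whether any of the listed AT commands require authentication or a privileged USB composition; since "+* AT+QLINUXCMD, e.g. switch usb config to get adb" and "+* AT+QFASTBOOT, switch to the bootloader" each expose a further debug interface, one bullet stating what (if anything) gates them would make the later recommendations follow from this slide. The last bullet, "+* AT for system("echo mem > /sys/power/state")", is also a fragment: name the AT command as the other bullets do, and state whether the string passed to system() is fixed or taken from the AT argument, as the two cases differ in what a reviewer should conclude.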
@@ -195,16 +311,32 @@ Start download fota for
-== Hijacking firmware upgrade
+== Firmware example
-* Prepare a .diff with a new binary
-* Operate a fake BTS/nodeB/eNodeB
-* Trigger or wait for firmware update check
-* Redirect request
-* Wait for firmware to be installed
-* Optionally make it look like a network error
+* Show it?
+== Recommedation
+* Continue to allow owners of devices to reflash
+* Secure the FOTA upgrading with owner specified keys
+* Make it more easy to rebuild code
== Questions
* Questions?
+== Announcement
+* 3G femtocells for Osmocom/OpenBSC development
+== Links
+* Collection of links for further study
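Review bot: "+== Recommedation" is misspelled; it should be "== Recommendation" (or "Recommendations/Wishes", matching the agenda slide added at the top of the file). "+* Show it?" under "== Firmware example" is a leftover placeholder and should either be replaced by the actual example or removed before the slides are published. In the recommendations, "owner specified keys" wants a hyphen ("owner-specified") and "Make it more easy to rebuild code" should be "Make it easier to rebuild code".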
diff --git a/2016/33c3/images/legato_flash.png b/2016/33c3/images/legato_flash.png
new file mode 100644
index 0000000..6bea66a
--- /dev/null
+++ b/2016/33c3/images/legato_flash.png
Binary files differ
diff --git a/2016/33c3/images/qualcom_many_releases.png b/2016/33c3/images/qualcom_many_releases.png
new file mode 100644
index 0000000..8384a4b
--- /dev/null
+++ b/2016/33c3/images/qualcom_many_releases.png
Binary files differ
diff --git a/2016/33c3/images/quectel_ipr.pdf b/2016/33c3/images/quectel_ipr.pdf
new file mode 100644
index 0000000..982cb68
--- /dev/null
+++ b/2016/33c3/images/quectel_ipr.pdf
Binary files differ
diff --git a/2016/33c3/images/sl6087_hw.png b/2016/33c3/images/sl6087_hw.png
new file mode 100644
index 0000000..ed204a1
--- /dev/null
+++ b/2016/33c3/images/sl6087_hw.png
Binary files differ
personal git repositories of Harald Welte. Your mileage may vary