summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2016-12-27 00:02:57 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2016-12-27 00:03:25 +0100
commit58ebf63972072216e7e98b4adfa153928c312937 (patch)
treec8044d947c7b9e8cff358bafb8bfeb98fcb67eb9
parent7fee51876b3310c48f44450e362b0c8be7ffaea3 (diff)
More wip for the structure and content of the talk
-rw-r--r--2016/33c3/33c3-modems.adoc256
-rw-r--r--2016/33c3/images/legato_flash.pngbin0 -> 48841 bytes
-rw-r--r--2016/33c3/images/qualcom_many_releases.pngbin0 -> 46664 bytes
-rw-r--r--2016/33c3/images/quectel_ipr.pdfbin0 -> 178034 bytes
-rw-r--r--2016/33c3/images/sl6087_hw.pngbin0 -> 1594528 bytes
5 files changed, 194 insertions, 62 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
index e39d592..d7aec22 100644
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@@ -1,100 +1,211 @@
Dissecting modern (3G/4G) cellular modems
=========================================
-:author: Harald Welte <laforge@gpl-violations.org>
+:author: Harald Welte <laforge@gpl-violations.org>, Holger Hans Peter Freyther
#:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)
:backend: slidy
:max-width: 45em
//include::33c3-modems.css[]
-== Motivation
-
-// 9 years of Osmocom?
-// 3G and 4G development
-// Hardware for decoding
-* 9 years of Osmocom, 7 years since OsmocomBB
-* Started to look at implementing 3G/4G
-* Modems are a tool for research and development
-** Logs to analyze a specific problem
-** Traces to learn how something works
-* Modems power cellular IoT devices
-** 1.1 billion new cellular devices by 2021
-** eCall for vehicles
-** Integrated and worldwide certifications
-
== This talk
+* Our motivation and approach
* A bit of History
-* Device overview
-* Qualcomm Kernel, Drivers and Userspace
+* Selecting a device
+* An unexpected surprise
* Firmware upgrade
+* Recommendations/Wishes
-== History
-
-* Wavecom, Sierra Wireless OpenAT systems
-* OpenAT allowed to build C code
-* Dynamically loaded into the modem OS
-* Runs without privilege separation, MMU
-* Odd limitations, blocking leads to watchdog reset
+== Motivation
-[role="change_topic"]
-== Device/Market overview
+// 9 years of Osmocom?
+// 3G and 4G development
+// Hardware for decoding
+* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
+* 7 years since OsmocomBB for GSM
+* In the past used and built devices using 2G modems
+* Started to build 3G/4G software, logs/traces help
-== Chipset vendors
+== History
-* Intel
-* Mediatek
-* Qualcomm
-* ???
+image:images/sl6087_hw.png[height=280,role="gimmick_right"]
-== Stack vendors
+* OpenAT by Sierra Wireless
+* 2G and 3G were available
+* Write C code using OpenAT APIs
+* Dynamically loaded into the RTOS
+* Runs without privilege separation, MMU
+* Eclipse based IDE and plugins (in clojure)
+* Discontinued HW platform => Locked in
+* Various limitations
-* Fewer than used to be?
-* Risk of monoculture
+== Device requirements
-== Modem vendors
+* Get textual logging when handling messages
+* Get a copy of the radio network messages and export to GSMTAP
+* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
+* But for GPRS, 3G and 4G
+* Enabled by default and not to be removed
-* Mostly Qualcomm based chipsets
-* Cinterion, Huawei, U-Blox, Quectel, Sierra Wireless, Telit, ...
+== DIAG protocol
-== Qualcomm HW
+* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3)
+* HDLC frame, CRC16, simple framing (0x7e)
+* Command, Response, Events
+** Enable logging of subsystems
+** Enable events for subsystems
+** Trigger firmware upgrade
+** Read/Write RAM
+* ModemManager uses it for additional information
+* gsmparser of snoopsnitch to export to GSMTAP
-* Patents on CDMA technology
-* Extending their market position in 3G to 4G
-* Product wide diagnostic, log, control interface
+== Selecting a device
-== DIAG protocol
+* 3G Options Icon stick exposes DIAG out of the box
+* Quectel UC20 (2G+3G) enable it by default
+* Quectel EC20 (2G+3G+4G) enable it by default
+* 2G, 3G and 4G sounds quite nice
-* HDLC frame, CRC16, simple framing
-* Command and Response
-** E.g. enable logging for categories
-** Read/Write NVRAM
-* Various implementations (e.g. ModemManager)
== Quectel EC20
image:images/ec20.png[height=200,role="gimmick_right"]
-* DIAG port mentioned in the documentation
-* Is available out of the box
-* MDM 9615 based module for 2G, 3G, 4G
+* Using a Qualcomm MDM 9615 chipset
+* Also used in the iPhone5
* Surprisingly runs Linux
* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
+* Not a lot of documentation available
// Erst ein mal EC20 und sagen wieso es interessant ist
// und dann, dass es Linux hat.. um dann ein Block diagram
// zu haben?
[role="change_topic"]
-== Qualcomm Details
+== An unexpected surprise
+
+== GPL compliance
+
+* Got a firmware upgrade to fix stability
+* Might contain traces of Linux?
+* No written offer, let's see if it runs Linux
+* gpl-tools to unpack unyaffs
+* strings, etc., AT+QLINUXCMD=?
+* The fun and exploration begins
+
+
+== GPL compliance
+
+* Linux basis created by Qualcomm used by Quectel
+* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
+* Many branches, releases, which to use?
+
+[quote, Tonino Perazzi]
+I tried instruction above to build yaffs2 for MDM9615, so I downloaded source M9615AAAARNLZA1611161.xml but during compilation I faced some libs that are missing such as libQMI and acdb-loader..
+
+image:images/qualcom_many_releases.png[width="80%"]
+
+== GPL compliance
+
+[quote, Us]
+Asking for the complete and corresponding source
+
+[quote, Quectel]
+Receiving source for the flash tool
+
+== GPL compliance
+
+[quote, Us]
+Asking for the complete and corresponding source
+
+[quote, Quectel]
+We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
+
+
+== GPL compliance
+
+[quote, Us]
+Asking for the complete and corresponding source
+
+[quote, Quectel]
+We appreciate the efforts that your client had put into the open source
+project netfilter/iptable. However, We have some doubts about the alleged
+copyright. From our perspective, your client does not have the right to
+empower the copyright. We think software netfilter/iptable is built on
+the code operating system GUN/Linux, thus subject to GPL terms, where FSF
+requires that each author of code incorporated in FSF projects either
+provide copyright assignment to FSF or disclaim copyright (“we should keep
+the copyright status of the program as simple as possible. We do this by
+asking each contributor to either assign the copyright on his contribution
+to the FSF, or disclaim copyright on it and thus put it in the public
+domain”). Therefore, It seems that your client does not have the copyright
+on netfilter/iptable.
+As one of the leading providers of wireless solution, Quectel is always
+respectful IPR. We would like to compliant with GPL and do some necessary
+statements,including a disclaimer or appropriate notices. Under the terms
+of GPL, we would like to dedicate Kernel code of EC25x to free software
+community.
+
+== GPL compliance
+
+[quote, Us]
+Asking for the complete and corresponding source
+
+[quote, Quectel]
+Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step.
+
+== GPL compliance
+
+[quote, Us]
+Asking for the complete and corresponding source
+
+[quote, Quectel]
+We are always willing to achieve GPL compliance.
+
+== GPL compliance
+
+[quote, Us]
+Asking for the complete and corresponding source
+
+[quote, Quectel]
+To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
+
+== GPL compliance
+
+[quote, Us]
+Your tarball is missing some files.
+
+[quote, Quectel]
+ We have issued all GPL licensed source code.
+ We have no the xt_dscp file in the project, and nor Qulacomm. It must be
+ caused by your compilation environment.
+ If you have more question or problem during the development with Quectel
+ module, please add my Skype ID (XXXXX), I will continue to support you
+ on Skype.
+ The email will not discuss the compiling issue any more.''
+
+
+
+== GPL compliance
+
+* ... many months later
+* License compliance still not achieved
+* Sierra Wireless Legato is a positive example
+
+image:images/legato_flash.png[width="80%"]
+
+[role="change_topic"]
+== MDM 9615 HW and SW
-== MDM 9615 HW Intro
+
+== Qualcomm Hardware
* Qualcomm MDM 9615 chipset
* Used in the iPhone 5 and automotive
* Modems like Quectel EC20, Sierra Wireless MC7355
* No public HW documentation?!
+* Either not many people study it or are not allowed to share?
== MDM 9615 HW Overview
@@ -127,13 +238,18 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"]
== ...
+== Funny commands
+
+* AT+QLINUXCMD, e.g. switch usb config to get adb
+* AT+QFASTBOOT, switch to the bootloader
+* AT+QPRINT, print dmesg
+* AT for system("echo mem > /sys/power/state")
+
[role="change_topic"]
== Firmware upgrade
-// put the headline in the center
-
== recovery and applypatch
* Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git]
@@ -195,16 +311,32 @@ Start download fota for update.zip
image:images/upgrade_process.png[]
-== Hijacking firmware upgrade
+== Firmware example
-* Prepare a .diff with a new binary
-* Operate a fake BTS/nodeB/eNodeB
-* Trigger or wait for firmware update check
-* Redirect request
-* Wait for firmware to be installed
-* Optionally make it look like a network error
+* Show it?
+
+
+== Recommedation
+
+* Continue to allow owners of devices to reflash
+* Secure the FOTA upgrading with owner specified keys
+* Make it more easy to rebuild code
== Questions
* Questions?
+
+
+== Announcement
+
+* 3G femtocells for Osmocom/OpenBSC development
+
+== Links
+
+* Collection of links for further study
+* https://osmocom.org/projects/quectel-modems
+* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
+* https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf
+* https://github.com/2b-as/xgoldmon
+* https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf
diff --git a/2016/33c3/images/legato_flash.png b/2016/33c3/images/legato_flash.png
new file mode 100644
index 0000000..6bea66a
--- /dev/null
+++ b/2016/33c3/images/legato_flash.png
Binary files differ
diff --git a/2016/33c3/images/qualcom_many_releases.png b/2016/33c3/images/qualcom_many_releases.png
new file mode 100644
index 0000000..8384a4b
--- /dev/null
+++ b/2016/33c3/images/qualcom_many_releases.png
Binary files differ
diff --git a/2016/33c3/images/quectel_ipr.pdf b/2016/33c3/images/quectel_ipr.pdf
new file mode 100644
index 0000000..982cb68
--- /dev/null
+++ b/2016/33c3/images/quectel_ipr.pdf
Binary files differ
diff --git a/2016/33c3/images/sl6087_hw.png b/2016/33c3/images/sl6087_hw.png
new file mode 100644
index 0000000..ed204a1
--- /dev/null
+++ b/2016/33c3/images/sl6087_hw.png
Binary files differ
personal git repositories of Harald Welte. Your mileage may vary