path: root/2016/33c3/33c3-modems.adoc
Diffstat (limited to '2016/33c3/33c3-modems.adoc')
-rw-r--r--  2016/33c3/33c3-modems.adoc  62
1 files changed, 34 insertions, 28 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
index a4ed5a7..e4d2418 100644
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@@ -22,59 +22,66 @@ Dissecting modern (3G/4G) cellular modems
// 9 years of Osmocom?
// 3G and 4G development
// Hardware for decoding
-* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
+* Implementing GSM specifications for the last decade
+* OpenMoko and then Osmocom
* 7 years since OsmocomBB for GSM
* In the past used and built devices using 2G modems
-* Started to build 3G/4G software, logs/traces help
+* Started to build 3G/4G software and logs/traces help
+* Build tools to help understanding cellular technology
== History
image:images/sl6087_hw.png[height=280,role="gimmick_right"]
* OpenAT by Sierra Wireless
-* 2G and 3G were available
* Write C code using OpenAT APIs
* Dynamically loaded into the RTOS
* Runs without privilege separation, MMU
* Eclipse based IDE and plugins (in clojure)
+* Protocol to multiplex AT, log, debug
+* 2G and 3G modems were available
* Discontinued HW platform => Locked in
-* Various limitations
+* Various other limitations
== Device requirements
* Get textual logging when handling messages
-* Get a copy of the radio network messages and export to GSMTAP
+* Get a copy of the radio network message and export to GSMTAP
* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
* But for GPRS, 3G and 4G
-* Enabled by default and not to be removed
+* Enabled by default and not locked down in the future
-== DIAG protocol
+== Qualcomm DIAG protocol
+
+* Qualcomm DIAG in many products (DVB-H, GSM, ...)
+* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3
+* Simple HDLC frame (0x7e), cmd, data, CRC16
+
+* Thousands of different message structures
+* Events, Logging, Command/Response
+* ModemManager, gsm-parser consume only a small fraction
+
+image:images/diag_frame.png[width="90%"]
-* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3)
-* HDLC frame, CRC16, simple framing (0x7e)
-* Command, Response, Events
-** Enable logging of subsystems
-** Enable events for subsystems
-** Trigger firmware upgrade
-** Read/Write RAM
-* ModemManager uses it for additional information
-* gsmparser of snoopsnitch to export to GSMTAP
== Selecting a device
+image:images/28c3_option_stick.png[width="30%",role="gimmick_right"]
+
* 3G Options Icon stick exposes DIAG out of the box
* Quectel UC20 (2G+3G) enable it by default
* Quectel EC20 (2G+3G+4G) enable it by default
* 2G, 3G and 4G sounds quite nice
+* EC20 comes as mini-PCIe module as well
== Quectel EC20
image:images/ec20.png[height=200,role="gimmick_right"]
-* Using a Qualcomm MDM 9615 chipset
+* Uses a Qualcomm MDM 9615 chipset
* Also used in the iPhone5
-* Surprisingly runs Linux
+* In our case surprisingly runs Linux
* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
* Not a lot of documentation available
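Review bot: `+* Get a copy of the radio network message and export to GSMTAP` changes the original plural to a singular that no longer matches the rest of the slide (the other bullets talk about messages and logs in the plural); keep `messages`. In the same hunk, `+* Build tools to help understanding cellular technology` should read `to help understand`, and `3G Options Icon stick` looks like a typo for the vendor name `Option` (the added image is `28c3_option_stick.png`). The rewritten DIAG slide also drops the removed sub-bullets `** Trigger firmware upgrade` and `** Read/Write RAM`; those two lines were the shortest statement of why an always-on DIAG port matters from a security point of view, so consider keeping a one-line capability summary next to `Events, Logging, Command/Response`.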
@@ -88,7 +95,7 @@ image:images/ec20.png[height=200,role="gimmick_right"]
== GPL compliance
* Got a firmware upgrade to fix stability
-* Might contain traces of Linux?
+* Looks like it contains traces of Linux?
* No written offer, let's see if it runs Linux
* gpl-tools to unpack unyaffs
* strings, etc., AT+QLINUXCMD=?
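Review bot: `+* Looks like it contains traces of Linux?` turns the original open question into an assertion but keeps the question mark, so the bullet now reads as neither; either keep `Might contain traces of Linux?` or drop the question mark, since the next bullet (`let's see if it runs Linux`) already carries the suspense.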
@@ -97,7 +104,7 @@ image:images/ec20.png[height=200,role="gimmick_right"]
== GPL compliance
-* Linux basis created by Qualcomm used by Quectel
+* Linux basis created by Qualcomm and used by Quectel
* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
* Many branches, releases, which to use?
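Review bot: `+* Linux basis created by Qualcomm and used by Quectel` fixes the missing conjunction, but `Linux basis` should be `Linux base` (or `BSP`). The following bullet is a bare `https://wiki.codeaurora.org/xwiki/bin/QLBEP/` URL; AsciiDoc renders it as a link, but giving it link text in the same `url[text]` form used elsewhere in this file keeps the slide readable on a projector.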
@@ -252,9 +259,9 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"]
image:images/redbend.png[height=76,role="gimmick_right"]
* Based on the recovery.git code
-* But for some reason (legacy?) is using RedBend
-* RSA linked into the binary but not called
-* RedBend used by many more companies and systems (e.g. Quectel UC20)
+* But for some reason using RedBend for the update (legacy?)
+* RSA still linked into the binary but not used
+* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive)
== RedBend (delta update) software
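Review bot: `+* RSA still linked into the binary but not used` states the observation without saying what it implies; spell out that the update image is therefore not signature-verified, because that is exactly what the later `+* Applies what ever was downloaded...` slide relies on and the audience should not have to connect the two themselves. `+* But for some reason using RedBend for the update (legacy?)` is fine; `RedBend` could carry a short qualifier (`RedBend delta updater`) on first use since the next slide title already introduces it that way.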
@@ -262,7 +269,8 @@ image:images/redbend.png[height=76,role="gimmick_right"]
* Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
* Lots of starring at hexdumps, lots of help from Dieter Spaar
* Binary file format to diff, inserts, remove, link files
-* Variable size Table Of Contents
+* Can update images/mtd partitions too
+* Variable sized LZMAed Table Of Contents
** Filenames separated with 0x00
** Permissions separated with 0xAF
** Sections for diff, inserts with crc32, filesize, permission
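Review bot: `+* Variable sized LZMAed Table Of Contents` reads awkwardly; `Variable-size, LZMA-compressed Table Of Contents` says the same thing cleanly, and `+* Can update images/mtd partitions too` should capitalise `MTD`. While in this slide, the context line `Lots of starring at hexdumps` has a typo (`staring`). The sub-bullet `** Sections for diff, inserts with crc32, filesize, permission` is the only integrity mechanism listed, which is worth making explicit here given that the RSA code on the previous slide is not called.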
@@ -296,10 +304,8 @@ Start download fota for update.zip
image:images/upgrade_process.png[]
-
-== Firmware example
-
-* Show it?
+* Applies what ever was downloaded...
+* Assumes no MITM is possible
== Recommedation
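Review bot: `+* Applies what ever was downloaded...` should be `whatever`, and `+* Assumes no MITM is possible` would be stronger if it named what is missing rather than what is assumed: per the earlier slides the package carries only crc32 values and the linked RSA code is never called, so `No signature check, only crc32` states the finding directly. Dropping the placeholder `== Firmware example` / `* Show it?` slide is fine. The following context line `== Recommedation` is misspelled (`Recommendation`); since this commit already touches the neighbouring lines it is a cheap fix to fold in.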
personal git repositories of Harald Welte. Your mileage may vary