-rw-r--r--  2016/33c3/.gitignore                         1
-rw-r--r--  2016/33c3/33c3-modems.adoc                  62
-rw-r--r--  2016/33c3/Makefile                           5
-rw-r--r--  2016/33c3/images/28c3_option_stick.png      bin 0 -> 383889 bytes
-rw-r--r--  2016/33c3/images/diag_frame.blockdiag       16
-rw-r--r--  2016/33c3/images/upgrade_process.blockdiag   8
6 files changed, 61 insertions, 31 deletions
diff --git a/2016/33c3/.gitignore b/2016/33c3/.gitignore
index 0e9f87c..6720ae5 100644
--- a/2016/33c3/.gitignore
+++ b/2016/33c3/.gitignore
@@ -1,3 +1,4 @@
*.sw?
33c3-modems.html
images/upgrade_process.png
+images/diag_frame.png
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
index a4ed5a7..e4d2418 100644
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@@ -22,59 +22,66 @@ Dissecting modern (3G/4G) cellular modems
// 9 years of Osmocom?
// 3G and 4G development
// Hardware for decoding
-* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
+* Implementing GSM specifications for the last decade
+* OpenMoko and then Osmocom
* 7 years since OsmocomBB for GSM
* In the past used and built devices using 2G modems
-* Started to build 3G/4G software, logs/traces help
+* Started to build 3G/4G software and logs/traces help
+* Build tools to help understanding cellular technology
== History
image:images/sl6087_hw.png[height=280,role="gimmick_right"]
* OpenAT by Sierra Wireless
-* 2G and 3G were available
* Write C code using OpenAT APIs
* Dynamically loaded into the RTOS
* Runs without privilege separation, MMU
* Eclipse based IDE and plugins (in clojure)
+* Protocol to multiplex AT, log, debug
+* 2G and 3G modems were available
* Discontinued HW platform => Locked in
-* Various limitations
+* Various other limitations
== Device requirements
* Get textual logging when handling messages
-* Get a copy of the radio network messages and export to GSMTAP
+* Get a copy of the radio network message and export to GSMTAP
* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
* But for GPRS, 3G and 4G
-* Enabled by default and not to be removed
+* Enabled by default and not locked down in the future
-== DIAG protocol
+== Qualcomm DIAG protocol
+
+* Qualcomm DIAG in many products (DVB-H, GSM, ...)
+* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3
+* Simple HDLC frame (0x7e), cmd, data, CRC16
+
+* Thousands of different message structures
+* Events, Logging, Command/Response
+* ModemManager, gsm-parser consume only a small fraction
+
+image:images/diag_frame.png[width="90%"]
-* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3)
-* HDLC frame, CRC16, simple framing (0x7e)
-* Command, Response, Events
-** Enable logging of subsystems
-** Enable events for subsystems
-** Trigger firmware upgrade
-** Read/Write RAM
-* ModemManager uses it for additional information
-* gsmparser of snoopsnitch to export to GSMTAP
== Selecting a device
+image:images/28c3_option_stick.png[width="30%",role="gimmick_right"]
+
* 3G Options Icon stick exposes DIAG out of the box
* Quectel UC20 (2G+3G) enable it by default
* Quectel EC20 (2G+3G+4G) enable it by default
* 2G, 3G and 4G sounds quite nice
+* EC20 comes as mini-PCIe module as well
== Quectel EC20
image:images/ec20.png[height=200,role="gimmick_right"]
-* Using a Qualcomm MDM 9615 chipset
+* Uses a Qualcomm MDM 9615 chipset
* Also used in the iPhone5
-* Surprisingly runs Linux
+* In our case surprisingly runs Linux
* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
* Not a lot of documentation available
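Review bot: the rewrite of the DIAG section drops the three sub-bullets that carried the security weight of the protocol ("Trigger firmware upgrade", "Read/Write RAM", "Enable logging of subsystems"); the new "Events, Logging, Command/Response" bullet keeps only the taxonomy, so a reader no longer learns that a host with DIAG access can read and write modem memory and kick off an upgrade. Suggest folding them back in as sub-bullets, e.g. "** Read/Write RAM, trigger firmware upgrade". Two small fixes in the unchanged context while you are in this hunk: "Tobias Engels" should be the possessive "Tobias Engel's", and "3G Options Icon stick" should be "Option Icon stick" (the vendor is Option, as in the new image filename 28c3_option_stick.png).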
@@ -88,7 +95,7 @@ image:images/ec20.png[height=200,role="gimmick_right"]
== GPL compliance
* Got a firmware upgrade to fix stability
-* Might contain traces of Linux?
+* Looks like it contains traces of Linux?
* No written offer, let's see if it runs Linux
* gpl-tools to unpack unyaffs
* strings, etc., AT+QLINUXCMD=?
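Review bot: "Looks like it contains traces of Linux?" both asserts and asks at once; since the next bullet already poses the question ("let's see if it runs Linux"), make this one a plain observation and drop the question mark.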
@@ -97,7 +104,7 @@ image:images/ec20.png[height=200,role="gimmick_right"]
== GPL compliance
-* Linux basis created by Qualcomm used by Quectel
+* Linux basis created by Qualcomm and used by Quectel
* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
* Many branches, releases, which to use?
@@ -252,9 +259,9 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"]
image:images/redbend.png[height=76,role="gimmick_right"]
* Based on the recovery.git code
-* But for some reason (legacy?) is using RedBend
-* RSA linked into the binary but not called
-* RedBend used by many more companies and systems (e.g. Quectel UC20)
+* But for some reason using RedBend for the update (legacy?)
+* RSA still linked into the binary but not used
+* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive)
== RedBend (delta update) software
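Review bot: "RSA still linked into the binary but not used" is the central finding of this section (an update path with a signature check present but never invoked), and the bullet understates it. Suggest stating it explicitly, e.g. "RSA routines linked in but never called: delta images are applied without signature verification", and saying how "not used" was established (no call sites in the disassembly, or observed at runtime), since that is what a reader will ask first.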
@@ -262,7 +269,8 @@ image:images/redbend.png[height=76,role="gimmick_right"]
* Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
* Lots of starring at hexdumps, lots of help from Dieter Spaar
* Binary file format to diff, inserts, remove, link files
-* Variable size Table Of Contents
+* Can update images/mtd partitions too
+* Variable sized LZMAed Table Of Contents
** Filenames separated with 0x00
** Permissions separated with 0xAF
** Sections for diff, inserts with crc32, filesize, permission
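Review bot: "Can update images/mtd partitions too" raises the obvious follow-up the slide should answer: which partitions, and in particular whether boot/recovery are reachable through the same path, since the previous hunk says the RSA check is never called. Naming them turns the bullet from a format detail into an impact statement. Also, in the unchanged context line, "starring at hexdumps" should be "staring at hexdumps".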
@@ -296,10 +304,8 @@ Start download fota for update.zip
image:images/upgrade_process.png[]
-
-== Firmware example
-
-* Show it?
+* Applies what ever was downloaded...
+* Assumes no MITM is possible
== Recommedation
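Review bot: "Assumes no MITM is possible" only tells half the story given the earlier hunk: with the RSA code never called, the downloaded file is applied unverified whether or not the transport is protected, so the bullet should say that an attacker who can serve the URL wget fetches (or alter the payload in transit) gets an arbitrary update applied. Typos: "what ever" should be "whatever", and the heading in the context line "== Recommedation" should read "== Recommendation".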
diff --git a/2016/33c3/Makefile b/2016/33c3/Makefile
index 507bf69..51c8a92 100644
--- a/2016/33c3/Makefile
+++ b/2016/33c3/Makefile
@@ -4,5 +4,8 @@ all: 33c3-modems.html
images/upgrade_process.png: images/upgrade_process.blockdiag
blockdiag -a -o images/upgrade_process.png images/upgrade_process.blockdiag
-33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png
+images/diag_frame.png: images/diag_frame.blockdiag
+ blockdiag -a -o images/diag_frame.png images/diag_frame.blockdiag
+
+33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png images/diag_frame.png
asciidoc -a stylesheet=$(PWD)/33c3-modems.css 33c3-modems.adoc
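Review bot: the new images/diag_frame.png rule duplicates the upgrade_process.png rule line for line; a single pattern rule "images/%.png: images/%.blockdiag" with "blockdiag -a -o $@ $<" covers both and any further diagrams without another copy-paste, and the html target can then list the pngs as before.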
diff --git a/2016/33c3/images/28c3_option_stick.png b/2016/33c3/images/28c3_option_stick.png
new file mode 100644
index 0000000..00f0ce6
--- /dev/null
+++ b/2016/33c3/images/28c3_option_stick.png
Binary files differ
diff --git a/2016/33c3/images/diag_frame.blockdiag b/2016/33c3/images/diag_frame.blockdiag
new file mode 100644
index 0000000..171d650
--- /dev/null
+++ b/2016/33c3/images/diag_frame.blockdiag
@@ -0,0 +1,16 @@
+blockdiag {
+ node_height = 100;
+ span_width = 2;
+ default_fontsize = 16;
+
+ START [label="0x7E"];
+ CMD [label="CMD"];
+ DAT [label="Payload", width=300];
+ CRC [label="CRC16"];
+ END [label="0x7E"];
+
+ START -> CMD [style = none];
+ CMD -> DAT [style = none];
+ DAT -> CRC [style = none];
+ CRC -> END [style = none];
+}
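Review bot: the diagram shows 0x7E at both ends, whereas the text on the same slide only says "Simple HDLC frame (0x7e)"; confirm a leading delimiter is actually part of the framing rather than the previous frame's terminator, so the figure and text agree. Since the framing is HDLC-style, a 0x7E byte inside CMD, Payload or CRC16 has to be escaped, and the figure gives no hint of that; a short note in the slide text would stop readers from parsing the stream by simply splitting on 0x7E.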
diff --git a/2016/33c3/images/upgrade_process.blockdiag b/2016/33c3/images/upgrade_process.blockdiag
index fdd769d..4e94ef3 100644
--- a/2016/33c3/images/upgrade_process.blockdiag
+++ b/2016/33c3/images/upgrade_process.blockdiag
@@ -1,12 +1,16 @@
blockdiag {
node_width = 200;
+ default_group_color = none;
AT [label="atfwd_daemon"];
QC [label="QCMAP_ConnectionManager"];
WG [label="wget"];
RI [label="recovery image"];
- AT -> QC;
- AT -> WG -> RI;
+ AT -> QC [label="start"];
+ AT -> WG [label="start"];
+ AT -> RI [label="reboot"];
+
+ group { WG; RI };
}
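Review bot: removing the "WG -> RI" edge loses the data-flow step the slide text relies on ("Applies what ever was downloaded"): the figure now shows atfwd_daemon starting wget and rebooting into recovery, but nothing carrying the fetched file to the recovery image. Suggest keeping an edge from WG to RI labelled with the downloaded artifact (the hunk header above mentions update.zip), so the unchecked handoff is visible in the diagram rather than only in the prose.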
personal git repositories of Harald Welte. Your mileage may vary