Dissecting modern (3G/4G) cellular modems
=========================================
:author:	Harald Welte <laforge@gpl-violations.org>
#:copyright:	sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)
:backend:	slidy
:max-width:	45em

//include::33c3-modems.css[]

== Motivation

// 9 years of Osmocom?
// 3G and 4G development
// Hardware for decoding 
* 9 years of Osmocom, 7 years since OsmocomBB
* Started to look at implementing 3G/4G
* Modems are a tool for research and development
** Logs to analyze a specific problem
** Traces to learn how something works
* Modems power cellular IoT devices
** 1.1 billion new cellular devices by 2021
** eCall for vehicles
** Integrated and worldwide certifications

== This talk

* A bit of History
* Device overview
* Qualcomm Kernel, Drivers and Userspace
* Firmware upgrade

== History

* Wavecom, Sierra Wireless OpenAT systems
* OpenAT allowed building C code
* Dynamically loaded into the modem OS
* Runs without privilege separation, MMU
* Odd limitations, blocking leads to watchdog reset

[role="change_topic"]
== Device/Market overview

== Chipset vendors

* Intel
* Mediatek
* Qualcomm
* ???

== Stack vendors

* Fewer than there used to be?
* Risk of monoculture

== Modem vendors

* Mostly Qualcomm based chipsets
* Cinterion, Huawei, U-Blox, Quectel, Sierra Wireless, Telit, ...

== Qualcomm HW

* Patents on CDMA technology
* Extending their market position in 3G to 4G
* Product wide diagnostic, log, control interface

== DIAG protocol

* HDLC frame, CRC16, simple framing
* Command and Response
** E.g. enable logging for categories
** Read/Write NVRAM
* Various implementations (e.g. ModemManager)
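Added example (not code from the talk or from any DIAG implementation it mentions): a minimal encoder and verifying decoder for the HDLC-style framing described above. It assumes the transport layout payload || CRC16 (little-endian), byte-stuffing of 0x7D/0x7E with 0x7D and an XOR of 0x20, a 0x7E terminator, and the HDLC FCS-16 (CRC-16/X-25) as the CRC.

```python
import struct

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20   # terminator, escape byte, escape XOR mask (assumed layout)


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (HDLC FCS-16): reflected poly 0x8408, init and xorout 0xFFFF.
    Check value: crc16_x25(b"123456789") == 0x906E."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_frame(payload: bytes) -> bytes:
    """payload || CRC16 (little-endian), byte-stuffed, then the 0x7E terminator."""
    out = bytearray()
    for b in payload + struct.pack("<H", crc16_x25(payload)):
        if b in (FLAG, ESC):          # 0x7E -> 7D 5E, 0x7D -> 7D 5D
            out += bytes([ESC, b ^ ESC_XOR])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def decode_frame(frame: bytes) -> bytes:
    """Reverse of encode_frame; raises ValueError on bad framing or a CRC mismatch."""
    if not frame or frame[-1] != FLAG:
        raise ValueError("missing 0x7E terminator")
    body, it = bytearray(), iter(frame[:-1])
    for b in it:
        if b == FLAG:
            raise ValueError("unescaped 0x7E inside frame")
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("truncated escape sequence")
            b = nxt ^ ESC_XOR
        body.append(b)
    if len(body) < 2:
        raise ValueError("frame too short to carry a CRC")
    payload, crc = bytes(body[:-2]), struct.unpack("<H", body[-2:])[0]
    if crc16_x25(payload) != crc:
        raise ValueError("CRC mismatch")
    return payload
```

Feeding a captured DIAG stream through `decode_frame` one 0x7E-terminated chunk at a time is the first step of any log or trace parser; the CRC check is what separates a genuine frame from line noise or a truncated capture.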

== Quectel EC20

image:images/ec20.png[height=200,role="gimmick_right"]

* DIAG port mentioned in the documentation
* Is available out of the box
* MDM 9615 based module for 2G, 3G, 4G
* Surprisingly runs Linux
* Not surprising to people familiar with MDM9615 (e.g. https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])

// First the EC20 and say why it is interesting,
// and then that it runs Linux.. so that we can then
// have a block diagram?

[role="change_topic"]
== Qualcomm Details

== MDM 9615 HW Intro

* Qualcomm MDM 9615 chipset
* Used in the iPhone 5 and automotive
* Modems like Quectel EC20, Sierra Wireless MC7355
* No public HW documentation?!

== MDM 9615 HW Overview

* ????
// Block diagram?
// Listing of interfaces.
// Show it is a highly complex SoC... with even more things
// that are unknown.. device tree file, periperhal, etc

== MDM SW Overview

image:images/gandroid_logo.png[height=200,role="gimmick_right"]

* GNU libc, busybox userland
* Android Debug Bridge (adb)
* Android Linux kernel
* Android Bootloader
* Using OpenEmbedded to build images
* Developed and maintained by Qualcomm




== Linux kernel overview

* Qualcomm Android Linux kernel
* Huge changes compared to mainline
* CPU and peripheral support
* <List frameworks here>

== ...



[role="change_topic"]
== Firmware upgrade

// put the headline in the center

== recovery and applypatch

* Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git]
* Updates are zip files with deltas, SHA1+RSA
* recovery started on boot, drives applypatch
----
// Look for an RSA signature embedded in the .ZIP file comment given
// the path to the zip.  Verify it matches one of the given public
// keys.
----

== Qualcomm EC20 firmware upgrade

image:images/redbend.png[height=76,role="gimmick_right"]

* Based on the recovery.git code
* But for some reason (legacy?) is using RedBend
* RSA linked into the binary but not called
* RedBend used by many more companies and systems (e.g. Quectel UC20)


== RedBend (delta update) software

* Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
* Lots of staring at hexdumps, lots of help from Dieter Spaar
* Binary file format to diff, insert, remove and link files
* Variable size Table Of Contents
** Filenames separated with 0x00
** Permissions separated with 0xAF
** Sections for diff, inserts with crc32, filesize, permission
* Heavy in pointers/offsets, not robust
* Not cryptographically signed!
* Created tools to partially extract and create .diff file

image:images/delta_header.png[width=600]


== Firmware upgrade overview

//[source]
----
$ strings atfwd_daemon | egrep  "wget|QCMAP|fota|update.z"

... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet
/usr/bin/wget -T 20 -t 3 %s -O %s
mv %s %s && mkdir -p /cache/fota && echo %s > %s
/cache/fota/ipth_config_dfs.txt
rm -rf /cache/fota /cache/recovery /cache/update.zip
Start download fota for update.zip
----

* atfwd_daemon can be asked to start upgrade
* Configure APN, specify URL, store result to update.zip
* Add status and reboot to recovery
* Apply update.zip and reboot

== Firmware upgrade process

image:images/upgrade_process.png[]


== Hijacking firmware upgrade

* Prepare a .diff with a new binary
* Operate a fake BTS/nodeB/eNodeB
* Trigger or wait for firmware update check
* Redirect request
* Wait for firmware to be installed
* Optionally make it look like a network error


== Questions

* Questions?