summaryrefslogtreecommitdiff
path: root/2016/33c3/33c3-modems.adoc
blob: a4ed5a719ecf4951da2f8c1173d735d48b03a274 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328

Dissecting modern (3G/4G) cellular modems
=========================================
:author:	Harald Welte <laforge@gpl-violations.org>, Holger Hans Peter Freyther
#:copyright:	sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)
:backend:	slidy
:max-width:	45em

//include::33c3-modems.css[]

== This talk

* Our motivation and approach
* A bit of History
* Selecting a device
* An unexpected surprise
* Firmware upgrade
* Recommendations/Wishes

== Motivation

// 9 years of Osmocom?
// 3G and 4G development
// Hardware for decoding
* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
* 7 years since OsmocomBB for GSM
* In the past used and built devices using 2G modems
* Started to build 3G/4G software, logs/traces help

== History

image:images/sl6087_hw.png[height=280,role="gimmick_right"]

* OpenAT by Sierra Wireless
* 2G and 3G were available
* Write C code using OpenAT APIs
* Dynamically loaded into the RTOS
* Runs without privilege separation, MMU
* Eclipse based IDE and plugins (in clojure)
* Discontinued HW platform => Locked in
* Various limitations

== Device requirements

* Get textual logging when handling messages
* Get a copy of the radio network messages and export to GSMTAP
* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
* But for GPRS, 3G and 4G
* Enabled by default and not to be removed

== DIAG protocol

* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3)
* HDLC frame, CRC16, simple framing (0x7e)
* Command, Response, Events
** Enable logging of subsystems
** Enable events for subsystems
** Trigger firmware upgrade
** Read/Write RAM
* ModemManager uses it for additional information
* gsmparser of snoopsnitch to export to GSMTAP

== Selecting a device

* 3G Options Icon stick exposes DIAG out of the box
* Quectel UC20 (2G+3G) enable it by default
* Quectel EC20 (2G+3G+4G) enable it by default
* 2G, 3G and 4G sounds quite nice


== Quectel EC20

image:images/ec20.png[height=200,role="gimmick_right"]

* Using a Qualcomm MDM 9615 chipset
* Also used in the iPhone5
* Surprisingly runs Linux
* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
* Not a lot of documentation available

// Erst ein mal EC20 und sagen wieso es interessant ist
// und dann, dass es Linux hat.. um dann ein Block diagram
// zu haben?

[role="change_topic"]
== An unexpected surprise

== GPL compliance

* Got a firmware upgrade to fix stability
* Might contain traces of Linux?
* No written offer, let's see if it runs Linux
* gpl-tools to unpack unyaffs
* strings, etc., AT+QLINUXCMD=?
* The fun and exploration begins


== GPL compliance

* Linux basis created by Qualcomm used by Quectel
* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
* Many branches, releases, which to use?

[quote, Tonino Perazzi]
I tried instruction above to build yaffs2 for MDM9615, so I downloaded source M9615AAAARNLZA1611161.xml but during compilation I faced some libs that are missing such as libQMI and acdb-loader..

image:images/qualcom_many_releases.png[width="80%"]

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
	Receiving source for the flash tool

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
	We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.


== GPL compliance

[qanda]
Asking for the complete and corresponding source::
	We appreciate the efforts that your client had put into the open source
project netfilter/iptable. However, We have some doubts about the alleged
copyright. From our perspective, your client does not have the right to
empower the copyright. We think software netfilter/iptable is built on
the code operating system GUN/Linux, thus subject to GPL terms, where FSF
requires that each author of code incorporated in FSF projects either
provide copyright assignment to FSF or disclaim copyright (“we should keep
the copyright status of the program as simple as possible. We do this by
asking each contributor to either assign the copyright on his contribution
to the FSF, or disclaim copyright on it and thus put it in the public
domain”). Therefore, It seems that your client does not have the copyright
on netfilter/iptable.
As one of the leading providers of wireless solution, Quectel is always
respectful IPR. We would like to compliant with GPL and do some necessary
statements,including a disclaimer or appropriate notices. Under the terms
of GPL, we would like to dedicate Kernel code of EC25x to free software
community.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
	Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
	We are always willing to achieve GPL compliance.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
	To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.

== GPL compliance

[qanda]
Your tarball is missing some files::
 	We have issued all GPL licensed source code.
 We have no the xt_dscp file in the project, and nor Qulacomm. It must be
 caused by your compilation environment.
 If you have more question or problem during the development with Quectel
 module, please add my Skype ID (XXXXX), I will continue to support you
 on Skype.
 The email will not discuss the compiling issue any more.''



== GPL compliance

* ... many months later
* License compliance still not achieved
* Sierra Wireless Legato is a positive example

image:images/legato_flash.png[width="80%"]

[role="change_topic"]
== MDM 9615 HW and SW


== Qualcomm Hardware

* Qualcomm MDM 9615 chipset
* Used in the iPhone 5 and automotive
* Modems like Quectel EC20, Sierra Wireless MC7355
* No public HW documentation?!
* Either not many people study it or are not allowed to share?

== MDM 9615 HW Overview

* ????
// Block diagram?
// Listing of interfaces.
// Show it is a highly complex SoC... with even more things
// that are unknown.. device tree file, periperhal, etc

== MDM SW Overview

image:images/gandroid_logo.png[height=200,role="gimmick_right"]

* GNU libc, busybox userland
* Android Debug Bridge (adb)
* Android Linux kernel
* Android Bootloader
* Using OpenEmbedded to build images
* Developed and maintained by Qualcomm




== Linux kernel overview

* Qualcomm Android Linux kernel
* Huge changes compared to mainline
* CPU and peripheral support
* <List frameworks here>

== ...

== Funny commands

* AT+QLINUXCMD, e.g. switch usb config to get adb
* AT+QFASTBOOT, switch to the bootloader
* AT+QPRINT, print dmesg
* AT for system("echo mem > /sys/power/state")



[role="change_topic"]
== Firmware upgrade

== recovery and applypatch

* Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git]
* Updates are zip files with deltas, SHA1+RSA
* recovery started on boot, drives applypatch
----
// Look for an RSA signature embedded in the .ZIP file comment given
// the path to the zip.  Verify it matches one of the given public
// keys.
----

== Qualcomm EC20 firmware upgrade

image:images/redbend.png[height=76,role="gimmick_right"]

* Based on the recovery.git code
* But for some reason (legacy?) is using RedBend
* RSA linked into the binary but not called
* RedBend used by many more companies and systems (e.g. Quectel UC20)


== RedBend (delta update) software

* Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
* Lots of starring at hexdumps, lots of help from Dieter Spaar
* Binary file format to diff, inserts, remove, link files
* Variable size Table Of Contents
** Filenames separated with 0x00
** Permissions separated with 0xAF
** Sections for diff, inserts with crc32, filesize, permission
* Heavy in pointers/offsets, not robust
* Not cryptographically signed!
* Created tools to partially extract and create .diff file

image:images/delta_header.png[width=600]


== Firmware upgrade overview

//[source]
----
$ strings atfwd_daemon | egrep  "wget|QCMAP|fota|update.z"

... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet
/usr/bin/wget -T 20 -t 3 %s -O %s
mv %s %s && mkdir -p /cache/fota && echo %s > %s
/cache/fota/ipth_config_dfs.txt
rm -rf /cache/fota /cache/recovery /cache/update.zip
Start download fota for update.zip
----

* atfwd_daemon can be asked to start upgrade
* Configure APN, specify URL, store result to update.zip
* Add status and reboot to recovery
* Apply update.zip and reboot

== Firmware upgrade process

image:images/upgrade_process.png[]


== Firmware example

* Show it?


== Recommedation

* Continue to allow owners of devices to reflash
* Secure the FOTA upgrading with owner specified keys
* Make it more easy to rebuild code


== Questions

* Questions?


== Announcement

* 3G femtocells for Osmocom/OpenBSC development

== Links

* Collection of links for further study
* https://osmocom.org/projects/quectel-modems
* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
* https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf
* https://github.com/2b-as/xgoldmon
* https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf
personal git repositories of Harald Welte. Your mileage may vary