summaryrefslogtreecommitdiff
path: root/2016/33c3
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2016-12-27 17:38:09 +0100
committerHarald Welte <laforge@gnumonks.org>2016-12-27 17:38:09 +0100
commitec7676c390c2ab7888ea318015cd853fc1659c18 (patch)
tree04f8fc766352d0958e79542b35b528005989c91f /2016/33c3
parent8e958631cc041305a51af9931b01db72ce84be7e (diff)
33c3: more slides
Diffstat (limited to '2016/33c3')
-rw-r--r--2016/33c3/33c3-modems.adoc74
1 files changed, 71 insertions, 3 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
index a3c5e5d..a79f784 100644
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@@ -229,10 +229,14 @@ The software stack seems to be called *Qualcomm LE*
** `v3.18.20` in EC25: 1.9 million lines
* Expected: CPU + peripheral drivers
* Less expected:
-** smem_log, ipc_log, remote spinlocks, etc.
+** smem_log (shared memory logging)
+** ipc_log (inter-processOR communication)
+** remote spinlocks
== Qualcomm Linux kernel subsystems
+Some of the Qualcomm-specific kerrnel sub-systems
+
[cols="20%,80%"]
|===
|SMD|Shared Memory Device
@@ -241,6 +245,7 @@ The software stack seems to be called *Qualcomm LE*
|BAM|Bus Access Manager
|IPA|Internet Packet Accelerator
|DIAGFWD|DIAG Forwarding
+|AF_MSM_IPC|Socket family for Qualcomm IPC
|===
== Qualcomm LE System Architecture
@@ -273,7 +278,38 @@ every `rmnet` data device has associated QMI control
image:images/qmi_smd_qmuxd.svg[width="100%"]
-== Funny commands
+== Tools for analysis
+
+We created some tools to help our analysis
+
+* used OE to build matching `opkg` and OE packages for `socat`, `lsof`, `strace`
+* FOSS programs for the Linux AP linked against proprietary `libqmi-framework.so`
+** `qmi_test`: Simple program to read IMEI via QMI
+** `atcop_test`: Test program to implement AT commands in Linux userspace
+* 100% FOSS programs
+** `qmuxd_wrapper`: LD_PRELOAD wrapper for tracing betwene `qmuxd` and QMI clients
+** `libqmi-glib` transport support for `qmuxd` (work in progress)
+** `osmo-qcdiag`: Host tool for obtaining DIAG based logs from Linux programs + QMI traces, decoded via `libmi-glib`
+
+== Userspace programs
+
+We found a bunch of proprietary Linux userspace programs
+
+[cols="20%,80%"]
+|===
+|`adbd`|Implements Android Debug Bridge
+|`atfwd_daemon`|Implement Quectel-Specific AT Commands
+|`quectel_daemon`|?; various ASoC related bits
+|`qti`|?
+|`mbim`|Mobile Broadband IF Model (tranlates MBIM to QMI)
+|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router wit LTE backhaup
+|`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0`
+|===
+
+[role="change_topic"]
+== Funny bits + pieces
+
+== Funny AT commands
* `AT+QLINUXCMD`, e.g. switch usb config to get adb
** arbitrary shell commands executed as root on r/w rootfs!
@@ -281,7 +317,38 @@ image:images/qmi_smd_qmuxd.svg[width="100%"]
* `AT+QPRINT`, print dmesg
* AT for `system("echo mem > /sys/power/state")`
+== How many processes does it take to reboot a system?
+
+* `rebootdiagapp` registers DIAG command (cmd code 0x29)
+** spawns thread that runs `system("qmi_simple_ril_test input=/tmp/reset")`
+** `system("echo 'modem reset' > /tmp/reset")`
+*** makes `qmi_simple_ril_test` send a QMI message to modem
+** `system("rm /tmp/reset")`
+** writes "REBOOT" to `/dev/rebooterdev` this time using `fwrite()`!
+* `reboot_daemon` reads `/dev/rebooterdev`
+
+----
+read_count = read(pipe_fd,buf,MAX_BUF-1);
+/* if read REBOOT_STR, then call reboot */
+if(strncmp(buf,REBOOT_STR,strlen(REBOOT_STR)) == 0) {
+ debug_printf("going for reboot\n");
+ printf("reboot-daemon: initiating reboot\n");
+ system("reboot");
+}
+----
+
+== C programs that look like shell scripts
+
+* strings /usr/bin/quectel_daemon
+----
+echo "nau8814-aif1" > /sys/devices/platform/soc-audio.0/tx_dai_name
+cp -f /cache/usb/qcfg_usbcfg /etc/; cp -f /cache/usb/usb /etc/init.d/
+echo 90 >/sys/kernel/debug/pm8xxx-pwm-dbg/0/duty-cycle
+pkill -f "/bin/sh /usr/bin/nmea_demon.sh"
+ps ef | grep "quec_bridge /dev/nmea /dev/ttyGS0" | grep -v grep
+cd /cache/ufs;ls
+----
[role="change_topic"]
== Firmware upgrade
@@ -358,7 +425,8 @@ Start download fota for update.zip
* Our results / hacks
** https://osmocom.org/projects/quectel-modems
-** FIXME: quectel-experiments.git
+** git://git.osmocom.org/quectel-experiments.git
+** git://git.osmocom.org/osmo-qcdiag.git
** FIXME: quectel source tarball mirror
* Collection of links for further study
** ftp://ftp2.quectel.com/OpenSrc/
personal git repositories of Harald Welte. Your mileage may vary