author Harald Welte <laforge@gnumonks.org> 2016-12-27 19:57:12 +0100
committer Harald Welte <laforge@gnumonks.org> 2016-12-27 19:57:12 +0100
commit f4d92937f0473bd5d37c659a16cb229e4534bd1c
tree dae86cfc8f61e8354977ce156ecc36bbddcd42ad /2016/33c3
parent ec7676c390c2ab7888ea318015cd853fc1659c18
33c3: more work on the slides, hopefully nearing completion
Diffstat (limited to '2016/33c3')
-rw-r--r-- 2016/33c3/33c3-modems.adoc 189
-rw-r--r-- 2016/33c3/images/quectel_ipr.jpg bin 0 -> 59089 bytes
2 files changed, 110 insertions, 79 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
index a79f784..4ba0bbd 100644
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@@ -26,30 +26,38 @@ Dissecting modern (3G/4G) cellular modems
* 8 years since _Anatomy of Smartphone Hardware_ at 25C3
* 7 years since OsmocomBB for GSM
* Used and built M2M devices using 2G modems at work
-* Started to build Osmocom 3G/4G software, logs/traces help
-* Build tools to help understanding cellular technology
-
-== History
-
-image:images/sl6087_hw.png[height=280,role="gimmick_right"]
-
-* OpenAT by Sierra Wireless
-* Write C code using OpenAT APIs
-* Dynamically loaded into the RTOS
-* Runs without privilege separation, MMU
-* Eclipse based IDE and plugins (in clojure)
-* Protocol to multiplex AT, log, debug
-* 2G and 3G modems were available
-* Discontinued HW platform => Locked in
-* Various other limitations
+* so we're looking for a modem that can be used for
+** our next-generation M2M/embedded devices
+** testing/logging/tracing Osmocom 3G/4G network-side software
+** building more tools to help understanding cellular technology
+
+== Cellular Modems in M2M
+
+image:images/sl6087_hw.png[height=300,role="gimmick_right"]
+
+* Assume you want to build a M2M device
+* Classic approach to M2M/Embedded cellular:
+** Cellular modem with AT commands over Serial/USB
+** Main Processor runs M2M application
+* if you run Application in Modem, you can save PCB space, power and BOM cost
+** OpenAT by Sierra Wireless
+*** Write C code using OpenAT APIs
+*** Dynamically loaded into the RTOS
+*** Runs without privilege separation, MMU
+*** Protocol to multiplex AT, log, debug
+*** Discontinued HW platform => Locked in
+*** Various other limitations
== Device requirements
-* Get textual logging when handling messages
-* Get a copy of the radio network message and export to GSMTAP
-* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
-* But for GPRS, 3G and 4G
-* Enabled by default and not locked down in the future
+Our requirements for a good modem
+
+** Ability to run application code inside modem
+** Avoid modem supplier vendor lock-in (EOL, ...)
+** Get textual logging when handling messages
+** Get a copy of the radio network messages and export to GSMTAP
+*** Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
+*** But for all GPRS, EGPRS, UMTS and LTE messages
== Qualcomm DIAG protocol
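Review bot: In the new `== Device requirements` slide the list starts at `**` (and `***` for the two xgoldmon lines) directly under the plain paragraph "Our requirements for a good modem", with no `*` item above it. Start the list at `*` and put the xgoldmon lines at `**`, so the nesting depth matches the `== Cellular Modems in M2M` slide added in the same hunk. Minor wording: "a M2M device" should read "an M2M device".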
@@ -67,22 +75,20 @@ image:images/diag_frame.png[width="90%"]
image:images/28c3_option_stick.png[width="30%",role="gimmick_right"]
-* 3G Options Icon stick exposes DIAG out of the box
-* Quectel UC20 (2G+3G) enable it by default
-* Quectel EC20 (2G+3G+4G) enable it by default
-* 2G, 3G and 4G sounds quite nice
-* EC20 comes as mini-PCIe module as well
-
-
-== Quectel EC20
+* Old Option Icon 225 stick exposes DIAG out of the box
+* Quectel UC20 (2G+3G) expose DIAG by default
+** but no LTE support
+* Quectel EC20 (2G+3G+4G) expose DIAG by default
+** 2G, 3G and 4G sounds quite nice
+** EC20 not only a LGA solder module but also as mini-PCIe
+*** convenient for early testing / prototyping without custom board
-image:images/ec20.png[height=200,role="gimmick_right"]
+image:images/ec20.png[height=300,role="gimmick_right"]
-* Using a Qualcomm MDM9615 chipset
+* EC20 using a Qualcomm MDM9615 chipset
** Also used in the iPhone5
-* Surprisingly runs Linux
-* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
-* Almost no documentation available
+** Almost no documentation on MDM9615 available
+** Still, a good candidate for starting our research...
// Erst ein mal EC20 und sagen wieso es interessant ist
// und dann, dass es Linux hat.. um dann ein Block diagram
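Review bot: Removing the `== Quectel EC20` heading puts `image:images/ec20.png[height=300,role="gimmick_right"]` on the same slide as `image:images/28c3_option_stick.png[width="30%",role="gimmick_right"]`, so two right-floated images now share one slide, and the EC20 one grew from 200 to 300 at the same time. Either keep a separate heading for the EC20/MDM9615 bullets or drop one of the images, and check the rendered slide for overflow. Minor: "expose DIAG" should be "exposes DIAG" in both Quectel bullets.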
@@ -91,21 +97,32 @@ image:images/ec20.png[height=200,role="gimmick_right"]
[role="change_topic"]
== An unexpected surprise
-== GPL compliance
+== Firmware update, hints of Linux
-* Got a firmware upgrade to fix stability
+* Got a firmware upgrade to fix stability / bugs
* Looks like it contains traces of Linux?
+* Looks like it uses fastboot for the update
+* Other people have already found Linux in MDM9615 based products (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov] at DEFCON 23)
+* But why would there be Linux inside a Modem?
+** Qualcomm is known for their REX/AMSS on Hexagon baseband ?!?
+* And if it contains Linux, GPL requires them to mention that, include
+ License text and provide source code ?!?
+
+== GPL compliance
+
* No written offer, let's see if it runs Linux
* Armijn Hemels `gpltool.git` has `unyaffs` to unpack yaffs
-* strings, etc., `AT+QLINUXCMD=?`
-* The fun and exploration begins
-
+* `strings`, etc. clearly reveal Linux, glibc, busyox
+** other intresting strings like `AT+QLINUXCMD=?` show up
+* The fun and exploration begins...
+** technical analysis (serial console, firmware reversing, ...)
+** legal enforcement to get source code of GPL/LGPL components (Harald is founder of http://gpl-violations.org[gpl-violations.org])
== GPL compliance
* Linux basis created by Qualcomm and used by Quectel
-* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
-* Many branches, releases, which to use?
+** https://wiki.codeaurora.org/xwiki/bin/QLBEP/
+** Many branches, releases, which to use?
[quote, Tonino Perazzi]
I tried instruction above to build yaffs2 for MDM9615, so I downloaded source `M9615AAAARNLZA1611161.xml` but during compilation I faced some libs that are missing such as libQMI and acdb-loader..
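Review bot: The added `strings` bullet has two typos that will end up on the slide: `busyox` should be `busybox`, and the sub-bullet below it has `intresting` for `interesting`. In the DEFCON bullet, `e.g` is missing its trailing period. The wrapped bullet "include / License text and provide source code" also capitalises "License" mid-sentence; lowercase it for consistency with the rest of the line.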
@@ -116,33 +133,30 @@ image:images/qualcom_many_releases.png[width="80%"]
[qanda]
Asking for the complete and corresponding source::
- Receiving source for the flash tool
-
-== GPL compliance
-
+[quote,Quectel]
+** The source code of Qflash tool in Linux is attached, [...]
[qanda]
-Asking for the complete and corresponding source::
- We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
+Asking again for the complete and corresponding source::
+[quote,Quectel]
+We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
+image:images/quectel_ipr.jpg[width="100%"]
== GPL compliance
[qanda]
Asking for the complete and corresponding source::
+[quote,Quectel]
We appreciate the efforts that your client had put into the open source
-project netfilter/iptable. However, We have some doubts about the alleged
-copyright. From our perspective, your client does not have the right to
-empower the copyright. We think software netfilter/iptable is built on
-the code operating system GUN/Linux, thus subject to GPL terms, where FSF
+project netfilter/_iptable_. However, [...] *your client does not have the right to
+empower the copyright*. We think software netfilter/iptable is built on
+the code operating system _GUN_/Linux, thus subject to GPL terms, where FSF
requires that each author of code incorporated in FSF projects either
-provide copyright assignment to FSF or disclaim copyright (“we should keep
-the copyright status of the program as simple as possible. We do this by
-asking each contributor to either assign the copyright on his contribution
-to the FSF, or disclaim copyright on it and thus put it in the public
-domain”). Therefore, It seems that your client does not have the copyright
-on netfilter/iptable.
-As one of the leading providers of wireless solution, Quectel is always
-respectful IPR. We would like to compliant with GPL and do some necessary
+provide copyright assignment to FSF or disclaim copyright. Therefore,
+It seems that *your client does not have the copyright on netfilter/iptable.* +
+ +
+As one of the leading providers of wireless solution, *Quectel is always
+respectful IPR*. We would like to compliant with GPL and do some necessary
statements,including a disclaimer or appropriate notices. Under the terms
of GPL, we would like to dedicate Kernel code of EC25x to free software
community.
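Review bot: The `[quote,Quectel]` attribute lines are placed directly after the `[qanda]` term lines ending in `::`, without a `+` list continuation, so the quote block may render detached from its question and leave the term with no answer; check the rendered output and attach the block with a continuation line if needed. In the first quote the answer is written as `** The source code of Qflash tool ...`, which makes it a second-level list item rather than quote text. `image:images/quectel_ipr.jpg[width="100%"]` follows the quote sentence with no blank line, so it is an inline image inside the quote paragraph; a block image (`image::`) after a blank line is probably what is intended. Since the bold and italic markup and the `[...]` cuts are applied inside text attributed to Quectel, consider noting on the slide that the emphasis was added.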
@@ -151,39 +165,45 @@ community.
[qanda]
Asking for the complete and corresponding source::
+[quote,Quectel]
Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step.
-== GPL compliance
-
[qanda]
Asking for the complete and corresponding source::
+[quote,Quectel]
We are always willing to achieve GPL compliance.
-== GPL compliance
-
[qanda]
Asking for the complete and corresponding source::
- To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
+[quote,Quectel]
+ So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
== GPL compliance
[qanda]
Your tarball is missing some files::
- We have issued all GPL licensed source code.
- We have no the xt_dscp file in the project, and nor Qulacomm. It must be
- caused by your compilation environment.
- If you have more question or problem during the development with Quectel
- module, please add my Skype ID (XXXXX), I will continue to support you
- on Skype.
- The email will not discuss the compiling issue any more.''
+[quote,Quectel]
+We have issued all GPL licensed source code.
+*We have no the xt_dscp file in the project, and nor Qulacomm*. It must be
+caused by your compilation environment.
+If you have more question or problem during the development with Quectel
+module, please add my Skype ID (XXXXX), I will continue to support you
+on Skype. +
+*The email will not discuss the compiling issue any more.*
== GPL compliance
* ... many months later
-* License compliance still not achieved
+** we have received various source tarballs
+** they contain not only GPL/LGPL code but other FOSS code (thanks!)
+** full license compliance still not achieved, but improving...
* Sierra Wireless Legato is a positive example of a competitor
+** they not only provide the OE/Linux source but extensive
+documentation!
+** but they try to lure customers into a proprietary Legato framework,
+and thus again vendor-lock-in :(
image:images/legato_flash.png[width="80%"]
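Review bot: The quote starting "So we need some time ..." drops the original first sentence ("To be frank, we have no experience over Open Source things before.") without a `[...]` marker, while the previous hunk marks its cuts with `[...]`; mark this one the same way or keep the sentence. That line also keeps a leading space after `[quote,Quectel]`, which AsciiDoc can treat as a literal paragraph, so strip it. With two `== GPL compliance` headings removed, three Q&A exchanges now sit on one slide; check that they still fit. The continuation lines "documentation!" and "and thus again vendor-lock-in :(" would read better indented under their bullets, as done for the wrapped bullets elsewhere in this patch.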
@@ -301,8 +321,8 @@ We found a bunch of proprietary Linux userspace programs
|`atfwd_daemon`|Implement Quectel-Specific AT Commands
|`quectel_daemon`|?; various ASoC related bits
|`qti`|?
-|`mbim`|Mobile Broadband IF Model (tranlates MBIM to QMI)
-|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router wit LTE backhaup
+|`mbim`|Mobile Broadband IF Model (translates MBIM to QMI)
+|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router with LTE backhaup
|`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0`
|===
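Review bot: The `QCMAP_ConnectionManager` row is being touched to fix "wit", but "backhaup" on the same line is still misspelt; it should be "backhaul". While editing that cell, "linux-base" would read better as "Linux-based".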
@@ -405,21 +425,32 @@ Start download fota for update.zip
* Add status and reboot to recovery
* Apply update.zip and reboot
-== Recommedation
+== Recommedation to modem vendors
-* Please keep it open, good for learning
+* It is great to have an open and accessible Qualcomm based modem for
+ further research and developing custom applicatins/extensions
+* Security issues (particularly unverified FOTA) must be fixed
+* We need security from attackers _without locking out the user/owner_
+** If vendors introduce verified boot and/or FOTA, allow owner specified keys!
+* Please keep it open, good for learning and many applications
* Allow owners to modify the software of their device
* Secure the FOTA upgrading with owner specified keys
+== Unrelated Announcement
+
+* Osmocom project has gained support for 3G/3.5G during 2016
+* Osmocom suffers from lack of contributions :(
+* We want to motivate more contriutions
+** _Accelerate 3.5G_ programme provides 50 free 3.5 femtocells to contributors
+** tell us how you would use your free femtocell to improve Osmocom
+** Call for Proposals runs until January 31st, 2017.
+** FIXME: link to wiki page
== Questions
* Questions?
-== Announcement
-
-* 3G femtocells for Osmocom/OpenBSC development
== Links
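Review bot: The new `== Unrelated Announcement` slide still contains `** FIXME: link to wiki page`, which will be shown to the audience as is; add the link or drop the bullet before the talk. The changed heading keeps the typo "Recommedation" (should be "Recommendation"), and the added lines introduce "applicatins" and "contriutions". The recommendations list now says the same thing twice: the new "allow owner specified keys!" bullet and the existing "Secure the FOTA upgrading with owner specified keys" bullet can be merged.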
diff --git a/2016/33c3/images/quectel_ipr.jpg b/2016/33c3/images/quectel_ipr.jpg
new file mode 100644
index 0000000..011bd36
--- /dev/null
+++ b/2016/33c3/images/quectel_ipr.jpg
Binary files differ
personal git repositories of Harald Welte. Your mileage may vary