Diffstat (limited to '2016/33c3/33c3-modems.adoc')
2016/33c3/33c3-modems.adoc | 210 (new file, mode -rw-r--r--)
1 files changed, 210 insertions, 0 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc new file mode 100644 index 0000000..e39d592 --- /dev/null +++ b/2016/33c3/33c3-modems.adoc 
@@ -0,0 +1,210 @@ + +Dissecting modern (3G/4G) cellular modems +========================================= +:author: Harald Welte <laforge@gpl-violations.org> +#:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA) +:backend: slidy +:max-width: 45em + +//include::33c3-modems.css[] + +== Motivation + +// 9 years of Osmocom? +// 3G and 4G development +// Hardware for decoding +* 9 years of Osmocom, 7 years since OsmocomBB +* Started to look at implementing 3G/4G +* Modems are a tool for research and development +** Logs to analyze a specific problem +** Traces to learn how something works +* Modems power cellular IoT devices +** 1.1 billion new cellular devices by 2021 +** eCall for vehicles +** Integrated and worldwide certifications + +== This talk + +* A bit of History +* Device overview +* Qualcomm Kernel, Drivers and Userspace +* Firmware upgrade + +== History + +* Wavecom, Sierra Wireless OpenAT systems +* OpenAT allowed to build C code +* Dynamically loaded into the modem OS +* Runs without privilege separation, MMU +* Odd limitations, blocking leads to watchdog reset + +[role="change_topic"] +== Device/Market overview + +== Chipset vendors + +* Intel +* Mediatek +* Qualcomm +* ??? + +== Stack vendors + +* Fewer than used to be? +* Risk of monoculture + +== Modem vendors + +* Mostly Qualcomm based chipsets +* Cinterion, Huawei, U-Blox, Quectel, Sierra Wireless, Telit, ... + +== Qualcomm HW + +* Patents on CDMA technology +* Extending their market position in 3G to 4G +* Product wide diagnostic, log, control interface + +== DIAG protocol + +* HDLC frame, CRC16, simple framing +* Command and Response +** E.g. enable logging for categories +** Read/Write NVRAM +* Various implementations (e.g. 
ModemManager) + +== Quectel EC20 + +image:images/ec20.png[height=200,role="gimmick_right"] + +* DIAG port mentioned in the documentation +* Is available out of the box +* MDM 9615 based module for 2G, 3G, 4G +* Surprisingly runs Linux +* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov]) + +// Erst ein mal EC20 und sagen wieso es interessant ist +// und dann, dass es Linux hat.. um dann ein Block diagram +// zu haben? + +[role="change_topic"] +== Qualcomm Details + +== MDM 9615 HW Intro + +* Qualcomm MDM 9615 chipset +* Used in the iPhone 5 and automotive +* Modems like Quectel EC20, Sierra Wireless MC7355 +* No public HW documentation?! + +== MDM 9615 HW Overview + +* ???? +// Block diagram? +// Listing of interfaces. +// Show it is a highly complex SoC... with even more things +// that are unknown.. device tree file, periperhal, etc + +== MDM SW Overview + +image:images/gandroid_logo.png[height=200,role="gimmick_right"] + +* GNU libc, busybox userland +* Android Debug Bridge (adb) +* Android Linux kernel +* Android Bootloader +* Using OpenEmbedded to build images +* Developed and maintained by Qualcomm + + + + +== Linux kernel overview + +* Qualcomm Android Linux kernel +* Huge changes compared to mainline +* CPU and peripheral support +* <List frameworks here> + +== ... + + + +[role="change_topic"] +== Firmware upgrade + +// put the headline in the center + +== recovery and applypatch + +* Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git] +* Updates are zip files with deltas, SHA1+RSA +* recovery started on boot, drives applypatch +---- +// Look for an RSA signature embedded in the .ZIP file comment given +// the path to the zip. Verify it matches one of the given public +// keys. 
+---- + +== Qualcomm EC20 firmware upgrade + +image:images/redbend.png[height=76,role="gimmick_right"] + +* Based on the recovery.git code +* But for some reason (legacy?) is using RedBend +* RSA linked into the binary but not called +* RedBend used by many more companies and systems (e.g. Quectel UC20) + + +== RedBend (delta update) software + +* Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik]) +* Lots of starring at hexdumps, lots of help from Dieter Spaar +* Binary file format to diff, inserts, remove, link files +* Variable size Table Of Contents +** Filenames separated with 0x00 +** Permissions separated with 0xAF +** Sections for diff, inserts with crc32, filesize, permission +* Heavy in pointers/offsets, not robust +* Not cryptographically signed! +* Created tools to partially extract and create .diff file + +image:images/delta_header.png[width=600] + + +== Firmware upgrade overview + +//[source] +---- +$ strings atfwd_daemon | egrep "wget|QCMAP|fota|update.z" + +... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet +/usr/bin/wget -T 20 -t 3 %s -O %s +mv %s %s && mkdir -p /cache/fota && echo %s > %s +/cache/fota/ipth_config_dfs.txt +rm -rf /cache/fota /cache/recovery /cache/update.zip +Start download fota for update.zip +---- + +* atfwd_daemon can be asked to start upgrade +* Configure APN, specify URL, store result to update.zip +* Add status and reboot to recovery +* Apply update.zip and reboot + +== Firmware upgrade process + +image:images/upgrade_process.png[] + + +== Hijacking firmware upgrade + +* Prepare a .diff with a new binary +* Operate a fake BTS/nodeB/eNodeB +* Trigger or wait for firmware update check +* Redirect request +* Wait for firmware to be installed +* Optionally make it look like a network error + + +== Questions + +* Questions? |
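Review bot: the header line `#:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)` near the top of 33c3-modems.adoc is not a comment, because AsciiDoc comments start with `//` (as this file itself does for `//include::33c3-modems.css[]` and the speaker notes), so the slidy backend will try to parse it as part of the document header instead of skipping it; either drop the `#` to actually set the attribute or write it as `//:copyright: ...`. The same applies to `//[source]` above the `strings atfwd_daemon` listing: if a source block is intended, use `[source]` there, and consider `[source,c]` for the comment excerpt in the "recovery and applypatch" slide, which should also say which recovery.git file it is quoted from. Several slides still carry placeholders (`* ???` under "Chipset vendors", `* ????` plus only TODO comments under "MDM 9615 HW Overview", `<List frameworks here>` under "Linux kernel overview", and the empty `== ...` slide); these read as unfinished and should be filled in or removed before the deck is published. Finally, the two root-cause findings, that the RedBend delta format is not cryptographically signed and that the RSA verification is linked into the binary but never called, sit on separate slides; a short closing slide that restates them together and names the remedy (call the signature check that is already present before applying update.zip, and fetch update.zip over an authenticated channel rather than the plain `wget` shown) would give the audience the mitigation alongside the "Hijacking firmware upgrade" scenario.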