Diffstat (limited to '2016/33c3')
-rw-r--r-- | 2016/33c3/33c3-modems.adoc | 189 | ||||
-rw-r--r-- | 2016/33c3/images/quectel_ipr.jpg | bin | 0 -> 59089 bytes |
2 files changed, 110 insertions, 79 deletions
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc index a79f784..4ba0bbd 100644 --- a/2016/33c3/33c3-modems.adoc +++ b/2016/33c3/33c3-modems.adoc 
@@ -26,30 +26,38 @@ Dissecting modern (3G/4G) cellular modems * 8 years since _Anatomy of Smartphone Hardware_ at 25C3 * 7 years since OsmocomBB for GSM * Used and built M2M devices using 2G modems at work -* Started to build Osmocom 3G/4G software, logs/traces help -* Build tools to help understanding cellular technology - -== History - -image:images/sl6087_hw.png[height=280,role="gimmick_right"] - -* OpenAT by Sierra Wireless -* Write C code using OpenAT APIs -* Dynamically loaded into the RTOS -* Runs without privilege separation, MMU -* Eclipse based IDE and plugins (in clojure) -* Protocol to multiplex AT, log, debug -* 2G and 3G modems were available -* Discontinued HW platform => Locked in -* Various other limitations +* so we're looking for a modem that can be used for +** our next-generation M2M/embedded devices +** testing/logging/tracing Osmocom 3G/4G network-side software +** building more tools to help understanding cellular technology + +== Cellular Modems in M2M + +image:images/sl6087_hw.png[height=300,role="gimmick_right"] + +* Assume you want to build a M2M device +* Classic approach to M2M/Embedded cellular: +** Cellular modem with AT commands over Serial/USB +** Main Processor runs M2M application +* if you run Application in Modem, you can save PCB space, power and BOM cost +** OpenAT by Sierra Wireless +*** Write C code using OpenAT APIs +*** Dynamically loaded into the RTOS +*** Runs without privilege separation, MMU +*** Protocol to multiplex AT, log, debug +*** Discontinued HW platform => Locked in +*** Various other limitations == Device requirements -* Get textual logging when handling messages -* Get a copy of the radio network message and export to GSMTAP -* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] -* But for GPRS, 3G and 4G -* Enabled by default and not locked down in the future +Our requirements for a good modem + +** Ability to run application code inside modem +** Avoid modem supplier vendor lock-in (EOL, ...) 
+** Get textual logging when handling messages +** Get a copy of the radio network messages and export to GSMTAP +*** Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] +*** But for all GPRS, EGPRS, UMTS and LTE messages == Qualcomm DIAG protocol @@ -67,22 +75,20 @@ image:images/diag_frame.png[width="90%"] image:images/28c3_option_stick.png[width="30%",role="gimmick_right"] -* 3G Options Icon stick exposes DIAG out of the box -* Quectel UC20 (2G+3G) enable it by default -* Quectel EC20 (2G+3G+4G) enable it by default -* 2G, 3G and 4G sounds quite nice -* EC20 comes as mini-PCIe module as well - - -== Quectel EC20 +* Old Option Icon 225 stick exposes DIAG out of the box +* Quectel UC20 (2G+3G) expose DIAG by default +** but no LTE support +* Quectel EC20 (2G+3G+4G) expose DIAG by default +** 2G, 3G and 4G sounds quite nice +** EC20 not only a LGA solder module but also as mini-PCIe +*** convenient for early testing / prototyping without custom board -image:images/ec20.png[height=200,role="gimmick_right"] +image:images/ec20.png[height=300,role="gimmick_right"] -* Using a Qualcomm MDM9615 chipset +* EC20 using a Qualcomm MDM9615 chipset ** Also used in the iPhone5 -* Surprisingly runs Linux -* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov]) -* Almost no documentation available +** Almost no documentation on MDM9615 available +** Still, a good candidate for starting our research... // Erst ein mal EC20 und sagen wieso es interessant ist // und dann, dass es Linux hat.. um dann ein Block diagram 
@@ -91,21 +97,32 @@ image:images/ec20.png[height=200,role="gimmick_right"] [role="change_topic"] == An unexpected surprise -== GPL compliance +== Firmware update, hints of Linux -* Got a firmware upgrade to fix stability +* Got a firmware upgrade to fix stability / bugs * Looks like it contains traces of Linux? +* Looks like it uses fastboot for the update +* Other people have already found Linux in MDM9615 based products (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov] at DEFCON 23) +* But why would there be Linux inside a Modem? +** Qualcomm is known for their REX/AMSS on Hexagon baseband ?!? +* And if it contains Linux, GPL requires them to mention that, include + License text and provide source code ?!? + +== GPL compliance + * No written offer, let's see if it runs Linux * Armijn Hemels `gpltool.git` has `unyaffs` to unpack yaffs -* strings, etc., `AT+QLINUXCMD=?` -* The fun and exploration begins - +* `strings`, etc. clearly reveal Linux, glibc, busyox +** other intresting strings like `AT+QLINUXCMD=?` show up +* The fun and exploration begins... +** technical analysis (serial console, firmware reversing, ...) +** legal enforcement to get source code of GPL/LGPL components (Harald is founder of http://gpl-violations.org[gpl-violations.org]) == GPL compliance * Linux basis created by Qualcomm and used by Quectel -* https://wiki.codeaurora.org/xwiki/bin/QLBEP/ -* Many branches, releases, which to use? +** https://wiki.codeaurora.org/xwiki/bin/QLBEP/ +** Many branches, releases, which to use? [quote, Tonino Perazzi] I tried instruction above to build yaffs2 for MDM9615, so I downloaded source `M9615AAAARNLZA1611161.xml` but during compilation I faced some libs that are missing such as libQMI and acdb-loader.. 
@@ -116,33 +133,30 @@ image:images/qualcom_many_releases.png[width="80%"] [qanda] Asking for the complete and corresponding source:: - Receiving source for the flash tool - -== GPL compliance - +[quote,Quectel] +** The source code of Qflash tool in Linux is attached, [...] [qanda] -Asking for the complete and corresponding source:: - We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party. +Asking again for the complete and corresponding source:: +[quote,Quectel] +We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party. +image:images/quectel_ipr.jpg[width="100%"] == GPL compliance [qanda] Asking for the complete and corresponding source:: +[quote,Quectel] We appreciate the efforts that your client had put into the open source -project netfilter/iptable. However, We have some doubts about the alleged -copyright. From our perspective, your client does not have the right to -empower the copyright. We think software netfilter/iptable is built on -the code operating system GUN/Linux, thus subject to GPL terms, where FSF +project netfilter/_iptable_. However, [...] *your client does not have the right to +empower the copyright*. We think software netfilter/iptable is built on +the code operating system _GUN_/Linux, thus subject to GPL terms, where FSF requires that each author of code incorporated in FSF projects either -provide copyright assignment to FSF or disclaim copyright (“we should keep -the copyright status of the program as simple as possible. We do this by -asking each contributor to either assign the copyright on his contribution -to the FSF, or disclaim copyright on it and thus put it in the public -domain”). Therefore, It seems that your client does not have the copyright -on netfilter/iptable. -As one of the leading providers of wireless solution, Quectel is always -respectful IPR. 
We would like to compliant with GPL and do some necessary +provide copyright assignment to FSF or disclaim copyright. Therefore, +It seems that *your client does not have the copyright on netfilter/iptable.* + + + +As one of the leading providers of wireless solution, *Quectel is always +respectful IPR*. We would like to compliant with GPL and do some necessary statements,including a disclaimer or appropriate notices. Under the terms of GPL, we would like to dedicate Kernel code of EC25x to free software community. 
@@ -151,39 +165,45 @@ community. [qanda] Asking for the complete and corresponding source:: +[quote,Quectel] Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step. -== GPL compliance - [qanda] Asking for the complete and corresponding source:: +[quote,Quectel] We are always willing to achieve GPL compliance. -== GPL compliance - [qanda] Asking for the complete and corresponding source:: - To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that. +[quote,Quectel] + So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that. == GPL compliance [qanda] Your tarball is missing some files:: - We have issued all GPL licensed source code. - We have no the xt_dscp file in the project, and nor Qulacomm. It must be - caused by your compilation environment. - If you have more question or problem during the development with Quectel - module, please add my Skype ID (XXXXX), I will continue to support you - on Skype. - The email will not discuss the compiling issue any more.'' +[quote,Quectel] +We have issued all GPL licensed source code. +*We have no the xt_dscp file in the project, and nor Qulacomm*. It must be +caused by your compilation environment. +If you have more question or problem during the development with Quectel +module, please add my Skype ID (XXXXX), I will continue to support you +on Skype. 
+ +*The email will not discuss the compiling issue any more.* == GPL compliance * ... many months later -* License compliance still not achieved +** we have received various source tarballs +** they contain not only GPL/LGPL code but other FOSS code (thanks!) +** full license compliance still not achieved, but improving... * Sierra Wireless Legato is a positive example of a competitor +** they not only provide the OE/Linux source but extensive +documentation! +** but they try to lure customers into a proprietary Legato framework, +and thus again vendor-lock-in :( image:images/legato_flash.png[width="80%"] @@ -301,8 +321,8 @@ We found a bunch of proprietary Linux userspace programs |`atfwd_daemon`|Implement Quectel-Specific AT Commands |`quectel_daemon`|?; various ASoC related bits |`qti`|? -|`mbim`|Mobile Broadband IF Model (tranlates MBIM to QMI) -|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router wit LTE backhaup +|`mbim`|Mobile Broadband IF Model (translates MBIM to QMI) +|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router with LTE backhaup |`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0` |=== 
@@ -405,21 +425,32 @@ Start download fota for update.zip * Add status and reboot to recovery * Apply update.zip and reboot -== Recommedation +== Recommedation to modem vendors -* Please keep it open, good for learning +* It is great to have an open and accessible Qualcomm based modem for + further research and developing custom applicatins/extensions +* Security issues (particularly unverified FOTA) must be fixed +* We need security from attackers _without locking out the user/owner_ +** If vendors introduce verified boot and/or FOTA, allow owner specified keys! +* Please keep it open, good for learning and many applications * Allow owners to modify the software of their device * Secure the FOTA upgrading with owner specified keys +== Unrelated Announcement + +* Osmocom project has gained support for 3G/3.5G during 2016 +* Osmocom suffers from lack of contributions :( +* We want to motivate more contriutions +** _Accelerate 3.5G_ programme provides 50 free 3.5 femtocells to contributors +** tell us how you would use your free femtocell to improve Osmocom +** Call for Proposals runs until January 31st, 2017. +** FIXME: link to wiki page == Questions * Questions? -== Announcement - -* 3G femtocells for Osmocom/OpenBSC development == Links diff --git a/2016/33c3/images/quectel_ipr.jpg b/2016/33c3/images/quectel_ipr.jpg Binary files differnew file mode 100644 index 0000000..011bd36 --- /dev/null +++ b/2016/33c3/images/quectel_ipr.jpg |
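Review bot: in hunk `@@ -26,30 +26,38 @@`, the new requirements list under "Our requirements for a good modem" starts at the second nesting level (`**`) without a `*` parent item; either promote those items to `*` or give them a parent bullet so the "Device requirements" slide nests consistently with the "Cellular Modems in M2M" slide above it. Small wording fixes in the same hunk: "a M2M device" should be "an M2M device", "help understanding cellular technology" should be "help understand cellular technology", and "Tobias Engels" is a possessive and should read "Tobias Engel's".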
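Review bot: in hunk `@@ -67,22 +75,20 @@`, the subjects are singular, so "Quectel UC20 (2G+3G) expose DIAG by default" and "Quectel EC20 (2G+3G+4G) expose DIAG by default" should both read "exposes"; "EC20 using a Qualcomm MDM9615 chipset" lacks a main verb and should be "EC20 uses a Qualcomm MDM9615 chipset"; "not only a LGA solder module" should be "not only an LGA solder module".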
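Review bot: in hunk `@@ -91,21 +97,32 @@`, two typos are introduced on the new lines: "busyox" should be "busybox" and "intresting" should be "interesting"; "Armijn Hemels `gpltool.git`" is a possessive and should read "Armijn Hemel's". The bullet "GPL requires them to mention that, include License text and provide source code" would read more clearly as "GPL requires them to state that, include the license text, and provide the source code".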
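Review bot: in hunk `@@ -116,33 +133,30 @@`, the first answer is written as a `**` list item directly under `[quote,Quectel]`, so the quote style is applied to a list rather than to the reply text and the item has no `*` parent; make it a plain paragraph like the other Quectel replies in the deck. Also confirm by rendering that a `[quote,Quectel]` block placed right after the `Asking ...::` term is actually attached as the qanda answer; if Asciidoctor renders it as a separate block, a `+` list continuation line between the term and the quote is needed.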
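Review bot: in hunk `@@ -151,39 +165,45 @@`, the reply " So we need some time to know of all things ..." keeps its leading space while the sibling replies were dedented; in AsciiDoc an indented line becomes a literal paragraph, so this one answer will render in monospace unlike the others. Dedent it to match. Since the bold spans inside the vendor replies (e.g. "*We have no the xt_dscp file in the project, and nor Qulacomm*") are the presenter's emphasis and not in the original email, a short "emphasis ours" remark on the slide would keep the quotations honest.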
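Review bot: in hunk `@@ -301,8 +321,8 @@`, the typo fix on the `QCMAP_ConnectionManager` row is incomplete: "backhaup" should be "backhaul" and "linux-base" should be "Linux-based". On the `mbim` row, MBIM expands to "Mobile Broadband Interface Model", so "IF Model" should be spelled out.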
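Review bot: in hunk `@@ -405,21 +425,32 @@`, the heading "Recommedation to modem vendors" keeps the old misspelling and should be "Recommendation to modem vendors"; the same hunk adds "applicatins" (applications) and "contriutions" (contributions), and "50 free 3.5 femtocells" should be "3.5G femtocells". The `FIXME: link to wiki page` bullet is a placeholder that will show up on the rendered slide and needs the link or removal before the talk. The owner-specified-keys point now appears twice ("allow owner specified keys!" as a sub-bullet and "Secure the FOTA upgrading with owner specified keys" as a top-level bullet); merge them into one bullet that states the requirement concretely, e.g. that `update.zip` must be signature-checked against keys the owner can enroll before the "Apply update.zip and reboot" step in the recovery flow above is allowed to run.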