-rw-r--r--  2016/33c3/.gitignore                         1
-rw-r--r--  2016/33c3/33c3-modems.adoc                  62
-rw-r--r--  2016/33c3/Makefile                           5
-rw-r--r--  2016/33c3/images/28c3_option_stick.png      bin  0 -> 383889 bytes
-rw-r--r--  2016/33c3/images/diag_frame.blockdiag       16
-rw-r--r--  2016/33c3/images/upgrade_process.blockdiag   8
6 files changed, 61 insertions, 31 deletions
diff --git a/2016/33c3/.gitignore b/2016/33c3/.gitignore index 0e9f87c..6720ae5 100644 --- a/2016/33c3/.gitignore +++ b/2016/33c3/.gitignore @@ -1,3 +1,4 @@ *.sw? 33c3-modems.html images/upgrade_process.png +images/diag_frame.png diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc index a4ed5a7..e4d2418 100644 --- a/2016/33c3/33c3-modems.adoc +++ b/2016/33c3/33c3-modems.adoc 
@@ -22,59 +22,66 @@ Dissecting modern (3G/4G) cellular modems // 9 years of Osmocom? // 3G and 4G development // Hardware for decoding -* Implementing GSM specifications for the last decade (OpenMoko, Osmocom) +* Implementing GSM specifications for the last decade +* OpenMoko and then Osmocom * 7 years since OsmocomBB for GSM * In the past used and built devices using 2G modems -* Started to build 3G/4G software, logs/traces help +* Started to build 3G/4G software and logs/traces help +* Build tools to help understanding cellular technology == History image:images/sl6087_hw.png[height=280,role="gimmick_right"] * OpenAT by Sierra Wireless -* 2G and 3G were available * Write C code using OpenAT APIs * Dynamically loaded into the RTOS * Runs without privilege separation, MMU * Eclipse based IDE and plugins (in clojure) +* Protocol to multiplex AT, log, debug +* 2G and 3G modems were available * Discontinued HW platform => Locked in -* Various limitations +* Various other limitations == Device requirements * Get textual logging when handling messages -* Get a copy of the radio network messages and export to GSMTAP +* Get a copy of the radio network message and export to GSMTAP * Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] * But for GPRS, 3G and 4G -* Enabled by default and not to be removed +* Enabled by default and not locked down in the future -== DIAG protocol +== Qualcomm DIAG protocol + +* Qualcomm DIAG in many products (DVB-H, GSM, ...) 
+* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3 +* Simple HDLC frame (0x7e), cmd, data, CRC16 + +* Thousands of different message structures +* Events, Logging, Command/Response +* ModemManager, gsm-parser consume only a small fraction + +image:images/diag_frame.png[width="90%"] -* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3) -* HDLC frame, CRC16, simple framing (0x7e) -* Command, Response, Events -** Enable logging of subsystems -** Enable events for subsystems -** Trigger firmware upgrade -** Read/Write RAM -* ModemManager uses it for additional information -* gsmparser of snoopsnitch to export to GSMTAP == Selecting a device +image:images/28c3_option_stick.png[width="30%",role="gimmick_right"] + * 3G Options Icon stick exposes DIAG out of the box * Quectel UC20 (2G+3G) enable it by default * Quectel EC20 (2G+3G+4G) enable it by default * 2G, 3G and 4G sounds quite nice +* EC20 comes as mini-PCIe module as well == Quectel EC20 image:images/ec20.png[height=200,role="gimmick_right"] -* Using a Qualcomm MDM 9615 chipset +* Uses a Qualcomm MDM 9615 chipset * Also used in the iPhone5 -* Surprisingly runs Linux +* In our case surprisingly runs Linux * Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov]) * Not a lot of documentation available @@ -88,7 +95,7 @@ image:images/ec20.png[height=200,role="gimmick_right"] == GPL compliance * Got a firmware upgrade to fix stability -* Might contain traces of Linux? +* Looks like it contains traces of Linux? * No written offer, let's see if it runs Linux * gpl-tools to unpack unyaffs * strings, etc., AT+QLINUXCMD=? 
@@ -97,7 +104,7 @@ image:images/ec20.png[height=200,role="gimmick_right"] == GPL compliance -* Linux basis created by Qualcomm used by Quectel +* Linux basis created by Qualcomm and used by Quectel * https://wiki.codeaurora.org/xwiki/bin/QLBEP/ * Many branches, releases, which to use? @@ -252,9 +259,9 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"] image:images/redbend.png[height=76,role="gimmick_right"] * Based on the recovery.git code -* But for some reason (legacy?) is using RedBend -* RSA linked into the binary but not called -* RedBend used by many more companies and systems (e.g. Quectel UC20) +* But for some reason using RedBend for the update (legacy?) +* RSA still linked into the binary but not used +* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive) == RedBend (delta update) software @@ -262,7 +269,8 @@ image:images/redbend.png[height=76,role="gimmick_right"] * Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik]) * Lots of starring at hexdumps, lots of help from Dieter Spaar * Binary file format to diff, inserts, remove, link files -* Variable size Table Of Contents +* Can update images/mtd partitions too +* Variable sized LZMAed Table Of Contents ** Filenames separated with 0x00 ** Permissions separated with 0xAF ** Sections for diff, inserts with crc32, filesize, permission @@ -296,10 +304,8 @@ Start download fota for update.zip image:images/upgrade_process.png[] - -== Firmware example - -* Show it? +* Applies what ever was downloaded... +* Assumes no MITM is possible == Recommedation diff --git a/2016/33c3/Makefile b/2016/33c3/Makefile index 507bf69..51c8a92 100644 --- a/2016/33c3/Makefile +++ b/2016/33c3/Makefile 
@@ -4,5 +4,8 @@ all: 33c3-modems.html images/upgrade_process.png: images/upgrade_process.blockdiag blockdiag -a -o images/upgrade_process.png images/upgrade_process.blockdiag -33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png +images/diag_frame.png: images/diag_frame.blockdiag + blockdiag -a -o images/diag_frame.png images/diag_frame.blockdiag + +33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png images/diag_frame.png asciidoc -a stylesheet=$(PWD)/33c3-modems.css 33c3-modems.adoc diff --git a/2016/33c3/images/28c3_option_stick.png b/2016/33c3/images/28c3_option_stick.png Binary files differnew file mode 100644 index 0000000..00f0ce6 --- /dev/null +++ b/2016/33c3/images/28c3_option_stick.png diff --git a/2016/33c3/images/diag_frame.blockdiag b/2016/33c3/images/diag_frame.blockdiag new file mode 100644 index 0000000..171d650 --- /dev/null +++ b/2016/33c3/images/diag_frame.blockdiag @@ -0,0 +1,16 @@ +blockdiag { + node_height = 100; + span_width = 2; + default_fontsize = 16; + + START [label="0x7E"]; + CMD [label="CMD"]; + DAT [label="Payload", width=300]; + CRC [label="CRC16"]; + END [label="0x7E"]; + + START -> CMD [style = none]; + CMD -> DAT [style = none]; + DAT -> CRC [style = none]; + CRC -> END [style = none]; +} diff --git a/2016/33c3/images/upgrade_process.blockdiag b/2016/33c3/images/upgrade_process.blockdiag index fdd769d..4e94ef3 100644 --- a/2016/33c3/images/upgrade_process.blockdiag +++ b/2016/33c3/images/upgrade_process.blockdiag @@ -1,12 +1,16 @@ blockdiag { node_width = 200; + default_group_color = none; AT [label="atfwd_daemon"]; QC [label="QCMAP_ConnectionManager"]; WG [label="wget"]; RI [label="recovery image"]; - AT -> QC; - AT -> WG -> RI; + AT -> QC [label="start"]; + AT -> WG [label="start"]; + AT -> RI [label="reboot"]; + + group { WG; RI }; } |
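Review bot: in the first 33c3-modems.adoc hunk (@@ -22,59), the unchanged context line "Like Tobias Engels ... x-goldmon" should read "Tobias Engel's", and the new bullet "Get a copy of the radio network message" drops the plural the removed line had; "messages" fits a slide about exporting a stream of them to GSMTAP. The rewritten "Qualcomm DIAG protocol" slide also removes the concrete operations the old bullets listed (enable logging/events per subsystem, trigger firmware upgrade, read/write RAM) in favour of "Events, Logging, Command/Response"; since the firmware-upgrade and RAM access items are what the later update-process slides build on, consider keeping them as sub-bullets next to the new frame diagram.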
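Review bot: in the RedBend hunk (@@ -262,7), "Lots of starring at hexdumps" in the context line should be "staring", and the new bullet "Variable sized LZMAed Table Of Contents" reads better as "Variable-sized, LZMA-compressed Table Of Contents" so the abbreviation does not have to be guessed by readers who do not know the format.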
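Review bot: in the update-process hunk (@@ -296,10), "Applies what ever was downloaded..." should be "whatever", and the context heading "== Recommedation" is misspelled ("Recommendation"). These two new bullets now carry the security conclusion of the diagram (update.zip fetched with wget and applied with no integrity check, so the scheme only holds if the network path is trusted); stating on the same slide that the RSA code is linked but not used, as the earlier RedBend hunk does, would make the slide self-contained.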
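Review bot: in the Makefile hunk, the new images/diag_frame.png rule repeats the upgrade_process.png rule line for line; a pattern rule such as "images/%.png: images/%.blockdiag" with the recipe "blockdiag -a -o $@ $<" covers both diagrams and any later ones, and the 33c3-modems.html prerequisites then only need the .png names. Also verify the two new recipe lines kept a leading tab rather than spaces, since make rejects space-indented recipes with "missing separator" and the flattened diff here does not show which was used.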
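Review bot: in the new images/diag_frame.blockdiag, the frame is drawn as 0x7E, CMD, Payload, CRC16, 0x7E but nothing says which fields the CRC16 covers; a note on the CRC node or in the accompanying adoc slide ("Simple HDLC frame (0x7e), cmd, data, CRC16") would let the diagram serve as a reference when reading raw frame dumps.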
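Review bot: in the images/upgrade_process.blockdiag hunk, every edge now originates at atfwd_daemon, so the diagram no longer shows that the recovery image consumes what wget fetched, which the removed "AT -> WG -> RI" chain did express. If the new group box is meant to convey that relationship, an explicit "WG -> RI" edge inside the group (labelled with the downloaded file) keeps the data flow visible alongside the "start"/"reboot" control edges.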