From 58ebf63972072216e7e98b4adfa153928c312937 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Tue, 27 Dec 2016 00:02:57 +0100 Subject: More wip for the structure and content of the talk --- 2016/33c3/33c3-modems.adoc | 256 ++++++++++++++++++++++------- 2016/33c3/images/legato_flash.png | Bin 0 -> 48841 bytes 2016/33c3/images/qualcom_many_releases.png | Bin 0 -> 46664 bytes 2016/33c3/images/quectel_ipr.pdf | Bin 0 -> 178034 bytes 2016/33c3/images/sl6087_hw.png | Bin 0 -> 1594528 bytes 5 files changed, 194 insertions(+), 62 deletions(-) create mode 100644 2016/33c3/images/legato_flash.png create mode 100644 2016/33c3/images/qualcom_many_releases.png create mode 100644 2016/33c3/images/quectel_ipr.pdf create mode 100644 2016/33c3/images/sl6087_hw.png (limited to '2016') diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc index e39d592..d7aec22 100644 --- a/2016/33c3/33c3-modems.adoc +++ b/2016/33c3/33c3-modems.adoc @@ -1,100 +1,211 @@ Dissecting modern (3G/4G) cellular modems ========================================= -:author: Harald Welte +:author: Harald Welte , Holger Hans Peter Freyther #:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA) :backend: slidy :max-width: 45em //include::33c3-modems.css[] -== Motivation - -// 9 years of Osmocom? -// 3G and 4G development -// Hardware for decoding -* 9 years of Osmocom, 7 years since OsmocomBB -* Started to look at implementing 3G/4G -* Modems are a tool for research and development -** Logs to analyze a specific problem -** Traces to learn how something works -* Modems power cellular IoT devices -** 1.1 billion new cellular devices by 2021 -** eCall for vehicles -** Integrated and worldwide certifications - == This talk +* Our motivation and approach * A bit of History -* Device overview -* Qualcomm Kernel, Drivers and Userspace +* Selecting a device +* An unexpected surprise * Firmware upgrade +* Recommendations/Wishes -== History - -* Wavecom, Sierra Wireless OpenAT systems -* OpenAT allowed to build C code -* Dynamically loaded into the modem OS -* Runs without privilege separation, MMU -* Odd limitations, blocking leads to watchdog reset +== Motivation -[role="change_topic"] -== Device/Market overview +// 9 years of Osmocom? +// 3G and 4G development +// Hardware for decoding +* Implementing GSM specifications for the last decade (OpenMoko, Osmocom) +* 7 years since OsmocomBB for GSM +* In the past used and built devices using 2G modems +* Started to build 3G/4G software, logs/traces help -== Chipset vendors +== History -* Intel -* Mediatek -* Qualcomm -* ??? +image:images/sl6087_hw.png[height=280,role="gimmick_right"] -== Stack vendors +* OpenAT by Sierra Wireless +* 2G and 3G were available +* Write C code using OpenAT APIs +* Dynamically loaded into the RTOS +* Runs without privilege separation, MMU +* Eclipse based IDE and plugins (in clojure) +* Discontinued HW platform => Locked in +* Various limitations -* Fewer than used to be? -* Risk of monoculture +== Device requirements -== Modem vendors +* Get textual logging when handling messages +* Get a copy of the radio network messages and export to GSMTAP +* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] +* But for GPRS, 3G and 4G +* Enabled by default and not to be removed -* Mostly Qualcomm based chipsets -* Cinterion, Huawei, U-Blox, Quectel, Sierra Wireless, Telit, ... +== DIAG protocol -== Qualcomm HW +* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3) +* HDLC frame, CRC16, simple framing (0x7e) +* Command, Response, Events +** Enable logging of subsystems +** Enable events for subsystems +** Trigger firmware upgrade +** Read/Write RAM +* ModemManager uses it for additional information +* gsmparser of snoopsnitch to export to GSMTAP -* Patents on CDMA technology -* Extending their market position in 3G to 4G -* Product wide diagnostic, log, control interface +== Selecting a device -== DIAG protocol +* 3G Options Icon stick exposes DIAG out of the box +* Quectel UC20 (2G+3G) enable it by default +* Quectel EC20 (2G+3G+4G) enable it by default +* 2G, 3G and 4G sounds quite nice -* HDLC frame, CRC16, simple framing -* Command and Response -** E.g. enable logging for categories -** Read/Write NVRAM -* Various implementations (e.g. ModemManager) == Quectel EC20 image:images/ec20.png[height=200,role="gimmick_right"] -* DIAG port mentioned in the documentation -* Is available out of the box -* MDM 9615 based module for 2G, 3G, 4G +* Using a Qualcomm MDM 9615 chipset +* Also used in the iPhone5 * Surprisingly runs Linux * Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov]) +* Not a lot of documentation available // Erst ein mal EC20 und sagen wieso es interessant ist // und dann, dass es Linux hat.. um dann ein Block diagram // zu haben? [role="change_topic"] -== Qualcomm Details +== An unexpected surprise + +== GPL compliance + +* Got a firmware upgrade to fix stability +* Might contain traces of Linux? +* No written offer, let's see if it runs Linux +* gpl-tools to unpack unyaffs +* strings, etc., AT+QLINUXCMD=? +* The fun and exploration begins + + +== GPL compliance + +* Linux basis created by Qualcomm used by Quectel +* https://wiki.codeaurora.org/xwiki/bin/QLBEP/ +* Many branches, releases, which to use? + +[quote, Tonino Perazzi] +I tried instruction above to build yaffs2 for MDM9615, so I downloaded source M9615AAAARNLZA1611161.xml but during compilation I faced some libs that are missing such as libQMI and acdb-loader.. + +image:images/qualcom_many_releases.png[width="80%"] + +== GPL compliance + +[quote, Us] +Asking for the complete and corresponding source + +[quote, Quectel] +Receiving source for the flash tool + +== GPL compliance + +[quote, Us] +Asking for the complete and corresponding source + +[quote, Quectel] +We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party. + + +== GPL compliance + +[quote, Us] +Asking for the complete and corresponding source + +[quote, Quectel] +We appreciate the efforts that your client had put into the open source +project netfilter/iptable. However, We have some doubts about the alleged +copyright. From our perspective, your client does not have the right to +empower the copyright. We think software netfilter/iptable is built on +the code operating system GUN/Linux, thus subject to GPL terms, where FSF +requires that each author of code incorporated in FSF projects either +provide copyright assignment to FSF or disclaim copyright (“we should keep +the copyright status of the program as simple as possible. We do this by +asking each contributor to either assign the copyright on his contribution +to the FSF, or disclaim copyright on it and thus put it in the public +domain”). Therefore, It seems that your client does not have the copyright +on netfilter/iptable. +As one of the leading providers of wireless solution, Quectel is always +respectful IPR. We would like to compliant with GPL and do some necessary +statements,including a disclaimer or appropriate notices. Under the terms +of GPL, we would like to dedicate Kernel code of EC25x to free software +community. + +== GPL compliance + +[quote, Us] +Asking for the complete and corresponding source + +[quote, Quectel] +Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step. + +== GPL compliance + +[quote, Us] +Asking for the complete and corresponding source + +[quote, Quectel] +We are always willing to achieve GPL compliance. + +== GPL compliance + +[quote, Us] +Asking for the complete and corresponding source + +[quote, Quectel] +To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that. + +== GPL compliance + +[quote, Us] +Your tarball is missing some files. + +[quote, Quectel] + We have issued all GPL licensed source code. + We have no the xt_dscp file in the project, and nor Qulacomm. It must be + caused by your compilation environment. + If you have more question or problem during the development with Quectel + module, please add my Skype ID (XXXXX), I will continue to support you + on Skype. + The email will not discuss the compiling issue any more.'' + + + +== GPL compliance + +* ... many months later +* License compliance still not achieved +* Sierra Wireless Legato is a positive example + +image:images/legato_flash.png[width="80%"] + +[role="change_topic"] +== MDM 9615 HW and SW -== MDM 9615 HW Intro + +== Qualcomm Hardware * Qualcomm MDM 9615 chipset * Used in the iPhone 5 and automotive * Modems like Quectel EC20, Sierra Wireless MC7355 * No public HW documentation?! +* Either not many people study it or are not allowed to share? == MDM 9615 HW Overview @@ -127,13 +238,18 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"] == ... +== Funny commands + +* AT+QLINUXCMD, e.g. switch usb config to get adb +* AT+QFASTBOOT, switch to the bootloader +* AT+QPRINT, print dmesg +* AT for system("echo mem > /sys/power/state") + [role="change_topic"] == Firmware upgrade -// put the headline in the center - == recovery and applypatch * Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git] @@ -195,16 +311,32 @@ Start download fota for update.zip image:images/upgrade_process.png[] -== Hijacking firmware upgrade +== Firmware example -* Prepare a .diff with a new binary -* Operate a fake BTS/nodeB/eNodeB -* Trigger or wait for firmware update check -* Redirect request -* Wait for firmware to be installed -* Optionally make it look like a network error +* Show it? + + +== Recommedation + +* Continue to allow owners of devices to reflash +* Secure the FOTA upgrading with owner specified keys +* Make it more easy to rebuild code == Questions * Questions? + + +== Announcement + +* 3G femtocells for Osmocom/OpenBSC development + +== Links + +* Collection of links for further study +* https://osmocom.org/projects/quectel-modems +* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf +* https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf +* https://github.com/2b-as/xgoldmon +* https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf diff --git a/2016/33c3/images/legato_flash.png b/2016/33c3/images/legato_flash.png new file mode 100644 index 0000000..6bea66a Binary files /dev/null and b/2016/33c3/images/legato_flash.png differ diff --git a/2016/33c3/images/qualcom_many_releases.png b/2016/33c3/images/qualcom_many_releases.png new file mode 100644 index 0000000..8384a4b Binary files /dev/null and b/2016/33c3/images/qualcom_many_releases.png differ diff --git a/2016/33c3/images/quectel_ipr.pdf b/2016/33c3/images/quectel_ipr.pdf new file mode 100644 index 0000000..982cb68 Binary files /dev/null and b/2016/33c3/images/quectel_ipr.pdf differ diff --git a/2016/33c3/images/sl6087_hw.png b/2016/33c3/images/sl6087_hw.png new file mode 100644 index 0000000..ed204a1 Binary files /dev/null and b/2016/33c3/images/sl6087_hw.png differ -- cgit v1.2.3