From 809379fb58b05411ca51bb7f14c9cb8394de08bb Mon Sep 17 00:00:00 2001 
From: Harald Welte Date: Thu, 29 Dec 2016 18:35:30 +0100 Subject: rename 33c3 directory --- 2016/33c3/.gitignore | 7 - 2016/33c3/33c3-modems.adoc | 528 ---------- 2016/33c3/33c3-modems.css | 31 - 2016/33c3/Makefile | 10 - 2016/33c3/images/28c3_option_stick.png | Bin 383889 -> 0 bytes 2016/33c3/images/Android_robot.svg | 19 - 2016/33c3/images/Android_robot_GNU_head.svg | 1109 -------------------- 2016/33c3/images/delta_header.png | Bin 15978 -> 0 bytes 2016/33c3/images/diag.dot | 29 - 2016/33c3/images/diag.svg | 507 --------- 2016/33c3/images/diag_frame.blockdiag | 16 - 2016/33c3/images/ec20.png | Bin 107045 -> 0 bytes 2016/33c3/images/ec20_uart.jpg | Bin 2431521 -> 0 bytes 2016/33c3/images/gandroid_logo.png | Bin 134316 -> 0 bytes 2016/33c3/images/heckert_gnu.svg | 94 -- 2016/33c3/images/heckert_gnu_filling.png | Bin 54056 -> 0 bytes 2016/33c3/images/legato_flash.png | Bin 48841 -> 0 bytes 2016/33c3/images/mpcie_breakout.jpg | Bin 1077055 -> 0 bytes 2016/33c3/images/mv_uart.jpg | Bin 966890 -> 0 bytes 2016/33c3/images/qmi_services.dot | 27 - 2016/33c3/images/qmi_smd_qmuxd.dot | 37 - 2016/33c3/images/qmi_smd_qmuxd.svg | 567 ---------- 2016/33c3/images/qualcom_many_releases.png | Bin 46664 -> 0 bytes 2016/33c3/images/qualcomm_le.svg | 954 ----------------- 2016/33c3/images/quectel_ipr.jpg | Bin 57525 -> 0 bytes 2016/33c3/images/quectel_ipr.pdf | Bin 178034 -> 0 bytes 2016/33c3/images/redbend.png | Bin 15643 -> 0 bytes 2016/33c3/images/sl6087_hw.png | Bin 1594528 -> 0 bytes 2016/33c3/images/upgrade_process.blockdiag | 16 - 2016/cellular_modems_33c3/.gitignore | 7 + 2016/cellular_modems_33c3/33c3-modems.adoc | 528 ++++++++++ 2016/cellular_modems_33c3/33c3-modems.css | 31 + 2016/cellular_modems_33c3/Makefile | 10 + .../images/28c3_option_stick.png | Bin 0 -> 383889 bytes 2016/cellular_modems_33c3/images/Android_robot.svg | 19 + .../images/Android_robot_GNU_head.svg | 1109 ++++++++++++++++++++ 2016/cellular_modems_33c3/images/delta_header.png | Bin 0 -> 15978 bytes 
2016/cellular_modems_33c3/images/diag.dot | 29 + 2016/cellular_modems_33c3/images/diag.svg | 507 +++++++++ .../images/diag_frame.blockdiag | 16 + 2016/cellular_modems_33c3/images/ec20.png | Bin 0 -> 107045 bytes 2016/cellular_modems_33c3/images/ec20_uart.jpg | Bin 0 -> 2431521 bytes 2016/cellular_modems_33c3/images/gandroid_logo.png | Bin 0 -> 134316 bytes 2016/cellular_modems_33c3/images/heckert_gnu.svg | 94 ++ .../images/heckert_gnu_filling.png | Bin 0 -> 54056 bytes 2016/cellular_modems_33c3/images/legato_flash.png | Bin 0 -> 48841 bytes .../cellular_modems_33c3/images/mpcie_breakout.jpg | Bin 0 -> 1077055 bytes 2016/cellular_modems_33c3/images/mv_uart.jpg | Bin 0 -> 966890 bytes 2016/cellular_modems_33c3/images/qmi_services.dot | 27 + 2016/cellular_modems_33c3/images/qmi_smd_qmuxd.dot | 37 + 2016/cellular_modems_33c3/images/qmi_smd_qmuxd.svg | 567 ++++++++++ .../images/qualcom_many_releases.png | Bin 0 -> 46664 bytes 2016/cellular_modems_33c3/images/qualcomm_le.svg | 954 +++++++++++++++++ 2016/cellular_modems_33c3/images/quectel_ipr.jpg | Bin 0 -> 57525 bytes 2016/cellular_modems_33c3/images/quectel_ipr.pdf | Bin 0 -> 178034 bytes 2016/cellular_modems_33c3/images/redbend.png | Bin 0 -> 15643 bytes 2016/cellular_modems_33c3/images/sl6087_hw.png | Bin 0 -> 1594528 bytes .../images/upgrade_process.blockdiag | 16 + 58 files changed, 3951 insertions(+), 3951 deletions(-) delete mode 100644 2016/33c3/.gitignore delete mode 100644 2016/33c3/33c3-modems.adoc delete mode 100644 2016/33c3/33c3-modems.css delete mode 100644 2016/33c3/Makefile delete mode 100644 2016/33c3/images/28c3_option_stick.png delete mode 100644 2016/33c3/images/Android_robot.svg delete mode 100644 2016/33c3/images/Android_robot_GNU_head.svg delete mode 100644 2016/33c3/images/delta_header.png delete mode 100644 2016/33c3/images/diag.dot delete mode 100644 2016/33c3/images/diag.svg delete mode 100644 2016/33c3/images/diag_frame.blockdiag delete mode 100644 2016/33c3/images/ec20.png delete mode 
100644 2016/33c3/images/ec20_uart.jpg delete mode 100644 2016/33c3/images/gandroid_logo.png delete mode 100644 2016/33c3/images/heckert_gnu.svg delete mode 100644 2016/33c3/images/heckert_gnu_filling.png delete mode 100644 2016/33c3/images/legato_flash.png delete mode 100644 2016/33c3/images/mpcie_breakout.jpg delete mode 100644 2016/33c3/images/mv_uart.jpg delete mode 100644 2016/33c3/images/qmi_services.dot delete mode 100644 2016/33c3/images/qmi_smd_qmuxd.dot delete mode 100644 2016/33c3/images/qmi_smd_qmuxd.svg delete mode 100644 2016/33c3/images/qualcom_many_releases.png delete mode 100644 2016/33c3/images/qualcomm_le.svg delete mode 100644 2016/33c3/images/quectel_ipr.jpg delete mode 100644 2016/33c3/images/quectel_ipr.pdf delete mode 100644 2016/33c3/images/redbend.png delete mode 100644 2016/33c3/images/sl6087_hw.png delete mode 100644 2016/33c3/images/upgrade_process.blockdiag create mode 100644 2016/cellular_modems_33c3/.gitignore create mode 100644 2016/cellular_modems_33c3/33c3-modems.adoc create mode 100644 2016/cellular_modems_33c3/33c3-modems.css create mode 100644 2016/cellular_modems_33c3/Makefile create mode 100644 2016/cellular_modems_33c3/images/28c3_option_stick.png create mode 100644 2016/cellular_modems_33c3/images/Android_robot.svg create mode 100644 2016/cellular_modems_33c3/images/Android_robot_GNU_head.svg create mode 100644 2016/cellular_modems_33c3/images/delta_header.png create mode 100644 2016/cellular_modems_33c3/images/diag.dot create mode 100644 2016/cellular_modems_33c3/images/diag.svg create mode 100644 2016/cellular_modems_33c3/images/diag_frame.blockdiag create mode 100644 2016/cellular_modems_33c3/images/ec20.png create mode 100644 2016/cellular_modems_33c3/images/ec20_uart.jpg create mode 100644 2016/cellular_modems_33c3/images/gandroid_logo.png create mode 100644 2016/cellular_modems_33c3/images/heckert_gnu.svg create mode 100644 2016/cellular_modems_33c3/images/heckert_gnu_filling.png create mode 100644 
2016/cellular_modems_33c3/images/legato_flash.png
create mode 100644 2016/cellular_modems_33c3/images/mpcie_breakout.jpg
create mode 100644 2016/cellular_modems_33c3/images/mv_uart.jpg
create mode 100644 2016/cellular_modems_33c3/images/qmi_services.dot
create mode 100644 2016/cellular_modems_33c3/images/qmi_smd_qmuxd.dot
create mode 100644 2016/cellular_modems_33c3/images/qmi_smd_qmuxd.svg
create mode 100644 2016/cellular_modems_33c3/images/qualcom_many_releases.png
create mode 100644 2016/cellular_modems_33c3/images/qualcomm_le.svg
create mode 100644 2016/cellular_modems_33c3/images/quectel_ipr.jpg
create mode 100644 2016/cellular_modems_33c3/images/quectel_ipr.pdf
create mode 100644 2016/cellular_modems_33c3/images/redbend.png
create mode 100644 2016/cellular_modems_33c3/images/sl6087_hw.png
create mode 100644 2016/cellular_modems_33c3/images/upgrade_process.blockdiag
(limited to '2016')
diff --git a/2016/33c3/.gitignore b/2016/33c3/.gitignore
deleted file mode 100644
index e867027..0000000
--- a/2016/33c3/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-*.sw?
-33c3-modems.html
-images/upgrade_process.png
-images/diag_frame.png
-images/diag.png
-images/qmi_services.png
-images/qmi_smd_qmuxd.png
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
deleted file mode 100644
index e00627f..0000000
--- a/2016/33c3/33c3-modems.adoc
+++ /dev/null
@@ -1,528 +0,0 @@ - -Dissecting modern (3G/4G) cellular modems -========================================= -:author: Harald Welte, Holger Hans Peter Freyther -:copyright: Harald Welte, Holger Hans Peter Freyther (License: CC-BY-SA) -:backend: slidy -:max-width: 45em - -//include::33c3-modems.css[] - -== This talk - -* Our motivation -* A bit of History -* Selecting a device -* An unexpected surprise -* Firmware upgrade -* Outlook/Recommendations/Wishes - -== Motivation - -// 9 years of Osmocom? -// 3G and 4G development -// Hardware for decoding -* Implementing GSM specifications for the last decade (OpenMoko, Osmocom) -* 8 years since _Anatomy of Smartphone Hardware_ at 25C3 -* 7 years since OsmocomBB for GSM -* Used and built M2M devices using 2G modems at work -* so we're looking for a modem that can be used for -** our next-generation M2M/embedded devices -** testing/logging/tracing Osmocom 3G/4G network-side software -** building more tools to help understanding cellular technology - -== Cellular Modems in M2M - -image:images/sl6087_hw.png[height=300,role="gimmick_right"] - -* Assume you want to build a M2M device -* Classic approach to M2M/Embedded cellular: -** Cellular modem with AT commands over Serial/USB -** Main Processor runs M2M application -* if you run Application in Modem, you can save PCB space, power and BOM cost -** OpenAT by Sierra Wireless -*** Write C code using OpenAT APIs -*** Dynamically loaded into the RTOS -*** Runs without privilege separation, MMU -*** Protocol to multiplex AT, log, debug -*** Discontinued HW platform => Locked in -*** Various other limitations - -== Device requirements - -Our requirements for a good modem - -** Ability to run application code inside modem -** Avoid modem supplier vendor lock-in (EOL, ...) 
-** Get textual logging when handling messages -** Get a copy of the radio network messages and export to GSMTAP -*** Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] -*** But for all GPRS, EGPRS, UMTS and LTE messages - -== Qualcomm DIAG protocol - -* Qualcomm DIAG in many products (DVB-H, GSM, ...) -* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3 -* Simple HDLC frame (0x7e), cmd, data, CRC16 - -* Events, Logging, Command/Response -* Thousands of different message structures -* ModemManager, gsm-parser consume only a small fraction - -image:images/diag_frame.svg[width="90%"] - -== Selecting a device - -image:images/28c3_option_stick.png[width="30%",role="gimmick_right"] - -* Old Option Icon 225 stick exposes DIAG out of the box -* Quectel UC20 (2G+3G) expose DIAG by default -** but no LTE support -* Quectel EC20 (2G+3G+4G) expose DIAG by default -** 2G, 3G and 4G sounds quite nice -** EC20 not only a LGA solder module but also as mini-PCIe -*** convenient for early testing / prototyping without custom board - -image:images/ec20.png[height=300,role="gimmick_right"] - -* EC20 using a Qualcomm MDM9615 chipset -** Also used in the iPhone5 -** Almost no documentation on MDM9615 available -** Still, a good candidate for starting our research... - -// Erst ein mal EC20 und sagen wieso es interessant ist -// und dann, dass es Linux hat.. um dann ein Block diagram -// zu haben? - -[role="change_topic"] -== An unexpected surprise - -== Firmware update, hints of Linux - -* Got a firmware upgrade to fix stability / bugs -* Looks like it contains traces of Linux? 
-* Looks like it uses fastboot for the update -* Other people have already found Linux in MDM9615 based products (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov] at DEFCON 23) -* But why would there be Linux inside a Modem? -** Qualcomm is known for their REX/AMSS on Hexagon baseband ?!? -* And if it contains Linux, GPL requires them to mention that, include - License text and provide source code ?!? - -== GPL compliance - -* No written offer, let's see if it runs Linux -* Armijn Hemels `gpltool.git` has `unyaffs` to unpack yaffs -* `strings`, etc. clearly reveal Linux, glibc, busybox -** other interesting strings like `AT+QLINUXCMD=?` show up -* The fun and exploration begins... -** technical analysis (serial console, firmware reversing, ...) -** legal enforcement to get source code of GPL/LGPL components (Harald is founder of http://gpl-violations.org[gpl-violations.org]) - -== Hardware based analysis - -* mPCIe modules often expose additional signals like PCM audio on - non-standard pins -* existing PC/embedded mainboards don't use those signals -* create Osmocom mPCIe-breakout board to access those signals -* https://osmocom.org/projects/mpcie-breakout/wiki - -image:images/mpcie_breakout.jpg[width="70%"] - -== Serial Console - -* EC20 solder module documents DBG_UART pinout, but not all modules - have it enabled? 
-* serial console is at 1.8V, but the 1.8V supply is not accessible (so - not easy to add external level shifter / Vref) -* create Osmocom multi-voltage USB-UART with selectable 1.8, - 2.3, 2.5, 2.8, 3.0 and 3.3V logic level - -image:images/mv_uart.jpg[width="40%",role="gimmick_right"] - -* https://osmocom.org/projects/mv-uart/wiki -* root password (DES hash): `oelinux123` - -== Retro-fitting Serial Console to mPCIe module - -* unfortunately the DBG_UART on the LGA module solder pads is not - exposed to mPCIE -* some soldering required to retro-fit a 2.54mm header: - -image:images/ec20_uart.jpg[width="70%"] - -== GPL compliance - -* Linux basis created by Qualcomm and used by Quectel -** https://wiki.codeaurora.org/xwiki/bin/QLBEP/ -** Many branches, releases, which to use? - -[quote, Tonino Perazzi] -I tried instruction above to build yaffs2 for MDM9615, so I downloaded source `M9615AAAARNLZA1611161.xml` but during compilation I faced some libs that are missing such as libQMI and acdb-loader.. - -image:images/qualcom_many_releases.png[width="80%"] - -== GPL compliance - -[qanda] -Asking for the complete and corresponding source:: -[quote,Quectel] -** The source code of Qflash tool in Linux is attached, [...] -[qanda] -Asking again for the complete and corresponding source:: -[quote,Quectel] -We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party. - -image:images/quectel_ipr.jpg[width="100%"] - -== GPL compliance - -[qanda] -Asking for the complete and corresponding source:: -[quote,Quectel] - We appreciate the efforts that your client had put into the open source -project netfilter/_iptable_. However, [...] *your client does not have the right to -empower the copyright*. 
We think software netfilter/iptable is built on -the code operating system _GUN_/Linux, thus subject to GPL terms, where FSF -requires that each author of code incorporated in FSF projects either -provide copyright assignment to FSF or disclaim copyright. Therefore, -It seems that *your client does not have the copyright on netfilter/iptable.* + - + -As one of the leading providers of wireless solution, *Quectel is always -respectful IPR*. We would like to compliant with GPL and do some necessary -statements,including a disclaimer or appropriate notices. Under the terms -of GPL, we would like to dedicate Kernel code of EC25x to free software -community. - -== GPL compliance - -[qanda] -Asking for the complete and corresponding source:: -[quote,Quectel] - Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step. - -[qanda] -Asking for the complete and corresponding source:: -[quote,Quectel] - We are always willing to achieve GPL compliance. - -[qanda] -Asking for the complete and corresponding source:: -[quote,Quectel] - So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that. - -== GPL compliance - -[qanda] -Your tarball is missing some files:: -[quote,Quectel] -We have issued all GPL licensed source code. -*We have no the xt_dscp file in the project, and nor Qulacomm*. It must be -caused by your compilation environment. -If you have more question or problem during the development with Quectel -module, please add my Skype ID (XXXXX), I will continue to support you -on Skype. 
+ -*The email will not discuss the compiling issue any more.* - - - -== GPL compliance - -* ... many months later -** we have received various source tarballs -** they contain not only GPL/LGPL code but other FOSS code (thanks!) -** full license compliance still not achieved, but improving... -* Sierra Wireless Legato is a positive example of a competitor -** they not only provide the OE/Linux source but extensive -documentation! -** but they try to lure customers into a proprietary Legato framework, -and thus again vendor-lock-in :( - -image:images/legato_flash.png[width="80%"] - -[role="change_topic"] -== MDM 9615 HW and SW - - -== Qualcomm Hardware - -* Qualcomm MDM9615 chipset -* Used in the iPhone 5 and automotive -* Modems like Quectel EC20, Sierra Wireless MC7355 -* No public HW documentation?! -* Either not many people study it or are not allowed to share? - -== MDM 9615 HW Overview - -* ???? -// Block diagram? -// Listing of interfaces. -// Show it is a highly complex SoC... with even more things -// that are unknown.. device tree file, peripheral, etc - - -== How to access the system? 
- -* serial console requires soldering re-work and is slow -* easy mechanism to get shell and transfer files from/to target -* Android `adbd` present on the modem but not exposed via USB -* it's possible to re-configure the Linux kernel Android USB Gadget: -** `AT+QLINUXCMD="/usr/bin/usb_uartdiag"` -** device re-enumerates with different composite USB interfaces -* Linux kernel driver on host needs patching (static interface - mapping assumption) -** patches available in `quectel-experiments.git`, documented in wiki - - -== MDM 9615 AP SW Overview - -image:images/gandroid_logo.png[height=200,role="gimmick_right"] - -The software stack seems to be called *Qualcomm LE* - -* Android Bootloader -* Android Linux kernel -* Android Debug Bridge (adb) -* but: GNU libc, busybox userland -* Using OpenEmbedded to build images -* Developed and maintained by Qualcomm - - -== Qualcomm Linux kernel overview - -* Qualcomm Android Linux kernel -* Huge changes compared to mainline `git diff -w | wc -l` -** `v3.0.21` in EC20: 1.5 million lines -** `v3.18.20` in EC25: 1.9 million lines -* Expected: CPU + peripheral drivers -* Less expected: -** smem_log (shared memory logging) -** ipc_log (inter-processOR communication) -** remote spinlocks - -== Qualcomm Linux kernel subsystems - -Some of the Qualcomm-specific kernel sub-systems - -[cols="20%,80%"] -|=== -|SMD|Shared Memory Device -|IPC|Inter Processor Communications -|RMNET|Remote Network -|BAM|Bus Access Manager -|IPA|Internet Packet Accelerator -|DIAGFWD|DIAG Forwarding -|AF_MSM_IPC|Socket family for Qualcomm IPC -|=== - -== Qualcomm LE System Architecture - -image:images/qualcomm_le.svg[width="50%",role="gimmick_right"] - -* simplified block diagram -* USB interface fully controlled by Linux AP -** very complex Qualcomm Android USB Gadget -** some endpoints mapped to SMD queues -** other endpoints handled by _regular_ Linux -** GPS NMEA takes completely different path than AT commands, despite -both being serial ports? 
-** DIAG and QMI handled in more complex ways - -== DIAG in Qualcomm LE - -* DIAG interface of Modem exposed on SMD -* diagfwd distributes messages between USB, SMD and `/dev/diagchar` -* Linux userspace processes don't use syslog, but diag msg for logging via `libdiag.so` - -image:images/diag.svg[width="100%"] - -== QMI in Qualcomm LE - -every `rmnet` data device has associated QMI control - -* on your Linux PC: `qmi_wwan` and `/dev/cdc-wdm` -* on Qualcomm LE modem: `/dev/smdcntlN`, multiplexed by `qmuxd` - -image:images/qmi_smd_qmuxd.svg[width="100%"] - -== Tools for analysis - -We created some tools to help our analysis - -* used OE to build matching `opkg` and OE packages for `socat`, `lsof`, `strace` -* FOSS programs for the Linux AP linked against proprietary `libqmi-framework.so` -** `qmi_test`: Simple program to read IMEI via QMI -** `atcop_test`: Test program to implement AT commands in Linux userspace -* 100% FOSS programs -** `qmuxd_wrapper`: LD_PRELOAD wrapper for tracing between `qmuxd` and QMI clients -** `libqmi-glib` transport support for `qmuxd` (work in progress) -** `osmo-qcdiag`: Host tool for obtaining DIAG based logs from Linux programs + QMI traces, decoded via `libmi-glib` - -== Userspace programs - -We found a bunch of proprietary Linux userspace programs - -[cols="20%,80%"] -|=== -|`adbd`|Implements Android Debug Bridge -|`atfwd_daemon`|Implement Quectel-Specific AT Commands -|`quectel_daemon`|?; various ASoC related bits -|`qti`|? -|`mbim`|Mobile Broadband IF Model (translates MBIM to QMI) -|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router with LTE backhaul -|`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0` -|=== - -[role="change_topic"] -== Funny bits + pieces - -== Funny AT commands - -* `AT+QLINUXCMD`, e.g. switch usb config to get adb -** arbitrary shell commands executed as root on r/w rootfs! 
-* `AT+QFASTBOOT`, switch to the bootloader -* `AT+QPRINT`, print dmesg -* AT for `system("echo mem > /sys/power/state")` - -== How many processes does it take to reboot a system? - -* `rebootdiagapp` registers DIAG command (cmd code 0x29) -** spawns thread that runs `system("qmi_simple_ril_test input=/tmp/reset")` -** `system("echo 'modem reset' > /tmp/reset")` -*** makes `qmi_simple_ril_test` send a QMI message to modem -** `system("rm /tmp/reset")` -** writes "REBOOT" to `/dev/rebooterdev` this time using `fwrite()`! -* `reboot_daemon` reads `/dev/rebooterdev` - ----- -read_count = read(pipe_fd,buf,MAX_BUF-1); -/* if read REBOOT_STR, then call reboot */ -if(strncmp(buf,REBOOT_STR,strlen(REBOOT_STR)) == 0) { - debug_printf("going for reboot\n"); - printf("reboot-daemon: initiating reboot\n"); - system("reboot"); -} ----- - -== C programs that look like shell scripts - -* strings /usr/bin/quectel_daemon - ----- -echo "nau8814-aif1" > /sys/devices/platform/soc-audio.0/tx_dai_name -cp -f /cache/usb/qcfg_usbcfg /etc/; cp -f /cache/usb/usb /etc/init.d/ -echo 90 >/sys/kernel/debug/pm8xxx-pwm-dbg/0/duty-cycle -pkill -f "/bin/sh /usr/bin/nmea_demon.sh" -ps ef | grep "quec_bridge /dev/nmea /dev/ttyGS0" | grep -v grep -cd /cache/ufs;ls ----- - -[role="change_topic"] -== Firmware upgrade - -== recovery and applypatch - -* Qualcomm uses https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git] from Android ~4.0 -* Updates are zip files with deltas, SHA1+RSA -* recovery started on boot, drives applypatch ----- -// Look for an RSA signature embedded in the .ZIP file comment given -// the path to the zip. Verify it matches one of the given public -// keys. ----- - -== Qualcomm EC20 firmware upgrade - -image:images/redbend.png[width="30%",role="gimmick_right"] - -* Based on the recovery.git code -* But for some reason using RedBend for the update (legacy?) 
-* RSA still linked into the binary but not used -* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive) - - -== RedBend (delta update) software - -* Used in OMA DeviceManagement as well? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Mathew Solnik]) -* Lots of starring at hexdumps, lots of help from Dieter Spaar -* Created tools to partially extract and create .diff files -* Heavy in pointers/offsets, not robust -* Crashes on crafted files -* Not cryptographically signed! - -image:images/delta_header.png[width="80%"] - - -== Firmware upgrade overview - -image:images/upgrade_process.svg[width="55%",role="gimmick_right"] -//[source] ----- -$ strings atfwd_daemon | egrep "wget|QCMAP|fota|update.z" - -... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet -/usr/bin/wget -T 20 -t 3 %s -O %s -mv %s %s && mkdir -p /cache/fota && echo %s > %s -/cache/fota/ipth_config_dfs.txt -rm -rf /cache/fota /cache/recovery /cache/update.zip -Start download fota for update.zip ----- - -* atfwd_daemon can be asked to start upgrade -* Configure APN, specify URL, store result to update.zip -* Add status and reboot to recovery -* Apply update.zip and reboot - -== Recommendation to modem vendors - -* It is great to have an open and accessible Qualcomm based modem for - further research and developing custom applications/extensions -* Security issues (particularly unverified FOTA) must be fixed -* We need security from attackers _without locking out the user/owner_ -** If vendors introduce verified boot and/or FOTA, allow owner specified keys! -* Please keep it open, good for learning and many applications -* Allow owners to modify the software of their device -* Secure the FOTA upgrading with owner specified keys - -== Status and Outlook - -* Status today -** Osmocom wiki with all our findings public now! 
-** debug tools (`osmo-qcdiag`, LD_PRELOAD wrapper, `qmi_test`, etc.) released -** mpcie-breakout + mv-uart released + available -** `libqmi-glib` integration WIP -* Outlook -** we hope to grow documentation in wiki -** please help us out: read code, play with devices + update wiki -** OE/opkg package feed planned -** aim is to have 100% FOSS userland on Cortex-A5 - -== Unrelated Announcement - -* Osmocom project has gained support for 3G/3.5G during 2016 -* Osmocom suffers from lack of contributions :( -* We want to motivate more contributions -** _Accelerate 3.5G_ programme provides 50 free 3.5 femtocells to contributors -** tell us how you would use your free femtocell to improve Osmocom -** Call for Proposals runs until January 31st, 2017. -** see http://sysmocom.de/downloads/accelerate_3g5_cfp.pdf - -== Questions - -* Questions? - - - -== Links - -* Our results / hacks -** https://osmocom.org/projects/quectel-modems -** git://git.osmocom.org/quectel-experiments.git -** git://git.osmocom.org/osmo-qcdiag.git -** ftp://ftp.osmocom.org/quectel (mirrored) -* Collection of links for further study -** ftp://ftp2.quectel.com/OpenSrc/ -** https://wiki.codeaurora.org/xwiki/bin/QLBEP/ -** https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf -** https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf -** https://github.com/2b-as/xgoldmon -** https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf diff --git a/2016/33c3/33c3-modems.css b/2016/33c3/33c3-modems.css deleted file mode 100644 index 0e43ccb..0000000 --- a/2016/33c3/33c3-modems.css +++ /dev/null 
@@ -1,31 +0,0 @@ -div.change_topic { - display: flex; - align-items: center; - justify-content: center; -} - -div.change_topic h1 { - text-align: center; - border-bottom-width: 0px; -} - -span.gimmick_right img { - float: right; -} - -div.qanda ol { - list-style-type: none; -} - -.monospaced, code, pre { - color: black; - font-weight: bold; -} - -div.quoteblock, div.verseblock { - color: black; -} - -em { - color: black; -} diff --git a/2016/33c3/Makefile b/2016/33c3/Makefile deleted file mode 100644 index 4f92de6..0000000 --- a/2016/33c3/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -all: 33c3-modems.html - -images/upgrade_process.svg: images/upgrade_process.blockdiag - blockdiag -Tsvg -a -o images/upgrade_process.svg images/upgrade_process.blockdiag - -images/diag_frame.svg: images/diag_frame.blockdiag - blockdiag -Tsvg -a -o images/diag_frame.svg images/diag_frame.blockdiag - -33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.svg images/diag_frame.svg - asciidoc -a stylesheet=$(PWD)/33c3-modems.css 33c3-modems.adoc diff --git a/2016/33c3/images/28c3_option_stick.png b/2016/33c3/images/28c3_option_stick.png deleted file mode 100644 index 00f0ce6..0000000 Binary files a/2016/33c3/images/28c3_option_stick.png and /dev/null differ diff --git a/2016/33c3/images/Android_robot.svg b/2016/33c3/images/Android_robot.svg deleted file mode 100644 index 4e8f114..0000000 --- a/2016/33c3/images/Android_robot.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/2016/33c3/images/Android_robot_GNU_head.svg b/2016/33c3/images/Android_robot_GNU_head.svg deleted file mode 100644 index 4e56f15..0000000 --- a/2016/33c3/images/Android_robot_GNU_head.svg +++ /dev/null @@ -1,1109 +0,0 @@ - - - - - - - - - - - - image/svg+xml - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/2016/33c3/images/delta_header.png b/2016/33c3/images/delta_header.png deleted file mode 100644 index f5cb75c..0000000 Binary files a/2016/33c3/images/delta_header.png and /dev/null differ diff --git a/2016/33c3/images/diag.dot b/2016/33c3/images/diag.dot deleted file mode 100644 index 4114e52..0000000 --- a/2016/33c3/images/diag.dot +++ /dev/null @@ -1,29 +0,0 @@ -#!graphviz -digraph G { - graph [ dpi = 50 ]; - rankdir = RL; - - MDSP [ label = "Modem DSP" ]; - - SMD - diagfwd - f_diag - USB - - SMD -> MDSP - subgraph cluster_kernel { - label = "Linux Kenrnel" - diagfwd -> SMD - diagchar -> diagfwd - f_diag -> diagfwd - USB -> f_diag - } - subgraph cluster_userspace { - label = "Linux Userspace" - qmuxd -> diagchar [ label = "/dev/diag" ]; - atfwd_daemon -> qmuxd [ label = "/dev/diag" ] - QCMAP -> qmuxd [ label = "/dev/diag" ] - quectel_daemon -> qmuxd [ label = "/dev/diag" ] - } - Host -> USB -} diff --git a/2016/33c3/images/diag.svg b/2016/33c3/images/diag.svg deleted file mode 100644 index aa78778..0000000 --- a/2016/33c3/images/diag.svg +++ /dev/null @@ -1,507 +0,0 @@ - - - - - - - - - - image/svg+xml - - - - - - - - - G - - - cluster_kernel - - Linux Kenrnel - - - cluster_userspace - - Linux Userspace - - - - MDSP - - Modem DSP - - - - SMD - - SMD - - - - SMD->MDSP - - - - - - diagfwd - - diagfwd - - - - diagfwd->SMD - - - - - - f_diag - - f_diag - - - - f_diag->diagfwd - - - - - - USB - - USB - - - - USB->f_diag - - - - - - diagchar - - diagchar - - - - diagchar->diagfwd - - - - - - qmuxd - - qmuxd - - - - qmuxd->diagchar - - - /dev/diag - - - - atfwd_daemon - - atfwd_daemon - - - - atfwd_daemon->qmuxd - - - /dev/diag - - - - QCMAP - - QCMAP - - - - QCMAP->qmuxd - - - /dev/diag - - - - quectel_daemon - - quectel_daemon - - - - quectel_daemon->qmuxd - - - /dev/diag - - - - Host - - Host - - - - Host->USB - - - - - 
diff --git a/2016/33c3/images/diag_frame.blockdiag b/2016/33c3/images/diag_frame.blockdiag deleted file mode 100644 index 171d650..0000000 --- a/2016/33c3/images/diag_frame.blockdiag +++ /dev/null @@ -1,16 +0,0 @@ -blockdiag { - node_height = 100; - span_width = 2; - default_fontsize = 16; - - START [label="0x7E"]; - CMD [label="CMD"]; - DAT [label="Payload", width=300]; - CRC [label="CRC16"]; - END [label="0x7E"]; - - START -> CMD [style = none]; - CMD -> DAT [style = none]; - DAT -> CRC [style = none]; - CRC -> END [style = none]; -} diff --git a/2016/33c3/images/ec20.png b/2016/33c3/images/ec20.png deleted file mode 100644 index d1a7321..0000000 Binary files a/2016/33c3/images/ec20.png and /dev/null differ diff --git a/2016/33c3/images/ec20_uart.jpg b/2016/33c3/images/ec20_uart.jpg deleted file mode 100644 index e6da750..0000000 Binary files a/2016/33c3/images/ec20_uart.jpg and /dev/null differ diff --git a/2016/33c3/images/gandroid_logo.png b/2016/33c3/images/gandroid_logo.png deleted file mode 100644 index c0e173f..0000000 Binary files a/2016/33c3/images/gandroid_logo.png and /dev/null differ diff --git a/2016/33c3/images/heckert_gnu.svg b/2016/33c3/images/heckert_gnu.svg deleted file mode 100644 index 06403cb..0000000 --- a/2016/33c3/images/heckert_gnu.svg +++ /dev/null @@ -1,94 +0,0 @@ - - - - - - - - - image/svg+xml - - - - - Aurelio A. Hecker <aurium@gmail.com> - - - GNU Head - - - - - - - - - - - - - - - - - - - - - diff --git a/2016/33c3/images/heckert_gnu_filling.png b/2016/33c3/images/heckert_gnu_filling.png deleted file mode 100644 index aa7ec90..0000000 Binary files a/2016/33c3/images/heckert_gnu_filling.png and /dev/null differ diff --git a/2016/33c3/images/legato_flash.png b/2016/33c3/images/legato_flash.png deleted file mode 100644 index 6bea66a..0000000 Binary files a/2016/33c3/images/legato_flash.png and /dev/null differ 
diff --git a/2016/33c3/images/mpcie_breakout.jpg b/2016/33c3/images/mpcie_breakout.jpg deleted file mode 100644 index e2bfed5..0000000 Binary files a/2016/33c3/images/mpcie_breakout.jpg and /dev/null differ diff --git a/2016/33c3/images/mv_uart.jpg b/2016/33c3/images/mv_uart.jpg deleted file mode 100644 index 978ef37..0000000 Binary files a/2016/33c3/images/mv_uart.jpg and /dev/null differ diff --git a/2016/33c3/images/qmi_services.dot b/2016/33c3/images/qmi_services.dot deleted file mode 100644 index 7371152..0000000 --- a/2016/33c3/images/qmi_services.dot +++ /dev/null @@ -1,27 +0,0 @@ -#!graphviz -digraph G { - graph [ dpi = 50 ]; - rankdir = RL; - - subgraph cluster_mdsp { - label = "Modem CPU" - WDS - DMS - NAS - PBM - QMUX - SHM - - WDS -> QMUX - DMS -> QMUX - NAS -> QMUX - NAS -> QMUX - PBM -> QMUX - QMUX -> SHM - } - SHM -> SMD - subgraph cluster_linux { - label = "Linux CPU" - SMD - } -} diff --git a/2016/33c3/images/qmi_smd_qmuxd.dot b/2016/33c3/images/qmi_smd_qmuxd.dot deleted file mode 100644 index 9df36d1..0000000 --- a/2016/33c3/images/qmi_smd_qmuxd.dot +++ /dev/null 
@@ -1,37 +0,0 @@
-#!graphviz
-digraph G {
- graph [ dpi = 50 ];
- rankdir = RL;
-
- MDSP[ label = "Modem DSP" ];
-
- SMD [ label = "Shared Memory Devices" ];
- frmnet [ label = "f_rmnet USB Gadget" ];
- USB [ label = "USB to Host"];
- qmuxd
- atfwd_daemon
- quectel_daemon
- mbimd
- ipth_dme
- qti
- qxmapp
- QCMAP [ label= "QCMAP_ConnectionManager" ];
-
- SMD -> MDSP
- subgraph cluster_kernel {
- label = "Linux Kenrnel"
- frmnet -> SMD
- USB -> frmnet
- }
- subgraph cluster_userspace {
- label = "Linux Userspace"
- qmuxd -> SMD [ label = "/dev/smdccntlN" ];
- atfwd_daemon -> qmuxd [ label = "/var/qmux_connect_socket" ]
- QCMAP -> qmuxd [ label = "/var/qmux_connect_socket" ]
- quectel_daemon -> qmuxd [ label = "/var/qmux_connect_socket" ]
- mbimd -> qmuxd [ label = "/var/qmux_connect_socket" ]
- ipth_dme -> qmuxd [ label = "/var/qmux_connect_socket" ]
- qti -> qmuxd [ label = "/var/qmux_connect_socket" ]
- qxmapp -> qmuxd [ label = "/var/qmux_connect_socket" ]
- }
-}
diff --git a/2016/33c3/images/qmi_smd_qmuxd.svg b/2016/33c3/images/qmi_smd_qmuxd.svg
deleted file mode 100644
index 57fee42..0000000
--- a/2016/33c3/images/qmi_smd_qmuxd.svg
+++ /dev/null
@@ -1,567 +0,0 @@ - - - - - - - - - - image/svg+xml - - - - - - - - - G - - - cluster_kernel - - Linux Kenrnel - - - cluster_userspace - - Linux Userspace - - - - MDSP - - Modem DSP - - - - SMD - - Shared Memory Devices - - - - SMD->MDSP - - - - - - frmnet - - f_rmnet USB Gadget - - - - frmnet->SMD - - - - - - USB - - USB to Host - - - - USB->frmnet - - - - - - qmuxd - - qmuxd - - - - qmuxd->SMD - - - /dev/smdccntlN - - - - atfwd_daemon - - atfwd_daemon - - - - atfwd_daemon->qmuxd - - - /var/qmux_connect_socket - - - - quectel_daemon - - quectel_daemon - - - - quectel_daemon->qmuxd - - - /var/qmux_connect_socket - - - - mbimd - - mbimd - - - - mbimd->qmuxd - - - /var/qmux_connect_socket - - - - ipth_dme - - ipth_dme - - - - ipth_dme->qmuxd - - - /var/qmux_connect_socket - - - - qti - - qti - - - - qti->qmuxd - - - /var/qmux_connect_socket - - - - qxmapp - - qxmapp - - - - qxmapp->qmuxd - - - /var/qmux_connect_socket - - - - QCMAP - - QCMAP_ConnectionManager - - - - QCMAP->qmuxd - - - /var/qmux_connect_socket - - - diff --git a/2016/33c3/images/qualcom_many_releases.png b/2016/33c3/images/qualcom_many_releases.png deleted file mode 100644 index 8384a4b..0000000 Binary files a/2016/33c3/images/qualcom_many_releases.png and /dev/null differ diff --git a/2016/33c3/images/qualcomm_le.svg b/2016/33c3/images/qualcomm_le.svg deleted file mode 100644 index a1c76ba..0000000 --- a/2016/33c3/images/qualcomm_le.svg +++ /dev/null 
@@ -1,954 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - image/svg+xml - - - - - - - - - - - - - - - - f_serial - f_rmnet - f_serial - f_ffs - f_diag - USB Gadget - - NMEA - - ATCMD - - - - RMNET - - - - - - DIAG - - - - QMI - - - - ATCMD - - - - RMNET - - - - QMI - - - - - SMD (Shared Memory Device) - - - - SMD (Shared Memory Device) - - - /dev/nmea - /dev/smdcntl0 - /dev/diag - /dev/ttyGS0 - QMI clients - - quec_bridge - - - - qmuxd - - - - adbd - - - rmnet0 - - - HexagonModem CPU - ARM Cortex-A5Application CPU - Userspace - Linux Kernel - - - - - - - - - - - - - - - diagfwd - - - - - - - - - - diff --git a/2016/33c3/images/quectel_ipr.jpg b/2016/33c3/images/quectel_ipr.jpg deleted file mode 100644 index 47d361a..0000000 Binary files a/2016/33c3/images/quectel_ipr.jpg and /dev/null differ diff --git a/2016/33c3/images/quectel_ipr.pdf b/2016/33c3/images/quectel_ipr.pdf deleted file mode 100644 index 982cb68..0000000 Binary files a/2016/33c3/images/quectel_ipr.pdf and /dev/null differ diff --git a/2016/33c3/images/redbend.png b/2016/33c3/images/redbend.png deleted file mode 100644 index 36aa85d..0000000 Binary files a/2016/33c3/images/redbend.png and /dev/null differ diff --git a/2016/33c3/images/sl6087_hw.png b/2016/33c3/images/sl6087_hw.png deleted file mode 100644 index ed204a1..0000000 Binary files a/2016/33c3/images/sl6087_hw.png and /dev/null differ diff --git a/2016/33c3/images/upgrade_process.blockdiag b/2016/33c3/images/upgrade_process.blockdiag deleted file mode 100644 index 4e94ef3..0000000 --- a/2016/33c3/images/upgrade_process.blockdiag +++ /dev/null @@ -1,16 +0,0 @@ -blockdiag { - - node_width = 200; - default_group_color = none; - - AT [label="atfwd_daemon"]; - QC [label="QCMAP_ConnectionManager"]; - WG [label="wget"]; - RI [label="recovery image"]; - - AT -> QC [label="start"]; - AT -> WG [label="start"]; - AT -> RI [label="reboot"]; - - group { WG; RI }; -} 
diff --git a/2016/cellular_modems_33c3/.gitignore b/2016/cellular_modems_33c3/.gitignore
new file mode 100644
index 0000000..e867027
--- /dev/null
+++ b/2016/cellular_modems_33c3/.gitignore
@@ -0,0 +1,7 @@
+*.sw?
+33c3-modems.html
+images/upgrade_process.png
+images/diag_frame.png
+images/diag.png
+images/qmi_services.png
+images/qmi_smd_qmuxd.png
diff --git a/2016/cellular_modems_33c3/33c3-modems.adoc b/2016/cellular_modems_33c3/33c3-modems.adoc
new file mode 100644
index 0000000..e00627f
--- /dev/null
+++ b/2016/cellular_modems_33c3/33c3-modems.adoc
@@ -0,0 +1,528 @@ + +Dissecting modern (3G/4G) cellular modems +========================================= +:author: Harald Welte, Holger Hans Peter Freyther +:copyright: Harald Welte, Holger Hans Peter Freyther (License: CC-BY-SA) +:backend: slidy +:max-width: 45em + +//include::33c3-modems.css[] + +== This talk + +* Our motivation +* A bit of History +* Selecting a device +* An unexpected surprise +* Firmware upgrade +* Outlook/Recommendations/Wishes + +== Motivation + +// 9 years of Osmocom? +// 3G and 4G development +// Hardware for decoding +* Implementing GSM specifications for the last decade (OpenMoko, Osmocom) +* 8 years since _Anatomy of Smartphone Hardware_ at 25C3 +* 7 years since OsmocomBB for GSM +* Used and built M2M devices using 2G modems at work +* so we're looking for a modem that can be used for +** our next-generation M2M/embedded devices +** testing/logging/tracing Osmocom 3G/4G network-side software +** building more tools to help understanding cellular technology + +== Cellular Modems in M2M + +image:images/sl6087_hw.png[height=300,role="gimmick_right"] + +* Assume you want to build a M2M device +* Classic approach to M2M/Embedded cellular: +** Cellular modem with AT commands over Serial/USB +** Main Processor runs M2M application +* if you run Application in Modem, you can save PCB space, power and BOM cost +** OpenAT by Sierra Wireless +*** Write C code using OpenAT APIs +*** Dynamically loaded into the RTOS +*** Runs without privilege separation, MMU +*** Protocol to multiplex AT, log, debug +*** Discontinued HW platform => Locked in +*** Various other limitations + +== Device requirements + +Our requirements for a good modem + +** Ability to run application code inside modem +** Avoid modem supplier vendor lock-in (EOL, ...) 
+** Get textual logging when handling messages +** Get a copy of the radio network messages and export to GSMTAP +*** Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon] +*** But for all GPRS, EGPRS, UMTS and LTE messages + +== Qualcomm DIAG protocol + +* Qualcomm DIAG in many products (DVB-H, GSM, ...) +* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3 +* Simple HDLC frame (0x7e), cmd, data, CRC16 + +* Events, Logging, Command/Response +* Thousands of different message structures +* ModemManager, gsm-parser consume only a small fraction + +image:images/diag_frame.svg[width="90%"] + +== Selecting a device + +image:images/28c3_option_stick.png[width="30%",role="gimmick_right"] + +* Old Option Icon 225 stick exposes DIAG out of the box +* Quectel UC20 (2G+3G) expose DIAG by default +** but no LTE support +* Quectel EC20 (2G+3G+4G) expose DIAG by default +** 2G, 3G and 4G sounds quite nice +** EC20 not only a LGA solder module but also as mini-PCIe +*** convenient for early testing / prototyping without custom board + +image:images/ec20.png[height=300,role="gimmick_right"] + +* EC20 using a Qualcomm MDM9615 chipset +** Also used in the iPhone5 +** Almost no documentation on MDM9615 available +** Still, a good candidate for starting our research... + +// Erst ein mal EC20 und sagen wieso es interessant ist +// und dann, dass es Linux hat.. um dann ein Block diagram +// zu haben? + +[role="change_topic"] +== An unexpected surprise + +== Firmware update, hints of Linux + +* Got a firmware upgrade to fix stability / bugs +* Looks like it contains traces of Linux? 
+* Looks like it uses fastboot for the update +* Other people have already found Linux in MDM9615 based products (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov] at DEFCON 23) +* But why would there be Linux inside a Modem? +** Qualcomm is known for their REX/AMSS on Hexagon baseband ?!? +* And if it contains Linux, GPL requires them to mention that, include + License text and provide source code ?!? + +== GPL compliance + +* No written offer, let's see if it runs Linux +* Armijn Hemels `gpltool.git` has `unyaffs` to unpack yaffs +* `strings`, etc. clearly reveal Linux, glibc, busybox +** other interesting strings like `AT+QLINUXCMD=?` show up +* The fun and exploration begins... +** technical analysis (serial console, firmware reversing, ...) +** legal enforcement to get source code of GPL/LGPL components (Harald is founder of http://gpl-violations.org[gpl-violations.org]) + +== Hardware based analysis + +* mPCIe modules often expose additional signals like PCM audio on + non-standard pins +* existing PC/embedded mainboards don't use those signals +* create Osmocom mPCIe-breakout board to access those signals +* https://osmocom.org/projects/mpcie-breakout/wiki + +image:images/mpcie_breakout.jpg[width="70%"] + +== Serial Console + +* EC20 solder module documents DBG_UART pinout, but not all modules + have it enabled? 
+* serial console is at 1.8V, but the 1.8V supply is not accessible (so + not easy to add external level shifter / Vref) +* create Osmocom multi-voltage USB-UART with selectable 1.8, + 2.3, 2.5, 2.8, 3.0 and 3.3V logic level + +image:images/mv_uart.jpg[width="40%",role="gimmick_right"] + +* https://osmocom.org/projects/mv-uart/wiki +* root password (DES hash): `oelinux123` + +== Retro-fitting Serial Console to mPCIe module + +* unfortunately the DBG_UART on the LGA module solder pads is not + exposed to mPCIE +* some soldering required to retro-fit a 2.54mm header: + +image:images/ec20_uart.jpg[width="70%"] + +== GPL compliance + +* Linux basis created by Qualcomm and used by Quectel +** https://wiki.codeaurora.org/xwiki/bin/QLBEP/ +** Many branches, releases, which to use? + +[quote, Tonino Perazzi] +I tried instruction above to build yaffs2 for MDM9615, so I downloaded source `M9615AAAARNLZA1611161.xml` but during compilation I faced some libs that are missing such as libQMI and acdb-loader.. + +image:images/qualcom_many_releases.png[width="80%"] + +== GPL compliance + +[qanda] +Asking for the complete and corresponding source:: +[quote,Quectel] +** The source code of Qflash tool in Linux is attached, [...] +[qanda] +Asking again for the complete and corresponding source:: +[quote,Quectel] +We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party. + +image:images/quectel_ipr.jpg[width="100%"] + +== GPL compliance + +[qanda] +Asking for the complete and corresponding source:: +[quote,Quectel] + We appreciate the efforts that your client had put into the open source +project netfilter/_iptable_. However, [...] *your client does not have the right to +empower the copyright*. 
We think software netfilter/iptable is built on +the code operating system _GUN_/Linux, thus subject to GPL terms, where FSF +requires that each author of code incorporated in FSF projects either +provide copyright assignment to FSF or disclaim copyright. Therefore, +It seems that *your client does not have the copyright on netfilter/iptable.* + + + +As one of the leading providers of wireless solution, *Quectel is always +respectful IPR*. We would like to compliant with GPL and do some necessary +statements,including a disclaimer or appropriate notices. Under the terms +of GPL, we would like to dedicate Kernel code of EC25x to free software +community. + +== GPL compliance + +[qanda] +Asking for the complete and corresponding source:: +[quote,Quectel] + Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step. + +[qanda] +Asking for the complete and corresponding source:: +[quote,Quectel] + We are always willing to achieve GPL compliance. + +[qanda] +Asking for the complete and corresponding source:: +[quote,Quectel] + So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that. + +== GPL compliance + +[qanda] +Your tarball is missing some files:: +[quote,Quectel] +We have issued all GPL licensed source code. +*We have no the xt_dscp file in the project, and nor Qulacomm*. It must be +caused by your compilation environment. +If you have more question or problem during the development with Quectel +module, please add my Skype ID (XXXXX), I will continue to support you +on Skype. 
+ +*The email will not discuss the compiling issue any more.* + + + +== GPL compliance + +* ... many months later +** we have received various source tarballs +** they contain not only GPL/LGPL code but other FOSS code (thanks!) +** full license compliance still not achieved, but improving... +* Sierra Wireless Legato is a positive example of a competitor +** they not only provide the OE/Linux source but extensive +documentation! +** but they try to lure customers into a proprietary Legato framework, +and thus again vendor-lock-in :( + +image:images/legato_flash.png[width="80%"] + +[role="change_topic"] +== MDM 9615 HW and SW + + +== Qualcomm Hardware + +* Qualcomm MDM9615 chipset +* Used in the iPhone 5 and automotive +* Modems like Quectel EC20, Sierra Wireless MC7355 +* No public HW documentation?! +* Either not many people study it or are not allowed to share? + +== MDM 9615 HW Overview + +* ???? +// Block diagram? +// Listing of interfaces. +// Show it is a highly complex SoC... with even more things +// that are unknown.. device tree file, peripheral, etc + + +== How to access the system? 
+ +* serial console requires soldering re-work and is slow +* easy mechanism to get shell and transfer files from/to target +* Android `adbd` present on the modem but not exposed via USB +* it's possible to re-configure the Linux kernel Android USB Gadget: +** `AT+QLINUXCMD="/usr/bin/usb_uartdiag"` +** device re-enumerates with different composite USB interfaces +* Linux kernel driver on host needs patching (static interface + mapping assumption) +** patches available in `quectel-experiments.git`, documented in wiki + + +== MDM 9615 AP SW Overview + +image:images/gandroid_logo.png[height=200,role="gimmick_right"] + +The software stack seems to be called *Qualcomm LE* + +* Android Bootloader +* Android Linux kernel +* Android Debug Bridge (adb) +* but: GNU libc, busybox userland +* Using OpenEmbedded to build images +* Developed and maintained by Qualcomm + + +== Qualcomm Linux kernel overview + +* Qualcomm Android Linux kernel +* Huge changes compared to mainline `git diff -w | wc -l` +** `v3.0.21` in EC20: 1.5 million lines +** `v3.18.20` in EC25: 1.9 million lines +* Expected: CPU + peripheral drivers +* Less expected: +** smem_log (shared memory logging) +** ipc_log (inter-processOR communication) +** remote spinlocks + +== Qualcomm Linux kernel subsystems + +Some of the Qualcomm-specific kernel sub-systems + +[cols="20%,80%"] +|=== +|SMD|Shared Memory Device +|IPC|Inter Processor Communications +|RMNET|Remote Network +|BAM|Bus Access Manager +|IPA|Internet Packet Accelerator +|DIAGFWD|DIAG Forwarding +|AF_MSM_IPC|Socket family for Qualcomm IPC +|=== + +== Qualcomm LE System Architecture + +image:images/qualcomm_le.svg[width="50%",role="gimmick_right"] + +* simplified block diagram +* USB interface fully controlled by Linux AP +** very complex Qualcomm Android USB Gadget +** some endpoints mapped to SMD queues +** other endpoints handled by _regular_ Linux +** GPS NMEA takes completely different path than AT commands, despite +both being serial ports? 
+** DIAG and QMI handled in more complex ways + +== DIAG in Qualcomm LE + +* DIAG interface of Modem exposed on SMD +* diagfwd distributes messages between USB, SMD and `/dev/diagchar` +* Linux userspace processes don't use syslog, but diag msg for logging via `libdiag.so` + +image:images/diag.svg[width="100%"] + +== QMI in Qualcomm LE + +every `rmnet` data device has associated QMI control + +* on your Linux PC: `qmi_wwan` and `/dev/cdc-wdm` +* on Qualcomm LE modem: `/dev/smdcntlN`, multiplexed by `qmuxd` + +image:images/qmi_smd_qmuxd.svg[width="100%"] + +== Tools for analysis + +We created some tools to help our analysis + +* used OE to build matching `opkg` and OE packages for `socat`, `lsof`, `strace` +* FOSS programs for the Linux AP linked against proprietary `libqmi-framework.so` +** `qmi_test`: Simple program to read IMEI via QMI +** `atcop_test`: Test program to implement AT commands in Linux userspace +* 100% FOSS programs +** `qmuxd_wrapper`: LD_PRELOAD wrapper for tracing between `qmuxd` and QMI clients +** `libqmi-glib` transport support for `qmuxd` (work in progress) +** `osmo-qcdiag`: Host tool for obtaining DIAG based logs from Linux programs + QMI traces, decoded via `libmi-glib` + +== Userspace programs + +We found a bunch of proprietary Linux userspace programs + +[cols="20%,80%"] +|=== +|`adbd`|Implements Android Debug Bridge +|`atfwd_daemon`|Implement Quectel-Specific AT Commands +|`quectel_daemon`|?; various ASoC related bits +|`qti`|? +|`mbim`|Mobile Broadband IF Model (translates MBIM to QMI) +|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router with LTE backhaul +|`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0` +|=== + +[role="change_topic"] +== Funny bits + pieces + +== Funny AT commands + +* `AT+QLINUXCMD`, e.g. switch usb config to get adb +** arbitrary shell commands executed as root on r/w rootfs! 
+* `AT+QFASTBOOT`, switch to the bootloader +* `AT+QPRINT`, print dmesg +* AT for `system("echo mem > /sys/power/state")` + +== How many processes does it take to reboot a system? + +* `rebootdiagapp` registers DIAG command (cmd code 0x29) +** spawns thread that runs `system("qmi_simple_ril_test input=/tmp/reset")` +** `system("echo 'modem reset' > /tmp/reset")` +*** makes `qmi_simple_ril_test` send a QMI message to modem +** `system("rm /tmp/reset")` +** writes "REBOOT" to `/dev/rebooterdev` this time using `fwrite()`! +* `reboot_daemon` reads `/dev/rebooterdev` + +---- +read_count = read(pipe_fd,buf,MAX_BUF-1); +/* if read REBOOT_STR, then call reboot */ +if(strncmp(buf,REBOOT_STR,strlen(REBOOT_STR)) == 0) { + debug_printf("going for reboot\n"); + printf("reboot-daemon: initiating reboot\n"); + system("reboot"); +} +---- + +== C programs that look like shell scripts + +* strings /usr/bin/quectel_daemon + +---- +echo "nau8814-aif1" > /sys/devices/platform/soc-audio.0/tx_dai_name +cp -f /cache/usb/qcfg_usbcfg /etc/; cp -f /cache/usb/usb /etc/init.d/ +echo 90 >/sys/kernel/debug/pm8xxx-pwm-dbg/0/duty-cycle +pkill -f "/bin/sh /usr/bin/nmea_demon.sh" +ps ef | grep "quec_bridge /dev/nmea /dev/ttyGS0" | grep -v grep +cd /cache/ufs;ls +---- + +[role="change_topic"] +== Firmware upgrade + +== recovery and applypatch + +* Qualcomm uses https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git] from Android ~4.0 +* Updates are zip files with deltas, SHA1+RSA +* recovery started on boot, drives applypatch +---- +// Look for an RSA signature embedded in the .ZIP file comment given +// the path to the zip. Verify it matches one of the given public +// keys. +---- + +== Qualcomm EC20 firmware upgrade + +image:images/redbend.png[width="30%",role="gimmick_right"] + +* Based on the recovery.git code +* But for some reason using RedBend for the update (legacy?) 
+* RSA still linked into the binary but not used +* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive) + + +== RedBend (delta update) software + +* Used in OMA DeviceManagement as well? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Mathew Solnik]) +* Lots of starring at hexdumps, lots of help from Dieter Spaar +* Created tools to partially extract and create .diff files +* Heavy in pointers/offsets, not robust +* Crashes on crafted files +* Not cryptographically signed! + +image:images/delta_header.png[width="80%"] + + +== Firmware upgrade overview + +image:images/upgrade_process.svg[width="55%",role="gimmick_right"] +//[source] +---- +$ strings atfwd_daemon | egrep "wget|QCMAP|fota|update.z" + +... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet +/usr/bin/wget -T 20 -t 3 %s -O %s +mv %s %s && mkdir -p /cache/fota && echo %s > %s +/cache/fota/ipth_config_dfs.txt +rm -rf /cache/fota /cache/recovery /cache/update.zip +Start download fota for update.zip +---- + +* atfwd_daemon can be asked to start upgrade +* Configure APN, specify URL, store result to update.zip +* Add status and reboot to recovery +* Apply update.zip and reboot + +== Recommendation to modem vendors + +* It is great to have an open and accessible Qualcomm based modem for + further research and developing custom applications/extensions +* Security issues (particularly unverified FOTA) must be fixed +* We need security from attackers _without locking out the user/owner_ +** If vendors introduce verified boot and/or FOTA, allow owner specified keys! +* Please keep it open, good for learning and many applications +* Allow owners to modify the software of their device +* Secure the FOTA upgrading with owner specified keys + +== Status and Outlook + +* Status today +** Osmocom wiki with all our findings public now! 
+** debug tools (`osmo-qcdiag`, LD_PRELOAD wrapper, `qmi_test`, etc.) released +** mpcie-breakout + mv-uart released + available +** `libqmi-glib` integration WIP +* Outlook +** we hope to grow documentation in wiki +** please help us out: read code, play with devices + update wiki +** OE/opkg package feed planned +** aim is to have 100% FOSS userland on Cortex-A5 + +== Unrelated Announcement + +* Osmocom project has gained support for 3G/3.5G during 2016 +* Osmocom suffers from lack of contributions :( +* We want to motivate more contributions +** _Accelerate 3.5G_ programme provides 50 free 3.5 femtocells to contributors +** tell us how you would use your free femtocell to improve Osmocom +** Call for Proposals runs until January 31st, 2017. +** see http://sysmocom.de/downloads/accelerate_3g5_cfp.pdf + +== Questions + +* Questions? + + + +== Links + +* Our results / hacks +** https://osmocom.org/projects/quectel-modems +** git://git.osmocom.org/quectel-experiments.git +** git://git.osmocom.org/osmo-qcdiag.git +** ftp://ftp.osmocom.org/quectel (mirrored) +* Collection of links for further study +** ftp://ftp2.quectel.com/OpenSrc/ +** https://wiki.codeaurora.org/xwiki/bin/QLBEP/ +** https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf +** https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf +** https://github.com/2b-as/xgoldmon +** https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf diff --git a/2016/cellular_modems_33c3/33c3-modems.css b/2016/cellular_modems_33c3/33c3-modems.css new file mode 100644 index 0000000..0e43ccb --- /dev/null +++ b/2016/cellular_modems_33c3/33c3-modems.css 
@@ -0,0 +1,31 @@
+div.change_topic {
+ display: flex;
+ align-items: center;
+ justify-content: center;
+}
+
+div.change_topic h1 {
+ text-align: center;
+ border-bottom-width: 0px;
+}
+
+span.gimmick_right img {
+ float: right;
+}
+
+div.qanda ol {
+ list-style-type: none;
+}
+
+.monospaced, code, pre {
+ color: black;
+ font-weight: bold;
+}
+
+div.quoteblock, div.verseblock {
+ color: black;
+}
+
+em {
+ color: black;
+}
diff --git a/2016/cellular_modems_33c3/Makefile b/2016/cellular_modems_33c3/Makefile
new file mode 100644
index 0000000..4f92de6
--- /dev/null
+++ b/2016/cellular_modems_33c3/Makefile
@@ -0,0 +1,10 @@
+all: 33c3-modems.html
+
+images/upgrade_process.svg: images/upgrade_process.blockdiag
+ blockdiag -Tsvg -a -o images/upgrade_process.svg images/upgrade_process.blockdiag
+
+images/diag_frame.svg: images/diag_frame.blockdiag
+ blockdiag -Tsvg -a -o images/diag_frame.svg images/diag_frame.blockdiag
+
+33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.svg images/diag_frame.svg
+ asciidoc -a stylesheet=$(PWD)/33c3-modems.css 33c3-modems.adoc
diff --git a/2016/cellular_modems_33c3/images/28c3_option_stick.png b/2016/cellular_modems_33c3/images/28c3_option_stick.png
new file mode 100644
index 0000000..00f0ce6
Binary files /dev/null and b/2016/cellular_modems_33c3/images/28c3_option_stick.png differ
diff --git a/2016/cellular_modems_33c3/images/Android_robot.svg b/2016/cellular_modems_33c3/images/Android_robot.svg
new file mode 100644
index 0000000..4e8f114
--- /dev/null
+++ b/2016/cellular_modems_33c3/images/Android_robot.svg
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/2016/cellular_modems_33c3/images/Android_robot_GNU_head.svg b/2016/cellular_modems_33c3/images/Android_robot_GNU_head.svg
new file mode 100644
index 0000000..4e56f15
--- /dev/null
+++ b/2016/cellular_modems_33c3/images/Android_robot_GNU_head.svg
@@ -0,0 +1,1109 @@ + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/2016/cellular_modems_33c3/images/delta_header.png b/2016/cellular_modems_33c3/images/delta_header.png new file mode 100644 index 0000000..f5cb75c Binary files /dev/null and b/2016/cellular_modems_33c3/images/delta_header.png differ diff --git a/2016/cellular_modems_33c3/images/diag.dot b/2016/cellular_modems_33c3/images/diag.dot new file mode 100644 index 0000000..4114e52 --- /dev/null +++ b/2016/cellular_modems_33c3/images/diag.dot @@ -0,0 +1,29 @@ +#!graphviz +digraph G { + graph [ dpi = 50 ]; + rankdir = RL; + + MDSP [ label = "Modem DSP" ]; + + SMD + diagfwd + f_diag + USB + + SMD -> MDSP + subgraph cluster_kernel { + label = "Linux Kenrnel" + diagfwd -> SMD + diagchar -> diagfwd + f_diag -> diagfwd + USB -> f_diag + } + subgraph cluster_userspace { + label = "Linux Userspace" + qmuxd -> diagchar [ label = "/dev/diag" ]; + atfwd_daemon -> qmuxd [ label = "/dev/diag" ] + QCMAP -> qmuxd [ label = "/dev/diag" ] + quectel_daemon -> qmuxd [ label = "/dev/diag" ] + } + Host -> USB +} diff --git a/2016/cellular_modems_33c3/images/diag.svg b/2016/cellular_modems_33c3/images/diag.svg new file mode 100644 index 0000000..aa78778 --- /dev/null +++ b/2016/cellular_modems_33c3/images/diag.svg 
@@ -0,0 +1,507 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + G + + + cluster_kernel + + Linux Kenrnel + + + cluster_userspace + + Linux Userspace + + + + MDSP + + Modem DSP + + + + SMD + + SMD + + + + SMD->MDSP + + + + + + diagfwd + + diagfwd + + + + diagfwd->SMD + + + + + + f_diag + + f_diag + + + + f_diag->diagfwd + + + + + + USB + + USB + + + + USB->f_diag + + + + + + diagchar + + diagchar + + + + diagchar->diagfwd + + + + + + qmuxd + + qmuxd + + + + qmuxd->diagchar + + + /dev/diag + + + + atfwd_daemon + + atfwd_daemon + + + + atfwd_daemon->qmuxd + + + /dev/diag + + + + QCMAP + + QCMAP + + + + QCMAP->qmuxd + + + /dev/diag + + + + quectel_daemon + + quectel_daemon + + + + quectel_daemon->qmuxd + + + /dev/diag + + + + Host + + Host + + + + Host->USB + + + + + diff --git a/2016/cellular_modems_33c3/images/diag_frame.blockdiag b/2016/cellular_modems_33c3/images/diag_frame.blockdiag new file mode 100644 index 0000000..171d650 --- /dev/null +++ b/2016/cellular_modems_33c3/images/diag_frame.blockdiag @@ -0,0 +1,16 @@ +blockdiag { + node_height = 100; + span_width = 2; + default_fontsize = 16; + + START [label="0x7E"]; + CMD [label="CMD"]; + DAT [label="Payload", width=300]; + CRC [label="CRC16"]; + END [label="0x7E"]; + + START -> CMD [style = none]; + CMD -> DAT [style = none]; + DAT -> CRC [style = none]; + CRC -> END [style = none]; +} diff --git a/2016/cellular_modems_33c3/images/ec20.png b/2016/cellular_modems_33c3/images/ec20.png new file mode 100644 index 0000000..d1a7321 Binary files /dev/null and b/2016/cellular_modems_33c3/images/ec20.png differ diff --git a/2016/cellular_modems_33c3/images/ec20_uart.jpg b/2016/cellular_modems_33c3/images/ec20_uart.jpg new file mode 100644 index 0000000..e6da750 Binary files /dev/null and b/2016/cellular_modems_33c3/images/ec20_uart.jpg differ 
diff --git a/2016/cellular_modems_33c3/images/gandroid_logo.png b/2016/cellular_modems_33c3/images/gandroid_logo.png new file mode 100644 index 0000000..c0e173f Binary files /dev/null and b/2016/cellular_modems_33c3/images/gandroid_logo.png differ diff --git a/2016/cellular_modems_33c3/images/heckert_gnu.svg b/2016/cellular_modems_33c3/images/heckert_gnu.svg new file mode 100644 index 0000000..06403cb --- /dev/null +++ b/2016/cellular_modems_33c3/images/heckert_gnu.svg @@ -0,0 +1,94 @@ + + + + + + + + + image/svg+xml + + + + + Aurelio A. Hecker <aurium@gmail.com> + + + GNU Head + + + + + + + + + + + + + + + + + + + + + diff --git a/2016/cellular_modems_33c3/images/heckert_gnu_filling.png b/2016/cellular_modems_33c3/images/heckert_gnu_filling.png new file mode 100644 index 0000000..aa7ec90 Binary files /dev/null and b/2016/cellular_modems_33c3/images/heckert_gnu_filling.png differ diff --git a/2016/cellular_modems_33c3/images/legato_flash.png b/2016/cellular_modems_33c3/images/legato_flash.png new file mode 100644 index 0000000..6bea66a Binary files /dev/null and b/2016/cellular_modems_33c3/images/legato_flash.png differ diff --git a/2016/cellular_modems_33c3/images/mpcie_breakout.jpg b/2016/cellular_modems_33c3/images/mpcie_breakout.jpg new file mode 100644 index 0000000..e2bfed5 Binary files /dev/null and b/2016/cellular_modems_33c3/images/mpcie_breakout.jpg differ diff --git a/2016/cellular_modems_33c3/images/mv_uart.jpg b/2016/cellular_modems_33c3/images/mv_uart.jpg new file mode 100644 index 0000000..978ef37 Binary files /dev/null and b/2016/cellular_modems_33c3/images/mv_uart.jpg differ diff --git a/2016/cellular_modems_33c3/images/qmi_services.dot b/2016/cellular_modems_33c3/images/qmi_services.dot new file mode 100644 index 0000000..7371152 --- /dev/null +++ b/2016/cellular_modems_33c3/images/qmi_services.dot 
@@ -0,0 +1,27 @@
+#!graphviz
+digraph G {
+ graph [ dpi = 50 ];
+ rankdir = RL;
+
+ subgraph cluster_mdsp {
+ label = "Modem CPU"
+ WDS
+ DMS
+ NAS
+ PBM
+ QMUX
+ SHM
+
+ WDS -> QMUX
+ DMS -> QMUX
+ NAS -> QMUX
+ NAS -> QMUX
+ PBM -> QMUX
+ QMUX -> SHM
+ }
+ SHM -> SMD
+ subgraph cluster_linux {
+ label = "Linux CPU"
+ SMD
+ }
+}
diff --git a/2016/cellular_modems_33c3/images/qmi_smd_qmuxd.dot b/2016/cellular_modems_33c3/images/qmi_smd_qmuxd.dot
new file mode 100644
index 0000000..9df36d1
--- /dev/null
+++ b/2016/cellular_modems_33c3/images/qmi_smd_qmuxd.dot
@@ -0,0 +1,37 @@
+#!graphviz
+digraph G {
+ graph [ dpi = 50 ];
+ rankdir = RL;
+
+ MDSP[ label = "Modem DSP" ];
+
+ SMD [ label = "Shared Memory Devices" ];
+ frmnet [ label = "f_rmnet USB Gadget" ];
+ USB [ label = "USB to Host"];
+ qmuxd
+ atfwd_daemon
+ quectel_daemon
+ mbimd
+ ipth_dme
+ qti
+ qxmapp
+ QCMAP [ label= "QCMAP_ConnectionManager" ];
+
+ SMD -> MDSP
+ subgraph cluster_kernel {
+ label = "Linux Kenrnel"
+ frmnet -> SMD
+ USB -> frmnet
+ }
+ subgraph cluster_userspace {
+ label = "Linux Userspace"
+ qmuxd -> SMD [ label = "/dev/smdccntlN" ];
+ atfwd_daemon -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ QCMAP -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ quectel_daemon -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ mbimd -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ ipth_dme -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ qti -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ qxmapp -> qmuxd [ label = "/var/qmux_connect_socket" ]
+ }
+}
diff --git a/2016/cellular_modems_33c3/images/qmi_smd_qmuxd.svg b/2016/cellular_modems_33c3/images/qmi_smd_qmuxd.svg
new file mode 100644
index 0000000..57fee42
--- /dev/null
+++ b/2016/cellular_modems_33c3/images/qmi_smd_qmuxd.svg
@@ -0,0 +1,567 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + G + + + cluster_kernel + + Linux Kenrnel + + + cluster_userspace + + Linux Userspace + + + + MDSP + + Modem DSP + + + + SMD + + Shared Memory Devices + + + + SMD->MDSP + + + + + + frmnet + + f_rmnet USB Gadget + + + + frmnet->SMD + + + + + + USB + + USB to Host + + + + USB->frmnet + + + + + + qmuxd + + qmuxd + + + + qmuxd->SMD + + + /dev/smdccntlN + + + + atfwd_daemon + + atfwd_daemon + + + + atfwd_daemon->qmuxd + + + /var/qmux_connect_socket + + + + quectel_daemon + + quectel_daemon + + + + quectel_daemon->qmuxd + + + /var/qmux_connect_socket + + + + mbimd + + mbimd + + + + mbimd->qmuxd + + + /var/qmux_connect_socket + + + + ipth_dme + + ipth_dme + + + + ipth_dme->qmuxd + + + /var/qmux_connect_socket + + + + qti + + qti + + + + qti->qmuxd + + + /var/qmux_connect_socket + + + + qxmapp + + qxmapp + + + + qxmapp->qmuxd + + + /var/qmux_connect_socket + + + + QCMAP + + QCMAP_ConnectionManager + + + + QCMAP->qmuxd + + + /var/qmux_connect_socket + + + diff --git a/2016/cellular_modems_33c3/images/qualcom_many_releases.png b/2016/cellular_modems_33c3/images/qualcom_many_releases.png new file mode 100644 index 0000000..8384a4b Binary files /dev/null and b/2016/cellular_modems_33c3/images/qualcom_many_releases.png differ diff --git a/2016/cellular_modems_33c3/images/qualcomm_le.svg b/2016/cellular_modems_33c3/images/qualcomm_le.svg new file mode 100644 index 0000000..a1c76ba --- /dev/null +++ b/2016/cellular_modems_33c3/images/qualcomm_le.svg 
@@ -0,0 +1,954 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + f_serial + f_rmnet + f_serial + f_ffs + f_diag + USB Gadget + + NMEA + + ATCMD + + + + RMNET + + + + + + DIAG + + + + QMI + + + + ATCMD + + + + RMNET + + + + QMI + + + + + SMD (Shared Memory Device) + + + + SMD (Shared Memory Device) + + + /dev/nmea + /dev/smdcntl0 + /dev/diag + /dev/ttyGS0 + QMI clients + + quec_bridge + + + + qmuxd + + + + adbd + + + rmnet0 + + + HexagonModem CPU + ARM Cortex-A5Application CPU + Userspace + Linux Kernel + + + + + + + + + + + + + + + diagfwd + + + + + + + + + + diff --git a/2016/cellular_modems_33c3/images/quectel_ipr.jpg b/2016/cellular_modems_33c3/images/quectel_ipr.jpg new file mode 100644 index 0000000..47d361a Binary files /dev/null and b/2016/cellular_modems_33c3/images/quectel_ipr.jpg differ diff --git a/2016/cellular_modems_33c3/images/quectel_ipr.pdf b/2016/cellular_modems_33c3/images/quectel_ipr.pdf new file mode 100644 index 0000000..982cb68 Binary files /dev/null and b/2016/cellular_modems_33c3/images/quectel_ipr.pdf differ diff --git a/2016/cellular_modems_33c3/images/redbend.png b/2016/cellular_modems_33c3/images/redbend.png new file mode 100644 index 0000000..36aa85d Binary files /dev/null and b/2016/cellular_modems_33c3/images/redbend.png differ diff --git a/2016/cellular_modems_33c3/images/sl6087_hw.png b/2016/cellular_modems_33c3/images/sl6087_hw.png new file mode 100644 index 0000000..ed204a1 Binary files /dev/null and b/2016/cellular_modems_33c3/images/sl6087_hw.png differ diff --git a/2016/cellular_modems_33c3/images/upgrade_process.blockdiag b/2016/cellular_modems_33c3/images/upgrade_process.blockdiag new file mode 100644 index 0000000..4e94ef3 --- /dev/null +++ b/2016/cellular_modems_33c3/images/upgrade_process.blockdiag 
@@ -0,0 +1,16 @@
+blockdiag {
+
+ node_width = 200;
+ default_group_color = none;
+
+ AT [label="atfwd_daemon"];
+ QC [label="QCMAP_ConnectionManager"];
+ WG [label="wget"];
+ RI [label="recovery image"];
+
+ AT -> QC [label="start"];
+ AT -> WG [label="start"];
+ AT -> RI [label="reboot"];
+
+ group { WG; RI };
+}
-- cgit v1.2.3