From 7fee51876b3310c48f44450e362b0c8be7ffaea3 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Mon, 26 Dec 2016 19:33:40 +0100
Subject: wip... structure and content for 33c3 talk

Structure and content will change in the coming hours..
---
 2016/33c3/.gitignore | 2 +
 2016/33c3/33c3-modems.adoc | 210 +++
 2016/33c3/33c3-modems.css | 14 +
 2016/33c3/Makefile | 8 +
 2016/33c3/images/Android_robot.svg | 19 +
 2016/33c3/images/Android_robot_GNU_head.svg | 1109 +++++++++++++++++++++++++++
 2016/33c3/images/delta_header.png | Bin 0 -> 15978 bytes
 2016/33c3/images/ec20.png | Bin 0 -> 107045 bytes
 2016/33c3/images/gandroid_logo.png | Bin 0 -> 134316 bytes
 2016/33c3/images/heckert_gnu.svg | 94 +++
 2016/33c3/images/heckert_gnu_filling.png | Bin 0 -> 54056 bytes
 2016/33c3/images/redbend.png | Bin 0 -> 15643 bytes
 2016/33c3/images/upgrade_process.blockdiag | 12 +
 13 files changed, 1468 insertions(+)
 create mode 100644 2016/33c3/.gitignore
 create mode 100644 2016/33c3/33c3-modems.adoc
 create mode 100644 2016/33c3/33c3-modems.css
 create mode 100644 2016/33c3/Makefile
 create mode 100644 2016/33c3/images/Android_robot.svg
 create mode 100644 2016/33c3/images/Android_robot_GNU_head.svg
 create mode 100644 2016/33c3/images/delta_header.png
 create mode 100644 2016/33c3/images/ec20.png
 create mode 100644 2016/33c3/images/gandroid_logo.png
 create mode 100644 2016/33c3/images/heckert_gnu.svg
 create mode 100644 2016/33c3/images/heckert_gnu_filling.png
 create mode 100644 2016/33c3/images/redbend.png
 create mode 100644 2016/33c3/images/upgrade_process.blockdiag

diff --git a/2016/33c3/.gitignore b/2016/33c3/.gitignore
new file mode 100644
index 0000000..a84c768
--- /dev/null
+++ b/2016/33c3/.gitignore
@@ -0,0 +1,2 @@
+33c3-modems.html
+images/upgrade_process.png
diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc
new file mode 100644
index 0000000..e39d592
--- /dev/null
+++ b/2016/33c3/33c3-modems.adoc
@@ -0,0 +1,210 @@
+
+Dissecting modern (3G/4G) cellular modems
+=========================================
+:author: Harald Welte
+#:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)
+:backend: slidy
+:max-width: 45em
+
+//include::33c3-modems.css[]
+
+== Motivation
+
+// 9 years of Osmocom?
+// 3G and 4G development
+// Hardware for decoding
+* 9 years of Osmocom, 7 years since OsmocomBB
+* Started to look at implementing 3G/4G
+* Modems are a tool for research and development
+** Logs to analyze a specific problem
+** Traces to learn how something works
+* Modems power cellular IoT devices
+** 1.1 billion new cellular devices by 2021
+** eCall for vehicles
+** Integrated and worldwide certifications
+
+== This talk
+
+* A bit of History
+* Device overview
+* Qualcomm Kernel, Drivers and Userspace
+* Firmware upgrade
+
+== History
+
+* Wavecom, Sierra Wireless OpenAT systems
+* OpenAT allowed to build C code
+* Dynamically loaded into the modem OS
+* Runs without privilege separation, MMU
+* Odd limitations, blocking leads to watchdog reset
+
+[role="change_topic"]
+== Device/Market overview
+
+== Chipset vendors
+
+* Intel
+* Mediatek
+* Qualcomm
+* ???
+
+== Stack vendors
+
+* Fewer than used to be?
+* Risk of monoculture
+
+== Modem vendors
+
+* Mostly Qualcomm based chipsets
+* Cinterion, Huawei, U-Blox, Quectel, Sierra Wireless, Telit, ...
+
+== Qualcomm HW
+
+* Patents on CDMA technology
+* Extending their market position in 3G to 4G
+* Product wide diagnostic, log, control interface
+
+== DIAG protocol
+
+* HDLC frame, CRC16, simple framing
+* Command and Response
+** E.g. enable logging for categories
+** Read/Write NVRAM
+* Various implementations (e.g. ModemManager)
+
+== Quectel EC20
+
+image:images/ec20.png[height=200,role="gimmick_right"]
+
+* DIAG port mentioned in the documentation
+* Is available out of the box
+* MDM 9615 based module for 2G, 3G, 4G
+* Surprisingly runs Linux
+* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
+
+// Erst ein mal EC20 und sagen wieso es interessant ist
+// und dann, dass es Linux hat.. um dann ein Block diagram
+// zu haben?
+
+[role="change_topic"]
+== Qualcomm Details
+
+== MDM 9615 HW Intro
+
+* Qualcomm MDM 9615 chipset
+* Used in the iPhone 5 and automotive
+* Modems like Quectel EC20, Sierra Wireless MC7355
+* No public HW documentation?!
+
+== MDM 9615 HW Overview
+
+* ????
+// Block diagram?
+// Listing of interfaces.
+// Show it is a highly complex SoC... with even more things
+// that are unknown.. device tree file, periperhal, etc
+
+== MDM SW Overview
+
+image:images/gandroid_logo.png[height=200,role="gimmick_right"]
+
+* GNU libc, busybox userland
+* Android Debug Bridge (adb)
+* Android Linux kernel
+* Android Bootloader
+* Using OpenEmbedded to build images
+* Developed and maintained by Qualcomm
+
+
+
+
+== Linux kernel overview
+
+* Qualcomm Android Linux kernel
+* Huge changes compared to mainline
+* CPU and peripheral support
+*
+
+== ...
+
+
+
+[role="change_topic"]
+== Firmware upgrade
+
+// put the headline in the center
+
+== recovery and applypatch
+
+* Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git]
+* Updates are zip files with deltas, SHA1+RSA
+* recovery started on boot, drives applypatch
+----
+// Look for an RSA signature embedded in the .ZIP file comment given
+// the path to the zip. Verify it matches one of the given public
+// keys.
+----
+
+== Qualcomm EC20 firmware upgrade
+
+image:images/redbend.png[height=76,role="gimmick_right"]
+
+* Based on the recovery.git code
+* But for some reason (legacy?) is using RedBend
+* RSA linked into the binary but not called
+* RedBend used by many more companies and systems (e.g. Quectel UC20)
+
+
+== RedBend (delta update) software
+
+* Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
+* Lots of starring at hexdumps, lots of help from Dieter Spaar
+* Binary file format to diff, inserts, remove, link files
+* Variable size Table Of Contents
+** Filenames separated with 0x00
+** Permissions separated with 0xAF
+** Sections for diff, inserts with crc32, filesize, permission
+* Heavy in pointers/offsets, not robust
+* Not cryptographically signed!
+* Created tools to partially extract and create .diff file
+
+image:images/delta_header.png[width=600]
+
+
+== Firmware upgrade overview
+
+//[source]
+----
+$ strings atfwd_daemon | egrep "wget|QCMAP|fota|update.z"
+
+... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet
+/usr/bin/wget -T 20 -t 3 %s -O %s
+mv %s %s && mkdir -p /cache/fota && echo %s > %s
+/cache/fota/ipth_config_dfs.txt
+rm -rf /cache/fota /cache/recovery /cache/update.zip
+Start download fota for update.zip
+----
+
+* atfwd_daemon can be asked to start upgrade
+* Configure APN, specify URL, store result to update.zip
+* Add status and reboot to recovery
+* Apply update.zip and reboot
+
+== Firmware upgrade process
+
+image:images/upgrade_process.png[]
+
+
+== Hijacking firmware upgrade
+
+* Prepare a .diff with a new binary
+* Operate a fake BTS/nodeB/eNodeB
+* Trigger or wait for firmware update check
+* Redirect request
+* Wait for firmware to be installed
+* Optionally make it look like a network error
+
+
+== Questions
+
+* Questions?
diff --git a/2016/33c3/33c3-modems.css b/2016/33c3/33c3-modems.css
new file mode 100644
index 0000000..1876239
--- /dev/null
+++ b/2016/33c3/33c3-modems.css
@@ -0,0 +1,14 @@
+div.change_topic {
+ display: flex;
+ align-items: center;
+ justify-content: center;
+}
+
+div.change_topic h1 {
+ text-align: center;
+ border-bottom-width: 0px;
+}
+
+span.gimmick_right img {
+ float: right;
+}
diff --git a/2016/33c3/Makefile b/2016/33c3/Makefile
new file mode 100644
index 0000000..507bf69
--- /dev/null
+++ b/2016/33c3/Makefile
@@ -0,0 +1,8 @@
+all: 33c3-modems.html
+
+
+images/upgrade_process.png: images/upgrade_process.blockdiag
+ blockdiag -a -o images/upgrade_process.png images/upgrade_process.blockdiag
+
+33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png
+ asciidoc -a stylesheet=$(PWD)/33c3-modems.css 33c3-modems.adoc
diff --git a/2016/33c3/images/Android_robot.svg b/2016/33c3/images/Android_robot.svg
new file mode 100644
index 0000000..4e8f114
--- /dev/null
+++ b/2016/33c3/images/Android_robot.svg
@@ -0,0 +1,19 @@
+ + + + + + + + + + + + + + + + + + +
\ No newline at end of file
diff --git a/2016/33c3/images/Android_robot_GNU_head.svg b/2016/33c3/images/Android_robot_GNU_head.svg
new file mode 100644
index 0000000..4e56f15
--- /dev/null
+++ b/2016/33c3/images/Android_robot_GNU_head.svg
@@ -0,0 +1,1109 @@
+ + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/2016/33c3/images/delta_header.png b/2016/33c3/images/delta_header.png
new file mode 100644
index 0000000..f5cb75c
Binary files /dev/null and b/2016/33c3/images/delta_header.png differ
diff --git a/2016/33c3/images/ec20.png b/2016/33c3/images/ec20.png
new file mode 100644
index 0000000..d1a7321
Binary files /dev/null and b/2016/33c3/images/ec20.png differ
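Review bot: `$(PWD)` in the asciidoc recipe of the Makefile hunk is not a make built-in; it is only the shell's exported environment variable, so under `make -C 2016/33c3` or any invocation where PWD is unset or stale the stylesheet path resolves to the wrong directory and asciidoc silently renders without the custom CSS. Make's own `$(CURDIR)` always holds the directory make is running in: `asciidoc -a stylesheet=$(CURDIR)/33c3-modems.css 33c3-modems.adoc`. The `all` target also names no real file, so a stray file called `all` in the directory would make it appear up to date; adding `.PHONY: all` at the top avoids that.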
diff --git a/2016/33c3/images/gandroid_logo.png b/2016/33c3/images/gandroid_logo.png
new file mode 100644
index 0000000..c0e173f
Binary files /dev/null and b/2016/33c3/images/gandroid_logo.png differ
diff --git a/2016/33c3/images/heckert_gnu.svg b/2016/33c3/images/heckert_gnu.svg
new file mode 100644
index 0000000..06403cb
--- /dev/null
+++ b/2016/33c3/images/heckert_gnu.svg
@@ -0,0 +1,94 @@
+ + + + + + + + + image/svg+xml + + + + + Aurelio A. Hecker <aurium@gmail.com> + + + GNU Head + + + + + + + + + + + + + + + + + + + + +
diff --git a/2016/33c3/images/heckert_gnu_filling.png b/2016/33c3/images/heckert_gnu_filling.png
new file mode 100644
index 0000000..aa7ec90
Binary files /dev/null and b/2016/33c3/images/heckert_gnu_filling.png differ
diff --git a/2016/33c3/images/redbend.png b/2016/33c3/images/redbend.png
new file mode 100644
index 0000000..36aa85d
Binary files /dev/null and b/2016/33c3/images/redbend.png differ
diff --git a/2016/33c3/images/upgrade_process.blockdiag b/2016/33c3/images/upgrade_process.blockdiag
new file mode 100644
index 0000000..fdd769d
--- /dev/null
+++ b/2016/33c3/images/upgrade_process.blockdiag
@@ -0,0 +1,12 @@
+blockdiag {
+
+ node_width = 200;
+
+ AT [label="atfwd_daemon"];
+ QC [label="QCMAP_ConnectionManager"];
+ WG [label="wget"];
+ RI [label="recovery image"];
+
+ AT -> QC;
+ AT -> WG -> RI;
+}
-- 
cgit v1.2.3