From ec7676c390c2ab7888ea318015cd853fc1659c18 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Tue, 27 Dec 2016 17:38:09 +0100 Subject: 33c3: more slides --- 2016/33c3/33c3-modems.adoc | 74 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 3 deletions(-) diff --git a/2016/33c3/33c3-modems.adoc b/2016/33c3/33c3-modems.adoc index a3c5e5d..a79f784 100644 --- a/2016/33c3/33c3-modems.adoc +++ b/2016/33c3/33c3-modems.adoc @@ -229,10 +229,14 @@ The software stack seems to be called *Qualcomm LE* ** `v3.18.20` in EC25: 1.9 million lines * Expected: CPU + peripheral drivers * Less expected: -** smem_log, ipc_log, remote spinlocks, etc. +** smem_log (shared memory logging) +** ipc_log (inter-processOR communication) +** remote spinlocks == Qualcomm Linux kernel subsystems +Some of the Qualcomm-specific kerrnel sub-systems + [cols="20%,80%"] |=== |SMD|Shared Memory Device @@ -241,6 +245,7 @@ The software stack seems to be called *Qualcomm LE* |BAM|Bus Access Manager |IPA|Internet Packet Accelerator |DIAGFWD|DIAG Forwarding +|AF_MSM_IPC|Socket family for Qualcomm IPC |=== == Qualcomm LE System Architecture 
@@ -273,7 +278,38 @@ every `rmnet` data device has associated QMI control image:images/qmi_smd_qmuxd.svg[width="100%"] -== Funny commands +== Tools for analysis + +We created some tools to help our analysis + +* used OE to build matching `opkg` and OE packages for `socat`, `lsof`, `strace` +* FOSS programs for the Linux AP linked against proprietary `libqmi-framework.so` +** `qmi_test`: Simple program to read IMEI via QMI +** `atcop_test`: Test program to implement AT commands in Linux userspace +* 100% FOSS programs +** `qmuxd_wrapper`: LD_PRELOAD wrapper for tracing betwene `qmuxd` and QMI clients +** `libqmi-glib` transport support for `qmuxd` (work in progress) +** `osmo-qcdiag`: Host tool for obtaining DIAG based logs from Linux programs + QMI traces, decoded via `libmi-glib` + +== Userspace programs + +We found a bunch of proprietary Linux userspace programs + +[cols="20%,80%"] +|=== +|`adbd`|Implements Android Debug Bridge +|`atfwd_daemon`|Implement Quectel-Specific AT Commands +|`quectel_daemon`|?; various ASoC related bits +|`qti`|? +|`mbim`|Mobile Broadband IF Model (tranlates MBIM to QMI) +|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router wit LTE backhaup +|`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0` +|=== + +[role="change_topic"] +== Funny bits + pieces + +== Funny AT commands * `AT+QLINUXCMD`, e.g. switch usb config to get adb ** arbitrary shell commands executed as root on r/w rootfs! 
@@ -281,7 +317,38 @@ image:images/qmi_smd_qmuxd.svg[width="100%"] * `AT+QPRINT`, print dmesg * AT for `system("echo mem > /sys/power/state")` +== How many processes does it take to reboot a system? + +* `rebootdiagapp` registers DIAG command (cmd code 0x29) +** spawns thread that runs `system("qmi_simple_ril_test input=/tmp/reset")` +** `system("echo 'modem reset' > /tmp/reset")` +*** makes `qmi_simple_ril_test` send a QMI message to modem +** `system("rm /tmp/reset")` +** writes "REBOOT" to `/dev/rebooterdev` this time using `fwrite()`! +* `reboot_daemon` reads `/dev/rebooterdev` + +---- +read_count = read(pipe_fd,buf,MAX_BUF-1); +/* if read REBOOT_STR, then call reboot */ +if(strncmp(buf,REBOOT_STR,strlen(REBOOT_STR)) == 0) { + debug_printf("going for reboot\n"); + printf("reboot-daemon: initiating reboot\n"); + system("reboot"); +} +---- + +== C programs that look like shell scripts + +* strings /usr/bin/quectel_daemon +---- +echo "nau8814-aif1" > /sys/devices/platform/soc-audio.0/tx_dai_name +cp -f /cache/usb/qcfg_usbcfg /etc/; cp -f /cache/usb/usb /etc/init.d/ +echo 90 >/sys/kernel/debug/pm8xxx-pwm-dbg/0/duty-cycle +pkill -f "/bin/sh /usr/bin/nmea_demon.sh" +ps ef | grep "quec_bridge /dev/nmea /dev/ttyGS0" | grep -v grep +cd /cache/ufs;ls +---- [role="change_topic"] == Firmware upgrade @@ -358,7 +425,8 @@ Start download fota for update.zip * Our results / hacks ** https://osmocom.org/projects/quectel-modems -** FIXME: quectel-experiments.git +** git://git.osmocom.org/quectel-experiments.git +** git://git.osmocom.org/osmo-qcdiag.git ** FIXME: quectel source tarball mirror * Collection of links for further study ** ftp://ftp2.quectel.com/OpenSrc/ -- cgit v1.2.3
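Review bot: In the first hunk (`@@ -229,10 +229,14 @@`) the new lead-in line `+Some of the Qualcomm-specific kerrnel sub-systems` has a typo ("kerrnel" should be "kernel"), and `+** ipc_log (inter-processOR communication)` has stray capitalisation: IPC expands to "inter-process communication". Suggest fixing both before these slides are rendered; the expansions themselves (smem_log as shared memory logging, remote spinlocks, the new `AF_MSM_IPC` table row) are fine.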
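Review bot: The second hunk (`@@ -273,7 +278,38 @@`) introduces several spelling errors in the new "Tools for analysis" and "Userspace programs" slides: "betwene" (between) in the `qmuxd_wrapper` bullet, "tranlates" (translates) in the `mbim` row, and "runs linux-base WiFi AP/router wit LTE backhaup" in the `QCMAP_ConnectionManager` row, which should read "runs Linux-based WiFi AP/router with LTE backhaul". The `osmo-qcdiag` bullet also says "decoded via `libmi-glib`" where the library named elsewhere in the same hunk is `libqmi-glib`, so this looks like a dropped character rather than a different project. The `[role="change_topic"]` slide "Funny bits + pieces" has no body, which is presumably intentional as a section divider.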
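Review bot: In the third hunk (`@@ -281,7 +317,38 @@`) the two `----` listing blocks carry no `[source,c]` / `[source,sh]` attribute, so the `reboot_daemon` C excerpt and the `strings /usr/bin/quectel_daemon` output will render as plain monospace rather than highlighted code; the rest of the deck uses AsciiDoc attributes such as `[cols=...]` and `[role=...]`, so adding the source attribute would be consistent. The bullet `* strings /usr/bin/quectel_daemon` should have the command in backticks like the other command names on these slides. Worth a one-line remark on the slide that the quoted vendor snippet compares `buf` with `strncmp` right after `read()` without terminating it, since that is the point the "how many processes" slide is making about the reboot path.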
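Review bot: The last hunk (`@@ -358,7 +425,8 @@`) resolves the `FIXME: quectel-experiments.git` placeholder with `git://git.osmocom.org/quectel-experiments.git` and adds `git://git.osmocom.org/osmo-qcdiag.git`, but leaves `** FIXME: quectel source tarball mirror` in place; either fill in that URL or drop the line before the final slides are published, since a FIXME on the references slide will be visible to the audience.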