Dissecting modern (3G/4G) cellular modems
=========================================
:author: Harald Welte, Holger Hans Peter Freyther
#:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA)
:backend: slidy
:max-width: 45em
//include::33c3-modems.css[]

== This talk

* Our motivation and approach
* A bit of history
* Selecting a device
* An unexpected surprise
* Firmware upgrade
* Recommendations/Wishes

== Motivation

// 9 years of Osmocom?
// 3G and 4G development
// Hardware for decoding

* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
* 7 years since OsmocomBB for GSM
* In the past used and built devices using 2G modems
* Started to build 3G/4G software, logs/traces help

== History

image:images/sl6087_hw.png[height=280,role="gimmick_right"]

* OpenAT by Sierra Wireless
* 2G and 3G were available
* Write C code using OpenAT APIs
* Dynamically loaded into the RTOS
* Runs without privilege separation, MMU
* Eclipse-based IDE and plugins (in Clojure)
* Discontinued HW platform => locked in
* Various limitations

== Device requirements

* Get textual logging when handling messages
* Get a copy of the radio network messages and export to GSMTAP
* Like Tobias Engel's https://github.com/2b-as/xgoldmon[x-goldmon]
* But for GPRS, 3G and 4G
* Enabled by default and not to be removed

== DIAG protocol

* Qualcomm diag in many products (see Guillaume Delugre's https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3)
* HDLC frame, CRC16, simple framing (0x7e)
* Command, Response, Events
** Enable logging of subsystems
** Enable events for subsystems
** Trigger firmware upgrade
** Read/Write RAM
* ModemManager uses it for additional information
* gsmparser of snoopsnitch to export to GSMTAP

== Selecting a device

* Option 3G Icon stick exposes DIAG out of the box
* Quectel UC20 (2G+3G) enables it by default
* Quectel EC20 (2G+3G+4G) enables it by default
* 2G, 3G and 4G sounds quite nice

== Quectel EC20
image:images/ec20.png[height=200,role="gimmick_right"]

* Using a Qualcomm MDM 9615 chipset
* Also used in the iPhone 5
* Surprisingly runs Linux
* Not surprising to people familiar with the MDM9615 (e.g. https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
* Not a lot of documentation available

// First introduce the EC20 and say why it is interesting,
// and then that it runs Linux.. and then have a block diagram?

[role="change_topic"]
== An unexpected surprise

== GPL compliance

* Got a firmware upgrade to fix stability
* Might contain traces of Linux?
* No written offer, let's see if it runs Linux
* gpl-tools to unpack, unyaffs
* strings, etc., AT+QLINUXCMD=?
* The fun and exploration begins

== GPL compliance

* Linux basis created by Qualcomm, used by Quectel
* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
* Many branches, releases, which to use?

[quote, Tonino Perazzi]
I tried the instructions above to build yaffs2 for MDM9615, so I downloaded source M9615AAAARNLZA1611161.xml but during compilation I faced some libs that are missing such as libQMI and acdb-loader..

image:images/qualcom_many_releases.png[width="80%"]

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
  Receiving source for the flash tool

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
  We have never been in a legal dispute and we always make sure to understand IPR ahead of using technology belonging to a third party.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
  We appreciate the efforts that your client has put into the open source project netfilter/iptable. However, we have some doubts about the alleged copyright. From our perspective, your client does not have the right to empower the copyright.
+
We think the software netfilter/iptable is built on the code of the operating system GNU/Linux, thus subject to GPL terms, where the FSF requires that each author of code incorporated in FSF projects either provide copyright assignment to the FSF or disclaim copyright (“we should keep the copyright status of the program as simple as possible. We do this by asking each contributor to either assign the copyright on his contribution to the FSF, or disclaim copyright on it and thus put it in the public domain”). Therefore, it seems that your client does not have the copyright on netfilter/iptable. As one of the leading providers of wireless solutions, Quectel is always respectful of IPR. We would like to comply with the GPL and make some necessary statements, including a disclaimer or appropriate notices. Under the terms of the GPL, we would like to dedicate the kernel code of EC25x to the free software community.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
  Many thanks for your detailed explanations of the GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GPL/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time, and release the git repositories in the next step.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
  We are always willing to achieve GPL compliance.

== GPL compliance

[qanda]
Asking for the complete and corresponding source::
  To be frank, we have had no experience with Open Source things before. So we need some time to get to know all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do so.

== GPL compliance

[qanda]
Your tarball is missing some files::
  We have issued all GPL licensed source code. We do not have the xt_dscp file in the project, and neither does Qualcomm.
+
It must be caused by your compilation environment. If you have more questions or problems during development with the Quectel module, please add my Skype ID (XXXXX), I will continue to support you on Skype. The email will not discuss the compiling issue any more.

== GPL compliance

* ... many months later
* License compliance still not achieved
* Sierra Wireless Legato is a positive example

image:images/legato_flash.png[width="80%"]

[role="change_topic"]
== MDM 9615 HW and SW

== Qualcomm Hardware

* Qualcomm MDM 9615 chipset
* Used in the iPhone 5 and automotive
* Modems like Quectel EC20, Sierra Wireless MC7355
* No public HW documentation?!
* Either not many people study it, or they are not allowed to share?

== MDM 9615 HW Overview

* ????

// Block diagram?
// Listing of interfaces.
// Show it is a highly complex SoC... with even more things
// that are unknown.. device tree file, peripherals, etc.

== MDM SW Overview

image:images/gandroid_logo.png[height=200,role="gimmick_right"]

* GNU libc, busybox userland
* Android Debug Bridge (adb)
* Android Linux kernel
* Android bootloader
* Using OpenEmbedded to build images
* Developed and maintained by Qualcomm

== Linux kernel overview

* Qualcomm Android Linux kernel
* Huge changes compared to mainline
* CPU and peripheral support

== ...

== Funny commands

* AT+QLINUXCMD, e.g. switch USB config to get adb
* AT+QFASTBOOT, switch to the bootloader
* AT+QPRINT, print dmesg
* AT for system("echo mem > /sys/power/state")

[role="change_topic"]
== Firmware upgrade

== recovery and applypatch

* Android ~4.0 based https://android.googlesource.com/platform/bootable/recovery.git/+/android-4.0.4_r2.1[recovery.git]
* Updates are zip files with deltas, SHA1+RSA
* recovery started on boot, drives applypatch

----
// Look for an RSA signature embedded in the .ZIP file comment given
// the path to the zip.  Verify it matches one of the given public
// keys.
----

== Qualcomm EC20 firmware upgrade

image:images/redbend.png[height=76,role="gimmick_right"]

* Based on the recovery.git code
* But for some reason (legacy?) is using RedBend
* RSA linked into the binary but not called
* RedBend used by many more companies and systems (e.g. Quectel UC20)

== RedBend (delta update) software

* Used in OMA Device Management? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
* Lots of staring at hexdumps, lots of help from Dieter Spaar
* Binary file format to diff, insert, remove, link files
* Variable size Table Of Contents
** Filenames separated with 0x00
** Permissions separated with 0xAF
** Sections for diff, inserts with crc32, filesize, permission
* Heavy in pointers/offsets, not robust
* Not cryptographically signed!
* Created tools to partially extract and create .diff file

image:images/delta_header.png[width=600]

== Firmware upgrade overview

//[source]
----
$ strings atfwd_daemon | egrep "wget|QCMAP|fota|update.z"
...
QCMAP_ConnectionManager
/etc/mobileap_cfg.xml
n
n
fotanet
/usr/bin/wget -T 20 -t 3 %s -O %s
mv %s %s && mkdir -p /cache/fota && echo %s > %s
/cache/fota/ipth_config_dfs.txt
rm -rf /cache/fota /cache/recovery /cache/update.zip
Start download fota for update.zip
----

* atfwd_daemon can be asked to start an upgrade
* Configure APN, specify URL, store result to update.zip
* Add status and reboot to recovery
* Apply update.zip and reboot

== Firmware upgrade process

image:images/upgrade_process.png[]

== Firmware example

* Show it?

== Recommendation

* Continue to allow owners of devices to reflash
* Secure the FOTA upgrading with owner-specified keys
* Make it easier to rebuild the code

== Questions

* Questions?
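Added example of what the recovery.git whole-file signature check (the "RSA signature embedded in the .ZIP file comment" on the recovery slide) actually covers, i.e. the step that is linked into the EC20 upgrader but never called. This is my code, not the talk's, Quectel's or AOSP's; the six-byte footer layout, the 256-byte RSA block before it and the EOCD checks follow my reading of the AOSP verifier and are assumptions here, and the update.zip it builds is a constructed sample (key verification is out of scope).

```python
import hashlib
import io
import struct
import zipfile

FOOTER_SIZE, EOCD_HEADER_SIZE, RSA_NUM_BYTES = 6, 22, 256
EOCD_MAGIC = b"PK\x05\x06"

def locate_signature(data: bytes) -> tuple[int, bytes]:
    """Return (signed_len, raw RSA signature) after recovery's sanity checks."""
    sig_start, marker, comment_size = struct.unpack("<H2sH", data[-FOOTER_SIZE:])
    if marker != b"\xff\xff":
        raise ValueError("no whole-file signature footer")
    if sig_start - FOOTER_SIZE < RSA_NUM_BYTES:
        raise ValueError("signature block too short for an RSA block")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    eocd = data[-eocd_size:]
    if not eocd.startswith(EOCD_MAGIC):
        raise ValueError("EOCD record not where the footer claims")
    # A second EOCD marker later on would let a naive zip parser pick a
    # central directory other than the one that was hashed and signed.
    if EOCD_MAGIC in eocd[4:]:
        raise ValueError("EOCD marker repeated after the real one")
    # Signed region: everything up to the EOCD comment-length field, so the
    # signature and footer themselves are excluded from the hash.
    signed_len = len(data) - eocd_size + EOCD_HEADER_SIZE - 2
    signature = data[-(FOOTER_SIZE + RSA_NUM_BYTES):-FOOTER_SIZE]
    return signed_len, signature

def signed_digest(data: bytes) -> bytes:
    """SHA-1 over the signed region; this is what the RSA signature covers."""
    signed_len, _ = locate_signature(data)
    return hashlib.sha1(data[:signed_len]).digest()

def is_signed(data: bytes) -> bool:
    # True when the footer/EOCD structure is sane; no key check included.
    try:
        locate_signature(data)
        return True
    except (ValueError, struct.error):
        return False

def make_sample_update(signature: bytes) -> bytes:
    """Constructed sample: a tiny update.zip whose comment carries `signature`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/google/android/updater-script", 'ui_print("hi");\n')
        comment_size = len(signature) + FOOTER_SIZE
        zf.comment = signature + struct.pack("<H2sH", comment_size, b"\xff\xff", comment_size)
    return buf.getvalue()
```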
== Announcement

* 3G femtocells for Osmocom/OpenBSC development

== Links

* Collection of links for further study
* https://osmocom.org/projects/quectel-modems
* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
* https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf
* https://github.com/2b-as/xgoldmon
* https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf