path: root/2009/foss-mobile_world-seville2009/foss-mobile_world.mgp
blob: af86d0bb6c3aef8dd48b5cd2ae2472906db5b8d2 (plain)
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7

Free and Open Source Software
in the 
Mobile World

%center
%size 4
by

Harald Welte <laforge@gnumonks.org>

netfilter.org / openmoko.org / openpcd.org 
gpl-violations.org / openezx.org / gnufiish.org
berlin.ccc.de / openBSC.gnumonks.org
deDECTed.org / hmw-consulting.de / viatech.com

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Introduction

Who is speaking to you?
		an independent Free Software developer, consultant and trainer
		15 years experience using/deploying and developing for Linux on server and workstation
		12 years professional experience doing Linux system + kernel level development 
		strong focus on network security and embedded
		expert in Free and Open Source Software (FOSS) copyright and licensing
		digital board-level hardware design, esp. embedded systems
		active developer and contributor to many FOSS projects
		thus, a techie, who will therefore not have fancy animated slides ;)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Why?


Why?
	For the same reason you have FOSS in other areas
		You can run a 100% FOSS Personal Computer / Laptop
		The majority of all consumer electronics network gear runs Linux
			DSL-Router, WiFi Access Point, Network Attached Storage
		To enable people to exercise the core freedoms
			to study and understand the software
			to share the software with others
			to modify, and run + share modified versions
	Because the mobile world is 100% proprietary and anti-competitive


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The closed Mobile World


Compare the Mobile world with the PC world
	In the PC world
		you buy some more or less standardized hardware
		you have the freedom to install whatever OS on it
		you have the freedom to install whatever Apps on it
		you can run it 100% based on FOSS and get the freedoms
		you connect to communications networks with (dsl-)modem
		the network protocol stack (TCP/IP, WiFi, ISDN) runs on the PC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The closed Mobile World


Compare the Mobile world with the PC world
	In the Mobile world
		you buy some product (mobile phone)
		the product ships with pre-installed OS and Apps
		the manufacturer does everything to prevent you from installing an OS of your choice
		there is no single product/solution based on 100% FOSS
		the network protocol stack (GSM/GPRS/UMTS) runs in proprietary firmware

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The closed Mobile World


It gets even worse...
	The phone maker and/or operator have remote control over
		reading/writing entries of your phonebook
		making your phone send SMS
		making your phone place phone calls
		update/change the software over the air (FOTA)
		preventing you from using the bluetooth/USB interface the way you want
			transfer ringtones, make backups, tethering

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The closed Mobile World


So the end result
		You buy a product for _a lot_ of money...
		... but you don't _own_ the product. The manufacturer or operator does
		So why should you pay money?
		If it is yours, you decide what it does or doesn't do.
		If the operators want to own the phone, they should rent it to you, not sell it.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
How can we free the phone


We can free the mobile phone world by:
	building more open hardware
		hard, since most chips/components are very FOSS unfriendly
	developing FOSS based OS/middleware/applications
		easily possible, but hard without open hardware
	developing a FOSS GSM protocol stack
		extremely hard, tight NDAs and business conduct basically prevent anyone from entering the market

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
How can we free the phone


FOSS for mobile phones
	HTC-Linux / xda-developers project
		reverse-engineering of HTC smartphones
	OpenEZX.org
		reverse-engineering Motorola EZX and MAGX phones
	gnufiish.org
		reverse-engineering E-TEN glofiish phones
	openmoko.org
		designing and building open, FOSS-friendly phones

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Reverse Engineering


Reverse Engineering projects
	are always late
		they start after the product ships
	are getting harder and harder
		many new System-on-a-Chip have docs under NDA
		frequent use of FPGA or CPLD or custom ASIC
		cryptographic signatures in boot loader
	very rarely have a big impact
		the software might be complete when hardware is end-of-life

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Reverse Engineering


How to find such a Linux-friendly device?

	Look at hardware details of available devices
		Use Google to find out what hardware they use
		Use FCC database to get PCB photographs
		Look at WM firmware images (registry/...)
		At some point you buy one and take it apart

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Linux-friendly hardware

I went through this process
	I found the E-TEN glofiish devices
	They are very similar to Openmoko
		Samsung S3C2442 SoC MCP with NAND+SDRAM
		TD028TTEC1 full-VGA LCM
	Other hardware parts reasonably supported/known
		Marvell 8686/libertas WiFi (SPI attached)
		SiRF GPS (UART attached)
		CSR Bluetooth (UART attached)
	Only some unknown parts
		CPLD for power management and kbd matrix
		Ericsson GSM Modem (AT commandset documented!)
		Cameras (I don't really care)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Project gnufiish


Project 'gnufiish'
	Port Linux to the E-TEN glofiish devices
	Initially to the M800 and X800
	Almost all glofiish have very similar hardware
	Openmoko merges all my patches in their kernel!
	Official inclusion to Openmoko distribution

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Project gnufiish

gnufiish Status
		Kernel (2.6.24/2.6.27) booted on _first attempt_
	Working
		I2C host controller
		I2C communication to CPLD and FM Radio
		USB Device mode (Ethernet gadget)
		Touchscreen input
		LCM Framebuffer
		LCM Backlight control
		GPS and Bluetooth power control
		GPIO buttons
	In the works
		Audio Codec driver (50% done)
		GSM Modem (SPI) driver (80% done)
		M800 Keyboard + Capsense driver (25% done)
		SPI glue to libertas WiFi driver (70% done)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
HOWTO

How was this done?
	Various reverse engineering techniques
		Take actual board apart, note major components
		Use HaRET (hardware reverse engineering tool)
		Find + use JTAG testpads
		Find + use serial console
		Disassemble WinMobile drivers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Take hardware apart

Opening the case and voiding your warranty
%image "x800_backside_nobat_nocover.jpg"
Note the convenient test pads beneath the battery 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Take hardware apart

Opening the case
%image "x800_opening_the_case.jpg" 800x600
If you have a bit of experience in taking apart devices, you can do that without any damage...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Take hardware apart

The Mainboard with all its shielding covers
%image "x800_mainboard_with_shielding.jpg" 800x600
Obviously, the shielding needs to go

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Take hardware apart

The application processor section
%image "x800_application_processor.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Take hardware apart

The HSDPA modem section
%image "x800_hsdpa_modem.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Take hardware apart

The backside
%image "x800_backside_with_lcm.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
JTAG pins

	Find + use JTAG testpads
		JTAG is basically a long shift register
		Input, Output, Clock (TDI, TDO, TCK)
		Therefore, you can try to shift data in and check if/where it comes out
		Automated JTAG search by the project "jtagfinder" by Hunz (German CCC member)
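The "shift data in and check if/where it comes out" idea, as an added example that is not part of this talk nor of the jtagfinder project: a simulated board with unnamed test pads, where every ordered (TCK, TDI, TDO) pad triple is tried and a hit is a delayed echo of the probe word, the delay being the register length. The TAP is assumed to sit in Shift-DR already (TMS handling is outside the model); pad names, the probe word and the chain length are constructed.

```python
from itertools import permutations

# Constructed probe word. It starts with 1 and ends with "1, 0", so a delayed
# copy of it can match at exactly one delay (no earlier or later false hit).
PATTERN = [1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]
MAX_CHAIN = 32  # longest register length the search will recognise


class SimulatedTarget:
    """Black-box board model: named pads, one hidden (TCK, TDI, TDO) triple
    joined by a shift register of hidden length. tck=None models a board
    with no JTAG on the probed pads at all."""

    def __init__(self, pads, tck=None, tdi=None, tdo=None, chain_len=1):
        self.levels = {p: 0 for p in pads}
        self._tck, self._tdi, self._tdo = tck, tdi, tdo
        self._chain = [0] * chain_len  # stage 0 is fed by TDI, last stage drives TDO

    def write(self, pad, level):
        """Drive one pad. A rising edge on the real TCK samples the real TDI
        and shifts the register by one stage. (A real TAP updates TDO on the
        following falling edge; the model updates it at once, which only
        moves the host's sampling point by half a clock.)"""
        prev, self.levels[pad] = self.levels[pad], level
        if pad == self._tck and prev == 0 and level == 1:
            self._chain = [self.levels[self._tdi]] + self._chain[:-1]
            self.levels[self._tdo] = self._chain[-1]

    def read(self, pad):
        return self.levels[pad]


def shift_bits(target, tck, tdi, tdo, bits):
    """Clock `bits` into candidate TDI on candidate TCK and return what the
    candidate TDO showed, sampled before each rising edge as a host would."""
    captured = []
    for bit in bits:
        target.write(tdi, bit)
        captured.append(target.read(tdo))
        target.write(tck, 1)
        target.write(tck, 0)
    return captured


def find_jtag(target, pads):
    """Try every ordered (TCK, TDI, TDO) triple of pads. Return the first
    triple whose TDO echoes PATTERN together with the echo delay (the number
    of register stages between TDI and TDO), or None if no pad triple does."""
    for tck, tdi, tdo in permutations(pads, 3):
        # Flush: shift a known run of zeros so the register content is known
        # before the probe word goes in.
        shift_bits(target, tck, tdi, tdo, [0] * MAX_CHAIN)
        out = shift_bits(target, tck, tdi, tdo, PATTERN + [0] * MAX_CHAIN)
        for delay in range(MAX_CHAIN + 1):
            if out[delay:delay + len(PATTERN)] == PATTERN:
                return tck, tdi, tdo, delay
    return None


if __name__ == "__main__":
    pads = ["TP1", "TP2", "TP3", "TP4", "TP5", "TP6"]
    board = SimulatedTarget(pads, tck="TP4", tdi="TP2", tdo="TP5", chain_len=5)
    print(find_jtag(board, pads))
```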

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_dbgconn_closeup.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_debcon_pcb.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_jtagfinder_probes.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_jtagfinder.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
JTAG pins


Found JTAG pins
	Chain 1
		Samsung S3C2442 Application Processor
		Has standard ARM JTAG ICE
	Chain 2
		CPLD programming interface
	Remaining work
		find the nTRST and nSRST pins

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Serial console


How to find the serial console
	Just run some code that you think writes to it
	Use a Scope to find typical patterns of a serial port
	I haven't actually done (or needed) this on the glofiish yet, but on many other devices
	RxD pin is harder to find; trial and error usually works as soon as you have some interactive prompt that echoes the characters you write
	Don't forget to add a level shifter from 3.3/5V to RS232 levels
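What the "typical pattern of a serial port" looks like in a capture and how to recover the baud rate from it, as an added example that is not from the talk: the line idles high, the shortest level run in the capture is one bit period (snapped to the nearest standard rate), and 8N1 frames are then decoded from each start bit. The waveform is constructed by the encoder in the block; the text, sample rate and baud rates are assumptions.

```python
import math

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def encode_8n1(text, baud, sample_rate, idle_bits=4):
    """Constructed stimulus: a logic-analyser capture of `text` on an
    idle-high 8N1 TxD line, `sample_rate` samples per second."""
    bits = [1] * idle_bits
    for byte in text.encode("ascii"):
        # start bit, eight data bits LSB first, stop bit
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    bits += [1] * idle_bits
    n_samples = math.ceil(len(bits) * sample_rate / baud)
    return [bits[min(int(i * baud / sample_rate), len(bits) - 1)]
            for i in range(n_samples)]


def estimate_baud(samples, sample_rate):
    """The shortest run of equal samples in a UART capture is one bit
    period. Return the standard baud rate closest to sample_rate / run."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    if len(runs) < 2:
        return None  # no transitions: not a UART line, or nothing transmitted
    raw = sample_rate / min(runs[1:])  # runs[0] is the unbounded leading idle
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_8n1(samples, sample_rate, baud):
    """Decode 8N1 frames: wait for a falling edge, sample the ten bit centres
    of the frame, accept the byte only if start is low and stop is high."""
    spb = sample_rate / baud  # samples per bit, usually fractional
    out, i, n = bytearray(), 0, len(samples)
    while i < n:
        if samples[i]:  # idle or stop level: wait for a start bit
            i += 1
            continue
        mid = [i + int((k + 0.5) * spb) for k in range(10)]
        if mid[9] >= n:
            break
        if samples[mid[0]] != 0:  # glitch shorter than half a bit, not a start
            i += 1
            continue
        value = sum(samples[mid[k + 1]] << k for k in range(8))
        if samples[mid[9]] == 1:  # valid stop bit; otherwise a framing error
            out.append(value)
        i = mid[9]  # resume inside the stop bit; the next start bit resyncs
    return bytes(out)


def sniff_console(samples, sample_rate):
    """Baud estimate plus decoded bytes, as one would do with a scope trace."""
    baud = estimate_baud(samples, sample_rate)
    return baud, (decode_8n1(samples, sample_rate, baud) if baud else b"")


if __name__ == "__main__":
    capture = encode_8n1("Boot>", 115200, 1_000_000)
    print(sniff_console(capture, 1_000_000))
```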

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
What's HaRET

What is HaRET
	a Windows executable program for any WinCE based OS
	offers a control interface on a TCP port
	connect to it using haretconsole (python script) on Linux PC
	supports a number of popular ARM based SoC (PXA, S3C, MSM)
	features include
		GPIO state and tracing
		MMIO read/write
		virtual/physical memory mapping
		IRQ tracing (by redirecting IRQ vectors)
		load Linux into ram and boot it from within WinCE

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Using HaRET

Using HaRET
	run the program on the target device
	connect to it using haretconsole over USB-Ethernet
	read GPIO configuration
		Create GPIO function map based on SoC data sheet
	watch for GPIO changes
		remove the signal from the noise
		exclude uninteresting and frequently changing GPIOs
	watch for GPIO changes while performing certain events
		press every button and check
		start/stop peripherals
		insert/eject SD card
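The "remove the signal from the noise" step above, as an added example that is not haretconsole code: GPIO bits that already toggle while the device is idle are excluded, and only the bits that first change during a button press are reported, with the pin-function name from the data-sheet map. The two traces, the bank names and the function map are constructed.

```python
from collections import Counter

# Constructed GPIO snapshots: (time_ms, {bank: level word}). Bank names follow
# the S3C24xx naming convention, the bit assignments are invented.
TRACE_IDLE = [  # device left alone
    (0, {"GPF": 0xFE, "GPG": 0x1001}),
    (10, {"GPF": 0xFF, "GPG": 0x1001}),  # GPF0 toggles on every sample: noise
    (20, {"GPF": 0xFE, "GPG": 0x1000}),  # GPG0 drops once and stays low
    (30, {"GPF": 0xFF, "GPG": 0x1000}),
    (40, {"GPF": 0xFE, "GPG": 0x1000}),
]
TRACE_EVENT = [  # same device while one key is pressed and released
    (100, {"GPF": 0xFF, "GPG": 0x1000}),
    (110, {"GPF": 0xF6, "GPG": 0x1000}),  # GPF3 goes low (GPF0 keeps toggling)
    (120, {"GPF": 0xF7, "GPG": 0x1000}),
    (130, {"GPF": 0xFF, "GPG": 0x1000}),  # key released
]

# Assumed pin-function names, as they would be copied from the SoC data sheet.
FUNCTION_MAP = {("GPF", 0): "EINT0", ("GPF", 3): "EINT3"}


def transitions(trace):
    """Yield (bank, bit, old, new) for every bit that differs between two
    consecutive snapshots of the trace."""
    for (_, prev), (_, cur) in zip(trace, trace[1:]):
        for bank, word in cur.items():
            diff, bit = word ^ prev[bank], 0
            while diff:
                if diff & 1:
                    yield bank, bit, (prev[bank] >> bit) & 1, (word >> bit) & 1
                diff >>= 1
                bit += 1


def noisy_bits(idle_trace, min_toggles=2):
    """Bits that change at least min_toggles times with nobody touching the
    device are background activity, not the line we are looking for."""
    counts = Counter((bank, bit) for bank, bit, _, _ in transitions(idle_trace))
    return {pin for pin, n in counts.items() if n >= min_toggles}


def event_candidates(idle_trace, event_trace, min_toggles=2):
    """Bits that change during the event and are not idle noise, with the
    direction of their first change (1->0 suggests an active-low button)."""
    noise = noisy_bits(idle_trace, min_toggles)
    first = {}
    for bank, bit, old, new in transitions(event_trace):
        if (bank, bit) not in noise and (bank, bit) not in first:
            first[(bank, bit)] = (old, new)
    return sorted((bank, bit, old, new)
                  for (bank, bit), (old, new) in first.items())


def describe(candidates, function_map=FUNCTION_MAP):
    """Annotate candidates the way one would in the haretconsole log."""
    return [f"{bank}{bit} ({function_map.get((bank, bit), 'unknown')}): {old}->{new}"
            for bank, bit, old, new in candidates]


if __name__ == "__main__":
    for line in describe(event_candidates(TRACE_IDLE, TRACE_EVENT)):
        print(line)
```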

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Using HaRET


Using HARET
	watch for IRQ changes/events
		e.g. you see DMA3 interrupts while talking to the GSM
		read MMIO config of DMA controller to determine user: SPI
		read SPI controller configuration + DMA controller configuration
		find RAM address of data buffers read/written by DMA
	haretconsole writes logfiles
		you can start to annotate the logfiles 
	of course, all of this could be done using JTAG, too.
		but with HaRET, you mostly don't need it!!!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Disassembling WinCE drivers


Disassembling WinCE drivers
	is the obvious thing to do, right?
	is actually not all that easy, since
		WinCE doesn't allow you to read the DLLs
			neither via ActiveSync nor via the WinCE filesystem APIs
		Apparently, they are pre-linked and not real files anymore
	luckily, there are tools in the 'ROM cooking' scene
		hundreds of different tools, almost all need Windows PC
		therefore, not useful to me
	conclusion: Need to understand the ROM image format

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Disassembling WinCE ROM files


Disassembling WinCE ROM files
		'datextract' to extract different portions like OS image
		'x520.pl' to remove spare NAND OOB sectors from image and get a file
		split resulting image in bootsplash, cabarchive and disk image
		'xx1.pl' to split cabarchive into CAB files
		'partextract' to split disk image in partitions
		'SRPX2XIP.exe' (wine) to decompress XPRS compressed partition0+1
		'dumpxip.pl' to dump/recreate files in partition0 and 1
		'ImgfsToDump.exe' to dump/recreate files in partition2 (imagefs)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Disassembling WinCE Drivers


Disassembling WinCE Drivers
	Now we finally have the re-created DLLs with the drivers
	Use your favourite debugger/disassembler to take them apart
	I'm a big fan of IDA (Interactive Disassembler)
		The only proprietary software that I license+use in 15 years
		There's actually a Linux x86 version
		Was even using it with qemu on my Powerbook some years back

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
WinCE Registry


WinCE has a registry, too
	I never really understood what this registry is all about, but it doesn't matter ;)
	You can use 'synce-registry' to dump it to Linux
	Contains important information about
		how drivers are interconnected
		various configuration parameters of drivers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko




%center
%size 7
OpenMoko


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
WARNING


While I was the Lead System Architect for hardware and system-level software throughout the first 16 months of the project,

I quit working for OpenMoko, Inc. or the FIC group in November 2007.

Thus, I do not officially represent either of these entities!


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
What is OpenMoko

The commercial side

	OpenMoko, Inc., ("OpenMoko, the Company")
		Doing the actual hardware development
		Funding the OpenMoko software R&D
		Responsible for product definition, sales, marketing, PR, ...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
What is OpenMoko

The community side
	OpenMoko, the overall Free Software project
		A FOSS project working on
			OpenMoko kernel/u-boot patches (hardware support)
			OpenMoko GNU/Linux distribution
			OpenMoko UI / framework
		Funded by OpenMoko, Inc.

	OpenMoko, the embedded GNU/Linux distribution
		An OE-built embedded GNU/Linux distribution for mobile communications devices
		Primarily targeted at OpenMoko/FIC handsets
		Is being ported to other devices by the community
		Maintained by OE coreteam member employed by OpenMoko, Inc.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
What is OpenMoko about?


	Open
		Opening up the formerly-closed mobile world
		on any achievable level

	Mobile
		Mobile devices are the future

	Free
		100% Free Software from driver through UI

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Neo1973 GTA01 hardware

Neo1973 GTA01 hardware (2007)
		S3C2410 SoC @ 266MHz
		2.8" 480x640 LCM, 262k colors
		128MB SDRAM
		64MB SLC NAND (512/16k)
		USB 1.1 device and host (unpowered)
		A-GPS (without processor)
		GSM+GPRS chipset (ARM7 based)
		Wolfson audio codec
		2 stereo speakers (1.2W)
		2.5mm headset jack
		CSR4 based Bluetooth
		NXP PCF50606 power management unit

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Neo1973 GTA02 hardware

Neo1973 GTA02 hardware (2008)
		S3C2442B SoC @ 400 MHz (500MHz option)
		2.8" 480x640 LCM, 262k colors
		128MB SDRAM
		256MB SLC NAND (2048/128k)
		USB 1.1 device and host (with power)
		A-GPS (fully autonomous firmware-based)
		GSM+GPRS chipset (Ti Calypso, ARM7 based)
		CSR4 based Bluetooth
		Atheros AR6k based 802.11b/g WiFi
		2 3D accelerometers
		Smedia Glamo 3362 GPU
		NXP PCF50633 power management unit

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Hackable Device

Hackable Device
	Standards compliance wherever possible
	The device shall be under full user control
	Everyone should be able to hack it, at any level
	Make the entry barrier for development as low as possible
	bootloader prompt via USB serial emulation
	Serial console
	JTAG for the people
	Provide Debug Board with embedded USB JTAG + serial adapter

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
User control

User control
	The phone needs to be under control of the user, and the free software he uses
	Even backdoors or rogue GSM firmware shall not be able to intrude on the privacy of the user
	So we e.g. put the Audio codec (under explicit control from the Linux-running AP) between microphone/speaker and the GSM modem
	So we enable the Linux-running AP to cut power of the GSM modem
	Thus, free software (and thus the user) remains in ultimate control


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Hackable at any level

Hardware Hacking
	we even encourage hardware hacking
	I2C, SPI, GPIO and IRQ line on documented test pads and connector
	allows for attachment of new peripherals to the device
	even the hardware schematics available under FOSS-permissive NDA

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Hackable at any level

System-level hacking (bootloader, OS)
	entire bootloader from very first instruction FOSS
	entire kernel including all drivers FOSS
	JTAG accessible on debug connector
	serial console on debug connector
	debug board (USB JTAG adaptor and USB serial converter)
	un-brickable through emergency boot loader in read-only NOR flash (GTA02)
	DFU (Device Firmware Upgrade) for full-system re-flash via USB

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Hackable at any level

Userspace and UI level hacking
	entire userspace world FOSS (libraries, daemons, UI, X driver, ...)
	FOSS build system and toolchain/SDK enable anyone to build custom software packages and/or flash images
	provide a programming environment as close as possible to the Linux desktop world
	allow developers to re-use their existing Linux development skills

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
GSM Integration

But you can't hack the GSM stack
	yes, that is true.
	pretty much like you can't hack the firmware of your SCSI or RAID controller, WiFi card, Bluetooth chipset, etc.
	even the firmware of a good old analogue phone line (voice) modem was not hackable
	having proprietary firmware on a dedicated peripheral CPU is even acceptable to the FSF!
	And no doubt, anyone inside OpenMoko would love to ever have an open source GSM stack.  Patches welcome :)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
GSM Integration

But you can't hack the GSM stack
	so you get the maximum level of freedom that you can get with any other peripheral device:
		open source low-level (mux, power mgmt) drivers
		open source high-level drivers (gsm daemon)
		openly documented serial protocol (TS 07.05, 07.07, 07.10)
	asking for more freedom on the GSM side is hypocritical when accepting the very same level with other peripheral devices.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
GSM Integration

But you can't hack the GSM stack
	besides that
		GTA01 has baseband JTAG on test pins
		OpenMoko does not cryptographically sign GSM firmware images
		GSM firmware is user-upgradable

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
OpenMoko
Difference

Difference from other Linux phones
		'others' discourage third parties from writing apps
			you need explicit permission? WTF!
		'others' try to make customers pay for a device that's still under manufacturer / GSM operator control
		'others' use proprietary kernel modules
			locks you into some old kernel version
		'others' use proprietary bootloaders
		'others' don't give you JTAG/serial access
		'others' use proprietary UI toolkits
			vendor lock-in
		'others' don't give out their build system
		'others' don't give out their firmware update tools

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS for the Mobile World




%center
%size 7
FOSS for the GSM network side


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS for the Mobile World
Why FOSS for the network side?


Why?
	For the same reason you might run other networks
		To learn and experiment with technology
		To boldly go where no [free] man has gone before ;)
	Practical demonstration of known GSM security problems
	Raise public awareness about GSM [in]security
		thus increase the incentive for the market to improve

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Legal Disclaimer


Legal Disclaimer
	Don't try this at home!
	GSM operates on LICENSED spectrum
		Thus, you need approval from the regulatory authority
		Only use BTS with dummy load!
		Don't interfere with the operators!
	Our software is strictly for research purpose only

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
GSM Network Architecture


The Hitchhikers Guide to the GSM Network
	unfortunately does not exist

The GSM related literature
	is typically too high-level

The GSM protocol specifications
	are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
GSM Network Architecture

GSM is a bit-synchronous network
	it draws many analogies from ISDN and SDN
	layer 2 modelled after Q.921 / LAPD
	call signalling modelled after Q.931
	but: many more protocols for mobility management, radio resources, ...
	like all traditional Telco protocols: Intelligence in the network, not in the end nodes.

GSM is a TDMA "nightmare"
	e.g. you never know from/for whom data is without the timing context

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
GSM Network Architecture

MS
	Mobile Station (your Phone)
BTS
	Base Transceiver Station
BSC
	Base Station Controller
MSC
	Mobile Switching Center
HLR/VLR
	Home/Visitor Location Register


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
GSM Base Transceiver Station

BTS
	As the name indicates "transceiver"
	Handles 
		Layer 1 and some parts of RF layer 2
		Modulation/Demodulation
		Time Multiplex, scheduling of frames
	Is not a "Base Station", i.e. not self-contained
		True 'slave' to the BSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
GSM Base Station Controller


BSC
	Base Station Controller
	Handles
		most of the actual decision making
		really controls most aspects of BTSs
		handles intra-BSC cell handover

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
GSM A-bis interface


BSC <-> BTS Interface
	is called A-bis
	has the following control layers on E1 TS1
		L2ML (Layer 2 Management)
			TEI management similar to ISDN
		OML (Organization & Maintenance)
			System parameters, events
		RSL (Radio Subsystem Layer)
	has encoded voice data (TRAU frames) on other E1 TS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The Siemens BS-11 microBTS


Siemens BS-11 microBTS
	plain old 2G (GSM voice calls, CSD)
	one or two TRX, 30mW to 2W each, GSM900
	two E1 interfaces (for daisy-chaining)
	documentation under NDA, but
		99.9% of the A-bis protocol available from GSM specs
			See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
	RS232 serial port for Local Maintenance Terminal
		LMT software proprietary under NDA
			not needed for operation of the BTS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The Siemens BS-11 microBTS

%image "1_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
The Siemens BS-11 microBTS


First steps with the Siemens BS-11
	Harald bought a BS-11 on e-Bay in 2006
		Started to read some specs (08.5x) about A-bis
		Started to build cables for E1 and power
		Bought HFC-E1 PCI card
		Bought Elmi EGM35 Abis analyzer (e-Bay once again)
		Got in contact with other people who also bought a BS-11
		Found somebody who could provide Abis traces
		Never really had time due to Openmoko and other projects

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
OpenBSC


OpenBSC (12/2008)
	get L2ML to work with mISDN
		mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
	learn how new sockets-based mISDN API works
	come up with event-driven architecture, single select loop, no threads, ...
	At 25C3:
		add libdbi/sqlite database for "HLR"
		get paging to work, support for configurable network ID
		debugging + stabilization with > 1000 test users ;)
		IMSI + IMEI skimming

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Work at 25C3


IMSI+IMEI skimming
	very simple:
		phones with automatic network selection pick strongest network
		they send LOCATION UPDATE REQUEST
		we send IDENTITY REQUEST IMSI + IMEISV
		they send IMSI + IMEISV
		we store this in the database
		and then send LOCATION UPDATE REJECT

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Work at 25C3


Mobile Originated Call
	once a MS is registered, we can
		dial a number from the MS
		allocate and establish a TCH/F 
		deal with the Signalling and get into Connect
	unfortunately, code for handling voice streams not finished

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Work at 25C3


Mobile Originated SMS
	once a MS is registered, we can
		send a SMS
		parse + acknowledge SMS PDU data

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Work at 25C3


The Egypt simulation
	apparently GPS is illegal in mobile phones in Egypt
		"Egypt detection" implemented by checking if any surrounding cells have the Egypt country code
		phones don't even have to register to our BTS!
		so if we claim to be e.g. MobiNil, phones will shut off their GPS


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Other GSM related FOSS


Other GSM related FOSS
	OpenBTS
		100% Software Defined Radio based on USRP + gnuradio
		implements entire RF+layer1/2/3 and interfacing to SIP/Asterisk
		much more than just a BTS!!
		some code overlap with OpenBSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Other GSM related FOSS


THC GSM project
	now converging into airprobe.org
	working on a protocol analyzer / sniffer for GSM Um Air interface
	slow progress, only few people understand the technology
	but it's actually not all that hard, just needs time and motivation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Links

	OpenBSC
		http://openbsc.gnumonks.org/
	3GPP / ETSI GSM Specs
		http://www.3gpp.org/
	Priv-Doz. Dr.-Ing Joachim Goeller
		http://www2.informatik.hu-berlin.de/~goeller
	THC GSM Wiki 
		http://wiki.thc.org/gsm
	OpenBTS
		http://gnuradio.org/trac/wiki/OpenBTS
	Harald's branch of gsm-tvoid, etc
		git://git.gnumonks.org/gsm.git

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
FOSS in the Mobile World
Thanks


Thanks to
		The FSF and Richard Stallman for the GPL 
			which e.g. enabled us to get the kernel source for the EZX phones
		Openmoko, Inc. for their work on Freeing the mobile world
		The ETSI/3GPP for having all their specifications online
		zecke, alphaone, Stefan for their work on OpenBSC
		W. for his extensive A-bis protocol traces and MA-10
		Netzing AG for funding my OpenBSC work
		Pablo for inviting me to this conference in Seville