More structure, spelling, clarification, images..

2016-12-27 11:45:46 +01:00 · 2016-12-27 11:45:46 +01:00 · 07e5c7d692
parent c91fea6d73
commit 07e5c7d692
6 changed files with 61 additions and 31 deletions
--- a/2016/33c3/.gitignore
+++ b/2016/33c3/.gitignore
@ -1,3 +1,4 @@
 *.sw?
 33c3-modems.html
 images/upgrade_process.png
+images/diag_frame.png
--- a/2016/33c3/33c3-modems.adoc
+++ b/2016/33c3/33c3-modems.adoc
@ -22,59 +22,66 @@ Dissecting modern (3G/4G) cellular modems
 // 9 years of Osmocom?
 // 3G and 4G development
 // Hardware for decoding
-* Implementing GSM specifications for the last decade (OpenMoko, Osmocom)
+* Implementing GSM specifications for the last decade
+* OpenMoko and then Osmocom
 * 7 years since OsmocomBB for GSM
 * In the past used and built devices using 2G modems
-* Started to build 3G/4G software, logs/traces help
+* Started to build 3G/4G software and logs/traces help
+* Build tools to help understanding cellular technology

 == History

 image:images/sl6087_hw.png[height=280,role="gimmick_right"]

 * OpenAT by Sierra Wireless
-* 2G and 3G were available
 * Write C code using OpenAT APIs
 * Dynamically loaded into the RTOS
 * Runs without privilege separation, MMU
 * Eclipse based IDE and plugins (in clojure)
+* Protocol to multiplex AT, log, debug
+* 2G and 3G modems were available
 * Discontinued HW platform => Locked in
-* Various limitations
+* Various other limitations

 == Device requirements

 * Get textual logging when handling messages
-* Get a copy of the radio network messages and export to GSMTAP
+* Get a copy of the radio network message and export to GSMTAP
 * Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
 * But for GPRS, 3G and 4G
-* Enabled by default and not to be removed
+* Enabled by default and not locked down in the future

-== DIAG protocol
+== Qualcomm DIAG protocol
+
+* Qualcomm DIAG in many products (DVB-H, GSM, ...)
+* https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[Presented] by Guillaume Delugre at 28C3
+* Simple HDLC frame (0x7e), cmd, data, CRC16
+
+* Thousands of different message structures
+* Events, Logging, Command/Response
+* ModemManager, gsm-parser consume only a small fraction
+
+image:images/diag_frame.png[width="90%"]

-* Qualcomm diag in many products (see Guillaume Delugres https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[talk] at 28C3)
-* HDLC frame, CRC16, simple framing (0x7e)
-* Command, Response, Events
-** Enable logging of subsystems
-** Enable events for subsystems
-** Trigger firmware upgrade
-** Read/Write RAM
-* ModemManager uses it for additional information
-* gsmparser of snoopsnitch to export to GSMTAP

 == Selecting a device

+image:images/28c3_option_stick.png[width="30%",role="gimmick_right"]
+
 * 3G Options Icon stick exposes DIAG out of the box
 * Quectel UC20 (2G+3G) enable it by default
 * Quectel EC20 (2G+3G+4G) enable it by default
 * 2G, 3G and 4G sounds quite nice
+* EC20 comes as mini-PCIe module as well


 == Quectel EC20

 image:images/ec20.png[height=200,role="gimmick_right"]

-* Using a Qualcomm MDM 9615 chipset
+* Uses a Qualcomm MDM 9615 chipset
 * Also used in the iPhone5
-* Surprisingly runs Linux
+* In our case surprisingly runs Linux
 * Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
 * Not a lot of documentation available

@ -88,7 +95,7 @@ image:images/ec20.png[height=200,role="gimmick_right"]
 == GPL compliance

 * Got a firmware upgrade to fix stability
-* Might contain traces of Linux?
+* Looks like it contains traces of Linux?
 * No written offer, let's see if it runs Linux
 * gpl-tools to unpack unyaffs
 * strings, etc., AT+QLINUXCMD=?
@ -97,7 +104,7 @@ image:images/ec20.png[height=200,role="gimmick_right"]

 == GPL compliance

-* Linux basis created by Qualcomm used by Quectel
+* Linux basis created by Qualcomm and used by Quectel
 * https://wiki.codeaurora.org/xwiki/bin/QLBEP/
 * Many branches, releases, which to use?

@ -252,9 +259,9 @@ image:images/gandroid_logo.png[height=200,role="gimmick_right"]
 image:images/redbend.png[height=76,role="gimmick_right"]

 * Based on the recovery.git code
-* But for some reason (legacy?) is using RedBend
-* RSA linked into the binary but not called
-* RedBend used by many more companies and systems (e.g. Quectel UC20)
+* But for some reason using RedBend for the update (legacy?)
+* RSA still linked into the binary but not used
+* RedBend used by many more companies and systems (e.g. Quectel UC20, automotive)


 == RedBend (delta update) software
@ -262,7 +269,8 @@ image:images/redbend.png[height=76,role="gimmick_right"]
 * Used in OMA DeviceManagement? (e.g. https://www.blackhat.com/docs/us-14/materials/us-14-Solnik-Cellular-Exploitation-On-A-Global-Scale-The-Rise-And-Fall-Of-The-Control-Protocol.pdf[Solnik])
 * Lots of starring at hexdumps, lots of help from Dieter Spaar
 * Binary file format to diff, inserts, remove, link files
-* Variable size Table Of Contents
+* Can update images/mtd partitions too
+* Variable sized LZMAed Table Of Contents
 ** Filenames separated with 0x00
 ** Permissions separated with 0xAF
 ** Sections for diff, inserts with crc32, filesize, permission
@ -296,10 +304,8 @@ Start download fota for update.zip

 image:images/upgrade_process.png[]

-
-== Firmware example
-
-* Show it?
+* Applies what ever was downloaded...
+* Assumes no MITM is possible


 == Recommedation
--- a/2016/33c3/Makefile
+++ b/2016/33c3/Makefile
@ -4,5 +4,8 @@ all: 33c3-modems.html
 images/upgrade_process.png: images/upgrade_process.blockdiag
 	blockdiag -a -o images/upgrade_process.png images/upgrade_process.blockdiag

-33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png
+images/diag_frame.png: images/diag_frame.blockdiag
+	blockdiag -a -o images/diag_frame.png images/diag_frame.blockdiag
+
+33c3-modems.html: 33c3-modems.adoc 33c3-modems.css images/upgrade_process.png images/diag_frame.png
 	 asciidoc -a stylesheet=$(PWD)/33c3-modems.css 33c3-modems.adoc
--- a/2016/33c3/images/28c3_option_stick.png
+++ b/2016/33c3/images/28c3_option_stick.png
--- a/2016/33c3/images/diag_frame.blockdiag
+++ b/2016/33c3/images/diag_frame.blockdiag
@ -0,0 +1,16 @@
+blockdiag {
+	node_height = 100;
+	span_width = 2;
+	default_fontsize = 16;
+
+	START [label="0x7E"];
+	CMD [label="CMD"];
+	DAT [label="Payload", width=300];
+	CRC [label="CRC16"];
+	END [label="0x7E"];
+
+	START -> CMD [style = none];
+	CMD -> DAT [style = none];
+	DAT -> CRC [style = none];
+	CRC -> END [style = none];
+}
--- a/2016/33c3/images/upgrade_process.blockdiag
+++ b/2016/33c3/images/upgrade_process.blockdiag
@ -1,12 +1,16 @@
 blockdiag {

 	node_width = 200;
+	default_group_color = none;

 	AT [label="atfwd_daemon"];
 	QC [label="QCMAP_ConnectionManager"];
 	WG [label="wget"];
 	RI [label="recovery image"];

-	AT -> QC;
-	AT -> WG -> RI;
+	AT -> QC [label="start"];
+	AT -> WG [label="start"];
+	AT -> RI [label="reboot"];
+
+	group { WG; RI };
 }