add slides for Stralsund talk tomorrow

2023/uni_stralsund-dect_hacks/dect-hacks.tex

@@ -0,0 +1,380 @@
+
+\newcommand{\degree}{\ensuremath{^\circ}}
+%\documentclass[handout]{beamer}
+\documentclass[aspectratio=169,11pt]{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice. 
+
+
+\mode<presentation>
+{
+  \usetheme{CambridgeUS}
+  \usecolortheme{whale}
+
+%\setbeamercolor{titlelike}{parent=palette primary,fg=black}
+\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
+% from beamercolorthemeorchid.sty to make it look more like warsaw
+\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
+\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
+\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
+
+\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
+\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
+
+
+
+  % or ...
+
+  %\setbeamercovered{transparent}
+  % or whatever (possibly just delete it)
+}
+
+\mode<handout>{
+	\usepackage{misc/handoutWithNotes}
+	\pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
+	\usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer 
+%\newcommand*\oldmacro{}
+%\let\oldmacro\insertshortauthor% save previous definition
+%\renewcommand*\insertshortauthor{%
+%  \leftskip=.3cm% before the author could be a plus1fill ...
+%  \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+
+\usepackage{subfigure}
+\usepackage{hyperref}
+\usepackage{textcomp,listings}
+%\usepackage{german}
+\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
+
+
+\title{Open Source DECT Hacks}
+\subtitle{A century after deDECTed, OsmocomDECT}
+\author{Harald~Welte}
+\institute{sysmocom GmbH / Osmocom project}
+\date[January 2023]{Hochschule Stralsund}
+
+
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+%   yourself) who are reading the slides online
+
+\subject{Having fun with DECT}
+% This is only inserted into the PDF information catalog. Can be left
+% out. 
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+%  \begin{frame}<beamer>{Outline}
+%    \tableofcontents[currentsection,currentsubsection]
+%  \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command: 
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+  \titlepage
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution: 
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+%   15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+%   are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+%   enough. Leave out details, even if it means being less precise than
+%   you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+%   just say so once. Everybody will be happy with that.
+
+%\include{part-introduction}
+
+
+%\part{Java SIM}
+
+\begin{frame}{Disclaimer}
+	\begin{itemize}
+		\item The real DECT hacking heroes are elsewhere. Not me.
+		\item I has tangentially involved in deDECTed and the Aastra RFP reverse engineering
+		\item but I forgot most of DECT specific knowledge by now, it's been too long
+		\item forgive me if I should mix things up with TETRA or GSM or other systems :(
+	\end{itemize}
+\end{frame}
+
+\section{Past DECT related FOSS}
+
+\begin{frame}{Existing DECT related FOSS work}
+\begin{description}
+	\item[deDECTed] old receiver/sniffer project with kismet, wireshark, com-on-air driver
+	\item[OsmocomDECT] project for a in-kernel (PHL/MAC/DLC layer) DECT stack for Linux + Asterisk port on top
+	\item[gr-dect2] SDR / gnuradio block for receiving unencrypted DECT audio
+	\item[Aastra RFP hacks] Partial wireshark dissector; partial RFP reversing; proxy for proprietary protocol between RFP and OMM
+	\item[Misc DECT Hacks] Various (early) toying wih DECT devices on \#osmocom IRC
+\end{description}
+\end{frame}
+
+\begin{frame}{deDECTed (2008)} 
+\begin{itemize}
+	\item Earliest known DECT security research project by hacker community
+	\item Erik Tews, Ralf-Philipp Weinmann and Andreas Schuler
+	\item Used specific PCMCIA DECT adapters (Dosch+Anand) available at the time
+	\item Loads sniffer firmware into DECT Instruction Processor inside Dialogic chip
+	\item kismet/wireshark and other tools
+	\item See \url{https://media.ccc.de/v/25c3-2937-en-dect}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT (2010-2013)}
+\begin{itemize}
+	\item Not security centric, but idea was to implement full DECT stack for a FOSS FP
+	\item Developed by Patrick McHardy (Linux kernel developer at that time)
+	\item Supported hardware was the same PCMCIA cards used in deDECTed
+	\item Kernel for PHL/MAC/DLC layer
+	\item Socket based interface to higher protocol layers in userspace
+	\item See \url{https://osmocom.org/projects/dect/wiki} and specifically \url{https://osmocom.org/attachments/4809}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Aastra/Mitel RFP hacking (2019)}
+\begin{itemize}
+	\item Aastra/Mitel has a professinal high-end DECT system
+	\item FP called {\em Remote Fixed Part (RFP)} attach via Ethernet/IP to central softswitch (OMM)
+	\item RFPs consist of Dialogic/Sitel SC14xxxx chip and a ARM/Linux SoC on a single board
+	\item interconnected via a Ethernet (!)
+	\item partially reversed internal Ethernet; created wireshark dissector
+	\item MITM on IP based protocol between RFP and OMM; rfp-proxy
+	\item Links:
+	\begin{itemize}
+		\item \url{https://media.ccc.de/v/osmodevcon2019-100-aastra-mitel-dect-base-station-dissection}
+		\item \url{https://media.ccc.de/v/36c3-10576-mifail_oder_mit_gigaset_ware_das_nicht_passiert}
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\section{2022 Osmocom {\em Misc DECT hacks} (2022)}
+
+\begin{frame}{2022 Osmocom {\em Misc DECT hacks}}
+\begin{itemize}
+	\item In Q4/2022 some folks (steve-m, manawyrm, tSYS) were interested in playing with DECT again
+	\item started with innocent replacement of ringtones on PP, see
+		\url{https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_C430_Hacking}
+	\item continued with a firmware patch for the decade-old annoying {\em Gigaset over-charges NiMH batteries and kills them} bug
+	\item plus some other bits and pieces...
+\end{itemize}
+\end{frame}
+
+\section{Gigaset Debug Adapter}
+
+\begin{frame}{Gigaset Debug Adapter}
+\begin{itemize}
+	\item Many Gigaset PP (like popular C430) have these two test pads in the battery compartment
+	\item Turns out: It's actually the UART of the Sitel/Dialogic DECT processor
+	\item Even better: You can boot the PP from UART
+	\item manawyrm + tSYS: Let's build an OSHW adapter for it!
+	\begin{itemize}
+		\item design files at \url{https://github.com/Manawyrm/Gigaset-Debug-Adapter}
+		\item parts kit available from \url{https://shop.sysmocom.de/Gigaset-Debug-Adapter-DIY-kit/gset-dbg-ad-kit}
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Gigaset Debug Adapter}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=99mm]{gigaset-adapter2.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{What to do with Gigaset Debug Adapter}
+\begin{itemize}
+	\item Replace your batteries with the Debug Adapter
+	\item Power is provided via USB
+	\item On-board CP2102N USB-UART connects to test pads via pogo pins
+	\item Talk to the Dialogic ROM-loader on the CR16C core, such as...
+	\begin{itemize}
+		\item using the brand-new {\em dialogic-sc14441-uart-boot}
+		\item using dialogic/gigaset tools
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{dialogic-sc14441-uart-boot}
+\begin{itemize}
+	\item Host software tool (python) to talk to target
+	\item Target firmware
+	\begin{itemize}
+		\item low-legel bring-up
+		\item drivers for UART and QSPI
+		\item code to read/erase/write flash, get Flash ID, ...
+	\end{itemize}
+	\item Links:
+	\begin{itemize}
+		\item Source code at \url{https://github.com/TobleMiner/dialog-cr16c-uart-boot}
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Gigaset Elements Base}
+
+\begin{frame}{Gigaset Elements Base}
+\parbox{.50\textwidth}{
+\begin{itemize}
+	\item This is a DECT ULE (IoT sensors) base station sold in Germany during the past few years
+	\item original/official use case is for some vendor-provide Cloud platform (boring, why would anyone ever do that?)
+	\item Internally it's a Dialogic/Sitel SC14452 SoC with RAM + FLASH + Ethernet
+	\item Ethernet makes it interesting (higher bandwidth than a UART of a PP)
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+	\includegraphics[width=60mm]{gigaset_base_pcba.jpg}
+}
+\end{frame}
+
+\begin{frame}{Gigaset Elements Base}
+\parbox{.50\textwidth}{
+\begin{itemize}
+	\item Original vendor software based around ucLinux
+	\item {\em complete and corresponding} source code provided under GPLv2
+	\begin{itemize}
+		\item not just source code to all FOSS components (bootloader, Linux, etc.)
+		\item {\em scripts to control compilation and installation}
+		\item even a full toolchain for cross-compilation to the cr16c target
+	\end{itemize}
+	\item Links:
+	\begin{itemize}
+		\item \url{https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base}
+	\end{itemize}
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+	\includegraphics[width=60mm]{base_tl_lowres_rgb.jpg}
+}
+\end{frame}
+
+\begin{frame}{Dialogic/Sitel CR16C JTAG}
+\parbox{.50\textwidth}{
+\begin{itemize}
+	\item SC14xxx chips don't have JTAG as we know it (TDI/TDO/TMS/TCK/TRST)
+	\item they have something they call {\em single-wire JTAG}, sometimes also NEXUS
+	\item not to be confused with SWD (found in modern ARM Cortex)
+	\item Specs for this single-wire JTAG nowhere to be found.
+	\item Proprietary hardware debuggers with related support rare
+	\item Coincidence: One RTX2041 showed up on eBay in Q4/2022
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+	\includegraphics[width=60mm]{rtx2041.png}
+}
+\end{frame}
+
+\begin{frame}{Dialogic/Sitel CR16C JTAG}
+\begin{itemize}
+	\item JTAG test pin found on bottom side of Gigaset Elements base (by tracing the pin from the SC14452)
+	\item RTX2041 off ebay works like a charm
+	\item sniffed the single-wire debug with logic analyzer
+	\item some people are interested in looking into reversing how JTAG is encapsulated over that single-wire
+\end{itemize}
+\end{frame}
+
+\section{Outlook}
+
+\begin{frame}{The DECT dream from the FOSS hacker PoV}
+\begin{itemize}
+	\item try to get sniffer functionality working on present-day hardware
+	\item See if one can resurrect existing OsmocomDECT code on present-day hardware
+	\begin{itemize}
+		\item Not sure if a kernel-based approach is the right way to go
+		\item ... We are doing GSM and LTE fully in userspace for many years now
+		\item Kernel development makes things just much more difficult
+	\end{itemize}
+	\item In terms of tools and information, we have more available today than we ever had before
+	\item Missing: People with deep technical interest {\bf and} time...
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Some words on hardware}
+\begin{itemize}
+	\item It seems there's really only two chipset families out there
+	\item The good old NatSemi/Dialogic/Sitel SC14xxx chip family
+	\begin{itemize}
+		\item old Dosch+Anand PCMCIA cards
+		\item many, if not all Gigaset PP/FP
+		\item SC14CVM modules available at Electronics distributors
+		\item a lot of leaked / reversed information over time
+		\item most recently bought by Renesas; Newest generation swaps CR16C for ARM.
+	\end{itemize}
+	\item The DSPgroup chips (e.g. DCX81)
+	\begin{itemize}
+		\item much less information known or leaked
+		\item found for example in a number of USB-DECT dongles for DECT headsets
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Announcement}
+I brought some goodies...
+\begin{itemize}
+	\item 3x Gigaset Elements Base
+	\item 3x Gigaset Debug Adapter kit
+\end{itemize}
+Let's see if anyone thinks the are interested enough to do something useful with them...
+\end{frame}
+
+\begin{frame}{The End}
+EOF
+\end{frame}
+
+\end{document}