add slides for Stralsund talk tomorrow
parent
ae35b7395c
commit
47b9dd1600
Binary file not shown.
After Width: | Height: | Size: 16 KiB |
Binary file not shown.
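--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE.tex
@@ -0,0 +1,380 @@
+\newcommand{\degree}{\ensuremath{^\circ}}
+%\documentclass[handout]{beamer}
+\documentclass[aspectratio=169,11pt]{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+\usetheme{CambridgeUS}
+\usecolortheme{whale}
+
+%\setbeamercolor{titlelike}{parent=palette primary,fg=black}
+\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
+% from beamercolorthemeorchid.sty to make it look more like warsaw
+\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
+\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
+\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
+
+\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
+\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
+
+
+
+% or ...
+
+%\setbeamercovered{transparent}
+% or whatever (possibly just delete it)
+}
+
+\mode<handout>{
+\usepackage{misc/handoutWithNotes}
+\pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
+\usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer
+%\newcommand*\oldmacro{}
+%\let\oldmacro\insertshortauthor% save previous definition
+%\renewcommand*\insertshortauthor{%
+% \leftskip=.3cm% before the author could be a plus1fill ...
+% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+
+\usepackage{subfigure}
+\usepackage{hyperref}
+\usepackage{textcomp,listings}
+%\usepackage{german}
+\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
+
+
+\title{Open Source DECT Hacks}
+\subtitle{A century after deDECTed, OsmocomDECT}
+\author{Harald~Welte}
+\institute{sysmocom GmbH / Osmocom project}
+\date[January 2023]{Hochschule Stralsund}
+
+
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Having fun with DECT}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+%\include{part-introduction}
+
+
+%\part{Java SIM}
+
+\begin{frame}{Disclaimer}
+\begin{itemize}
+\item The real DECT hacking heroes are elsewhere. Not me.
+\item I has tangentially involved in deDECTed and the Aastra RFP reverse engineering
+\item but I forgot most of DECT specific knowledge by now, it's been too long
+\item forgive me if I should mix things up with TETRA or GSM or other systems :(
+\end{itemize}
+\end{frame}
+
+\section{Past DECT related FOSS}
+
+\begin{frame}{Existing DECT related FOSS work}
+\begin{description}
+\item[deDECTed] old receiver/sniffer project with kismet, wireshark, com-on-air driver
+\item[OsmocomDECT] project for a in-kernel (PHL/MAC/DLC layer) DECT stack for Linux + Asterisk port on top
+\item[gr-dect2] SDR / gnuradio block for receiving unencrypted DECT audio
+\item[Aastra RFP hacks] Partial wireshark dissector; partial RFP reversing; proxy for proprietary protocol between RFP and OMM
+\item[Misc DECT Hacks] Various (early) toying wih DECT devices on \#osmocom IRC
+\end{description}
+\end{frame}
+
+\begin{frame}{deDECTed (2008)}
+\begin{itemize}
+\item Earliest known DECT security research project by hacker community
+\item Erik Tews, Ralf-Philipp Weinmann and Andreas Schuler
+\item Used specific PCMCIA DECT adapters (Dosch+Anand) available at the time
+\item Loads sniffer firmware into DECT Instruction Processor inside Dialogic chip
+\item kismet/wireshark and other tools
+\item See \url{https://media.ccc.de/v/25c3-2937-en-dect}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT (2010-2013)}
+\begin{itemize}
+\item Not security centric, but idea was to implement full DECT stack for a FOSS FP
+\item Developed by Patrick McHardy (Linux kernel developer at that time)
+\item Supported hardware was the same PCMCIA cards used in deDECTed
+\item Kernel for PHL/MAC/DLC layer
+\item Socket based interface to higher protocol layers in userspace
+\item See \url{https://osmocom.org/projects/dect/wiki} and specifically \url{https://osmocom.org/attachments/4809}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Aastra/Mitel RFP hacking (2019)}
+\begin{itemize}
+\item Aastra/Mitel has a professinal high-end DECT system
+\item FP called {\em Remote Fixed Part (RFP)} attach via Ethernet/IP to central softswitch (OMM)
+\item RFPs consist of Dialogic/Sitel SC14xxxx chip and a ARM/Linux SoC on a single board
+\item interconnected via a Ethernet (!)
+\item partially reversed internal Ethernet; created wireshark dissector
+\item MITM on IP based protocol between RFP and OMM; rfp-proxy
+\item Links:
+\begin{itemize}
+\item \url{https://media.ccc.de/v/osmodevcon2019-100-aastra-mitel-dect-base-station-dissection}
+\item \url{https://media.ccc.de/v/36c3-10576-mifail_oder_mit_gigaset_ware_das_nicht_passiert}
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\section{2022 Osmocom {\em Misc DECT hacks} (2022)}
+
+\begin{frame}{2022 Osmocom {\em Misc DECT hacks}}
+\begin{itemize}
+\item In Q4/2022 some folks (steve-m, manawyrm, tSYS) were interested in playing with DECT again
+\item started with innocent replacement of ringtones on PP, see
+\url{https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_C430_Hacking}
+\item continued with a firmware patch for the decade-old annoying {\em Gigaset over-charges NiMH batteries and kills them} bug
+\item plus some other bits and pieces...
+\end{itemize}
+\end{frame}
+
+\section{Gigaset Debug Adapter}
+
+\begin{frame}{Gigaset Debug Adapter}
+\begin{itemize}
+\item Many Gigaset PP (like popular C430) have these two test pads in the battery compartment
+\item Turns out: It's actually the UART of the Sitel/Dialogic DECT processor
+\item Even better: You can boot the PP from UART
+\item manawyrm + tSYS: Let's build an OSHW adapter for it!
+\begin{itemize}
+\item design files at \url{https://github.com/Manawyrm/Gigaset-Debug-Adapter}
+\item parts kit available from \url{https://shop.sysmocom.de/Gigaset-Debug-Adapter-DIY-kit/gset-dbg-ad-kit}
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Gigaset Debug Adapter}
+\begin{figure}[h]
+\centering
+\includegraphics[width=99mm]{gigaset-adapter2.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{What to do with Gigaset Debug Adapter}
+\begin{itemize}
+\item Replace your batteries with the Debug Adapter
+\item Power is provided via USB
+\item On-board CP2102N USB-UART connects to test pads via pogo pins
+\item Talk to the Dialogic ROM-loader on the CR16C core, such as...
+\begin{itemize}
+\item using the brand-new {\em dialogic-sc14441-uart-boot}
+\item using dialogic/gigaset tools
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{dialogic-sc14441-uart-boot}
+\begin{itemize}
+\item Host software tool (python) to talk to target
+\item Target firmware
+\begin{itemize}
+\item low-legel bring-up
+\item drivers for UART and QSPI
+\item code to read/erase/write flash, get Flash ID, ...
+\end{itemize}
+\item Links:
+\begin{itemize}
+\item Source code at \url{https://github.com/TobleMiner/dialog-cr16c-uart-boot}
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Gigaset Elements Base}
+
+\begin{frame}{Gigaset Elements Base}
+\parbox{.50\textwidth}{
+\begin{itemize}
+\item This is a DECT ULE (IoT sensors) base station sold in Germany during the past few years
+\item original/official use case is for some vendor-provide Cloud platform (boring, why would anyone ever do that?)
+\item Internally it's a Dialogic/Sitel SC14452 SoC with RAM + FLASH + Ethernet
+\item Ethernet makes it interesting (higher bandwidth than a UART of a PP)
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+\includegraphics[width=60mm]{gigaset_base_pcba.jpg}
+}
+\end{frame}
+
+\begin{frame}{Gigaset Elements Base}
+\parbox{.50\textwidth}{
+\begin{itemize}
+\item Original vendor software based around ucLinux
+\item {\em complete and corresponding} source code provided under GPLv2
+\begin{itemize}
+\item not just source code to all FOSS components (bootloader, Linux, etc.)
+\item {\em scripts to control compilation and installation}
+\item even a full toolchain for cross-compilation to the cr16c target
+\end{itemize}
+\item Links:
+\begin{itemize}
+\item \url{https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base}
+\end{itemize}
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+\includegraphics[width=60mm]{base_tl_lowres_rgb.jpg}
+}
+\end{frame}
+
+\begin{frame}{Dialogic/Sitel CR16C JTAG}
+\parbox{.50\textwidth}{
+\begin{itemize}
+\item SC14xxx chips don't have JTAG as we know it (TDI/TDO/TMS/TCK/TRST)
+\item they have something they call {\em single-wire JTAG}, sometimes also NEXUS
+\item not to be confused with SWD (found in modern ARM Cortex)
+\item Specs for this single-wire JTAG nowhere to be found.
+\item Proprietary hardware debuggers with related support rare
+\item Coincidence: One RTX2041 showed up on eBay in Q4/2022
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+\includegraphics[width=60mm]{rtx2041.png}
+}
+\end{frame}
+
+\begin{frame}{Dialogic/Sitel CR16C JTAG}
+\begin{itemize}
+\item JTAG test pin found on bottom side of Gigaset Elements base (by tracing the pin from the SC14452)
+\item RTX2041 off ebay works like a charm
+\item sniffed the single-wire debug with logic analyzer
+\item some people are interested in looking into reversing how JTAG is encapsulated over that single-wire
+\end{itemize}
+\end{frame}
+
+\section{Outlook}
+
+\begin{frame}{The DECT dream from the FOSS hacker PoV}
+\begin{itemize}
+\item try to get sniffer functionality working on present-day hardware
+\item See if one can resurrect existing OsmocomDECT code on present-day hardware
+\begin{itemize}
+\item Not sure if a kernel-based approach is the right way to go
+\item ... We are doing GSM and LTE fully in userspace for many years now
+\item Kernel development makes things just much more difficult
+\end{itemize}
+\item In terms of tools and information, we have more available today than we ever had before
+\item Missing: People with deep technical interest {\bf and} time...
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Some words on hardware}
+\begin{itemize}
+\item It seems there's really only two chipset families out there
+\item The good old NatSemi/Dialogic/Sitel SC14xxx chip family
+\begin{itemize}
+\item old Dosch+Anand PCMCIA cards
+\item many, if not all Gigaset PP/FP
+\item SC14CVM modules available at Electronics distributors
+\item a lot of leaked / reversed information over time
+\item most recently bought by Renesas; Newest generation swaps CR16C for ARM.
+\end{itemize}
+\item The DSPgroup chips (e.g. DCX81)
+\begin{itemize}
+\item much less information known or leaked
+\item found for example in a number of USB-DECT dongles for DECT headsets
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Announcement}
+I brought some goodies...
+\begin{itemize}
+\item 3x Gigaset Elements Base
+\item 3x Gigaset Debug Adapter kit
+\end{itemize}
+Let's see if anyone thinks the are interested enough to do something useful with them...
+\end{frame}
+
+\begin{frame}{The End}
+EOF
+\end{frame}
+
+\end{document}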
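Review bot: `\usepackage{hyperref}` is loaded before `\usepackage{textcomp,listings}` in the preamble; hyperref should be the last package loaded so its redefinitions apply to everything else, so move it below the `listings` line and consider `\usepackage[hidelinks]{hyperref}` to drop the default link boxes. The preamble also carries dead weight: `subfigure` is deprecated and nothing visible in this file uses it, `times` is obsolete (`newtxtext`/`newtxmath` is the current replacement), `\newcommand{\degree}` is defined before `\documentclass` and does not appear elsewhere in the file, and `[latin1]{inputenc}` should become `[utf8]` if the source is saved as UTF-8 (no non-ASCII characters are present, so it changes nothing today). In the body, `{\em ...}` and `{\bf and}` are the obsolete forms of `\emph{...}` and `\textbf{and}`, `\begin{figure}[h]` inside a frame cannot float (drop the environment, keep `\centering`), and `width=99mm`/`width=60mm` would scale with the slide as `width=0.7\linewidth`. Text slips a proofreader would catch: "I has tangentially involved" → "I was tangentially involved", "professinal", "low-legel", "wih", "vendor-provide", "thinks the are interested" → "thinks they are interested", and the section title `2022 Osmocom {\em Misc DECT hacks} (2022)` repeats the year.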
Binary file not shown.
After Width: | Height: | Size: 390 KiB |
Binary file not shown.
After Width: | Height: | Size: 955 KiB |
Binary file not shown.
After Width: | Height: | Size: 126 KiB |