diff --git a/2023/uni_stralsund-dect_hacks/base_tl_lowres_rgb.jpg b/2023/uni_stralsund-dect_hacks/base_tl_lowres_rgb.jpg
new file mode 100644
index 0000000..176e27d
Binary files /dev/null and b/2023/uni_stralsund-dect_hacks/base_tl_lowres_rgb.jpg differ
diff --git a/2023/uni_stralsund-dect_hacks/dect-hacks.pdf b/2023/uni_stralsund-dect_hacks/dect-hacks.pdf
new file mode 100644
index 0000000..803d6c4
Binary files /dev/null and b/2023/uni_stralsund-dect_hacks/dect-hacks.pdf differ
diff --git a/2023/uni_stralsund-dect_hacks/dect-hacks.tex b/2023/uni_stralsund-dect_hacks/dect-hacks.tex
new file mode 100644
index 0000000..b424308
--- /dev/null
+++ b/2023/uni_stralsund-dect_hacks/dect-hacks.tex
@@ -0,0 +1,380 @@
+
+\newcommand{\degree}{\ensuremath{^\circ}}
+%\documentclass[handout]{beamer}
+\documentclass[aspectratio=169,11pt]{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{CambridgeUS}
+ \usecolortheme{whale}
+
+%\setbeamercolor{titlelike}{parent=palette primary,fg=black}
+\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
+% from beamercolorthemeorchid.sty to make it look more like warsaw
+\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
+\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
+\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
+
+\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
+\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
+
+
+
+ % or ...
+
+ %\setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+\mode{
+ \usepackage{misc/handoutWithNotes}
+ \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
+ \usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer
+%\newcommand*\oldmacro{}
+%\let\oldmacro\insertshortauthor% save previous definition
+%\renewcommand*\insertshortauthor{%
+% \leftskip=.3cm% before the author could be a plus1fill ...
+% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+
+\usepackage{subfigure}
+\usepackage{hyperref}
+\usepackage{textcomp,listings}
+%\usepackage{german}
+\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
+
+
+\title{Open Source DECT Hacks}
+\subtitle{A century after deDECTed, OsmocomDECT}
+\author{Harald~Welte}
+\institute{sysmocom GmbH / Osmocom project}
+\date[January 2023]{Hochschule Stralsund}
+
+
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Having fun with DECT}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+%\include{part-introduction}
+
+
+%\part{Java SIM}
+
+\begin{frame}{Disclaimer}
+ \begin{itemize}
+ \item The real DECT hacking heroes are elsewhere. Not me.
+ \item I has tangentially involved in deDECTed and the Aastra RFP reverse engineering + \item but I forgot most of DECT specific knowledge by now, it's been too long + \item forgive me if I should mix things up with TETRA or GSM or other systems :( + \end{itemize} +\end{frame} + +\section{Past DECT related FOSS} + +\begin{frame}{Existing DECT related FOSS work} +\begin{description} + \item[deDECTed] old receiver/sniffer project with kismet, wireshark, com-on-air driver + \item[OsmocomDECT] project for a in-kernel (PHL/MAC/DLC layer) DECT stack for Linux + Asterisk port on top + \item[gr-dect2] SDR / gnuradio block for receiving unencrypted DECT audio + \item[Aastra RFP hacks] Partial wireshark dissector; partial RFP reversing; proxy for proprietary protocol between RFP and OMM + \item[Misc DECT Hacks] Various (early) toying wih DECT devices on \#osmocom IRC +\end{description} +\end{frame} + +\begin{frame}{deDECTed (2008)} +\begin{itemize} + \item Earliest known DECT security research project by hacker community + \item Erik Tews, Ralf-Philipp Weinmann and Andreas Schuler + \item Used specific PCMCIA DECT adapters (Dosch+Anand) available at the time + \item Loads sniffer firmware into DECT Instruction Processor inside Dialogic chip + \item kismet/wireshark and other tools + \item See \url{https://media.ccc.de/v/25c3-2937-en-dect} +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomDECT (2010-2013)} +\begin{itemize} + \item Not security centric, but idea was to implement full DECT stack for a FOSS FP + \item Developed by Patrick McHardy (Linux kernel developer at that time) + \item Supported hardware was the same PCMCIA cards used in deDECTed + \item Kernel for PHL/MAC/DLC layer + \item Socket based interface to higher protocol layers in userspace + \item See \url{https://osmocom.org/projects/dect/wiki} and specifically \url{https://osmocom.org/attachments/4809} +\end{itemize} +\end{frame} + +\begin{frame}{Aastra/Mitel RFP hacking (2019)} +\begin{itemize} + \item 
Aastra/Mitel has a professinal high-end DECT system + \item FP called {\em Remote Fixed Part (RFP)} attach via Ethernet/IP to central softswitch (OMM) + \item RFPs consist of Dialogic/Sitel SC14xxxx chip and a ARM/Linux SoC on a single board + \item interconnected via a Ethernet (!) + \item partially reversed internal Ethernet; created wireshark dissector + \item MITM on IP based protocol between RFP and OMM; rfp-proxy + \item Links: + \begin{itemize} + \item \url{https://media.ccc.de/v/osmodevcon2019-100-aastra-mitel-dect-base-station-dissection} + \item \url{https://media.ccc.de/v/36c3-10576-mifail_oder_mit_gigaset_ware_das_nicht_passiert} + \end{itemize} +\end{itemize} +\end{frame} + + +\section{2022 Osmocom {\em Misc DECT hacks} (2022)} + +\begin{frame}{2022 Osmocom {\em Misc DECT hacks}} +\begin{itemize} + \item In Q4/2022 some folks (steve-m, manawyrm, tSYS) were interested in playing with DECT again + \item started with innocent replacement of ringtones on PP, see + \url{https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_C430_Hacking} + \item continued with a firmware patch for the decade-old annoying {\em Gigaset over-charges NiMH batteries and kills them} bug + \item plus some other bits and pieces... +\end{itemize} +\end{frame} + +\section{Gigaset Debug Adapter} + +\begin{frame}{Gigaset Debug Adapter} +\begin{itemize} + \item Many Gigaset PP (like popular C430) have these two test pads in the battery compartment + \item Turns out: It's actually the UART of the Sitel/Dialogic DECT processor + \item Even better: You can boot the PP from UART + \item manawyrm + tSYS: Let's build an OSHW adapter for it! 
+ \begin{itemize}
+ \item design files at \url{https://github.com/Manawyrm/Gigaset-Debug-Adapter}
+ \item parts kit available from \url{https://shop.sysmocom.de/Gigaset-Debug-Adapter-DIY-kit/gset-dbg-ad-kit}
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Gigaset Debug Adapter}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=99mm]{gigaset-adapter2.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{What to do with Gigaset Debug Adapter}
+\begin{itemize}
+ \item Replace your batteries with the Debug Adapter
+ \item Power is provided via USB
+ \item On-board CP2102N USB-UART connects to test pads via pogo pins
+ \item Talk to the Dialogic ROM-loader on the CR16C core, such as...
+ \begin{itemize}
+ \item using the brand-new {\em dialogic-sc14441-uart-boot}
+ \item using dialogic/gigaset tools
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{dialogic-sc14441-uart-boot}
+\begin{itemize}
+ \item Host software tool (python) to talk to target
+ \item Target firmware
+ \begin{itemize}
+ \item low-legel bring-up
+ \item drivers for UART and QSPI
+ \item code to read/erase/write flash, get Flash ID, ...
+ \end{itemize}
+ \item Links:
+ \begin{itemize}
+ \item Source code at \url{https://github.com/TobleMiner/dialog-cr16c-uart-boot}
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Gigaset Elements Base}
+
+\begin{frame}{Gigaset Elements Base}
+\parbox{.50\textwidth}{
+\begin{itemize}
+ \item This is a DECT ULE (IoT sensors) base station sold in Germany during the past few years
+ \item original/official use case is for some vendor-provide Cloud platform (boring, why would anyone ever do that?)
+ \item Internally it's a Dialogic/Sitel SC14452 SoC with RAM + FLASH + Ethernet + \item Ethernet makes it interesting (higher bandwidth than a UART of a PP) +\end{itemize} +}\hfill\parbox{.45\textwidth}{ + \includegraphics[width=60mm]{gigaset_base_pcba.jpg} +} +\end{frame} + +\begin{frame}{Gigaset Elements Base} +\parbox{.50\textwidth}{ +\begin{itemize} + \item Original vendor software based around ucLinux + \item {\em complete and corresponding} source code provided under GPLv2 + \begin{itemize} + \item not just source code to all FOSS components (bootloader, Linux, etc.) + \item {\em scripts to control compilation and installation} + \item even a full toolchain for cross-compilation to the cr16c target + \end{itemize} + \item Links: + \begin{itemize} + \item \url{https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base} + \end{itemize} +\end{itemize} +}\hfill\parbox{.45\textwidth}{ + \includegraphics[width=60mm]{base_tl_lowres_rgb.jpg} +} +\end{frame} + +\begin{frame}{Dialogic/Sitel CR16C JTAG} +\parbox{.50\textwidth}{ +\begin{itemize} + \item SC14xxx chips don't have JTAG as we know it (TDI/TDO/TMS/TCK/TRST) + \item they have something they call {\em single-wire JTAG}, sometimes also NEXUS + \item not to be confused with SWD (found in modern ARM Cortex) + \item Specs for this single-wire JTAG nowhere to be found. 
+ \item Proprietary hardware debuggers with related support rare
+ \item Coincidence: One RTX2041 showed up on eBay in Q4/2022
+\end{itemize}
+}\hfill\parbox{.45\textwidth}{
+ \includegraphics[width=60mm]{rtx2041.png}
+}
+\end{frame}
+
+\begin{frame}{Dialogic/Sitel CR16C JTAG}
+\begin{itemize}
+ \item JTAG test pin found on bottom side of Gigaset Elements base (by tracing the pin from the SC14452)
+ \item RTX2041 off ebay works like a charm
+ \item sniffed the single-wire debug with logic analyzer
+ \item some people are interested in looking into reversing how JTAG is encapsulated over that single-wire
+\end{itemize}
+\end{frame}
+
+\section{Outlook}
+
+\begin{frame}{The DECT dream from the FOSS hacker PoV}
+\begin{itemize}
+ \item try to get sniffer functionality working on present-day hardware
+ \item See if one can resurrect existing OsmocomDECT code on present-day hardware
+ \begin{itemize}
+ \item Not sure if a kernel-based approach is the right way to go
+ \item ... We are doing GSM and LTE fully in userspace for many years now
+ \item Kernel development makes things just much more difficult
+ \end{itemize}
+ \item In terms of tools and information, we have more available today than we ever had before
+ \item Missing: People with deep technical interest {\bf and} time...
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Some words on hardware}
+\begin{itemize}
+ \item It seems there's really only two chipset families out there
+ \item The good old NatSemi/Dialogic/Sitel SC14xxx chip family
+ \begin{itemize}
+ \item old Dosch+Anand PCMCIA cards
+ \item many, if not all Gigaset PP/FP
+ \item SC14CVM modules available at Electronics distributors
+ \item a lot of leaked / reversed information over time
+ \item most recently bought by Renesas; Newest generation swaps CR16C for ARM.
+ \end{itemize}
+ \item The DSPgroup chips (e.g.
DCX81)
+ \begin{itemize}
+ \item much less information known or leaked
+ \item found for example in a number of USB-DECT dongles for DECT headsets
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Announcement}
+I brought some goodies...
+\begin{itemize}
+ \item 3x Gigaset Elements Base
+ \item 3x Gigaset Debug Adapter kit
+\end{itemize}
+Let's see if anyone thinks the are interested enough to do something useful with them...
+\end{frame}
+
+\begin{frame}{The End}
+EOF
+\end{frame}
+
+\end{document}
diff --git a/2023/uni_stralsund-dect_hacks/gigaset-adapter2.jpg b/2023/uni_stralsund-dect_hacks/gigaset-adapter2.jpg
new file mode 100644
index 0000000..38530af
Binary files /dev/null and b/2023/uni_stralsund-dect_hacks/gigaset-adapter2.jpg differ
diff --git a/2023/uni_stralsund-dect_hacks/gigaset_base_pcba.jpg b/2023/uni_stralsund-dect_hacks/gigaset_base_pcba.jpg
new file mode 100644
index 0000000..93397ee
Binary files /dev/null and b/2023/uni_stralsund-dect_hacks/gigaset_base_pcba.jpg differ
diff --git a/2023/uni_stralsund-dect_hacks/rtx2041.png b/2023/uni_stralsund-dect_hacks/rtx2041.png
new file mode 100644
index 0000000..8bd3305
Binary files /dev/null and b/2023/uni_stralsund-dect_hacks/rtx2041.png differ
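Review bot: The slide text in this hunk carries several typos that will be typeset verbatim: `\item I has tangentially involved in deDECTed` on the Disclaimer frame should read `\item I was tangentially involved in deDECTed`, and `professinal`, `low-legel`, `toying wih`, `vendor-provide` and `anyone thinks the are interested` need `professional`, `low-level`, `toying with`, `vendor-provided` and `anyone thinks they are interested`, while `\section{2022 Osmocom {\em Misc DECT hacks} (2022)}` repeats the year. The preamble selects `\usepackage[latin1]{inputenc}`; every visible character is ASCII so it is harmless now, but any non-ASCII text added later (German names, a literal degree sign next to the `\degree` macro) will be mis-decoded unless the file is genuinely saved as Latin-1, so `\usepackage[utf8]{inputenc}` is the safer declaration. The `\mode` and `\mode{` lines appear without their `<presentation>` / `<handout>` selectors and the copyright line without its e-mail address, which looks like angle-bracket stripping in this rendering rather than in the committed file, but is worth confirming because a bare `\mode` followed by `{` would likely not compile. `\usepackage{subfigure}` is deprecated and no frame in the hunk uses it, so it can be dropped (or replaced by `subcaption` if subfigures are added).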