33c3: more work on the slides, hopefully nearing completion

2016/33c3/33c3-modems.adoc

@@ -26,30 +26,38 @@ Dissecting modern (3G/4G) cellular modems
 * 8 years since _Anatomy of Smartphone Hardware_ at 25C3
 * 7 years since OsmocomBB for GSM
 * Used and built M2M devices using 2G modems at work
-* Started to build Osmocom 3G/4G software, logs/traces help
-* Build tools to help understanding cellular technology
+* so we're looking for a modem that can be used for
+** our next-generation M2M/embedded devices
+** testing/logging/tracing Osmocom 3G/4G network-side software
+** building more tools to help understanding cellular technology
 
-== History
+== Cellular Modems in M2M
 
-image:images/sl6087_hw.png[height=280,role="gimmick_right"]
+image:images/sl6087_hw.png[height=300,role="gimmick_right"]
 
-* OpenAT by Sierra Wireless
-* Write C code using OpenAT APIs
-* Dynamically loaded into the RTOS
-* Runs without privilege separation, MMU
-* Eclipse based IDE and plugins (in clojure)
-* Protocol to multiplex AT, log, debug
-* 2G and 3G modems were available
-* Discontinued HW platform => Locked in
-* Various other limitations
+* Assume you want to build a M2M device
+* Classic approach to M2M/Embedded cellular:
+** Cellular modem with AT commands over Serial/USB
+** Main Processor runs M2M application
+* if you run Application in Modem, you can save PCB space, power and BOM cost
+** OpenAT by Sierra Wireless
+*** Write C code using OpenAT APIs
+*** Dynamically loaded into the RTOS
+*** Runs without privilege separation, MMU
+*** Protocol to multiplex AT, log, debug
+*** Discontinued HW platform => Locked in
+*** Various other limitations
 
 == Device requirements
 
-* Get textual logging when handling messages
-* Get a copy of the radio network message and export to GSMTAP
-* Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
-* But for GPRS, 3G and 4G
-* Enabled by default and not locked down in the future
+Our requirements for a good modem
+
+** Ability to run application code inside modem
+** Avoid modem supplier vendor lock-in (EOL, ...)
+** Get textual logging when handling messages
+** Get a copy of the radio network messages and export to GSMTAP
+*** Like Tobias Engels https://github.com/2b-as/xgoldmon[x-goldmon]
+*** But for all GPRS, EGPRS, UMTS and LTE messages
 
 == Qualcomm DIAG protocol
 
@@ -67,22 +75,20 @@ image:images/diag_frame.png[width="90%"]
 
 image:images/28c3_option_stick.png[width="30%",role="gimmick_right"]
 
-* 3G Options Icon stick exposes DIAG out of the box
-* Quectel UC20 (2G+3G) enable it by default
-* Quectel EC20 (2G+3G+4G) enable it by default
-* 2G, 3G and 4G sounds quite nice
-* EC20 comes as mini-PCIe module as well
+* Old Option Icon 225 stick exposes DIAG out of the box
+* Quectel UC20 (2G+3G) expose DIAG by default
+** but no LTE support
+* Quectel EC20 (2G+3G+4G) expose DIAG by default
+** 2G, 3G and 4G sounds quite nice
+** EC20 not only a LGA solder module but also as mini-PCIe
+*** convenient for early testing / prototyping without custom board
 
+image:images/ec20.png[height=300,role="gimmick_right"]
 
-== Quectel EC20
-
-image:images/ec20.png[height=200,role="gimmick_right"]
-
-* Using a Qualcomm MDM9615 chipset
+* EC20 using a Qualcomm MDM9615 chipset
 ** Also used in the iPhone5
-* Surprisingly runs Linux
-* Not surprising to people familiar with MDM9615 (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov])
-* Almost no documentation available
+** Almost no documentation on MDM9615 available
+** Still, a good candidate for starting our research...
 
 // Erst ein mal EC20 und sagen wieso es interessant ist
 // und dann, dass es Linux hat.. um dann ein Block diagram
@@ -91,21 +97,32 @@ image:images/ec20.png[height=200,role="gimmick_right"]
 [role="change_topic"]
 == An unexpected surprise
 
+== Firmware update, hints of Linux
+
+* Got a firmware upgrade to fix stability / bugs
+* Looks like it contains traces of Linux?
+* Looks like it uses fastboot for the update
+* Other people have already found Linux in MDM9615 based products (e.g https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf[Mickey Shkatov] at DEFCON 23)
+* But why would there be Linux inside a Modem?
+** Qualcomm is known for their REX/AMSS on Hexagon baseband ?!?
+* And if it contains Linux, GPL requires them to mention that, include
+  License text and provide source code ?!?
+
 == GPL compliance
 
-* Got a firmware upgrade to fix stability
-* Looks like it contains traces of Linux?
 * No written offer, let's see if it runs Linux
 * Armijn Hemels `gpltool.git` has `unyaffs` to unpack yaffs
-* strings, etc., `AT+QLINUXCMD=?`
-* The fun and exploration begins
-
+* `strings`, etc. clearly reveal Linux, glibc, busyox
+** other intresting strings like `AT+QLINUXCMD=?` show up
+* The fun and exploration begins...
+** technical analysis (serial console, firmware reversing, ...)
+** legal enforcement to get source code of GPL/LGPL components (Harald is founder of http://gpl-violations.org[gpl-violations.org])
 
 == GPL compliance
 
 * Linux basis created by Qualcomm and used by Quectel
-* https://wiki.codeaurora.org/xwiki/bin/QLBEP/
-* Many branches, releases, which to use?
+** https://wiki.codeaurora.org/xwiki/bin/QLBEP/
+** Many branches, releases, which to use?
 
 [quote, Tonino Perazzi]
 I tried instruction above to build yaffs2 for MDM9615, so I downloaded source `M9615AAAARNLZA1611161.xml` but during compilation I faced some libs that are missing such as libQMI and acdb-loader..
@@ -116,33 +133,30 @@ image:images/qualcom_many_releases.png[width="80%"]
 
 [qanda]
 Asking for the complete and corresponding source::
-	Receiving source for the flash tool
-
-== GPL compliance
-
-[qanda]
-Asking for the complete and corresponding source::
-	We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
-
+[quote,Quectel]
+** The source code of Qflash tool in Linux is attached, [...]
+[qanda]
+Asking again for the complete and corresponding source::
+[quote,Quectel]
+We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
+
+image:images/quectel_ipr.jpg[width="100%"]
 
 == GPL compliance
 
 [qanda]
 Asking for the complete and corresponding source::
+[quote,Quectel]
 	We appreciate the efforts that your client had put into the open source
-project netfilter/iptable. However, We have some doubts about the alleged
-copyright. From our perspective, your client does not have the right to
-empower the copyright. We think software netfilter/iptable is built on
-the code operating system GUN/Linux, thus subject to GPL terms, where FSF
+project netfilter/_iptable_. However, [...] *your client does not have the right to
+empower the copyright*. We think software netfilter/iptable is built on
+the code operating system _GUN_/Linux, thus subject to GPL terms, where FSF
 requires that each author of code incorporated in FSF projects either
-provide copyright assignment to FSF or disclaim copyright (“we should keep
-the copyright status of the program as simple as possible. We do this by
-asking each contributor to either assign the copyright on his contribution
-to the FSF, or disclaim copyright on it and thus put it in the public
-domain”). Therefore, It seems that your client does not have the copyright
-on netfilter/iptable.
-As one of the leading providers of wireless solution, Quectel is always
-respectful IPR. We would like to compliant with GPL and do some necessary
+provide copyright assignment to FSF or disclaim copyright. Therefore,
+It seems that *your client does not have the copyright on netfilter/iptable.* +
+ +
+As one of the leading providers of wireless solution, *Quectel is always
+respectful IPR*. We would like to compliant with GPL and do some necessary
 statements，including a disclaimer or appropriate notices. Under the terms
 of GPL, we would like to dedicate Kernel code of EC25x to free software
 community.
@@ -151,39 +165,45 @@ community.
 
 [qanda]
 Asking for the complete and corresponding source::
+[quote,Quectel]
 	Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step.
 
-== GPL compliance
-
 [qanda]
 Asking for the complete and corresponding source::
+[quote,Quectel]
 	We are always willing to achieve GPL compliance.
 
-== GPL compliance
-
 [qanda]
 Asking for the complete and corresponding source::
-	To be frank, we have no experience over Open Source things before. So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
+[quote,Quectel]
+	So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
 
 == GPL compliance
 
 [qanda]
 Your tarball is missing some files::
- 	We have issued all GPL licensed source code.
- We have no the xt_dscp file in the project, and nor Qulacomm. It must be
- caused by your compilation environment.
- If you have more question or problem during the development with Quectel
- module, please add my Skype ID (XXXXX), I will continue to support you
- on Skype.
- The email will not discuss the compiling issue any more.''
+[quote,Quectel]
+We have issued all GPL licensed source code.
+*We have no the xt_dscp file in the project, and nor Qulacomm*. It must be
+caused by your compilation environment.
+If you have more question or problem during the development with Quectel
+module, please add my Skype ID (XXXXX), I will continue to support you
+on Skype. +
+*The email will not discuss the compiling issue any more.*
 
 
 
 == GPL compliance
 
 * ... many months later
-* License compliance still not achieved
+** we have received various source tarballs
+** they contain not only GPL/LGPL code but other FOSS code (thanks!)
+** full license compliance still not achieved, but improving...
 * Sierra Wireless Legato is a positive example of a competitor
+** they not only provide the OE/Linux source but extensive
+documentation!
+** but they try to lure customers into a proprietary Legato framework,
+and thus again vendor-lock-in :(
 
 image:images/legato_flash.png[width="80%"]
 
@@ -301,8 +321,8 @@ We found a bunch of proprietary Linux userspace programs
 |`atfwd_daemon`|Implement Quectel-Specific AT Commands
 |`quectel_daemon`|?; various ASoC related bits
 |`qti`|?
-|`mbim`|Mobile Broadband IF Model (tranlates MBIM to QMI)
-|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router wit LTE backhaup
+|`mbim`|Mobile Broadband IF Model (translates MBIM to QMI)
+|`QCMAP_ConnectionManager`|runs linux-base WiFi AP/router with LTE backhaup
 |`quec_bridge`|reads GPS NMEA from `/dev/nmea` and writes it to `/dev/ttyGS0`
 |===
 
@@ -405,21 +425,32 @@ Start download fota for update.zip
 * Add status and reboot to recovery
 * Apply update.zip and reboot
 
-== Recommedation
+== Recommedation to modem vendors
 
-* Please keep it open, good for learning
+* It is great to have an open and accessible Qualcomm based modem for
+  further research and developing custom applicatins/extensions
+* Security issues (particularly unverified FOTA) must be fixed
+* We need security from attackers _without locking out the user/owner_
+** If vendors introduce verified boot and/or FOTA, allow owner specified keys!
+* Please keep it open, good for learning and many applications
 * Allow owners to modify the software of their device
 * Secure the FOTA upgrading with owner specified keys
 
+== Unrelated Announcement
+
+* Osmocom project has gained support for 3G/3.5G during 2016
+* Osmocom suffers from lack of contributions :(
+* We want to motivate more contriutions
+** _Accelerate 3.5G_ programme provides 50 free 3.5 femtocells to contributors
+** tell us how you would use your free femtocell to improve Osmocom
+** Call for Proposals runs until January 31st, 2017.
+** FIXME: link to wiki page
 
 == Questions
 
 * Questions?
 
 
-== Announcement
-
-* 3G femtocells for Osmocom/OpenBSC development
 
 == Links