laforge-slides/2009/foss-mobile_world-seville2009/foss-mobile_world.mgp


%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Free and Open Source Software
in the
Mobile World
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
netfilter.org / openmoko.org / openpcd.org
gpl-violations.org / openezx.org / gnufiish.org
berlin.ccc.de / openBSC.gnumonks.org
deDECTed.org / hmw-consulting.de / viatech.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Introduction
Who is speaking to you?
an independent Free Software developer, consultant and trainer
15 years experience using/deploying and developing for Linux on server and workstation
12 years professional experience doing Linux system + kernel level development
strong focus on network security and embedded
expert in Free and Open Source Software (FOSS) copyright and licensing
digital board-level hardware design, esp. embedded systems
active developer and contributor to many FOSS projects
thus, a techie, who will therefore not have fancy animated slides ;)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Why?
Why?
For the same reason you have FOSS in other areas
You can run a 100% FOSS Personal Computer / Laptop
The majority of all consumer electronics network gear runs Linux
DSL-Router, WiFi Access Point, Network Attached Storage
To enable people to exercise the core freedoms
to study and understand the software
to share the software with others
to modify, and run + share modified versions
Because the mobile world is 100% proprietary and anti-competitive
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World
Compare the Mobile world with the PC world
In the PC world
you buy some more or less standardized hardware
you have the freedom to install whatever OS on it
you have the freedom to install whatever Apps on it
you can run it 100% based on FOSS and get the freedoms
you connect to communications networks with (dsl-)modem
the network protocol stack (TCP/IP, WiFi, ISDN) runs on the PC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World
Compare the Mobile world with the PC world
In the Mobile world
you buy some product (mobile phone)
the product ships with pre-installed OS and Apps
the manufacturer does everything to prevent you from installing an OS of your choice
there is no single product/solution based on 100% FOSS
the network protocol stack (GSM/GPRS/UMTS) runs in proprietary firmware
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World
It gets even worse....
The phone maker and/or operator have remote control over
reading/writing entries of your phonebook
making your phone send SMS
making your phone place phone calls
update/change the software over the air (FOTA)
preventing you from using the bluetooth/USB interface the way you want
transfer ringtones, make backups, tethering
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World
So the end result
You buy a product for _a lot_ of money...
... but you don't _own_ the product. The manufacturer or operator does
So why should you pay money?
If it is yours, you decide what it does or doesn't do.
If the operators want to own the phone, they should rent it to you, not sell it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
How can we free the phone
We can free the mobile phone world by:
building more open hardware
hard, since most chips/components are very FOSS unfriendly
developing FOSS based OS/middleware/applications
easily possible, but hard without open hardware
developing a FOSS GSM protocol stack
extremely hard, tight NDAs and business conduct basically prevent anyone from entering the market
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
How can we free the phone
FOSS for mobile phones
HTC-Linux / xda-developers project
reverse-engineering of HTC smartphones
OpenEZX.org
reverse-engineering Motorola EZX and MAGX phones
gnufiish.org
reverse-engineering E-TEN glofiish phones
openmoko.org
designing and building open, FOSS-friendly phones
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Reverse Engineering
Reverse Engineering projects
are always late
they start after the product ships
is getting harder and harder
many new System-on-a-Chip have docs under NDA
frequent use of FPGA or CPLD or custom ASIC
cryptographic signatures in boot loader
very rarely have a big impact
the software might be complete when hardware is end-of-life
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Reverse Engineering
How to find such a Linux-friendly device?
Look at hardware details of available devices
Use Google to find out what hardware they use
Use FCC database to get PCB photographs
Look at WM firmware images (registry/...)
At some point you buy one and take it apart
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Linux-friendly hardware
I went through this process
I found the E-TEN glofiish devices
They are very similar to Openmoko
Samsung S3C2442 SoC MCP with NAND+SDRAM
TD028TTEC1 full-VGA LCM
Other hardware parts reasonably supported/known
Marvell 8686/libertas WiFi (SPI attached)
SiRF GPS (UART attached)
CSR Bluetooth (UART attached)
Only some unknown parts
CPLD for power management and kbd matrix
Ericsson GSM Modem (AT commandset documented!)
Cameras (I don't really care)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Project gnufiish
Project 'gnufiish'
Port Linux to the E-TEN glofiish devices
Initially to the M800 and X800
Almost all glofiish have very similar hardware
Openmoko merges all my patches in their kernel!
Official inclusion to Openmoko distribution
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Project gnufiish
gnufiish Status
Kernel (2.6.24/2.6.27) booted on _first attempt_
Working
I2C host controller
I2C communication to CPLD and FM Radio
USB Device mode (Ethernet gadget)
Touchscreen input
LCM Framebuffer
LCM Backlight control
GPS and Bluetooth power control
GPIO buttons
In the works
Audio Codec driver (50% done)
GSM Modem (SPI) driver (80% done)
M800 Keyboard + Capsense driver (25% done)
SPI glue to libertas WiFi driver (70% done)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
HOWTO
How was this done?
Various reverse engineering techniques
Take actual board apart, note major components
Use HaRET (hardware reverse engineering tool)
Find + use JTAG testpads
Find + use serial console
Disassemble WinMobile drivers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart
Opening the case and voiding your warranty
%image "x800_backside_nobat_nocover.jpg"
Note the convenient test pads beneath the battery
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart
Opening the case
%image "x800_opening_the_case.jpg" 800x600
If you have a bit of experience in taking apart devices, you can do that without any damage...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart
The Mainboard with all its shielding covers
%image "x800_mainboard_with_shielding.jpg" 800x600
Obviously, the shielding needs to go
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart
The application processor section
%image "x800_application_processor.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart
The HSDPA modem section
%image "x800_hsdpa_modem.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart
The backside
%image "x800_backside_with_lcm.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins
Find + use JTAG testpads
JTAG is basically a long shift register
Input, Output, Clock (TDI, TDO, TCK)
Therefore, you can try to shift data in and check if/where it comes out
Automated JTAG search by the project "jtagfinder" by Hunz (German CCC member)
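The shift-register argument above, as an added example that is not code from jtagfinder or from these slides: a toy simulation of a board with a handful of test pads, and a search that drives every ordered pad pair as (TCK, TDI) and looks for the shifted-in pattern reappearing on some other pad after a delay equal to the chain length. The SimulatedBoard class and find_jtag function are assumptions of this example; a real TAP only shifts in the Shift-DR/Shift-IR states and updates TDO on the falling TCK edge, which the model leaves out.

```python
# Added example: simulated JTAG pin search (not jtagfinder's own code).
from itertools import permutations


class SimulatedBoard:
    """Constructed stand-in for a board with n_pads test pads, three of which
    are TCK, TDI and TDO of a chain_len-bit shift register. All other pads
    are idle and read as 0."""

    def __init__(self, n_pads, tck, tdi, tdo, chain_len):
        self.n_pads, self.tck, self.tdi, self.tdo = n_pads, tck, tdi, tdo
        self.chain = [0] * chain_len   # chain[0] sits next to TDI, chain[-1] drives TDO
        self.levels = [0] * n_pads

    def drive(self, pad, value):
        """Set a pad level; a rising edge on the real TCK shifts the chain."""
        if pad == self.tck and self.levels[pad] == 0 and value == 1:
            self.chain = [self.levels[self.tdi]] + self.chain[:-1]
            self.levels[self.tdo] = self.chain[-1]
        self.levels[pad] = value

    def read(self, pad):
        return self.levels[pad]


def find_jtag(board, pattern, max_chain=64):
    """Try every ordered pad pair as (TCK, TDI), shift `pattern` in followed by
    enough zeros to push it through a chain of up to max_chain bits, and look
    for the pattern on any other pad. Returns (tck, tdi, tdo, chain_len) or None."""
    if 1 not in pattern:
        raise ValueError("pattern must contain a 1, idle pads read as 0")
    for tck, tdi in permutations(range(board.n_pads), 2):
        others = [p for p in range(board.n_pads) if p not in (tck, tdi)]
        samples = {p: [] for p in others}
        for bit in pattern + [0] * max_chain:
            board.drive(tdi, bit)
            board.drive(tck, 1)            # rising edge: shift one bit
            for p in others:
                samples[p].append(board.read(p))
            board.drive(tck, 0)
        for p in others:
            seq = samples[p]
            for delay in range(max_chain):
                if seq[delay:delay + len(pattern)] == pattern:
                    # a bit clocked in on edge k reaches TDO after chain_len
                    # edges, i.e. at sample index chain_len - 1
                    return tck, tdi, p, delay + 1
    return None


if __name__ == "__main__":
    board = SimulatedBoard(n_pads=8, tck=5, tdi=2, tdo=7, chain_len=4)
    print(find_jtag(board, [1, 0, 1, 1, 0, 0, 1, 0]))   # (5, 2, 7, 4)
```

Because idle pads never change, the pattern must contain a 1, and on real hardware you would additionally reject pads that toggle on their own (clocks, polled lines) before trusting a match.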
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins
Find + use JTAG testpads
%image "x800_dbgconn_closeup.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins
Find + use JTAG testpads
%image "x800_debcon_pcb.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins
Find + use JTAG testpads
%image "x800_jtagfinder_probes.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins
Find + use JTAG testpads
%image "x800_jtagfinder.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins
Found JTAG pins
Chain 1
Samsung S3C2442 Application Processor
Has standard ARM JTAG ICE
Chain 2
CPLD programming interface
Remaining work
find the nTRST and nSRST pins
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Serial console
How to find the serial console
Just run some code that you think writes to it
Use a Scope to find typical patterns of a serial port
I haven't actually done (or needed) this on the glofiish yet, but on many other devices
RxD pin is harder to find, but trial+error usually works as soon as you have some interactive prompt that echoes the characters you write
Don't forget to add a level shifter from 3.3/5V to RS232 levels
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
What's HaRET
What is HaRET
a Windows executable program for any WinCE based OS
offers a control interface on a TCP port
connect to it using haretconsole (python script) on Linux PC
supports a number of popular ARM based SoCs (PXA, S3C, MSM)
features include
GPIO state and tracing
MMIO read/write
virtual/physical memory mapping
IRQ tracing (by redirecting IRQ vectors)
load Linux into ram and boot it from within WinCE
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Using HaRET
Using HaRET
run the program on the target device
connect to it using haretconsole over USB-Ethernet
read GPIO configuration
Create GPIO function map based on SoC data sheet
watch for GPIO changes
remove the signal from the noise
exclude uninteresting and frequently changing GPIOs
watch for GPIO changes while performing certain events
press every button and check
start/stop peripherals
insert/eject SD card
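The GPIO steps above (watch for changes, drop the noisy lines, then correlate the rest with the events you perform), as an added example that is not haretconsole's own code: the trace format, the thresholds and the functions parse_trace, noisy_gpios, correlate and analyze are constructed for this example and do not reproduce haretconsole's real log format.

```python
# Added example: filter a GPIO-change trace and correlate it with events.
import re
from collections import Counter

GPIO_RE = re.compile(r"^(\d+)\s+GPIO(\d+)\s*->\s*([01])$")
EVENT_RE = re.compile(r"^(\d+)\s+EVENT\s+(.+)$")

# Constructed trace, timestamps in ms: GPIO3 toggles all the time (a clock or
# polled line), GPIO9 changes with no event, GPIO17/23 react to our actions.
TRACE = """\
0100 GPIO3 -> 1
0110 GPIO3 -> 0
0120 GPIO3 -> 1
0130 GPIO3 -> 0
0140 GPIO3 -> 1
0500 GPIO9 -> 1
1000 EVENT press power button
1012 GPIO17 -> 1
1015 GPIO3 -> 0
1180 GPIO17 -> 0
2000 EVENT insert SD card
2034 GPIO23 -> 0
2040 GPIO3 -> 1
"""


def parse_trace(lines):
    """Split a trace into GPIO changes (t, gpio, level) and events (t, label)."""
    changes, events = [], []
    for line in lines:
        line = line.strip()
        if (m := GPIO_RE.match(line)):
            changes.append((int(m[1]), int(m[2]), int(m[3])))
        elif (m := EVENT_RE.match(line)):
            events.append((int(m[1]), m[2].strip()))
    return changes, events


def noisy_gpios(changes, max_changes):
    """GPIOs changing more than max_changes times over the whole trace:
    clocks, polled lines and similar, i.e. the noise to exclude."""
    counts = Counter(gpio for _, gpio, _ in changes)
    return {gpio for gpio, n in counts.items() if n > max_changes}


def correlate(changes, events, window_ms, ignore):
    """For every event, the (gpio, level) transitions that followed it within
    window_ms, in trace order, skipping ignored GPIOs."""
    report = {}
    for t_event, label in events:
        report[label] = [(gpio, level) for t, gpio, level in changes
                         if t_event <= t <= t_event + window_ms and gpio not in ignore]
    return report


def analyze(lines, max_changes=4, window_ms=200):
    """Whole pipeline: parse, drop noisy GPIOs, correlate with events."""
    changes, events = parse_trace(lines)
    return correlate(changes, events, window_ms, noisy_gpios(changes, max_changes))


if __name__ == "__main__":
    for label, hits in analyze(TRACE.splitlines()).items():
        print(f"{label}: {hits}")
```

Tune max_changes and window_ms per device: a line that only toggles a few times in the whole trace but always right after the same action is the kind of candidate you then look up in the SoC data sheet's GPIO function map.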
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Using HaRET
Using HaRET
watch for IRQ changes/events
e.g. you see DMA3 interrupts while talking to the GSM
read MMIO config of DMA controller to determine user: SPI
read SPI controller configuration + DMA controller configuration
find RAM address of data buffers read/written by DMA
haretconsole writes logfiles
you can start to annotate the logfiles
of course, all of this could be done using JTAG, too.
but with HaRET, you mostly don't need it!!!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Disassembling WinCE drivers
Disassembling WinCE drivers
is the obvious thing to do, right?
is actually not all that easy, since
WinCE doesn't allow you to read the DLLs
neither via ActiveSync nor via the WinCE filesystem APIs
Apparently, they are pre-linked and not real files anymore
luckily, there are tools in the 'ROM cooking' scene
hundreds of different tools, almost all need Windows PC
therefore, not useful to me
conclusion: Need to understand the ROM image format
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Disassembling WinCE ROM files
Disassembling WinCE ROM files
'datextract' to extract different portions like OS image
'x520.pl' to remove spare NAND OOB sectors from image and get a file
split resulting image in bootsplash, cabarchive and disk image
'xx1.pl' to split cabarchive into CAB files
'partextract' to split disk image in partitions
'SRPX2XIP.exe' (wine) to decompress XPRS compressed partition0+1
'dumpxip.pl' to dump/recreate files in partition0 and 1
'ImgfsToDump.exe' to dump/recreate files in partition2 (imagefs)
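The step that 'x520.pl' performs in the chain above (removing the spare NAND OOB sectors from a raw image), as an added example that is not the x520.pl script or any other tool from the slides: it strips the out-of-band area from a raw dump and lists pages carrying a bad-block marker. The layouts assumed are 512-byte pages with 16 OOB bytes (small-page NAND, as on GTA01) and 2048-byte pages with 64 OOB bytes (large-page NAND, as on GTA02); the marker offsets follow the Linux MTD convention (OOB byte 5 for small-page, byte 0 for large-page NAND), and the functions strip_oob, bad_block_pages and make_raw_dump are this example's own.

```python
# Added example: strip NAND spare areas from a raw dump (not x520.pl).

def bad_block_marker_offset(page_size):
    """Offset of the factory bad-block marker inside the OOB area:
    byte 5 for small-page NAND, byte 0 for large-page NAND (Linux MTD convention)."""
    return 5 if page_size <= 512 else 0


def strip_oob(dump, page_size=512, oob_size=16):
    """Return only the data pages of a raw dump laid out as page, oob, page, oob, ..."""
    stride = page_size + oob_size
    if len(dump) % stride:
        raise ValueError(f"dump length {len(dump)} is not a multiple of {stride}")
    return b"".join(dump[i:i + page_size] for i in range(0, len(dump), stride))


def bad_block_pages(dump, page_size=512, oob_size=16):
    """Indices of pages whose OOB marker byte is not 0xFF (factory-marked bad)."""
    stride = page_size + oob_size
    off = page_size + bad_block_marker_offset(page_size)
    return [i // stride for i in range(0, len(dump), stride) if dump[i + off] != 0xFF]


def make_raw_dump(pages, page_size=512, oob_size=16, bad=()):
    """Constructed test input: data pages with all-0xFF spare areas, with the
    pages listed in `bad` given a 0x00 bad-block marker."""
    out = bytearray()
    for i, data in enumerate(pages):
        if len(data) != page_size:
            raise ValueError("page data must be exactly one page")
        oob = bytearray(b"\xff" * oob_size)
        if i in bad:
            oob[bad_block_marker_offset(page_size)] = 0x00
        out += data + oob
    return bytes(out)


if __name__ == "__main__":
    raw = make_raw_dump([bytes([i]) * 512 for i in range(3)], bad={1})
    print(len(strip_oob(raw)), bad_block_pages(raw))   # 1536 [1]
```

Two things a real dump adds on top of this: the ECC bytes in the OOB should be checked (or at least counted) before trusting the data, and pages belonging to a marked bad block are usually skipped rather than copied, otherwise the partition offsets in the later steps are off.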
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Disassembling WinCE Drivers
Disassembling WinCE Drivers
Now we finally have the re-created DLLs with the drivers
Use your favourite debugger/disassembler to take them apart
I'm a big fan of IDA (Interactive Disassembler)
The only proprietary software that I license+use in 15 years
There's actually a Linux x86 version
Was even using it with qemu on my Powerbook some years back
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
WinCE Registry
WinCE has a registry, too
I never really understood what this registry is all about, but it doesn't matter ;)
You can use 'synce-registry' to dump it to Linux
Contains important information about
how drivers are interconnected
various configuration parameters of drivers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
%center
%size 7
OpenMoko
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
WARNING
While I was the Lead System Architect for hardware and system level software throughout the first 16 months of the project,
I quit working for OpenMoko, Inc. or the FIC group in November 2007.
Thus, I do not officially represent either of these entities!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
What is OpenMoko
The commercial side
OpenMoko, Inc., ("OpenMoko, the Company")
Doing the actual hardware development
Funding the OpenMoko software R&D
Responsible for product definition, sales, marketing, PR, ...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
What is OpenMoko
The community side
OpenMoko, the overall Free Software project
A FOSS project working on
OpenMoko kernel/u-boot patches (hardware support)
OpenMoko GNU/Linux distribution
OpenMoko UI / framework
Funded by OpenMoko, Inc.
OpenMoko, the embedded GNU/Linux distribution
An OE-built embedded GNU/Linux distribution for mobile communications devices
Primarily targeted at OpenMoko/FIC handsets
Is being ported to other devices by the community
Maintained by an OE core team member employed by OpenMoko, Inc.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
What is OpenMoko about?
Open
Opening up the formerly-closed mobile world
on any achievable level
Mobile
Mobile devices are the future
Free
100% Free Software from driver through UI
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Neo1973 GTA01 hardware
Neo1973 GTA01 hardware (2007)
S3C2410 SoC @ 266MHz
2.8" 480x640 LCM, 262k colors
128MB SDRAM
64MB SLC NAND (512/16k)
USB 1.1 device and host (unpowered)
A-GPS (without processor)
GSM+GPRS chipset (ARM7 based)
Wolfson audio codec
2 stereo speakers (1.2W)
2.5mm headset jack
CSR4 based Bluetooth
NXP PCF50606 power management unit
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Neo1973 GTA02 hardware
Neo1973 GTA02 hardware (2008)
S3C2442B SoC @ 400 MHz (500MHz option)
2.8" 480x640 LCM, 262k colors
128MB SDRAM
256MB SLC NAND (2048/128k)
USB 1.1 device and host (with power)
A-GPS (fully autonomous firmware-based)
GSM+GPRS chipset (Ti Calypso, ARM7 based)
CSR4 based Bluetooth
Atheros AR6k based 802.11b/g WiFi
2 3D accelerometers
Smedia Glamo 3362 GPU
NXP PCF50633 power management unit
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable Device
Hackable Device
Standards compliance wherever possible
The device shall be under full user control
Everyone should be able to hack it, at any level
Make the entry barrier for development as low as possible
bootloader prompt via USB serial emulation
Serial console
JTAG for the people
Provide Debug Board with embedded USB JTAG + serial adapter
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
User control
User control
The phone needs to be under control of the user, and the free software he uses
Even backdoors or rogue GSM firmware shall not be able to intrude on the privacy of the user
So we e.g. put the Audio codec (under explicit control from the Linux-running AP) between microphone/speaker and the GSM modem
So we enable the Linux-running AP to cut power of the GSM modem
Thus, free software (and thus the user) remains in ultimate control
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable at any level
Hardware Hacking
we even encourage hardware hacking
I2C, SPI, GPIO and IRQ line on documented test pads and connector
allows for attachment of new peripherals to the device
even the hardware schematics available under FOSS-permissive NDA
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable at any level
System-level hacking (bootloader, OS)
entire bootloader from very first instruction FOSS
entire kernel including all drivers FOSS
JTAG accessible on debug connector
serial console on debug connector
debug board (USB JTAG adaptor and USB serial converter)
un-brickable through emergency boot loader in read-only NOR flash (GTA02)
DFU (Device Firmware Upgrade) for full-system re-flash via USB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable at any level
Userspace and UI level hacking
entire userspace world FOSS (libraries, daemons, UI, X driver, ...)
FOSS build system and toolchain/SDK enable anyone to build custom software packages and/or flash images
provide a programming environment as close as possible to the Linux desktop world
allow developers to re-use their existing Linux development skills
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
GSM Integration
But you can't hack the GSM stack
yes, that is true.
pretty much like you can't hack the firmware of your SCSI or RAID controller, WiFi card, Bluetooth chipset, etc.
even the firmware of a good old analogue phone line (voice) modem was not hackable
having proprietary firmware on a dedicated peripheral CPU is even acceptable to the FSF!
And no doubt, anyone inside OpenMoko would love to ever have an open source GSM stack. Patches welcome :)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
GSM Integration
But you can't hack the GSM stack
so you get the maximum level of freedom that you can get with any other peripheral device:
open source low-level (mux, power mgmt) drivers
open source high-level drivers (gsm daemon)
openly documented serial protocol (TS 07.05, 07.07, 07.10)
asking for more freedom on the GSM side is hypocritical when accepting the very same level with other peripheral devices.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
GSM Integration
But you can't hack the GSM stack
besides that
GTA01 has baseband JTAG on test pins
OpenMoko does not cryptographically sign GSM firmware images
GSM firmware is user-upgradable
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Difference
Difference from other Linux phones
'others' discourage third parties from writing apps
you need explicit permission? WTF!
'others' try to make customers pay for a device that's still under manufacturer / GSM operator control
'others' use proprietary kernel modules
locks you into some old kernel version
'others' use proprietary bootloaders
'others' don't give you JTAG/serial access
'others' use proprietary UI toolkits
vendor lock-in
'others' don't give out their build system
'others' don't give out their firmware update tools
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS for the Mobile World
%center
%size 7
FOSS for the GSM network side
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS for the Mobile World
Why FOSS for the network side?
Why?
For the same reason you might run other networks
To learn and experiment with technology
To boldly go where no [free] man has gone before ;)
Practical demonstration of known GSM security problems
Raise public awareness about GSM [in]security
thus increase the incentive for the market to improve
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Legal Disclaimer
Legal Disclaimer
Don't try this at home!
GSM operates on LICENSED spectrum
Thus, you need approval from the regulatory authority
Only use BTS with dummy load!
Don't interfere with the operators!
Our software is strictly for research purpose only
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Network Architecture
The Hitchhikers Guide to the GSM Network
unfortunately does not exist
The GSM related literature
is typically too high-level
The GSM protocol specifications
are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Network Architecture
GSM is a bit-synchronous network
it draws many analogies from ISDN and SDN
layer 2 modelled after Q.921 / LAPD
call signalling modelled after Q.931
but: many more protocols for mobility management, radio resources, ...
like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
GSM is a TDMA "nightmare"
e.g. you never know from/for whom data is without the timing context
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Network Architecture
MS
Mobile Station (your Phone)
BTS
Base Transceiver Station
BSC
Base Station Controller
MSC
Mobile Switching Center
HLR/VLR
Home/Visitor Location Register
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Base Transceiver Station
BTS
As the name indicates "transceiver"
Handles
Layer 1 and some parts of RF layer 2
Modulation/Demodulation
Time Multiplex, scheduling of frames
Is not a "Base Station", i.e. not self-contained
True 'slave' to the BSC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Base Station Controller
BSC
Base Station Controller
Handles
most of the actual decision making
really controls most aspects of BTSs
handles intra-BSC cell handover
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM A-bis interface
BSC <-> BTS Interface
is called A-bis
has the following control layers on E1 TS1
L2ML (Layer 2 Management)
TEI management similar to ISDN
OML (Organization & Maintenance)
System parameters, events
RSL (Radio Subsystem Layer)
has encoded voice data (TRAU frames) on other E1 TS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The Siemens BS-11 microBTS
Siemens BS-11 microBTS
plain old 2G (GSM voice calls, CSD)
one or two TRX, 30mW to 2W each, GSM900
two E1 interfaces (for daisy-chaining)
documentation under NDA, but
99.9% of the A-bis protocol available from GSM specs
See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
RS232 serial port for Local Maintenance Terminal
LMT software proprietary under NDA
not needed for operation of the BTS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The Siemens BS-11 microBTS
%image "1_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The Siemens BS-11 microBTS
First steps with the Siemens BS-11
Harald bought a BS-11 on eBay in 2006
Started to read some specs (08.5x) about A-bis
Started to build cables for E1 and power
Bought HFC-E1 PCI card
Bought Elmi EGM35 Abis analyzer (eBay once again)
Got in contact with other people who also bought a BS-11
Found somebody who could provide Abis traces
Never really had time due to Openmoko and other projects
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
OpenBSC
OpenBSC (12/2008)
get L2ML to work with mISDN
mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
learn how new sockets-based mISDN API works
come up with event-driven architecture, single select loop, no threads, ...
At 25C3:
add libdbi/sqlite database for "HLR"
get paging to work, support for configurable network ID
debugging + stabilization with > 1000 test users ;)
IMSI + IMEI skimming
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3
IMSI+IMEI skimming
very simple:
phones with automatic network selection pick strongest network
they send LOCATION UPDATE REQUEST
we send IDENTITY REQUEST IMSI + IMEISV
they send IMSI + IMEISV
we store this in the database
and then send LOCATION UPDATE REJECT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3
Mobile Originated Call
once an MS is registered, we can
dial a number from the MS
allocate and establish a TCH/F
deal with the Signalling and get into Connect
unfortunately, code for handling voice streams not finished
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3
Mobile Originated SMS
once an MS is registered, we can
send an SMS
parse + acknowledge SMS PDU data
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3
The Egypt simulation
apparently GPS is illegal in mobile phones in Egypt
"Egypt detection" implemented by checking whether any surrounding cells carry the Egypt country code
phones don't even have to register to our BTS!
so if we claim to be e.g. MobiNil, phones will shut off their GPS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Other GSM related FOSS
Other GSM related FOSS
OpenBTS
100% Software Defined Radio based on USRP + gnuradio
implements entire RF+layer1/2/3 and interfacing to SIP/Asterisk
much more than just a BTS!!
some code overlap with OpenBSC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Other GSM related FOSS
THC GSM project
now converging into airprobe.org
working on a protocol analyzer / sniffer for GSM Um Air interface
slow progress, only few people understand the technology
but it's actually not all that hard, just needs time and motivation
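One small piece of the Um/A-bis protocol work that both a protocol analyzer like the one above and the IDENTITY REQUEST / LOCATION UPDATE exchange on the 25C3 slide depend on is the Mobile Identity information element of TS 04.08 (section 10.5.1.4), which carries the IMSI, IMEI, IMEISV or TMSI. The encoder/decoder below is an added example, not code from OpenBSC, airprobe or THC; the function names are this example's own and the sample identities are constructed and belong to no subscriber.

```python
# Added example: encode/decode the TS 04.08 Mobile Identity IE (not OpenBSC code).

IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
TYPE_IDS = {name: tid for tid, name in IDENTITY_TYPES.items()}


def decode_mobile_identity(ie):
    """ie = length octet followed by the value part. Returns (type, identity).

    Octet 3: bits 1-3 type of identity, bit 4 odd/even number of digits,
    bits 5-8 digit 1. Following octets hold two BCD digits each, low nibble
    first; an even digit count is padded with 0xF. A TMSI has no digits:
    the high nibble of octet 3 is 0xF and 4 octets of TMSI follow."""
    if len(ie) < 2 or len(ie) != ie[0] + 1:
        raise ValueError("length octet does not match IE size")
    body = ie[1:]
    type_id, odd = body[0] & 0x07, (body[0] >> 3) & 1
    if type_id not in IDENTITY_TYPES:
        raise ValueError(f"unknown identity type {type_id}")
    if type_id == TYPE_IDS["TMSI"]:
        if len(body) != 5:
            raise ValueError("TMSI must be 4 octets")
        return "TMSI", "%08x" % int.from_bytes(body[1:], "big")
    digits = [body[0] >> 4]
    for octet in body[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd:
        if digits[-1] != 0xF:
            raise ValueError("even-length identity must end in 0xF filler")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return IDENTITY_TYPES[type_id], "".join(map(str, digits))


def encode_mobile_identity(type_name, identity):
    """Inverse of decode_mobile_identity; identity is a digit string
    (or 8 hex digits for a TMSI)."""
    type_id = TYPE_IDS[type_name]
    if type_name == "TMSI":
        return bytes([5, 0xF0 | type_id]) + int(identity, 16).to_bytes(4, "big")
    digits = [int(c) for c in identity]
    odd = len(digits) % 2
    if not odd:
        digits.append(0xF)                       # filler nibble
    body = bytearray([(digits[0] << 4) | (odd << 3) | type_id])
    for i in range(1, len(digits), 2):
        body.append(digits[i] | (digits[i + 1] << 4))
    return bytes([len(body)]) + bytes(body)


if __name__ == "__main__":
    ie = encode_mobile_identity("IMSI", "262011234567890")
    print(ie.hex(), decode_mobile_identity(ie))   # 082926102143658709 ('IMSI', ...)
```

The length check at the top is the one that matters in a dissector: a truncated or malformed IE must raise rather than be decoded from whatever bytes follow it on the channel.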
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Links
OpenBSC
http://openbsc.gnumonks.org/
3GPP / ETSI GSM Specs
http://www.3gpp.org/
Priv-Doz. Dr.-Ing Joachim Goeller
http://www2.informatik.hu-berlin.de/~goeller
THC GSM Wiki
http://wiki.thc.org/gsm
OpenBTS
http://gnuradio.org/trac/wiki/OpenBTS
Harald's branch of gsm-tvoid, etc
git://git.gnumonks.org/gsm.git
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Thanks
Thanks to
The FSF and Richard Stallman for the GPL
which e.g. enabled us to get the kernel source for the EZX phones
Openmoko, Inc. for their work on Freeing the mobile world
The ETSI/3GPP for having all their specifications online
zecke, alphaone, Stefan for their work on OpenBSC
W. for his extensive A-bis protocol traces and MA-10
Netzing AG for funding my OpenBSC work
Pablo for inviting me to this conference in Seville