1001 lines
29 KiB
Plaintext
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7

Free and Open Source Software
in the
Mobile World

%center
%size 4
by

Harald Welte <laforge@gnumonks.org>

netfilter.org / openmoko.org / openpcd.org
gpl-violations.org / openezx.org / gnufiish.org
berlin.ccc.de / openBSC.gnumonks.org
deDECTed.org / hmw-consulting.de / viatech.com

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Introduction

	Who is speaking to you?
		an independent Free Software developer, consultant and trainer
		15 years of experience using, deploying and developing for Linux on servers and workstations
		12 years of professional experience in Linux system and kernel level development
		strong focus on network security and embedded systems
		expert in Free and Open Source Software (FOSS) copyright and licensing
		digital board-level hardware design, esp. embedded systems
		active developer and contributor to many FOSS projects
		thus, a techie, who will therefore not have fancy animated slides ;)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Why?

	Why?
		For the same reason you have FOSS in other areas
			You can run a 100% FOSS Personal Computer / Laptop
			The majority of all consumer electronics network gear runs Linux
				DSL routers, WiFi access points, network attached storage
		To enable people to exercise the core freedoms
			to study and understand the software
			to share the software with others
			to modify, and run + share modified versions
		Because the mobile world is 100% proprietary and anti-competitive

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The closed Mobile World

	Compare the Mobile world with the PC world
		In the PC world
			you buy some more or less standardized hardware
			you have the freedom to install whatever OS on it
			you have the freedom to install whatever apps on it
			you can run it 100% based on FOSS and get the freedoms
			you connect to communications networks with a (DSL) modem
			the network protocol stack (TCP/IP, WiFi, ISDN) runs on the PC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The closed Mobile World

	Compare the Mobile world with the PC world
		In the Mobile world
			you buy some product (mobile phone)
			the product ships with a pre-installed OS and apps
			the manufacturer does everything to prevent you from installing an OS of your choice
			there is no single product/solution based on 100% FOSS
			the network protocol stack (GSM/GPRS/UMTS) runs in proprietary firmware

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The closed Mobile World

	It gets even worse...
		The phone maker and/or operator have remote control over
			reading/writing entries of your phonebook
			making your phone send SMS
			making your phone place phone calls
			updating/changing the software over the air (FOTA)
			preventing you from using the Bluetooth/USB interface the way you want
				transfer ringtones, make backups, tethering

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The closed Mobile World

	So the end result
		You buy a product for _a lot_ of money...
		... but you don't _own_ the product. The manufacturer or operator does
		So why should you pay money?
			If it is yours, you decide what it does or doesn't do.
			If the operators want to own the phone, they should rent it to you, not sell it.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
How can we free the phone

	We can free the mobile phone world by:
		building more open hardware
			hard, since most chips/components are very FOSS-unfriendly
		developing FOSS-based OS/middleware/applications
			easily possible, but hard without open hardware
		developing a FOSS GSM protocol stack
			extremely hard; tight NDAs and business conduct basically prevent anyone from entering the market

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
How can we free the phone

	FOSS for mobile phones
		HTC-Linux / xda-developers project
			reverse-engineering of HTC smartphones
		OpenEZX.org
			reverse-engineering Motorola EZX and MAGX phones
		gnufiish.org
			reverse-engineering E-TEN glofiish phones
		openmoko.org
			designing and building open, FOSS-friendly phones

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Reverse Engineering

	Reverse Engineering projects
		are always late
			they start after the product ships
		are getting harder and harder
			many new System-on-a-Chip have docs under NDA
			frequent use of FPGA or CPLD or custom ASIC
			cryptographic signatures in boot loader
		very rarely have a big impact
			the software might be complete when the hardware is end-of-life

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Reverse Engineering

	How to find such a Linux-friendly device?
		Look at hardware details of available devices
			Use Google to find out what hardware they use
			Use the FCC database to get PCB photographs
			Look at WM firmware images (registry/...)
		At some point you buy one and take it apart

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Linux-friendly hardware

	I went through this process
		I found the E-TEN glofiish devices
		They are very similar to Openmoko
			Samsung S3C2442 SoC MCP with NAND+SDRAM
			TD028TTEC1 full-VGA LCM
		Other hardware parts reasonably supported/known
			Marvell 8686/libertas WiFi (SPI attached)
			SiRF GPS (UART attached)
			CSR Bluetooth (UART attached)
		Only some unknown parts
			CPLD for power management and keyboard matrix
			Ericsson GSM modem (AT command set documented!)
			Cameras (I don't really care)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Project gnufiish

	Project 'gnufiish'
		Port Linux to the E-TEN glofiish devices
			Initially to the M800 and X800
			Almost all glofiish have very similar hardware
		Openmoko merges all my patches in their kernel!
			Official inclusion in the Openmoko distribution

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Project gnufiish

	gnufiish Status
		Kernel (2.6.24/2.6.27) booted on _first attempt_
		Working
			I2C host controller
			I2C communication to CPLD and FM radio
			USB device mode (Ethernet gadget)
			Touchscreen input
			LCM framebuffer
			LCM backlight control
			GPS and Bluetooth power control
			GPIO buttons
		In the works
			Audio codec driver (50% done)
			GSM modem (SPI) driver (80% done)
			M800 keyboard + capsense driver (25% done)
			SPI glue to libertas WiFi driver (70% done)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
HOWTO

	How was this done?
		Various reverse engineering techniques
			Take the actual board apart, note major components
			Use HaRET (hardware reverse engineering tool)
			Find + use JTAG test pads
			Find + use serial console
			Disassemble WinMobile drivers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Take hardware apart

	Opening the case (and voiding your warranty)
%image "x800_backside_nobat_nocover.jpg"
	Note the convenient test pads beneath the battery

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Take hardware apart

	Opening the case
%image "x800_opening_the_case.jpg" 800x600
	If you have a bit of experience in taking apart devices, you can do that without any damage...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Take hardware apart

	The mainboard with all its shielding covers
%image "x800_mainboard_with_shielding.jpg" 800x600
	Obviously, the shielding needs to go

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Take hardware apart

	The application processor section
%image "x800_application_processor.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Take hardware apart

	The HSDPA modem section
%image "x800_hsdpa_modem.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Take hardware apart

	The backside
%image "x800_backside_with_lcm.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
JTAG pins

	Find + use JTAG test pads
		JTAG is basically a long shift register
			Input, Output, Clock (TDI, TDO, TCK)
		Therefore, you can try to shift data in and check if/where it comes out
		Automated JTAG search by project "jtagfinder" by Hunz (German CCC member)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
JTAG pins

	Find + use JTAG test pads
%image "x800_dbgconn_closeup.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
JTAG pins

	Find + use JTAG test pads
%image "x800_debcon_pcb.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
JTAG pins

	Find + use JTAG test pads
%image "x800_jtagfinder_probes.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
JTAG pins

	Find + use JTAG test pads
%image "x800_jtagfinder.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
JTAG pins

	Found JTAG pins
		Chain 1
			Samsung S3C2442 application processor
			Has standard ARM JTAG ICE
		Chain 2
			CPLD programming interface
		Remaining work
			find the nTRST and nSRST pins

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Serial console

	How to find the serial console
		Just run some code that you think writes to it
		Use a scope to find the typical patterns of a serial port
		I haven't actually done (or needed) this on the glofiish yet, but on many other devices
		The RxD pin is harder to find; trial and error usually works as soon as you have some interactive prompt that echoes the characters you write
		Don't forget to add a level shifter from 3.3/5V to RS232 levels
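The "typical patterns of a serial port" the scope shows are an idle-high line with a falling start bit, eight data bits and a high stop bit, all of equal width. The following added example (not part of the original slides or any of the tools they name) decodes such a capture offline: it estimates the baud rate from the shortest level run, reads each bit at its centre, and counts framing errors, which is how you notice that you guessed the wrong rate or that the pad is not a UART at all. The capture is constructed by `encode_8n1` rather than taken from a real device, and the 96 kHz sample rate and the `Boot> ` prompt are assumptions.

```python
"""Decode an 8N1 serial console from a logic-level capture of a candidate pad.

Input is a list of 0/1 samples from a scope or logic analyzer. A falling
edge on an idle-high line is taken as a start bit; each of the following
bits is sampled at its centre. A stop bit that reads low is a framing error.
"""

STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)


def encode_8n1(text: bytes, baud: int, sample_rate: int) -> list:
    """Construct the sample stream a scope would see for `text`
    (8 data bits, no parity, 1 stop bit, LSB first, idle high).
    Used here only to build a constructed test capture."""
    spb = sample_rate // baud           # samples per bit
    samples = [1] * (4 * spb)           # idle line before the first frame
    for byte in text:
        frame = [0] + [(byte >> i) & 1 for i in range(8)] + [1]   # start, d0..d7, stop
        for bit in frame:
            samples.extend([bit] * spb)
    samples.extend([1] * (4 * spb))     # idle line after the last frame
    return samples


def estimate_baud(samples, sample_rate, candidates=STANDARD_BAUDS) -> int:
    """The shortest run of identical samples is (close to) one bit period;
    pick the nearest standard rate."""
    runs, n = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            n += 1
        else:
            runs.append(n)
            n = 1
    runs.append(n)
    shortest = min(runs)
    return min(candidates, key=lambda b: abs(b - sample_rate / shortest))


def decode_8n1(samples, sample_rate, baud):
    """Return (decoded bytes, framing error count) for the given baud rate."""
    spb = sample_rate / baud
    out, errors = bytearray(), 0
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:             # idle, keep scanning for a start bit
            i += 1
            continue
        centre = i + spb / 2            # centre of the start bit
        idx = [int(centre + k * spb) for k in range(1, 10)]   # d0..d7, stop
        if idx[-1] >= n:
            break                       # truncated frame at the end of the capture
        bits = [samples[j] for j in idx[:8]]
        if samples[idx[8]] == 1:        # stop bit high: frame is valid
            out.append(sum(b << k for k, b in enumerate(bits)))
        else:
            errors += 1                 # framing error: wrong baud, or not a UART
        i = int(i + 10 * spb)           # skip past the stop bit
    return bytes(out), errors


def recover_console(samples, sample_rate):
    """Full pipeline: estimate the baud rate, then decode."""
    baud = estimate_baud(samples, sample_rate)
    data, errors = decode_8n1(samples, sample_rate, baud)
    return baud, data, errors


# Constructed capture (assumption): a boot prompt at 9600 8N1 sampled at 96 kHz.
SAMPLE_RATE = 96_000
CAPTURE = encode_8n1(b"Boot> ", 9600, SAMPLE_RATE)

if __name__ == "__main__":
    baud, data, errors = recover_console(CAPTURE, SAMPLE_RATE)
    print("baud", baud, "data", data, "framing errors", errors)
```

Decoding the same capture at 19200 baud produces framing errors on the very first frame, which is the cue to try the next rate; on a real pad, a run of framing errors at every standard rate means the signal is probably not a UART.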

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
What's HaRET

	What is HaRET
		a Windows executable program for any WinCE based OS
		offers a control interface on a TCP port
			connect to it using haretconsole (python script) on a Linux PC
		supports a number of popular ARM based SoCs (PXA, S3C, MSM)
		features include
			GPIO state and tracing
			MMIO read/write
			virtual/physical memory mapping
			IRQ tracing (by redirecting IRQ vectors)
			load Linux into RAM and boot it from within WinCE

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Using HaRET

	Using HaRET
		run the program on the target device
		connect to it using haretconsole over USB-Ethernet
		read GPIO configuration
			Create a GPIO function map based on the SoC data sheet
		watch for GPIO changes
			remove the signal from the noise
			exclude uninteresting and frequently changing GPIOs
		watch for GPIO changes while performing certain events
			press every button and check
			start/stop peripherals
			insert/eject SD card

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Using HaRET

	Using HaRET
		watch for IRQ changes/events
			e.g. you see DMA3 interrupts while talking to the GSM modem
			read the MMIO config of the DMA controller to determine its user: SPI
			read SPI controller configuration + DMA controller configuration
			find the RAM address of the data buffers read/written by DMA
		haretconsole writes logfiles
			you can start to annotate the logfiles
		of course, all of this could be done using JTAG, too.
			but with HaRET, you mostly don't need it!!!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Disassembling WinCE drivers

	Disassembling WinCE drivers
		is the obvious thing to do, right?
		is actually not all that easy, since
			WinCE doesn't allow you to read the DLLs
				neither via ActiveSync nor via the WinCE filesystem APIs
			Apparently, they are pre-linked and not real files anymore
		luckily, there are tools in the 'ROM cooking' scene
			hundreds of different tools, almost all need a Windows PC
			therefore, not useful to me
		conclusion: need to understand the ROM image format

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Disassembling WinCE ROM files

	Disassembling WinCE ROM files
		'datextract' to extract different portions like the OS image
		'x520.pl' to remove the spare NAND OOB sectors from the image and get a file
		split the resulting image into bootsplash, cab archive and disk image
		'xx1.pl' to split the cab archive into CAB files
		'partextract' to split the disk image into partitions
		'SRPX2XIP.exe' (wine) to decompress the XPRS-compressed partitions 0+1
		'dumpxip.pl' to dump/recreate files in partitions 0 and 1
		'ImgfsToDump.exe' to dump/recreate files in partition 2 (imagefs)
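The OOB-stripping step is the one that makes a raw NAND image parseable at all: every data page in the dump is followed by its spare area, so offsets inside the image are wrong until those bytes are removed. The following added example (not `x520.pl` or any other tool from the ROM cooking scene) strips the spare area block by block and skips blocks carrying a factory bad-block marker. It assumes the conventional marker position (spare byte 5 for 512-byte pages, spare byte 0 for 2048-byte pages) and uses a constructed dump with a toy block size of 4 pages; a real 512/16k device has 32 pages per block and a 2048/128k device 64.

```python
"""Strip the spare (OOB) area from a raw NAND dump, block by block.

A raw dump of small-page NAND interleaves each 512-byte data page with its
16-byte spare area. Pages are walked per erase block; a block whose first
page carries a bad-block marker other than 0xFF is skipped, since its data
is not part of the logical image. Marker position follows the common
convention (assumption): spare byte 5 for 512-byte pages, byte 0 for
2048-byte pages.
"""


def bad_block_marker_offset(page_size: int) -> int:
    """Conventional factory bad-block marker position inside the spare area."""
    return 5 if page_size <= 512 else 0


def strip_oob(dump: bytes, page_size: int = 512, oob_size: int = 16,
              pages_per_block: int = 32, skip_bad_blocks: bool = True):
    """Return (image data without spare areas, list of skipped block numbers)."""
    stride = page_size + oob_size
    block_bytes = stride * pages_per_block
    if len(dump) % block_bytes:
        raise ValueError("dump length %d is not a whole number of %d-byte blocks"
                         % (len(dump), block_bytes))
    out, skipped = bytearray(), []
    marker = bad_block_marker_offset(page_size)
    for blk in range(len(dump) // block_bytes):
        block = dump[blk * block_bytes:(blk + 1) * block_bytes]
        first_oob = block[page_size:stride]          # spare area of the first page
        if skip_bad_blocks and first_oob[marker] != 0xFF:
            skipped.append(blk)
            continue
        for p in range(pages_per_block):
            out += block[p * stride:p * stride + page_size]   # data only, no OOB
    return bytes(out), skipped


def build_raw_dump(pages, page_size=512, oob_size=16, pages_per_block=4,
                   bad_blocks=()):
    """Constructed raw dump for the example: pad each page, append an all-0xFF
    spare area, and write a 0x00 bad-block marker into the first spare area
    of every block listed in `bad_blocks`."""
    raw = bytearray()
    marker = bad_block_marker_offset(page_size)
    for i, page in enumerate(pages):
        oob = bytearray(b"\xff" * oob_size)
        blk, idx = divmod(i, pages_per_block)
        if idx == 0 and blk in bad_blocks:
            oob[marker] = 0x00
        raw += page.ljust(page_size, b"\x00") + oob
    return bytes(raw)


# Constructed dump (assumption): two 4-page blocks, block 1 marked bad.
PAGES = [b"page%d" % i for i in range(8)]
RAW = build_raw_dump(PAGES, pages_per_block=4, bad_blocks={1})

if __name__ == "__main__":
    data, skipped = strip_oob(RAW, pages_per_block=4)
    print(len(RAW), "raw bytes ->", len(data), "image bytes; skipped blocks:", skipped)
```

Run with `skip_bad_blocks=False` the function behaves like a plain OOB stripper and keeps every page, which is the right choice when you want to look at what a vendor wrote into a block it later marked bad.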

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Disassembling WinCE Drivers

	Disassembling WinCE Drivers
		Now we finally have the re-created DLLs with the drivers
		Use your favourite debugger/disassembler to take them apart
		I'm a big fan of IDA (Interactive Disassembler)
			The only proprietary software that I have licensed and used in 15 years
			There's actually a Linux x86 version
			Was even using it with qemu on my PowerBook some years back

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
WinCE Registry

	WinCE has a registry, too
		I never really understood what this registry is all about, but it doesn't matter ;)
		You can use 'synce-registry' to dump it to Linux
		Contains important information about
			how drivers are interconnected
			various configuration parameters of drivers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko

%center
%size 7

OpenMoko

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
WARNING

	While I have been the Lead System Architect for hardware and system level software throughout the first 16 months of the project,
	I quit working for OpenMoko, Inc. and the FIC group in November 2007.
	Thus, I do not officially represent either of these entities!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
What is OpenMoko

	The commercial side
		OpenMoko, Inc. ("OpenMoko, the Company")
			Doing the actual hardware development
			Funding the OpenMoko software R&D
			Responsible for product definition, sales, marketing, PR, ...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
What is OpenMoko

	The community side
		OpenMoko, the overall Free Software project
			A FOSS project working on
				OpenMoko kernel/u-boot patches (hardware support)
				OpenMoko GNU/Linux distribution
				OpenMoko UI / framework
			Funded by OpenMoko, Inc.
		OpenMoko, the embedded GNU/Linux distribution
			An OE-built embedded GNU/Linux distribution for mobile communications devices
			Primarily targeted at OpenMoko/FIC handsets
			Is being ported to other devices by the community
			Maintained by an OE core team member employed by OpenMoko, Inc.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
What is OpenMoko about?

	Open
		Opening up the formerly-closed mobile world
		on any achievable level
	Mobile
		Mobile devices are the future
	Free
		100% Free Software from driver through UI

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Neo1973 GTA01 hardware

	Neo1973 GTA01 hardware (2007)
		S3C2410 SoC @ 266MHz
		2.8" 480x640 LCM, 262k colors
		128MB SDRAM
		64MB SLC NAND (512/16k)
		USB 1.1 device and host (unpowered)
		A-GPS (without processor)
		GSM+GPRS chipset (ARM7 based)
		Wolfson audio codec
		2 stereo speakers (1.2W)
		2.5mm headset jack
		CSR4 based Bluetooth
		NXP PCF50606 power management unit

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Neo1973 GTA02 hardware

	Neo1973 GTA02 hardware (2008)
		S3C2442B SoC @ 400 MHz (500MHz option)
		2.8" 480x640 LCM, 262k colors
		128MB SDRAM
		256MB SLC NAND (2048/128k)
		USB 1.1 device and host (with power)
		A-GPS (fully autonomous firmware-based)
		GSM+GPRS chipset (TI Calypso, ARM7 based)
		CSR4 based Bluetooth
		Atheros AR6k based 802.11b/g WiFi
		two 3D accelerometers
		Smedia Glamo 3362 GPU
		NXP PCF50633 power management unit

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Hackable Device

	Hackable Device
		Standards compliance wherever possible
		The device shall be under full user control
		Everyone should be able to hack it, at any level
		Make the entry barrier for development as low as possible
			bootloader prompt via USB serial emulation
			Serial console
		JTAG for the people
			Provide a Debug Board with embedded USB JTAG + serial adapter

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
User control

	User control
		The phone needs to be under the control of the user, and the free software he uses
		Even backdoors or rogue GSM firmware shall not be able to intrude on the privacy of the user
			So we e.g. put the audio codec (under explicit control from the Linux-running AP) between microphone/speaker and the GSM modem
			So we enable the Linux-running AP to cut the power to the GSM modem
		Thus, free software (and thus the user) remains in ultimate control

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Hackable at any level

	Hardware Hacking
		we even encourage hardware hacking
		I2C, SPI, GPIO and IRQ lines on documented test pads and connector
			allows for attachment of new peripherals to the device
		even the hardware schematics are available under a FOSS-permissive NDA

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Hackable at any level

	System-level hacking (bootloader, OS)
		entire bootloader, from the very first instruction, is FOSS
		entire kernel including all drivers is FOSS
		JTAG accessible on debug connector
		serial console on debug connector
		debug board (USB JTAG adaptor and USB serial converter)
		un-brickable through emergency boot loader in read-only NOR flash (GTA02)
		DFU (Device Firmware Upgrade) for full-system re-flash via USB

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Hackable at any level

	Userspace and UI level hacking
		entire userspace world is FOSS (libraries, daemons, UI, X driver, ...)
		FOSS build system and toolchain/SDK enable anyone to build custom software packages and/or flash images
		provide a programming environment as close as possible to the Linux desktop world
			allow developers to re-use their existing Linux development skills

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
GSM Integration

	But you can't hack the GSM stack
		yes, that is true.
		pretty much like you can't hack the firmware of your SCSI or RAID controller, WiFi card, Bluetooth chipset, etc.
		even the firmware of a good old analogue phone line (voice) modem was not hackable
		having proprietary firmware on a dedicated peripheral CPU is even acceptable to the FSF!
		And no doubt, anyone inside OpenMoko would love to ever have an open source GSM stack. Patches welcome :)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
GSM Integration

	But you can't hack the GSM stack
		so you get the maximum level of freedom that you can get with any other peripheral device:
			open source low-level (mux, power mgmt) drivers
			open source high-level drivers (gsm daemon)
			openly documented serial protocol (TS 07.05, 07.07, 07.10)
		asking for more freedom on the GSM side is hypocritical when accepting the very same level with other peripheral devices.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
GSM Integration

	But you can't hack the GSM stack
		besides that
			GTA01 has baseband JTAG on test pins
			OpenMoko does not cryptographically sign GSM firmware images
			GSM firmware is user-upgradable

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

OpenMoko
Difference

	Difference from other Linux phones
		'others' discourage third parties from writing apps
			you need explicit permission? WTF!
		'others' try to make customers pay for a device that's still under manufacturer / GSM operator control
		'others' use proprietary kernel modules
			locks you into some old kernel version
		'others' use proprietary bootloaders
		'others' don't give you JTAG/serial access
		'others' use proprietary UI toolkits
			vendor lock-in
		'others' don't give out their build system
		'others' don't give out their firmware update tools

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS for the Mobile World

%center
%size 7

FOSS for the GSM network side

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS for the Mobile World
Why FOSS for the network side?

	Why?
		For the same reason you might run other networks
			To learn and experiment with technology
			To boldly go where no [free] man has gone before ;)
		Practical demonstration of known GSM security problems
			Raise public awareness about GSM [in]security
			thus increase the incentive for the market to improve

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Legal Disclaimer

	Legal Disclaimer
		Don't try this at home!
		GSM operates on LICENSED spectrum
			Thus, you need approval from the regulatory authority
		Only use a BTS with a dummy load!
		Don't interfere with the operators!
		Our software is strictly for research purposes only

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
GSM Network Architecture

	The Hitchhiker's Guide to the GSM Network
		unfortunately does not exist
	The GSM related literature
		is typically too high-level
	The GSM protocol specifications
		are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
GSM Network Architecture

	GSM is a bit-synchronous network
		it draws many analogies from ISDN and SDN
			layer 2 modelled after Q.921 / LAPD
			call signalling modelled after Q.931
		but: many more protocols for mobility management, radio resources, ...
		like all traditional telco protocols: intelligence in the network, not in the end nodes.
	GSM is a TDMA "nightmare"
		e.g. you never know from/for whom data is without the timing context

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
GSM Network Architecture

	MS
		Mobile Station (your phone)
	BTS
		Base Transceiver Station
	BSC
		Base Station Controller
	MSC
		Mobile Switching Center
	HLR/VLR
		Home/Visitor Location Register

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
GSM Base Transceiver Station

	BTS
		As the name indicates, a "transceiver"
		Handles
			Layer 1 and some parts of RF layer 2
			Modulation/demodulation
			Time multiplex, scheduling of frames
		Is not a "Base Station", i.e. not self-contained
			True 'slave' to the BSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
GSM Base Station Controller

	BSC
		Base Station Controller
		Handles
			most of the actual decision making
			really controls most aspects of the BTSs
			handles intra-BSC cell handover

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
GSM A-bis interface

	BSC <-> BTS Interface
		is called A-bis
		has the following control layers on E1 TS1
			L2ML (Layer 2 Management)
				TEI management similar to ISDN
			OML (Organization & Maintenance)
				System parameters, events
			RSL (Radio Subsystem Layer)
		has encoded voice data (TRAU frames) on the other E1 TS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The Siemens BS-11 microBTS

	Siemens BS-11 microBTS
		plain old 2G (GSM voice calls, CSD)
		one or two TRX, 30mW to 2W each, GSM900
		two E1 interfaces (for daisy-chaining)
		documentation under NDA, but
			99.9% of the A-bis protocol available from GSM specs
			See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
		RS232 serial port for Local Maintenance Terminal
			LMT software proprietary under NDA
			not needed for operation of the BTS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The Siemens BS-11 microBTS

%image "1_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
The Siemens BS-11 microBTS

	First steps with the Siemens BS-11
		Harald bought a BS-11 on eBay in 2006
		Started to read some specs (08.5x) about A-bis
		Started to build cables for E1 and power
		Bought an HFC-E1 PCI card
		Bought an Elmi EGM35 Abis analyzer (eBay once again)
		Got in contact with other people who also bought a BS-11
		Found somebody who could provide Abis traces
		Never really had time due to Openmoko and other projects

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
OpenBSC

	OpenBSC (12/2008)
		get L2ML to work with mISDN
			mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
			learn how the new sockets-based mISDN API works
		come up with an event-driven architecture, single select loop, no threads, ...
		At 25C3:
			add libdbi/sqlite database for "HLR"
			get paging to work, support for configurable network ID
			debugging + stabilization with > 1000 test users ;)
			IMSI + IMEI skimming

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Work at 25C3

	IMSI+IMEI skimming
		very simple:
			phones with automatic network selection pick the strongest network
			they send LOCATION UPDATE REQUEST
			we send IDENTITY REQUEST IMSI + IMEISV
			they send IMSI + IMEISV
			we store this in the database
			and then send LOCATION UPDATE REJECT

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Work at 25C3

	Mobile Originated Call
		once a MS is registered, we can
			dial a number from the MS
			allocate and establish a TCH/F
			deal with the signalling and get into Connect
		unfortunately, the code for handling voice streams is not finished

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Work at 25C3

	Mobile Originated SMS
		once a MS is registered, we can
			send an SMS
			parse + acknowledge SMS PDU data

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Work at 25C3

	The Egypt simulation
		apparently GPS is illegal in mobile phones in Egypt
		"Egypt detection" implemented by checking if any surrounding cells carry the Egypt country code
			phones don't even have to register to our BTS!
		so if we claim to be e.g. MobiNil, phones will shut off their GPS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Other GSM related FOSS

	Other GSM related FOSS
		OpenBTS
			100% Software Defined Radio based on USRP + gnuradio
			implements entire RF + layer 1/2/3 and interfacing to SIP/Asterisk
			much more than just a BTS!!
			some code overlap with OpenBSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Other GSM related FOSS

	THC GSM project
		now converging into airprobe.org
		working on a protocol analyzer / sniffer for the GSM Um air interface
		slow progress, only few people understand the technology
		but it's actually not all that hard, it just needs time and motivation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Links

	OpenBSC
		http://openbsc.gnumonks.org/
	3GPP / ETSI GSM Specs
		http://www.3gpp.org/
	Priv-Doz. Dr.-Ing Joachim Goeller
		http://www2.informatik.hu-berlin.de/~goeller
	THC GSM Wiki
		http://wiki.thc.org/gsm
	OpenBTS
		http://gnuradio.org/trac/wiki/OpenBTS
	Harald's branch of gsm-tvoid, etc
		git://git.gnumonks.org/gsm.git

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FOSS in the Mobile World
Thanks

	Thanks to
		The FSF and Richard Stallman for the GPL
			which e.g. enabled us to get the kernel source for the EZX phones
		Openmoko, Inc. for their work on freeing the mobile world
		The ETSI/3GPP for having all their specifications online
		zecke, alphaone, Stefan for their work on OpenBSC
		W. for his extensive A-bis protocol traces and MA-10
		Netzing AG for funding my OpenBSC work
		Pablo for inviting me to this conference in Seville