0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/722 Thanks! 1 00:00:13,650 --> 00:00:16,109 So the next talk is titled 2 00:00:16,110 --> 00:00:18,479 Dissecting Modern 3G, 3 00:00:18,480 --> 00:00:20,339 4G, Cellular Modems. 4 00:00:20,340 --> 00:00:22,439 This is by Harald 5 00:00:22,440 --> 00:00:24,959 Welte and Holger Freyther. 6 00:00:24,960 --> 00:00:26,249 And that was totally mispronounced. 7 00:00:26,250 --> 00:00:27,300 Sorry about that. 8 00:00:28,770 --> 00:00:30,899 We saw in the previous presentations 9 00:00:30,900 --> 00:00:33,689 on smart cities that there's a lot of IoT 10 00:00:33,690 --> 00:00:35,069 that needs to communicate. 11 00:00:36,480 --> 00:00:39,089 And while there's ZigBee and LoRa 12 00:00:39,090 --> 00:00:41,399 and other protocols, most likely 13 00:00:41,400 --> 00:00:43,139 they're going to fall back on what is 14 00:00:43,140 --> 00:00:44,699 really the tried and proven. 15 00:00:44,700 --> 00:00:47,159 And those are the 3G, 4G modems. 16 00:00:48,900 --> 00:00:51,689 I don't really need to introduce 17 00:00:51,690 --> 00:00:53,309 our speakers today. They're well known 18 00:00:53,310 --> 00:00:55,469 for years and years and years here at 19 00:00:55,470 --> 00:00:56,759 the Congress. 20 00:00:56,760 --> 00:00:58,169 So I'm just going to pass it right over 21 00:00:58,170 --> 00:01:00,389 to them, and have a great 22 00:01:00,390 --> 00:01:01,390 talk. 23 00:01:09,740 --> 00:01:11,479 So today, we're going to talk about 24 00:01:11,480 --> 00:01:13,689 cellular modems. Just to differentiate, 25 00:01:13,690 --> 00:01:15,859 it's not about baseband or baseband 26 00:01:15,860 --> 00:01:17,959 exploitation, it's really about a 27 00:01:17,960 --> 00:01:20,749 GSM module or 3G or 4G module.
28 00:01:20,750 --> 00:01:22,849 Our talk is going to be structured 29 00:01:22,850 --> 00:01:25,009 in a couple of phases. 30 00:01:25,010 --> 00:01:26,989 First of all, our motivation. 31 00:01:28,070 --> 00:01:29,539 Why are we looking into it? 32 00:01:29,540 --> 00:01:30,680 Where are we coming from? 33 00:01:31,790 --> 00:01:33,469 The second part will lead to the history. 34 00:01:33,470 --> 00:01:35,329 What have we done before in terms of 35 00:01:35,330 --> 00:01:37,459 modems? Then we are 36 00:01:37,460 --> 00:01:39,649 looking at how we picked these 37 00:01:39,650 --> 00:01:41,929 modems. We actually looked at then 38 00:01:41,930 --> 00:01:43,849 some things that we actually didn't 39 00:01:43,850 --> 00:01:45,559 expect when looking at it. 40 00:01:46,850 --> 00:01:49,249 Also then looking at the firmware 41 00:01:49,250 --> 00:01:51,409 upgrade mechanism, if there's one, how it 42 00:01:51,410 --> 00:01:53,239 works, what has been done. 43 00:01:53,240 --> 00:01:54,769 And we will finish with our 44 00:01:54,770 --> 00:01:56,269 recommendations and wishes. 45 00:01:59,340 --> 00:02:01,559 First of all, we're implementing 46 00:02:01,560 --> 00:02:03,659 GSM specifications for more than 47 00:02:03,660 --> 00:02:05,279 a decade now. 48 00:02:05,280 --> 00:02:07,049 It started with humble beginnings of 49 00:02:07,050 --> 00:02:09,209 sending AT commands to modems 50 00:02:09,210 --> 00:02:12,359 on mobile devices 51 00:02:12,360 --> 00:02:14,279 to actually working on a free software 52 00:02:14,280 --> 00:02:17,009 smartphone at Openmoko and then 53 00:02:17,010 --> 00:02:18,779 working on OpenBSC and Osmo- 54 00:02:18,780 --> 00:02:21,089 com to implement radio 55 00:02:21,090 --> 00:02:23,489 access network software and core network 56 00:02:23,490 --> 00:02:24,539 software.
57 00:02:24,540 --> 00:02:26,939 And it has been eight years since LaForge 58 00:02:26,940 --> 00:02:29,369 presented about how 59 00:02:29,370 --> 00:02:31,379 modern smartphone hardware looks 60 00:02:31,380 --> 00:02:32,429 like. 61 00:02:32,430 --> 00:02:34,020 It's seven years since we 62 00:02:35,640 --> 00:02:37,889 worked on OsmocomBB to run our 63 00:02:37,890 --> 00:02:39,959 own baseband software on 64 00:02:39,960 --> 00:02:41,999 commercial-grade hardware. 65 00:02:42,000 --> 00:02:44,229 And professionally, 66 00:02:44,230 --> 00:02:46,319 we have worked with M2M devices 67 00:02:46,320 --> 00:02:48,749 and have built M2M devices ourselves 68 00:02:48,750 --> 00:02:50,579 using 2G modems. 69 00:02:50,580 --> 00:02:52,689 And from this point we 70 00:02:52,690 --> 00:02:54,869 started to explore 71 00:02:54,870 --> 00:02:56,999 which kind of device we would use in 72 00:02:57,000 --> 00:02:59,099 modern embedded devices 73 00:02:59,100 --> 00:03:01,439 or M2M or IoT devices 74 00:03:01,440 --> 00:03:04,049 these days for our implementation 75 00:03:04,050 --> 00:03:06,209 of 3G and 4G 76 00:03:06,210 --> 00:03:07,769 network software. 77 00:03:07,770 --> 00:03:09,899 So if you send messages over 78 00:03:09,900 --> 00:03:11,939 the air and you don't get a response, 79 00:03:11,940 --> 00:03:13,109 it's always difficult. 80 00:03:13,110 --> 00:03:15,779 Like, did you encode it correctly, 81 00:03:15,780 --> 00:03:17,849 was it...? And so we looked into having a 82 00:03:17,850 --> 00:03:20,039 device that allows us to get 83 00:03:20,040 --> 00:03:22,349 logging to see if the message arrived 84 00:03:22,350 --> 00:03:23,400 or so. Now we're 85 00:03:24,780 --> 00:03:27,419 even able to extract 86 00:03:27,420 --> 00:03:28,949 traces from it.
87 00:03:28,950 --> 00:03:30,929 And what's also important for us and got 88 00:03:30,930 --> 00:03:33,329 us into Osmocom and OpenBSC 89 00:03:33,330 --> 00:03:35,219 is to build tools to allow others to 90 00:03:35,220 --> 00:03:37,619 understand how cellular technology 91 00:03:37,620 --> 00:03:39,899 works. So while TCP/ 92 00:03:39,900 --> 00:03:42,449 IP might be well known to many of us, 93 00:03:42,450 --> 00:03:44,819 how the IP is actually transmitted 94 00:03:44,820 --> 00:03:46,859 back to the core network and relayed to the 95 00:03:46,860 --> 00:03:48,989 Internet is not that clear, and we want 96 00:03:48,990 --> 00:03:51,179 to make it more visible, and having 97 00:03:51,180 --> 00:03:52,999 technology and tools helps for it. 98 00:03:55,740 --> 00:03:57,899 For a brief moment, picture 99 00:03:57,900 --> 00:04:00,329 yourself trying to build a classic 100 00:04:00,330 --> 00:04:01,379 M2M device. 101 00:04:02,970 --> 00:04:04,589 You might pick a modem because it's 102 00:04:04,590 --> 00:04:06,629 already certified and easy to use, but 103 00:04:06,630 --> 00:04:08,399 you need to run some application code on 104 00:04:08,400 --> 00:04:10,799 it. And the traditional 105 00:04:10,800 --> 00:04:11,939 approach would be to get a 106 00:04:11,940 --> 00:04:14,249 microcontroller or a bigger 107 00:04:14,250 --> 00:04:16,289 processor and connect these two devices 108 00:04:16,290 --> 00:04:17,939 using USB or serial. 109 00:04:19,589 --> 00:04:21,749 But it means that you need to have 110 00:04:21,750 --> 00:04:23,849 a bigger PCB, more power consumption. 111 00:04:23,850 --> 00:04:25,739 So it would be nice if you can run 112 00:04:25,740 --> 00:04:28,229 application software on the modem itself 113 00:04:28,230 --> 00:04:30,839 already.
And one of the 114 00:04:30,840 --> 00:04:32,729 driving factors for it is to reduce the 115 00:04:32,730 --> 00:04:34,949 PCB space, to have a lower power 116 00:04:34,950 --> 00:04:37,049 consumption, to save on the bill 117 00:04:37,050 --> 00:04:39,989 of materials, have fewer components. 118 00:04:39,990 --> 00:04:42,189 And back then, we found something. 119 00:04:42,190 --> 00:04:43,769 It's called Open AT. 120 00:04:43,770 --> 00:04:46,079 It's done by Sierra Wireless. 121 00:04:46,080 --> 00:04:48,119 And mostly it allows you to write C 122 00:04:48,120 --> 00:04:50,669 software, which is then compiled 123 00:04:50,670 --> 00:04:53,159 with their SDK and uploaded to the 124 00:04:53,160 --> 00:04:55,019 modem, and you can start running. 125 00:04:55,020 --> 00:04:57,239 It will be loaded into the real- 126 00:04:57,240 --> 00:04:59,369 time operating system. 127 00:04:59,370 --> 00:05:01,439 It runs as a normal process. 128 00:05:01,440 --> 00:05:03,719 There's no MMU, no privilege separation. 129 00:05:03,720 --> 00:05:05,279 So if your application crashes, the 130 00:05:05,280 --> 00:05:06,449 entire modem will crash. 131 00:05:07,680 --> 00:05:08,729 For debugging, 132 00:05:08,730 --> 00:05:11,849 Sierra Wireless has like nice tools 133 00:05:11,850 --> 00:05:14,129 to get output and send it commands, 134 00:05:14,130 --> 00:05:15,449 logging, debugging. 135 00:05:15,450 --> 00:05:17,159 But the problem with this approach is 136 00:05:17,160 --> 00:05:19,349 that if you build an application and make 137 00:05:19,350 --> 00:05:21,509 it stable, you know so much about this 138 00:05:21,510 --> 00:05:23,849 Open AT stuff that you're mostly locked 139 00:05:23,850 --> 00:05:24,899 into this API. 140 00:05:24,900 --> 00:05:27,119 So your architecture and software 141 00:05:27,120 --> 00:05:29,249 is following 142 00:05:29,250 --> 00:05:31,409 what an Open AT application will look 143 00:05:31,410 --> 00:05:33,839 like.
And then you've spent years 144 00:05:33,840 --> 00:05:35,969 developing an application and suddenly 145 00:05:35,970 --> 00:05:37,889 there's no path for 4G. 146 00:05:37,890 --> 00:05:40,109 So you're locked in, and even your 2G 147 00:05:40,110 --> 00:05:43,199 modems will be discontinued. 148 00:05:43,200 --> 00:05:45,119 So it's a nice platform to get 149 00:05:45,120 --> 00:05:46,949 started, but it's kind of a dead end. 150 00:05:48,150 --> 00:05:50,339 And this brings us to like our modern 151 00:05:50,340 --> 00:05:52,139 requirements of what does a good modem 152 00:05:52,140 --> 00:05:53,140 look like. 153 00:05:54,120 --> 00:05:56,219 And one is we still want to be able to 154 00:05:56,220 --> 00:05:58,439 run our own code in it, and not like 155 00:05:58,440 --> 00:06:00,809 some Python script or some 156 00:06:00,810 --> 00:06:03,089 limited Java, but like our real 157 00:06:03,090 --> 00:06:05,339 C application with 158 00:06:05,340 --> 00:06:07,739 access to the device and no artificial 159 00:06:07,740 --> 00:06:08,939 control. 160 00:06:08,940 --> 00:06:10,979 We don't want to be locked in by a single 161 00:06:10,980 --> 00:06:13,169 modem vendor. So it might be OK to use 162 00:06:13,170 --> 00:06:15,749 a specific chipset, but we don't 163 00:06:15,750 --> 00:06:17,819 want to be forced to follow whatever a 164 00:06:17,820 --> 00:06:19,619 modem supplier wants us to do. 165 00:06:21,590 --> 00:06:23,609 For debugging purposes, 166 00:06:23,610 --> 00:06:25,859 we want to be able to 167 00:06:25,860 --> 00:06:27,839 get log messages to see what the 168 00:06:27,840 --> 00:06:30,299 modem is doing, see 169 00:06:30,300 --> 00:06:32,429 if it's throwing away stuff, debug 170 00:06:32,430 --> 00:06:35,069 output, be able to control it. 171 00:06:35,070 --> 00:06:37,139 And for 3G and 4G development, 172 00:06:37,140 --> 00:06:38,729 we want to be able to see the radio 173 00:06:38,730 --> 00:06:39,899 messages.
174 00:06:39,900 --> 00:06:42,059 And you might know a tool 175 00:06:42,060 --> 00:06:44,129 called xgoldmon that has been written 176 00:06:44,130 --> 00:06:45,629 by Tobias Engel. 177 00:06:45,630 --> 00:06:48,029 It allows you to get tracing 178 00:06:48,030 --> 00:06:50,249 information from Infineon basebands, 179 00:06:50,250 --> 00:06:51,389 but it has some limitations. 180 00:06:51,390 --> 00:06:53,809 So we want something like one for 181 00:06:53,810 --> 00:06:56,279 GPRS, EDGE, UMTS 182 00:06:56,280 --> 00:06:57,280 and LTE. 183 00:06:59,190 --> 00:07:01,469 The modem 184 00:07:01,470 --> 00:07:03,869 market, or generally the cellular market, 185 00:07:03,870 --> 00:07:06,869 is kind of dominated by Qualcomm, 186 00:07:06,870 --> 00:07:09,119 and that's kind of sad by 187 00:07:09,120 --> 00:07:10,109 itself. 188 00:07:10,110 --> 00:07:11,399 But it also means that 189 00:07:13,770 --> 00:07:16,499 if you pick a modem, most likely it runs 190 00:07:16,500 --> 00:07:18,779 or it's based on a Qualcomm chipset. 191 00:07:18,780 --> 00:07:20,999 And Qualcomm is very 192 00:07:21,000 --> 00:07:22,049 close to 193 00:07:23,130 --> 00:07:25,079 what we want from a modem because they 194 00:07:25,080 --> 00:07:27,779 expose something called the DIAG protocol. 195 00:07:27,780 --> 00:07:29,939 And it's also used 196 00:07:29,940 --> 00:07:32,489 in many different Qualcomm products, 197 00:07:32,490 --> 00:07:35,189 from GSM to femtocells. 198 00:07:35,190 --> 00:07:36,869 The first time I personally heard about 199 00:07:36,870 --> 00:07:38,969 it was at 28C3 200 00:07:38,970 --> 00:07:40,889 in a talk by Guillaume Delugré that looked 201 00:07:40,890 --> 00:07:43,259 into the Qualcomm baseband stack, 202 00:07:43,260 --> 00:07:45,389 and the DIAG protocol's 203 00:07:45,390 --> 00:07:46,739 framing is easy. It's very simple.
204 00:07:46,740 --> 00:07:48,869 It's like classic HDLC with 205 00:07:48,870 --> 00:07:51,449 a start and an end marker, 206 00:07:51,450 --> 00:07:53,519 with the command, then some payload 207 00:07:53,520 --> 00:07:54,989 and the checksum. 208 00:07:54,990 --> 00:07:57,419 And it's used for events, 209 00:07:57,420 --> 00:07:59,259 like if your modem is switching a 210 00:07:59,260 --> 00:08:01,739 network you get an event; you can enable 211 00:08:01,740 --> 00:08:02,999 logging and then you get a lot of 212 00:08:03,000 --> 00:08:05,189 textual output; but also 213 00:08:05,190 --> 00:08:06,869 for commands and responses. 214 00:08:06,870 --> 00:08:09,029 So you can send a command 215 00:08:09,030 --> 00:08:11,159 to read a memory address and get 216 00:08:11,160 --> 00:08:13,649 some value from this memory address back. 217 00:08:13,650 --> 00:08:15,869 And literally, there are thousands 218 00:08:15,870 --> 00:08:18,209 of different messages that 219 00:08:18,210 --> 00:08:19,709 can be sent or received. 220 00:08:19,710 --> 00:08:21,539 And in terms of free software 221 00:08:21,540 --> 00:08:24,329 implementations, ModemManager or 222 00:08:24,330 --> 00:08:26,609 gsm-parser only use a fraction 223 00:08:26,610 --> 00:08:28,259 of these available messages. 224 00:08:28,260 --> 00:08:30,269 But it means like the protocol is 225 00:08:30,270 --> 00:08:31,829 something you want to have direct access 226 00:08:31,830 --> 00:08:34,019 to because it allows you to see 227 00:08:34,020 --> 00:08:35,070 what the modem is doing. 228 00:08:36,210 --> 00:08:37,739 And it brings us to the point of 229 00:08:37,740 --> 00:08:39,658 selecting a device that is exposing 230 00:08:39,659 --> 00:08:41,928 DIAG.
And in the past, 231 00:08:41,929 --> 00:08:43,529 the Option iCON stick might have been a 232 00:08:43,530 --> 00:08:44,530 very good 233 00:08:45,990 --> 00:08:48,329 device to use because it's exposing 234 00:08:48,330 --> 00:08:50,759 DIAG on USB out of the box. 235 00:08:50,760 --> 00:08:51,779 But it's kind of old. 236 00:08:51,780 --> 00:08:53,489 It's using old Qualcomm software. 237 00:08:53,490 --> 00:08:54,449 It's limited to 238 00:08:54,450 --> 00:08:56,789 2G and 3G, so we looked into something 239 00:08:56,790 --> 00:08:58,889 more modern, and one of the devices 240 00:08:58,890 --> 00:09:01,229 we found is from a Chinese modem 241 00:09:01,230 --> 00:09:03,329 manufacturer called Quectel, it's the 242 00:09:03,330 --> 00:09:05,579 UC20. It exposes 243 00:09:05,580 --> 00:09:07,949 DIAG out of the box. 244 00:09:07,950 --> 00:09:10,019 It's even documented in their hardware 245 00:09:10,020 --> 00:09:12,629 interface document that it's a diagnostic 246 00:09:12,630 --> 00:09:14,769 interface, but sadly, 247 00:09:14,770 --> 00:09:16,319 it doesn't support LTE. 248 00:09:16,320 --> 00:09:18,449 If you look at a modern device, it 249 00:09:18,450 --> 00:09:20,669 makes sense to not go for 2G and 3G 250 00:09:20,670 --> 00:09:22,739 only, but also have an option to go for 251 00:09:22,740 --> 00:09:24,899 4G. Which brings us to 252 00:09:24,900 --> 00:09:26,549 the EC20. 253 00:09:26,550 --> 00:09:28,739 It looks like the UC- 254 00:09:28,740 --> 00:09:30,509 20, but it has LTE.
255 00:09:30,510 --> 00:09:32,400 So that sounded quite nice 256 00:09:34,020 --> 00:09:36,029 for building a product that can be 257 00:09:36,030 --> 00:09:39,059 soldered to your PCB, but 258 00:09:39,060 --> 00:09:41,399 for development purposes, they also offer 259 00:09:41,400 --> 00:09:43,919 it in a mini PCI Express form factor, 260 00:09:43,920 --> 00:09:46,259 so you can just plug it into one of your 261 00:09:46,260 --> 00:09:48,899 devices that might already have mini PCI 262 00:09:48,900 --> 00:09:51,089 Express. So we picked the 263 00:09:51,090 --> 00:09:53,049 EC20 as like a module 264 00:09:53,050 --> 00:09:55,049 we want to look at, and once we started 265 00:09:55,050 --> 00:09:57,809 to look, it has like a Qualcomm 266 00:09:57,810 --> 00:10:00,599 MDM9615 chipset, 267 00:10:00,600 --> 00:10:02,639 which surprisingly is also used in the 268 00:10:02,640 --> 00:10:04,889 iPhone 5. 269 00:10:04,890 --> 00:10:07,019 But beyond that, there's not a lot of 270 00:10:07,020 --> 00:10:09,659 documentation of what it has. 271 00:10:09,660 --> 00:10:11,639 Which brings us to the unexpected 272 00:10:11,640 --> 00:10:13,829 surprise. So after I got 273 00:10:13,830 --> 00:10:16,019 hold of it, I used the AT 274 00:10:16,020 --> 00:10:18,179 command interface just to play 275 00:10:18,180 --> 00:10:20,009 with it, to see if my application could 276 00:10:20,010 --> 00:10:22,199 do what it wants, and it was 277 00:10:22,200 --> 00:10:23,669 hanging like after a day. 278 00:10:23,670 --> 00:10:26,249 And I got involved with the 279 00:10:26,250 --> 00:10:28,349 supplier of the modem and they gave me 280 00:10:28,350 --> 00:10:31,259 a firmware update, which was a zip file.
281 00:10:31,260 --> 00:10:34,229 And I unpacked it and 282 00:10:34,230 --> 00:10:36,659 the files in there looked awfully like 283 00:10:36,660 --> 00:10:38,939 a Linux system, which is: 284 00:10:38,940 --> 00:10:41,069 why would my modem have a Linux system in 285 00:10:41,070 --> 00:10:43,889 it? But maybe I'm just mistaking 286 00:10:43,890 --> 00:10:46,079 it. And then they have a flash 287 00:10:46,080 --> 00:10:48,149 tool and it looks like the flash tool of 288 00:10:48,150 --> 00:10:50,119 Android, which is fastboot, but like, OK, 289 00:10:50,120 --> 00:10:52,110 maybe it's a coincidence, or 290 00:10:54,060 --> 00:10:55,739 it was just convenient to use it. 291 00:10:55,740 --> 00:10:57,689 But actually other people have already 292 00:10:57,690 --> 00:11:00,299 seen that, like, the MDM 293 00:11:00,300 --> 00:11:02,519 9615 runs Linux on it, like 294 00:11:02,520 --> 00:11:05,369 I see DEF CON 26 by Mickey 295 00:11:05,370 --> 00:11:06,370 Shkatov. 296 00:11:07,110 --> 00:11:09,749 So apparently it runs Linux 297 00:11:09,750 --> 00:11:12,149 on your modem. 298 00:11:12,150 --> 00:11:13,979 And the question is why, why would it 299 00:11:13,980 --> 00:11:14,939 even run Linux? 300 00:11:14,940 --> 00:11:17,009 Because Qualcomm is known to have 301 00:11:17,010 --> 00:11:19,439 put the IP stack into the modem 302 00:11:19,440 --> 00:11:21,749 itself. 303 00:11:21,750 --> 00:11:23,190 Why would they stop doing it? 304 00:11:24,210 --> 00:11:26,449 It didn't really make sense. 305 00:11:26,450 --> 00:11:28,559 So we started to look at 306 00:11:28,560 --> 00:11:30,539 it. And also there is almost no 307 00:11:30,540 --> 00:11:32,399 information that Linux actually runs on 308 00:11:32,400 --> 00:11:33,719 this device. 309 00:11:33,720 --> 00:11:34,720 Um.
310 00:11:35,640 --> 00:11:37,529 Which means no written offer. 311 00:11:39,060 --> 00:11:41,549 So I used the usual tools 312 00:11:41,550 --> 00:11:43,889 to unpack the EC20 flash 313 00:11:43,890 --> 00:11:45,989 filesystem. It really 314 00:11:45,990 --> 00:11:48,329 looks like Linux, and 315 00:11:48,330 --> 00:11:50,309 I started to look at some of the binaries 316 00:11:50,310 --> 00:11:52,409 that are not standard, but 317 00:11:52,410 --> 00:11:54,599 Quectel or Qualcomm specific. 318 00:11:54,600 --> 00:11:56,369 And you see funny strings that look like 319 00:11:56,370 --> 00:11:58,439 AT commands, but like AT+ 320 00:11:58,440 --> 00:12:00,509 QLINUXCMD. 321 00:12:00,510 --> 00:12:01,510 What would it do? 322 00:12:03,540 --> 00:12:05,699 And at this point, we started to 323 00:12:05,700 --> 00:12:07,799 explore the technicalities of 324 00:12:07,800 --> 00:12:09,209 what this platform is really looking 325 00:12:09,210 --> 00:12:11,249 like, but also from a legal point of 326 00:12:11,250 --> 00:12:13,589 view, like, can we please get the source 327 00:12:13,590 --> 00:12:15,239 code? Can you please put a written offer 328 00:12:15,240 --> 00:12:17,369 in it? And at this point, I hand 329 00:12:17,370 --> 00:12:18,370 over to LaForge. 330 00:12:19,710 --> 00:12:21,179 Yeah, so. 331 00:12:26,990 --> 00:12:29,059 Yeah, so as a lucky coincidence, I have 332 00:12:29,060 --> 00:12:31,189 been doing some GPL enforcement in 333 00:12:31,190 --> 00:12:33,470 the past as well.
334 00:12:36,390 --> 00:12:38,639 OK, but first, we started 335 00:12:38,640 --> 00:12:40,889 to look a bit at the hardware and, well, 336 00:12:40,890 --> 00:12:42,779 if you're doing hardware anyway 337 00:12:42,780 --> 00:12:45,169 professionally and you have all 338 00:12:45,170 --> 00:12:46,919 the tools and the process and your 339 00:12:46,920 --> 00:12:48,329 partners for assembly and so on and so 340 00:12:48,330 --> 00:12:49,949 on, why not just do a couple of boards to 341 00:12:49,950 --> 00:12:51,809 help you with the task at hand? 342 00:12:51,810 --> 00:12:54,299 So many of the mini PCI Express modules 343 00:12:54,300 --> 00:12:56,949 that you can find for cellular modems, 344 00:12:56,950 --> 00:12:58,979 um, they have additional signals on 345 00:12:58,980 --> 00:13:01,229 undocumented pins of the mini 346 00:13:01,230 --> 00:13:03,719 PCI Express connector, like PCM 347 00:13:03,720 --> 00:13:06,689 audio or even others and so on. 348 00:13:06,690 --> 00:13:08,489 And while, of course, if you just put the 349 00:13:08,490 --> 00:13:11,009 modem in a regular PC mainboard 350 00:13:11,010 --> 00:13:13,589 or an embedded device, those signals, 351 00:13:13,590 --> 00:13:15,029 they don't terminate anywhere, they're 352 00:13:15,030 --> 00:13:17,519 just not used on the slot side. 353 00:13:17,520 --> 00:13:19,709 And soldering wires to 354 00:13:19,710 --> 00:13:21,689 the pitch of a mini PCI Express board is 355 00:13:21,690 --> 00:13:23,069 not very convenient. 356 00:13:23,070 --> 00:13:25,629 So I created what we call a 357 00:13:25,630 --> 00:13:27,779 breakout board, and you can 358 00:13:27,780 --> 00:13:29,219 see a picture of that. It's an open hardware 359 00:13:29,220 --> 00:13:30,779 project, schematics and everything. 360 00:13:30,780 --> 00:13:32,399 Design files have been published.
361 00:13:32,400 --> 00:13:34,319 So you have this connector on the right- 362 00:13:34,320 --> 00:13:36,119 hand side which exposes all these extra 363 00:13:36,120 --> 00:13:38,249 signals, so you can actually 364 00:13:38,250 --> 00:13:40,499 easily access the various 365 00:13:40,500 --> 00:13:42,179 undocumented signals. 366 00:13:42,180 --> 00:13:44,429 So the EC20 solder-down 367 00:13:44,430 --> 00:13:46,679 module documents there are 368 00:13:46,680 --> 00:13:48,539 debug UART pins, which are not the 369 00:13:48,540 --> 00:13:50,159 normal UART pins on which you speak 370 00:13:50,160 --> 00:13:52,529 AT commands, but an additional UART. 371 00:13:52,530 --> 00:13:54,239 But it seems like not all modules have it 372 00:13:54,240 --> 00:13:56,009 enabled. So we bought modules from three 373 00:13:56,010 --> 00:13:56,909 different suppliers. 374 00:13:56,910 --> 00:13:58,619 They all have different firmware versions 375 00:13:58,620 --> 00:14:01,259 and different, uh, 376 00:14:01,260 --> 00:14:02,249 configurations. 377 00:14:02,250 --> 00:14:03,629 And some of them have it enabled, some 378 00:14:03,630 --> 00:14:06,029 not. But those that had it enabled 379 00:14:06,030 --> 00:14:07,649 have it at 1.8 volts. 380 00:14:07,650 --> 00:14:09,239 But, how can I say, 381 00:14:10,350 --> 00:14:12,419 uh, in their 382 00:14:12,420 --> 00:14:14,429 wisdom, the designers decided not to 383 00:14:14,430 --> 00:14:16,259 expose the 1.8 volt voltage 384 00:14:16,260 --> 00:14:17,819 rail on any of the other pins of the 385 00:14:17,820 --> 00:14:20,099 modem. So you have external voltages 386 00:14:20,100 --> 00:14:21,959 of three, uh, 3.6 volts, 387 00:14:21,960 --> 00:14:23,309 2.3 volts and so on, but not 388 00:14:23,310 --> 00:14:24,299 1.8 volts.
389 00:14:24,300 --> 00:14:26,429 And since in previous projects, whenever 390 00:14:26,430 --> 00:14:28,439 I needed to attach to a UART 391 00:14:28,440 --> 00:14:30,929 of an embedded device, I built another 392 00:14:30,930 --> 00:14:32,909 level shifter for a specific voltage, I 393 00:14:32,910 --> 00:14:34,799 already had built for 2.8, 2.5, 394 00:14:34,800 --> 00:14:37,499 2.3 volts before, 395 00:14:37,500 --> 00:14:39,479 I decided, OK, let's do a board that is a 396 00:14:39,480 --> 00:14:40,829 multi-voltage UART, so you can 397 00:14:40,830 --> 00:14:42,389 actually select the voltage of your 398 00:14:42,390 --> 00:14:45,119 UART with a small, uh, rotary switch 399 00:14:45,120 --> 00:14:47,429 and connect to the 400 00:14:47,430 --> 00:14:48,929 serial ports of various devices. 401 00:14:48,930 --> 00:14:50,309 And that's what's here. It's also another 402 00:14:50,310 --> 00:14:51,559 open hardware project at Osmocom. 403 00:14:53,130 --> 00:14:54,609 Yeah. And then you attach to the serial 404 00:14:54,610 --> 00:14:57,779 port and you get a Linux login prompt. 405 00:14:57,780 --> 00:14:59,999 And interestingly, if you 406 00:15:00,000 --> 00:15:01,979 look at the firmware update file that 407 00:15:01,980 --> 00:15:04,409 Holger just mentioned, it contains, 408 00:15:04,410 --> 00:15:06,989 of course, the password file, and 409 00:15:06,990 --> 00:15:08,819 there is only a hash. 410 00:15:08,820 --> 00:15:10,409 And if you do a little bit of password 411 00:15:10,410 --> 00:15:11,939 cracking, you see it's only 412 00:15:11,940 --> 00:15:14,279 "oelinux123" that is the root password 413 00:15:14,280 --> 00:15:15,280 of the device.
414 00:15:19,830 --> 00:15:22,169 So by now, we were 250 percent 415 00:15:22,170 --> 00:15:24,469 sure that there is... that 416 00:15:24,470 --> 00:15:25,830 this is a Linux device. 417 00:15:27,080 --> 00:15:29,369 And this, by the way, is how the full 418 00:15:29,370 --> 00:15:31,169 setup looks like. You can see I soldered 419 00:15:31,170 --> 00:15:32,699 a small additional three-pin connector to get 420 00:15:32,700 --> 00:15:33,929 access to the UART 421 00:15:34,950 --> 00:15:36,269 on this module. 422 00:15:36,270 --> 00:15:38,429 And that's the way we could start 423 00:15:38,430 --> 00:15:39,479 to explore it further. 424 00:15:39,480 --> 00:15:41,549 So, OK, this brings us to the topic 425 00:15:41,550 --> 00:15:42,989 of, well, where can we find the source 426 00:15:42,990 --> 00:15:44,279 code? The module didn't ship with a 427 00:15:44,280 --> 00:15:45,419 written offer. It didn't ship with a 428 00:15:45,420 --> 00:15:47,459 license text. It didn't include source 429 00:15:47,460 --> 00:15:49,109 code. It didn't even mention that Linux 430 00:15:49,110 --> 00:15:51,479 or other GPL-licensed software was used. 431 00:15:51,480 --> 00:15:53,849 So while digging around, 432 00:15:53,850 --> 00:15:55,199 the official supplier of it, the 433 00:15:55,200 --> 00:15:56,909 manufacturer, didn't release 434 00:15:56,910 --> 00:15:58,259 anything, didn't provide any such 435 00:15:58,260 --> 00:16:00,419 information. We were looking a bit around 436 00:16:00,420 --> 00:16:02,339 because, I mean, it's likely that other 437 00:16:02,340 --> 00:16:03,479 devices do the same. 438 00:16:03,480 --> 00:16:05,789 And we found that actually Qualcomm 439 00:16:05,790 --> 00:16:08,699 is publishing a complete 440 00:16:08,700 --> 00:16:11,039 OpenEmbedded build system 441 00:16:11,040 --> 00:16:13,199 for building Linux for those modem 442 00:16:13,200 --> 00:16:14,099 chipsets.
443 00:16:14,100 --> 00:16:15,959 So this includes the OpenEmbedded 444 00:16:15,960 --> 00:16:19,049 meta layers, the kernel, the bootloader 445 00:16:19,050 --> 00:16:21,719 and various other bits and pieces. 446 00:16:21,720 --> 00:16:24,569 And it's almost completely undocumented. 447 00:16:24,570 --> 00:16:26,819 Basically some READMEs, and you can poke 448 00:16:26,820 --> 00:16:29,309 around them, but there's not really 449 00:16:30,450 --> 00:16:31,979 a documentation on how to use it. 450 00:16:31,980 --> 00:16:34,199 And well, if you look at the 451 00:16:34,200 --> 00:16:36,239 entry-level website of this open source 452 00:16:36,240 --> 00:16:38,159 project from Qualcomm, which is called 453 00:16:38,160 --> 00:16:40,319 Code Aurora, well, there are like literally 454 00:16:40,320 --> 00:16:42,209 hundreds of branches and tags and you 455 00:16:42,210 --> 00:16:43,889 don't really know what to use for what. 456 00:16:43,890 --> 00:16:45,769 And they say, well, this is one example, 457 00:16:45,770 --> 00:16:47,189 the version that you can build. 458 00:16:47,190 --> 00:16:49,499 And then somebody, I think years ago, 459 00:16:49,500 --> 00:16:51,359 posted: well, I tried your instructions, 460 00:16:51,360 --> 00:16:53,249 but, well, it doesn't compile. 461 00:16:53,250 --> 00:16:54,539 I'm facing some issues. And of course, 462 00:16:54,540 --> 00:16:55,979 nobody ever responds because, 463 00:16:55,980 --> 00:16:57,450 well, you know, um, 464 00:16:58,680 --> 00:16:59,849 why would they ever respond? 465 00:16:59,850 --> 00:17:01,409 But anyway, it's public. 466 00:17:01,410 --> 00:17:03,479 And on that website, you can find it 467 00:17:03,480 --> 00:17:04,809 and you can start building. 468 00:17:04,810 --> 00:17:06,299 So we started building that. 469 00:17:06,300 --> 00:17:07,858 Of course, we also ran into the 470 00:17:07,859 --> 00:17:08,789 issues that it didn't build.
471 00:17:08,790 --> 00:17:10,499 But anyway, in the end, we managed to 472 00:17:10,500 --> 00:17:11,759 build some of the code. 473 00:17:11,760 --> 00:17:13,019 And meanwhile, we were talking to the 474 00:17:13,020 --> 00:17:15,328 manufacturer of the modem and 475 00:17:15,329 --> 00:17:16,439 asking them for the complete and 476 00:17:16,440 --> 00:17:17,699 corresponding source code. 477 00:17:17,700 --> 00:17:19,049 And then what they sent is the complete 478 00:17:19,050 --> 00:17:20,429 and corresponding source code to the 479 00:17:20,430 --> 00:17:22,108 firmware update tool that you run on your 480 00:17:22,109 --> 00:17:24,299 PC, which we didn't ask for 481 00:17:24,300 --> 00:17:25,649 and which was not GPL-licensed. 482 00:17:25,650 --> 00:17:26,999 We still received the source code. 483 00:17:27,000 --> 00:17:28,000 OK, nice. 484 00:17:35,180 --> 00:17:36,709 It's good. At that point we could 485 00:17:36,710 --> 00:17:38,809 understand how the different protocol 486 00:17:38,810 --> 00:17:42,109 works towards the modem, um, 487 00:17:42,110 --> 00:17:43,639 and then, when you ask again for the 488 00:17:43,640 --> 00:17:45,019 complete and corresponding source code, 489 00:17:45,020 --> 00:17:47,029 they say: oh, we have never been... By the way, 490 00:17:47,030 --> 00:17:49,129 all the typos and grammar issues 491 00:17:49,130 --> 00:17:50,839 are not introduced by us. 492 00:17:50,840 --> 00:17:52,549 So: we have never been in a legal dispute. 493 00:17:52,550 --> 00:17:54,049 And we always make sure to understand 494 00:17:54,050 --> 00:17:55,759 intellectual property rights ahead of 495 00:17:55,760 --> 00:17:57,229 using technology belonging to a third 496 00:17:57,230 --> 00:17:59,329 party. Well, clearly, they did not in 497 00:17:59,330 --> 00:18:00,859 the Linux case. And then they sent us 498 00:18:00,860 --> 00:18:01,789 this nice little letter. 499 00:18:01,790 --> 00:18:03,049 This is an excerpt from it.
500 00:18:03,050 --> 00:18:05,209 And it's like: we always 501 00:18:05,210 --> 00:18:06,679 respect the importance of intellectual 502 00:18:06,680 --> 00:18:07,909 property rights and laws. 503 00:18:07,910 --> 00:18:10,339 And we actively engage with known 504 00:18:10,340 --> 00:18:12,079 essential intellectual property rights 505 00:18:12,080 --> 00:18:14,389 owners. Apparently, the copyright 506 00:18:14,390 --> 00:18:16,159 owners of Linux and other free software 507 00:18:16,160 --> 00:18:18,729 are not essential, 508 00:18:18,730 --> 00:18:21,109 and so on, in order to 509 00:18:22,310 --> 00:18:23,599 be compliant with the right. So then you 510 00:18:23,600 --> 00:18:25,129 ask again and you ask again. 511 00:18:25,130 --> 00:18:26,809 So you see why we always ask the same 512 00:18:26,810 --> 00:18:28,339 question. And it's like, oh, we 513 00:18:28,340 --> 00:18:30,349 appreciate the efforts. 514 00:18:30,350 --> 00:18:32,749 This was to the lawyer of the 515 00:18:32,750 --> 00:18:34,369 "iptable" project. 516 00:18:34,370 --> 00:18:35,929 They missed the fact that it's multiple 517 00:18:35,930 --> 00:18:37,849 tables, with singular. 518 00:18:37,850 --> 00:18:39,919 But anyway, well, then your 519 00:18:39,920 --> 00:18:42,019 client doesn't have the right 520 00:18:42,020 --> 00:18:43,379 to enforce a copyright. 521 00:18:43,380 --> 00:18:45,379 It's like, OK, that's new to me. 522 00:18:45,380 --> 00:18:47,629 And they 523 00:18:47,630 --> 00:18:49,759 claimed that I had transferred 524 00:18:49,760 --> 00:18:50,869 my copyright to the Free Software 525 00:18:50,870 --> 00:18:53,359 Foundation, which I never did, and which 526 00:18:53,360 --> 00:18:55,639 nobody, I think... or this is highly unusual 527 00:18:55,640 --> 00:18:57,109 if you work on Linux kernel code, to do 528 00:18:57,110 --> 00:18:57,889 so. 529 00:18:57,890 --> 00:18:59,809 So I did not have copyright. 530 00:18:59,810 --> 00:19:01,669 OK, anyway.
531 00:19:01,670 --> 00:19:04,189 Sorry, sorry. My mistake. They always 532 00:19:04,190 --> 00:19:05,599 respect intellectual property rights. 533 00:19:05,600 --> 00:19:06,600 Of course. 534 00:19:07,160 --> 00:19:09,139 OK, so still no source code. Then we ask 535 00:19:09,140 --> 00:19:11,299 again, and asking, well, and: thank 536 00:19:11,300 --> 00:19:13,019 you for your detailed explanations, 537 00:19:14,360 --> 00:19:16,429 we will provide a tarball, and 538 00:19:16,430 --> 00:19:18,699 then: always willing to achieve 539 00:19:18,700 --> 00:19:20,779 GPL compliance and so on 540 00:19:20,780 --> 00:19:22,489 and so on. And then another month or so 541 00:19:22,490 --> 00:19:25,309 passes and then 542 00:19:25,310 --> 00:19:27,349 I finally... well, we do some legal 543 00:19:27,350 --> 00:19:28,939 enforcement, we do some warning notices 544 00:19:28,940 --> 00:19:29,959 and so on. 545 00:19:29,960 --> 00:19:32,179 And then: we 546 00:19:32,180 --> 00:19:33,889 are not perfect and we cannot construct a 547 00:19:33,890 --> 00:19:36,019 perfect website, which I never requested. 548 00:19:36,020 --> 00:19:37,430 We just wanted the source code. 549 00:19:38,790 --> 00:19:40,849 And then, well, you get 550 00:19:40,850 --> 00:19:43,219 some source code and it doesn't build, 551 00:19:43,220 --> 00:19:45,169 and then you say, well, there is a header 552 00:19:45,170 --> 00:19:46,879 file missing. And by coincidence, it's a 553 00:19:46,880 --> 00:19:48,139 header file that I wrote. 554 00:19:48,140 --> 00:19:49,819 I don't know if that is unintentional. 555 00:19:49,820 --> 00:19:51,950 I mean, how many times did I write?
556 00:19:58,080 --> 00:19:59,939 And if you know iptables, there is a 557 00:19:59,940 --> 00:20:01,859 match for the differentiated services 558 00:20:01,860 --> 00:20:03,659 code point, DSCP, using the IP 559 00:20:03,660 --> 00:20:05,429 header, and that has a header file, which 560 00:20:05,430 --> 00:20:07,559 is like eight lines of 561 00:20:07,560 --> 00:20:09,119 boilerplate definitions. 562 00:20:09,120 --> 00:20:10,049 And this was missing. 563 00:20:10,050 --> 00:20:11,339 And there's an: oh, we don't have this 564 00:20:11,340 --> 00:20:13,169 file. And Qualcomm also doesn't have this 565 00:20:13,170 --> 00:20:14,729 file. And Qualcomm never provided this 566 00:20:14,730 --> 00:20:15,959 file to us. 567 00:20:15,960 --> 00:20:17,819 I mean, it's in the public repositories 568 00:20:17,820 --> 00:20:19,999 that Qualcomm hosts on 569 00:20:20,000 --> 00:20:22,079 CodeAurora, and the kernel doesn't 570 00:20:22,080 --> 00:20:23,579 build without those files. 571 00:20:23,580 --> 00:20:25,469 And then, by the way: we will not discuss 572 00:20:25,470 --> 00:20:27,330 compiling issues by email anymore. 573 00:20:29,760 --> 00:20:32,039 OK, then some more time. It 574 00:20:32,040 --> 00:20:32,909 gets more and more. 575 00:20:32,910 --> 00:20:34,469 Then you get individual files in 576 00:20:34,470 --> 00:20:36,629 individual emails and you put those files 577 00:20:36,630 --> 00:20:37,769 in your kernel source tree 578 00:20:39,100 --> 00:20:41,459 and then you see that 579 00:20:41,460 --> 00:20:43,229 the scripts in the kernel have missing 580 00:20:43,230 --> 00:20:45,269 executable bits, but certain C files 581 00:20:45,270 --> 00:20:47,460 suddenly have executable bits, and 582 00:20:48,480 --> 00:20:50,309 then another file is missing and so on 583 00:20:50,310 --> 00:20:52,109 and so on. But by now we have received 584 00:20:52,110 --> 00:20:53,519 various source code tarballs.
585 00:20:53,520 --> 00:20:55,589 They interestingly contain 586 00:20:55,590 --> 00:20:57,869 not only the GPL/LGPL code, but also 587 00:20:57,870 --> 00:20:59,969 other code with like BSD 588 00:20:59,970 --> 00:21:01,739 type or Apache type licenses where they 589 00:21:01,740 --> 00:21:03,419 wouldn't have to release it, which is 590 00:21:03,420 --> 00:21:04,859 good. And they did this intentionally. 591 00:21:04,860 --> 00:21:06,959 And I think it's a very nice 592 00:21:06,960 --> 00:21:09,059 sign of them that they don't release only 593 00:21:09,060 --> 00:21:11,519 what they have to, but they release more 594 00:21:11,520 --> 00:21:12,599 for the ease of it. 595 00:21:12,600 --> 00:21:14,279 It's still not license compliant. 596 00:21:14,280 --> 00:21:16,019 There is no BusyBox source code included. 597 00:21:16,020 --> 00:21:17,489 For example, not that BusyBox would 598 00:21:17,490 --> 00:21:19,199 ever have done any GPL enforcement in the 599 00:21:19,200 --> 00:21:22,019 past and... 600 00:21:22,020 --> 00:21:24,149 Well, but that's not 601 00:21:24,150 --> 00:21:25,859 my primary concern. 602 00:21:25,860 --> 00:21:27,929 And I think it's 603 00:21:27,930 --> 00:21:29,099 getting there and it works. 604 00:21:29,100 --> 00:21:30,419 I've learned you can use the source code 605 00:21:30,420 --> 00:21:31,349 that they release. 606 00:21:31,350 --> 00:21:33,119 Interestingly, there's other modem 607 00:21:33,120 --> 00:21:35,309 manufacturers like Sierra Wireless, 608 00:21:35,310 --> 00:21:37,379 which are also building 609 00:21:37,380 --> 00:21:39,749 modems on such Qualcomm 610 00:21:39,750 --> 00:21:42,029 systems, and 611 00:21:42,030 --> 00:21:44,309 they release not only the source 612 00:21:44,310 --> 00:21:45,929 code, but extensive documentation.
613 00:21:45,930 --> 00:21:47,609 So this is a small excerpt from a 614 00:21:47,610 --> 00:21:49,199 screenshot where you can actually... 615 00:21:49,200 --> 00:21:50,939 they describe how to build it with 616 00:21:50,940 --> 00:21:52,169 OpenEmbedded, they describe how to use 617 00:21:52,170 --> 00:21:53,879 fastboot to install the firmware on the 618 00:21:53,880 --> 00:21:55,559 module and so on and so on. 619 00:21:55,560 --> 00:21:57,629 However, as good as they are 620 00:21:57,630 --> 00:21:58,949 on the open source side, they try to 621 00:21:58,950 --> 00:22:00,629 lure customers into a proprietary 622 00:22:00,630 --> 00:22:02,519 framework like that, that was open in the 623 00:22:02,520 --> 00:22:04,469 past and that, well, again, would result 624 00:22:04,470 --> 00:22:05,279 in vendor lock-in. 625 00:22:05,280 --> 00:22:06,329 So it's not really 626 00:22:07,500 --> 00:22:09,599 recommended, or I think a smart 627 00:22:09,600 --> 00:22:11,729 move, to go ahead that way. 628 00:22:11,730 --> 00:22:13,829 And with that, I'm going to hand back 629 00:22:13,830 --> 00:22:16,289 to Holger before returning 630 00:22:16,290 --> 00:22:17,290 later. 631 00:22:25,040 --> 00:22:27,249 We're going to very briefly look at the 632 00:22:27,250 --> 00:22:28,279 hardware. 633 00:22:28,280 --> 00:22:30,499 It's the Qualcomm MDM chips that I've 634 00:22:30,500 --> 00:22:32,689 already mentioned, also in iPhones, 635 00:22:32,690 --> 00:22:34,759 and it turns out maybe in your 636 00:22:34,760 --> 00:22:35,760 future car, 637 00:22:37,070 --> 00:22:39,079 at least right now it's the modems from 638 00:22:39,080 --> 00:22:41,299 Intel inside of Sierra Wireless, 639 00:22:41,300 --> 00:22:43,429 but certainly from a free software point 640 00:22:43,430 --> 00:22:45,349 of view, like, it runs Linux.
641 00:22:45,350 --> 00:22:47,239 It talks to the hardware, but there is 642 00:22:47,240 --> 00:22:49,969 absolutely no documentation 643 00:22:49,970 --> 00:22:52,999 of this hardware on the Internet. 644 00:22:53,000 --> 00:22:55,099 Like, even on other websites, 645 00:22:55,100 --> 00:22:57,889 nothing, because 646 00:22:57,890 --> 00:23:00,049 it brings us to the hardware overview, so 647 00:23:00,050 --> 00:23:01,099 we know there's a 648 00:23:02,150 --> 00:23:04,339 processor inside, probably a Hexagon, 649 00:23:04,340 --> 00:23:05,420 connected somehow. 650 00:23:07,150 --> 00:23:09,279 Nothing. So that's very frustrating to 651 00:23:09,280 --> 00:23:11,769 have spent many years on free software, 652 00:23:11,770 --> 00:23:13,899 to see Linux winning, even getting into 653 00:23:13,900 --> 00:23:16,209 the modem devices, but 654 00:23:16,210 --> 00:23:17,949 no hardware documentation being 655 00:23:17,950 --> 00:23:20,199 available, not even a block diagram. 656 00:23:20,200 --> 00:23:21,549 All right. You have to... 657 00:23:21,550 --> 00:23:23,619 And not even a block diagram here. 658 00:23:23,620 --> 00:23:24,620 So nothing. 659 00:23:26,410 --> 00:23:27,969 Let's look at the software part and 660 00:23:27,970 --> 00:23:30,099 explore this system from a software 661 00:23:30,100 --> 00:23:31,100 point of view. 662 00:23:32,120 --> 00:23:34,089 The photo has shown how to get a serial 663 00:23:34,090 --> 00:23:36,309 console on it, but not every modem has it 664 00:23:36,310 --> 00:23:38,709 enabled. And we didn't 665 00:23:38,710 --> 00:23:40,929 look at what it takes to enable 666 00:23:40,930 --> 00:23:43,329 it. And also soldering is not 667 00:23:43,330 --> 00:23:45,789 that nice. So we explored 668 00:23:45,790 --> 00:23:48,159 the easy route to the root system: 669 00:23:48,160 --> 00:23:50,979 it runs an Android Debug 670 00:23:50,980 --> 00:23:53,319 Bridge.
So if you have used Android 671 00:23:53,320 --> 00:23:55,539 or adb, "adb shell" should give you a shell. 672 00:23:55,540 --> 00:23:57,849 And nicely, we have already seen 673 00:23:57,850 --> 00:24:00,489 the AT+Q commands to execute 674 00:24:00,490 --> 00:24:02,019 something on the device. 675 00:24:02,020 --> 00:24:03,969 And we found a script that is 676 00:24:03,970 --> 00:24:06,129 reconfiguring the Android USB 677 00:24:06,130 --> 00:24:08,479 gadgets to actually put 678 00:24:08,480 --> 00:24:10,299 adb in it as well. 679 00:24:10,300 --> 00:24:12,429 So let's try to execute the AT 680 00:24:12,430 --> 00:24:14,589 commands, and then 681 00:24:14,590 --> 00:24:16,299 suddenly the serials on your host 682 00:24:16,300 --> 00:24:19,599 Linux don't work anymore, because 683 00:24:19,600 --> 00:24:21,789 the qcserial kernel module 684 00:24:21,790 --> 00:24:23,859 is written... 685 00:24:23,860 --> 00:24:25,839 It's matching a device based on the 686 00:24:25,840 --> 00:24:26,979 number of interfaces. 687 00:24:26,980 --> 00:24:29,049 And if you added adb to it, 688 00:24:29,050 --> 00:24:30,759 you suddenly don't have four interfaces 689 00:24:30,760 --> 00:24:32,739 but five interfaces, and your 690 00:24:32,740 --> 00:24:34,409 driver cannot identify the device. 691 00:24:34,410 --> 00:24:36,699 So we had to first hack it a bit, 692 00:24:36,700 --> 00:24:39,009 and LaForge has made a more clean patch 693 00:24:39,010 --> 00:24:40,359 to actually get it. 694 00:24:40,360 --> 00:24:42,519 But after a small experience, we 695 00:24:42,520 --> 00:24:44,379 have adb shell on it. 696 00:24:44,380 --> 00:24:46,569 It works on any module, 697 00:24:46,570 --> 00:24:46,989 but yeah. 698 00:24:46,990 --> 00:24:49,419 And the shell is root, of course. 699 00:24:49,420 --> 00:24:51,219 I mean, so you don't even need the 700 00:24:51,220 --> 00:24:53,019 device.
It's like you get root 701 00:24:53,020 --> 00:24:54,909 immediately, so there's no lock-down as 702 00:24:54,910 --> 00:24:55,489 well. 703 00:24:55,490 --> 00:24:58,149 It's root. 704 00:24:58,150 --> 00:25:00,279 Just a very nice and 705 00:25:00,280 --> 00:25:01,359 open Linux system. 706 00:25:02,920 --> 00:25:05,179 To build it, it's 707 00:25:05,180 --> 00:25:07,419 a bit odd that it has a bootloader 708 00:25:07,420 --> 00:25:09,099 as it seems to be proprietary. 709 00:25:09,100 --> 00:25:11,199 Then it has the Android bootloader and 710 00:25:11,200 --> 00:25:13,299 Android Linux kernel, 711 00:25:13,300 --> 00:25:15,159 the Android debug, which we've mentioned. 712 00:25:15,160 --> 00:25:17,259 But surprisingly, it's not using the rest 713 00:25:17,260 --> 00:25:19,599 of the Android system, but it has a 714 00:25:19,600 --> 00:25:22,029 libc with BusyBox, SysV init 715 00:25:22,030 --> 00:25:23,169 in it. 716 00:25:23,170 --> 00:25:26,289 So it's a very classic OpenEmbedded 717 00:25:26,290 --> 00:25:28,449 build and it's actively developed 718 00:25:28,450 --> 00:25:29,769 and maintained by Qualcomm. 719 00:25:29,770 --> 00:25:31,299 But they make so many releases, you 720 00:25:31,300 --> 00:25:32,759 actually don't know which one to pick. 721 00:25:32,760 --> 00:25:35,050 It's a bit of a zoo. 722 00:25:36,250 --> 00:25:38,349 Yeah. And then you start to look a 723 00:25:38,350 --> 00:25:40,329 bit at the kernel that is released. 724 00:25:40,330 --> 00:25:43,269 And luckily and interestingly, and 725 00:25:43,270 --> 00:25:45,459 to my pleasant surprise, there's 726 00:25:45,460 --> 00:25:46,849 no binary-only module. 727 00:25:46,850 --> 00:25:48,789 So everything in the kernel is released in 728 00:25:48,790 --> 00:25:49,689 source code. 729 00:25:49,690 --> 00:25:51,099 Nevertheless, of course, it's a lot of 730 00:25:51,100 --> 00:25:53,229 source code.
So if you look a little 731 00:25:53,230 --> 00:25:55,479 bit at the number of lines, it shows 732 00:25:55,480 --> 00:25:57,909 up between the closest mainline version 733 00:25:57,910 --> 00:25:59,649 and the kernel that's used in those 734 00:25:59,650 --> 00:26:01,329 modules, you end up with 1.5 735 00:26:01,330 --> 00:26:04,059 to 1.9 million lines of diff. 736 00:26:04,060 --> 00:26:05,619 I mean, these are not actually code lines. 737 00:26:05,620 --> 00:26:07,629 This is counting all the lines of a diff 738 00:26:07,630 --> 00:26:09,249 output, including the context. 739 00:26:09,250 --> 00:26:11,229 But still, it gives you an idea about the 740 00:26:11,230 --> 00:26:13,089 size of the difference as compared to 741 00:26:13,090 --> 00:26:15,309 mainline. And of course, you expect on 742 00:26:15,310 --> 00:26:17,439 those kernels all the CPU 743 00:26:17,440 --> 00:26:19,449 specific stuff and lots of driver code 744 00:26:19,450 --> 00:26:20,559 and so on and so on. 745 00:26:20,560 --> 00:26:22,929 But then if you look at it in more detail, 746 00:26:22,930 --> 00:26:25,449 and as a disclaimer, I haven't looked at 747 00:26:25,450 --> 00:26:27,729 Qualcomm Android Linux kernels 748 00:26:27,730 --> 00:26:29,939 during the past 10 years or so, 749 00:26:29,940 --> 00:26:31,749 let's say eight years, or six years, 750 00:26:31,750 --> 00:26:33,389 whatever, a long time. 751 00:26:33,390 --> 00:26:35,679 And I know there's a lot of code 752 00:26:35,680 --> 00:26:37,839 in there, but I didn't expect all 753 00:26:37,840 --> 00:26:39,489 the different things that I found in 754 00:26:39,490 --> 00:26:39,699 there. 755 00:26:39,700 --> 00:26:41,379 I mean, they have their own shared memory 756 00:26:41,380 --> 00:26:42,789 based logging infrastructure. 757 00:26:42,790 --> 00:26:44,199 And shared memory is not shared memory 758 00:26:44,200 --> 00:26:45,189 with the modem processor.
759 00:26:45,190 --> 00:26:47,619 It's only shared within the Linux system 760 00:26:47,620 --> 00:26:49,809 itself, and an inter-processor communication 761 00:26:49,810 --> 00:26:51,249 logging process. 762 00:26:51,250 --> 00:26:53,649 IPC is not inter-process communication 763 00:26:53,650 --> 00:26:55,419 like you would know it, it's inter-processor 764 00:26:55,420 --> 00:26:56,499 communication. 765 00:26:56,500 --> 00:26:57,849 And you have something which 766 00:26:57,850 --> 00:26:59,529 completely flabbergasted me. 767 00:26:59,530 --> 00:27:01,209 It's called remote spinlocks. 768 00:27:01,210 --> 00:27:02,679 I mean, you know, spinlock: you 769 00:27:02,680 --> 00:27:04,959 basically have a mutual 770 00:27:04,960 --> 00:27:06,789 exclusion mechanism so that only one thread 771 00:27:06,790 --> 00:27:08,739 on one CPU can enter a critical 772 00:27:08,740 --> 00:27:09,740 part of the code 773 00:27:11,080 --> 00:27:13,389 on your multiprocessor Linux system. 774 00:27:13,390 --> 00:27:15,159 But then here you can actually also 775 00:27:15,160 --> 00:27:17,349 block the modem processor, 776 00:27:17,350 --> 00:27:18,879 the Hexagon on the other side, from 777 00:27:18,880 --> 00:27:20,679 entering a particular section. 778 00:27:20,680 --> 00:27:22,779 What could possibly go wrong if you 779 00:27:22,780 --> 00:27:25,239 hold... if you keep the realtime 780 00:27:25,240 --> 00:27:26,679 operating system in busy waiting? 781 00:27:26,680 --> 00:27:27,699 But OK. 782 00:27:27,700 --> 00:27:28,839 Um, yeah.
783 00:27:28,840 --> 00:27:30,879 Then you look at the source code, and I've 784 00:27:30,880 --> 00:27:32,199 actually, since I haven't looked at 785 00:27:32,200 --> 00:27:34,269 Qualcomm kernel source code for quite some 786 00:27:34,270 --> 00:27:36,069 time, I was expecting: well, this has been 787 00:27:36,070 --> 00:27:38,259 in all these, uh, Linux Android phones 788 00:27:38,260 --> 00:27:40,329 that have Qualcomm chipsets, and lots of 789 00:27:40,330 --> 00:27:41,709 it is open source. 790 00:27:41,710 --> 00:27:43,449 Plenty of people must have analyzed it. 791 00:27:43,450 --> 00:27:45,129 And there's certainly some documentation 792 00:27:45,130 --> 00:27:46,359 and high-level overview. 793 00:27:46,360 --> 00:27:48,129 But all these individual subsystems, how 794 00:27:48,130 --> 00:27:50,139 they glue together, how this works. 795 00:27:50,140 --> 00:27:52,449 And I could just look at this documentation 796 00:27:52,450 --> 00:27:53,439 or look at that documentation. 797 00:27:53,440 --> 00:27:54,999 But interestingly, it doesn't exist. 798 00:27:55,000 --> 00:27:56,499 So I had to start to write that 799 00:27:56,500 --> 00:27:57,699 documentation. 800 00:27:57,700 --> 00:27:59,409 Um, there's now a lot of information in 801 00:27:59,410 --> 00:28:01,209 our wiki, and some of the interesting 802 00:28:01,210 --> 00:28:03,519 parts that you find in there is 803 00:28:03,520 --> 00:28:05,589 the shared memory device, which is the 804 00:28:05,590 --> 00:28:06,879 core of all the interaction 805 00:28:06,880 --> 00:28:08,949 between different cores. You have 806 00:28:08,950 --> 00:28:10,639 the inter-processor communications, you have 807 00:28:10,640 --> 00:28:12,969 remote network, you 808 00:28:12,970 --> 00:28:14,470 also have BAM-to-BAM, 809 00:28:15,700 --> 00:28:17,769 it's the access manager, 810 00:28:17,770 --> 00:28:19,569 and we have IPA.
811 00:28:19,570 --> 00:28:21,699 This is not your favorite beverage, but 812 00:28:21,700 --> 00:28:23,109 the IP accelerator, 813 00:28:24,490 --> 00:28:26,649 and some diagnostics 814 00:28:26,650 --> 00:28:28,119 forwarding and so on. And if you look at 815 00:28:28,120 --> 00:28:30,339 these subsystems, I drew 816 00:28:30,340 --> 00:28:32,529 a graph, you know, if you know how rare 817 00:28:32,530 --> 00:28:35,469 that is, I drew a picture and 818 00:28:35,470 --> 00:28:37,939 it symbolizes 819 00:28:37,940 --> 00:28:39,759 what's happening in this modem. 820 00:28:39,760 --> 00:28:41,919 So if you look at this picture, you 821 00:28:41,920 --> 00:28:44,379 will see basically the large 822 00:28:44,380 --> 00:28:46,599 square at the top is the application 823 00:28:46,600 --> 00:28:49,179 processor. The bottom small part 824 00:28:49,180 --> 00:28:51,309 is the modem processor, 825 00:28:51,310 --> 00:28:53,409 which we don't know much about, of course. 826 00:28:53,410 --> 00:28:54,699 But then on the left side, due to the 827 00:28:54,700 --> 00:28:56,169 availability of source code, we can see 828 00:28:56,170 --> 00:28:57,309 what's happening. So you have the shared 829 00:28:57,310 --> 00:28:59,379 memory device, and then you have channels 830 00:28:59,380 --> 00:29:00,999 implemented by the shared memory device 831 00:29:01,000 --> 00:29:02,439 and individual different subsystems 832 00:29:02,440 --> 00:29:04,509 binding to those channels, such as 833 00:29:04,510 --> 00:29:06,699 for AT commands, which attach 834 00:29:06,700 --> 00:29:08,829 to the serial function gadget 835 00:29:08,830 --> 00:29:11,079 of the USB gadget code in Linux.
836 00:29:11,080 --> 00:29:13,239 So basically the important part 837 00:29:13,240 --> 00:29:14,240 is to see that 838 00:29:15,430 --> 00:29:17,679 the USB you speak... you don't speak 839 00:29:17,680 --> 00:29:19,569 to the modem, actually to the modem 840 00:29:19,570 --> 00:29:20,979 processor, to the baseband processor, but 841 00:29:20,980 --> 00:29:23,379 you speak USB to the Linux gadget 842 00:29:23,380 --> 00:29:25,599 inside the Linux ARM core 843 00:29:25,600 --> 00:29:27,869 on those devices, and then that Linux ARM 844 00:29:27,870 --> 00:29:29,949 core forwards or handles 845 00:29:29,950 --> 00:29:32,139 different interfaces on your USB 846 00:29:32,140 --> 00:29:33,939 configuration in different ways. 847 00:29:33,940 --> 00:29:36,429 And you have this small box symbolizing 848 00:29:36,430 --> 00:29:38,079 the userspace, and you can see how the 849 00:29:38,080 --> 00:29:39,369 different paths go. 850 00:29:39,370 --> 00:29:41,219 It's quite interesting if you look at it: 851 00:29:41,220 --> 00:29:43,359 you have a serial port for GPS 852 00:29:43,360 --> 00:29:44,739 and you have a serial port for AT 853 00:29:44,740 --> 00:29:46,779 commands, and you think, well, OK, these 854 00:29:46,780 --> 00:29:48,459 are both serial port devices. 855 00:29:48,460 --> 00:29:50,409 They must be handled quite similarly. 856 00:29:50,410 --> 00:29:52,689 But no, the GPS 857 00:29:52,690 --> 00:29:54,729 part is actually handled here. 858 00:29:54,730 --> 00:29:56,709 Over here, it goes into userspace. 859 00:29:56,710 --> 00:29:58,509 It's bridged, it goes into a virtual 860 00:29:58,510 --> 00:30:00,309 serial port here again and it goes into 861 00:30:00,310 --> 00:30:02,559 the serial gadget. Just the AT commands 862 00:30:02,560 --> 00:30:04,179 go straight here inside the kernel and 863 00:30:04,180 --> 00:30:05,439 never end up in userspace.
864 00:30:05,440 --> 00:30:07,839 So I don't know why, but it's 865 00:30:07,840 --> 00:30:10,029 quite sophisticated, to 866 00:30:10,030 --> 00:30:10,869 say. 867 00:30:10,870 --> 00:30:13,209 And if we look at the diagnostic 868 00:30:13,210 --> 00:30:14,679 subsystem, which is particularly of 869 00:30:14,680 --> 00:30:16,719 interest to us, and now you can see I 870 00:30:16,720 --> 00:30:17,859 didn't draw graphs anymore. 871 00:30:17,860 --> 00:30:19,269 I just wrote a little bit of notes. 872 00:30:21,160 --> 00:30:23,219 We have the modem 873 00:30:23,220 --> 00:30:25,299 DSP on the left hand side, then we have 874 00:30:25,300 --> 00:30:27,179 the shared memory device on this. 875 00:30:27,180 --> 00:30:28,909 876 00:30:28,910 --> 00:30:31,109 A diag forwarding module in the kernel 877 00:30:31,110 --> 00:30:32,759 binds on that. 878 00:30:32,760 --> 00:30:34,979 We have a connection to the diagnostic 879 00:30:34,980 --> 00:30:37,109 function gadget of the USB gadget 880 00:30:37,110 --> 00:30:38,929 driver and that goes to your host. 881 00:30:38,930 --> 00:30:40,889 So if you talk diag protocol to the 882 00:30:40,890 --> 00:30:42,569 modem, it actually goes this way through 883 00:30:42,570 --> 00:30:44,549 Linux, through the shared memory device into 884 00:30:44,550 --> 00:30:45,899 the modem DSP. 885 00:30:45,900 --> 00:30:47,369 But what's even more interesting is that 886 00:30:47,370 --> 00:30:49,199 there is a diagnostics character device 887 00:30:49,200 --> 00:30:52,289 on Linux called /dev/diag, which, 888 00:30:52,290 --> 00:30:54,329 well, for example, the other 889 00:30:54,330 --> 00:30:57,029 processes basically 890 00:30:57,030 --> 00:30:59,579 attach to this diagnostics 891 00:30:59,580 --> 00:31:01,799 device, and all the logging that 892 00:31:01,800 --> 00:31:03,239 you find in those Linux userspace 893 00:31:03,240 --> 00:31:04,679 processes, they don't use this.
894 00:31:04,680 --> 00:31:05,909 They don't use an Android logging 895 00:31:05,910 --> 00:31:07,389 framework, but they log through the 896 00:31:07,390 --> 00:31:09,569 Qualcomm diagnostic subsystem, and 897 00:31:09,570 --> 00:31:10,949 you get the log messages of those 898 00:31:10,950 --> 00:31:12,929 processes through this kind of device 899 00:31:12,930 --> 00:31:14,699 over to the function device, over USB 900 00:31:14,700 --> 00:31:15,839 to the host. 901 00:31:15,840 --> 00:31:17,879 So if you manage to figure out which 902 00:31:17,880 --> 00:31:19,969 logging flags and so on to enable, 903 00:31:19,970 --> 00:31:21,659 you get the log output of those Linux 904 00:31:21,660 --> 00:31:24,119 userland processes over diag. 905 00:31:24,120 --> 00:31:25,949 Well, very Qualcomm-like, not so 906 00:31:25,950 --> 00:31:28,079 surprising, but still, uh, sort of 907 00:31:28,080 --> 00:31:29,999 unusual in the Linux world. 908 00:31:30,000 --> 00:31:32,489 If you look at the networking, the QMI, 909 00:31:32,490 --> 00:31:34,559 which controls your, um, basically 910 00:31:34,560 --> 00:31:36,839 the modem, which network you attach 911 00:31:36,840 --> 00:31:38,879 to, whether you activate PDP contexts, 912 00:31:38,880 --> 00:31:41,069 QoS parameters and so on, 913 00:31:41,070 --> 00:31:43,589 you might have used qmicli 914 00:31:43,590 --> 00:31:45,989 or other tools on your Linux 915 00:31:45,990 --> 00:31:48,479 laptop to talk to such modems.
916 00:31:48,480 --> 00:31:50,939 And in this specific case of those Linux 917 00:31:50,940 --> 00:31:53,729 based, um, Qualcomm modems, 918 00:31:53,730 --> 00:31:55,959 well, you again have the modem DSP, goes 919 00:31:55,960 --> 00:31:58,079 through the shared memory device, 920 00:31:58,080 --> 00:32:00,599 uh, talks to the rmnet device, 921 00:32:00,600 --> 00:32:02,279 the USB gadget, USB to the host, and 922 00:32:02,280 --> 00:32:03,659 then you have your host PC somewhere on 923 00:32:03,660 --> 00:32:05,219 the right hand side over there. 924 00:32:05,220 --> 00:32:07,259 So this is basically the path QMI 925 00:32:07,260 --> 00:32:09,839 takes. But then you also have QMI 926 00:32:09,840 --> 00:32:11,819 in the userland on the modem itself, 927 00:32:11,820 --> 00:32:13,979 which is what's presented here, and they 928 00:32:13,980 --> 00:32:16,289 have what's called qmuxd, the 929 00:32:16,290 --> 00:32:18,389 QMI multiplexer daemon, which 930 00:32:18,390 --> 00:32:20,849 then offers unix domain sockets 931 00:32:20,850 --> 00:32:23,009 to various different client programs. 932 00:32:23,010 --> 00:32:24,899 So basically all these userspace 933 00:32:24,900 --> 00:32:27,029 programs, by using this unix domain 934 00:32:27,030 --> 00:32:28,619 socket, they can talk QMI to the 935 00:32:28,620 --> 00:32:30,809 modem as well, and all of them can 936 00:32:30,810 --> 00:32:32,969 basically configure, get 937 00:32:32,970 --> 00:32:34,649 status reports and so on, all the 938 00:32:34,650 --> 00:32:35,789 different parts and all the different 939 00:32:35,790 --> 00:32:37,949 services on the modem, which is 940 00:32:37,950 --> 00:32:39,509 interesting. And it's something that we 941 00:32:39,510 --> 00:32:41,429 want to have, coming from our initial 942 00:32:41,430 --> 00:32:42,749 motivation.
We want to run our own 943 00:32:42,750 --> 00:32:44,939 applications in there and we want to talk 944 00:32:44,940 --> 00:32:47,009 to qmuxd and talk 945 00:32:47,010 --> 00:32:48,449 QMI in there. 946 00:32:48,450 --> 00:32:50,879 So we created a couple of tools to help 947 00:32:50,880 --> 00:32:52,379 the analysis. 948 00:32:52,380 --> 00:32:53,939 On the one hand side, we use the 949 00:32:53,940 --> 00:32:56,219 OpenEmbedded that Qualcomm 950 00:32:56,220 --> 00:32:59,009 released to build a matching opkg 951 00:32:59,010 --> 00:33:01,199 and the packages for tools 952 00:33:01,200 --> 00:33:03,149 that you need, like socat, strace, 953 00:33:03,150 --> 00:33:06,809 lsof and so on, for some exploration. 954 00:33:06,810 --> 00:33:08,969 We also have written a couple of C 955 00:33:08,970 --> 00:33:11,129 programs for testing, basically 956 00:33:11,130 --> 00:33:13,529 for accessing the QMI from code inside 957 00:33:13,530 --> 00:33:14,519 the modem. 958 00:33:14,520 --> 00:33:15,709 That's successful. 959 00:33:15,710 --> 00:33:17,879 Um, and then we have 960 00:33:17,880 --> 00:33:19,919 a couple of those still linked to the 961 00:33:19,920 --> 00:33:22,289 proprietary libraries that are provided 962 00:33:22,290 --> 00:33:23,819 in the modem. And then we have started 963 00:33:23,820 --> 00:33:25,949 with some entirely free 964 00:33:25,950 --> 00:33:28,859 open source programs like the qmuxd 965 00:33:28,860 --> 00:33:30,659 wrapper, which is an LD_PRELOAD 966 00:33:30,660 --> 00:33:32,669 library. So you can trace this qmuxd 967 00:33:32,670 --> 00:33:34,919 communication, and there is 968 00:33:34,920 --> 00:33:37,079 ongoing work for a libqmi-glib 969 00:33:37,080 --> 00:33:39,090 transport, uh, for qmuxd, 970 00:33:40,440 --> 00:33:43,229 which then would enable you to run 971 00:33:43,230 --> 00:33:45,479 a program that's linked against the free 972 00:33:45,480 --> 00:33:46,119 software
973 00:33:46,120 --> 00:33:48,269 libqmi inside the modem, 974 00:33:48,270 --> 00:33:49,899 so you can develop it like you run it on a 975 00:33:49,900 --> 00:33:51,629 laptop, but you can run it transparently 976 00:33:51,630 --> 00:33:53,789 inside the modem after cross compilation. 977 00:33:55,090 --> 00:33:57,359 There's also a tool which we call osmo-qcdiag, 978 00:33:57,360 --> 00:33:59,849 which is basically a host 979 00:33:59,850 --> 00:34:02,189 tool for obtaining these diag 980 00:34:02,190 --> 00:34:04,469 based logs from the modem. 981 00:34:04,470 --> 00:34:06,749 So you can run this on your laptop, 982 00:34:06,750 --> 00:34:08,729 attach it to the modem, and then you get 983 00:34:08,730 --> 00:34:10,349 all kinds of traces, not only the 984 00:34:10,350 --> 00:34:12,569 interface traces, but also QMI protocol 985 00:34:12,570 --> 00:34:14,579 traces, which we then again decode using 986 00:34:14,580 --> 00:34:15,869 libqmi. 987 00:34:15,870 --> 00:34:18,089 So you get a textual representation. 988 00:34:18,090 --> 00:34:20,459 That's ongoing work here, to basically 989 00:34:20,460 --> 00:34:22,019 move all of that into Wireshark. 990 00:34:22,020 --> 00:34:23,519 So you get the full decode of that in 991 00:34:23,520 --> 00:34:24,599 Wireshark, but that's 992 00:34:25,710 --> 00:34:27,299 not yet there. 993 00:34:27,300 --> 00:34:28,888 So what kind of userspace programs do we 994 00:34:28,889 --> 00:34:29,889 find? OK. 995 00:34:30,690 --> 00:34:32,099 We know what that does. 996 00:34:32,100 --> 00:34:34,919 We have an ATFWD daemon, well, an AT 997 00:34:34,920 --> 00:34:35,908 forwarding daemon. 998 00:34:35,909 --> 00:34:37,019 Well, what does it do? 999 00:34:37,020 --> 00:34:38,549 It implements those things like 1000 00:34:38,550 --> 00:34:39,749 AT+QLINUXCMD 1001 00:34:39,750 --> 00:34:40,948 and so on. 1002 00:34:40,949 --> 00:34:41,949 Um.
1003 00:34:42,570 --> 00:34:44,669 And other 1004 00:34:44,670 --> 00:34:46,259 commands, so basically a userspace 1005 00:34:46,260 --> 00:34:48,209 program on Linux can register like a 1006 00:34:48,210 --> 00:34:50,399 callback within the modem to forward 1007 00:34:50,400 --> 00:34:52,649 certain AT commands into Linux 1008 00:34:52,650 --> 00:34:54,238 userspace, but you can then implement 1009 00:34:54,239 --> 00:34:55,979 them so you can basically implement 1010 00:34:55,980 --> 00:34:58,199 custom AT commands in userspace programs. 1011 00:34:59,340 --> 00:35:01,079 There is all kinds of other software 1012 00:35:01,080 --> 00:35:02,879 which we haven't really figured out yet, 1013 00:35:02,880 --> 00:35:03,880 a lot of what they do. 1014 00:35:04,980 --> 00:35:07,109 There's one monster 1015 00:35:07,110 --> 00:35:09,149 called the QCMAP Connection Manager, 1016 00:35:09,150 --> 00:35:11,459 which basically allows 1017 00:35:11,460 --> 00:35:13,799 you to run a Linux based Wi-Fi access point 1018 00:35:13,800 --> 00:35:15,929 with LTE backhaul, 1019 00:35:15,930 --> 00:35:18,089 excuse me, for the TiVo. 1020 00:35:18,090 --> 00:35:20,609 So basically you have to attach 1021 00:35:20,610 --> 00:35:23,159 a Wi-Fi chip to the SDIO 1022 00:35:23,160 --> 00:35:25,199 interface of your modem module and then 1023 00:35:25,200 --> 00:35:27,899 you have a full personal access point 1024 00:35:27,900 --> 00:35:30,719 device that has an LTE backhaul 1025 00:35:30,720 --> 00:35:33,029 and then the Wi-Fi. 1026 00:35:33,030 --> 00:35:35,099 You like the parameters, for example, 1027 00:35:35,100 --> 00:35:37,139 the key and the SSID and the channel and 1028 00:35:37,140 --> 00:35:38,819 so on. You configure all of that 1029 00:35:38,820 --> 00:35:40,229 through AT commands. 
1030 00:35:40,230 --> 00:35:42,329 Of course, if 1031 00:35:42,330 --> 00:35:44,669 you ever wanted to look at software 1032 00:35:44,670 --> 00:35:46,649 that receives AT commands and then 1033 00:35:46,650 --> 00:35:48,909 generates textual config files for 1034 00:35:48,910 --> 00:35:51,509 wpa_supplicant and for hostapd, 1035 00:35:51,510 --> 00:35:54,239 then you can look at this code. 1036 00:35:54,240 --> 00:35:55,319 I prefer not to. 1037 00:35:55,320 --> 00:35:56,699 So we have 1038 00:35:57,780 --> 00:35:59,989 the connector bridge, which is, 1039 00:35:59,990 --> 00:36:01,049 it's a very simple device. 1040 00:36:01,050 --> 00:36:02,999 It reads from one device and it writes it 1041 00:36:03,000 --> 00:36:03,959 to another device. 1042 00:36:03,960 --> 00:36:06,119 And apparently this is such 1043 00:36:06,120 --> 00:36:07,829 a complex task that you need to schedule 1044 00:36:07,830 --> 00:36:08,609 a different process. 1045 00:36:08,610 --> 00:36:09,929 And I think it has three threads or 1046 00:36:09,930 --> 00:36:11,459 something obscure like that. 1047 00:36:11,460 --> 00:36:13,619 So, OK, well, 1048 00:36:13,620 --> 00:36:15,119 which brings us to the funny bits and 1049 00:36:15,120 --> 00:36:17,369 pieces that you find in those modems. 1050 00:36:17,370 --> 00:36:18,869 Well, the first thing is 1051 00:36:18,870 --> 00:36:20,939 AT+QLINUXCMD and we spoke 1052 00:36:20,940 --> 00:36:22,949 about that. You can run arbitrary 1053 00:36:22,950 --> 00:36:25,349 commands as root in a read-write root file 1054 00:36:25,350 --> 00:36:26,259 system in there. 1055 00:36:26,260 --> 00:36:28,499 So basically, you can do anything. 1056 00:36:28,500 --> 00:36:30,699 I mean, you can send an 1057 00:36:30,700 --> 00:36:33,479 rm -rf in a shell session and, well, it's gone, 1058 00:36:33,480 --> 00:36:34,349 it's dead, Jim. 
1059 00:36:34,350 --> 00:36:36,659 So we also have commands 1060 00:36:36,660 --> 00:36:38,489 to switch to fastboot mode so you can 1061 00:36:38,490 --> 00:36:40,080 update the firmware. You have 1062 00:36:41,190 --> 00:36:42,840 a special AT command to print. 1063 00:36:44,370 --> 00:36:46,829 And you have also all kinds of other 1064 00:36:46,830 --> 00:36:48,929 commands. And when you do 1065 00:36:48,930 --> 00:36:51,019 a strings, just a strings 1066 00:36:51,020 --> 00:36:52,979 call on those executables, it looks 1067 00:36:52,980 --> 00:36:55,049 like shell scripts in many cases. 1068 00:36:55,050 --> 00:36:56,699 And one of the most funny things I found 1069 00:36:56,700 --> 00:36:58,379 in this modem is how many processes and 1070 00:36:58,380 --> 00:37:00,359 threads does it take to reboot a system? 1071 00:37:00,360 --> 00:37:02,489 It's apparently a very complex question. 1072 00:37:03,960 --> 00:37:05,459 How do you reboot your system? 1073 00:37:06,630 --> 00:37:08,249 Apparently, this was the easiest method 1074 00:37:08,250 --> 00:37:09,029 they could find. 
1075 00:37:09,030 --> 00:37:11,099 So there's one process, the reboot 1076 00:37:11,100 --> 00:37:13,319 diag app, which registers a DIAG command 1077 00:37:13,320 --> 00:37:15,389 with command code 0x29 with 1078 00:37:15,390 --> 00:37:17,969 the DIAG infrastructure, and it spawns 1079 00:37:17,970 --> 00:37:19,829 a thread which executes another 1080 00:37:19,830 --> 00:37:21,629 executable called qmi_simple_ril_test 1081 00:37:21,630 --> 00:37:24,419 with an input FIFO, 1082 00:37:24,420 --> 00:37:26,549 and then it calls system("echo modem 1083 00:37:26,550 --> 00:37:28,769 reset") to write "modem 1084 00:37:28,770 --> 00:37:30,989 reset" into the FIFO of the input 1085 00:37:30,990 --> 00:37:33,059 of the process it just spawned, 1086 00:37:33,060 --> 00:37:35,259 which then causes this to send 1087 00:37:35,260 --> 00:37:37,349 a QMI message to the modem which 1088 00:37:37,350 --> 00:37:39,239 will reboot the baseband processor. 1089 00:37:39,240 --> 00:37:40,709 And then of course you clean up, you 1090 00:37:40,710 --> 00:37:43,139 remove that temporary file because there 1091 00:37:43,140 --> 00:37:44,879 is not a tmpfs, but it's a read-write 1092 00:37:44,880 --> 00:37:46,519 filesystem. 1093 00:37:46,520 --> 00:37:48,629 And then it goes on to write 1094 00:37:48,630 --> 00:37:50,789 the string "reboot" into 1095 00:37:50,790 --> 00:37:52,979 this reboot dev using fwrite, not 1096 00:37:52,980 --> 00:37:54,749 using echo this time. 1097 00:37:54,750 --> 00:37:57,089 Right. This is a C program, not a script. 1098 00:37:57,090 --> 00:37:59,459 So apparently they discovered 1099 00:37:59,460 --> 00:38:00,460 that and used fwrite. 
1100 00:38:01,560 --> 00:38:03,629 And then we have a reboot daemon, a second 1101 00:38:03,630 --> 00:38:05,459 process again with two or three threads 1102 00:38:05,460 --> 00:38:07,649 which reads this reboot device, and 1103 00:38:07,650 --> 00:38:09,239 then actually they published the source 1104 00:38:09,240 --> 00:38:12,239 code. So this is the actual source code. 1105 00:38:12,240 --> 00:38:14,399 So you read from this dev 1106 00:38:14,400 --> 00:38:16,379 reboot device, then just a nice comment 1107 00:38:16,380 --> 00:38:18,029 documenting what it does. You do a 1108 00:38:18,030 --> 00:38:20,159 strcmp, you have the 1109 00:38:20,160 --> 00:38:21,959 first printf "going for reboot", you 1110 00:38:21,960 --> 00:38:24,389 have the second printf "initiating reboot" 1111 00:38:24,390 --> 00:38:26,369 and then you call system on the reboot 1112 00:38:26,370 --> 00:38:28,709 executable. So apparently 1113 00:38:28,710 --> 00:38:30,119 the most simple method. 1114 00:38:36,790 --> 00:38:38,289 So if you ever were wondering how you 1115 00:38:38,290 --> 00:38:40,809 would reboot your Linux system, this is 1116 00:38:40,810 --> 00:38:41,810 the new reference. 1117 00:38:44,640 --> 00:38:46,139 Yeah, then we have programs that look 1118 00:38:46,140 --> 00:38:48,319 like shell scripts, so this is an actual, 1119 00:38:48,320 --> 00:38:50,659 of course, condensed output of strings 1120 00:38:50,660 --> 00:38:51,809 on the Quectel daemon, right? 1121 00:38:51,810 --> 00:38:54,079 You see like echo into sysfs files, 1122 00:38:54,080 --> 00:38:56,599 you see copying files, even a semicolon 1123 00:38:56,600 --> 00:38:58,999 in there. You see echo into the duty 1124 00:38:59,000 --> 00:39:01,379 cycle of some pulse width modulation, 1125 00:39:01,380 --> 00:39:02,839 no idea what that does. 
1126 00:39:02,840 --> 00:39:05,389 And then they even grep for the process 1127 00:39:05,390 --> 00:39:08,119 and they kill processes 1128 00:39:08,120 --> 00:39:10,699 with the most obscure things. 1129 00:39:10,700 --> 00:39:12,619 And they even, they don't use readdir, but 1130 00:39:12,620 --> 00:39:14,689 they do like ls and then parse the 1131 00:39:14,690 --> 00:39:16,249 output of that rather than use 1132 00:39:16,250 --> 00:39:18,079 opendir and the usual calls you would 1133 00:39:18,080 --> 00:39:20,059 do to get a list of files. 1134 00:39:20,060 --> 00:39:22,459 And it's quite amusing. 1135 00:39:24,400 --> 00:39:26,809 Yeah, which brings us to the topic 1136 00:39:26,810 --> 00:39:27,799 of fun about this. 1137 00:39:27,800 --> 00:39:29,959 But you can, I actually 1138 00:39:29,960 --> 00:39:30,889 missed this example? 1139 00:39:30,890 --> 00:39:32,209 Sorry, I have to make a quick 1140 00:39:32,210 --> 00:39:33,129 interruption here. 1141 00:39:33,130 --> 00:39:35,419 All these machine to machine modems, 1142 00:39:35,420 --> 00:39:36,709 they typically have an LED and the 1143 00:39:36,710 --> 00:39:38,719 blinking rhythm of the LED indicates to 1144 00:39:38,720 --> 00:39:40,759 you whether it's registered to the 1145 00:39:40,760 --> 00:39:42,349 network, whether the data connection is 1146 00:39:42,350 --> 00:39:43,639 open, whether it's searching for 1147 00:39:43,640 --> 00:39:45,049 networks. That's all different blinking 1148 00:39:45,050 --> 00:39:46,249 patterns of the LED. 1149 00:39:46,250 --> 00:39:48,169 And how do you implement this on this 1150 00:39:48,170 --> 00:39:50,599 modem? Well, you run a userspace daemon 1151 00:39:50,600 --> 00:39:53,209 that calls system("echo 1") 1152 00:39:53,210 --> 00:39:55,459 to the GPIO, which 1153 00:39:55,460 --> 00:39:57,169 controls the LED, all the time. 
1154 00:39:57,170 --> 00:39:59,389 You know, sort of like, it's 1155 00:39:59,390 --> 00:40:00,799 not like the kernel would have 1156 00:40:00,800 --> 00:40:03,019 infrastructure for blinking patterns 1157 00:40:03,020 --> 00:40:04,579 and so on and so on. 1158 00:40:04,580 --> 00:40:06,709 But OK, so you have a daemon that does 1159 00:40:06,710 --> 00:40:09,109 nothing else but basically toggling 1160 00:40:09,110 --> 00:40:11,479 your GPIO, all by spawning external 1161 00:40:11,480 --> 00:40:14,359 processes using system(). That's quite 1162 00:40:14,360 --> 00:40:16,179 OK. With that I hand over to. 1163 00:40:24,200 --> 00:40:25,759 Now, the question is, do you expect 1164 00:40:25,760 --> 00:40:27,499 anything after the topic of firmware 1165 00:40:27,500 --> 00:40:28,969 upgrade or is it going to be an empty 1166 00:40:28,970 --> 00:40:29,970 slide? 1167 00:40:31,820 --> 00:40:33,949 And the answer is they know that 1168 00:40:33,950 --> 00:40:36,739 they have to offer firmware upgrades 1169 00:40:36,740 --> 00:40:38,779 over the air, updates, making it as small as 1170 00:40:38,780 --> 00:40:39,799 possible. 1171 00:40:39,800 --> 00:40:41,629 And actually, it's something that 1172 00:40:41,630 --> 00:40:43,339 Qualcomm is preparing for more than 1173 00:40:43,340 --> 00:40:45,829 winders. So it's based on the Android 1174 00:40:45,830 --> 00:40:48,209 from around four point zero recovery 1175 00:40:48,210 --> 00:40:50,749 code. Not using Android myself, 1176 00:40:50,750 --> 00:40:53,149 I haven't looked at how it worked before. 1177 00:40:53,150 --> 00:40:54,949 Many of you might be more familiar with 1178 00:40:54,950 --> 00:40:57,619 it, but it's mostly a zip file 1179 00:40:57,620 --> 00:41:00,079 and it contains delta updates. 
1180 00:41:00,080 --> 00:41:02,179 And surprisingly, they are somehow 1181 00:41:03,410 --> 00:41:05,509 hashed with SHA-1 1182 00:41:05,510 --> 00:41:07,189 and the second one is being signed 1183 00:41:07,190 --> 00:41:09,679 with a private key and the result 1184 00:41:09,680 --> 00:41:12,079 is being put into a comment of the zip file. 1185 00:41:12,080 --> 00:41:14,449 That's probably pretty standard, but 1186 00:41:14,450 --> 00:41:16,399 looked a bit odd. And it's nice that they 1187 00:41:16,400 --> 00:41:18,679 prepare a properly 1188 00:41:18,680 --> 00:41:20,349 secure firmware upgrade. 1189 00:41:20,350 --> 00:41:22,399 It was like minimal delta functionality. 1190 00:41:22,400 --> 00:41:24,800 So what has Quectel done to this code? 1191 00:41:26,180 --> 00:41:27,169 So they still use it. 1192 00:41:27,170 --> 00:41:29,389 That's quite nice. 1193 00:41:29,390 --> 00:41:31,549 But they have removed, or actually 1194 00:41:31,550 --> 00:41:33,349 not really removed, they're not using 1195 00:41:33,350 --> 00:41:35,899 the RSA code to verify a signature. 1196 00:41:37,270 --> 00:41:39,289 And instead of using the standard Android 1197 00:41:39,290 --> 00:41:41,479 way to patch these systems, 1198 00:41:41,480 --> 00:41:44,029 they use a proprietary component from 1199 00:41:44,030 --> 00:41:45,799 a company that used to be called Red 1200 00:41:45,800 --> 00:41:47,659 Bend. But now it's Harman and probably 1201 00:41:47,660 --> 00:41:48,660 soon Samsung. 1202 00:41:49,670 --> 00:41:51,979 And the Red Bend component 1203 00:41:51,980 --> 00:41:54,169 is nothing that Quectel 1204 00:41:54,170 --> 00:41:55,609 has written. But it's a commercial 1205 00:41:55,610 --> 00:41:57,829 product and it's used 1206 00:41:57,830 --> 00:41:59,419 in the UC20 1207 00:41:59,420 --> 00:42:01,219 module as well. 1208 00:42:01,220 --> 00:42:03,619 And also in other automotive projects. 
1209 00:42:03,620 --> 00:42:06,169 We have seen Red Bend updates 1210 00:42:06,170 --> 00:42:08,239 being used. So at this point 1211 00:42:08,240 --> 00:42:10,189 I started to look into how does this 1212 00:42:10,190 --> 00:42:12,049 update format look like? 1213 00:42:12,050 --> 00:42:14,299 And instead of presenting a very complex 1214 00:42:14,300 --> 00:42:16,939 form of the format, I 1215 00:42:16,940 --> 00:42:18,229 have this slide. 1216 00:42:18,230 --> 00:42:20,359 So other people like Messias 1217 00:42:20,360 --> 00:42:22,429 only get, I think, blackheads 1218 00:42:22,430 --> 00:42:24,559 percent of something called 1219 00:42:24,560 --> 00:42:26,139 OMA device management. 1220 00:42:26,140 --> 00:42:28,459 This can be remotely triggered, 1221 00:42:28,460 --> 00:42:30,709 but the update mechanism 1222 00:42:30,710 --> 00:42:32,639 used here cannot be remotely triggered. 1223 00:42:32,640 --> 00:42:34,879 The modem needs to be 1224 00:42:35,930 --> 00:42:37,399 asked to start an update. 1225 00:42:37,400 --> 00:42:39,839 So that's already a bit more secure. 1226 00:42:39,840 --> 00:42:41,959 But I 1227 00:42:41,960 --> 00:42:43,909 started to look at the hex dumps of a 1228 00:42:43,910 --> 00:42:45,379 specific delta update. 1229 00:42:45,380 --> 00:42:47,599 And with a lot of help from SPA, we 1230 00:42:47,600 --> 00:42:49,729 actually managed to understand 1231 00:42:49,730 --> 00:42:51,889 how the update binary looks 1232 00:42:51,890 --> 00:42:53,239 like. 1233 00:42:53,240 --> 00:42:55,219 And we have created a small tool to take 1234 00:42:55,220 --> 00:42:57,379 an existing update and split 1235 00:42:57,380 --> 00:42:59,539 it into smaller parts and also be able 1236 00:42:59,540 --> 00:43:02,269 to create our own files. 1237 00:43:02,270 --> 00:43:03,919 The format itself 1238 00:43:05,090 --> 00:43:07,669 has many different pointers and offsets. 
1239 00:43:07,670 --> 00:43:10,129 So in the example you might already 1240 00:43:10,130 --> 00:43:13,039 see the offsets here and confederacies. 1241 00:43:13,040 --> 00:43:15,559 So it starts with a common header 1242 00:43:15,560 --> 00:43:16,560 and then. 1243 00:43:17,140 --> 00:43:19,209 After the header there is 1244 00:43:19,210 --> 00:43:21,639 an LZMA compressed 1245 00:43:21,640 --> 00:43:23,889 table of contents or 1246 00:43:23,890 --> 00:43:26,139 however you want to call it, and outside 1247 00:43:26,140 --> 00:43:28,099 in the header you have an offset into the 1248 00:43:28,100 --> 00:43:29,110 decompressed 1249 00:43:30,400 --> 00:43:32,199 version of this table of contents where 1250 00:43:32,200 --> 00:43:33,729 actually the file update starts. 1251 00:43:33,730 --> 00:43:36,009 And when 1252 00:43:36,010 --> 00:43:37,809 you start playing or creating your own 1253 00:43:37,810 --> 00:43:39,549 file, you might get the offset wrong. 1254 00:43:39,550 --> 00:43:41,259 And then the update 1255 00:43:41,260 --> 00:43:44,739 binary just crashes with a malformed 1256 00:43:44,740 --> 00:43:45,759 update file. 1257 00:43:45,760 --> 00:43:48,039 So it's like not very robust code, 1258 00:43:48,040 --> 00:43:50,049 a very complicated file format, and 1259 00:43:50,050 --> 00:43:52,209 nothing is cryptographically signed. 1260 00:43:52,210 --> 00:43:53,979 So when you use strings on the binary, 1261 00:43:53,980 --> 00:43:56,319 you see the word signature, but it 1262 00:43:56,320 --> 00:43:58,389 only refers to a CRC32 1263 00:43:58,390 --> 00:43:59,390 checksum. 1264 00:44:03,430 --> 00:44:05,559 The next part, like now we understand 1265 00:44:05,560 --> 00:44:07,510 how the update format works, 1266 00:44:08,830 --> 00:44:10,899 we can create our own update 1267 00:44:10,900 --> 00:44:12,129 files. 1268 00:44:12,130 --> 00:44:14,169 The question is how do they end up on the 1269 00:44:14,170 --> 00:44:15,499 device? 
1270 00:44:15,500 --> 00:44:17,589 And it's something that is implemented 1271 00:44:17,590 --> 00:44:20,039 in the atfwd daemon that Harald 1272 00:44:20,040 --> 00:44:22,689 has mentioned. And if you have a script 1273 00:44:22,690 --> 00:44:25,449 for some specific strings 1274 00:44:25,450 --> 00:44:27,309 like wget, this QCMAP 1275 00:44:27,310 --> 00:44:30,219 connection and FOTA update, 1276 00:44:30,220 --> 00:44:32,139 you already kind of guess how this 1277 00:44:32,140 --> 00:44:33,160 application works. 1278 00:44:34,210 --> 00:44:35,439 So you issue an AT 1279 00:44:35,440 --> 00:44:38,349 command with a URL for updating it. 1280 00:44:38,350 --> 00:44:40,539 In turn, it will disable 1281 00:44:40,540 --> 00:44:42,609 your normal IP connection that you have 1282 00:44:42,610 --> 00:44:45,339 established on your host and opens a 1283 00:44:45,340 --> 00:44:47,739 PDP context on the device 1284 00:44:47,740 --> 00:44:50,169 itself using the 1285 00:44:50,170 --> 00:44:52,209 QCMAP connection manager, then it will 1286 00:44:52,210 --> 00:44:54,369 spawn wget to download the 1287 00:44:54,370 --> 00:44:55,370 file. 1288 00:44:56,200 --> 00:44:59,109 It will use system() to move it to 1289 00:44:59,110 --> 00:45:01,179 the right directory, it will 1290 00:45:01,180 --> 00:45:02,949 remember what it wants to do with this 1291 00:45:02,950 --> 00:45:05,379 file and it will reboot into the recovery 1292 00:45:05,380 --> 00:45:06,849 partition and system. 1293 00:45:06,850 --> 00:45:09,009 And at this point, the 1294 00:45:09,010 --> 00:45:11,199 update file will just be applied and the 1295 00:45:11,200 --> 00:45:13,419 system will reboot once again, again, 1296 00:45:13,420 --> 00:45:15,669 without any cryptographic 1297 00:45:15,670 --> 00:45:16,689 signature or checks. 
1298 00:45:16,690 --> 00:45:18,999 So if you manage to hijack 1299 00:45:19,000 --> 00:45:21,279 the update process, you can install any 1300 00:45:21,280 --> 00:45:23,979 binary on the device or on the 1301 00:45:23,980 --> 00:45:26,079 modem or anywhere else on 1302 00:45:26,080 --> 00:45:28,269 the system as you want. 1303 00:45:28,270 --> 00:45:30,399 So but instead of just 1304 00:45:30,400 --> 00:45:32,679 seeing how bad it is, we want to say, 1305 00:45:32,680 --> 00:45:34,959 like, what do we expect 1306 00:45:34,960 --> 00:45:36,879 them to do? And I'm handing over 1307 00:45:36,880 --> 00:45:38,349 Trevithick. 1308 00:45:38,350 --> 00:45:40,299 Yeah. So rather than saying, oh, this is 1309 00:45:40,300 --> 00:45:41,799 all bad, it's all unlocked and is 1310 00:45:41,800 --> 00:45:43,089 insecure and so on. 1311 00:45:43,090 --> 00:45:45,129 Well, it's fun for us of course, because 1312 00:45:45,130 --> 00:45:45,789 that's what we wanted. 1313 00:45:45,790 --> 00:45:47,859 Right. We wanted a modem device where 1314 00:45:47,860 --> 00:45:49,419 we could do basically whatever we want 1315 00:45:49,420 --> 00:45:51,279 to. And we don't have to break 1316 00:45:51,280 --> 00:45:53,289 sophisticated security mechanisms that 1317 00:45:53,290 --> 00:45:55,119 are designed to keep the user or the 1318 00:45:55,120 --> 00:45:57,639 customer, the owner of the product, out. 1319 00:45:57,640 --> 00:45:59,979 So, yes, there are security issues 1320 00:45:59,980 --> 00:46:02,289 and security issues must be fixed, 1321 00:46:02,290 --> 00:46:04,449 but we need security mechanisms that 1322 00:46:04,450 --> 00:46:06,369 work without locking out the user or the 1323 00:46:06,370 --> 00:46:07,899 owner of the device, of course. 1324 00:46:07,900 --> 00:46:10,129 So this is our public 1325 00:46:10,130 --> 00:46:11,919 call to the manufacturers. 
1326 00:46:11,920 --> 00:46:14,049 If you fix those 1327 00:46:14,050 --> 00:46:16,689 issues, keep in mind that 1328 00:46:16,690 --> 00:46:18,969 the openness of the platform is 1329 00:46:18,970 --> 00:46:20,769 interesting for all kinds of legitimate 1330 00:46:20,770 --> 00:46:21,969 use cases. 1331 00:46:21,970 --> 00:46:22,989 And while you want to 1332 00:46:24,220 --> 00:46:26,289 protect against malicious attackers, 1333 00:46:26,290 --> 00:46:29,259 you, of course, still want to enable 1334 00:46:29,260 --> 00:46:30,849 the actual owners of the device and the 1335 00:46:30,850 --> 00:46:32,499 users of those devices to use the 1336 00:46:32,500 --> 00:46:34,119 flexibility they provide. 1337 00:46:34,120 --> 00:46:35,529 Because there's a lot of. 1338 00:46:35,530 --> 00:46:36,530 Yeah, it's. 1339 00:46:44,220 --> 00:46:45,899 Yeah, so what's the status today and 1340 00:46:45,900 --> 00:46:47,039 outlook? 1341 00:46:47,040 --> 00:46:49,379 Well, we have just, 1342 00:46:49,380 --> 00:46:51,479 uh, opened the 1343 00:46:51,480 --> 00:46:53,099 wiki on the assets on the last slide there, 1344 00:46:53,100 --> 00:46:53,609 all the links. 1345 00:46:53,610 --> 00:46:55,379 So on the Osmocom project, we now have a 1346 00:46:55,380 --> 00:46:58,109 wiki for Quectel, Qualcomm modems, 1347 00:46:58,110 --> 00:47:00,059 where all the information that I gathered 1348 00:47:00,060 --> 00:47:02,469 from reading the thousands 1349 00:47:02,470 --> 00:47:04,409 and thousands of lines of source code is 1350 00:47:04,410 --> 00:47:05,429 in there. 1351 00:47:05,430 --> 00:47:06,359 We have released that. 1352 00:47:06,360 --> 00:47:08,489 I've actually presented in this 1353 00:47:08,490 --> 00:47:10,439 talk in a git repository and source 1354 00:47:10,440 --> 00:47:11,339 code. 1355 00:47:11,340 --> 00:47:13,619 The hardware boards are 1356 00:47:13,620 --> 00:47:16,349 released as open hardware and available. 
1357 00:47:16,350 --> 00:47:18,539 And what's unfortunately still ongoing 1358 00:47:18,540 --> 00:47:20,699 is the libqmi integration, which 1359 00:47:20,700 --> 00:47:22,799 is to some extent due to the fact that I've 1360 00:47:22,800 --> 00:47:24,229 never written anything against GLib 1361 00:47:24,230 --> 00:47:26,189 before or anything inside a program that 1362 00:47:26,190 --> 00:47:27,339 uses GLib. 1363 00:47:27,340 --> 00:47:29,579 It's like all this infrastructure. 1364 00:47:29,580 --> 00:47:31,709 I'm usually more low level than that. 1365 00:47:31,710 --> 00:47:33,779 Um, and, uh, well, we hope to 1366 00:47:33,780 --> 00:47:35,999 grow this documentation and we kindly 1367 00:47:36,000 --> 00:47:38,219 invite all of you with an interest in, 1368 00:47:38,220 --> 00:47:40,679 uh, well, understanding those platforms 1369 00:47:40,680 --> 00:47:41,639 better to help us out. 1370 00:47:41,640 --> 00:47:44,819 You don't actually need to necessarily 1371 00:47:44,820 --> 00:47:46,469 reverse engineer and disassemble things. 1372 00:47:46,470 --> 00:47:47,969 It's just read the source code, 1373 00:47:47,970 --> 00:47:49,739 understand what it does and play a bit 1374 00:47:49,740 --> 00:47:50,859 with the device. 1375 00:47:50,860 --> 00:47:53,189 Um, we are planning an 1376 00:47:53,190 --> 00:47:55,559 OpenEmbedded package feed so we can actually 1377 00:47:55,560 --> 00:47:57,719 easily install additional, everyone can 1378 00:47:57,720 --> 00:47:59,609 easily install additional packages on 1379 00:47:59,610 --> 00:48:01,139 those modems. 1380 00:48:01,140 --> 00:48:02,349 There's plenty of flash. 1381 00:48:02,350 --> 00:48:04,379 So I think it's like 20, 30 megabytes of 1382 00:48:04,380 --> 00:48:05,279 free flash. 1383 00:48:05,280 --> 00:48:06,659 So you can install quite a number of 1384 00:48:06,660 --> 00:48:08,579 additional packages in there. 
1385 00:48:08,580 --> 00:48:10,889 And our aim is to have free software 1386 00:48:10,890 --> 00:48:12,869 only userland on this Cortex- 1387 00:48:12,870 --> 00:48:14,009 A5 CPU. 1388 00:48:14,010 --> 00:48:15,989 So to do away with all those proprietary 1389 00:48:15,990 --> 00:48:17,489 processes that are running in userspace and 1390 00:48:17,490 --> 00:48:19,799 the libraries and run the, 1391 00:48:19,800 --> 00:48:21,899 uh, the open source kernel 1392 00:48:21,900 --> 00:48:23,969 and have basically libqmi 1393 00:48:23,970 --> 00:48:26,039 integration and 1394 00:48:26,040 --> 00:48:28,379 all other bits needed to 1395 00:48:28,380 --> 00:48:30,869 run our own standard Linux 1396 00:48:30,870 --> 00:48:33,509 userland code in there, um, 1397 00:48:33,510 --> 00:48:35,549 and have custom images that we can run on 1398 00:48:35,550 --> 00:48:37,590 modems for all kinds of use cases. 1399 00:48:39,230 --> 00:48:41,389 OK, now, before we go for 1400 00:48:41,390 --> 00:48:43,339 Q&A, in a minute, there's an unrelated 1401 00:48:43,340 --> 00:48:44,749 announcement that we would like to 1402 00:48:44,750 --> 00:48:45,889 present here. 1403 00:48:45,890 --> 00:48:47,659 The Osmocom project has gained support 1404 00:48:47,660 --> 00:48:49,159 for running your own 1405 00:48:49,160 --> 00:48:51,109 3.5G network during the last year. 1406 00:48:51,110 --> 00:48:53,059 Not sure who has noticed that. 1407 00:48:53,060 --> 00:48:55,249 Unfortunately, it suffers a bit of 1408 00:48:55,250 --> 00:48:56,629 a lack of contributions. 1409 00:48:56,630 --> 00:48:58,099 So we want to motivate people to 1410 00:48:58,100 --> 00:48:59,689 contribute more. 
1411 00:48:59,690 --> 00:49:01,669 And we have just started an accelerated 1412 00:49:01,670 --> 00:49:03,229 3.5G program, which 1413 00:49:03,230 --> 00:49:05,299 provides fifty free 1414 00:49:05,300 --> 00:49:07,369 3.5G femtocells to people 1415 00:49:07,370 --> 00:49:09,289 who can convince us that they would 1416 00:49:09,290 --> 00:49:11,329 contribute something reasonable to our 1417 00:49:11,330 --> 00:49:13,549 project. So these femtocells 1418 00:49:13,550 --> 00:49:14,789 are already supported by the Osmocom 1419 00:49:14,790 --> 00:49:16,879 core network, so using the femtocell and the 1420 00:49:16,880 --> 00:49:18,589 Osmocom core network you can run your own 1421 00:49:18,590 --> 00:49:20,719 3.5G network and we're 1422 00:49:20,720 --> 00:49:21,859 giving those away for free. 1423 00:49:21,860 --> 00:49:23,929 So if you're interested in any of 1424 00:49:23,930 --> 00:49:26,119 that, please submit a proposal 1425 00:49:26,120 --> 00:49:28,159 until the end of January and then you 1426 00:49:28,160 --> 00:49:29,839 will hopefully receive your free 1427 00:49:29,840 --> 00:49:32,119 femtocell until the end of February. 1428 00:49:41,750 --> 00:49:43,250 Which brings us to questions, 1429 00:49:44,270 --> 00:49:46,339 yes, Q&A 1430 00:49:46,340 --> 00:49:48,589 time, we have a total of 1431 00:49:48,590 --> 00:49:49,839 eight microphones here, 1432 00:49:50,870 --> 00:49:52,909 one, two, three, four, five, six, seven, 1433 00:49:52,910 --> 00:49:53,910 eight. I can do math, 1434 00:49:55,190 --> 00:49:56,779 please step up to the microphones to ask 1435 00:49:56,780 --> 00:49:57,889 your question. 1436 00:49:57,890 --> 00:49:59,539 Meanwhile, we have from the signals 1437 00:49:59,540 --> 00:50:01,039 angel, we have a question. 1438 00:50:01,040 --> 00:50:03,199 Yes. The Internet wants to know if there 1439 00:50:03,200 --> 00:50:05,570 will be, in quotes, a next Openmoko. 
1440 00:50:06,800 --> 00:50:09,469 OK, um, 1441 00:50:09,470 --> 00:50:11,629 not, not 1442 00:50:11,630 --> 00:50:12,199 from us. 1443 00:50:12,200 --> 00:50:14,099 No, we're not working on a mobile phone. 1444 00:50:14,100 --> 00:50:16,129 Um, we're looking at modems now, not 1445 00:50:16,130 --> 00:50:17,130 mobile phones at the moment. 1446 00:50:18,770 --> 00:50:20,839 So microphone two. 1447 00:50:20,840 --> 00:50:22,739 So just to clarify, does that mean that 1448 00:50:22,740 --> 00:50:25,279 Linux runs on the iPhone 5? 1449 00:50:25,280 --> 00:50:26,359 We don't know. 1450 00:50:26,360 --> 00:50:27,289 We don't know. 1451 00:50:27,290 --> 00:50:28,969 We have yet to hear from you if you can 1452 00:50:28,970 --> 00:50:31,219 find it. But I think you can run 1453 00:50:31,220 --> 00:50:32,599 the trip for something else on this 1454 00:50:32,600 --> 00:50:33,619 Cortex processor. 1455 00:50:33,620 --> 00:50:35,839 Um, but, uh, 1456 00:50:35,840 --> 00:50:36,840 we don't know. 1457 00:50:38,270 --> 00:50:39,739 Signals angel. 1458 00:50:39,740 --> 00:50:40,740 Yeah. 1459 00:50:42,020 --> 00:50:44,029 The Internet wants to know why there are 1460 00:50:44,030 --> 00:50:46,339 no mini PCI Express 1461 00:50:46,340 --> 00:50:48,529 M.2 to, uh, USB 3 1462 00:50:48,530 --> 00:50:50,689 adapters because they think 1463 00:50:50,690 --> 00:50:53,059 LTE is capable of at least three 1464 00:50:53,060 --> 00:50:55,009 megabits and USB 2 could be a 1465 00:50:55,010 --> 00:50:56,010 bottleneck. 
1466 00:50:58,460 --> 00:51:00,829 Well, um, I'm not really in the business 1467 00:51:00,830 --> 00:51:03,599 of manufacturing or selling adapters, so 1468 00:51:03,600 --> 00:51:05,209 I mean, yes, we did this open hardware 1469 00:51:05,210 --> 00:51:07,729 device out of a specific need, but 1470 00:51:07,730 --> 00:51:08,869 you would have to ask the hardware 1471 00:51:08,870 --> 00:51:10,099 manufacturers that, I'm sorry. 1472 00:51:11,300 --> 00:51:13,159 Could I ask the people who are leaving to 1473 00:51:13,160 --> 00:51:14,419 leave quietly, please? 1474 00:51:17,290 --> 00:51:18,290 Microphone two. 1475 00:51:19,540 --> 00:51:21,669 Can I buy the entire EC20 with the 1476 00:51:21,670 --> 00:51:23,799 breakout board and the UART as a 1477 00:51:23,800 --> 00:51:24,800 single kit somewhere? 1478 00:51:25,870 --> 00:51:28,059 Well, you can contact us, but 1479 00:51:28,060 --> 00:51:30,189 it's not really something that we 1480 00:51:30,190 --> 00:51:31,599 have prepared for. 1481 00:51:31,600 --> 00:51:33,939 But, yes, it's certainly an option. 1482 00:51:33,940 --> 00:51:35,619 But I mean, we're not here to sell you 1483 00:51:35,620 --> 00:51:37,089 anything. We're here to invite you to 1484 00:51:37,090 --> 00:51:39,639 help us learn about modems, 1485 00:51:39,640 --> 00:51:41,679 things and the Android debug. 1486 00:51:41,680 --> 00:51:44,319 You actually don't really need this UART 1487 00:51:44,320 --> 00:51:46,479 so you can reflash the device using 1488 00:51:46,480 --> 00:51:48,249 USB, even if you break it, it can be 1489 00:51:48,250 --> 00:51:49,569 reflashed. 1490 00:51:49,570 --> 00:51:51,409 And ADB shell, you have your root shell. 1491 00:51:51,410 --> 00:51:53,529 So that's Four Forks 1492 00:51:53,530 --> 00:51:55,299 and was articulateness and you can 1493 00:51:55,300 --> 00:51:57,559 actually start a login on the UART 1494 00:51:57,560 --> 00:51:58,659 console as well. 
1495 00:51:58,660 --> 00:52:00,849 So even if ADB doesn't work, 1496 00:52:00,850 --> 00:52:02,419 you can get a login on it. 1497 00:52:02,420 --> 00:52:04,239 So it's very easy to get started 1498 00:52:04,240 --> 00:52:06,639 with it. 1499 00:52:06,640 --> 00:52:07,640 Signal Angel. 1500 00:52:09,700 --> 00:52:10,700 OK, 1501 00:52:12,060 --> 00:52:14,159 do you have... Have you tried to get the 1502 00:52:14,160 --> 00:52:16,649 source code from other manufacturers? 1503 00:52:18,350 --> 00:52:19,350 Um. 1504 00:52:20,090 --> 00:52:22,729 Well, we know at this point 1505 00:52:22,730 --> 00:52:25,399 of, I think, three different manufacturers 1506 00:52:25,400 --> 00:52:27,619 that use this MDM9615 1507 00:52:27,620 --> 00:52:31,039 plus Linux combination. 1508 00:52:31,040 --> 00:52:33,529 From Quectel, we have just described 1509 00:52:33,530 --> 00:52:35,509 how it went. Sierra has published all 1510 00:52:35,510 --> 00:52:37,609 this already by themselves in a 1511 00:52:37,610 --> 00:52:39,229 very good way, so there's no need to ask 1512 00:52:39,230 --> 00:52:40,369 them. It's out there, you can just 1513 00:52:40,370 --> 00:52:41,959 download it, it is documented. 1514 00:52:41,960 --> 00:52:44,299 And the third one is an old end-of-life 1515 00:52:44,300 --> 00:52:46,369 Huawei module, where we have 1516 00:52:46,370 --> 00:52:48,939 also asked, but this is still ongoing. 1517 00:52:48,940 --> 00:52:51,339 And now it's interesting: 1518 00:52:51,340 --> 00:52:52,909 from a Chinese supplier, you get 1519 00:52:52,910 --> 00:52:54,679 the excuse, oh, there is Christmas coming 1520 00:52:54,680 --> 00:52:56,059 up for us. Like, OK, so, so many 1521 00:52:56,060 --> 00:52:57,929 Christians in China, but OK. 1522 00:52:57,930 --> 00:52:59,539 But I'm quite sure if I ask in 1523 00:52:59,540 --> 00:53:00,979 January again: guys,
oh, there is Chinese 1524 00:53:00,980 --> 00:53:03,259 New Year coming up. But 1525 00:53:03,260 --> 00:53:05,749 we'll see about that. Microphone 1526 00:53:05,750 --> 00:53:06,750 four. 1527 00:53:08,020 --> 00:53:10,089 You mentioned the Qualcomm chip 1528 00:53:10,090 --> 00:53:11,559 used in the iPhone 5. 1529 00:53:12,850 --> 00:53:14,619 Does this mean, well, 1530 00:53:16,420 --> 00:53:17,649 is it likely that 1531 00:53:18,970 --> 00:53:21,939 the iPhone application processor talks 1532 00:53:21,940 --> 00:53:24,339 AT commands to the Qualcomm 1533 00:53:24,340 --> 00:53:26,219 chip? Is this still 1534 00:53:27,550 --> 00:53:28,779 state of the art? 1535 00:53:28,780 --> 00:53:29,959 No, it's not state of the art. 1536 00:53:29,960 --> 00:53:30,909 And I don't think it's happening. 1537 00:53:30,910 --> 00:53:33,099 I mean, also on these modern 1538 00:53:33,100 --> 00:53:35,289 modules, the AT command interface is there for 1539 00:53:35,290 --> 00:53:36,279 legacy purposes. 1540 00:53:36,280 --> 00:53:38,649 You have QMI exported over USB, 1541 00:53:38,650 --> 00:53:40,869 and normally you let your ModemManager 1542 00:53:40,870 --> 00:53:42,699 or whatever you use, a phone or 1543 00:53:42,700 --> 00:53:45,039 whatever infrastructure, talk QMI 1544 00:53:45,040 --> 00:53:46,040 to those devices. 1545 00:53:47,640 --> 00:53:49,289 I'm going to go back to the Signal Angel 1546 00:53:49,290 --> 00:53:50,290 again. 1547 00:53:50,790 --> 00:53:52,919 The question is, what is the 1548 00:53:52,920 --> 00:53:55,409 total size of the flash 1549 00:53:55,410 --> 00:53:57,569 or whatever's on there, and how much 1550 00:53:57,570 --> 00:54:00,299 RAM has this thing got? 1551 00:54:00,300 --> 00:54:01,499 I don't know. I don't remember. 1552 00:54:01,500 --> 00:54:04,139 The flash size was... RAM is 32 1553 00:54:04,140 --> 00:54:05,429 megabytes. 1554 00:54:05,430 --> 00:54:07,559 Yeah, there's 32 megabytes of 1555 00:54:07,560 --> 00:54:08,489 RAM on this.
1556 00:54:08,490 --> 00:54:11,129 The successor, the EC25, has 128 1557 00:54:11,130 --> 00:54:12,629 megs of RAM, but the flash size 1558 00:54:12,630 --> 00:54:14,879 I also don't remember right now, but 1559 00:54:14,880 --> 00:54:16,139 check out the wiki. 1560 00:54:16,140 --> 00:54:18,269 We have put logs and all kinds of 1561 00:54:18,270 --> 00:54:20,279 dmesg outputs and so on, all on the 1562 00:54:20,280 --> 00:54:21,449 wiki. So I'm quite sure it's 1563 00:54:21,450 --> 00:54:22,450 somewhere in there. 1564 00:54:23,070 --> 00:54:24,090 Microphone four. 1565 00:54:25,490 --> 00:54:27,689 You said that you tried to check Legato 1566 00:54:27,690 --> 00:54:29,039 Linux from Sierra. 1567 00:54:29,040 --> 00:54:30,329 Wouldn't it be possible to completely 1568 00:54:30,330 --> 00:54:31,979 build your own kernel there and your 1569 00:54:31,980 --> 00:54:32,980 applications? 1570 00:54:34,200 --> 00:54:36,269 Um, yes, it's certainly 1571 00:54:36,270 --> 00:54:38,759 possible. But then of course, 1572 00:54:38,760 --> 00:54:40,829 if you do this, you 1573 00:54:40,830 --> 00:54:43,199 buy a lot of things, uh, with your money 1574 00:54:43,200 --> 00:54:44,519 that you don't use in the end. 1575 00:54:44,520 --> 00:54:46,649 So, uh, and you 1576 00:54:46,650 --> 00:54:49,109 support a vendor that tries to, um, 1577 00:54:49,110 --> 00:54:50,699 lock people into this proprietary 1578 00:54:50,700 --> 00:54:51,149 framework. 1579 00:54:51,150 --> 00:54:53,399 So it's, uh, yes, 1580 00:54:53,400 --> 00:54:55,139 it's possible. But do you have to use the 1581 00:54:55,140 --> 00:54:57,329 framework? I don't think so. 1582 00:54:57,330 --> 00:54:58,229 No, you don't have to. 1583 00:54:58,230 --> 00:55:00,119 But I mean, they are developing this. 1584 00:55:00,120 --> 00:55:01,709 And part of what you pay for is this 1585 00:55:01,710 --> 00:55:03,389 framework, and that's why their products 1586 00:55:03,390 --> 00:55:04,089 are more expensive.
1587 00:55:04,090 --> 00:55:06,499 So, microphone 1588 00:55:06,500 --> 00:55:08,939 two. Do you have some ballpark 1589 00:55:08,940 --> 00:55:10,739 figure about the power consumption in the 1590 00:55:10,740 --> 00:55:12,690 lowest power, quiescent current mode? 1591 00:55:14,010 --> 00:55:16,139 No, um, I'm quite sure it's 1592 00:55:16,140 --> 00:55:17,459 going to be high. 1593 00:55:17,460 --> 00:55:19,229 I think I'll get some comment on that. 1594 00:55:19,230 --> 00:55:20,759 Yeah. So when you are looking at this 1595 00:55:20,760 --> 00:55:22,709 device, you use strace against it, 1596 00:55:22,710 --> 00:55:25,109 and it's like mostly waking 1597 00:55:25,110 --> 00:55:27,299 up every couple of milliseconds. 1598 00:55:27,300 --> 00:55:29,399 So it's not power-efficient 1599 00:55:29,400 --> 00:55:31,499 code. It's really, really, really 1600 00:55:31,500 --> 00:55:33,959 annoying to see processes 1601 00:55:33,960 --> 00:55:35,639 that run all the time. 1602 00:55:35,640 --> 00:55:38,339 And from the previous slides there is a comment 1603 00:55:38,340 --> 00:55:40,469 to have systems... 1604 00:55:40,470 --> 00:55:42,029 that's actually the advanced power 1605 00:55:42,030 --> 00:55:43,499 management. So you can trigger an AT 1606 00:55:43,500 --> 00:55:45,249 command to have the device sleep, and 1607 00:55:45,250 --> 00:55:48,219 there's an echo into 1608 00:55:48,220 --> 00:55:50,429 it to go to sleep, so it can 1609 00:55:50,430 --> 00:55:51,899 be tuned. And with a free software 1610 00:55:51,900 --> 00:55:54,179 userspace, it can probably be better than 1611 00:55:54,180 --> 00:55:55,180 what it is right now. 1612 00:55:56,910 --> 00:55:57,910 Signal Angel again. 1613 00:55:59,070 --> 00:56:01,259 How accessible is the 1614 00:56:01,260 --> 00:56:02,260 baseband? 1615 00:56:02,940 --> 00:56:05,129 Like memory, and like 1616 00:56:05,130 --> 00:56:06,130 IMEI and stuff.
1617 00:56:08,570 --> 00:56:10,459 We haven't really investigated this in 1618 00:56:10,460 --> 00:56:12,289 detail, but we also haven't seen any 1619 00:56:12,290 --> 00:56:13,999 signature verification and so on there, 1620 00:56:14,000 --> 00:56:16,399 so I think it's completely open. 1621 00:56:16,400 --> 00:56:17,400 Um. 1622 00:56:19,920 --> 00:56:22,049 So the DSP firmware 1623 00:56:22,050 --> 00:56:24,569 is in three separate 1624 00:56:24,570 --> 00:56:26,879 partitions, and there's no RSA 1625 00:56:26,880 --> 00:56:30,069 signature at the end of 1626 00:56:30,070 --> 00:56:31,349 these partitions. 1627 00:56:31,350 --> 00:56:33,419 So it seems that you can modify it. 1628 00:56:33,420 --> 00:56:35,279 If they're locked down like ... 1629 00:56:35,280 --> 00:56:37,049 that's something we haven't 1630 00:56:37,050 --> 00:56:38,459 tried or looked at. 1631 00:56:40,290 --> 00:56:41,290 Microphone one. 1632 00:56:42,980 --> 00:56:45,119 Are the modules readily available in the 1633 00:56:45,120 --> 00:56:48,089 LGA package, rather than the 1634 00:56:48,090 --> 00:56:49,709 mini PCIe board? Like, if people 1635 00:56:49,710 --> 00:56:50,909 wanted to start trying to use these on 1636 00:56:50,910 --> 00:56:53,039 open hardware, they should 1637 00:56:53,040 --> 00:56:54,479 be available again. 1638 00:56:54,480 --> 00:56:56,069 Yes. I mean, they were temporarily not 1639 00:56:56,070 --> 00:56:58,619 available due to the enforcement, but 1640 00:56:58,620 --> 00:57:00,629 I think now they should be available 1641 00:57:00,630 --> 00:57:01,289 again. 1642 00:57:01,290 --> 00:57:03,209 And what are the costs of 1643 00:57:03,210 --> 00:57:04,919 those modules like?
1644 00:57:04,920 --> 00:57:07,049 Ah, I think it's like forty- 1645 00:57:07,050 --> 00:57:09,389 seven something euros, 1646 00:57:09,390 --> 00:57:11,739 around that region, or maybe, what was 1647 00:57:11,740 --> 00:57:13,289 it, more than 50? Anyway, somewhere 1648 00:57:13,290 --> 00:57:14,159 in that region. 1649 00:57:14,160 --> 00:57:15,160 OK. 1650 00:57:15,990 --> 00:57:18,119 So one more question from the Internet. 1651 00:57:19,200 --> 00:57:19,769 Yeah. 1652 00:57:19,770 --> 00:57:22,319 And the Internet wants to know if you can 1653 00:57:22,320 --> 00:57:24,569 capture layer 2 network stuff with this. 1654 00:57:25,820 --> 00:57:26,989 Yes, yes, you can. 1655 00:57:29,030 --> 00:57:31,429 So I think that's the end of our 1656 00:57:31,430 --> 00:57:32,839 Q&A session. 1657 00:57:32,840 --> 00:57:34,670 Please join me in 1658 00:57:36,470 --> 00:57:39,259 thanking Harald and 1659 00:57:39,260 --> 00:57:41,449 Holger for this fantastic talk about 1660 00:57:41,450 --> 00:57:43,009 things that I really didn't want to know 1661 00:57:43,010 --> 00:57:44,209 about 3G modems.