[Community] Next generation OpenPhoenux devices

Dr. H. Nikolaus Schaller hns at goldelico.com
Sat Apr 20 11:00:05 CEST 2013

Am 19.04.2013 um 16:06 schrieb Bob Ham:

> On 2013-03-18 13:12, Dr. H. Nikolaus Schaller wrote:
>> Am 18.03.2013 um 12:56 schrieb Sven Dyroff:
>>> Hello Nikolaus,
>>>> GSM/UMTS has an open driver ("HSO") and otherwise uses AT
>>>> commands, i.e. everything free and open.
>>> What about the closed firmware within the modem?
>> Yes, it is closed. But why do you expect that it can be open(ed)?.
>  http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/
> Note that this article describes only one known scenario where a modem's operation is altered surreptitiously.
> I am very concerned that I do not have access to the firmware running on my phone's modem.  I'm not concerned because I have imagined one hypothetical scenario in which bad things could possibly be done.  I'm concerned because I have no idea what *is* happening in the modem.  I'm concerned because I know the only real limit to the abuse that can be done using the 

Well, there is background literature (e.g. [1,2]) and the protocols of GSM/UMTS are almost open [3]. So you can learn what is going on in some (not your personal) modem.

> modem is the hardware capabilities.  The limit is not what the government says, or what the police force says, or what the mobile network says, or what I would like to imagine.
> If I don't have control of the binaries running on my phone's modem, through access to the source code, then the modem is wide open for abuse.

But only if it implements over-the-air updates or someone makes you click on an installer from unknown sources... I am sure this cannot go unnoticed.

> The modem is a computer.  I am a user.  I want to be free to use my computer however I see fit, and to secure it.
> I don't want to go outside the boundaries of the law with respect to radio telephony, in the same way that I have no desire to crack banks using my desktop computer.  I just want to be free.

Yes, I agree that it would be good and inspiring if we were able to take a look inside the code.

But my opinion is that it is not necessary as long as there are two separate processors using some well known - and open - interface. This allows one to inspect for suspicious code and protect all the data on the application processor against remote access. It is even possible to disable the interface driver in your kernel or make it do additional safety checks. So the firmware in the modem isn't more harmful than things going on in the network.

The article above reveals that there was great effort on the network side (including a portable high-energy base station) to make it work. And I would assume that they just cleverly used features of the (published) GSM protocols like beacons, list of neighbouring cells etc. to do their task. These are all protocols useful for daily life - but they can also be manipulated on the network side for other purposes. Maybe even without changing the firmware!

But is there any chance to open the firmware of an embedded subsystem?

The PowerVR SGX reverse engineering project hasn't made any progress. The Marvell WiFi hasn't either :(
So my conjecture is that the open source community is no longer interested in opening things by doing the tough task of reverse engineering... Is it a lack of knowledge? Of time? Of energy? Or simply of reward for doing it? I don't really know.

The final question about this article is whether *we* (community/society) should really help suspects like those mentioned in the article to protect themselves against prosecution better than before. I think it is also in *our* interest that police can catch people doing e.g. tax fraud (and other bad crimes). Otherwise we all have to pay *their* taxes...

Just some thoughts and no solutions,

[1]: http://wireless.arcada.fi/MOBWI/material/CN_6_3.html
[2]: http://de.slideshare.net/kirank29/gsm-and-umts-protocols-and-callflow
[3]: http://www.3gpp.org/ftp/Specs/
