[Community] Wifi, Modem and GPS

Christoph Mair christoph.mair at gmail.com
Mon Jul 14 22:17:14 CEST 2014


Hi Oliver,

the GTA04 contains two GPS receivers: one inside the modem (connected
via USB) and one extra receiver module which can be controlled through
a serial interface (RS232, but 1.8V level). The receiver inside the
modem has no connection to any GPS antenna and therefore does not work
at all. If you solder a coaxial cable to the right pads and connect it
to the main GPS antenna (or an external one, but remember to include
the circuitry to power active antennas!) it will work.

Regarding the firmware:
The modem could try to attack the host side USB stack and use some
buffer overflows to execute data on the main CPU. I think this is
quite sophisticated and the probability that this will work is rather
low. The Neo900 includes additional circuitry to detect such bad
behavior by measuring the current consumption of the module.
The GPS receiver could also try to attack the GPS client software
(gpsd or similar) by sending bogus data. I think the probability to
exploit this is even lower. As a simple countermeasure, don't run such
daemons as root, monitor the process and power off the module as soon
as the daemon dies (I think this is already done automatically when
the tty interface is closed). The power for the GPS is entirely
controlled by the host. If the regulator is off, there is nothing the
module could do to prevent losing power.
The same applies for the WiFi and BT-SoC. I'm no SDIO expert but as
far as I know the module can only transmit data when the host supplies
a clock signal. Maybe it could generate the clock itself, but the OMAP
is not configured for external SDIO clock input and would ignore
whatever the module tries to send. So the only possibility (that I can
imagine) is to attack the driver, which is open source. In case of
emergency just turn off the regulator which supplies the module. In
general this option is valid for about every peripheral (are there any
known attacks via IrDA yet?). Only the UMTS-modem has a "please switch
yourself off"-pin and could ignore such requests and this is why the
Neo900 includes additional hard- and software to check if the module
is misbehaving.

Does this help?

Best regards,
  Christoph
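
The countermeasure described in the message above (run the GPS client unprivileged, watch the process, cut module power as soon as it dies), as an added example that is not part of the original e-mail or of the GTA04/Neo900 software. The power-control path and the `set_power`, `_demote` and `supervise` helpers are hypothetical; the real regulator control is board- and kernel-specific.

```python
"""Run a GPS client unprivileged and cut module power when it exits."""
import os
import subprocess

# Hypothetical placeholder: substitute the host-side control file of the
# regulator that feeds the GPS module on the actual board.
GPS_POWER_CONTROL = "/sys/class/example/gps_regulator/enable"


def set_power(control_path, on):
    """Write 1 or 0 to the host-side power control file."""
    with open(control_path, "w") as f:
        f.write("1" if on else "0")


def _demote(uid, gid):
    """Build a hook that drops the child to an unprivileged uid/gid."""
    def hook():
        os.setgroups([])   # drop supplementary groups first
        os.setgid(gid)     # group before user, or setgid would be refused
        os.setuid(uid)
    return hook


def supervise(argv, control_path, uid=None, gid=None):
    """Power the module, run the client in the foreground, power off on exit.

    Returns the client's exit status (negative means killed by that signal).
    """
    preexec = None
    if os.geteuid() == 0:
        if uid is None or gid is None:
            raise ValueError("refusing to run the client as root; pass uid and gid")
        preexec = _demote(uid, gid)
    set_power(control_path, True)
    try:
        proc = subprocess.Popen(argv, preexec_fn=preexec)
        return proc.wait()
    finally:
        # Reached on clean exit, crash, or launch failure: always fail to "off".
        set_power(control_path, False)
```

The client must be started in foreground mode so that `wait()` tracks the real process rather than a parent that forks and exits.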


On Mon, Jul 14, 2014 at 9:49 PM,  <wonderphone at posteo.de> wrote:
> Hi all,
>
> today, a question about the hardware design of both GTA04(05) and Neo900
> (GTA04B7):
>
> We have seen a lot of communication about the modem. In both devices it is
> connected via USB and behaves like (no is!)  a real peripheral.
>
> Now, do we have the GPS receiver included in the modem or is it a different
> component with a different connection to the CPU and RAM?
>
> What about the wifi module? It is connected over SDIO or GPIO. What does
> that mean in terms of separation from the rest of the system, i.e. what can
> the non-free firmware do?
>
> Thank you
>
> Oliver


