33C3: Dissecting 3G/4G Phone Modems

[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communications Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.

This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though, it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone5, because it makes the DIAG stream easily available.

Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.

Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.

As things stand now, [Holger] and [LaForge] have documented a lot of the Linux system that’s running inside the EC20 phone modem, so it’s ripe for development. They have a toolchain set up so that you can compile and flash a kernel to the modem, and there is an Android Debugging Bridge (adb) root shell, so you can do basically anything. This isn’t Arduinery — there’s still a lot of real engineering left to do before you’ll be using these modules directly in your own projects — but until now 4G and LTE phone modems have been an entirely opaque black box to the hacker community. At least now we’ve got a foothold.

21 thoughts on “33C3: Dissecting 3G/4G Phone Modems

  1. I hope their help to release cellular modem code will help put to bed the really stupid stories floating around that your phone is still transmitting your location when it’s off.

    Really, your phone when you turn it off, engages special space alien technology that allows it to transmit and NOT USE BATTERY POWER! or transmit in a way that allows standard RF testing gear to detect.

    But it doesn’t stop the tinfoil hat people from claiming the phone is always listening and reporting your location.

      1. @davedarko: I briefly checked his linked Facebook. Only red flags are not listing where he works, and seems technically savvy enough to understand he’s building a strawman. So he very well could be a disinformation peddler of some 3 letter agency. There’s a lot more of them out there than people think. Occam’s Razor says that he’s probably just an idiot tho

        @Timothy Gray: Are capacitors suddenly “MUh SPAcE ALIeN TECHNOLOGY???!!!?11”? How can you be sure your device isn’t compromised by malware that @Truth describes in his comments below? Malware that Edward Snowden risked his life and freedom to reveal to the public..? Or do you get paid to get the first comment on any blog post that might even slightly lead someone to the truth?

    1. I am quite skeptical to both sides of the claim… However here is what I came across so far:

      Depends on the phone, chipset, manufacturer, frequency of events (Transmission events). Had a phone that should be off but went to the home screen immediately to say “battery Low”. Had to pull the battery and replace to stop it.

      Bear in mind that is a personal experience account of events (Above).

      Replaced with a rugged business class from the same manufacturer: Seen no problems so far, Off means Off in this case.

      However, as you said: To some extent, this would allow us to see (In the case of the iPhone chipset) if there is spyware. However the Manufacture may not release any proprietary code if they can and thus hiding any indication if they do.

      However we can now replace said firmware with a trusted firmware (When this project is at said stage).

      P.S. Don’t slap me in the “tinfoil hatter” league just because I like to over-think some things. A loosely skeptic type being (I claim Loosely because of some bias: Childhood issues with the UK Gov’t)

    2. > But it doesn’t stop the tinfoil hat people […]

      Two things:

      (a) Depending on firmware, the phone isn’t necessarily off when it says “off”. I thought this would be obvious to every hacker/engineer. Me? I wouldn’t trust a modern smartphone, really.

      (b) If that is the only thing occurring to you when seeing the original article, which is seriously awesome stuff, please hand in your geek card.

      1. Want to know if it is off? Stick it in a biscuit tin with a suitable antenna connected to your software defined radio rig, and watch for transmissions of any sort. A mobile in a Faraday cage will be just as likely to phone the mother ship as one not in a Faraday cage I would have thought.

        1. Two hi-tech. Just put it on an amplified speaker like computer speakers and you will hear it responding to the local tower polling with the familiar dit …. dar dih dit …. dar dih dit ….

    3. When you push the power button on the phone software runs to turn off the screen and stop the blinking lights. The phone can be loaded with a special firmware/OS that keeps the microphone and the RF section powered on. This has been done with silent pushed firmware upgrades by mobile operators since at least 2006, search for “FBI use phone mic to bug” and probably had it much earlier. It is not alien technology, every telephone network world wide has legal intercept installed but not necessary enabled, and even that was abused to bug the greek government by N^HS^HA^H hackers in 2004 when the head of Vodafone in Greece committed suicide.

    4. I don’t think this entirely a ‘tin foil hat’ issue. It seem to be more about misunderstanding.

      Firstly, some older phones didn’t turn completely off. In some like apple products you can’t even remove the battery.

      Secondly, what is meant by ‘reporting location’. You would assume that this meant that some sort of GPS module was relaying the phones position. In my country the government records the position of every mobile phone every 20 minutes. This is done by triangulation from the closest towers. It requires no software on the phone and works even if the phone has no GPS capability.

    5. Phones transmitting their position when turned off is clearly an urban legend, although we’re talking about devices without a proper on-off switch so that the idea of a very limited subsystem that say every 3 minutes sends a single packet to the towers could be plausible.
      Anyway, there are other means to track a phone. What if the charging coil contained also an active RFID circuitry that could be triggered and detected say a dozen meters away? You wouldn’t pass a toll gate without being detected.
      So.. yes, urban myth, but better check because technology is moving fast and what looks like scifi today could become real very soon.

      1. Most telcos need to collect (and store) metadata about all active and inactive phones. A phone not actively engaged on a call still needs to report back which physical cell it is in, so that calls can be routed to it. A cell might be a hundred feet in a densely packed city or a couple of miles in rural country side. So even if the power button actually does removed power. Some of the long term metadata is collected for network planning, e.g a large number of active call get dropped around cell X, better coverage is needed in and around X.

        To contrast pagers were less efficient, but far more private, in that the entire network would broadcast the text messages, and the network had no idea where the receiving device was physically. Unfortunately broadcast networks are one way only and do not scale well. Telcos need to know the physical location of the devices to efficiently route data to them.

    1. I suspect the iPhone models using these Qualcomm processors are not running the Qualcomm Linux stack talked about here but are running something much simpler and lower level (evidence is that most of the work on those devices is done on the Hexagon baseband DSP and not the ARM part of the chip)

  2. Very impressive work! I’ve been poking at a couple of Huawei modems (running HiSilicon chips), in the hopes of being able to do something similar. I haven’t got terribly far, though, other than to confirm that the “Wingle” appears to be running Linux internally.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s