Retro tech is cool. Retro tech that works is even cooler. When we can see technology working, hold it in our hand, and use it as though we’ve been transported back in time; that’s when we feel truly connected to history. To help others create small time anomalies of their own, [Dmitrii Eliuseev] put together a quick how-to for creating your own Advanced Mobile Phone System (AMPS) network which can bring some of the classic cellular heroes of yesterday back to life.
Few readers will be surprised to learn that this project is built on software defined radio (SDR) and the Osmocom-Analog project, which we’ve seen before used to create a more modern GSM network at EMF Camp. Past projects were based on LimeSDR, but here we see that USRP is just as easily supported. [Dmitrii] also provides a brief history of AMPS, including some of the reasons it persisted so long, until 2007! The system features a very large coverage area with relatively few towers and has surprisingly good audio quality. He also discusses its disadvantages, primarily that anyone with a scanner and the right know-how could tune to the analog voice frequencies and eavesdrop on conversations. That alone, we must admit, is a pretty strong case for retiring the system.
The article does note that there may be legal issues with running your own cell network, so be sure to check your local regulations. He also points out that AMPS is robust enough to work short-range with a dummy load instead of an antenna, which may help avoid regulatory issues. That being said, SDRs have opened up so many possibilities for what hackers can do with old wireless protocols. You can even go back to the time when pagers were king. Alternatively, if wired is more your thing, we can always recommend becoming your own dial-up ISP.
[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communications Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.
This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though, it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone5, because it makes the DIAG stream easily available.
Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.
Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.
Continue reading “33C3: Dissecting 3G/4G Phone Modems”