Denis 'GNUtoo' Carikli wrote on 04.10.2012 14:26:
> On Thu, 4 Oct 2012 00:32:48 +0200
> Peter Stuge <peter(a)stuge.se> wrote:
>
>> John Case wrote:
>> > the real trick I am interested in is isolating (or at least
>> > controlling) the interaction between the baseband processor and the
>> > application processor. Using a computer with a USB dongle gives me
>> > that control ... would I have that same level of control if we had
>> > free software running on the baseband processor, or is there still
>> > additional bleeding possible simply by virtue of being built into
>> > the computer ?
>>
>> In a smartphone it's almost not possible to distinguish the
>> "computer" from the "GSM modem" anymore, because of how the
>> hardware is constructed, so yes.
> In some yes, in some no... it depends on how the smartphone was
> designed:
>
> On one end, in some smartphones (Openmoko GTA02, Golden Delicious GTA04)
> the baseband is isolated (though on the GTA04 it has access to a GPS with
> no antenna (so it can't work)). And on the other end there are
> smartphones with a Qualcomm System on a Chip... where the modem and the
> CPU are in a single chip:
> The modem part has the audio DSP connected to it, and the GPS.
> And the baseband uses shared RAM memory and shared NAND (if I remember
> well)...
> And I'm not sure, but maybe the baseband is even needed for booting
> the main CPU...
>
> There are also systems in between, like the Galaxy S/Nexus S, that use
> shared memory but do not have the other problems...
In addition to the above, there are some phones where the baseband is
completely submissive to the AP, namely the Galaxy SII. Basically it's
exactly the same as the USB dongle situation, but the dongle is integrated
on the phone's PCB.
>
> Denis.
--
WBR, Peter Zotov.
> First, stay away from Qualcomm-based phones. In them the baseband controls
> all physical memory, as documented in the Replicant project, and thus has
> control over the application processor (the "unix computer").
Ok. So what I am shooting for is a firewall between the baseband
processor and the application processor, and I was indeed correct that in
a "real" mobile phone there is a lot of bleeding between the two.
> Second, even Infineon-based phones are not completely safe, however you can
> use Replicant on the Nexus S, and thus there are no proprietary binaries (on
> the Unix side) and less risk of meddling from a third party. However, this
> won't prevent a baseband exploit from doing evil stuff. In addition there
> are Android vulnerabilities constantly appearing, the last one as you may have
> heard concerned the SGS3's NFC stack.
Well, that is why I said "unix computer" and not specifically android - if
I am running a computer (like a samsung galaxy player) then I could do
something besides android, and perhaps gain quite a bit of control.
> Finally, the scenario you suggest (connecting a 3G USB modem to a computer)
> seems very impractical, although it adds a layer of safety since the
> microphone will be fully under the control of the system you trust. However
> battery life will probably be very, very short as compared to your current
> 2G phone.
Yes, ok. Battery life is bad, as well as the physical logistics of
connecting a full sized USB dongle to a micro-USB port, etc.
> By the way, as documented in presentations at CCC, Blackhat, etc. GSM
> networks are not safe, there are multiple vulnerabilities ranging from
> offline decryption of comms to active mitm attacks. 3G networks use
> stronger, mutual authentication and do not suffer from this. In several
> phones, such as the Nexus S, you can force the network mode to 3G only and
> therefore have a better level of security.
Yes, but the real trick I am interested in is isolating (or at least
controlling) the interaction between the baseband processor and the
application processor. Using a computer with a USB dongle gives me that
control ... would I have that same level of control if we had free
software running on the baseband processor, or is there still additional
bleeding possible simply by virtue of being built into the computer ?
Also, just for my own notes, what is the industry term for "making changes
to application processor side of customers handset?" I have heard of some
regular examples of how carriers update things and enforce changes to
phones in this way (or relock them ?) but what is the term for that
behavior ?
Thanks.
I use an old 2G dumbphone.
I would like to switch and begin carrying a unix computer with me, but two
things bother me:
1. When a cellular device is added to a computer, and integrated in a deep way
(as it is in an Android phone), there seem to me to be a lot of instances where
the computer is subservient to the cellular parts of the phone. I am
thinking about things like carrier-published updates to applications and
carrier updates to SIM data, etc. - I want to participate on the mobile
phone network, but I do not want the carrier to have any access to my unix
computer. It seems to me that they have a lot of access, though, when I
use something like an Android phone.
2. Exploits ... baseband exploits, mobile network exploits, forced dialing,
speaker/mic toggling, root exploits like I saw described from rogue
cell sites at Defcon 2 years ago ... I want nothing to do with this.
So my current thought is to not buy a phone at all, but instead buy a unix
computer - perhaps the Samsung Galaxy Player ? It is a near-clone of the
Samsung i9000, but without any phone hardware (but it does have a speaker and
mic, so you could use it as a very nice SIP device). And my idea is that
when I do not have WIFI access, I could connect a USB GSM modem to this
unix computer and use the GSM modem ONLY for data, and connect SIP calls
that way.
My questions:
1. Am I correct that embedding the mobile components into the computer
(like in a mobile phone) gives my carrier many more vectors for accessing
the computer side of things, and gives "Mallory" many more vectors for
attack ? I spoke very generally above about those methods - what are the
actual names for these behaviors ?
2. Am I correct that if I connect an external GSM modem to my unix
computer, I am nullifying most of these, and I am not giving my carrier
any ability to update/examine/alter/access my unix computer .... and am
also avoiding things like secretly enabling the microphone, baseband
exploits, etc. ?
Any additional thoughts on using a computer instead of a phone, and then
adding a GSM modem when that is the only way to get SIP connectivity ?
Thanks.
Maciej Grela wrote on 02.10.2012 02:00:
>> My colleague/friend Sergey Gridassov[1] has been developing a
>> replacement RIL[2] for the SGS2 and found everything of the above. He
>> probably won't be posting to this list because he's not a native English
>> speaker, but if there is enough interest (and it seems that there is), I
>> could prepare and post the relevant instructions. It's pretty trivial
>> actually.
>>
>
> Please do publish them. This is pretty cool.
>
> Regards,
> Maciej Grela
Assuming you know C, consider this code:
https://github.com/grindars/android_hardware_samsung_freeril/blob/jellybean…
The boot process is IROM->PSI->EBL->SecureImage. Authenticity of PSI is
not checked.
He has verified this by changing the magic constant 0xDEADDEAD and
booting PSI.
Speaking about 0xDEADDEAD, it's a command ID which makes the PSI make a
complete RAM dump. So, then he has sent the modified command and
successfully obtained a dump.
The rest should be obvious from the source.
--
WBR, Peter Zotov.
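As an added illustration of why the missing PSI check described above matters (this is constructed example code written for this page, not the freeril code linked above and not Samsung's actual image format or verification mechanism), the following Python models the four-stage chain as a hash chain: the IROM pins a digest of PSI, and each image carries the digest of its successor. Only the stage names and the fact that PSI authenticity is not checked come from the post; the digest layout, the image bodies and the "magic=" string are assumptions of the model. The point it demonstrates is that every later check depends on the first one: once the IROM skips verifying PSI, a PSI with a single altered constant boots, and it brings its own digests for EBL and SecureImage, so those checks pass too.

```python
"""Toy hash-chained boot model: IROM -> PSI -> EBL -> SecureImage.

Constructed example. Stage names follow the thread; the verification
scheme, image bodies and magic string are assumptions, not Samsung's format.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

STAGE_NAMES = ["IROM", "PSI", "EBL", "SecureImage"]


@dataclass(frozen=True)
class Image:
    name: str
    body: bytes
    next_digest: Optional[bytes]  # digest this stage expects of its successor


def image_digest(img: Image) -> bytes:
    # Cover body AND the embedded successor digest, so swapping the successor
    # changes this image's own digest and is caught one stage earlier.
    return hashlib.sha256(img.body + (img.next_digest or b"")).digest()


def build_chain(bodies: dict):
    """Link PSI, EBL and SecureImage back to front; return (images, psi_digest).

    psi_digest is what a mask ROM would have to pin for the chain to be rooted.
    """
    images = []
    nxt = None
    for name in reversed(STAGE_NAMES[1:]):  # IROM is mask ROM, not loaded
        img = Image(name, bodies[name], nxt)
        nxt = image_digest(img)
        images.append(img)
    images.reverse()
    return images, nxt


def boot(irom_pinned_psi_digest: bytes, images, irom_checks_psi: bool):
    """Simulate the boot; return (stages executed, status string)."""
    executed = ["IROM"]
    # If the ROM does not authenticate PSI, the first stage runs unverified
    # and the chain is rooted in whatever that PSI claims about its successor.
    expected = irom_pinned_psi_digest if irom_checks_psi else None
    for img in images:
        if expected is not None and image_digest(img) != expected:
            return executed, "refused " + img.name
        executed.append(img.name)
        expected = img.next_digest  # trust flows forward from the stage just run
    return executed, "ok"


def demo() -> dict:
    # Constructed image bodies; the "magic" string stands in for the one
    # constant the post says was changed to prove PSI is unauthenticated.
    genuine = {
        "PSI": b"genuine PSI magic=0xDEADDEAD",
        "EBL": b"genuine EBL",
        "SecureImage": b"genuine secure image",
    }
    tampered = {
        "PSI": b"genuine PSI magic=0xDEADBEEF",  # one constant altered
        "EBL": b"attacker EBL",
        "SecureImage": b"attacker payload",
    }
    chain, pinned = build_chain(genuine)
    evil_chain, _ = build_chain(tampered)
    # Genuine PSI followed by attacker-supplied later stages.
    mixed = [chain[0], evil_chain[1], evil_chain[2]]
    return {
        "genuine, IROM checks PSI": boot(pinned, chain, True),
        "tampered, IROM checks PSI": boot(pinned, evil_chain, True),
        "tampered, IROM skips PSI check": boot(pinned, evil_chain, False),
        "genuine PSI, attacker EBL, IROM skips PSI check": boot(pinned, mixed, False),
    }


if __name__ == "__main__":
    for scenario, (stages, status) in demo().items():
        print(f"{scenario}: {' -> '.join(stages)} ({status})")
```

The last scenario shows that the downstream checks still work when PSI is genuine, which is exactly why an attacker targets the one unchecked link rather than EBL or SecureImage.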