Usually a reference platform is something for developers and is not widely distributed. With Android, the reference platform is a mass-market device in the hands of millions of people worldwide.
So, if there is a goal of a completely open phone - FaiF all the way through - why isn't one of the Nexus phones a natural target for reverse engineering and spec-leaking?
One of the issues with the Calypso chipset that I have seen discussed here is what OS to run on the upper layers of the phone - and this is a non-issue, since the Nexus phones have been designed from the ground up to run Linux. Even if you decline to put Android specifically on it, you could run any other variant you like.
I am not trivializing the work that has gone into Calypso, and I realize that different Nexus variants may have totally different baseband components, so you would have to choose one specific Nexus model ... but isn't the real difficulty simply the secrecy of the chipset specs, and wouldn't leaked specs solve the problem whether it is a 2G Calypso or a 4G OMAP?
1) We're not the ones who decide which chipset specs are leaked ... Also, we had a complete working GSM stack example for that chipset as a guide (the specs are not always complete / correct / enough). There is nothing even close to that for any of the newer chips that I know of.
2) Most modern chipsets have cryptographic protections preventing the loading of a custom baseband firmware on them.
3) 3G / 4G chipsets are _vastly_ more complicated. As it is, for the Calypso there aren't that many people with the skills to work on the firmware, so for more complicated chipsets the situation might be even worse.
4) When you're experimenting with stuff that can brick / destroy your phone (and I have a couple of dead ones ...), you don't want to do that on your brand new $600 phone.
Cheers,
Sylvain
Sylvain Munaut wrote on 01.10.2012 15:50:
> - We're not the ones who decide which chipset specs are leaked ...
> Also, we had a complete working GSM stack example for that chipset as a guide (the specs are not always complete / correct / enough). There is nothing even close to that for any of the newer chips that I know of.
Enter Galaxy S II GT-i9100.
> - Most modern chipsets have cryptographic protections preventing the
> loading of a custom baseband firmware on them.
For some reason, the baseband does not verify, well, anything. Both AP and BP have capabilities for checking the signature, but the keys are zeroed. You can load whatever you want on the BP, dump RAM, etc. Sammy has omitted the NOR flash for the BP and used a RAM chip instead, hence the BP is "flashed" at every boot.
> - 3G / 4G chipsets are _vastly_ more complicated. As it is, for the
> Calypso there aren't that many people with the skills to work on the firmware, so for more complicated chipsets the situation might be even worse.
For some reason, the baseband has been compiled with debugging info turned on. Prior to flipping any bit in any register it writes a textual description to the debug port, which is trivially accessible through USB. No soldering required.
> - When you're experimenting with stuff that can brick / destroy your
> phone (and I have a couple of dead ones ...), you don't want to do that on your brand new $600 phone.
For some reason, the boot process is guided by the AP. Unless you do something really evil, you have zero chance of bricking your beloved $600 phone.
> Cheers,
> Sylvain
It's also a pretty nice cellphone.
Hi,
> Enter Galaxy S II GT-i9100.
Interesting info and target. But do you have links to the datasheet, programmer's manual and source code of the baseband?
It might expose a shitload of debug info, but without reference material this is gonna take much, much longer if you want to rewrite a stack from scratch.
Cheers,
Sylvain
Sylvain Munaut wrote on 01.10.2012 18:22:
> Hi,
> > Enter Galaxy S II GT-i9100.
> Interesting info and target. But do you have links to the datasheet, programmer's manual and source code of the baseband?
Quite unfortunately, no. Here are all the sensible HW-related links I was able to collect:
http://forum.xda-developers.com/showthread.php?t=1108103
http://forum.xda-developers.com/showthread.php?t=1104139
http://forum.xda-developers.com/showthread.php?t=1264021
http://forum.xda-developers.com/showthread.php?t=1649278
http://forum.xda-developers.com/showthread.php?t=1316501
http://forum.xda-developers.com/showthread.php?t=1313588
http://forum.xda-developers.com/showpost.php?p=25970245&postcount=22
http://forum.xda-developers.com/showthread.php?t=1483053
http://www.anandtech.com/show/4686/samsung-galaxy-s-2-international-review-t...
http://forum.xda-developers.com/showthread.php?t=820275&page=10
http://forum.xda-developers.com/showthread.php?t=1372365&highlight=i9100
The baseband boot/RIL protocol is reverse-engineered at
https://github.com/grindars/android_hardware_samsung_freeril
> It might expose a shitload of debug info, but without reference material this is gonna take much, much longer if you want to rewrite a stack from scratch.
> Cheers,
> Sylvain
2012/10/1 Peter Zotov whitequark@whitequark.org:
> Sylvain Munaut wrote on 01.10.2012 18:22:
> > Hi,
> > > Enter Galaxy S II GT-i9100.
> > Interesting info and target. But do you have links to the datasheet, programmer's manual and source code of the baseband?
Hi,
The situation with the Galaxy S II is very interesting. Where did you find the information about BP processor debug access and running your own code from BP SRAM? I've read through the links from xda-dev you provided but I couldn't locate this information.
Regards, Maciej Grela
Maciej Grela wrote on 02.10.2012 01:34:
> 2012/10/1 Peter Zotov whitequark@whitequark.org:
> > Sylvain Munaut wrote on 01.10.2012 18:22:
> > > Hi,
> > > > Enter Galaxy S II GT-i9100.
> > > Interesting info and target. But do you have links to the datasheet, programmer's manual and source code of the baseband?
> Hi,
> The situation with the Galaxy S II is very interesting. Where did you find the information about BP processor debug access and running your own code from BP SRAM? I've read through the links from xda-dev you provided but I couldn't locate this information.
> Regards, Maciej Grela
My colleague/friend Sergey Gridassov[1] has been developing a replacement RIL[2] for the SGS2 and found all of the above. He probably won't be posting to this list because he's not a native English speaker, but if there is enough interest (and it seems that there is), I could prepare and post the relevant instructions. It's pretty trivial actually.
[1]: http://github.com/grindars
[2]: https://github.com/grindars/android_hardware_samsung_freeril
2012/10/1 Peter Zotov whitequark@whitequark.org:
> Maciej Grela wrote on 02.10.2012 01:34:
> > 2012/10/1 Peter Zotov whitequark@whitequark.org:
> > > Sylvain Munaut wrote on 01.10.2012 18:22:
> > > > Hi,
> > > > > Enter Galaxy S II GT-i9100.
> > > > Interesting info and target. But do you have links to the datasheet, programmer's manual and source code of the baseband?
> > Hi,
> > The situation with the Galaxy S II is very interesting. Where did you find the information about BP processor debug access and running your own code from BP SRAM? I've read through the links from xda-dev you provided but I couldn't locate this information.
> > Regards, Maciej Grela
> My colleague/friend Sergey Gridassov[1] has been developing a replacement RIL[2] for the SGS2 and found all of the above. He probably won't be posting to this list because he's not a native English speaker, but if there is enough interest (and it seems that there is), I could prepare and post the relevant instructions. It's pretty trivial actually.
Please do publish them. This is pretty cool.
Regards, Maciej Grela
On Mon, Oct 1, 2012 at 10:22 PM, Sylvain Munaut wrote:
> But, do you have links to the datasheet, programmer's manual and source code of the baseband?
We were discussing this on IRC and Peter pointed out this:
http://forum.xda-developers.com/showthread.php?t=1483053
The only thing missing is the actual source code, and that will probably continue to be missing :(
On Mon, Oct 1, 2012 at 4:12 PM, Paul Wise pabs@debian.org wrote:
> On Mon, Oct 1, 2012 at 10:22 PM, Sylvain Munaut wrote:
> > But, do you have links to the datasheet, programmer's manual and source code of the baseband?
> We were discussing this on IRC and Peter pointed out this:
> http://forum.xda-developers.com/showthread.php?t=1483053
> -- bye, pabs
Paul,
On Mon, 1 Oct 2012, Paul Wise wrote:
> On Mon, Oct 1, 2012 at 10:22 PM, Sylvain Munaut wrote:
> > But, do you have links to the datasheet, programmer's manual and source code of the baseband?
> We were discussing this on IRC and Peter pointed out this:
k
I am looking at the list of devices covered by this xda-dev posting - most interesting is the Samsung Galaxy Nexus - again, this is a reference handset, something that in the past was in the hands of developers only, but that many people around the world are now using.
So that's very interesting, which was the point of my OP - the Google Nexus phones represent a particularly ripe avenue for Osmocom since they are reference handsets, and presumably the "warez" that you need are in many more hands than previous chipset docs and code. Perhaps there is a flaw in my assumption?
The bad news is that the list of devices from the xda-dev posting does NOT include the Galaxy S II GT-i9100, which was mentioned earlier in this thread.
I wonder:
- How did the Calypso docs leak in the first place? Was it indeed a real breach of intellectual property, or did they just get published by TI since they were uninteresting in some way? How nefarious is the story there?
- What would it actually cost to get the documentation and code needed for either of these two items we are discussing above? If I go to Qualcomm and sign up as a developer (under a corp name, etc.) .... is it $10k? $100k? Or are the docs you need not available at any price?
I would like to think that the "warez" needed for one of these targets are so widely distributed (because of the Android ecosystem and the aggressive push there) that simply putting out a loud and wide "call for leaks" would yield some results...
TI or Qualcomm will not sell "you" their IP, no matter what. There is a very complicated "legal" process behind these kinds of deals, specifically a regulation process done outside the vendor, that is usually a government organization. You would however be able to purchase protected DSP-style working components and NDAed dox with 6-figure deals.
There is a different type of business you can look into though, take a look at Lyrtech's stuff for example. You can buy at least as good as HDL crystal clear IP from them licensed and hassle free with support and dox and all, but they target specially built systems, usually huge expensive SDRs.
The alleged TI leaks, no matter what the circumstance, are not to my experience of much practical importance. If you got the engineering resources and enough money to put such stuff into use, you may as well code it all from scratch, since most specs are already public. The patents usually prevent people from certifying, therefore prevent selling big time for serious profit and limit the market. It's not like they are nuclear missile code secrets. The difference between engineering and reverse engineering in the software ecosystem and the telecom ecosystem is exactly in the time/resource/profit formulation. Kids code a virus or crack a code over a couple of nights using OllyDbg, although they need to learn a lot of math and electric shit before doing a baseband-scale maneuver. They almost never do, or Apple offers them Jobs ;)
M.
On Wednesday, Mehr 12, 1391 at 21:22, John Case wrote:
> Paul,
> On Mon, 1 Oct 2012, Paul Wise wrote:
> > On Mon, Oct 1, 2012 at 10:22 PM, Sylvain Munaut wrote:
> > > But, do you have links to the datasheet, programmer's manual and source code of the baseband?
> > We were discussing this on IRC and Peter pointed out this:
> k
> I am looking at the list of devices covered by this xda-dev posting - most interesting is the Samsung Galaxy Nexus - again, this is a reference handset, something that in the past was in the hands of developers only, but that many people around the world are now using.
> So that's very interesting, which was the point of my OP - the Google Nexus phones represent a particularly ripe avenue for Osmocom since they are reference handsets, and presumably the "warez" that you need are in many more hands than previous chipset docs and code. Perhaps there is a flaw in my assumption?
> The bad news is that the list of devices from the xda-dev posting does NOT include the Galaxy S II GT-i9100, which was mentioned earlier in this thread.
> I wonder:
> - How did the Calypso docs leak in the first place? Was it indeed a real
> breach of intellectual property, or did they just get published by TI since they were uninteresting in some way? How nefarious is the story there?
> - What would it actually cost to get the documentation and code needed for
> either of these two items we are discussing above? If I go to Qualcomm and sign up as a developer (under a corp name, etc.) .... is it $10k? $100k? Or are the docs you need not available at any price?
> I would like to think that the "warez" needed for one of these targets are so widely distributed (because of the Android ecosystem and the aggressive push there) that simply putting out a loud and wide "call for leaks" would yield some results...
On Thu, 4 Oct 2012, Mh wrote:
> TI or Qualcomm will not sell "you" their IP, no matter what. There is a very complicated "legal" process behind these kinds of deals, specifically a regulation process done outside the vendor, that is usually a government organization. You would however be able to purchase protected DSP-style working components and NDAed dox with 6-figure deals.
Ok. So if there were to be a free-as-in-freedom Galaxy Nexus, with full control of all layers, it would be the result of a real, material breach, or leak. Someone would have to do Something Bad.
> There is a different type of business you can look into though, take a look at Lyrtech's stuff for example. You can buy at least as good as HDL crystal clear IP from them licensed and hassle free with support and dox and all, but they target specially built systems, usually huge expensive SDRs.
But the point here is an end user (like me) having a secure and free-as-in-freedom phone, so unless we're going to create a community-backed reference platform (which would be great, of course) this doesn't help a lot. Are there any 3G handsets currently for sale that have this (more open) system underneath?
> The alleged TI leaks, no matter what the circumstance, are not to my experience of much practical importance. If you got the engineering resources and enough money to put such stuff into use, you may as well code it all from scratch, since most specs are already public. The patents usually prevent people from certifying, therefore prevent selling big time for serious profit and limit the market. It's not like they are nuclear missile code secrets. The difference between engineering and reverse engineering in the software ecosystem and the telecom ecosystem is exactly in the time/resource/profit formulation. Kids code a virus or crack a code over a couple of nights using OllyDbg, although they need to learn a lot of math and electric shit before doing a baseband-scale maneuver. They almost never do, or Apple offers them Jobs ;)
You're approaching this as if I want to build and market cell site equipment, or build my own infrastructure ... of course that is interesting, but really all I want is a somewhat modern phone that I can control and feel somewhat secure using, which means either isolating the baseband processor (see my other thread about using USB GSM modems with a Galaxy music player) or breaking the baseband of a platform more useful than Calypso...
I do wonder, however, if these open reference chipsets exist, why we are looking at Calypso as the basis for the "other" Osmocom projects (like the baseband dev kit that has been proposed...). It seems like your example would be less of a dead end...
Correct, "Dead End". If you are aiming at somewhat "All Layers Open for All" in any of the industrialized telecom standards, like GSM, UMTS, LTE -- you are either alone or one of the already huge cartel vendors, the usual suspects. I am specifically referring to the business-oriented closed-circuit cold-blooded capitalistic side of the issue. It is big bucks and involves elements of serious power. Like the oil business, you simply can not dig a hole and start a shop today. Whole layers of politics and beneficiaries are involved to stop you doing that. Internationally recognized organizations like ITU, also, for more or less the same reasons, do not let some one-man company or a small-scale team who is not already in bed with big players go solo and be available everywhere.
Note that I am not, in essence, talking about "Security", whatever that means to you or the next person. You might be well, or feel safe, with your standards under your threat model for your whole life using primitives like 2G. In fact I believe this is valid for, figuratively speaking, 99.9% of consumers. It is important to differentiate between patents, licenses, lobbying for money and ownership all the way down to technical details of how to implement some efficient A5/3 code that can not be tampered with by an evil rogue element in or MITM the network that cancels the whole point for good.
You will not reach a widely usable phone where all the details of it are free and open by all means. Business, export restrictions, regulations and shareholders are responsible for that, good or bad. You CAN, on the other hand, define the specifics of a secure system based on your priorities and test and certify to see if it fits your criteria or not. What society do you belong to?
- Freedom of software warriors
- Political activist, reporter in a hostile environment or some humanitarian effort type
- Business opportunity research
- Military and dark ops
- Finance with 7+ figure daily account exchange
- A dude with 007s up his ass after leakage of those topless pix
- A kind smiley average father
- Into white slavery, drug smuggling, dark international arms sales
Secure and "Feel Alright" might have different interpretations in each group, but that "Open" mobile phone, internationally available, legal and realistic, is, as you put it correctly, a dead end.
M.
On Thursday, Mehr 13, 1391 at 1:42, John Case wrote:
> On Thu, 4 Oct 2012, Mh wrote:
> > TI or Qualcomm will not sell "you" their IP, no matter what. There is a very complicated "legal" process behind these kinds of deals, specifically a regulation process done outside the vendor, that is usually a government organization. You would however be able to purchase protected DSP-style working components and NDAed dox with 6-figure deals.
> Ok. So if there were to be a free-as-in-freedom Galaxy Nexus, with full control of all layers, it would be the result of a real, material breach, or leak. Someone would have to do Something Bad.
> > There is a different type of business you can look into though, take a look at Lyrtech's stuff for example. You can buy at least as good as HDL crystal clear IP from them licensed and hassle free with support and dox and all, but they target specially built systems, usually huge expensive SDRs.
> But the point here is an end user (like me) having a secure and free-as-in-freedom phone, so unless we're going to create a community-backed reference platform (which would be great, of course) this doesn't help a lot. Are there any 3G handsets currently for sale that have this (more open) system underneath?
> > The alleged TI leaks, no matter what the circumstance, are not to my experience of much practical importance. If you got the engineering resources and enough money to put such stuff into use, you may as well code it all from scratch, since most specs are already public. The patents usually prevent people from certifying, therefore prevent selling big time for serious profit and limit the market. It's not like they are nuclear missile code secrets. The difference between engineering and reverse engineering in the software ecosystem and the telecom ecosystem is exactly in the time/resource/profit formulation. Kids code a virus or crack a code over a couple of nights using OllyDbg, although they need to learn a lot of math and electric shit before doing a baseband-scale maneuver. They almost never do, or Apple offers them Jobs ;)
> You're approaching this as if I want to build and market cell site equipment, or build my own infrastructure ... of course that is interesting, but really all I want is a somewhat modern phone that I can control and feel somewhat secure using, which means either isolating the baseband processor (see my other thread about using USB GSM modems with a Galaxy music player) or breaking the baseband of a platform more useful than Calypso...
> I do wonder, however, if these open reference chipsets exist, why we are looking at Calypso as the basis for the "other" Osmocom projects (like the baseband dev kit that has been proposed...). It seems like your example would be less of a dead end...
On Thu, 4 Oct 2012, Mh wrote:
> You will not reach a widely usable phone where all the details of it are free and open by all means. Business, export restrictions, regulations and shareholders are responsible for that, good or bad. You CAN, on the other hand, define the specifics of a secure system based on your priorities and test and certify to see if it fits your criteria or not. What society do you belong to?
Well, I disagree. First of all, if we assume that the Internet is available in some fashion, you can have a general purpose Unix computer in your hand, with no mobile chipset, and use SIP. It's not common, but it's workable and it is indeed free all the way through (depending on your configuration and your OS choice). If you consider that the Samsung Galaxy Player is *hardware identical* to one of the world's most popular Android phones (except for the missing mobile chipset), I would say that's a "widely usable phone".
And further, if we choose strategy "B", where we encourage or facilitate a leak of baseband IP, then you can go that route.
And that is why I think the reference platform of Google Nexus phones is very interesting and very unique ... the PS3 breaks, and other breaks like that, were possible because millions of people had these hardware-identical boxes in their own houses - you can't let the cat that far out of the bag and expect the secrets will stay secret. CSS, PlayStation, iTunes, and whatever DVD-Jon is working on this week all show that to be true.
One clarification:
I wasn't saying that pursuing an open mobile platform was a dead end, I was saying that pursuing Calypso was a dead end.
John Case wrote:
> I was saying that pursuing Calypso was a dead end.
I disagree.
There are still quite a few people in the world who can learn about low-level details of 2G cell phone networks, and that is valuable.
I think your approach of staying with a non-cell-phone device is admirable, but in practice it's not nearly as convenient and so it doesn't scale. It might be good enough for some, but in any case it can't really be called a cell phone.
//Peter
You have a point here, but students have been using stuff ranging from Sagem trace phones and their software and API goodness down to Matlab working simulations for more than two decades. There is a misconception that I observe in recent years when attention to telecom networks bolded in blackhat-style communities and later in the open source "software" society: it is one thing to learn, say, GSM by coding, hacking, reversing, setting up OpenBTS, reflashing Motorola or Nokia whatever old phones -- and there is another thing referred to as building total open cellphones, total open BSCs etc. for real use and widespread cells. The 1st is valuable, and it is not new, it's just getting more attention as the business is growing. The 2nd is just delusion.
Regarding another point in this thread: I'd love to see leaks. It's just good to have others' property all over the place (I personally don't like it if it's done to me, but quite frankly I'd enjoy taking a look at any interesting leaks, whether GSM or other things that are getting more common nowadays on the web, and I am not ashamed of calling my own double standard bullshit - because it is, and humans were/are always full of it, hats off to Louie CK by the way) -- therefore I see it as a good idea to make a wave and encourage some retard engineer with access to the internal network of one of these 2-3 vendors to leak shit. Remember Microsoft's partial source leak? I've still got it and although it never had any use for me, very suddenly when I am going through archives some nights I take a look at some random .cpp; there is always a comment or even a dialogue between coders inside a function that is worth a long good laugh. Then what? Having access to someone's IP, especially with nowadays' lawyers, licensing or patent disputes, governments who sell kilohertz of air for billions.. is not realistically going to do any good. Add to this and the previous mails the fact that life is too short and many things happen to a person or small teams, like the one who developed one of the best Linux file systems then killed his ex-wife in some stupid move and is now doing time. To have something "steady" for wide-area use for a long time it needs infrastructure, funds, motivated people, buying and selling stocks... For cellphone-style communications, such establishments already exist: the ones that, to my understanding, many "hackers" want to bypass, while paying tax to their government, which pays membership fees to remain a member of, say, ITU and plays other roles in restrictions (no matter how we judge this). This was what my "dead end" answer to John was based on. It is not just about "Calypso".
On Thursday, Mehr 13, 1391 at 16:38, Peter Stuge wrote:
> John Case wrote:
> > I was saying that pursuing Calypso was a dead end.
> I disagree.
> There are still quite a few people in the world who can learn about low-level details of 2G cell phone networks, and that is valuable.
> I think your approach of staying with a non-cell-phone device is admirable, but in practice it's not nearly as convenient and so it doesn't scale. It might be good enough for some, but in any case it can't really be called a cell phone.
> //Peter
On Thu, 4 Oct 2012, Peter Stuge wrote:
> John Case wrote:
> > I was saying that pursuing Calypso was a dead end.
> I disagree.
> There are still quite a few people in the world who can learn about low-level details of 2G cell phone networks, and that is valuable.
Ok, I'll qualify that ... I think that pursuing Calypso as the only working component of Osmocom, and to the exclusion of all else, is a dead end.
If Harold gets the open implementation of Calypso up and running as a dev kit and we can all build IMSI catchers with that, that's great - I will buy 10.
In terms of making people's lives better and giving people more security and freedom, there needs to be a 3G (or even LTE) platform.
I am repeating myself, but again: when was the last time a reference handset was in the hands of millions of people? And had been produced as a showcase of running a free OS? If these kids can break the PS3, one of these Nexus platforms should be able to be cracked wide open.
> I think your approach of staying with a non-cell-phone device is admirable, but in practice it's not nearly as convenient and so it doesn't scale. It might be good enough for some, but in any case it can't really be called a cell phone.
I'm just looking for control and security in my mobile computer ... I see two different routes to get there:
1. Gain complete, end-to-end (BP + AP) control over some hardware platform (obviously preferable)
2. Just find a computer I like and add a USB modem to it (the only thing currently workable)
So it's not what I want, and certainly not what I would push others toward - it's just the only option...
John Case wrote:
> > > I was saying that pursuing Calypso was a dead end.
> > There are still quite a few people in the world who can learn about low-level details of 2G cell phone networks, and that is valuable.
> Ok, I'll qualify that ... I think that pursuing Calypso as the only working component of Osmocom, and to the exclusion of all else, is a dead end.
I don't think anyone in the Osmocom family of projects excludes anything. If you want to go for making an open 3G or LTE platform then go for it! It's no small undertaking however.
//Peter
baseband-devel@lists.osmocom.org