1. 48
  1.  

  2. 5

    For more fun with AT commands and baseband processors, I would highly recommend a paper that appeared at USENIX Security in 2018: https://www.usenix.org/conference/usenixsecurity18/presentation/tian

    1. 4

      Holy cow. I knew that baseband processors were fairly sophisticated, but I had no idea they had their own Linux OS and you can just route packets around using iptables (inside the phone!). The security implications are pretty substantial, since a Linux vulnerability (in whatever older kernel version the processor runs) could compromise all data on the device.

      1. 6

        Baseband processors were horrifyingly vulnerable and never updated long before anyone thought of running Linux on them. A device with a baseband modem is a walking vulnerability, and baseband modems which are connected to your phone’s CPU via shared memory are walking vulnerabilities with access to all your secrets. What’s worse is, the legalities of FCC certification mean you can’t do anything about it without potentially going to jail for it.

        As I understand it, all Snapdragon-based SoCs (basically what every modern Android phone uses) probably have the baseband modem integrated into the SoC using shared memory. Sure, an IOMMU could help here, but I still think it’s horrifying. Apple seems to use a separate baseband connected over HSIC (basically a kind of USB). The PinePhone and Librem 5 also segregate the baseband (even better than Apple does). But you wouldn’t know this because nobody seems to even want to advertise this that much.

        The Neo900 was the only project I’ve known of that actually tried to segregate the modem properly and add monitoring to it (by using current sensors on the antenna and power draw, by not connecting either the microphone or the speaker to the modem directly (which is common even on phones which don’t have the modem in the SoC), and by being able to completely disconnect power to the modem, including from software).

        Nobody talks about this, nobody cares about this, it’s completely insane.

        1. 2

          At this point, there isn’t a lot of space between ultra-tiny microcontrollers like the MSP430, and small ARM processors running Linux. When a Linux-capable ARM SOC costs a dollar, what’s the point?

          1. 1

            This Quectel device is not normally used as a mobile phone baseband, so I reckon the Linux device is a separate application processor core that executes the AT command interface[*], and then the baseband processor runs independently “under” that (but is tightly coupled to the Linux application processor, the same way it is in an Android phone SoC, only in that case the Linux processor has more resources and runs Android).

            i.e. there’s an extra layer of Linux OS here compared to the processor+baseband you find in a lot of things.

            [*] and if you’re Quectel’s customer you can probably get it pre-provisioned to officially run other things, or get an SDK for it.
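The AT command interface mentioned above is the only thing most owners can talk to on such a module; a minimal way to inventory it (identity and firmware revision, so you can track whether the module ever receives updates) is shown here as an added example that is not from the article or from Quectel. The modem transport is a constructed fake so the code runs offline; `SAMPLE_REPLIES`, the revision string and the device path in the comment are assumptions.

```python
import re

# Final result codes that end an AT response (3GPP TS 27.007 style).
FINAL_ERROR_RE = re.compile(r"^(ERROR|\+CME ERROR: .*|\+CMS ERROR: .*)$")


class FakeModem:
    """Constructed stand-in for a pyserial port on the module's AT channel
    (on real hardware you would pass serial.Serial('/dev/ttyUSBx') instead;
    the path is a placeholder). Echoes the command, then replays a reply."""

    def __init__(self, replies):
        self.replies = replies
        self.buf = b""

    def write(self, data):
        self.buf += data.rstrip(b"\r\n") + b"\r\n"            # command echo
        self.buf += self.replies.get(data.strip(), b"ERROR\r\n")

    def readline(self):
        if not self.buf:
            return b""
        line, _, self.buf = self.buf.partition(b"\n")
        return line + b"\n"


# Constructed sample replies; the revision value is made up for the example.
SAMPLE_REPLIES = {
    b"ATI": b"\r\nQuectel\r\nEG25-G\r\nRevision: EXAMPLE-REV-01\r\n\r\nOK\r\n",
    b"AT+CGMR": b"\r\nEXAMPLE-REV-01\r\n\r\nOK\r\n",
    b"AT+CPIN?": b"\r\n+CME ERROR: 10\r\n",   # e.g. no SIM inserted
}


def send_at(port, command, max_lines=50):
    """Send one AT command; return (succeeded, information_lines).
    Blank lines and the command echo are dropped; OK / ERROR / +CME ERROR
    terminate the exchange. Raises if no final result code arrives."""
    port.write((command + "\r").encode())
    lines = []
    for _ in range(max_lines):
        raw = port.readline()
        if not raw:
            break
        line = raw.decode(errors="replace").strip()
        if not line or line == command:
            continue
        if line == "OK":
            return True, lines
        if FINAL_ERROR_RE.match(line):
            lines.append(line)
            return False, lines
        lines.append(line)
    raise TimeoutError(f"no final result code for {command!r}")
```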

          2. 3

            I think [linux] (and arguably [security]) might be better tag(s) here; [mobile] seems to expand to “Mobile app/web development” which I’m not convinced applies.

            With all that said: this is an amazing article, and also Pine*-related stuff tends to be fun to read!

            1. 2

              So according to Lukasz Erecinski

              the Quectel EG25-G LTE modem runs its own closed-source OS

              And according to this blog the modem runs Linux, which is GPLv2. Wouldn’t the manufacturer be legally required to share their OS sources with anyone who has the binaries, i.e. any PinePhone owner?

              1. 4

                They comply with the GPL by hosting an FTP site with the GPL code that they use, which appears to just be copies of the stock Linux kernel source code. The rest of the OS is presumably proprietary.

                1. 2

                  Interesting! AFAICT any kernel modules (e.g. drivers) must be GPLv2 because they’re linked to a GPLv2 codebase. It’s possible all their proprietary code is in userspace, but that’s a bit unexpected.

              2. 1

                This is simultaneously amazing and scary.