33C3: Dissecting 3G/4G Phone Modems
Tuesday, 21 February 2017 09:00

[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communications Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.

This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though; it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone 5, because it makes the DIAG stream easily available.

Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.

Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.

As things stand now, [Holger] and [LaForge] have documented a lot of the Linux system that’s running inside the EC20 phone modem, so it’s ripe for development. They have a toolchain set up so that you can compile and flash a kernel to the modem, and there is an Android Debugging Bridge (adb) root shell, so you can do basically anything. This isn’t Arduinery — there’s still a lot of real engineering left to do before you’ll be using these modules directly in your own projects — but until now 4G and LTE phone modems have been an entirely opaque black box to the hacker community. At least now we’ve got a foothold.
