asked 2014-04-07 00:48:58 +0300
Where can I find more info about Jolla's BaseBand?
Came across this article now having some questions about Jolla. Is Jolla using closed BaseBand or open Osmocom? Why / why not? Does it have access to RAM or disk (or other resources)? All of it or only some portion? Is it secure from GSM-end or easily accessible/hackable by custom base-station? Is BaseBand CPU master or slave compared to application CPU?
answered 2014-09-02 15:04:57 +0300
I don't know the details, and it is a very difficult thing to answer, but we do use the Qualcomm firmware on the modem end. This has to do with ODM software support etc... If any of those problems mentioned in that article actually are present is even harder to say. Especially as the software on top is significantly different from the common stacks, a number of those findings most likely don't apply.
But does the baseband or baseband firmware indeed have unfettered access to RAM and other resources? Or is it somehow compartmentalized? A cracker or Evil Empire having access to my voice and internet traffic is something else than having access to every piece of information on the device.
Fuzzillogic ( 2014-09-02 20:12:37 +0300 )editit's Qualcomm, you cannot comparamentalize it and still have it work.
Unless you have a separate CPU with connects to this QC chipset and runs the actual OS... very much overhead in this kind of system
I do think QC is evil and there should be an alternative to it, even though it is very advanced and cost efficient. They have made their chipset on the presumption that all is integrated on it, not comparamentallizable
juiceme ( 2014-09-03 00:34:27 +0300 )editanswered 2014-09-06 14:29:20 +0300
You can find out quite a bit with googling and looking at the system. I've wanted to write this up for some time, but since there's no Wiki, it will probably get lost in the Q&A style, but here we go anyhow.
The Jolla Sailphone uses an QCT MSM8930 CDP SoC. This is a Snapdragon 400 architecture, consisting of the ARM CPU cores together with several Hexagon DSPs (see also here). This DSP is an VLIW with a proprietary instruction set. It's not entirely clear how they are used, but there are probably two in the Modem subsystem and one for Multimedia, possible more (less general ones). The Multimedia DSP can in theory be programmed by applications for things like face recognition and speech analysis (or other typical DSP workloads). The modem DSPs or similar cores are probably responsible for all radio-related activities (and potentially much of that as Software Defined Radio): GSM, LTE etc.; WLAN, Bluetooth; noise-cancelling, FM-radio and GPS/Glonass.
The firmware images for these coprocessors can be found in /firmware/image on the Sailphone. It's very likely that these are protected with a cryptographic checksum on boot, so one probably cannot change them directly.
The main cores, coprocessors and other components on the SoC are connected by various busses (called "fabrics"). At least one of them is a Slimbus. One can only speculate if the coprocessors have direct access to the main memory, or if they need to go through the main core(s) in order to access it.
As to the security implications: The baseband DSP is complex, the protocol is complex, so it's likely to contain bugs or even backdoors. So you shouldn't visit China if there's sensitive information on your Sailphone, but then any cellphone or laptop is likely to get (physically) compromised when visiting China, so that's not news. Even if the NSA or similar agencies have reverse engineered the baseband, found bugs, tailored the bugs to specifically access Jolla (which is different from most Android phones/iPhones), and consider you important enough to target you in that way, they still would have a lot easier time by just get physical access to your phone or just listening in on the communications.
So in terms of being a real threat it's rather unlikely. The Jolla developers can't do anything about that, either, because they are probably bound by a contract to not reverse engineer or change the firmware, and they likely don't have the time for it, anyway.
It would be much more interesting to gain access to the Multimedia DSP and be able to play around with it. I'd also be interested in a more low-level access to the GPS interface.
Good googling :) thanks, This information should be added here I would say https://sailfishos.org/wiki/Main_Page
Nieldk ( 2014-09-07 08:43:12 +0300 )edit@Nieldk: I don't think that Wiki is public. At least I can neither create an account, nor log in. Yes, an open wiki for SailfishOS would be really nice to have (https://together.jolla.com/question/48947/is-there-a-wiki-for-jollasailfishos/)
dthierbach ( 2014-09-07 17:43:28 +0300 )editanswered 2014-09-03 12:52:34 +0300
In regards to the baseband firmware, there's not much we can do about it. Maybe Jolla at their next iteration can develop their own.
In regards to RAM/ROM/FLASH access, Sailfish could (easily?) encrypt all it's data in RAM and in ROM/FLASH, thus circumventing the liberal access from the baseband processor.
answered 2014-09-02 19:49:47 +0300
On a general level this is an area, which is close to the bare metal and where an RTOS is a requirement. Both of which call for an in-depth knowledge of the hardware. And most likely the hw manufacturer wouldn't want to share this kind of an information. So one would need to do extensive reverse engineering etc. Also on top of that for example Qualcomm's baseband is actually integrated into the SoC.
Yes there's an open-source project called Osmocom, but I wonder who would have the resources to develop it to a commercial level (besides a baseband manufacturer itself). At the moment it supports a very limited number of basebands and only GSM.
Besides basebands, there are lots and lots of other devices that run a possibly buggy and vulnerable proprietary firmware. You could for example hack into an office VOIP phone or copier for getting access to the internal network, photocopies or the phone's mic. This would be much more feasible than hacking a tightly secured server.
Asked: 2014-04-07 00:48:58 +0300
Seen: 1,672 times
Last updated: Sep 06 '14
It is highly likely that the GSM modem can get access to the RAM used by the CPU. Something to be considered for Jolla 2.
richardski ( 2014-04-09 13:02:17 +0300 )editFunny how nobody seems to want to answer this kind of question :D
velimir ( 2014-09-02 12:09:05 +0300 )editMaybe those at Jolla who could answer are not allowed because of NDA or something?
Venty ( 2014-09-02 12:12:31 +0300 )edityes, but with whom did they sign the nda and why? all interesting questions, considering they advertise the device as "Open source"..
Disclaimer; i am not trying to give blame here, i just find these questions interesting :)
velimir ( 2014-09-02 12:16:43 +0300 )edit