#qi-hardware IRC log for Sunday, 2012-06-17

00:32 <whitequark> http://arstechnica.com/information-technology/2012/06/amd-to-add-arm-processors-to-boost-chip-security/
00:32 <whitequark> one of the rare times I see a situation and see a nanonote as an immediately useful solution
00:36 <wpwrak> you want to add a nanonote to the cpu ?
00:36 <whitequark> naw
00:37 <whitequark> just recalled a new Cory Doctorow book
00:37 <whitequark> they used a small and presumably somewhat trusted computer to do a key signing party
00:38 <whitequark> (they) the book is 1984, but in 2014. you got the idea. I'm too sleepy now to explain it properly anyway.
00:39 <wpwrak> (small computer) ah, i see. yes, the ben is quite good at being small ;-)
00:39 <whitequark> while I'm not absolutely sure that NN's CPU does not contain backdoors (I haven't examined the actual silicon), that would have a really really low probability
00:39 <whitequark> and it definitely does not have backdoors as features
00:40 <whitequark> the next-NN with M1 SoC should fix this problem
00:40 <wpwrak> CPU backdoors would also be kinda tricky
00:40 <whitequark> yes
00:40 <wpwrak> fpgas could still have "backdoors" ;-)
00:40 <whitequark> besides that, NN does not have any wireless ifaces
00:40 <whitequark> which makes it quite perfectly safe for the task
00:40 <wpwrak> mine do, sometimes :)
00:41 <whitequark> well, a cpu backdoor would require extensible software cooperation
00:41 <whitequark> so I don't think it's even a theoretically realistic scenario
00:41 <whitequark> after all, if you're _that_ paranoid, you can do RSA with a calculator
00:42 <whitequark> or a pen and a piece of paper
00:42 <whitequark> definitely no backdoors there.
00:42 <wpwrak> someone whispering numbers to make you miscalculate
00:42 <whitequark> (fpgas) yeah, I won't blindly trust a fab to not alter the netlist. but I would evaluate the complexity of such a task, and again, it is not realistic at all
00:43 <whitequark> not significantly more realistic than (/me drops a pen on the floor) that pen tunneling through the floor.
00:43 <whitequark> it's possible according to quantum mechanics, just not very probable :D
00:43 <whitequark> besides which, netlists were OCR'd with a microscope and a polarizer, and if you have the sources
00:44 <whitequark> (see: visual6502.org)
00:44 <whitequark> it's all verifiable, though hard
00:44 <whitequark> but the military supposedly does that verification, and so could any interested party
00:45 <whitequark> wpwrak: are you perfectly sure that your C compiler doesn't have a, say, self-reproducing `login' backdoor which it inserts in `login' and `cc' itself, but which does not appear in the sources?
00:45 <whitequark> gcc has been built with gcc for ages
00:45 <whitequark> has it always had digital signatures? were they enforced?
00:46 * kristianpaul remembers gnu's ftp was compromised some time ago
00:47 <whitequark> I often think that when working with security, you just need to go to the extreme. not to do something practical, but just to evaluate the risk
00:47 <whitequark> what once seemed impossible is easy now
00:47 <whitequark> e.g. trusted computing
00:47 <whitequark> people would laugh at this idea in '85
00:47 <whitequark> (or should I write "trusted" each time?..)
00:48 <whitequark> [that is, quoted.]
00:48 <wpwrak> my paranoia knows limits :)
00:48 <whitequark> wpwrak: would you consider someone placing a supplementary core as a backdoor in your CPU 20 years ago?
00:49 <whitequark> or, for current CPUs, there is SMM
00:49 <whitequark> which is technically an undetectable backdoor
00:51 <whitequark> it's not paranoia and I'm not going to throw away my Galaxy SII because it has a trusted computing module in the CPU (maybe because of the blobs; they're so badly written that they can be broken not because of malice but simply because of stupidity)
00:51 <kristianpaul> so what is it?
00:51 <whitequark> an evaluation of possibilities
00:52 <whitequark> modern CPUs are incredibly complex (they're more like SoCs already, even in PCs), and they get more complex each year
00:52 <whitequark> it's anything but hard to hide a backdoor in a device like this
00:52 <kristianpaul> yup
00:53 <whitequark> for example, anyone familiar with FPGAs could confirm that it's easy to make a special long command stream that
00:53 <whitequark> will instantly throw you to ring0
00:53 <whitequark> or just instantly smm
00:53 <whitequark> enough, you're pwned.
00:53 <whitequark> you can even hide it in microcode if you want
00:54 <whitequark> besides which, AMD openly states that they put a backdoor in the CPU.
00:54 <whitequark> what else do you fucking need?!
00:57 <whitequark> ... and silence was the answer to him :)
00:57 <whitequark> whatever, I'm gonna get some sleep.
00:57 <whitequark> 5AM here
00:57 <kristianpaul> I was about to say that (sleep) :_)
03:57 <wolfspraul> my first practical goal for fpgatools will be an inverter :-)
03:57 <wolfspraul> I think that's the shortest path to something that runs
03:58 <wolfspraul> so I will take the smallest spartan-6 (xc6slx4), buy a bunch of them (like 10-20), then make the most minimal board possible to just power the chip and expose jtag
03:59 <wolfspraul> then use fpgatools to program the chip and get the inverter to work
03:59 <wolfspraul> oh I guess I need 2 pads for the inverter itself as well
04:00 <wolfspraul> inside the chip, the inverter will start at one pad, pass through an I/OLOGIC and some switch boxes before coming out negated on the other pad
04:00 <wolfspraul> that's the plan :-)
04:04 <wpwrak> you can develop this on milkymist ...
04:21 * DocScrutinizer05 reads acklog and smiles
04:21 <DocScrutinizer05> back*
04:48 <roh> re
05:08 <pabs3> whitequark: got a link to the AMD CPU backdoor thing?
06:39 <wolfspraul> wpwrak: no that would miss the point, right now
06:39 <wolfspraul> I am working in the bitstream, and already dealing with 2+ million bits
06:39 <wolfspraul> I don't want to deal with 10 million instead
06:39 <wolfspraul> plus a slx4-based inverter allows me to go through the pcb-making as well
06:40 <wolfspraul> but I'm coming at it from the side of the fpgatools, where I do need small incremental steps to work through the many many different 'things' that are on any spartan-6 chip, even the smallest
06:40 <wolfspraul> of course after the inverter I will do a few more gates, include slices, more switch boxes, and eventually work my way up to larger chips like a slx45
06:40 <wolfspraul> but one by one, that's the point: inverter on slx4 :-)
06:41 <wolfspraul> the inverter doesn't even need a slice because it uses an invert mux right in the io block
06:41 <wolfspraul> good for me
08:18 <pabs3> DocScrutinizer: so Nokia is joining the mobile patent wars, nice
08:48 <lekernel> wpwrak: this wasn't a good time? huh?
08:52 <wpwrak> lekernel: they were working on other changes that would have interfered
08:54 <wpwrak> wolfspraul: hmm, so the difference between the FPGA in M1 and the FPGA you want to play with would merely be size but not structural variety ? in that case, can't you just ignore the extra 8 Mbits, just like you'll already ignore some ~2 Mbits your inverter doesn't need ?
08:54 <wpwrak> wolfspraul: (pcb-making) you should really pick something simpler to get started. don't worry, even simple things can get quite hard when you do them for the first time :)
09:15 <whitequark> DocScrutinizer05: yeah, I remember our discussion about paranoia, yes :) it'd be wrong to say that it didn't make me think
09:15 <whitequark> pabs3: http://arstechnica.com/information-technology/2012/06/amd-to-add-arm-processors-to-boost-chip-security/
09:34 <whitequark> DocScrutinizer05: just found an interesting feature in SGS2 BP
09:34 <whitequark> if you send 0xDEADDEAD to the BP bootloader instead of data length, then, instead of writing, it'll read entire modem RAM and send it to host
09:34 <whitequark> yes, it can write too, and reboot
09:35 <whitequark> and it doesn't exactly verify any signatures
09:35 <whitequark> well, theoretically it does, but looks like someone fucked it up
09:35 <viric> whitequark: djbclark gave them to me
09:35 <whitequark> looks like I'm lucky with baseband modules with interesting features
09:38 <pabs3> interesting discovery
09:39 <whitequark> SGS2 looks like that everywhere
09:39 <whitequark> it's more of a devboard than a phone: there are *some* locks, but they're not very difficult to bypass
09:40 <whitequark> ... and I tried asking a Korean dev about a feature of a PMIC which was under NDA
09:40 <whitequark> and got a helpful reply
09:41 <whitequark> maybe osmocombb folks would be interested?
09:41 <whitequark> the BP is based on xgold262
09:42 <whitequark> er, 626
09:44 <lekernel> just build your own fucking BP
09:44 <lekernel> it's really frustrating to see how many hours are spent reverse engineering proprietary stuff that becomes obsolete in 1 yr
09:45 <viric> what is a bp?
09:45 <whitequark> baseband processor
09:46 <whitequark> cpu in mobile phones which talks to the GSM network
09:50 <viric> ah ok
09:54 <wpwrak> *hmm*. i need a C function that returns a pointer to a function just like itself. do i need more sleep/caffeine or is void * really the best i can do in terms of type safety ?
10:03 <whitequark> hmmm
10:03 <whitequark> interesting
10:04 <wpwrak> nice, isn't it ? an infinitely recursive type declaration :)
10:04 <whitequark> yeah, C isn't haskell
10:05 <whitequark> so, only void*
10:06 <wpwrak> and of course, typedef won't accept the same name at two places
10:20 <whitequark> yeah
10:20 <whitequark> that's why I said it's not haskell
10:53 <viric> wpwrak: http://c-faq.com/decl/recurfuncp.html
10:54 <viric> the struct trick looks good to me
10:55 <viric> if you can afford a struct. :)
10:56 <wpwrak> oh, that's pretty nice. thanks !
12:44 <viric> What do you think, about GPL....
12:44 <viric> There is a GPL software...
12:44 <viric> but I can download it only if I identify myself.
12:45 <viric> Does GPL say anything about the right to (more or less) private access to the sources?
12:46 <viric> - A government website lets me download GPL cryptography software they developed, but only if I identify myself and explain why I download that.
12:48 <DocScrutinizer06> viric: wpwrak: this again convinced me I don't know shit about c and better resort to beating up grannies on the street and robbing their handbags
12:48 <viric> :)
12:49 <DocScrutinizer06> or simply refuse coding in anything but assembler
12:59 <lekernel> viric: opencores does a similar thing :)
13:00 <viric> ahh
13:13 <wpwrak> viric: on the first access, they can make you jump through as many hoops as they want. make you agree to deliver a million euro, your soul, your firstborn, droit du seigneur, whatever.
13:14 <kristianpaul> viric: redoi
13:14 <kristianpaul> sorry
13:14 <wpwrak> viric: but then you're FREE to spread as many copies as you want, to whomever you want :)
13:14 <kristianpaul> viric: redistribution is not mandatory, at least if you just use that software, i understand
13:15 <wpwrak> DocScrutinizer: C is an amazing language. it grows with you. the better your skills get, the more you understand its perfection.
13:15 <kristianpaul> yup, (grows part)
13:15 <DocScrutinizer05> the better you understand C the more you wish it never got invented ;-)
13:16 <wpwrak> DocScrutinizer: you prefer junk languages like C++ ? :)
13:16 <DocScrutinizer05> eeeeeeeeeeeeEEEEEEEEEEEeeeeeeeeeeeeeek
13:16 <DocScrutinizer05> I'm one of those Wirth softies ;-P
13:17 <wpwrak> aha, a quiche-eater :)
13:17 <DocScrutinizer05> indeed
13:17 <wpwrak> luckily, i was able to shake that bad habit a good while ago
13:18 <DocScrutinizer05> strict typechecks - heaven!
13:18 <viric> kristianpaul: I've to use that software to send my tax report
13:18 <wpwrak> C has strict type checking
13:18 <DocScrutinizer05> BWAHAHAHA
13:18 <viric> Yes, I like the C strict type checking
13:18 <lekernel> C? perfection? lol.
13:18 <viric> typedef is not defining a new type, though.
13:19 <wpwrak> some of it in the form of warnings, but you get your diagnostic when you need it
13:19 <kristianpaul> viric: and you already got it in object form?
13:19 <DocScrutinizer05> bool foo() {...; return 345}
13:19 <viric> kristianpaul: sure. a java applet.
13:19 <viric> kristianpaul: I even run it. But it fails for me :)
13:19 <kristianpaul> hmm
13:19 <DocScrutinizer05> we had that less than one week ago, in some popular shite I can't recall
13:19 <lekernel> especially for e.g. string manipulations, which keeps infosec people fed
13:20 <wpwrak> lekernel: my most illuminating experience with C was when i wrote a language that incorporated much of C (for a scriptable debugger). there, i learned to appreciate many of the more subtle points of that language
13:20 <viric> talking of string manipulations, I recently discovered stpcpy
13:20 <DocScrutinizer05> now I recall: it was that funny vulnerability of MySQL
13:20 <kristianpaul> i'm fed with binary related operations, usually perl is more ready in such cases
13:20 <lekernel> there's also strfry()
13:21 <DocScrutinizer05> that made every one out of 256 auth tries succeed no matter which credentials
13:22 <DocScrutinizer05> and you tell me there's something like strict typechecks in C
13:22 <lekernel> the C library is sucky as well. how do you move/rename a folder? system("mv ...")
13:23 <kristianpaul> isn't that more a posix problem (folder) ?
13:23 <lekernel> and of course what you give to system() has to come from the aforementioned string manipulation mess
13:23 <kyak> how does 'mv' move the folder?
13:23 <wpwrak> lekernel: rename() will do just fine for renaming
13:24 <lekernel> wpwrak: no, if you cross mount points it doesn't work.
13:24 <wpwrak> lekernel: that's not a rename :)
13:25 <wpwrak> DocScrutinizer: booleans are a perversion you quiche-eaters added. you deserve the consequences :)
13:26 <viric> lekernel: well, some OSes have different operations for move and rename
13:26 <viric> for example.
13:26 <DocScrutinizer05> well, a particularly nice type we quiche-eaters added are sets, which are defined as bit fields internally
13:27 <DocScrutinizer05> basically a uint1
13:27 <viric> rename() renames a file, moving it between directories if required.
13:27 <viric> I didn't know it.
13:27 <viric> C89.
13:28 <lekernel> oh and there's also memcpy vs. memmove
13:28 <viric> of course
13:29 <viric> that allows operations of different performance
13:29 <lekernel> now if you think that sort of thing doesn't waste developer time, look at this: https://bugzilla.redhat.com/show_bug.cgi?id=638477
13:30 <DocScrutinizer05> well, lemme guess. memmove remapping if possible?
13:30 <lekernel> viric: wrong. the test for the direction of copy at the beginning of memmove() is unnoticeable.
13:30 <viric> ah you mean it could check if it overlaps or not?
13:31 <DocScrutinizer05> it could simply tweak the mmu table
13:31 <lekernel> DocScrutinizer05: no it's much simpler than that. copying memory. only if you use memcpy() you must make sure your two regions don't overlap.
13:31 <viric> hm I think you miss what memmove is about :)
13:31 <DocScrutinizer05> which e.g. NeXTStep did per definitionem for inter-process messages
13:32 <larsc> language flamewars, always so much fun
13:32 <lekernel> as if your brain was available to pollute it with such details
13:32 <kristianpaul> larsc: :)
13:32 <wolfspraul> larsc: hey sorry. what was your comment about 'ast generator' about the other day?
13:32 <viric> Let's see if C11 addresses any of that ;)
13:32 <wolfspraul> I didn't get it
13:32 <wolfspraul> (that was in #milkymist, about migen)
13:33 <wolfspraul> my question comes down to "what is the difference between an 'ast generator' and a 'proper language'?"
13:35 <DocScrutinizer05> lekernel: well, seems a straightforward pretty natural approach. I know if my two pointers point to unrelated objects or if I just want to shift a mem-area by a few bytes "in place"
13:35 <viric> DocScrutinizer05: but that could be checked
13:36 <DocScrutinizer05> what for?
13:36 <DocScrutinizer05> AIUI it *gets* checked, in memmove
13:37 <viric> only have one function: memcpy
13:37 <DocScrutinizer05> I mean, it's not a mandatory prerequisite that mem overlaps to use memmove on it
13:37 <viric> if the regions overlap, run memmove. If not, run memcpy.
13:37 <larsc> wolfspraul: well with an ast generator you basically write in another language, a metalanguage if you want to say so. which can be very powerful.
13:38 <viric> I meant the opposite. if overlap, memcpy. If not, memmove.
13:38 <DocScrutinizer05> if you however know your areas never can overlap (a very usual case), why use a function with a useless check?
13:38 <viric> because memmove can be implemented faster.
13:38 <viric> amh
13:38 <viric> no
13:38 <viric> the opposite.
13:38 <viric> ;)
13:39 <lekernel> viric: really you can gain 10 nanoseconds or so on a modern machine. is it really worth all the wasted hours on that bugzilla report? no.
13:39 <viric> lekernel: I agree I agree
13:41 <lekernel> DocScrutinizer05: because developers make mistakes.
13:41 <DocScrutinizer05> lekernel: 10ns??? >> The memory areas may overlap: copying takes place as though the bytes in src are first copied into a temporary array that does not overlap src or dest, and the bytes are then copied from the temporary array to dest.
13:42 <DocScrutinizer05> seems to include a malloc
13:42 <lekernel> yes, 10ns. in all implementations I've seen it's only about the direction of copy.
13:42 <lekernel> no, there's no malloc
13:43 <DocScrutinizer05> I'd expect a tiny bit longer than 10ns for this to complete
13:43 <lekernel> just a test at the beginning to determine the copy direction
13:44 <DocScrutinizer05> now if that's true then this manpage is pretty buggy and fuckedup
13:44 <lekernel> the subtlety is in the "as though" ...
13:44 <DocScrutinizer05> as the result of the operation may differ vastly in certain situations
13:44 <DocScrutinizer05> e.g. memmove on an IO memmapped area
13:45 <DocScrutinizer05> there a complete mem mapping swap for each switch between read and write of a byte or word could take pretty looooong
13:45 <lekernel> I don't think you're supposed to use the regular libc memmove on weird memory-mapped I/O... it doesn't even guarantee the size/alignment of accesses
13:46 <DocScrutinizer05> hehe, true
13:46 <DocScrutinizer05> but manpages are supposed to be accurate
13:47 <wolfspraul> larsc (in absence) ok, thanks. I still don't get it :-)
13:47 <wolfspraul> but that's ok
13:48 <wolfspraul> "language" for me is a set of rules, grammar, syntax, vocabulary/keywords, etc.
13:48 <wolfspraul> it's used to express something, that someone (or some program) can understand, or interpret in some way
13:48 <lekernel> wolfspraul: if you write vhdl or verilog, you have a single language that expresses the logic more or less directly
13:48 <wolfspraul> I'm just not familiar with the term 'ast generator'
13:49 <DocScrutinizer05> lekernel: btw the rationale of "because developers make mistakes" clearly suggests to abandon C altogether and rather use a proper lang like pascal or modula, which comes with runtime checks for all those more commonly made mistakes, like array-index out of bounds, etc
13:49 <kristianpaul> pascal? no again ;-)
13:50 <lekernel> with the migen "ast generator", you are writing python (the "metalanguage") that manipulates fragments of verilog-style logic
13:51 <wolfspraul> maybe I should look at migen more and then I would get it
13:51 <lekernel> wolfspraul: does it make sense?
13:51 <wolfspraul> no, doesn't
13:51 <wolfspraul> but no problem, don't worry
13:51 <wolfspraul> interestingly googling for 'ast generator' also yields very little
13:53 <lekernel> DocScrutinizer05: ...and as you can see I'm writing python and moving milkymist software to lua these days :)
13:55 <viric> wolfspraul: verilog or vhdl is lekernel's assembler, and let's say he's writing a compiler in python, from some language of his to that assembler.
13:55 <viric> or a python lib that emits that assembler (vhdl/verilog). something like this?
13:55 <kristianpaul> assembler?
13:55 <kristianpaul> that's the net list
13:55 <viric> metaphoric
13:55 <wolfspraul> :-)
13:55 <viric> analogy to software
13:55 <kristianpaul> hmm
13:55 <wolfspraul> this is why I love 'ast generator'
13:56 <wolfspraul> I think this is not a widely understood term at all, given how hard it is to even google for a definition
13:56 <viric> So an ast generator is not cooking chicken?
13:56 <DocScrutinizer05> lekernel: btw differences between the supposed operation of memmove and the way it's probably done in the real world also may arise easily in the context of multitasking
13:56 <wolfspraul> I did find an 82 page 2008 paper from a german university
13:56 <wolfspraul> I don't need an 'ast generator'
13:56 <wolfspraul> :-)
13:57 <lekernel> DocScrutinizer05: totally. but the C language has the concept of a traditional single-core CPU built in (through pointers), so it's not appropriate here.
13:57 <DocScrutinizer05> when a concurrent process looks at the first byte of dest to determine if origin is already free to rewrite it
13:58 <DocScrutinizer05> sure you usually solve those issues with mutex etc
13:58 <DocScrutinizer05> or define the memmove section to be atomic
14:03 <DocScrutinizer05> ~wiki ast generator
14:03 <infobot> I couldn't find a matching article in wikipedia, look for yerselves: http://en.wikipedia.org/wiki/Special:Search?search=ast+generator&go=Go
14:03 <DocScrutinizer05> thought as much
14:05 <DocScrutinizer05> http://en.wikipedia.org/wiki/Abstract_syntax_tree ??
14:08 <DocScrutinizer05> or http://en.wikipedia.org/wiki/Andrew_S._Tanenbaum ? ;-P
14:10 <lekernel> 1st one ;)
14:12 <DocScrutinizer05> if it's about Abstract Syntax Tree then I wonder why anybody would need a generator for that, since my approach has always been: I think of code in AST in my head, and then convert it to any arbitrary lang and syntax. That's what I always called "I don't mind which language to use - I can program" - until somebody pointed me to http://c-faq.com/decl/recurfuncp.html :-S
14:13 <DocScrutinizer05> .s/I can program/ I know to design programs/
14:14 <kristianpaul> ast generator is an excuse in the absence of floss synthesizers that could allow those language extensions for our topic i think
14:17 <viric> mh I think it'd need a book covering clear state machine design and implementation (for software, in C for example).
14:18 <kristianpaul> C coding style? :-)
14:18 <viric> because it's one of those things where I start with a big function and some 'if/else' clauses.. then a switch... and soon some mess with out of band information...
14:18 <viric> C and C++ approaches to state machines would be nice
14:19 <viric> well, you can imagine that every program is some state machine, but with the state spread in multiple variables :)
14:31 <DocScrutinizer05> btw http://c-faq.com/ptrs/funccall.html kinda reassured me I understand a tiny bit of C at least
14:31 <whitequark> on ASTs
14:32 <viric> As for function pointers... I like to declare function types, instead of pointers to functions.
14:32 <viric> typedef int fptr(char x);
14:32 <viric> then I use:
14:32 <viric> fptr *x = myfunction;  x('z');
14:33 <whitequark> even in this context, I assume, AST is not some free-form structure resembling a free-form algorithm. If you have verilog, you can represent it in AST form, which allows you to manipulate the code very conveniently (compared to e.g. string functions or regexen)
14:33 <whitequark> basically AST is an incredibly simple storage structure
14:33 <DocScrutinizer05> viric: that's sth I feel familiar with
14:33 <whitequark> nested s-exps resemble an AST
14:33 <viric> I hate the "typedef int (*fptr)(char x)" kind of parenthesis. :)
14:33 <viric> but the latter looks much more widespread.
14:33 <whitequark> C is not a programming language
14:34 <lekernel> DocScrutinizer05: I disagree with many things that Paul Graham writes, but I think there are some good ideas in this one http://www.paulgraham.com/hundred.html
14:34 <whitequark> it's a PDP-11 assembler which thinks it's a compiler
14:34 <viric> Using function typedefs, instead of pointers-to-function, allows using the typedef for the prototypes.
14:35 <viric> Therefore throwing a bad declaration.
14:35 <viric> in case of bad types.
14:36 <viric> as here: http://sprunge.us/LNaW
14:37 <viric> line 3 couldn't be typed if the typedef were of a function pointer.
14:38 <viric> maybe there is a good reason why most people use typedef of function pointers, but I still don't know it.
14:42 <larsc> wolfspraul: for a language you have grammar, syntax, etc and a parser which will take care of generating an AST from code written in that language. In migen you don't have that, but rather construct the AST by hand
14:45 <lekernel> well, you'll have it later for special cases. but keeping the low-level stuff accessible is good - we need it for many things...
14:51 <kristianpaul> but migen's intention is not to be a language, is it? i understand it as the result of the frustration of generating SoCs by hand, now implemented in a "friendly" scripting language, no?
14:52 <kristianpaul> s/frustating/frustation
14:52 <lekernel> migen is a "toolbox" for generating large synchronous systems. anything that makes SoC design great can go into it.
14:53 <kristianpaul> oh, so it's not milkymist centric at all
14:54 <lekernel> no. the milkymist specific stuff is in the milkymist-ng repository.
14:54 <kristianpaul> hmm
14:56 <lekernel> here's another project using migen: https://github.com/brandonhamilton/rhino-tools
14:59 <kristianpaul> oh, migen includes dsp ASTs as well?
15:00 <DocScrutinizer05> lekernel: well, I agree partially with the http://www.paulgraham.com/hundred.html POV
15:00 <lekernel> if your question is whether the migen flow can be used for DSP, then yes
15:00 <DocScrutinizer05> that's why I dislike C
15:00 <lekernel> the "AST" (FHDL) is just like verilog... and can do pretty much everything verilog does, as long as you have a single clock
15:01 <DocScrutinizer05> C is all about premature optimization and a concept tainted by hw-related axioms/paradigms
15:01 <lekernel> DocScrutinizer05: and therefore you do assembler instead? ;)
15:02 <DocScrutinizer05> actually assembler is more honest in that regard
15:03 <kristianpaul> DocScrutinizer05: you code in forth as well?
15:03 <DocScrutinizer05> I used to
15:03 <DocScrutinizer05> in the early 80s
15:04 <DocScrutinizer05> pretty nice lang, after a week to get accustomed to it
15:06 <viric> 'rhino'... I had some bad time with java rhino.
15:06 <DocScrutinizer05> we used to program a Z80 based realtime video manipulation hardware in a lang 99% overlapping with forth
15:07 <DocScrutinizer05> the whole forth code had to get interpreted 25 times per second, at a fixed pace (today you call that realtime)
15:09 <DocScrutinizer05> basically the "mainloop" had the central wait on VSYNC
15:13 <DocScrutinizer05> lekernel: regarding this proposition in Graham about wasting cycles for simplicity - I had a similar discussion just some 12h ago: http://mg.pov.lt/maemo-irclog/%23maemo.2012-06-17.log.html#t2012-06-17T03:03:22 http://mg.pov.lt/maemo-irclog/%23maemo.2012-06-17.log.html#t2012-06-17T03:16:31 http://mg.pov.lt/maemo-irclog/%23maemo.2012-06-17.log.html#t2012-06-17T03:24:02
whitequarka fellow hacker, who reverse engineers SGS2 RIL (modem driver), just found a backdoor15:38
whitequarkif a specially-crafted incoming CSD call arrives, it passes a root shell to it15:38
whitequarkwhy am I not surprised15:38
lindi-whitequark: that's inside the BP?15:50
viricSGS = samsung galaxy something?15:51
whitequarkviric: yes15:52
whitequarklindi-: no15:52
viricand what is CSD?15:53
lindi-circuit switched data?15:53
whitequarkRIL is a service which translates AT commands from dialer and stuff to the modem IPC (thankfully, it runs in its own small compartment and cannot e.g. influence RAM of the AP)15:53
lindi-whitequark: is that part of some android phones?15:53
whitequarkyeah, CSD is circuit switched data15:53
whitequarkRIL is generally a part of any Android phone, but different vendors provide different RILs15:53
whitequarkthere is a reference, FOSS one15:53
whitequarkand Samsung ships this one with a backdoor in their phones15:53
viricquite an improvement over the foss.15:54
whitequarkwell, that's why we are writing a FOSS RIL15:54
lindi-whitequark: interesting, do you need operator help to initiate such a CSD call?15:54
whitequarklindi-: in Russia, I need to sign a contract (_very_ expensive) to be able to receive CSD calls at all15:54
whitequarkobviously the operator can still initiate it at their will15:55
viricwhat's a csd call about?15:55
whitequarkbut no, other users can't do that15:55
lindi-whitequark: yeah but could I initiate such a call?15:55
whitequarkviric: dialup through gsm15:55
whitequarklindi-: no, not while I'm in Russia with my current operator15:55
whitequarkbut I'm pretty sure it is perfectly possible in other countries/operators15:55
lindi-whitequark: yeah but I'm not in Russia15:55
whitequarklindi-: doesn't matter, incoming CSD calls are barred by my operator15:56
viricwhat's different between dialup through gsm, and usual voice calls?15:56
whitequarkviric: just like the difference between voice and data over plain old telephony15:56
whitequarkvoice call is voice, and CSD is an analog modem15:56
whitequarkwell, it's not exactly this way, but pretty close15:57
virican analog modem over gsm?15:57
whitequarkkinda15:57
viricit's about making something analog work over something digital?15:57
viricwho may want to use that?15:57
whitequarkI'm not very familiar with this technology, it was already dead when I got my first cellphone15:57
whitequarkwell15:57
whitequarkyou didn't have EDGE and GPRS back then15:57
whitequarkand you got to use CSD15:57
DocScrutinizer05whitequark: (backdoor) DUH!15:57
viricah is that about the 9600 bps internet connection?15:58
whitequarkviric: 9600 is fast.15:58
whitequarkDocScrutinizer05: it's not counting all other ways you could get control15:58
viricbefore gprs, I had 9600baud in my mobile phone, with a WAP browser15:58
whitequarkDocScrutinizer05: e.g. it sprintf()s a filename into a string and then system()s15:58
rohviric: thats csd.15:58
viricAh ok15:58
viricI remember its cost was calculated per minutes, not per amount of data transferred :)15:59
rohcsd is the '9k6 data' service in 2g (gsm)15:59
whitequarkviric: yeah, bloody expensive15:59
roheverything else came later.15:59
viricah, perfect.15:59
virichm that's why gprs mobile phones say allow to choose: "a) Only use GPRS b) fallback to GSM in case of lack of GPRS"16:00
roheverything else has much higher latency also. csd is/was much better than mobile ip now.16:00
viricI used it very rarely.16:00
whitequarkDocScrutinizer05: (the system() is from Android side and not modem), but it's as solid as swiss cheese16:01
whitequarkSGS2 is a funny machine, it does almost nothing to prevent your tinkering with it16:01
whitequarkblobs are not obfuscated nor even optimized16:01
whitequarki.e. a simple IDA run gives away all the details16:01
whitequarkthey didn't even strip them.16:01
DocScrutinizer05viric: it's a service tag on the data connection via GSM. There are tags for voice, data, fax16:02
DocScrutinizer05just like on ISDN16:02
whitequarki.e. you have all symbols AND DEBUG INFO.16:02
viricok16:02
whitequarkas I already said, modem bootloader allows you to read/write RAM and execute arbitrary code on the BP16:02
viricwhitequark: isn't it tricky about the linking, addresses, ...?16:02
rohwhitequark: why do you wonder?16:02
whitequarkroh: about what?16:03
rohabout debug symbols etc.16:03
whitequarkviric: nope, RIL is just a linux .so16:03
rohmost devices i get have adb running, some even on the ip interfaces.16:03
whitequarkroh: because I want a FOSS RIL, and also I want to know what this backdoor could do with my phone16:03
viricah, with sections and all that.16:03
rohwhitequark: thats only ONE backdoor possibility.16:03
viricroh: what's adb?16:04
whitequarkroh: I dunno what the stock firmware has, nor do I care. I run cyanogenmod on it and it doesn't have obvious stupid holes16:04
rohi do not trust the baseband fw (thats what your ril connects to) or anything else on such systems16:04
whitequarkroh: I neither16:04
DocScrutinizer05whitequark: which modem does SGS2 have?16:04
whitequarkDocScrutinizer05: xgold62616:04
rohviric: android debug bridge. the 'debugger helper tool'16:04
viricI;16:05
viricok16:05
whitequarkroh: but baseband is isolated in this machine. it doesn't control any hardware at all16:05
DocScrutinizer05whitequark: ooh, so it's not one of 'ours'16:05
rohso writing an opensource ril for droid is like putting one bucket of clean water in a pool full of mud. senseless.16:05
rohwhitequark: bullshit. sorry. most basebands have full system access.16:05
whitequarkroh: I have level 3 service manual with schematics16:05
rohincluding memory.16:05
rohbeside the possibility to use backdoors or bugs on the app-cpu. most basebands are 16:06
roh'trusted more' than the app-cpu16:06
whitequarkroh: and it only has IPC over USB for that matter. no sound routing (done by AP), no shared memory16:06
whitequarkroh: power management is done by a separate PMIC connected to AP16:07
rohwhitequark: doesn't make it better. do you think these 'ipc drivers' have any sane protections against harmful data streams?16:07
whitequarkbaseband power is managed by AP, though I don't know exactly to what degree, this needs further investigation.16:07
DocScrutinizer05roh: BS, e.g. next STE modem on SG has HSI interface and doesn't control *anything* on AP16:07
lindi-whitequark: anyways, would be really good to have some public report about this16:07
whitequarkroh: kernel is open-source and can (and will) be fixed, that's already ongoing.16:08
rohwhitequark: most of that stuff is of the lowest possible code quality. its 'write once'-code. to be thrown away and not be reused.16:08
whitequarkroh: yeah, I know and it is16:08
whitequarkI'm just saying that this phone has the sanest design I've seen, ever16:09
DocScrutinizer05http://lxr.free-electrons.com/source/net/caif/16:09
rohDocScrutinizer05: depends on the hardware platform of course. but i haven't found a single device which has a sane concept to hinder a hostile baseband from rooting the app cpu16:09
whitequarkroh: apart from exploiting the (possibly buggy) USB driver, how would you do that?16:10
rohusing serials instead of shared memory windows is helping for sure. just sucks when you need more than a few bytes a second16:10
rohwhitequark: most devices don't use usb. usb sucks.16:10
DocScrutinizer05HSI16:10
DocScrutinizer05or ULPI16:11
whitequarkroh: I don't give a fuck about most devices.16:11
rohusb is high-latency and wastes power. totally stupid choice16:11
rohDocScrutinizer05: what should that be?16:11
whitequarkDocScrutinizer05: do the words "Comneon HSIC" tell anything to you?16:11
DocScrutinizer05http://lxr.free-electrons.com/source/drivers/net/caif/caif_hsi.c16:12
rohDocScrutinizer05: you want me to puke, right?16:12
DocScrutinizer05whitequark: nope16:12
rohDocScrutinizer05: i will never use a device with that code on it. caif is a reason to not buy a device.16:12
DocScrutinizer05mhm16:12
DocScrutinizer05:shrug:16:13
whitequarkDocScrutinizer05: do you know reasons of such a change of the tightly coupled baseband design?16:13
whitequarkit seems surprisingly sane for phone vendors16:13
whitequarkphone/bb16:13
DocScrutinizer05what change?16:13
whitequarkfrom shm to serial16:14
rohulpi is just another word for 'usb'16:14
DocScrutinizer05shm has some issues16:14
DocScrutinizer05thanks for explaining to me, roh16:14
rohand hsi seemingly for 'make spi complicated'16:14
DocScrutinizer05;-P16:14
rohDocScrutinizer05: ;)16:14
whitequarkroh: so, what phone would you use? a dumbphone?16:15
whitequarkand if you need more features than that?16:15
rohheh. caif runs over shm and hsi, so its another layer over a layer... sigh16:15
DocScrutinizer05dafaq16:15
DocScrutinizer05it can run via arbitrary interfaces16:15
DocScrutinizer05even via rs23216:16
rohwhitequark: i don't use a smartphone. phones which cannot run without recharging for at least a week aren't anything which i can work with.16:16
DocScrutinizer05and USB16:16
viricroh: same here. :)16:16
rohDocScrutinizer05: i just checked the code, didn't see any documentation.16:16
DocScrutinizer05http://lxr.free-electrons.com/source/net/caif/caif_usb.c  http://lxr.free-electrons.com/source/drivers/net/caif/caif_serial.c16:18
rohDocScrutinizer05: but it's funny how they reinvent the wheel. in the end they all do 'serial over $foo' .. why not use serials and hdlc or similar stuff which we have since the 80s?16:19
DocScrutinizer05there's also a (rather outdated) readme16:19
whitequarkhttp://imgur.com/uYr9d16:19
Action: whitequark feels himself like a pick&place machine16:19
DocScrutinizer05roh: why doesn't phonet do this?16:19
DocScrutinizer05why doesn't GSM muxer 07.?? do it?16:20
DocScrutinizer05CAIF is just a mux over arbitrary interfaces16:20
rohDocScrutinizer05: i don't know what phonet is.16:21
DocScrutinizer05and it's what RIL talks to16:21
rohcaif is proprietary Ericsson stuff16:21
DocScrutinizer05when the modem is offering CAIF and not phonet16:21
whitequarkDocScrutinizer05: is it patented?16:21
rohanyhow. i don't want to discuss choices in 16:22
DocScrutinizer05roh: you already stated you never will touch any hardware with CAIF code on it -why do you bother about docs or proprietary?16:22
rohdroid or so.. since we all know that none of these protocols are made due to technical thoughts, but rather by ip and businessplan logic.16:22
DocScrutinizer05honestly, I don't care what you think about CAIF16:23
rohsorry, but READ that code. i would bet on it that its exploitable a lot.16:23
rohit's HUGE. 1300 lines for encapsulating serials in serials. wtf.16:24
DocScrutinizer05so what? go write better code!16:24
DocScrutinizer05it's FOSS, no?16:25
whitequark1300 lines isn't huge for C and this stuff. just saying.16:25
DocScrutinizer05anyway it's what STE LTE modem will talk over HSI to AP16:26
DocScrutinizer05of next Samsung device16:26
whitequarkDocScrutinizer05: oh, now that's interesting16:27
DocScrutinizer05and since it's FOSS you're free to implement any better code for CAIF to your liking16:27
rohDocScrutinizer05: well.. i will wait for them to build usable devices again. the current market is quite dead and boring (all the same concept and laughable battery runtime)16:27
DocScrutinizer05and stack your own RIL on top of it16:27
rohnobody needs ril.16:28
DocScrutinizer05MEH16:28
DocScrutinizer05nobody need this discussion16:28
rohno shit ;)16:28
rohbut at least we now know that it's not 'the baseband has no control' on all hardware but just some and the state of sw isn't 'nice' .. so no. currently there is no real protection whatsoever against hostile baseband code (and that basebands can be exploited remotely was shown on multiple security events)16:30
whitequarkroh: well, the only thing I don't understand is why when I say that I can do better, you reply that it's useless16:31
rohwhitequark: ril is something android specific. if you want to do better: do not use android.16:32
whitequarkroh: what can I use _now_?16:32
whitequarkmeego? or how is that vaporware called now?16:32
rohlots of stuff. but yes. most proper devices are not built anymore or never in series.16:33
whitequarkI want a phone that I can use and can have control of (not tivoized, FOSS system). android is the nearest to that goal.16:33
whitequarkI don't see any system better16:34
whitequarkof course there's a baseline requirement that it should be a usable smartphone. i.e. a FR isn't a usable smartphone due to numerous issues.16:34
rohwhitequark: i liked the N950, but then nokia decided to kill themselves and not sell it.16:34
whitequarkI have nothing against N9*16:35
rohwhitequark: and simply said: there is no usable smartphone at the moment.16:35
lindi-roh: if you require one week standby times then that rules out everything indeed16:35
whitequarkwell, you can give up if you want. I'll just fix what I can get.16:36
viricI also want one week standby.16:36
rohlindi-: well.. that's my own measurement ladder. but most do not even survive the day atm. which is really sad16:36
lindi-I just use external batteries if I need longer standby time during some trip or something16:36
viricthat sounds like a mobile phone in the 90s.16:36
DocScrutinizer05whitequark: according to roh's "rationale" every device is unsafe, vulnerable and crap16:44
DocScrutinizer05even FR16:44
rohDocScrutinizer05: sorry, but yes. (but thats not because of my rationale, but simply because we were not allowed to fix bugs properly)16:45
DocScrutinizer05and to like N950 is outright insane, since THIS crap has really nasty HS stuff on OMAP16:45
rohfr actually has a good runtime compared to some other 'smartphones'16:45
rohDocScrutinizer05: i liked it because it was the first device i had in my fingers which did not lag like hell in normal scrolling16:46
DocScrutinizer05pff, it also has vulnerable code in drivers for hw IF16:46
rohyes. like all the rest too. get used to that.16:46
DocScrutinizer05roh: for some reason I don't enjoy to discuss with you today16:46
DocScrutinizer05might be me16:46
whitequarkso much hate16:47
rohDocScrutinizer05: sorry. i know the state of mobile phones is depressing ;)16:47
DocScrutinizer05bwahaha16:47
DocScrutinizer05only depressing thing for me right now is the inconsistent reasoning you offer here16:48
DocScrutinizer05the next depressing thing for me is I have to run tests against CAIF at work, thus need to touch android (a thing I despise)16:50
whitequarksigh16:51
viricI also like mobile phones that can turn off and on quickly16:52
whitequarkviric: for what?16:53
DocScrutinizer05viric: there's that iPhone sleeve with featurephone integrated - maybe the thing for you? ;-)16:53
viricwell, turn on and off the radio at least16:53
viricgsm.16:53
viricall that.16:53
whitequarkviric: android turns radio on/off in a ~second16:54
whitequarkerm16:54
viricI feel better with the phone turned off, too. :) but when I want it, i dislike waiting minutes16:54
whitequarkandroid on SGS2.16:54
viricok16:55
DocScrutinizer05viric: modems take a few seconds to turn on. If you want your full inflated linuxoid OS to boot up on AP in same timespan, you got another problem not related at all to phones16:56
viricnow I don't need any linuxoid os.16:56
DocScrutinizer05what are we discussing then?16:56
whitequark... and you get even more infested dumbphone which is one big BP.16:56
viricYes I also dislike that.16:57
viricswitched off phone is the happiest :)16:57
whitequarkare you sure it is actually switched off?16:57
whitequarkI'm not16:57
DocScrutinizer05define phone!16:57
DocScrutinizer05even: define "switched off"!16:58
viric:)16:58
viricI can easily take out the battery16:58
whitequarkoh, you're one of that kind of people16:58
viriceven the rtc battery is out... I've to reset the time16:58
DocScrutinizer05and you can also take a sledgehammer16:58
DocScrutinizer05honestly, I wonder what we're discussing here16:59
viricnah, I barely switch off the phone because I'd have to wait for the boot time16:59
viriclet's stop the discussion :)17:00
lekernelroh: what is all your software compiled with, again? :)17:44
lekernelsome M1 pictures http://www.falsebit.com/bit-stream/bit-stream-articles/114-blip-festival-2012-up-now-burnkit2600-m-no-carrier.html19:48
lekerneland videos http://www.youtube.com/playlist?list=PL181AAD8063FCC9DC20:15
wpwrakthe absence of current limiting on the 8:10 card slot of the ben can be quite annoying ...21:00
whitequarkwpwrak: what did you fry?21:16
wpwrakno, nothing broken. but if i use UBB to program a microcontroller circuit, the inrush current has a tendency of resetting the nanonote21:31
wpwrakand in this case, i can't leave the circuit powered, because the programming signals are shared21:32
wpwrakso it's power up, type "make prog", put the adapter in place, cut power, and then quickly hit Enter before the device discharges too much21:33
whitequarkahem.21:55
whitequarkwhat about a current limiting resistor and a cap?21:55
wpwrakmore like an inductor. a cap is already present in the ben. and yes, an inductor or such is what we should have there21:59
whitequarkoh, yes, inductor indeed23:26
Action: whitequark zzzzz23:26
--- Mon Jun 18 2012 00:00
