[LEDE-DEV] FCC killing open platforms and inovations

Sven Eckelmann sven.eckelmann at openmesh.com
Tue Feb 14 03:45:33 PST 2017 

On Dienstag, 14. Februar 2017 11:03:56 CET Petr Štetiar wrote:
> Simon Wunderlich <simon.wunderlich at open-mesh.com> [2016-11-17 11:19:48]:
[...]
> Overflows can substitute soldering http://blog.true.cz/2017/02/free-your-router-again/

> but even the Open Mesh representative thinks

We told you before that we are not OpenMesh employees. So please stop citing
us like we are "Open Mesh representative"(s) or spoke persons of OpenMesh.
There is a reason why we forwarded you to the official OpenMesh support -
because we don't have the authority to speak for OpenMesh.

> that locked down U-Boot is a reasonable and solid lockdown solution:
> > On the other hand, swapping the u-boot is not so trivial, at least without 
> > opening/soldering/modifying the flash from outside, which is considered a 
> > reasonable hurdle.

And Simon never said that it is a solid lockdown solution. He only said that
it is "is considered a reasonable hurdle" in reference to the requirements
OpenMesh got from the FCC (or FCC partner - I don't know the details). And
I wouldn't call your solution trivial (cool, but not trivial).

To be fair, he didn't mention other ways like software problems which allow
you to gain more access. Either because he thought that this is obvious,
that he didn't want to list every possible way, just didn't thought that
he must provide an extensive list or just forgot about it.

But the FCC did seem to have accepted the current solution as "reasonable
hurdle" - not sure how long this will be the case.

Your reaction seems shows me (I am not talking about or for OpenMesh) that
such discussions only end in disasters and only help people like you to
attack others. This is especially sad because Simon organized and moderated
different discussions on conferences about the FCC lockdown, consequences
for open source and possible solutions which make the FCC/EU happy + OSS
happy. No wonder that companies usually don't want to take part in such
discussions.

> Well, to execute the shell commands you need access to the router over
> the SSH connection, right. Open Mesh users located within USA or Canada
> are treated with more love in the CloudTrax cloud system and as a reward
> for their customer loyalty?, they nowadays can’t even connect to their
> access points with SSH. How long it’s going to take Open Mesh to treat
> all customers equally? When they start rewarding them all with no SSH
> access?

I don't have the knowledge about any such plans for the EU. But I think
you already answered it yourself. The flash is not specially protected
on these devices and allowing SSH access to the devices would allow to
easily circumvent the signature checks. Either by accessing the mtd
devices or by accessing the memory directly.

So my guess (not speaking for OpenMesh) I would guess that similar
things would be necessary for the EU when the "lockdown directive" [3]
is in place.

> We’re users and supporters of open source, so we take it almost personally
> if some vendors like Open Mesh (BTW since February 2017 it’s Datto company),
> which are using open source software in their products and benefit from it
> to a great extent, don’t play nice with the open source community and even
> violates the copyright law. Yep, the usual GNU GPL license infringement.
>
> We’ve asked Open Mesh in November 2016 for sources of U-Boot (GPLv2 license)
> for OM5P-AC device, but we didn’t received the sources till today, as of
> Sunday February 12th, 2017.

It is in the same google drive like the other sources [1]. It is called
om5p-ac.tar.bz2 and was added in mid December like the rest of the source code
you've asked for.

And the funny part is that you've already uploaded it to github [2] two months
ago. Still you claim that you have not received it. Btw. this is earlier than
Simon or I got the source code from OpenMesh.

What do you think will such partially ill-founded attacks like you did in the
blog post achieve? That companies will talk more or less to the open source
advocates?

I (talking again about myself not OpenMesh - just in case you didn't notice
it in the rest of the mail and want to use my words again to blame them for
something) personally want open hardware (actual OSS hardware would be nice
but HW which I can use freely from SW is also ok) and open software. And
I've already told you how to get them unlocked outside the FCC regions
without any extra exploit/soldering. If you want to avoid drastic lockdown
on all devices (company independent) in the EU then you should start to
attach the EU directive instead of insulting persons/companies [3].

If you want to write about lockdowns and workarounds for lockdowns - fine,
and I am even interested in it (you never know what you have to unlock in
the future). But are these attacks necessary? Especially when you know
that a lot of your attacks are based on things which are not true.

Kind regards,
	Sven

[1] https://drive.google.com/open?id=0B8GHi_JcerOJZ000bjZnc2Fad2s
[2] https://github.com/true-systems/openmesh-gpl-elx-uboot-sdk/
[3] https://fosdem.org/2017/schedule/event/radio_lockdown_directive/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.infradead.org/pipermail/lede-dev/attachments/20170214/f5b38ab3/attachment.sig>

More information about the Lede-dev mailing list