Topic for #qi-hardware is now Copyleft hardware - http://qi-hardware.com | hardware hackers join here to discuss Ben NanoNote, atben / atusb 802.15.4 wireless, and other community driven hw projects | public logging at http://en.qi-hardware.com/irclogs
<whitequark> one of the rare times I see a situation and see a nanonote as an immediately useful solution
Ayla has quit [Quit: Lost terminal]
<wpwrak> you want to add a nanonote to the cpu ?
<whitequark> naw
Ayla has joined #qi-hardware
<whitequark> just recalled a new Cory Doctorow's book
<whitequark> they used a small and presumably somewhat trusted computer to do a key signing party
<whitequark> (they) the book is 1984, but in 2014. you got the idea. I'm too sleepy now to explain it properly anyway.
<wpwrak> (small computer) ah, i see. yes, the ben is quite good at being small ;-)
<whitequark> while I'm not absolutely sure that NN's CPU does not contain backdoors (I haven't examined the actual silicon), that would have a really really low probability
<whitequark> and it definitely does not have backdoors as features
<whitequark> the next-NN with M1 SoC should fix this problem
<wpwrak> CPU backdoors would also be kinda tricky
<whitequark> yes
<wpwrak> fpgas could still have "backdoors" ;-)
<whitequark> besides that, NN does not have any wireless ifaces
<whitequark> which makes it quite perfectly safe for the task
<wpwrak> mine do, sometimes :)
<whitequark> well, a cpu backdoor would require extensible software cooperation
<whitequark> so I don't think it's even a theoretically realistic scenario
Ayla has quit [Ping timeout: 245 seconds]
<whitequark> after all, if you're _that_ paranoid, you can do RSA with a calculator
<whitequark> or a pen and a piece of paper
<whitequark> definitely no backdoors there.
<wpwrak> someone whispering numbers to make you miscalculate
<whitequark> (fpgas) yeah, I won't blindly trust a fab to not alter the netlist. but I would evaluate the complexity of such a task, and again, it is not realistic at all
<whitequark> not significantly more realistic than (/me drops a pen on the floor) that pen tunneling through the floor.
Ayla has joined #qi-hardware
<whitequark> it's possible according to quantum mechanics, just not very probable :D
<whitequark> besides which, netlists were OCR'd with a microscope and a polarizer, and if you have the sources
<whitequark> (see: visual6502.org)
<whitequark> it's all verifiable, though hard
<whitequark> but military supposedly does that verification, and so could any interested party
<whitequark> wpwrak: are you perfectly sure that your C compiler doesn't have a, say, self-reproducible `login' backdoor which it inserts in `login' and `cc' itself, but which does not appear in the sources?
<whitequark> gcc is built with gcc for ages
<whitequark> has it always had digital signatures? were they enforced?
* kristianpaul remembers gnu's ftp was compromised some time ago
<whitequark> I often think that when working with security, you just need to go to the extreme. not to do something practical, but just to evaluate the risk
<whitequark> what once seemed impossible is easy now
<whitequark> e.g. trusted computing
<whitequark> people would laugh at this idea in '85
<whitequark> (or should I write "trusted" each time?..)
<whitequark> [that is, quoted.]
<wpwrak> my paranoia knows limits :)
<whitequark> wpwrak: would you consider someone placing a supplementary core as a backdoor in your CPU 20 years ago?
<whitequark> or, for current CPUs, there is SMM
<whitequark> which is technically an undetectable backdoor
<whitequark> it's not paranoia and I'm not going to throw away my Galaxy SII because it has a trusted computing module in the CPU (maybe because of the blobs; they're so badly written that they can be broken not because of malice but simply of stupidity)
<kristianpaul> so what it is?
<whitequark> an evaluation of possibilities
<whitequark> modern CPUs are incredibly complex (they're more like SoCs already, even in PCs), and they get more complex each year
<whitequark> it's anything but hard to hide a backdoor in a device like this
<kristianpaul> yup
<whitequark> for example, anyone familiar with FPGAs could confirm that it's easy to make a special long command stream that
<whitequark> will instantly throw you to ring0
<whitequark> or just instantly smm
<whitequark> enough, you're pwned.
<whitequark> you can even hide it in microcode if you want
<whitequark> besides which, AMD openly states that they put a backdoor in the CPU.
<whitequark> what else do you fucking need?!
<whitequark> ... and silence was an answer to him :)
<whitequark> whatever, I'm gonna get some sleep.
<whitequark> 5AM here
<kristianpaul> I was about to say that (sleep) :_)
Textmode has quit [Ping timeout: 255 seconds]
wej has quit [Ping timeout: 248 seconds]
Textmode has joined #qi-hardware
wej has joined #qi-hardware
wej has quit [Ping timeout: 272 seconds]
wej has joined #qi-hardware
Textmode has quit [Ping timeout: 255 seconds]
Ayla has quit [Quit: dodo]
rz2k has quit [Ping timeout: 245 seconds]
rzk has joined #qi-hardware
Textmode has joined #qi-hardware
dandon has joined #qi-hardware
Textmode has quit [Ping timeout: 255 seconds]
<wolfspraul> my first practical goal for fpgatools will be an inverter :-)
<wolfspraul> I think that's the shortest path to something that runs
<wolfspraul> so I will take the smallest spartan-6 (xc6slx4), buy a bunch of them (like 10-20), then make the most minimal board possible to just power the chip and expose jtag
<wolfspraul> then use fpgatools to program the chip and get the inverter to work
<wolfspraul> oh I guess I need 2 pads for the inverter itself as well
Textmode has joined #qi-hardware
<wolfspraul> inside the chip, the inverter will start at one pad, pass through an I/OLOGIC and some switch boxes before coming out negated on the other pad
<wolfspraul> that's the plan :-)
<wpwrak> you can develop this on milkymist ...
Textmode has quit [Ping timeout: 255 seconds]
* DocScrutinizer05 reads acklog and smiles
<DocScrutinizer05> back*
Textmode has joined #qi-hardware
compcube has quit [Quit: Leaving]
<roh> re
Textmode has quit [Ping timeout: 256 seconds]
<pabs3> whitequark: got a link to the AMD CPU backdoor thing?
jekhor has joined #qi-hardware
emeb has joined #qi-hardware
Textmode has joined #qi-hardware
emeb has quit [Ping timeout: 246 seconds]
emeb has joined #qi-hardware
jekhor has quit [Ping timeout: 246 seconds]
emeb has left #qi-hardware [#qi-hardware]
Textmode has quit [Ping timeout: 255 seconds]
<wolfspraul> wpwrak: no that would miss the point, right now
<wolfspraul> I am working in the bitstream, and already dealing with 2+ million bits
<wolfspraul> I don't want to deal with 10 million instead
<wolfspraul> plus a slx4-based inverter allows me to go through the pcb-making as well
<wolfspraul> but I'm coming at it from the side of the fpgatools, where I do need small incremental steps to work through the many many different 'things' that are on any spartan-6 chip, even the smallest
<wolfspraul> of course after the inverter I will do a few more gates, include slices, more switch boxes, and eventually work my way up to larger chips like a slx45
<wolfspraul> but one by one, that's the point: inverter on slx4 :-)
<wolfspraul> the inverter doesn't even need a slice because it uses an invert mux right in the io block
<wolfspraul> good for me
larsc has joined #qi-hardware
<pabs3> DocScrutinizer: so Nokia is joining the mobile patent wars, nice
<lekernel> wpwrak: this wasn't a good time? huh?
<wpwrak> lekernel: they were working on other changes that would have interfered
<wpwrak> wolfspraul: hmm, so the difference between the FPGA in M1 and the FPGA you want to play with would merely be size but not structural variety ? in that case, can't you just ignore the extra 8 Mbits, just like you'll already ignore some ~2 Mbits your inverter doesn't need ?
<wpwrak> wolfspraul: (pcb-making) you should really pick something simpler to get started. don't worry, even simple things can get quite hard when you do them for the first time :)
lekernel_ has joined #qi-hardware
lekernel has quit [Ping timeout: 246 seconds]
lekernel_ is now known as lekernel
kyak has quit []
<whitequark> DocScrutinizer05: yeah, I remember our discussion about paranoia, yes :) it'd be wrong to say that it didn't make me think
phirsch has quit [Ping timeout: 245 seconds]
<whitequark> DocScrutinizer05: just found an interesting feature in SGS2 BP
<whitequark> if you'll send 0xDEADDEAD to the BP bootloader instead of data length, then, instead of writing, it'll read entire modem RAM and send it to host
<whitequark> yes, it can write too, and reboot
<whitequark> and it doesn't exactly verify any signatures
<whitequark> well, theoretically it does, but looks like someone fucked it up
<viric> whitequark: djbclark gave them to me
<whitequark> looks like I'm lucky on baseband modules with interesting features
<pabs3> interesting discovery
<whitequark> SGS2 looks like that everywhere
<whitequark> it's more of devboard than a phone: there are *some* locks, but they're not very difficult to bypass
<whitequark> ... and I tried asking a Korean dev about a feature of a PMIC which was under NDA
<whitequark> and got a helpful reply
<whitequark> maybe osmocombb folks would be interested?
<whitequark> the BP is based on xgold262
<whitequark> er, 626
phirsch has joined #qi-hardware
<lekernel> just build your own fucking BP
<lekernel> it's really frustrating to see how many hours are spent reverse engineering proprietary stuff that becomes obsolete in 1 yr
<viric> what is a bp?
<whitequark> baseband processor
<whitequark> cpu in mobile phones which talks to the GSM network
<viric> ah ok
<wpwrak> *hmm*. i need a C function that returns a pointer to a function just like itself. do i need more sleep/caffeine or is void * really the best i can do in terms of type safety ?
<whitequark> hmmm
<whitequark> interesting
<wpwrak> nice, isn't it ? an infinitely recursive type declaration :)
<whitequark> yeah, C isn't haskell
<whitequark> so, only void*
<wpwrak> and of course, typedef won't accept the same name at two places
rejon_ has quit [Remote host closed the connection]
rejon has joined #qi-hardware
<whitequark> yeah
<whitequark> that's why I said it's not haskell
kyak has joined #qi-hardware
kyak has quit [Changing host]
kyak has joined #qi-hardware
Aylax has joined #qi-hardware
<viric> the struct trick looks good to me
<viric> if you can afford a struct. :)
<wpwrak> oh, that's pretty nice. thanks !
phirsch has quit [Excess Flood]
phirsch has joined #qi-hardware
Aylax has quit [Ping timeout: 240 seconds]
Aylax has joined #qi-hardware
<viric> What do you think, about GPL....
<viric> There is a GPL software...
<viric> but I can download it only if I identify myself.
DocScrutinizer has quit [Disconnected by services]
DocScrutinizer has joined #qi-hardware
<viric> Does GPL say anything about the right to (more or less) private access to the sources?
DocScrutinizer06 has joined #qi-hardware
<viric> - A government website lets me download a GPL cryptography software they developed, but only if I identify myself and explain why I download that.
DocScrutinizer05 has quit [Ping timeout: 246 seconds]
<DocScrutinizer06> viric: wpwrak: this again convinced me I don't know shit about c and better resort to beating up grannies on the street and robbing their handbags
<viric> :)
<DocScrutinizer06> or simply refuse coding in anything but assembler
DocScrutinizer06 is now known as DocScrutinizer05
<lekernel> viric: opencores does a similar thing :)
<viric> ahh
Ayla has joined #qi-hardware
Aylax has quit [Quit: Bye]
Ayla has quit [Ping timeout: 252 seconds]
Ayla has joined #qi-hardware
Ayla has quit [Client Quit]
<wpwrak> viric: on the first access, they can make you jump through as many hoops as they want. make you agree to deliver a million euro, your soul, your firstborn, droit du seigneur, whatever.
<kristianpaul> viric: redoi
<kristianpaul> sorry
<wpwrak> viric: but then you're FREE to spread as many copies as you want, to whomever you want :)
<kristianpaul> viric: redistribution is not mandatory at least you use that software i understand
<wpwrak> DocScrutinizer: C is an amazing language. it grows with you. the better your skills get, the more you understand its perfection.
<kristianpaul> yup, (grows part)
<DocScrutinizer05> the better you understand C the more you wish it never got invented ;-)
<wpwrak> DocScrutinizer: you prefer junk languages like C++ ? :)
<DocScrutinizer05> eeeeeeeeeeeeEEEEEEEEEEEeeeeeeeeeeeeeek
<DocScrutinizer05> I'm one of those Wirth softies ;-P
<wpwrak> aha, a quiche-eater :)
<DocScrutinizer05> indeed
<wpwrak> luckily, i was able to shake that bad habit a good while ago
<DocScrutinizer05> strict typechecks - heaven!
<viric> kristianpaul: I've to use that software to send my taxes report
<wpwrak> C has strict type checking
<DocScrutinizer05> BWAHAHAHA
<viric> Yes, I like the C strict type checking
<lekernel> C? perfection? lol.
<viric> typedef is not defining a new type, though.
<wpwrak> some of it in the form of warnings, but you get your diagnostic when you need it
<kristianpaul> viric: and u already got it in object form?
<DocScrutinizer05> bool foo() {...; return 345}
<viric> kristianpaul: sure. a java applet.
<viric> kristianpaul: I even run it. But it fails for me :)
<kristianpaul> hmm
<DocScrutinizer05> we had that less than one week ago, in some popular shite I can't recall
<lekernel> especially for e.g. string manipulations, which keeps infosec people fed
<wpwrak> lekernel: my most illuminating experience with C was when i wrote a language that incorporated much of C (for a scriptable debugger). there, i learned to appreciate many of the more subtle points of that language
<viric> talking of string manipulations, I recently discovered stpcpy
<DocScrutinizer05> now I recall: it was that funny vulnerability of MySQL
<kristianpaul> i fed with binary related operations, usually perl is more ready in such cases
<lekernel> there's also strfry()
<DocScrutinizer05> that made every one out of 256 auth tries succeed no matter which credentials
<DocScrutinizer05> and you tell me there's something like strict typechecks in C
<lekernel> the C library is sucky as well. how do you move/rename a folder? system("mv ...")
<kristianpaul> is not that more a posix problem (folder) ?
<lekernel> and of course what you give to system() has to come from the aforementioned string manipulation mess
<kyak> how does 'mv' move the folder?
<wpwrak> lekernel: rename() will do just fine for renaming
<lekernel> wpwrak: no, if you cross mount points it doesn't work.
<wpwrak> lekernel: that's not a rename :)
<wpwrak> DocScrutinizer: booleans are a perversion you quiche-eaters added. you deserve the consequences :)
<viric> lekernel: well, some OS have different operations for move and rename
<viric> for example.
<DocScrutinizer05> well, a particularly nice type we quiche-eaters added are sets, which are defined as bit fields internally
<DocScrutinizer05> basically a uint1
<viric> rename() renames a file, moving it between directories if required.
<viric> I didn't know it.
<viric> C89.
<lekernel> oh and there's also memcpy vs. memmove
<viric> of course
<viric> that allow operations of different performance
<lekernel> now if you think that sort of thing doesn't waste developer time, look at this: https://bugzilla.redhat.com/show_bug.cgi?id=638477
<DocScrutinizer05> well, lemme guess. memmove remapping if possible?
<lekernel> viric: wrong. the test for the direction of copy at the beginning of memmove() is unnoticeable.
<viric> ah you mean it could check if it overlaps or not?
<DocScrutinizer05> it could simply tweak the mmu table
<lekernel> DocScrutinizer05: no it's much simpler than that. copying memory. only if you use memcpy() you must make sure your two regions don't overlap.
<viric> hm I think you miss what's memmove about :)
<DocScrutinizer05> which e.g. NeXTStep did per definitionem for inter-process messages
<larsc> language flamewars, always so much fun
<lekernel> as if, your brain was available to pollute it with such details
<kristianpaul> larsc: :)
<wolfspraul> larsc: hey sorry. what was your comment about 'ast generator' about the other day?
<viric> Let's see if C11 addresses any of that ;)
<wolfspraul> I didn't get it
<wolfspraul> (that was in #milkymist, about migen)
<wolfspraul> my question comes down to "what is the difference between an 'ast generator' and a 'proper language'?"
<DocScrutinizer05> lekernel: well, seems a straightforward pretty natural approach. I know if my two pointers point to unrelated objects or if I just want to shift a mem-area by a few bytes "in place"
<viric> DocScrutinizer05: but that could be checked
<DocScrutinizer05> what for?
<DocScrutinizer05> AIUI it *gets* checked, in memmove
<viric> only have one function: memcpy
<DocScrutinizer05> I mean, it's not a mandatory prerequisite that mem overlaps to use memmove on it
<viric> if the regions overlap, run memmove. If not, run memcpy.
<larsc> wolfspraul: well with a ast generator you basically write in another language, a metalanguage if you want to say so. which can be very powerful.
Ayla has joined #qi-hardware
<viric> I meant the opposite. if overlap, memcpy. If not, memmove.
<DocScrutinizer05> if you however know your areas never can overlap (a very usual case), why use a function with a useless check?
<viric> because memmove can be implemented faster.
<viric> amh
<viric> no
<viric> the opposite.
<viric> ;)
<lekernel> viric: really you can gain 10 nanoseconds or so on a modern machine. is it really worth all the wasted hours on that bugzilla report? no.
<viric> lekernel: I agree I agree
<lekernel> DocScrutinizer05: because developers make mistakes.
<DocScrutinizer05> lekernel: 10ns??? >> The memory areas may overlap: copying takes place as though the bytes in src are first copied into a temporary array that does not overlap src or dest, and the bytes are then copied from the temporary array to dest.
<DocScrutinizer05> seems to include a malloc
larsc has quit [Ping timeout: 244 seconds]
<lekernel> yes, 10ns. in all implementations I've seen it's only about the direction of copy.
<lekernel> no, there's no malloc
<DocScrutinizer05> I'd expect a tiny bit longer than 10ns for this to complete
<lekernel> just a test at the beginning to determine the copy direction
<DocScrutinizer05> now if that's true then this manpage is pretty buggy and fuckedup
<lekernel> the subtlety is in the "as though" ...
<DocScrutinizer05> as the result of the operation may differ vastly in certain situations
<DocScrutinizer05> e.g. memmove IO memmapped area
<DocScrutinizer05> there a complete mem mapping swap for each switch between read and write a byte or word could take pretty looooong
<lekernel> I don't think you're supposed to use the regular libc memmove on weird memory-mapped I/O... it doesn't even guarantee the size/alignment of accesses
<DocScrutinizer05> hehe, true
<DocScrutinizer05> but manpages are supposed to be accurate
<wolfspraul> larsc (in absence) ok, thanks. I still don't get it :-)
<wolfspraul> but that's ok
<wolfspraul> "language" for me is a set of rules, grammar, syntax, vocabulary/keywords, etc.
<wolfspraul> it's used to express something, that someone (or some program) can understand, or interpret in some way
<lekernel> wolfspraul: if you write vhdl or verilog, you have a single language that expresses the logic more or less directly
<wolfspraul> I'm just not familiar with the term 'ast generator'
<DocScrutinizer05> lekernel: btw the rationale of "because developers make mistakes" clearly suggests to abandon C all together and rather use a proper lang like pascal or modula, which comes with runtime checks for all those more commonly done mistakes, like array-index out of bounds, etc
<kristianpaul> pascal? no again ;-)
<lekernel> with the migen "ast generator", you are writing python (the "metalanguage") that manipulates fragments of verilog-style logic
<wolfspraul> maybe I should look at migen more and then I would get it
<lekernel> wolfspraul: does it make sense?
<wolfspraul> no, doesn't
<wolfspraul> but no problem, don't worry
<wolfspraul> interestingly googling for 'ast generator' also yields very little
<lekernel> DocScrutinizer05: ...and as you can see I'm writing python and moving milkymist software to lua those days :)
<viric> wolfspraul: verilog or vhdl is lekernel's assembler, and let's say he's writing a compiler in python, for some language of his, to that assembler.
<viric> or a python lib that emits that assembler (vhdl/verilog). something like this?
<kristianpaul> assembler?
<kristianpaul> thats the net list
<viric> metaphoric
<wolfspraul> :-)
<viric> analogy to software
<kristianpaul> hmm
<wolfspraul> this is why I love 'ast generator'
<wolfspraul> I think this is not a widely understood term at all, given how hard it is to even google for a definition
<viric> So an ast generator is not cooking chicken?
<DocScrutinizer05> lekernel: btw differences between the supposed operation of memmove and the way it's probably done in real world also may arise easily in context of multitasking
<wolfspraul> I did find an 82 page 2008 paper from a german university
<wolfspraul> I don't need an 'ast generator'
<wolfspraul> :-)
<lekernel> DocScrutinizer05: totally. but the C language has the concept of a traditional single-core CPU built in (through pointers), so it's not appropriate here.
<DocScrutinizer05> when a concurrent process looks at first byte of dest to determine if origin is already free to rewrite it
<DocScrutinizer05> sure you usually solve those issues with mutex etc
Ayla has quit [Quit: brb]
<DocScrutinizer05> or define memmove section to be atomic
Ayla has joined #qi-hardware
<DocScrutinizer05> ~wiki ast generator
<infobot> I couldn't find a matching article in wikipedia, look for yerselves: http://en.wikipedia.org/wiki/Special:Search?search=ast+generator&go=Go
<DocScrutinizer05> thought as much
<lekernel> 1st one ;)
<DocScrutinizer05> if it's about Abstract Syntax Tree then I wonder why anybody would need a generator for that, since my approach has always been that I think of code as an AST in my head, and then convert it to any arbitrary lang and syntax. That's what I always called "I don't mind which language to use - I can program" - until somebody pointed me to http://c-faq.com/decl/recurfuncp.html :-S
<DocScrutinizer05> .s/I can program/ I know to design programs/
<kristianpaul> ast generator is an excuse in the absence of floss synthesizers that could allow those language extensions for our topic i think
<viric> mh I think it'd need a book covering state machines clear design and implementation (for software, in C for example).
<kristianpaul> C coding style? :-)
<viric> because it's one of those things I start with a big function and some 'if/else' clauses.. then a switch... and soon some mess with out of band information...
<viric> C and C++ approaches to state machines would be nice
<viric> well, you can imagine that every program is some state machine, but with the state spread in multiple variables :)
<DocScrutinizer05> btw http://c-faq.com/ptrs/funccall.html kinda reassured me I understand a tiny bit of C at least
<whitequark> on ASTs
<viric> As for function pointers... I like to declare function types instead of pointers to functions.
<viric> typedef int fptr(char x);
<viric> then I use:
larsc has joined #qi-hardware
<viric> fptr *x = myfunction; x('z');
<whitequark> even in this context, I assume, AST is not some free-form structure resembling a free-form algorithm. If you have verilog, you can resemble it with AST form, which allows you to manipulate the code very conveniently (compared to e.g. string functions or regexen)
<whitequark> basically AST is an incredibly simple storage structure
<DocScrutinizer05> viric: that's sth I feel familiar with
<whitequark> nested s-exps resemble an AST
<viric> I hate the "typedef int (*fptr)(char x)" kind of parenthesis. :)
<viric> but these later looks much more spread.
<whitequark> C is not a programming language
<lekernel> DocScrutinizer05: I disagree with many things that Paul Graham writes, but I think there are some good ideas in this one http://www.paulgraham.com/hundred.html
<whitequark> it's a PDP-11 assembler which thinks it's a compiler
<viric> Using function typedefs, instead of pointers-to-function, allows using the typedef for the prototypes.
<viric> Therefore throwing a bad declaration.
<viric> in case of bad types.
<viric> as here: http://sprunge.us/LNaW
<viric> the line 3 can't be typed if the typedef were of function pointer.
<viric> maybe there is a good reason why most people use typedef of function pointers, but I don't know it still.
<larsc> wolfspraul: for a language you have grammar, syntax, etc and a parser which will take care of generating a AST from code written in that language. In migen you don't have that, but rather construct the AST by hand
<lekernel> well, you'll have it later for special cases. but keeping the low-level stuff accessible is good - we need it for many things...
<kristianpaul> but migen intentions is not been a language is it? i understand as the result of frustating of generating SoC by hand, now implmented in a "friendly" scripting language no?
<kristianpaul> s/frustating/frustation
<qi-bot> kristianpaul meant: "but migen intentions is not been a language is it? i understand as the result of frustation of generating SoC by hand, now implmented in a "friendly" scripting language no?"
<lekernel> migen is a "toolbox" for generating large synchronous systems. anything that makes SoC design great can go into it.
<kristianpaul> oh, so is not milkymist centric at all
<lekernel> no. the milkymist specific stuff is in the milkymist-ng repository.
<kristianpaul> hmm
<lekernel> here's another project using migen: https://github.com/brandonhamilton/rhino-tools
<kristianpaul> oh, migen include dsp ASTs as well?
<DocScrutinizer05> lekernel: well, I agree partially on http://www.paulgraham.com/hundred.html POV
<lekernel> if your question is whether migen flow can be used for DSP, then yes
<DocScrutinizer05> that's why I dislike C
<lekernel> the "AST" (FHDL) is just like verilog... and can do pretty much everything verilog does, as long as you have a single clock
<DocScrutinizer05> C is all about premature optimization and concept tainted by hw-related axioms/paradigms
<lekernel> DocScrutinizer05: and therefore you do assembler instead? ;)
<DocScrutinizer05> actually assembler is more honest in that regard
<kristianpaul> DocScrutinizer05: you code in forth as well?
<DocScrutinizer05> I used to
<DocScrutinizer05> in the early 80s
<DocScrutinizer05> pretty nice lang, after a week to get accustomed to it
<viric> 'rhino'... I had some bad time with java rhino.
<DocScrutinizer05> we used to program a Z80 based realtime video manipulation hardware in a lang 99% overlapping with forth
<DocScrutinizer05> the whole forth code had to get interpreted 25 times per second, on a fixed pace (today you call that realtime)
<DocScrutinizer05> basically the "mainloop" had the central wait on VSYNC
<whitequark> a fellow hacker, who reverse engineers SGS2 RIL (modem driver), just found a backdoor
<whitequark> if a specially-crafted incoming CSD call arrives, it passes a root shell to it
<whitequark> why am I not surprised
<lindi-> whitequark: that's inside the BP?
<viric> SGS = samsung galaxy something?
kyak has quit []
<whitequark> viric: yes
<whitequark> lindi-: no
<viric> and what is CSD?
<lindi-> circuit switched data?
<lindi-> whitequark: is that part of some android phones?
<whitequark> RIL is a service which translates AT commands from dialer and stuff to the modem IPC (thankfully, it runs in its own small compartment and cannot e.g. influence RAM of the AP)
<whitequark> yeah, CSD is circuit switched data
<whitequark> RIL is generally a part of any Android phone, but different vendors provide different RILs
<whitequark> there is a reference, FOSS one
<whitequark> and Samsung ships this one with a backdoor in their phones
<viric> quite an improvement over the foss.
<whitequark> well, that's why we are writing a FOSS RIL
<lindi-> whitequark: interesting, do you need operator help to initiate such a CSD call?
<whitequark> lindi-: in Russia, I need to sign a contract (_very_ expensive) to be able to receive CSD calls at all
<whitequark> obviously the operator can still initiate it at their will
<viric> what's a csd call about?
<whitequark> but no, other users can't do that
<lindi-> whitequark: yeah but could I initiate such a call?
<whitequark> viric: dialup through gsm
<whitequark> lindi-: no, not while I'm in Russia with my current operator
<whitequark> but I'm pretty sure it is perfectly possible in other countries/operators
<lindi-> whitequark: yeah but I'm not in Russia
<whitequark> lindi-: doesn't matter, incoming CSD calls are barred by my operator
<viric> what's different between dialup through gsm, and usual voice calls?
<whitequark> viric: just like the difference between voice and data over plain old telephony
<whitequark> voice call is voice, and CSD is an analog modem
<whitequark> well, it's not exactly this way, but pretty close
<viric> an analog modem over gsm?
<whitequark> kinda
<viric> it's about making something analog work over something digital?
<viric> who may want to use that?
<whitequark> I'm not very familiar with this technology, it was already dead when I got my first cellphone
<whitequark> well
<whitequark> you didn't have EDGE and GPRS back then
<whitequark> and you got to use CSD
<DocScrutinizer05> whitequark: (backdoor) DUH!
<viric> ah is that about the 9600 bps internet connection?
<whitequark> viric: 9600 is fast.
<whitequark> DocScrutinizer05: it's not counting all other ways you could get control
<viric> before gprs, I had 9600baud in my mobile phone, with a WAP browser
<whitequark> DocScrutinizer05: e.g. it sprintf()s a filename into a string and then system()s
<roh> viric: thats csd.
<viric> Ah ok
<viric> I remember its cost was calculated per minutes, not per amount of data transferred :)
<roh> csd is the '9k6 data' service in 2g (gsm)
<whitequark> viric: yeah, bloody expensive
<roh> everything else came later.
<viric> ah, perfect.
<viric> hm that's why gprs mobile phones say allow to choose: "a) Only use GPRS b) fallback to GSM in case of lack of GPRS"
<roh> everything else has much higher latency also. csd is/was much better than mobile ip now.
<viric> I used it very rarely.
<whitequark> DocScrutinizer05: (the system() is from Android side and not modem), but it's as solid as swiss cheese
<whitequark> SGS2 is a funny machine, it does almost nothing to prevent your tinkering with it
<whitequark> blobs are not obfuscated nor even optimized
<whitequark> i.e. a simple IDA run gives away all the details
<whitequark> they didn't even strip them.
<DocScrutinizer05> viric: it's a service tag on the data connection via GSM. There are tags for voice, data, fax
<DocScrutinizer05> just like on ISDN
<whitequark> i.e. you have all symbols AND DEBUG INFO.
<viric> ok
<whitequark> as I already said, modem bootloader allows you to read/write RAM and execute arbitrary code on the BP
<viric> whitequark: isn't it tricky about the linking, addresses, ...?
<roh> whitequark: why do you wonder?
<whitequark> roh: about what?
<roh> about debug symbols etc.
<whitequark> viric: nope, RIL is just a linux .so
<roh> most devices i get have adb running, some even on the ip interfaces.
<whitequark> roh: because I want a FOSS RIL, and also I want to know what this backdoor could do with my phone
<viric> ah, with sections and all that.
<roh> whitequark: thats only ONE backdoor possibility.
<viric> roh: what's adb?
<whitequark> roh: I dunno what the stock firmware has, nor do I care. I run cyanogenmod on it and it doesn't have obvious stupid holes
<roh> i do not trust the baseband fw (that's what your ril connects to) or anything else on such systems
<whitequark> roh: me neither
<DocScrutinizer05> whitequark: which modem does SGS2 have?
<whitequark> DocScrutinizer05: xgold626
<roh> viric: android debug bridge. the 'debugger helper tool'
<viric> щл
<viric> ok
<whitequark> roh: but baseband is isolated in this machine. it doesn't control any hardware at all
<DocScrutinizer05> whitequark: ooh, so it's not one of 'ours'
<roh> so writing an opensource ril for droid is like putting one bucket of clean water in a pool full of mud. senseless.
<roh> whitequark: bullshit. sorry. most basebands have full system access.
<whitequark> roh: I have level 3 service manual with schematics
<roh> including memory.
<roh> beside the possibility to use backdoors or bugs on the app-cpu. most basebands are
<roh> 'trusted more' than the app-cpu
<whitequark> roh: and it only has IPC over USB for that matter. no sound routing (done by AP), no shared memory
antgreen has joined #qi-hardware
<whitequark> roh: power management is done by a separate PMIC connected to AP
<roh> whitequark: doesn't make it better. do you think these 'ipc drivers' have any sane protections against harmful data streams?
<whitequark> baseband power is managed by AP, though I don't know exactly to what degree, this needs further investigation.
<DocScrutinizer05> roh: BS, e.g. next STE modem on SG has HSI interface and doesn't control *anything* on AP
<lindi-> whitequark: anyways, would be really good to have some public report about this
<whitequark> roh: kernel is open-source and can (and will) be fixed, that's already ongoing.
<roh> whitequark: most of that stuff is of the lowest possible code quality. it's 'write once'-code. to be thrown away and not be reused.
<whitequark> roh: yeah, I know and it is
<whitequark> I'm just saying that this phone has the sanest design I've seen, ever
<roh> DocScrutinizer05: depends on the hardware platform of course. but i haven't found a single device which has a sane concept to hinder a hostile baseband from rooting the app cpu
<whitequark> roh: apart from exploiting the (possibly buggy) USB driver, how would you do that?
<roh> using serials instead of shared memory windows is helping for sure. just sucks when you need more than a few bytes a second
<roh> whitequark: most devices don't use usb. usb sucks.
<DocScrutinizer05> HSI
<DocScrutinizer05> or ULPI
<whitequark> roh: I don't give a fuck about most devices.
<roh> usb is high-latency and wastes power. totally stupid choice
<whitequark> DocScrutinizer05: do the words "Comneon HSIC" tell anything to you?
<roh> DocScrutinizer05: what should that be?
<roh> DocScrutinizer05: you want me puke, right?
<DocScrutinizer05> whitequark: nope
<roh> DocScrutinizer05: i will never use a device with that code on it. caif is a reason to not buy a device.
<DocScrutinizer05> mhm
<DocScrutinizer05> :shrug:
<whitequark> DocScrutinizer05: do you know the reasons for such a change of the tightly coupled baseband design?
<whitequark> it seems surprisingly sane for phone vendors
<whitequark> phone/bb
<DocScrutinizer05> what change?
<whitequark> from shm to serial
<roh> ulpi is just another word for 'usb'
<DocScrutinizer05> shm has some issues
kyak has joined #qi-hardware
kyak has quit [Changing host]
kyak has joined #qi-hardware
<DocScrutinizer05> thanks for explaining to me, roh
<roh> and hsi seemingly for 'make spi complicated'
<DocScrutinizer05> ;-P
<roh> DocScrutinizer05: ;)
<whitequark> roh: so, what phone would you use? a dumbphone?
<whitequark> and if you need more features than that?
<roh> heh. caif runs over shm and hsi, so its another layer over a layer... sigh
<DocScrutinizer05> dafaq
<DocScrutinizer05> it can run via arbitrary interfaces
<DocScrutinizer05> even via rs232
<roh> whitequark: i don't use a smartphone. phones which cannot run without recharging for at least a week aren't anything which i can work with.
<DocScrutinizer05> and USB
<viric> roh: same here. :)
<roh> DocScrutinizer05: i just checked the code, didn't see any documentation.
<roh> DocScrutinizer05: but it's funny how they reinvent the wheel. in the end they all do 'serial over $foo' .. why not use serials and hdlc or similar stuff which we have since the 80s?
<DocScrutinizer05> there's also a (rather outdated) readme
* whitequark feels like a pick&place machine
<DocScrutinizer05> roh: why doesn't phonet do this?
<DocScrutinizer05> why doesn't GSM muxer 07.?? do it?
<DocScrutinizer05> CAIF is just a mux over arbitrary interfaces
<roh> DocScrutinizer05: i don't know what phonet is.
<DocScrutinizer05> and it's what RIL talks to
<roh> caif is proprietary Ericsson stuff
<DocScrutinizer05> when the modem is offering CAIF and not phonet
<whitequark> DocScrutinizer05: is it patented?
<roh> anyhow. i dont want to discuss choices in
<DocScrutinizer05> roh: you already stated you never will touch any hardware with CAIF code on it - why do you bother about docs or proprietary?
<roh> droid or so.. since we all know that none of these protocols are made due to technical thoughts, but rather by ip and businessplan logic.
<DocScrutinizer05> honestly, I don't care what you think about CAIF
<roh> sorry, but READ that code. i would bet on it that it's exploitable a lot.
<roh> it's HUGE. 1300 lines for encapsulating serials in serials. wtf.
<DocScrutinizer05> so what? go write better code!
<DocScrutinizer05> it's FOSS, no?
<whitequark> 1300 lines isn't huge for C and this stuff. just saying.
<DocScrutinizer05> anyway it's what STE LTE modem will talk over HSI to AP
<DocScrutinizer05> of next Samsung device
<whitequark> DocScrutinizer05: oh, now that's interesting
<DocScrutinizer05> and since it's FOSS you're free to implement any better code for CAIF to your liking
<roh> DocScrutinizer05: well.. i will wait for them to build usable devices again. the current market is quite dead and boring (all the same concept and laughable battery runtime)
<DocScrutinizer05> and stack your own RIL on top of it
<roh> nobody needs ril.
<DocScrutinizer05> MEH
<DocScrutinizer05> nobody needs this discussion
<roh> no shit ;)
<roh> but at least we now know that it's not 'the baseband has no control' on all hardware but just some and the state of sw isn't 'nice' .. so no. currently there is no real protection whatsoever against hostile baseband code (and that basebands can be exploited remotely was shown on multiple security events)
<whitequark> roh: well, the only thing I don't understand is why when I say that I can do better, you reply that it's useless
<roh> whitequark: ril is something android specific. if you want to do better: do not use android.
<whitequark> roh: what can I use _now_?
<whitequark> meego? or how is that vaporware called now?
<roh> lots of stuff. but yes. most proper devices are not built anymore or never in series.
<whitequark> I want a phone that I can use and can have control of (not tivoized, FOSS system). android is the nearest to that goal.
<whitequark> I don't see any system better
<whitequark> of course there's a baseline requirement that it should be a usable smartphone. i.e. a FR isn't a usable smartphone due to numerous issues.
<roh> whitequark: i liked the N950, but then nokia decided to kill themselves and not sell it.
<whitequark> I have nothing against N9*
<roh> whitequark: and simply said: there is no usable smartphone at the moment.
<lindi-> roh: if you require one week standby times then that rules out everything indeed
<whitequark> well, you can give up if you want. I'll just fix what I can get.
<viric> I also want one week standby.
<roh> lindi-: well.. that's my own measurement ladder. but most do not even survive the day atm. which is really sad
<lindi-> I just use external batteries if I need longer standby time during some trip or something
<viric> that sounds like a mobile phone in the 90s.
<DocScrutinizer05> whitequark: according to roh's "rationale" every device is unsafe, vulnerable and crap
<DocScrutinizer05> even FR
<roh> DocScrutinizer05: sorry, but yes. (but thats not because of my rationale, but simply because we were not allowed to fix bugs properly)
<DocScrutinizer05> and to like N950 is outright insane, since THIS crap has really nasty HS stuff on OMAP
<roh> fr actually has a good runtime compared to some other 'smartphones'
<roh> DocScrutinizer05: i liked it because it was the first device i had in my fingers which did not lag like hell in normal scrolling
<DocScrutinizer05> pff, it also has vulnerable code in drivers for hw IF
<roh> yes. like all the rest too. get used to that.
<DocScrutinizer05> roh: for some reason I don't enjoy to discuss with you today
<DocScrutinizer05> might be me
<whitequark> so much hate
<roh> DocScrutinizer05: sorry. i know the state of mobile phones is depressing ;)
<DocScrutinizer05> bwahaha
<DocScrutinizer05> only depressing thing for me right now is the inconsistent reasoning you offer here
<DocScrutinizer05> the next depressing thing for me is I have to run tests against CAIF in work, thus need to touch android (a thing I despise)
ChanServ has quit [*.net *.split]
<whitequark> sigh
<viric> I also like mobile phones that can turn off and on quickly
<whitequark> viric: for what?
<DocScrutinizer05> viric: there's that iPhone sleeve with featurephone integrated - maybe the thing for you? ;-)
<viric> well, turn on and off the radio at least
<viric> gsm.
<viric> all that.
<whitequark> viric: android turns radio on/off in a ~second
<whitequark> erm
<viric> I feel better with the phone turned off, too. :) but when I want it, i dislike waiting minutes
<whitequark> android on SGS2.
<viric> ok
<DocScrutinizer05> viric: modems take a few seconds to turn on. If you want your full inflated linuxoid OS to boot up on AP in the same timespan, you've got another problem not related at all to phones
<viric> now I don't need any linuxoid os.
<DocScrutinizer05> what are we discussing then?
<whitequark> ... and you get an even more infested dumbphone which is one big BP.
<viric> Yes I also dislike that.
<viric> switched off phone is the happiest :)
<whitequark> are you sure it is actually switched off?
<whitequark> I'm not
<DocScrutinizer05> define phone!
<DocScrutinizer05> even: define "switched off"!
<viric> :)
<viric> I can easily take out the battery
<whitequark> oh, you're one of that kind of people
<viric> even the rtc battery is out... I've to reset the time
<DocScrutinizer05> and you can also take a sledgehammer
<DocScrutinizer05> honestly, I wonder what we're discussing here
<viric> nah, I barely switch off the phone because I'd have to wait for the boot time
<viric> let's stop the discussion :)
ChanServ has joined #qi-hardware
antgreen has quit [Ping timeout: 246 seconds]
<lekernel> roh: what is all your software compiled with, again? :)
xwalk_ has joined #qi-hardware
kristoffer has joined #qi-hardware
jekhor has joined #qi-hardware
jekhor has quit [Ping timeout: 252 seconds]
Textmode has joined #qi-hardware
Textmode has quit [Ping timeout: 255 seconds]
Textmode has joined #qi-hardware
xwalk_ has quit [Ping timeout: 252 seconds]
kristoffer has quit [Quit: Leaving]
<wpwrak> the absence of current limiting on the 8:10 card slot of the ben can be quite annoying ...
<whitequark> wpwrak: what did you fry?
<wpwrak> no, nothing broken. but if i use UBB to program a microcontroller circuit, the inrush current has a tendency to reset the nanonote
<wpwrak> and in this case, i can't leave the circuit powered, because the programming signals are shared
<wpwrak> so it's power up, type "make prog", put the adapter in place, cut power, and then quickly hit Enter before the device discharges too much
<whitequark> ahem.
<whitequark> what about a current limiting resistor and a cap?
<wpwrak> more like an inductor. a cap is already present in the ben. and yes, an inductor or such is what we should have there
phirsch has quit [Ping timeout: 245 seconds]
phirsch has joined #qi-hardware
compcube has joined #qi-hardware
compcube has quit [Changing host]
compcube has joined #qi-hardware
<whitequark> oh, yes, inductor indeed
* whitequark zzzzz