tecepe has quit [Remote host closed the connection]
mzpx has quit [Remote host closed the connection]
tecepe has joined ##openfpga
<rqou> offtopic: i just got gifted an emobile gp02 3g+wifi thingy
<rqou> need to hack some sane openwrt or whatever into it at some point
<rqou> aaand i just found out it doesn't support north american frequency bands
DocScrutinizer05 has quit [Disconnected by services]
DocScrutinizer05 has joined ##openfpga
<azonenberg> lol
<azonenberg> save it for next time you go back to hk?
<rqou> i already tore it down ;P
<rqou> more parts than i expected
<rqou> it has a qualcomm modem, i.MX, and an atheros wifi
<rqou> not a fully integrated uber SoC
<digshadow-s> rqou: microscope food
<rqou> for an actually more useful cellular modem, i have an em7455 that i need to get hooked up
<azonenberg> rqou: still a SBC with wifi, right?
<azonenberg> just doesnt have useful cellular
<rqou> the aliexpress seller even sent me the confidential datasheet for it :P
<rqou> yes, that part should still work
<digshadow-s> rqou: I have a satellite tracking system if you ever want to get into some rf mischief
<rqou> but there's no real convenient interface
digshadow-s has quit [Quit: leaving]
digshadow has joined ##openfpga
digshadow-s has joined ##openfpga
<rqou> for an actually useful cellular modem the em7455 looks like almost the best compromise possible
<rqou> it has LTE, USB 3.0, and "good enough" band coverage
<rqou> and dual sim
<rqou> digshadow: at some point for RF mischief I want to recreate the hack of running a 2g gsm base station legally on the US ham radio/EU gsm overlap channel
<rqou> too bad 3G/LTE fixed this :P
<digshadow> heh
<rqou> apparently when planning out gsm frequency bands regulators forgot that the US had a weird ham band allocation
<rqou> so for reference E-GSM-900 apparently has an uplink range of 880-915 mhz and a downlink of 925-960 mhz
<rqou> this just barely overlaps with the US 33cm ham band at 902-928 mhz
digshadow has quit [Ping timeout: 244 seconds]
digshadow has joined ##openfpga
<rqou> actually wait
<rqou> LTE band 8 is the same frequency range
<rqou> i wonder if the 3mhz overlap between LTE band 8 and the 33cm ham band is actually enough to run a base station
<rqou> apparently LTE band 8 permits a 1.4 mhz channel bandwidth
<rqou> so it should be possible to do a fully legal LTE band 8 base station in the US
<azonenberg> lool
<azonenberg> Can you run LTE without crypto though?
<azonenberg> and do the regs for that ham band permit digital voice?
<rqou> i don't know about LTE without crypto, but this band permits basically everything
<rqou> huh i just realized the em7455 module i was talking about actually doesn't support gsm
<rqou> it's 3g/lte only
<rqou> we need more qualcomm leaks so it can be hacked :P
<azonenberg> lol
<rqou> hey, qpst/qxdm leak regularly
<azonenberg> if i had to guess half the protocol is hard wired
<azonenberg> i doubt it's possible to convert
<azonenberg> leaks could totally allow a SDR implementation
<azonenberg> But not converting a CDMA chip to LTE :p
<rqou> afaik most of the qualcomm chips support all the modes
<rqou> they can just be disabled/enabled in some nvram
<azonenberg> if it's there and fused off? thats totally different
<rqou> e.g. the nexus 6p is supposed to support all of CDMA/EVDO/GSM/UMTS/LTE
<rqou> this module claims to only do UMTS+LTE
<rqou> it probably can do GSM too
<rqou> on a slightly different topic, why has no RE been done against ath10k?
<rqou> (the firmware blob)
amclain has quit [Quit: Leaving]
Bike has quit [Quit: more]
massi has joined ##openfpga
<rqou> offtopic: would anyone here just so happen to know where to obtain a particular file known as the "Oman Archive"?
<rqou> this came up briefly at #mtvre
<rqou> it's a 90s-era leak of N64 source code
scrts has quit [Ping timeout: 258 seconds]
scrts has joined ##openfpga
<felix_> rqou: haven't had a look at the ath10k firmwares; i'd guess that it runs on a xtensa core; at least atheros used xtensa before
<felix_> so much stuff to reverse engineer, so little time... ;)
* felix_ looks at his collection of various stuff he wants to have a closer look at
scrts has quit [Ping timeout: 256 seconds]
scrts has joined ##openfpga
mzpx has joined ##openfpga
maaku has quit [Ping timeout: 260 seconds]
maaku has joined ##openfpga
Bike has joined ##openfpga
scrts has quit [Ping timeout: 248 seconds]
amclain has joined ##openfpga
kuldeep_ has quit [Ping timeout: 248 seconds]
scrts has joined ##openfpga
kuldeep_ has joined ##openfpga
mzpx has quit [Ping timeout: 256 seconds]
mzpx has joined ##openfpga
digshadow has quit [Ping timeout: 258 seconds]
digshadow has joined ##openfpga
massi has quit [Remote host closed the connection]
digshadow has quit [Quit: Leaving.]
digshadow has joined ##openfpga
<rqou> whitequark: goddammit
<rqou> at least my jenkins is now in a container
<rqou> i wonder if it works on the weird way i do auth?
scrts has quit [Ping timeout: 256 seconds]
<whitequark> which
<rqou> I use the Reverse Proxy Auth Plugin
scrts has joined ##openfpga
<rqou> and then have nginx do client cert auth
<rqou> trying to log in using a username+password (somehow the button still appears) actually gets a 404
<rqou> i also run jenkins under lxc (unprivileged)
<rqou> so you will need to either chain with a kernel vuln or an lxc escape+another local privilege escalation
tecepe has quit [Read error: Connection reset by peer]
<rqou> felix_: yeah, i just did some poking and it's almost certainly xtensa
<felix_> is it signed?
<rqou> almost certainly not
<felix_> nice
<rqou> it has lz77
<rqou> unfortunately my pirated copy of ida pro doesn't support xtensa
<felix_> thx
<felix_> my ida copy also doesn't have native xtensa support, but there is some external xtensa support for ida
<rqou> as a result of esp8266?
<felix_> yes
<felix_> i'd guess that the core used in ath10k doesn't use that much extensions
<felix_> so that might work
<rqou> for various other bits, there's this thing: https://github.com/qca/open-ath9k-htc-firmware
<rqou> and also this: http://problemkaputt.de/gbatek.htm#dsiatheroswifiinternalhardware (WARNING LEAKED NDA INFO HERE)
<rqou> none of these are the same chip though
<rqou> i'm probably not going to poke it too much more for now though
<rqou> the esp8266 ida thing probably doesn't work
<rqou> ath10k uses register windows
<rqou> need to add those opcodes
<felix_> open-ath9k-htc-firmware is some xtensa based chip which is used to connect the pcie ath9k chips to a computer via usb
<felix_> meh
azonenberg_work has quit [Ping timeout: 258 seconds]
azonenberg1 has joined ##openfpga
azonenberg has quit [Remote host closed the connection]
<felix_> i should write some more architecture support for ida, but -ENOTIME :/
azonenberg1 has quit [Client Quit]
<rqou> yup
azonenberg has joined ##openfpga
<felix_> oh, in some talk about ath9k and ath10k the presenter said that ath10k isn't that different from ath9k and that the embedded microcontroller in ath10k is more of an addition and not a completely new architecture
<rqou> yeah that's what it looks like
<felix_> hm, i think i should order some ath10k card. not that i don't already have enough unfinished projects, but well...
tecepe has joined ##openfpga
<rqou> i have a Compex WLE900VX
<rqou> QCA9880 chipset
azonenberg_work has joined ##openfpga
<rqou> wishlist: master list of "useful" (whatever that means) things being RE'd
<rqou> of course something like this would instantly become unmanageable
<rqou> felix_: another useful project might be to RE the esp8266 phy
azonenberg has quit [Ping timeout: 258 seconds]
azonenberg_work has quit [Ping timeout: 260 seconds]
azonenberg_work has joined ##openfpga
<felix_> hm, has no one already reverse engineered the esp phy? i've seen rom dumps of that device so it should be doable to fully reverse engineer that
<rqou> you know you are definitely in Berkeley when you go to buy a sandwich and Prof. Umesh Vazirani gets in line behind you while discussing the election with a colleague :P
<rqou> felix_: i don't think anyone has
<rqou> i looked at it a while back and found that most of the blobs were just the mac80211 code from linux/bsd
<rqou> but i didn't look into how the phy parts worked
<felix_> the things i consider most useful to be reverse engineered would be fpga bitstreams, lte basebands, ac wifi chips and maybe the various embedded microcontrollers in current computer platforms (i doubt though that we get code execution on the management engine of current intel platforms)
<felix_> hehe, nice
<rqou> hmm i feel intel ME almost certainly has RCE bugs
<whitequark> it definitely has weird machines inside
<rqou> some ME builds have a JVM of some kind
<felix_> that's only one component which can't access much stuff directly
<rqou> i really like how if you look into the history the ARC cpu used to run the ME evolved out of the SNES coprocessor used to make Star Fox
<felix_> arc is quite widely used
<whitequark> what
<whitequark> .. huh
<rqou> "Following the success of the Super FX, its designers were split from the main company to a subsidiary called Argonaut Technology Ltd (ATL). The design was renamed to ARC and marketed as a general-purpose configurable microprocessor. Later, ATL spun off as a separate company, ARC International. "
<felix_> interesting
<felix_> yep. https://github.com/zamaudio/smutool (and guess why i wrote some basic lm32 support for radare2 ;)
<felix_> on my ida architecture support to-write list are lm32, a bit more complete xtensa support and andes
<rqou> andes?
<felix_> oh and a very cool application for own code on a qualcomm baseband would be osmocom base station support for cheap lte usb sticks
<rqou> are hexagon/or1k already supported?
<rqou> oh yeah i actually did the osmocom folks a small favor a while back :P
<felix_> andes is some 32bit embedded microcontroller; i actually don't remember where i needed support for that architecture
<rqou> i helped them buy some random phones off of taobao
<felix_> not sure about hexagon support in ida
<rqou> google suggests andes is in some mediatek thing
<felix_> yeah, or1k is used in the power management core in some allwinner chips and should also be on the list of things i want supported in ida
<felix_> hm, yeah, it was used in some wireless stuff
<whitequark> huh
<rqou> not surprised re or1k
<felix_> there's also cortus which is iirc used in the atmel wireless chip used in the new amazon dash things
<rqou> my father hired an fpga engineer in SZ and one day when discussing softcores the engineer mentioned that lots of random shit in china uses or1k
<felix_> i like lm32 more than or1k; imho cleaner architecture
<rqou> yeah agree
azonenberg has joined ##openfpga
<rqou> although at this point i'm looking at the #j-core sh2 clone
<felix_> a lot of stuff in china also uses the old 8051, z80 or 6502 arch
<rqou> yes, but those are garbage and worthless :P
<felix_> yep
<rqou> if it weren't for GPLv3 uncertainties and patents, I would use the Navre AVR clone
<rqou> (for an 8-bit core)
<rqou> imho AVR is basically the only sane 8-bit arch
<felix_> small 32bit micro isn't that much bigger than an 8 bit micro, so why still bother with the 8 bit stuff?
<felix_> sure avr is one of the better 8 bit arch
<rqou> if you're using a small FPGA and trying to use as few luts as possible?
<felix_> then picoblaze or microblaze or nios2 when on altera
<rqou> picoblaze is also terrible
<felix_> those are optimized for the fpgas of the vendors
<rqou> iirc Navre is smaller than microblaze
<rqou> 1K LUTs on S6
<felix_> haven't used picoblaze and probably won't do that
<felix_> for not too complex stuff i used some simple microcoded architectures and for most other stuff either adding some 32bit core or using the 32bit core which is already present in the system is ok
<felix_> well, not architectures but some construct made of a blockram and some slices
<cr1901_modern> My problem is picoblaze is the license and the lack of a decent assembler, not its existence :P
<felix_> https://www.fpgarelated.com/showarticle/758.php was the article which gave me the idea to use microprogrammed engines in fpga designs
mzpx has quit [Remote host closed the connection]