Results matching “openmoko”

   25C3: Nothing to hide
   25th Chaos Communication Congress
   December 27th to 30th, 2008
   bcc Berliner Congress Center, Berlin, Germany

This year, I was in Berlin for the third time for Chaos Communication Congress and concluded that predictions for 2009 and beyond shouldn't be based on a magic ball - you can just extrapolate from things that were presented at 25C3. So, I borrowed William Gibson's quote for the title of this post.

Digital hacking

PowerLineCommunications (PLC, or ethernet-over-powerlines) is really coming. There are devices available in MediaMart and/or Saturn, and IEEE is in the process of standardization. Face it: we are moving towards a world in which we will have just one cable between device and wall for both power and ethernet (up to 200Mb/s).
FAIFA: A first open source PLC tool is a good introduction to the field and an example of a tool for seeing parts of the network.

Chip Reverse Engineering is easier than ever. If you are designing a hardware system and depend on security through obscurity (hoping that nobody will be able to read your chip design), this is just no longer true. We know that from last year's 25C3 Mifare presentation, but this year we saw that it's getting so easy that you really have to have enough silicon to provide real security.
Watch Chip Reverse Engineering for overview of tools which we have available today.

RF fingerprinting enables us to detect hardware differences between devices which are the result of small imperfections in manufacturing, and so to identify devices from the same manufacturing run.
Watch RF fingerprinting of RFID to find out how that works for 802.11 devices and RFID passports.

While we are on security topics, it seems that php is getting taint support, if only for security analysis. Vulnerability discovery in encrypted closed source PHP applications provides a fascinating step-by-step introduction into php reverse engineering from php opcodes back to source code. I can't wait for release of tools mentioned in talk!

Hacking telecommunications

Although I'm not really interested in hacking of iPhone (because I don't believe in closed devices) it was interesting that only single weak link in security (even before boot loader) can bring whole system down.
Hacking the iPhone explains how they did it, and interesting part is that they have some knowledge of broadband part (needed to implement sim unlock) which might be also useful for other devices.

Anatomy of smartphone hardware is great introduction into smart phone class devices.

Harald Welte who did this lecture and who we know from iptables, Openmoko and Sputnik is now moving to Running his own GSM network by attaching Siemens BS-11 microBTS (base transceiver station, that part on telco pole) to Linux using A-bis telco protocol.
Running your own GSM network and presentation files are essential material to understand why it's a bad idea to forget that the device needs to verify (in a cryptographically secure way) whether it is connecting to the right network. If you put all your intelligence and trust in network itself, you will get 3000+ pages of documentation but not security.

DECT network and phones are designed after GSM, and they can check for validity of network. Unfortunately, with cheap 23 EUR card, you can be your own base station and ask phone to ignore encryption if you want to. This involved reverse engineering chip's encryption (I told you it's easy these days) and writing linux driver for PCMCIA card. Hardware part of lecture is in German, but slides are in English, and even without that part it's really interesting.

Advanced memory forensics: The Cold Boot Attacks provided overview of technique and special attention to crypto keys recovery from partially decayed memory. video

Console Hacking 2008: Wii Fail once more reinforced my feeling that you can't really design completely secure system. video
On the other hand, I really liked idea that Play Station 3 is only console which hasn't been hacked just because it can run Linux natively. As we all know from MD5 considered harmful today where researchers created MD5 collision for CA which got enough mention already.

coreboot: Beyond The Final Frontier is nice introduction to free bios replacement which includes utility to flash bios on most motherboards under linux called Flashrom which I must give a try. video

Scalable Swarm Robotics: sometimes it is really important to make real robots to test in the real world. video

State of the world

One of benefits of CCC is that you can also hear a lot of topics unrelated to digital hacking.

Climate Change - State of the Science which provides great overview and points to possible solutions giving us at least some hope.
I bet you didn't know that half of people in Berlin doesn't own car...
Since there isn't official recording of lecture, I'm providing mirror of Climate Change - State of the Science stream dump for future reference.

Flying for free introduced me to wonderful world of gliders which reminded me a lot to boat sailing but in 3D.
Mirror of stream dump from Flying for free will introduce you to bits of magic that birds knew all along...

Not Soy Fast: Genetically Modified, Resource Greedy, and coming to a Supermarket Near You explains a lot about soy that we or our animals eat. video

Life is a Holodeck! is one of rare lectures that I would really like to see myself because streams of holograms can't bring you real 3D feeling...
Although presenter HoloClaus is somewhat stiff at beginning it is nice overview of technologies used and current state of art which involves computer rendering of 3D objects in full color with resolution of 500 lines per millimeter. Of course, you can also make holograms from real objects if you want to have 2 tons heavy stand for it, special laboratory and SOP which includes:

  • put object on 2T stand
  • go to coffee for 20 minutes so it can settle
  • press button to take H1 hologram
Work which involves coffee as part of it can't be that bad :-) video.

Back to somewhat computer related topic, All your base(s) are belong to us provided me with update on current state of the art in DNA sequencers. video

Wikileaks is archival site for whistleblowers. video

See you at CCC next year?

All in all it was well spent time (and much more interesting than OSCON 2008, at least for me). Conference was very crowded, and I ended up listening to all lectures over stream and/or recording. However, being in Berlin is unique experience, but it doesn't make sense for less than 10 days, so I won't make this mistake again (hopefully) :-)

Finally, I have waited long enough to have binary driver for GPS available.

After installing it I wrote a small script which enables you to show GPS data on screen:

  • install gllin driver
  • ipkg install vte
  • install /home/root/gps.sh script below:
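    #!/bin/sh
    # First run (no START_TERM): stop GSM and re-run this script inside vte.
    # Second run (START_TERM set): start gllin and log its output.

    if [ -n "$START_TERM" ] ; then

        gllin=/home/root/gllin/gllin

        echo "*** starting gllin"
        $gllin &
        sleep 3

        # one trace file per run: /media/card/<date>.<pid>
        file="/media/card/$(date +%Y-%m-%d).$$"
        echo "*** creating log $file"

        # show GPS output on screen and save it to the trace file
        cat /tmp/nmeaNP | tee "$file"

        killall gllin
        kill $(ps ax | grep cat | grep nmea | awk '{ print $1 }')

        DISPLAY=:0 /etc/init.d/xserver-nodm start

    else

        # stop gsmd and power down the GSM part to preserve power
        /etc/init.d/gsmd stop
        echo 0 > /sys/bus/platform/devices/gta01-pm-gsm.0/power_on
        START_TERM=1 DISPLAY=:0 vte -c "$0"

    fi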


  • create /usr/share/applications/gps.desktop icon so you can start GPS tracking from GUI:

    [Desktop Entry]
    Encoding=UTF-8
    Name=GPS
    Comment=GPS trace output
    Exec=/home/root/gps.sh
    Icon=openmoko-terminal
    Terminal=false
    Type=Application
    Categories=GTK;Application;Utilities
    MimeType=text/x-vcard;
    SingleInstance=true
    StartupNotify=true

This combination will shut down the gsm part (to preserve power), create new trace file on /media/card/date.pid and open terminal with output so you can see what is going on (openmoko-terminal2 doesn't want to accept commands, so you need to install vte for this to work). vte on the other hand doesn't accept any arguments, so we need hack with START_TERM environment variable. OTOH, mrxvt crashes X server when you kill it so it wasn't an option.
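To check a trace file written by gps.sh for truncated or corrupted lines, the following added example (not part of the original post) validates sentence framing and checksums. It assumes the data read from /tmp/nmeaNP is standard NMEA 0183 text, one sentence per line; the function names and sample sentences are illustrative and not taken from the author's log.

```sh
#!/bin/sh
# Added example: check NMEA 0183 framing and checksums in a GPS trace file.
# Assumption: the trace holds one sentence per line, "$<payload>*<HH>".

# Print the XOR of all payload bytes in $1 as two uppercase hex digits.
nmea_checksum() {
    rest=$1; sum=0
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}            # first character of $rest
        rest=${rest#?}
        sum=$(( sum ^ $(printf '%d' "'$ch") ))
    done
    printf '%02X' "$sum"
}

# Succeed only if $1 is framed as $...*HH and HH matches the payload.
nmea_valid() {
    line=$(printf '%s' "$1" | tr -d '\r')
    case $line in
        '$'*'*'[0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) return 1 ;;                    # truncated or not NMEA at all
    esac
    payload=${line#?}; payload=${payload%???}   # strip '$' and '*HH'
    hh=${line#"${line%??}"}                     # last two characters
    want=$(printf '%s' "$hh" | tr 'a-f' 'A-F')
    [ "$(nmea_checksum "$payload")" = "$want" ]
}

# Print "<valid> <invalid>" for trace file $1; rejected lines go to stderr.
check_trace() {
    good=0; bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ -z "$l" ] && continue
        if nmea_valid "$l"; then
            good=$((good + 1))
        else
            bad=$((bad + 1))
            printf 'rejected: %s\n' "$l" >&2
        fi
    done < "$1"
    printf '%s %s\n' "$good" "$bad"
}

# Sample data: two valid sentences, one wrong checksum, one cut off mid-line.
write_sample() {
    cat > "$1" <<'EOF'
$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47
$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A
$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*48
$GPRMC,123519,A,4807.0
EOF
}

if [ -n "${1:-}" ]; then check_trace "$1"; fi
```

Run it with a trace file as the only argument; it prints the count of valid and rejected lines, which is a quick way to spot a log cut short when the terminal was closed or the card filled up.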

openmoko-gps.png

Happy GPS hacking...

OpenMoko flashing

Few days ago I decided to run ipkg update ; ipkg upgrade on my moko, and this didn't end up quite well. For a start, I managed to fill root filesystem, and while I tried to remove almost everything that I didn't use, I ended up with non-working unit.

Since I'm following qemu-neo1973 tree and testing images in emulator, I decided to re-flash with latest image. This proved to be very bad since latest image doesn't have gsm drivers, so moko dies on splash screen making device unusable (ssh isn't started at that point so I couldn't connect to it -- If I only had development board...)

Most interesting (and scary) things were error messages from jffs2 which led me to believe that my device has developed additional bad blocks. So, I started reading wiki and dumped my bad-blocks table (dump from u-boot prompt):

GTA01Bv4 # nand bad

Device 0 bad blocks:
00070000
00ab0000
00f00000
03ff0000
03ff4000
03ff8000
03ffc000

Last four entries are bad-block table itself, but my device really has bad blocks. I wasn't able to access additional fields which would tell me if they are factory bad or developed in use...

Since I suspected that my device is completely broken (selecting factory default option in u-boot didn't help) I decided to try re-flash with different image. I went to wiki, selected another u-boot/boot/root images and flashed them using following commands described in wiki:

dfu-util -a u-boot -R -D u-boot-gta01bv4-r12_0_2632_0.bin
dfu-util -a kernel -R -D uImage-2.6.22.5-moko11+svnr3238-r8-neo1973.bin
dfu-util -a rootfs -R -D OpenMoko-scaredycat-openmoko-devel-image-glibc-ipk-P1-Snapshot-20071118-fic-gta01.rootfs.jffs2

After a looong wait (it's a USB 1.1 device) I must report that I'm actually amazed by amount of progress. New home screen, working browser and media player!

openmoko-home.png openmoko-web.png openmoko-media.png

However, I still can't make any calls (this will take a bit more fiddling) and file dialogs are just unusable (too big and with too much options) and I still can't type on any screen orientation.

Google's announcement of Android platform provoked me to think about leaving OpenMoko on the shelf with other toys for which I don't have time any more, but when I saw new software upgrade I have to re-consider this.

  1. OpenMoko is here: I have the device, it exists in hardware
  2. qemu-neo1973 just got very good GSM emulator (you can select emulated GSM network, send messages and calls to emulated phone) which will probably bring GSM and SMS functionality to good shape real-soon-now(tm)

To replace my aging Nokia I need following:

  1. working phone (voice calls) - almost there, but not quite :-)
  2. SMS messaging - there is beginning of it in GUI, but no real functionality
  3. keyboard on which I can type with my big fingers

This brings me back to my plans: since I can't develop anything for GPS until there is binary (sigh!) driver available I would probably want to write almost full-screen 3*4 keyboard just like the one on regular cell phones. This would allow me to actually use device with my fingers.

I probably won't have time to scratch this itch in current year, so if there is anything similar (T9 implementation or even something similar to xstroke which worked well for me on Zaurus) I would love to hear about it.

OpenMoko as a phone

For quite a long time I was complaining (in person) how nice and half-usable my OpenMoko is. However, thanks to few great hints I'm now able to dial out and dial in.

First, you will really want to install cu package. It contains old UUCP serial tool which will be much more useful than you might think! Think of cu as cat for console.

Turn on your OpenMoko (while holding AUX button) and type following:

chown uucp:uucp /dev/ttyACM0 ; cu -l /dev/ttyACM0

You might try to just run cu as root, but it still doesn't work (for me) without chown first. If someone could tell me how to make this automatic, I would be grateful. So, dear lazyweb, I'm quite sure that there is some udev option for that, and if you know what, drop me a note. If not, this might become topic for another post.

Then, change boot parameters:

GTA01Bv4 # setenv bootargs_base rootfstype=jffs2 root=/dev/mtdblock4 console=tty0 loglevel=8
GTA01Bv4 # saveenv                
Saving Environment to NAND...
Erasing Nand...Writing to Nand... done
GTA01Bv4 # boot               

NAND read: device 0 offset 0x44000, size 0x1fc000
2080768 bytes read: OK
## Booting image at 32000000 ...
Image Name: OpenMoko Kernel Image Neo1973(GT
Created: 2007-08-31 11:29:10 UTC
Image Type: ARM Linux Kernel Image (gzip compressed)
Data Size: 1637653 Bytes = 1.6 MB
Load Address: 30008000
Entry Point: 30008000
Verifying Checksum ... OK

This will disable output on serial console which is interfering with gsmd that tries to open serial port to communicate with GSM part.

This is my journey so far... Now I have to wait for my poor old desktop to compile all packages to get freshest copies on my Neo...

OpenMoko arrived

After four (4) weeks of waiting from the moment credit card has been charged, it finally arrived. It seems that shipping GSM-like devices to Croatia as person (as opposed to company) isn't something envisioned by Hrvatske agencije za telekomunikacije so we had to get additional papers (most of which I don't have) and in the end they settled with hardware specification of Neo1973 from OpenMoko wiki.

I must say that people all over the process were helpful and nice: we had to communicate much more with them than I hoped, but in the end it worked out o.k.

And now several obligatory pictures (hopefully not redundant :-)

openmoko-goodies.jpg

openmoko-size.jpg

openmoko-assembly_required.jpg

After that I got rootfs flashed and I now have new (semi-functional) phone :-)

root@fic-gta01:~$ cat /proc/cpuinfo 
Processor       : ARM920T rev 0 (v4l)
BogoMIPS        : 132.71
Features        : swp half thumb 
CPU implementer : 0x41
CPU architecture: 4T
CPU variant     : 0x1
CPU part        : 0x920
CPU revision    : 0
Cache type      : write-back
Cache clean     : cp15 c7 ops
Cache lockdown  : format A
Cache format    : Harvard
I size          : 16384
I assoc         : 64
I line length   : 32
I sets          : 8
D size          : 16384
D assoc         : 64
D line length   : 32
D sets          : 8

Hardware : GTA01
Revision : 0240
Serial : 0000000000000000
root@fic-gta01:~$ free
total used free shared buffers cached
Mem: 126644 52604 74040 0 84 39100
-/+ buffers/cache: 13420 113224
Swap: 0 0 0
root@fic-gta01:~$ df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock4 62576 42572 20004 68% /
tmpfs 40 0 40 0% /mnt/.psplash
/dev/mtdblock4 62576 42572 20004 68% /dev/.static/dev
tmpfs 2048 64 1984 3% /dev
tmpfs 63320 4 63316 0% /tmp
tmpfs 63320 116 63204 0% /var/volatile
tmpfs 63320 16 63304 0% /dev/shm
tmpfs 63320 0 63320 0% /media/ram
/dev/mmcblk0p1 495168 0 495168 0% /media/card

OpenMoko paid

Relevant parts:

This message has been automatically generated with regard to the
progress of your order at the OpenMoko online store (http://direct.openmoko.com/).

Your credit card has now been charged by the following amount:

Subtotal: $300 USD
Shipping: $102.49 USD
Total: $402.49 USD

Please note that this amount might be less than what was originally
mentioned in the webshop, since we meanwhile got better shipping rates!

This means that we will now send out your order ASAP.

You will receive another status update once the order has been sent out.

Shipping is really less than first estimate of $147, and I'm waiting for second mail :-)

Finally OpenMoko is available for order. So, I ordered mine yesterday. Still no confirmation e-mail, but let's be hopeful.

On a side note, on-line store yesterday didn't have selection of model (black/gray or white/orange) so I didn't make a pick. Today there is choice, but I somehow hope that mine will be black :-). But, it doesn't really matter...

People who know me shouldn't be surprised that I would buy a phone whose real demonstration is answering a phone call from command line (on device which doesn't have a keyboard!) - just look at this video from 1:15:00 or so and you will know why you really want this device :-)

Here are some of fun stuff which I would like to hack on:

  • record GPS route and on second occasion estimate arrival time (even integrate with calendar with option to send apology sms 5 minutes before time with estimate of your arrival :-)
  • make all kind of confirmations and informations using speech synthesis... I usually listen to podcasts so it would be real nice to have it mute and read you incoming sms
  • sms sorter, initial reason for buying a phone which can run perl
  • blue tooth keyboard - seems like no-brainer, but I don't really know much about blue tooth devices

I have been somewhat busy with other stuff in my life (including writing compressed filesystem using gzip with fuse -- but that is topic for another post), so I just managed to update my svn checkout of openmoko before my main build server started freezing again. Oh, it seems that constant kernel updates won't be enough to create stable development machine...

But, then I looked around and found out that I can have simple (emulated) openmoko environment by just installing qemu-neo1973. I went so far as to install it on Toshiba Tecra with touch screen to get a feel for user interface. I can guess that hacking this device will be fun.