Hosting a blog on a GPS / LTE modem

image

PinePhone GPS / WWAN / LTE Modem

While developing software on PinePhone, I came across a curious message in dmesg:

[   25.476857] modem-power serial1-0: ADB KEY is '41618099' (you can use it to unlock ADB access to the modem)

For context, I will say that the PinePhone has a modem Quectel EG25-Gin charge of GPS and wireless communications for the PinePhone. This hardware is one of the few components of a phone with closed source

When I saw this message and the mention of ADB, I immediately thought of the Android Debug Bridge, that is, the software that is commonly used to communicate with Android devices. I thought, “Of course, this cannot be the same ADB “. Well, it turns out that it is.

This post is related to article, which describes this modem in detail. It is also associated with unblocking utilitywhich prints out AT commands to provide adbd modem.

$ ./qadbkey-unlock 41618099
AT+QADBKEY="WUkkFzFSXLsuRM8t"
AT+QCFG="usbcfg",0x2C7C,0x125,1,1,1,1,1,1,0

They can be sent to the modem using screen:

# screen /dev/ttyUSB2 115200

For some reason, my input was not returning any data, but the screen session returned “OK” twice, indicating that it completed the commands successfully.

After setting up the rules udev and adb on my “host machine”, that is, on the PinePhone, the modem began to produce output for adb deviceswhich I could pass to the shell:

$ adb devices
List of devices attached
(no serial number)	device

$ adb shell
/ #

As adbd was started in root mode, I piped the output to the root shell. Excellent.

It turned out that the modem runs its own operating system, completely independent from the rest of the PinePhone operating system. With the latest updates, it runs Linux 3.18.44.

Launching the web server

For some reason, I thought it would be fun to run my blog on this device. Since we are working with limited resources (about 48MB of storage and the same amount of memory), and my blog consists of only static pages, I decided that something like nginx (no matter how lightweight) would be a waste of resources for my purpose. …

It seemed to me that it meets my requirements well darkhttpd… Single binary, no external dependencies, only execute GET and HEAD requests. Ideally.

I used the toolchain armv7l-linux-musleabihf-cross to cross-compile this server for ARMv7, and statically link it with musl. With help adb push I easily managed to transfer the binary and resources of my site to the folder /usrdata modem, to which a 50 MB partition is mounted with the ability to write.

The HTTP server works great. I decided to use ADB to open the HTTP port for my PinePhone:

$ adb forward tcp:8080 tcp:80

Since ADB-forwarded ports are bound only to the loopback interface, I manually opened it for external connections:

# sysctl -w net.ipv4.conf.all.route_localnet=1
# iptables -t nat -I PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8080

Then I was able to access my blog at http://pine:8080/… Cool!

Performance?

I ran iperf for port forwarding via ADB to check how much performance can be achieved.

$ iperf -c localhost
------------------------------------------------------------
Client connecting to localhost, TCP port 5001
TCP window size: 2.50 MByte (default)
------------------------------------------------------------
[  3] local 127.0.0.1 port 44230 connected with 127.0.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.6 sec  14.4 MBytes  11.4 Mbits/sec

That is about 10 Mbps. Not great, not terrible.

The PinePhone itself is connected to the network via USB (note: for the network connection via USB to work, I had to remove two components from the board). For fun, I ran iperf and for this connection:

$ iperf -c 10.15.19.82
------------------------------------------------------------
Client connecting to 10.15.19.82, TCP port 5001
TCP window size:  136 KByte (default)
------------------------------------------------------------
[  3] local 10.15.19.100 port 58672 connected with 10.15.19.82 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.4 sec  25.8 MBytes  20.7 Mbits/sec

I expected more, but it doesn’t really matter because the bottleneck is the connection being redirected through ADB.

Other reasoning

I wondered about the security of the modem. It turned out that many AT commands используют в модеме system()… I suspect that some of these AT commands may be vulnerable to command injection, but I haven’t done more research. It doesn’t really matter, since the ADB root shell is very easy to implement.

At first glance, this seems like an ideal way to ensure the resilience of malware. With root access to the host, malicious code can embed itself into the modem, allowing it to survive the host OS reinstallation, intercept communications, or track the location of the device. The damage is partially mitigated by the fact that all interaction with the host OS is done via USB and I2S, and only when the host OS initiates it, so the malicious code in the modem will not be able to directly interact with the host OS.


Advertising

Epic servers for hosting sites and more! Cheap VDS powered by the latest AMD EPYC processors and NVMe-based storage from Intel to host projects of any complexity, from corporate networks and gaming projects to landing pages and VPNs. You can create your own server configuration in a couple of clicks!

Subscribe to our chat in Telegram

Similar Posts

Leave a Reply