The Qualcomm modem chip in your iPhone 5 may be running Linux and Android tools: research

A Qualcomm MDM9615 chipset. Credit: Jojhnjoy / Wikimedia Commons

Looking for a cheap, capable 3G/4G modem for their open-source mobile communications (Osmocom) work, the hackers presenting at the 33rd Chaos Communication Congress (33C3) settled on the Quectel EC20 mini PCIe card, which is built around the Qualcomm MDM9615 chip that is also used in the Apple iPhone 5. While exploring and documenting the chip's features they stumbled on a surprising find: the modem itself runs Linux, and its firmware update mechanism relies on the Android tools ADB and Fastboot.

Harald ‘LaF0rge’ Welte and Holger ‘zecke’ Freyther explained in their presentation that they wanted a modem suitable for Internet of Things products: self-contained 3G/4G devices that need no additional application processor, because the basic application logic can run on the modem's own CPU core.

What they discovered when asking the supplier for firmware updates is that the MDM9615 runs Linux and that the update itself is performed with Android tools. The two also found a number of undocumented pins carrying audio and a UART (serial port). Poking at the serial port yielded a Linux login prompt, and the login password turned out to be only lightly obfuscated inside the update file. Later they managed to establish a full root shell on the modem over ADB.
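
The article does not say how the password was obfuscated. As an added example that is not from the presentation, from Quectel or from Qualcomm, the following Python script shows the kind of first-pass check a firmware analyst runs on an update file before even wiring up the serial port: it searches a blob for a Unix-style `root:` credential record stored in the clear, wrapped in base64, or hidden under a single-byte XOR. The three encodings, the `root:` marker and the sample update image are assumptions constructed for the demonstration, not content of the EC20 firmware.

```python
import base64
import re

# Marker that starts a Unix passwd/shadow record for the superuser (assumption:
# the credential we are looking for is stored as such a record).
MARKER = b"root:"
# A run of base64 alphabet long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _record(data: bytes, offset: int) -> bytes:
    """Return data from `offset` up to (not including) the next newline."""
    end = data.find(b"\n", offset)
    return data[offset:] if end == -1 else data[offset:end]


def find_plain(data: bytes) -> list:
    """Marker stored as-is, e.g. an /etc/passwd line copied into the update."""
    return [(m.start(), _record(data, m.start()))
            for m in re.finditer(re.escape(MARKER), data)]


def find_base64(data: bytes) -> list:
    """Marker hidden inside a base64 run: decode each run and look inside it."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group() + b"=" * (-len(m.group()) % 4)  # restore stripped padding
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
            continue
        pos = decoded.find(MARKER)
        if pos != -1:
            hits.append((m.start(), _record(decoded, pos)))
    return hits


def find_xor(data: bytes, keys=range(1, 256)) -> list:
    """Marker hidden under a single-byte XOR: try every key with a translation table."""
    hits = []
    for key in keys:
        plain = data.translate(bytes(i ^ key for i in range(256)))
        for m in re.finditer(re.escape(MARKER), plain):
            hits.append((key, m.start(), _record(plain, m.start())))
    return hits


def scan_update_file(data: bytes) -> dict:
    """Run all three checks and report every candidate credential record."""
    return {
        "plain": find_plain(data),
        "base64": find_base64(data),
        "xor": find_xor(data),
    }


# Constructed sample "update file": a header, binary filler, a plain passwd
# line, a base64-wrapped shadow-style line and an XOR-0x5A-wrapped password.
# None of this is real Quectel or Qualcomm firmware content.
_FILLER = bytes(range(256))
SAMPLE_UPDATE = (
    b"UPDATE\x00\x01" + _FILLER
    + b"root:x:0:0:root:/:/bin/sh\n" + _FILLER
    + base64.b64encode(b"# factory console\n"
                       b"root:$1$abcdefgh$QkJJZlmS4Es2cyoq8WnWo0:0:0:root:/:/bin/sh\n")
    + b"\n" + _FILLER
    + b"root:hunter2\n".translate(bytes(i ^ 0x5A for i in range(256)))
    + _FILLER
)

if __name__ == "__main__":
    for kind, hits in scan_update_file(SAMPLE_UPDATE).items():
        for hit in hits:
            print(kind, hit)
```

On a real update package the archive is unpacked first and the scan is run over the extracted root filesystem image; candidate `$1$` or `$6$` crypt hashes then go to an offline cracker, and any hit at all is a reason to change the password or disable the console before the modem ships in a product. The XOR pass is the expensive one (255 passes over the image), which is why it uses `bytes.translate` rather than a per-byte loop.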

After many emails with Quectel asking for the source code and explaining how the GPL works, the two did manage to get a kernel to build. The kernel source is maintained by Qualcomm on CodeAurora, but with almost no documentation and thousands of branches it is virtually impossible to pick the right one. LaF0rge concluded that the modem firmware is not GPL compliant: for instance, it ships BusyBox without the BusyBox (GPL) license text, and the GPL requires that the license text and the corresponding source code accompany the binaries.

LaF0rge and zecke found many design quirks. For example, a separate userspace daemon spawns processes just to blink the modem's LEDs, something the kernel could do directly without that overhead, which is not a particularly energy-efficient design. The baseband software also appears to be completely unprotected: it is not locked down by any kind of signature check, and Layer 2 network data is fully accessible.

The team is now working on a fully open source software stack for the MDM9615 that would do away with all the proprietary Qualcomm software.

LaF0rge said that he has not checked whether the MDM9615 in the iPhone 5 also runs Linux; Apple could be running other software on the chip.

The full presentation can be found here.

