CellularPrivacy/Android-IMSI-Catcher-Detector

Qualcomm modem Jamming Detection

E3V3A opened this issue · 6 comments

According to some past documents, many Qualcomm baseband processors (BP) and SoCs have a built-in "Jamming Detection" feature. This is clearly not documented in any other place and I've never seen any device or software using it. It would be great to find out if this is something that we could use.

That sounds interesting indeed, @E3V3A. Off the top of your head, do you remember if those past documents stated something about what happens when jamming is detected? Some quick findings:

Don't be mad at me if some things are unrelated. I am just trying to help find information.

@SecUpwN Thanks!! That really helped. So this is what I found.

In [1] they clearly refer to the document called "WM_DEV_SEC_UGD_003". But you won't find that document by searching with any normal engines like Google or Bing. But I found it elsewhere, namely in their Jamming Library plug-in, along with example sources.


So how does it work? Just use the Sierra Wireless OEM AT command:

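------------------------------------------------------------------------------------------------
Command                     Answers
------------------------------------------------------------------------------------------------
AT+WJAM?                    +WJAM: mode \n OK
AT+WJAM=?                   +WJAM: (list of supported modes),(list of supported thresholds) \n OK
AT+WJAM=mode[,threshold]    ERROR or OK

------------------------------------------------------------------------------------------------
Parameter   Values range   Description                                              Default value
------------------------------------------------------------------------------------------------
mode        0-4            0 - stop the jamming detection algorithm.                1
                           1 - start the jamming detection algorithm.
                           2 - request last final jamming status.
                           3 - get the mean threshold value.
                           4 - set the mean threshold value.
threshold   0-63           the value of the mean threshold used in the algorithm.   40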

The devices in question are:

------------------------------------------------
AirPrime Compatibility List             FCC ID
------------------------------------------------
AirPrime Q2686 Refreshed                N7NQ2686        
AirPrime Q2687 Refreshed                N7NQ2687        
AirPrime SL6087                         N7NSL6087
AirLink Fastrack Xtend EDGE (FXT009)    O9EQ2687

References:

Obviously this is not directly relevant to us, unless we can find the Qualcomm QMI to enable the built-in Jamming detection on those phones using a supported baseband.
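An added example (not part of the original comment and not code from the Sierra Wireless plug-in): a small Python helper that builds `AT+WJAM` commands with the range checks from the table above and parses the replies. The sample replies are constructed, and the `(0-4),(0-63)` list notation in the `AT+WJAM=?` reply is an assumption based on the usual AT test-command convention.

```python
import re

def _final_ok(response):
    """True if the last non-empty line is the final result code OK."""
    lines = [l.strip() for l in response.splitlines() if l.strip()]
    return bool(lines) and lines[-1] == "OK"

def _expand(spec):
    """Expand an AT value list such as '0-2,4' into {0, 1, 2, 4}."""
    values = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values

def parse_wjam_test(response):
    """Parse the reply to AT+WJAM=? into (modes, thresholds) sets."""
    m = re.search(r"^\+WJAM:\s*\(([^)]*)\),\(([^)]*)\)\s*$", response, re.M)
    if not m or not _final_ok(response):
        raise ValueError("unexpected AT+WJAM=? reply: %r" % response)
    return _expand(m.group(1)), _expand(m.group(2))

def build_wjam(mode, threshold=None, modes=range(0, 5), thresholds=range(0, 64)):
    """Build AT+WJAM=mode[,threshold]; defaults are the ranges from the table."""
    if mode not in modes:
        raise ValueError("mode %r not supported" % mode)
    if threshold is None:
        return "AT+WJAM=%d" % mode
    if threshold not in thresholds:
        raise ValueError("threshold %r not supported" % threshold)
    return "AT+WJAM=%d,%d" % (mode, threshold)

def parse_wjam_query(response):
    """Parse the reply to AT+WJAM? and return the current mode as an int."""
    m = re.search(r"^\+WJAM:\s*(\d+)\s*$", response, re.M)
    if not m or not _final_ok(response):
        raise ValueError("unexpected AT+WJAM? reply: %r" % response)
    return int(m.group(1))

# Constructed sample replies (not captured from a real module).
SAMPLE_TEST = "+WJAM: (0-4),(0-63)\r\nOK\r\n"
SAMPLE_QUERY = "+WJAM: 1\r\nOK\r\n"
SAMPLE_ERROR = "ERROR\r\n"

if __name__ == "__main__":
    modes, thresholds = parse_wjam_test(SAMPLE_TEST)
    print(build_wjam(4, 40, modes, thresholds))   # command to set the threshold
    print(parse_wjam_query(SAMPLE_QUERY))         # current mode
```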

E3V3A commented

So I'm closing this as it's not a relevant issue, but worth remembering.

It would be useful to have to detect downgrade attacks. I've mentioned this previously ...

E3V3A commented

I know, but we have no idea how to activate and use this in the Qualcomm BPs...especially from Androids. Maybe we should start a signature collection campaign to have them release this info?