Some little technical blog

Sierra Wireless EM7345: Who’s spying on us?

Quite a long time ago, I found an interesting AT command for the Sierra Wireless EM7345. The command is “AT+XCIQ”. The EM7345 firmware file contains the following text string (it is present in every version so far): +XCIQ CIQ: Carrier IQ enable/disable.

Let’s try to get “help” about this command:

 

So, we can suppose that 0 disables this Carrier IQ feature, and 1 enables it.

Let’s read the current setting of this feature:

Looks like it’s on by default. Let’s try to switch it off?

NOTE: If you’re running firmware earlier than 1522.02, don’t enter the following command!

If we try to enter:

i.e., try to disable Carrier IQ, the EM7345 will suffer a fatal crash, reboot into boot flashing mode and stay stuck there for good. The symptoms will be exactly as I described in my previous post, and you would need to unbrick it using the method I described in the same post: https://zukota.com/how-to-revive-your-bricked-sierra-wireless-em7345/

So, Carrier IQ is always on and if you try to turn it off using the above AT command, that will kill the device!

With firmware version 1522.02, AT+XCIQ=0 returns OK and there’s no fatal crash like in previous firmware versions. Also AT+XCIQ now accepts 3 possible values with 1522.02 firmware:

So, 0 must be disable, 1 enable, and what is 2? Any value gets an OK response and there is no error. Can Carrier IQ really be disabled or enabled using the above values? Who knows… If you don’t know what Carrier IQ is, fear and read:

Carrier IQ and Your Phone: Everything You Need to Know

Carrier IQ Tracking Scandal Spirals Out of Control

There’s not much in the news now, all seems quiet, but they are definitely looking for stealthier ways to do their dirty business. At first, it used to be just an app in your Android phone, using some stealth techniques, but still an ordinary app. You could block, patch, firewall, sniff and analyze it to your liking.

But now, it is not in your phone, now it is sitting in the very firmware of your LTE device, it can analyze your internet traffic, extract your passwords and private data, do man in the middle attacks, report back home and whatever they want. Looking at the firmware dump file and the strings, one can say that there’s a complete TCP/IP stack implemented and it is functioning on its own, independently from your OS and firewall.

And it’s perfectly undetectable. If, for example, they put something like this in your Ethernet card or router, it can be detected on the next router the traffic passes through. But in our case, where are you gonna sniff packets generated by EM7345? That can be done only on a cellular carrier’s network equipment, and no one has access to that… except cellular carriers themselves.

If we take a look in a HEX editor at the EM7345 firmware file, version 1522 (and all previous versions as well) we can find the following:

We can see that the firmware was compiled with the “metrics_client_ciq.lib”, “metrics_engine.lib” and “metrics_client_em.lib” libraries. And I wonder what “metrics” are being sent to Carrier IQ from my Lenovo laptop? If you do just a trivial text search for “Carrier IQ” or “ciq” in the EM7345 firmware file, you will find plenty of strings that speak for themselves: we can definitely say that Carrier IQ functionality is active and working in all EM7345 devices.
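As an added example (not part of the original post or of any vendor tooling), the text search described above can be scripted instead of done by eye in a hex editor. The marker list is copied from the strings quoted in this post; the sample image is constructed, and the function names are this example's own.

```python
import re
import sys

# Markers taken from the post: the product name, its abbreviation, and the
# three library names. All lower-case, because matching is case-insensitive.
MARKERS = (b"carrier iq", b"ciq", b"metrics_client_ciq.lib",
           b"metrics_engine.lib", b"metrics_client_em.lib")

# Runs of four or more printable ASCII bytes, the same idea as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def scan_image(data, markers=MARKERS):
    """Return (offset, string, matched_markers) for every printable run in
    the image that contains at least one marker."""
    hits = []
    for run in PRINTABLE_RUN.finditer(data):
        text = run.group()
        lowered = text.lower()
        matched = [m.decode() for m in markers if m in lowered]
        if matched:
            hits.append((run.start(), text.decode("ascii"), matched))
    return hits


def scan_file(path):
    """Scan a firmware file on disk."""
    with open(path, "rb") as fh:
        return scan_image(fh.read())


def build_sample():
    """Constructed stand-in for a firmware image: binary padding around the
    strings quoted in the post, plus one string that must not match."""
    return (b"\x00\x01\xff\xfe" * 8
            + b"+XCIQ CIQ: Carrier IQ enable/disable.\x00"
            + b"\x7f\x80\x90" * 5
            + b"metrics_client_ciq.lib\x00metrics_engine.lib\x00"
            + b"\x00" * 16
            + b"metrics_client_em.lib\x00"
            + b"unrelated string\x00")


if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_image(build_sample())
    for offset, text, matched in found:
        print(f"0x{offset:08x}  {text}  [{', '.join(matched)}]")
```

Run it with the path to a firmware file as the first argument; each hit is a string present in the image together with its offset.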

So who’s spying on us when we go online using an ultra-fast LTE network? Whose decision was it to embed this dreaded Carrier IQ into EM7345 firmware? The truth is out there. Use your brain and take care.

11 Responses to Sierra Wireless EM7345: Who’s spying on us?

  • Thanks for posting this! If this is true I won’t be using any Lenovo devices anymore.

    If I have understood correctly, EM7345 is made specifically for Lenovo based on their requirements and specifications. Lenovo is also responsible for this firmware.

    • I’m not sure who’s writing firmware for it, but for example Dell Wireless 5810e module (which in fact is Telit LN930, which in turn is the same hardware as EM7345) has the same Carrier IQ libraries compiled in their firmware. Telit and Sierra Wireless use different cryptographic signatures in their firmware so you cannot cross-flash, but other than that their firmwares appear to be very close to each other, including version numbers. It appears that Intel used some other company to write firmware for all products based on XMM7160 chipset, according to this news: http://www.tomshardware.com/news/intel-4g-lte-advanced-modems,26115.html. It seems to be some Egyptian company SySDSoft (acquired by Intel now) that is writing firmware for all XMM7160 based products out there and it’s them who put Carrier IQ there.

    • BS and attempt to save face I’d say.
      The latest 1522 and all previous firmware contain Carrier IQ libraries compiled into the main firmware image.

      We can see that image was compiled with “metrics_client_ciq.lib”, “metrics_client_em.lib”, “metrics_engine.lib”.
      The statement “The software used by the ThinkPad EM7345 has not enabled any metric data collection and does not use or contain the Carrier IQ firmware. All functionality is disabled by default.” is ridiculous because all those library modules are present in the image file. If all those libraries are doing nothing, then why compile them into firmware? Just open the firmware file in any HEX editor and you’ll see. Nice try Lenovo.

  • You can also do this on Linux using the following command:

    minicom -b 9600 -D /dev/ttyACM0

    Depending on your system configuration, you may need to do this either as root or with a user account that is member of the uucp group (for example on Arch Linux). Also note that you may need to use another /dev/ttyACMx device if you have other serial interfaces connected to your laptop.

    After minicom has started, just enter the desired command, for example “AT+XCIQ=0”, and press the return key. Note that you will not see what you type, but only get a response after pressing the return key.

  • AT+XCIQ has no response on 1612.00 firmware.

    AT+XCIQ=?
    ERROR
    AT+XCIQ?
    ERROR
