1. Forum
  2. Usenet
  3. COMP.MOBILE.ANDROID

  • Qualcomm firmware patches 64 Android SOCs

    From Gelato@21:1/5 to All on Sun Oct 13 02:48:33 2024
    https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Arno Welzel on Sun Oct 13 10:46:40 2024
    Arno Welzel wrote:

    Gelato wrote:

    https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    Qualcomm provides software patches for the drivers.

    Device manufacturers have to use these patches as part of a security
    update if they use the affected chipsets in their devices.
    It isn't crystal clear whether google play system updates can provide
    this type of fix, bypassing the manufacturer ...

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Arno Welzel@21:1/5 to All on Sun Oct 13 11:20:04 2024
    Gelato, 2024-10-13 08:48:

    https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    Qualcomm provides software patches for the drivers.

    Device manufacturers have to use these patches as part of a security
    update if they use the affected chipsets in their devices.

    --
    Arno Welzel
    https://arnowelzel.de

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bill Powell@21:1/5 to Andy Burns on Sun Oct 13 15:46:41 2024
    On Sun, 13 Oct 2024 10:46:40 +0100, Andy Burns wrote:

    Arno Welzel wrote:

    Gelato wrote:

    https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    Qualcomm provides software patches for the drivers.

    Device manufacturers have to use these patches as part of a security
    update if they use the affected chipsets in their devices.

    It isn't crystal clear whether google play system updates can provide
    this type of fix, bypassing the manufacturer ...

    It that's the case, it bypasses both the carrier & manufacturer.

    I tried to look it up but what I found mostly was an old (defunct?)
    amorphous project from 2020 called treble, which doesn't say much. https://www.qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and

    This person implies it's an OS release by the phone's vendor but he could
    be wrong as his question applies to a prior August update & not this one. https://forum.sailfishos.org/t/how-are-firmware-updates-for-the-phone-hardware-are-done/1571

    Whatever method Qualcomm used to update Android chipset firmware, it seems
    that the method used today will change later this year based on this. https://timesofindia.indiatimes.com/technology/mobiles-tabs/this-is-how-qualcomm-plans-to-make-android-updates-easier-and-faster/articleshow/111402161.cms

    More than one article echoed the sentiment that firmware updates lack
    clarity in how they're being done between Qualcomm and the user's phone. https://www.androidpolice.com/qualcomm-teases-announcement-easier-android-updates/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Arno Welzel@21:1/5 to All on Sun Oct 13 19:15:24 2024
    Andy Burns, 2024-10-13 11:46:

    Arno Welzel wrote:

    Gelato wrote:

    https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    Qualcomm provides software patches for the drivers.

    Device manufacturers have to use these patches as part of a security
    update if they use the affected chipsets in their devices.
    It isn't crystal clear whether google play system updates can provide
    this type of fix, bypassing the manufacturer ...

    I doubt, that system drivers can be updates using Google Play services.
    Usually this must be installed as an update of the installed system itself.

    --
    Arno Welzel
    https://arnowelzel.de

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to Arno Welzel on Sun Oct 13 19:42:56 2024
    Arno Welzel <[email protected]> wrote:
    Andy Burns, 2024-10-13 11:46:

    Arno Welzel wrote:

    Gelato wrote:

    https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    Qualcomm provides software patches for the drivers.

    Device manufacturers have to use these patches as part of a security
    update if they use the affected chipsets in their devices.
    It isn't crystal clear whether google play system updates can provide
    this type of fix, bypassing the manufacturer ...

    I doubt, that system drivers can be updates using Google Play services. Usually this must be installed as an update of the installed system itself.

    Note that Andy said "Google Play system updates" (case corrections
    mine), not "Google Play services". "Google Play services" is the
    software framework, i.e. running code. "Google Play system updates"
    (note *system* updates) are what is distributed, i.e. 'data' (containing
    code). Two different animals.

    Google Play system updates (re: Project Mainline) can update system components. Not sure if that includes drivers, but for generic - not vendor-specific - drivers, that should be possible, considering Android
    is Linux-like under the hood.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrews@21:1/5 to Frank Slootweg on Sun Oct 13 23:35:14 2024
    Frank Slootweg wrote on 13 Oct 2024 19:42:56 GMT :

    Device manufacturers have to use these patches as part of a security
    update if they use the affected chipsets in their devices.
    It isn't crystal clear whether google play system updates can provide
    this type of fix, bypassing the manufacturer ...

    I doubt, that system drivers can be updates using Google Play services.
    Usually this must be installed as an update of the installed system itself.

    Note that Andy said "Google Play system updates" (case corrections
    mine), not "Google Play services". "Google Play services" is the
    software framework, i.e. running code. "Google Play system updates"
    (note *system* updates) are what is distributed, i.e. 'data' (containing code). Two different animals.

    To his credit, Frank Slootweg is consistently one of the few people on this newsgroup who have a grasp of the difference in details, especially given Google marketing names almost everything "Google Play 'something'" due to inherent brand recognition that marketeers love to employ.

    Here is more about Android 15 Project Mainline (i.e., GP "system" updates).
    <https://www.androidheadlines.com/2024/04/android-15-could-update-your-phones-nfc-stack-through-google-play.html>
    "When an update to a Project Mainline module is available,
    Google will push an update out to everybody through the
    Google Play Store using a mechanism called Google Play System Updates.
    Since Project Mainline modules are signed by Google, they can push out
    updates to Mainline modules even on devices from other manufacturers."

    Notice though that the case sensitivity was mashed up by the author of that article as Frank has noted the naming & case differences quite nicely.

    Unfortunately, nothing about Project Treble (firmware updates) is in that article, although it says that there are about 40 modules in Android 15.

    Google Play system updates (re: Project Mainline) can update system components. Not sure if that includes drivers, but for generic - not vendor-specific - drivers, that should be possible, considering Android
    is Linux-like under the hood.

    Notice this "might" be the mechanism which Qualcomm has been using.
    <https://source.android.com/docs/core/ota/modular-system>

    "Updated Mainline modules can be packaged together and pushed to
    end-user devices, either by Google, using the Google Play system update
    feature, or by the Android partner, using a partner-provided OTA
    mechanism. The module package installs and rolls back atomically;
    either all modules that need to be updated are updated or none
    are updated."

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Gelato on Mon Oct 14 09:11:01 2024
    Gelato wrote:

    How does Qualcomm patch these zero-day holes in their chipsets?
    Does the company upload a firmware patch? Does the carrier? Google?

    There are dozens of chipsets, with corresponding drivers

    <https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html>

    I couldn't find any of the CVE numbers referred to in the system
    updates, but maybe I was looking at recent Pixel specific fixes, and
    those devices use Samsung derived SoC rather than Qualcomm?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)