
Qualcomm firmware patches 64 Android SOCs

Started by Gelato <gelato@.is.invalid>
First post 2024-10-13 02:48 -0400
Last post 2024-10-14 09:11 +0100
Articles 8 — 6 participants


#143660 — Qualcomm firmware patches 64 Android SOCs

From Gelato <gelato@.is.invalid>
Date 2024-10-13 02:48 -0400
Subject Qualcomm firmware patches 64 Android SOCs
Message-ID <vefqg5$ou7$1@rasp.pasdenom.info>

https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/

How does Qualcomm patch these zero-day holes in their chipsets?
Does the company upload a firmware patch? Does the carrier? Google?



#143663

From Arno Welzel <usenet@arnowelzel.de>
Date 2024-10-13 11:20 +0200
Message-ID <ln1hm3Fj0hnU1@mid.individual.net>
In reply to #143660

Gelato, 2024-10-13 08:48:

> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
> 
> How does Qualcomm patch these zero-day holes in their chipsets?
> Does the company upload a firmware patch? Does the carrier? Google?

Qualcomm provides software patches for the drivers.

Device manufacturers have to use these patches as part of a security
update if they use the affected chipsets in their devices.

-- 
Arno Welzel
https://arnowelzel.de



#143665

From Andy Burns <usenet@andyburns.uk>
Date 2024-10-13 10:46 +0100
Message-ID <ln1j83FjhjaU2@mid.individual.net>
In reply to #143663

Arno Welzel wrote:

> Gelato wrote:
> 
>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
>>
>> How does Qualcomm patch these zero-day holes in their chipsets?
>> Does the company upload a firmware patch? Does the carrier? Google?
> 
> Qualcomm provides software patches for the drivers.
> 
> Device manufacturers have to use these patches as part of a security
> update if they use the affected chipsets in their devices.
It isn't crystal clear whether google play system updates can provide 
this type of fix, bypassing the manufacturer ...



#143668

From Bill Powell <bill@anarchists.org>
Date 2024-10-13 15:46 +0200
Message-ID <vegj07$19n9l$1@matrix.hispagatos.org>
In reply to #143665

On Sun, 13 Oct 2024 10:46:40 +0100, Andy Burns wrote:

> Arno Welzel wrote:
> 
>> Gelato wrote:
>> 
>>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
>>>
>>> How does Qualcomm patch these zero-day holes in their chipsets?
>>> Does the company upload a firmware patch? Does the carrier? Google?
>> 
>> Qualcomm provides software patches for the drivers.
>> 
>> Device manufacturers have to use these patches as part of a security
>> update if they use the affected chipsets in their devices.
> 
> It isn't crystal clear whether google play system updates can provide 
> this type of fix, bypassing the manufacturer ...

If that's the case, it bypasses both the carrier & manufacturer.

I tried to look it up but what I found mostly was an old (defunct?)
amorphous project from 2020 called treble, which doesn't say much.
https://www.qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and

This person implies it's an OS release by the phone's vendor but he could
be wrong as his question applies to a prior August update & not this one.
https://forum.sailfishos.org/t/how-are-firmware-updates-for-the-phone-hardware-are-done/1571

Whatever method Qualcomm used to update Android chipset firmware, it seems
that the method used today will change later this year based on this.
https://timesofindia.indiatimes.com/technology/mobiles-tabs/this-is-how-qualcomm-plans-to-make-android-updates-easier-and-faster/articleshow/111402161.cms

More than one article echoed the sentiment that firmware updates lack
clarity in how they're being done between Qualcomm and the user's phone.
https://www.androidpolice.com/qualcomm-teases-announcement-easier-android-updates/ 



#143670

From Arno Welzel <usenet@arnowelzel.de>
Date 2024-10-13 19:15 +0200
Message-ID <ln2dhcFng2tU1@mid.individual.net>
In reply to #143665

Andy Burns, 2024-10-13 11:46:

> Arno Welzel wrote:
> 
>> Gelato wrote:
>>
>>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
>>>
>>> How does Qualcomm patch these zero-day holes in their chipsets?
>>> Does the company upload a firmware patch? Does the carrier? Google?
>>
>> Qualcomm provides software patches for the drivers.
>>
>> Device manufacturers have to use these patches as part of a security
>> update if they use the affected chipsets in their devices.
> It isn't crystal clear whether google play system updates can provide 
> this type of fix, bypassing the manufacturer ...

I doubt that system drivers can be updated using Google Play services.
Usually this must be installed as an update of the installed system itself.

-- 
Arno Welzel
https://arnowelzel.de



#143673

From Frank Slootweg <this@ddress.is.invalid>
Date 2024-10-13 19:42 +0000
Message-ID <vehesn.238.1@ID-201911.user.individual.net>
In reply to #143670

Arno Welzel <usenet@arnowelzel.de> wrote:
> Andy Burns, 2024-10-13 11:46:
> 
> > Arno Welzel wrote:
> > 
> >> Gelato wrote:
> >>
> >>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
> >>>
> >>> How does Qualcomm patch these zero-day holes in their chipsets?
> >>> Does the company upload a firmware patch? Does the carrier? Google?
> >>
> >> Qualcomm provides software patches for the drivers.
> >>
> >> Device manufacturers have to use these patches as part of a security
> >> update if they use the affected chipsets in their devices.
> > It isn't crystal clear whether google play system updates can provide 
> > this type of fix, bypassing the manufacturer ...
> 
> I doubt that system drivers can be updated using Google Play services.
> Usually this must be installed as an update of the installed system itself.

  Note that Andy said "Google Play system updates" (case corrections
mine), not "Google Play services". "Google Play services" is the
software framework, i.e. running code. "Google Play system updates"
(note *system* updates) are what is distributed, i.e. 'data' (containing
code). Two different animals.

  Google Play system updates (re: Project Mainline) can update system
components. Not sure if that includes drivers, but for generic - not
vendor-specific - drivers, that should be possible, considering Android
is Linux-like under the hood.



#143680

From Andrews <andrews@spam.net>
Date 2024-10-13 23:35 +0000
Message-ID <vehlfh$1dmi$1@nnrp.usenet.blueworldhosting.com>
In reply to #143673

Frank Slootweg wrote on 13 Oct 2024 19:42:56 GMT :

>>>> Device manufacturers have to use these patches as part of a security
>>>> update if they use the affected chipsets in their devices.
>>> It isn't crystal clear whether google play system updates can provide 
>>> this type of fix, bypassing the manufacturer ...
>> 
>> I doubt that system drivers can be updated using Google Play services.
>> Usually this must be installed as an update of the installed system itself.
> 
>   Note that Andy said "Google Play system updates" (case corrections
> mine), not "Google Play services". "Google Play services" is the
> software framework, i.e. running code. "Google Play system updates"
> (note *system* updates) are what is distributed, i.e. 'data' (containing
> code). Two different animals.

To his credit, Frank Slootweg is consistently one of the few people on this
newsgroup who have a grasp of the difference in details, especially given
Google marketing names almost everything "Google Play 'something'" due to
inherent brand recognition that marketeers love to employ.

Here is more about Android 15 Project Mainline (i.e., GP "system" updates).
 <https://www.androidheadlines.com/2024/04/android-15-could-update-your-phones-nfc-stack-through-google-play.html>
  "When an update to a Project Mainline module is available, 
   Google will push an update out to everybody through the 
   Google Play Store using a mechanism called Google Play System Updates. 
   Since Project Mainline modules are signed by Google, they can push out 
   updates to Mainline modules even on devices from other manufacturers."

Notice though that the case sensitivity was mashed up by the author of that
article as Frank has noted the naming & case differences quite nicely.

Unfortunately, nothing about Project Treble (firmware updates) is in that
article, although it says that there are about 40 modules in Android 15.
 
>   Google Play system updates (re: Project Mainline) can update system
> components. Not sure if that includes drivers, but for generic - not
> vendor-specific - drivers, that should be possible, considering Android
> is Linux-like under the hood.

Notice this "might" be the mechanism which Qualcomm has been using.
 <https://source.android.com/docs/core/ota/modular-system>

  "Updated Mainline modules can be packaged together and pushed to
   end-user devices, either by Google, using the Google Play system update 
   feature, or by the Android partner, using a partner-provided OTA 
   mechanism. The module package installs and rolls back atomically;
   either all modules that need to be updated are updated or none
   are updated."



#143686

From Andy Burns <usenet@andyburns.uk>
Date 2024-10-14 09:11 +0100
Message-ID <ln420mFaelU1@mid.individual.net>
In reply to #143660

Gelato wrote:

> How does Qualcomm patch these zero-day holes in their chipsets?
> Does the company upload a firmware patch? Does the carrier? Google?

There are dozens of chipsets, with corresponding drivers

<https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html>

I couldn't find any of the CVE numbers referred to in the system 
updates, but maybe I was looking at recent Pixel specific fixes, and 
those devices use Samsung derived SoC rather than Qualcomm?
