Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #143660 > unrolled thread
| Started by | Gelato <gelato@.is.invalid> |
|---|---|
| First post | 2024-10-13 02:48 -0400 |
| Last post | 2024-10-14 09:11 +0100 |
| Articles | 8 — 6 participants |
Back to article view | Back to comp.mobile.android
Qualcomm firmware patches 64 Android SOCs Gelato <gelato@.is.invalid> - 2024-10-13 02:48 -0400
Re: Qualcomm firmware patches 64 Android SOCs Arno Welzel <usenet@arnowelzel.de> - 2024-10-13 11:20 +0200
Re: Qualcomm firmware patches 64 Android SOCs Andy Burns <usenet@andyburns.uk> - 2024-10-13 10:46 +0100
Re: Qualcomm firmware patches 64 Android SOCs Bill Powell <bill@anarchists.org> - 2024-10-13 15:46 +0200
Re: Qualcomm firmware patches 64 Android SOCs Arno Welzel <usenet@arnowelzel.de> - 2024-10-13 19:15 +0200
Re: Qualcomm firmware patches 64 Android SOCs Frank Slootweg <this@ddress.is.invalid> - 2024-10-13 19:42 +0000
Re: Qualcomm firmware patches 64 Android SOCs Andrews <andrews@spam.net> - 2024-10-13 23:35 +0000
Re: Qualcomm firmware patches 64 Android SOCs Andy Burns <usenet@andyburns.uk> - 2024-10-14 09:11 +0100
| From | Gelato <gelato@.is.invalid> |
|---|---|
| Date | 2024-10-13 02:48 -0400 |
| Subject | Qualcomm firmware patches 64 Android SOCs |
| Message-ID | <vefqg5$ou7$1@rasp.pasdenom.info> |
https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/ How does Qualcomm patch these zero-day holes in their chipsets? Does the company upload a firmware patch? Does the carrier? Google?
[toc] | [next] | [standalone]
| From | Arno Welzel <usenet@arnowelzel.de> |
|---|---|
| Date | 2024-10-13 11:20 +0200 |
| Message-ID | <ln1hm3Fj0hnU1@mid.individual.net> |
| In reply to | #143660 |
Gelato, 2024-10-13 08:48: > https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/ > > How does Qualcomm patch these zero-day holes in their chipsets? > Does the company upload a firmware patch? Does the carrier? Google? Qualcomm provides software patches for the drivers. Device manufacturers have to use these patches as part of a security update if they use the affected chipsets in their devices. -- Arno Welzel https://arnowelzel.de
[toc] | [prev] | [next] | [standalone]
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2024-10-13 10:46 +0100 |
| Message-ID | <ln1j83FjhjaU2@mid.individual.net> |
| In reply to | #143663 |
Arno Welzel wrote: > Gelato wrote: > >> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/ >> >> How does Qualcomm patch these zero-day holes in their chipsets? >> Does the company upload a firmware patch? Does the carrier? Google? > > Qualcomm provides software patches for the drivers. > > Device manufacturers have to use these patches as part of a security > update if they use the affected chipsets in their devices. It isn't crystal clear whether google play system updates can provide this type of fix, bypassing the manufacturer ...
[toc] | [prev] | [next] | [standalone]
| From | Bill Powell <bill@anarchists.org> |
|---|---|
| Date | 2024-10-13 15:46 +0200 |
| Message-ID | <vegj07$19n9l$1@matrix.hispagatos.org> |
| In reply to | #143665 |
On Sun, 13 Oct 2024 10:46:40 +0100, Andy Burns wrote: > Arno Welzel wrote: > >> Gelato wrote: >> >>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/ >>> >>> How does Qualcomm patch these zero-day holes in their chipsets? >>> Does the company upload a firmware patch? Does the carrier? Google? >> >> Qualcomm provides software patches for the drivers. >> >> Device manufacturers have to use these patches as part of a security >> update if they use the affected chipsets in their devices. > > It isn't crystal clear whether google play system updates can provide > this type of fix, bypassing the manufacturer ... It that's the case, it bypasses both the carrier & manufacturer. I tried to look it up but what I found mostly was an old (defunct?) amorphous project from 2020 called treble, which doesn't say much. https://www.qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and This person implies it's an OS release by the phone's vendor but he could be wrong as his question applies to a prior August update & not this one. https://forum.sailfishos.org/t/how-are-firmware-updates-for-the-phone-hardware-are-done/1571 Whatever method Qualcomm used to update Android chipset firmware, it seems that the method used today will change later this year based on this. https://timesofindia.indiatimes.com/technology/mobiles-tabs/this-is-how-qualcomm-plans-to-make-android-updates-easier-and-faster/articleshow/111402161.cms More than one article echoed the sentiment that firmware updates lack clarity in how they're being done between Qualcomm and the user's phone. https://www.androidpolice.com/qualcomm-teases-announcement-easier-android-updates/
[toc] | [prev] | [next] | [standalone]
| From | Arno Welzel <usenet@arnowelzel.de> |
|---|---|
| Date | 2024-10-13 19:15 +0200 |
| Message-ID | <ln2dhcFng2tU1@mid.individual.net> |
| In reply to | #143665 |
Andy Burns, 2024-10-13 11:46: > Arno Welzel wrote: > >> Gelato wrote: >> >>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/ >>> >>> How does Qualcomm patch these zero-day holes in their chipsets? >>> Does the company upload a firmware patch? Does the carrier? Google? >> >> Qualcomm provides software patches for the drivers. >> >> Device manufacturers have to use these patches as part of a security >> update if they use the affected chipsets in their devices. > It isn't crystal clear whether google play system updates can provide > this type of fix, bypassing the manufacturer ... I doubt, that system drivers can be updates using Google Play services. Usually this must be installed as an update of the installed system itself. -- Arno Welzel https://arnowelzel.de
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2024-10-13 19:42 +0000 |
| Message-ID | <vehesn.238.1@ID-201911.user.individual.net> |
| In reply to | #143670 |
Arno Welzel <usenet@arnowelzel.de> wrote: > Andy Burns, 2024-10-13 11:46: > > > Arno Welzel wrote: > > > >> Gelato wrote: > >> > >>> https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/ > >>> > >>> How does Qualcomm patch these zero-day holes in their chipsets? > >>> Does the company upload a firmware patch? Does the carrier? Google? > >> > >> Qualcomm provides software patches for the drivers. > >> > >> Device manufacturers have to use these patches as part of a security > >> update if they use the affected chipsets in their devices. > > It isn't crystal clear whether google play system updates can provide > > this type of fix, bypassing the manufacturer ... > > I doubt, that system drivers can be updates using Google Play services. > Usually this must be installed as an update of the installed system itself. Note that Andy said "Google Play system updates" (case corrections mine), not "Google Play services". "Google Play services" is the software framework, i.e. running code. "Google Play system updates" (note *system* updates) are what is distributed, i.e. 'data' (containing code). Two different animals. Google Play system updates (re: Project Mainline) can update system components. Not sure if that includes drivers, but for generic - not vendor-specific - drivers, that should be possible, considering Android is Linux-like under the hood.
[toc] | [prev] | [next] | [standalone]
| From | Andrews <andrews@spam.net> |
|---|---|
| Date | 2024-10-13 23:35 +0000 |
| Message-ID | <vehlfh$1dmi$1@nnrp.usenet.blueworldhosting.com> |
| In reply to | #143673 |
Frank Slootweg wrote on 13 Oct 2024 19:42:56 GMT : >>>> Device manufacturers have to use these patches as part of a security >>>> update if they use the affected chipsets in their devices. >>> It isn't crystal clear whether google play system updates can provide >>> this type of fix, bypassing the manufacturer ... >> >> I doubt, that system drivers can be updates using Google Play services. >> Usually this must be installed as an update of the installed system itself. > > Note that Andy said "Google Play system updates" (case corrections > mine), not "Google Play services". "Google Play services" is the > software framework, i.e. running code. "Google Play system updates" > (note *system* updates) are what is distributed, i.e. 'data' (containing > code). Two different animals. To his credit, Frank Slootweg is consistently one of the few people on this newsgroup who have a grasp of the difference in details, especially given Google marketing names almost everything "Google Play 'something'" due to inherent brand recognition that marketeers love to employ. Here is more about Android 15 Project Mainline (i.e., GP "system" updates). <https://www.androidheadlines.com/2024/04/android-15-could-update-your-phones-nfc-stack-through-google-play.html> "When an update to a Project Mainline module is available, Google will push an update out to everybody through the Google Play Store using a mechanism called Google Play System Updates. Since Project Mainline modules are signed by Google, they can push out updates to Mainline modules even on devices from other manufacturers." Notice though that the case sensitivity was mashed up by the author of that article as Frank has noted the naming & case differences quite nicely. Unfortunately, nothing about Project Treble (firmware updates) is in that article, although it says that there are about 40 modules in Android 15. > Google Play system updates (re: Project Mainline) can update system > components. Not sure if that includes drivers, but for generic - not > vendor-specific - drivers, that should be possible, considering Android > is Linux-like under the hood. Notice this "might" be the mechanism which Qualcomm has been using. <https://source.android.com/docs/core/ota/modular-system> "Updated Mainline modules can be packaged together and pushed to end-user devices, either by Google, using the Google Play system update feature, or by the Android partner, using a partner-provided OTA mechanism. The module package installs and rolls back atomically; either all modules that need to be updated are updated or none are updated."
[toc] | [prev] | [next] | [standalone]
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2024-10-14 09:11 +0100 |
| Message-ID | <ln420mFaelU1@mid.individual.net> |
| In reply to | #143660 |
Gelato wrote: > How does Qualcomm patch these zero-day holes in their chipsets? > Does the company upload a firmware patch? Does the carrier? Google? There are dozens of chipsets, with corresponding drivers <https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html> I couldn't find any of the CVE numbers referred to in the system updates, but maybe I was looking at recent Pixel specific fixes, and those devices use Samsung derived SoC rather than Qualcomm?
[toc] | [prev] | [standalone]
Back to top | Article view | comp.mobile.android
csiph-web