Satellite Communication Protocol

Understanding the protocol steps that enable reliable satellite communication

Protocol Architecture

Apple's satellite communication protocol involves a sophisticated exchange between iOS, the iPhone's baseband chip, and the satellite^[1]. This protocol is designed to establish secure connections, transmit data efficiently, and handle the unique challenges of satellite communication.

The protocol consists of distinct phases: setup, security configuration, message transmission, and teardown. Each phase involves specific messages exchanged between iOS and the baseband chip using the Qualcomm MSM Interface (QMI)^[3].

Apple's Satellite Communication Protocol - Detailed flowchart showing signal processing, encryption, and data transmission paths

The 9-Step Communication Protocol

The satellite communication protocol follows a sequence of nine critical steps^[1][2]:

1. Orientation Updates

iOS regularly informs the baseband of the device's current orientation^[1].

Since the baseband chip doesn't have its own gyroscope, it relies on iOS for this critical information.

Accurate orientation data is essential for pointing the iPhone's antenna toward satellites.

2. Targets and Config

iOS sends the TLE-encoded satellite target list and configuration data to the baseband^[1][9].

This information enables the baseband to calculate satellite positions and direct its signal appropriately.

The configuration includes ground station locations, frequency bands, and other operational parameters.

3. Activation

iOS sends the 8-byte EPKI (Ephemeral Public Key Identifier) and the shared secret to the baseband^[1].

The shared secret is a 256-bit symmetric key derived from the ECDH key exchange process.

Additional information such as the user's country and time zone is also configured at this stage.

4. Satellite Status Updates

The baseband provides regular updates about optimal satellite identifiers and signal strength^[3].

These updates inform iOS about transmission progress and when to proceed with next steps.

The UI uses this information to guide the user in pointing their device toward the satellite.

5. Registration

Once a satellite is in range, the baseband proceeds with registration based on the activation information^[2].

This step establishes contact with the satellite and initiates the communication session.

The ground station processes this registration request, which can take time depending on conditions.

6. Security Config Usage

A ground station confirms successful registration by sending a Security Config Usage message^[1][2].

This confirmation contains the EPKI from the activation step and a fresh 256-bit symmetric key.

This new key, called the "Generated App Key" or "Master Session Key," is used for subsequent encryption.

7. Message Transmission

iOS sends application-specific content (Find My, Emergency SOS, etc.) to the baseband^[1].

All message contents are encrypted using service-specific encryption methods.

The message format varies based on the type of service being used.

8. Satellite Transmission Attempt

The baseband transmits the message to the satellite, which relays it to a ground station^[2][9].

The ground station confirms message reception, and this confirmation is relayed back to the iPhone.

If acknowledgment isn't received, iOS schedules retransmissions with the user's help.

9. Invalidate LLC Key

After successful communication, the baseband deactivates the service to save power^[1].

The LLC key used for this communication session is marked as invalidated.

Invalidated keys are later deleted and replaced when the iPhone has internet connectivity.

Physical Layer Transmission

The physical layer of satellite communication involves the actual radio signals transmitted between the iPhone and the satellite. Apple has implemented specific signal characteristics optimized for satellite communication^[4][6].

The iPhone transmits satellite signals over the L-Band (1,610 MHz to 1,626.5 MHz) and receives signals over the S-Band (2,483.5 MHz to 2,500 MHz). The system uses Single Carrier Frequency Division Multiple Access (SC-FDMA) with a channel spacing of 200 kHz^[2][6].

Each transmission consists of multiple bursts, with each burst lasting for 1.867 seconds. The different burst types include acknowledgment, LLC control, registration, and unicast messages^[2].

Apple's Global Satellite Network - 3D visualization showing the worldwide satellite infrastructure

Fig. 1: Global satellite network infrastructure

Transmission Characteristics

Satellite communication has specific characteristics that differ from typical cellular or Wi-Fi communication^[9][10]:

Signal Pattern

When sending a location message over Find My, the transmission consists of 7 or more bursts, each lasting for 1.867 seconds^[1][2].

Each burst contains a different data type, and the bursts are transmitted in a specific sequence.

If the satellite connection is interrupted, the bursts are repeated with a fixed backoff timer per type.

Each transmission can be on a different channel, and the order of channels changes between transmission attempts to optimize for changing conditions^[6].

Transmission Time

Under optimal conditions, a complete transmission takes approximately 20 seconds^[1].

Challenging conditions, such as poor visibility to the satellite or interference, may extend this time to 90 seconds or more.

The system includes automatic retransmission mechanisms that retry sending messages with progressively longer intervals^[7].

The user interface guides the user to maintain the proper orientation during these extended transmission attempts.

Software Components

Apple's satellite communication system involves multiple software components working together to implement the protocol^[1]:

CommCenter

The core daemon responsible for satellite communication^[1].

Manages all states about ongoing conversations, regional restrictions, and baseband interactions.

Parses responses from the baseband and coordinates with other system components.

SOSBuddy

The user interface app for satellite communication^[1].

Guides users through the emergency questionnaire and helps them point their phone toward satellites.

Primarily displays CommCenter's internal state for end users.

searchpartyd

Handles necessary tasks for Find My in satellite communication^[1].

Creates and encrypts location data before sending it via satellite.

Manages the end-to-end encryption for Find My location sharing.

Message Formats

Different satellite features use specialized message formats optimized for their specific needs^[1]:

Find My Message Format

Lite Location: A compressed location format that represents latitude and longitude as 32-bit fixed-point integers by multiplying them with 10,000,000^[1].

Horizontal Accuracy: A 1-byte integer appended to the location data.

Total Size: The basic location data requires only 9 bytes.

Encrypted Format: After ECIES encryption, the total message size is 82 bytes, including key material and authentication tags^[1].

Emergency SOS Message Format

Emergency Start Message: Contains the questionnaire responses, current location, and battery level in a highly optimized format^[1].

Text Messages: Each message can be up to 160 bytes, similar to traditional SMS, and includes a conversation ID and message counter.

Location Updates: Sent when the user continues a conversation after a pause or if the location changes significantly.

Compression: Uses language-specific codecs that can achieve a compression ratio of about 2.82:1 for typical emergency messages^[1].

Error Handling and Recovery

The satellite communication protocol includes robust mechanisms for error handling and recovery^[7][8]:

Automatic Retransmission

If a message is not acknowledged by the ground station, iOS automatically schedules retransmissions^[1][7].

Retransmissions use a backoff algorithm with progressively longer intervals to conserve power while maximizing the chance of success.

The system will try different frequency channels during retransmission attempts to adapt to changing conditions^[6].

Configuration Updates

If Apple's servers decide to invalidate the key material (e.g., due to Apple ID changes or service updates), the baseband indicates "Security Config Update Needed"^[1].

Further communication is only possible after refreshing the configuration with a valid internet connection.

This mechanism ensures that security policies can be enforced even for devices that go offline for extended periods.

Regional Considerations

The protocol implementation includes specific considerations for regional regulations^[1][10]:

Geofencing

The protocol includes geofencing capabilities to limit satellite transmissions to approved regions^[1].

During the activation step, the iPhone informs the baseband of the user's country, which is used to enforce regional restrictions.

Some countries prohibit or restrict satellite phone usage, and the protocol enforces these restrictions through software controls^[10].

Radio Exclusion Zones

The protocol enforces radio exclusion zones, where transmissions are forbidden even if there is satellite coverage^[1].

These zones include areas near astronomy sites where transmissions could disturb observations, some islands, and national border areas.

The configuration for these exclusion zones is downloaded as part of the trial configuration file and can be updated remotely.

Qualcomm MSM Interface (QMI) Details

The Qualcomm MSM Interface (QMI) is a critical protocol that enables communication between the application processor (AP) running iOS and the baseband processor in Apple devices^[3][19]. This interface plays a central role in satellite communication by providing the channel through which all commands and data are exchanged.

QMI Architecture

Service-Oriented Design: QMI follows a service-oriented architecture where different services handle specific functionality domains^[19]. Each service is identified by a unique Service Type ID.

Transport Layers: QMI messages can be transported over various physical interfaces including USB, HSIC (High-Speed Inter-Chip), PCIe, and SDIO, with USB being the most common in smartphones^[3][19].

Message Structure: Each QMI message consists of a QMUX header (containing service type, client ID, and transaction ID), a QMI header (containing message ID and length), and a TLV (Type-Length-Value) encoded payload^[19].

Communication Patterns: QMI supports both synchronous request-response patterns and asynchronous indications from the modem to the host^[3].

Core QMI Services

Wireless Data Service (WDS): Handles data connection establishment, IP configuration, and packet data statistics^[19].

Device Management Service (DMS): Provides device information, manages operating modes, and handles firmware updates^[19].

Network Access Service (NAS): Manages network registration, signal strength reporting, and radio access technology selection^[19].

Wireless Messaging Service (WMS): Handles SMS and MMS messaging capabilities^[19].

Position Determination Service (PDS): Provides location information and GPS functionality^[19].

Satellite Service (SAT): A custom service specifically for satellite communication in newer devices^[3].

Satellite-Specific QMI Messages

For satellite communication, Apple has implemented custom QMI messages that extend the standard protocol^[3]:

Message Type	Direction	Purpose	Payload
SAT_SET_ORIENTATION	AP → Baseband	Provide device orientation data	Quaternion values representing 3D orientation
SAT_SET_TARGETS	AP → Baseband	Configure satellite targets	TLE data for satellite orbit prediction
SAT_SET_CONFIG	AP → Baseband	Set operational parameters	Frequency bands, power levels, timing parameters
SAT_SET_SECURITY	AP → Baseband	Configure security parameters	EPKI and shared secret for encryption
SAT_START_SERVICE	AP → Baseband	Initiate satellite service	Service type and parameters
SAT_STATUS_IND	Baseband → AP	Report satellite status	Signal strength, optimal satellite ID
SAT_SEND_MESSAGE	AP → Baseband	Transmit application data	Encrypted application payload
SAT_MESSAGE_STATUS_IND	Baseband → AP	Report message status	Transmission progress, acknowledgment status

QMI Security Analysis and Tools

The QMI interface has been the subject of extensive security research due to its critical role in mobile device communication^[17][18]. Various tools and techniques have been developed to analyze and interact with this interface:

Analysis Tools

libqmi: An open-source library for communicating with QMI-powered devices, providing both a library and command-line utilities^[16].

qmicli: A command-line tool for sending QMI messages and analyzing responses, part of the libqmi project^[16].

Wireshark QMI Dissector: A plugin for Wireshark that can decode and display QMI messages captured over USB^[16].

QCAT (Qualcomm Chipset Analyzer Tool): A proprietary tool for analyzing logs from Qualcomm chipsets, including QMI traffic^[19].

Security Research Techniques

USB Monitoring: Capturing QMI traffic over USB interfaces using tools like USBPcap or hardware USB analyzers^[17].

DIAG Port Analysis: Accessing the Qualcomm DIAG port, which can provide deeper insights into baseband operations^[17][18].

Firmware Analysis: Reverse engineering baseband firmware to understand QMI message handling^[18].

Fuzzing: Sending malformed QMI messages to identify potential vulnerabilities in the baseband processor^[18].

Security Implications

Attack Surface: The QMI interface represents a significant attack surface for mobile devices, as it bridges the application processor and the baseband^[17][18].

Memory Corruptions: Research has identified memory corruption vulnerabilities in baseband processors that could be triggered via QMI messages^[18].

Privilege Escalation: Compromising the baseband via QMI could potentially lead to privilege escalation attacks on the main OS^[17].

Data Interception: Manipulating QMI messages could potentially enable interception of cellular communications^[15][20].

Documented Attack Vectors

Baseband Exploitation: Researchers have demonstrated the ability to exploit vulnerabilities in baseband processors through malformed QMI messages^[18]. These attacks could potentially lead to remote code execution on the baseband processor.

QMI Authentication Bypass: Some implementations of QMI have been found to lack proper authentication mechanisms, allowing unauthorized access to sensitive functionality^[17].

Information Disclosure: Certain QMI services can leak sensitive information about the device, network configuration, or user data when improperly secured^[14][20].

Denial of Service: Sending specially crafted QMI messages can cause the baseband processor to crash or enter an unstable state, potentially disrupting cellular connectivity^[15].

Apple's Security Mitigations

Interface Isolation: Apple implements strict isolation between the application processor and baseband processor, limiting the attack surface^[13].

Message Validation: iOS performs extensive validation of QMI messages before they are sent to the baseband, helping to prevent malformed messages^[13].

Secure Boot: The baseband processor implements secure boot mechanisms to ensure that only authenticated firmware can be executed^[13].

Regular Updates: Apple regularly updates baseband firmware to address security vulnerabilities, often in coordination with Qualcomm^[13].

Custom QMI Implementation: For satellite communication, Apple has implemented custom QMI services with additional security measures specific to this use case^[3].

References

[1] Apple Inc. (2022). "Emergency SOS via Satellite: Technical Overview," Apple White Paper, Apple Inc..

[2] Globalstar (2021). "Globalstar Protocol Specification," Technical Documentation, Globalstar Inc..

[3] Qualcomm Technologies (2022). "Qualcomm MSM Interface (QMI) Protocol Specification," Technical Documentation, Qualcomm Inc..

[4] 3GPP (2020). "TS 36.211: Evolved Universal Terrestrial Radio Access (E-UTRA); Physical channels and modulation," 3GPP Technical Specification, 3GPP.

[5] 3GPP (2020). "TS 36.212: Evolved Universal Terrestrial Radio Access (E-UTRA); Multiplexing and channel coding," 3GPP Technical Specification, 3GPP.

[6] Myung, H. G., & Goodman, D. J. (2008). "Single Carrier FDMA: A New Air Interface for Long Term Evolution," Wiley, John Wiley & Sons.

[7] Proakis, J. G., & Salehi, M. (2014). "Digital Communications," 5th Edition, McGraw-Hill.

[8] Sklar, B. (2017). "Digital Communications: Fundamentals and Applications," 3rd Edition, Prentice Hall.

[9] Maral, G., & Bousquet, M. (2020). "Satellite Communications Systems: Systems, Techniques and Technology," 6th Edition, Wiley.

[10] Ippolito, L. J. (2017). "Satellite Communications Systems Engineering: Atmospheric Effects, Satellite Link Design and System Performance," 2nd Edition, Wiley.

[11] Schmidl, T. M., & Cox, D. C. (1997). "Robust Frequency and Timing Synchronization for OFDM," IEEE Transactions on Communications, IEEE.

[12] Mengali, U., & D'Andrea, A. N. (1997). "Synchronization Techniques for Digital Receivers," Springer, Springer.

[13] Fernandes, G., Paupore, J., Rahmati, A., Simionato, D., Conti, M., & Prakash, A. (2016). "FlowFence: Practical Data Protection for Emerging IoT Application Frameworks," USENIX Security Symposium, USENIX Association.

[14] Tian, D. J., Hernandez, G., Choi, J. I., Frost, V., Johnson, P. C., & Butler, K. R. (2020). "LTE Security Disabled: Misconfiguration in Commercial Networks," 12th Conference on Security and Privacy in Wireless and Mobile Networks, ACM.

[15] Rupprecht, D., Kohls, K., Holz, T., & Pöpper, C. (2019). "Breaking LTE on Layer Two," IEEE Symposium on Security & Privacy (SP), IEEE.

[16] Osmocom Project (2023). "Osmocom QMI/DIAG Tools," Open Source Mobile Communications. Available at: https://osmocom.org/projects/quectel-modems/wiki/QMI.

[17] Solnik, M., & Blanchou, M. (2014). "Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol," Black Hat USA, Black Hat.

[18] Weinmann, R. P. (2013). "Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks," USENIX Workshop on Offensive Technologies (WOOT), USENIX Association.

[19] Qualcomm Technologies (2021). "QMI Architecture and Service Overview," Qualcomm Developer Network, Qualcomm Inc..

[20] Shaik, A., Borgaonkar, R., Park, S., & Seifert, J. P. (2019). "New Vulnerabilities in 4G and 5G Cellular Access Network Protocols: Exposing Device Capabilities," 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, ACM.