A-GNSS MSB with TLS on EG25-G

I’m struggling with TLS on supl.google.com.

$ mmcli -m any --command='AT+QGPSCFG="plane"'
response: '+QGPSCFG: "plane",1'
$ mmcli -m any --command='AT+QGPSSUPLURL?'
response: '+QGPSSUPLURL: "supl.google.com:7275"'
$ mmcli -m any --command='AT+QGPS=2'
response: ''
$ mmcli -m any --command='AT+QGPSGNMEA="GSV"'
response: ''
$ mmcli -m any --command='AT+QGPSGNMEA="GSV"'
response: ''
$ mmcli -m any --command='AT+QGPSGNMEA="GSV"'
response: ''

I’ve tried to upload https://secure.globalsign.net/cacert/Root-R1.crt to the modem and import it using the following command. Is it the right certificate to upload?

$ mmcli -m any --command='AT+QGPSSUPLCA="RAM:Root-R1.crt"'
response: ''

Unfortunately nothing has changed. I still don’t see any GSV messages in the output.

If SUPL is configured without TLS (supl.google.com:7276 and plane,0), then everything works and I get

$ mmcli -m any --command='AT+QGPSGNMEA="GSV"'
response: '+QGPSGNMEA: $GPGSV,4,1,13,05,01,037,,07,12,322,,08,22,296,,10,28,187,,1*64
+QGPSGNMEA: $GPGSV,4,2,13,13,19,039,,15,27,073,,16,41,229,,18,51,084,,1*6F
+QGPSGNMEA: $GPGSV,4,3,13,23,57,146,,26,17,205,,27,54,281,,29,,,,1*50
+QGPSGNMEA: $GPGSV,4,4,13,30,09,352,,1*58'

What do I need to get SUPL working with supl.google.com:7275?

I set up a SUPL proxy to check whether the modem connects to the server.
I see the modem tries to establish TLSv1.1 (it’s an old and deprecated protocol that modern servers don’t support anymore), and the modem closes the connection after receiving ‘Certificate’ by sending a ‘Close Notify’ alert.

  1. Is only TLSv1.1 supported?
  2. Why does the modem close the connection?

@lyman-Q Is it possible to use SSL (7275) with supl.google.com?

It supports TLS 1.2; I suggest you export all the AT logs.

I wrote a simple Python script for testing SUPL.
load_supl_ssl_test.py (2.1 KB)

Here is the test without SSL. You can see that there are non-empty GSV messages after start.

$ sudo python3 load_supl_ssl_test.py 
open serial port
Check modem talk to us
AT
[b'\r\n', b'OK\r\n']
AT+QGPSEND
[b'\r\n', b'+CME ERROR: 505\r\n']
AT+QGPSXTRA=0
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=3
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=0
[b'\r\n', b'OK\r\n']
AT+QGPSXTRADATA?
[b'\r\n', b'+CME ERROR: 509\r\n']
AT+QFDEL="RAM:data.bin"
[b'\r\n', b'OK\r\n']
upload file to the modem
AT+QFUPL="RAM:data.bin",889
[b'\r\n', b'CONNECT\r\n']
[b'+QFUPL: 889,6b94\r\n', b'\r\n', b'OK\r\n']
set supl ca to file we uploaded
AT+QGPSSUPLCA="RAM:data.bin"
[b'\r\n', b'OK\r\n']
write configuration
AT+QGPSCFG="plane",0
[b'\r\n', b'OK\r\n']
AT+QGPSSUPLURL="supl.google.com:7276"
[b'\r\n', b'OK\r\n']
read configuration
AT+QGPSCFG="suplver"
[b'\r\n', b'+QGPSCFG: "suplver",2\r\n', b'\r\n', b'OK\r\n']
AT+QGPSCFG="plane"
[b'\r\n', b'+QGPSCFG: "plane",0\r\n', b'\r\n', b'OK\r\n']
AT+QGPSSUPLURL?
[b'\r\n', b'+QGPSSUPLURL: "supl.google.com:7276"\r\n', b'\r\n', b'OK\r\n']
start GNSS receiver (MSB)
AT+QGPS=2
[b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'+QGPSGNMEA: $GPGSV,3,1,12,01,00,007,,03,09,026,,06,31,104,,11,13,140,,1*6B\r\n', b'+QGPSGNMEA: $GPGSV,3,2,12,12,62,253,,17,21,052,,19,45,067,,22,08,087,,1*68\r\n', b'+QGPSGNMEA: $GPGSV,3,3,12,24,49,181,,25,30,265,,28,01,313,,32,29,302,,1*60\r\n', b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'+QGPSGNMEA: $GPGSV,3,1,12,01,00,007,,03,09,026,,06,31,104,,11,13,140,,1*6B\r\n', b'+QGPSGNMEA: $GPGSV,3,2,12,12,62,253,,17,21,052,,19,45,067,,22,08,087,,1*68\r\n', b'+QGPSGNMEA: $GPGSV,3,3,12,24,49,181,,25,30,265,,28,01,313,,32,29,302,,1*60\r\n', b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'+QGPSGNMEA: $GPGSV,3,1,12,01,00,007,,03,09,026,,06,31,104,,11,13,140,,1*6B\r\n', b'+QGPSGNMEA: $GPGSV,3,2,12,12,62,253,,17,21,052,,19,45,067,,22,08,087,,1*68\r\n', b'+QGPSGNMEA: $GPGSV,3,3,12,24,49,181,,25,30,265,,28,01,313,,32,29,302,,1*60\r\n', b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'+QGPSGNMEA: $GPGSV,3,1,12,01,00,007,,03,09,026,,06,31,104,,11,13,140,,1*6B\r\n', b'+QGPSGNMEA: $GPGSV,3,2,12,12,62,253,,17,21,052,,19,45,067,,22,08,087,,1*68\r\n', b'+QGPSGNMEA: $GPGSV,3,3,12,24,49,181,,25,30,265,,28,01,313,,32,29,302,,1*60\r\n', b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'+QGPSGNMEA: $GPGSV,3,1,12,01,00,007,,03,09,026,,06,31,104,,11,13,140,,1*6B\r\n', b'+QGPSGNMEA: $GPGSV,3,2,12,12,62,253,,17,21,052,,19,45,067,,22,08,087,,1*68\r\n', b'+QGPSGNMEA: $GPGSV,3,3,12,24,49,181,,25,30,265,,28,01,313,,32,29,302,,1*60\r\n', b'\r\n', b'OK\r\n']
stop GNSS receiver
AT+QGPSEND
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=3
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=0
[b'\r\n', b'OK\r\n']
close serial port

Here is the test without SSL. GSV messages are empty.

$ sudo python3 load_supl_ssl_test.py --ssl
open serial port
Check modem talk to us
AT
[b'\r\n', b'OK\r\n']
AT+QGPSEND
[b'\r\n', b'+CME ERROR: 505\r\n']
AT+QGPSXTRA=0
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=3
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=0
[b'\r\n', b'OK\r\n']
AT+QGPSXTRADATA?
[b'\r\n', b'+CME ERROR: 509\r\n']
AT+QFDEL="RAM:data.bin"
[b'\r\n', b'OK\r\n']
upload file to the modem
AT+QFUPL="RAM:data.bin",889
[b'\r\n', b'CONNECT\r\n']
[b'+QFUPL: 889,6b94\r\n', b'\r\n', b'OK\r\n']
set supl ca to file we uploaded
AT+QGPSSUPLCA="RAM:data.bin"
[b'\r\n', b'OK\r\n']
write configuration
AT+QGPSCFG="plane",1
[b'\r\n', b'OK\r\n']
AT+QGPSSUPLURL="supl.google.com:7275"
[b'\r\n', b'OK\r\n']
read configuration
AT+QGPSCFG="suplver"
[b'\r\n', b'+QGPSCFG: "suplver",2\r\n', b'\r\n', b'OK\r\n']
AT+QGPSCFG="plane"
[b'\r\n', b'+QGPSCFG: "plane",1\r\n', b'\r\n', b'OK\r\n']
AT+QGPSSUPLURL?
[b'\r\n', b'+QGPSSUPLURL: "supl.google.com:7275"\r\n', b'\r\n', b'OK\r\n']
start GNSS receiver (MSB)
AT+QGPS=2
[b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'OK\r\n']
AT+QGPSGNMEA="GSV"
[b'\r\n', b'OK\r\n']
stop GNSS receiver
AT+QGPSEND
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=3
[b'\r\n', b'OK\r\n']
AT+QGPSDEL=0
[b'\r\n', b'OK\r\n']
close serial port

This file is used for uploading as the SUPL CA: http://secure.globalsign.com/cacert/root-r1.crt
Is it the correct one?

@herbert.pan-Q any hints as to what could be wrong here?

When I set up my own server for debugging, I see only TLS 1.1 connection attempts in Wireshark.

Please provide the version of your current firmware.

AT+QGMR

EG25GGBR07A08M2G_30.007.30.007

I’ve looked at the release notes of A0.300.A0.300 and couldn’t find anything related to this problem in the changelog.

I’ve tested TLSv1.2 support in the firmware using AT+QSSL* commands and could successfully establish a connection to my test server and supl.google.com. I see with Wireshark that the connection uses TLSv1.2 and can confirm that the firmware supports TLSv1.2. The question is: why is TLSv1.1 used for the SUPL connection? Is there any way to enforce TLSv1.2?

Here is my test script
load_ssl_test.py (1.4 KB)
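
Added example, not part of the original thread and not code from any poster or from Quectel: a small Python decoder for the plaintext part of a TLS handshake, which turns the bytes one side sent (as captured by a debug listener or proxy like the one described above) into the two facts this thread turns on, the version the client offers in ClientHello and any alert it sends. All function names and the sample bytes are constructed for illustration.

```python
# Constants from RFC 4346 / RFC 5246; only the plaintext handshake phase is decoded.
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}
ALERTS = {0: "close_notify", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}

def parse_records(stream: bytes):
    """Yield (content_type, payload) for each TLS record in a raw TCP byte stream."""
    off = 0
    while off < len(stream):
        ctype = stream[off]
        length = int.from_bytes(stream[off + 3:off + 5], "big")
        end = off + 5 + length
        if ctype not in CONTENT or end > len(stream):
            raise ValueError(f"truncated or non-TLS record at offset {off}")
        yield ctype, stream[off + 5:end]
        off = end

def describe(stream: bytes) -> list:
    """Summarise one direction of a handshake as a list of readable events."""
    events = []
    for ctype, payload in parse_records(stream):
        if ctype == 22:  # one record may carry several handshake messages
            pos = 0
            while pos + 4 <= len(payload):
                htype, hlen = payload[pos], int.from_bytes(payload[pos + 1:pos + 4], "big")
                body = payload[pos + 4:pos + 4 + hlen]
                name = HANDSHAKE.get(htype, f"handshake_{htype}")
                if htype == 1 and len(body) >= 2:  # ClientHello.client_version
                    cv = int.from_bytes(body[:2], "big")
                    name += f" max_version={VERSIONS.get(cv, hex(cv))}"
                events.append(name)
                pos += 4 + hlen
        elif ctype == 21 and len(payload) == 2:  # plaintext alert: level, description
            level = {1: "warning", 2: "fatal"}.get(payload[0], payload[0])
            events.append(f"alert {level} {ALERTS.get(payload[1], payload[1])}")
        else:
            events.append(CONTENT[ctype])
    return events

def build_record(ctype: int, payload: bytes, ver: int = 0x0302) -> bytes:
    return bytes([ctype]) + ver.to_bytes(2, "big") + len(payload).to_bytes(2, "big") + payload

# Constructed sample (not a real capture): ClientHello offering TLS 1.1, then close_notify.
HELLO_TLS11 = bytes.fromhex("0302") + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
SAMPLE_CLIENT = (build_record(22, b"\x01" + len(HELLO_TLS11).to_bytes(3, "big") + HELLO_TLS11)
                 + build_record(21, b"\x01\x00"))
```

`describe(SAMPLE_CLIENT)` returns `['client_hello max_version=TLS 1.1', 'alert warning close_notify']`. A `close_notify` on its own does not state a reason; an alert such as `unknown_ca` or `protocol_version` in the same position would point at the CA file or the protocol version respectively.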