Project

General

Profile

update MTK baseband

Added by Robin Ivetic almost 2 years ago

Hello,

Hope that I'm not violating terms of use, because topic is not regarding replicantOS, more it's security in general, but I read here security topic about cryptophone and firewall for baseband, does anyone knows some solution for protecting baseband, don't know how GrapheneOS works with baseband.

I'm the owner of phone with MTK Helio P35 (MT6765V/WA), manufacturer will not update any more OS, can I somehow update baseband, does anyone know if MTK baseband are compatible between MTK chipsets, is SnapDragon less vulnerable than MTK.

https://labs.taszk.io/articles/post/mtk_baseband_csn1_exploitation/

Robin.


Replies (3)

RE: update MTK baseband - Added by Jack K almost 2 years ago

Firstly, the Replicant project doesn't recommend nonfree firmware. On Replicant supported devices the modem firmware(s) permanently reside in a partition on the device, and so Replicant merely uses the modem firmware(s) provided by the device. The Replicant project doesn't source them from elsewhere. If they were free, Replicant would likely build them from source.

Also the phones supported by Replicant are not known to have bad modem isolation, another important factor to consider in phone security. MTK Helio P35 has its modem embedded on the SoC, so is likely to have poor isolation. Having control of the boot process would enable isolation to be guaranteed, but I imagine you do not have a free software bootloader for your device.

Finally, I don't know if it is possible to use modem firmwares from other phones, but I highly recommend you do not do that. It will probably not work, may brick your modem, and also may be illegal in your jurisdiction.

I hope that is helpful.

RE: update MTK baseband - Added by Robin Ivetic almost 2 years ago

Do you know what GrapheneOS do better than LineageOS regarding security!!!???, whole Graphene philosophy is regarding security, I follow "Replicant way" for years, but like to have phone made from one piece, hope that I'm not abusive.

"I'm the owner of phone with MTK Helio P35 (MT6765V/WA), manufacturer will not update any more OS, can I somehow update baseband, does anyone know if MTK baseband are compatible between MTK chipsets, is SnapDragon less vulnerable than MTK." 

I didn't ask correct question, what I meant, can I update MTK baseband from other manufacturer, which also uses Helio P35, you hardly can brick phone, you can always use SP flash tool from MTK, to flash manufacturer image back.

RE: update MTK baseband - Added by Denis 'GNUtoo' Carikli almost 2 years ago

With Mediatek the most promizing SOC for a free modem firmware is the MT62351 and if if I recall well there is some documentation on the Internet about the pieces missing (the DSP) in the u-boot fork that makes the modem partially work.

And that wiki might have links or information on how to update such baseband firmware with free software but that's only useful if you either intend to work on a free software replacement or do reverse engineering of modem firmwares or what to erase the baseband firmware completely.

The issue is that baseband firmwares often have calibration data somewhere, and the firmware is most likely tailored precisely to the phone you have (According to reports from users reinstalling the stock firmware and doing things like that the firmware is likely tailored to the combination of the exact hardware variant and geographic area or carrier in a geographic area).

And the issue is that with firmwares like that is that phone vendors will probably not backport the latest security fixes. And even if known bugs are more likely to be fixed in new phones, it probably still take time until a fix reaches new products (it's probably easier for the chip vendors to make variations of older firmwares than porting everything to newer OS versions and baseband stack versions until you need features that are in the newer OS and baseband stacks).

In addition, it's really trivial to find unknown bugs in some baseband.

See for instance "A walk with Shannon Walkthrough of a pwn2own baseband exploit." ("https://www.youtube.com/watch?v=6bpxrfB9ioo", https://downloads.immunityinc.com/infiltrate2018-slidepacks/amat-cama-a-walk-with-shannon/presentation.pdf).

And there might be backdoors as well, and not only in the modem.

So the solution for that device is not to try random modem firmwares in the hope that they won't contain security issues because they will likely do anyway and updating or even downgrading the modem firmware will probably not change much about that.

A better solution here would be to try to disable that modem firmware completely by erasing it or to try to port free software bootloaders and upstream kernels and try to make it hard for the modem firmware to take the control of the phone.

PostmarketOS may also have infos on Mediatek System on a chip.

[1]https://osmocom.org/projects/baseband/wiki/Mediatek_Chipset

    (1-3/3)