Since the modem runs (only) proprietary software, devices that doesn't have any mechanism that prevent the modem from taking control of the processor running Android are a grave concern for users freedom ans security.Because of that the Replicant project decided not to support anymore devices that don't have enough assurance that the modem is isolated. If you really want to add support for a device with a modem that is not isolated, several options are possible:
- The Replicant project can help you upstream the code in some other projects like Linux or LineageOS
- If the modem runs fully free software the isolation is not an issue anymore, but making the modem run fully free software would be a huge amount of work.
- It is probably possible to isolate modems with shared memory but it could require a big amount of work and/or require fully free bootloaders with IOMMU support.
History and modem shared memory¶
When Replicant was started, the HTC Dream was the only available Android phone, and it had a Qualcomm System On a Chip (SOC) with an integrated modem. We then also added support for other very similar devices.The System On a Chip family used by these devices was the MSM7K. While working on Replicant, very serious flaws were discovered with that System On a Chip family:
- The modem (which runs only non-free software) handled things that were too privacy sensitive, such as the audio CODEC, which, as I understand, makes it possible, hardware wise, for the modem to enable the microphone without the Application Processor (which ran Replicant) being involved.
- The RAM chips were shared between the CPU of the GSM modem and the SOC CPU. This was also the case for some of the supported devices that had a Samsung Exynos SOC like the Nexus S. This could enable the modem to take control of the processor running Replicant.
- The modem processor was in charge of booting the device. To do that it had to:
- Intialize all the system RAM
- Load the bootloader of the Application Processor in RAM and instruct that processor to run that code.
- The modem also handled the GPS. This is also a concern for other devices with different System On a Chip like the Nokia N900.
Despite the huge amount of work required, when alternatives became available, we switched away from devices with this System On a Chip family because the gravity of the issues was a nightmare.
While some of the above issues have been fixed in more recent Qualcomm System On a Chip families, the increasing amount of proprietary libraries for theses new families, and the lack of strong guarantees that would prevent the modem from being able to take control of the processor running Replicant made the project ignore and discourage the use of the newer Qualcomm System On a Chip families.Despite that, it may be possible to make sure that the modem cannot physically access and modify the Application Processor's RAM content, for instance by using the SOC IOMMU, if there is one, but that would require significant work. It would at least require:
- to be able to use a mainline kernel (to be able to have some trust in the code)
- to have public documentation on the System On a Chip IOMMU.
- to have people analyze the security of the IOMMU.
- to make sure that the IOMMU setup even before the RAM is even initialized. Nonfree bootloader most probably prevent that.
Despite that we may still accept contributions for devices with such System On a Chip, but it's best to contact the Replicant project (for instance on the mailing list or on IRC) before starting to work on that, to collectively decide how to handle that.
For instance some tablets use Qualcomm SOCs have no modems. So if the most important privacy sensitive hardware is under the control of the Application Processor, it might be possible to add support for such tablets if work is done to make sure that they can be useful without any proprietary libraries.
Having the modem and the processor running Android in separate chip, connected through a bus (like USB) that doesn't allow the modem to access the Android processor's memory offers pretty good guarantee that the modem cannot take the control of the processor running Android at a hardware level.
When the modem and the Android processor are in the same chip or when they use shared memory to communicate, and that memory is also used by the processor operating system, such guarantees are gone.
- Some smartphones manufacturer could connect the modem to the processor running Android with separate dedicated memory that is not used for things other than enabling them to communicate.
- IOMMUs are hardware dedicated to prevent peripherals (like a modem) from taking control of the processor (that is here running Android). To have enough guarantee, such hardware should have good technical documentation and the code using it should have good peer review (It should be good enough if it is in upstream Linux). Note that some IOMMUs are very complicated to setup in a secure way.
System on a chip¶
|System on a chip
|Mobile Station Modem (MSM) Snapdragon 7x30
* The modem is in charge of loading the bootloader of the processor running Android. Because of that it can temper with that bootloader and take control of the processor running Android.
* The modem can access the memory of the processor running Android, and can take control of it through that way.
* The modem has access to the storage of the processor running Android, so it can take control of it through that.
* The modem is booted by the processor running Android (which in turn is booted by a separate boot processor called RPM)
* There is not enough public documentation to understand if there is enough isolation between the modem and the processor running android.
The Security of chip fabric page of rpw-pacsec2013-hexagon.pdf
|Texas Instruments (TI)
| * No modem
* Has some DSP cores (no known use as modem, typically used for audio and video decoding offload)
This lists devices that have the modem and the processor running Android in separate chips and use shared memory between them, along with the way the processor running Android is isolated from the modem, or not.
Devices supported by Replicant 6.0¶
|Galaxy Nexus (I9250)
|* With MIPI it's most probably not possible for the peripheral to access the host RAM
| * board-tuna.c:
#ifdef CONFIG_OMAP_HSI_DEVICE if (TUNA_TYPE_MAGURO == omap4_tuna_get_type()) omap_hsi_init(); #endif
|Galaxy Tab 2 7.0 (P31xx)
|* espresso_defconfig: CONFIG_LINK_DEVICE_MIPI=y
|Galaxy Tab 2 10.1 (P51xx)
|Galaxy S 3 (I9300)
|* HSIC is a subset of the USB protocol => the peripheral has no access to the host RAM
* The device cannot change USB IDs without the host powering up and down the bus
|* lineageos_i9300_defconfig: CONFIG_MODEM_M0
* lineageos_i7000_defconfig: CONFIG_LINK_DEVICE_HSIC=y
* lineageos_i7100_defconfig: CONFIG_MODEM_M0
* lineageos_i5100_defconfig: CONFIG_MODEM_M0
* lineageos_i9100_defconfig: CONFIG_LINK_DEVICE_HSIC=y
|Galaxy Note (N7000)
|Galaxy Note 2 (N7100)
|Galaxy Note 8.0 (N51xx)
|Galaxy S 2 (I9100)
Powering off the modem¶
See the ModemDisableResearch page for more details.
Exploiting qualcomm wlan and modem over the air(mp4 srt pdf ) is a presentation about gaining code execution in the Linux kernel by using bugs in code that runs in the modem. It shows that bypassing the IOMMU from the modem can work work in certain conditions.
- IOMMU-resistant DMA attacks is a paper that shows two systemic vulnerabilities (the sub-page granularity vulnerability and the deferred invalidation vulnerability) that exist because common operating systems designs are not adapted to the way IOMMU hardware work (their design predate the wide availability of IOMMUs on personal computers). Because of that it is probably very difficult to fix with existing operating systems and/or hardware.