Since the modem runs (only) proprietary software, devices that doesn't have any mechanism that prevent the modem from taking control of the processor running Android are a grave concern for users freedom ans security.
Because of that the Replicant project decided not to support anymore devices that don't have enough assurance that the modem is isolated. If you really want to add support for a device with a modem that is not isolated, several options are possible:When Replicant was started, the HTC Dream was the only available Android phone, and it had a Qualcomm System On a Chip (SOC) with an integrated modem. We then also added support for other very similar devices.
The System On a Chip family used by these devices was the MSM7K. While working on Replicant, very serious flaws were discovered with that System On a Chip family:Despite the huge amount of work required, when alternatives became available, we switched away from devices with this System On a Chip family because the gravity of the issues was a nightmare.
While some of the above issues have been fixed in more recent Qualcomm System On a Chip families, the increasing amount of proprietary libraries for theses new families, and the lack of strong guarantees that would prevent the modem from being able to take control of the processor running Replicant made the project ignore and discourage the use of the newer Qualcomm System On a Chip families.
Despite that, it may be possible to make sure that the modem cannot physically access and modify the Application Processor's RAM content, for instance by using the SOC IOMMU, if there is one, but that would require significant work. It would at least require:Despite that we may still accept contributions for devices with such System On a Chip, but it's best to contact the Replicant project (for instance on the mailing list or on IRC) before starting to work on that, to collectively decide how to handle that.
For instance some tablets use Qualcomm SOCs have no modems. So if the most important privacy sensitive hardware is under the control of the Application Processor, it might be possible to add support for such tablets if work is done to make sure that they can be useful without any proprietary libraries.
Having the modem and the processor running Android in separate chip, connected through a bus (like USB) that doesn't allow the modem to access the Android processor's memory offers pretty good guarantee that the modem cannot take the control of the processor running Android at a hardware level.
When the modem and the Android processor are in the same chip or when they use shared memory to communicate, and that memory is also used by the processor operating system, such guarantees are gone.
| Vendor | System on a chip | Isolation | Market share | References |
|---|---|---|---|---|
| Qualcomm | Mobile Station Modem (MSM) Snapdragon 7x30 | Bad: * The modem is in charge of loading the bootloader of the processor running Android. Because of that it can temper with that bootloader and take control of the processor running Android. * The modem can access the memory of the processor running Android, and can take control of it through that way. * The modem has access to the storage of the processor running Android, so it can take control of it through that. |
boot process | |
| Qualcomm | Snapdragon S4 | Unknown: * The modem is booted by the processor running Android (which in turn is booted by a separate boot processor called RPM) * There is not enough public documentation to understand if there is enough isolation between the modem and the processor running android. |
Boot process The Security of chip fabric page of rpw-pacsec2013-hexagon.pdf |
|
| Qualcomm | APQ* | No modem | ||
| Samsung | Exynos 4210 | No modem | ||
| Samsung | Exynos 4412 | No modem | ||
| Texas Instruments (TI) | OMAP 4460 | * No modem * Has some DSP cores (no known use as modem, typically used for audio and video decoding offload) |
This lists devices that have the modem and the processor running Android in separate chips and use shared memory between them, along with the way the processor running Android is isolated from the modem, or not.
| Vendor | Device | Isolation | References |
|---|---|---|---|
| Samsung | Nexus S | Bad | Exynos3110ModemIsolation |
| Samsung | Galaxy S | Bad | Exynos3110ModemIsolation |
| Vendor | Device | Link | Isolation | References |
|---|---|---|---|---|
| Samsung | Galaxy Nexus (I9250) | MIPI | * With MIPI it's most probably not possible for the peripheral to access the host RAM | * board-tuna.c:
#ifdef CONFIG_OMAP_HSI_DEVICE
if (TUNA_TYPE_MAGURO == omap4_tuna_get_type())
omap_hsi_init();
#endif
* modem_link_device_mipi.c |
| Galaxy Tab 2 7.0 (P31xx) | * espresso_defconfig: CONFIG_LINK_DEVICE_MIPI=y | |||
| Galaxy Tab 2 10.1 (P51xx) | ||||
| Galaxy S 3 (I9300) | HSIC | * HSIC is a subset of the USB protocol => the peripheral has no access to the host RAM * The device cannot change USB IDs without the host powering up and down the bus |
* lineageos_i9300_defconfig: CONFIG_MODEM_M0 * lineageos_i7000_defconfig: CONFIG_LINK_DEVICE_HSIC=y * lineageos_i7100_defconfig: CONFIG_MODEM_M0 * lineageos_i5100_defconfig: CONFIG_MODEM_M0 * lineageos_i9100_defconfig: CONFIG_LINK_DEVICE_HSIC=y * board-m0-modems.c |
|
| Galaxy Note (N7000) | ||||
| Galaxy Note 2 (N7100) | ||||
| Galaxy Note 8.0 (N51xx) | ||||
| Galaxy S 2 (I9100) |
See the ModemDisableResearch page for more details.
Exploiting qualcomm wlan and modem over the air (mp4 srt pdf ) is a presentation about gaining code execution in the Linux kernel by using bugs in code that runs in the modem. It shows that bypassing the IOMMU from the modem can work work in certain conditions.