
Fairphone Baseband OS / firmware?


#1

Hi, considering the Fairphone ideals of open design and user ownership, I was wondering what baseband processor you use for the current generation phones, especially now that the vulnerabilities of most existing—closed source—baseband OSes are thought to be widely exploited by interceptor towers. If it’s an unknown/closed source OS, what priority would you give to using more open and secure baseband firmware for upcoming phone models?


#2

Anyone? Surely the designers can answer this? I really don’t want to believe the principles are just hype.


#3

Hi @teppe,

Places you could look for the info:

Personally I don’t know enough about this topic to be of any help. If you can’t find the info in the above mentioned docs you could always inquire about it through Support.


#4

Your principles may not be Fairphone’s principles.


#5

I’d say those are exactly Fairphone’s principles, just read the start page of fairphone.com:

So unless Fairphone had to sign some top-secret contract to keep this info under disclosure, I’d say @teppe is totally right in asking about it. And even in the case they can’t make this information public, they could at least say that. No harm in asking, right?


#6

My response was slightly harsh, but mostly so because of the insinuation that all that FairPhone stands for becomes meaningless just because the baseband drivers are not available (something that is true for most phones).


#7

[quote=“Kris_S, post:3, topic:1228”]
Hi @teppe,

Places you could look for the info:

Personally I don’t know enough about this topic to be of any help. If you can’t find the info in the above mentioned docs you could always inquire about it through Support.[/quote]
Thank you, I appreciate it. I’m still looking around to try to work this out, but I think it’s probably part of the MediaTek (MT6589) chipset, who FairPhone have managed to secure some source code from before. Unfortunately, MediaTek are said to have particularly bad baseband firmware.

[quote=“Jerry, post:6, topic:1228, full:true”]
My response was slightly harsh, but mostly so because of the insinuation that all that FairPhone stands for becomes meaningless just because the baseband drivers are not available (something that is true for most phones).
[/quote]
I hope that my asking the question in the first place shows that I have good faith FairPhone will look into it (and as I say, I want to believe in the company!), but what’s true for mainstream smartphone manufacturers is really no get-out clause, since FairPhone was set up (as I understand it) to try to avoid their bad practices. In terms of open and free design and security, proprietary closed-source baseband seems to be one of the major existing problems. This doesn’t undermine any of the rest of their ethical framework.

One project I’ve come across while looking into this that might be a solution is OsmocomBB (an open source baseband replacement, mostly for Calypso based phones, but also at least some MediaTek).


#8

I am really happy this discussion turned productive. I understand @Jerry’s concern as well as @teppe’s question. I agree basebands in smartphones (or any phone) are of concern, I do not believe this is a problem Fairphone can solve. This is rather something a relevant part of the whole mobile industry has to be interested in solving. As far as I know, this is something even most “open” phones fall short - including Firefox OS and Jolla.

So there might be no harm in asking, but I do not think this problem makes any of Fairphone’s principles “hype”.


#9

I concur with @Jerry and even more with @ben. In the sense that while I think that @teppe’s concern is legitimate (yes, the baseband really should be secure), we also need to have a high dose of realism. @ben rightly points out that this is an industry-wide problem that Fairphone can’t solve on its own. And even if technical solutions do come available (which I would applaud), it is still my personal opinion that FP shouldn’t be in the vanguard to implement them. My reasoning is that FP already occupies a niche “device-wise” (different business model, sales & distribution method, ethical values as core selling point, etc.) compared to most smartphones, that to couple it with niche “software-wise” would risk narrowing the customer base so much that it might hurt the project in the longer term (don’t forget that a project like FP needs a critical mass of customers in order to be effective).

Slightly harsh or not, @Jerry is right I believe. Or with a bit more nuance: their interpretation of generally-formulated principles may be different than your interpretation. One thing we (the more technically-oriented members of the FP community) tend to forget, is that FP was founded by people with little prior knowledge of smartphones (some hadn’t even owned one before). So they formulated a general set of principles before having thought out what this would mean for the technical implementation. Probably they have spent a lot more on that thought process by now, but that also means they are now confronted with a lot of practical limitations. E.g. my guess is they never would have thought they would be so dependent on a chipset manufacturer for the whole software side of their FP ideas/principles.

Or alternatively: their priorities in implementing those principles may be different than your priorities. And talking about priorities: I don’t think better baseband firmware should be on top of the list, given that FP is still grappling with providing updates for the main OS (which has far more immediate security benefits for most users). Which in turn will be a critical factor in determining whether they really have produced a phone that is built to last.


#10

Thanks @ben and @Fisher_AZ for that additional information/explanation. I also understand now what you were trying to say @Jerry.
I’d like to add that I haven’t even been aware of there being a problem with this before. This leads me to believe a big part of the FP community also does not know about this (at least I think the less technically-oriented make up a big part). So I leave it up to you guys to estimate whether this is something Fairphone could/should tackle, but I definitely think this topic deserves more awareness. So I’m glad it was brought up on here!
However, generally I believe Fairphone should strengthen what they already accomplished before taking up new issues, whatever those may be, there’s still a lot to pick from…


#11

First let me say it’s refreshing to see a forum on the big bad Internet where people actually listen to each other and are capable of having an insightful discussion about a topic :smile:

Anyway, I do think teppe is raising a valid point. What I’m slightly worried about though, is that people are jumping to Fairphone because they hope they get a device that’s entirely open and can be tinkered with all they like. Somehow, having a Google-free platform with open software, an open OS and open drivers has become more important to people than what FairPhone was initially started up for: problems in mining the raw materials, problems in production, problems in the end-of-life process of phones and trying to change the way we see our phones (as throwaway products).

Now everyone has different priorities with what they think is important, but for me personally, I think the stuff FairPhone is doing now in Congo, China and Ghana is much more important than whether or not I’m under the influence of big brother Google, or if I’m running the latest Android version or if I’m able to compile my own chipset drivers and run those instead of MediaTek’s proprietary nonsense. Frankly, those sound like first-world-problems to me.

Thing is, if you want open, secure and free (as in America), there are alternatives. It would be great to see all these things integrated in a single device, and possibly, one day, we’ll get there, but for now, those aren’t top priority for FairPhone and I think they shouldn’t be. I find it slightly worrying that people are getting riled up about not having the latest Android OS or not being able to run Firefox OS more so than about people dying in Congo getting tantalum out of mines under gunpoint.

Sure, these issues aren’t mutually exclusive. A phone-company can work on all those issues, but not when you’re just 30 man strong with an installed base of less than 50,000 units. That’s the reality of it right now.


#12

Tell that to Mr. Snowden! Only secure and free means of communication in the US would be carrier pigeons…

But otherwise I agree fully with what you say…


#13

[quote=“Jerry, post:11, topic:1228”]
First let me say it’s refreshing to see a forum on the big bad Internet where people actually listen to each other and are capable of having an insightful discussion about a topic :smile:
[/quote]
I’m with you on that brother! :wink: It’s been very helpful to get a picture of how far along on its goals Fairphone is, and what its strengths are compared to others in a market where there’s most likely never going to be a 100% perfect product.

Unlike @ben and @Fisher_AZ I think any company—including Fairphone—could be market leaders and effect this change by investing in a small team of developers for a few months or less. OsmocomBB shows the groundwork has already been done, and in practice I think Fairphone is probably more likely than the giants to implement something like it: that likelihood depends entirely on the team.

I would also agree that sourcing ethical components is massively the most important thing, but from what I can see of the structure of the company, there are people whose job it is purely to look into the tech side of the phone too. Far from putting potential customers off (unlike a user OS—like Android—the baseband is to all intents invisible: no-one except hackers would spot the difference, it wouldn’t become any more “nichey”), imagine the PR coup if they could implement the first ever smartphone with secure, open source baseband. Of all the people who would then buy it out of concern for privacy, security or love of the open source movement, many of their opinions about ethical products as viable alternatives might well begin to change as a result. I really think investment (granted, medium and long term) is the best way to look at this.

[quote=“kgha, post:12, topic:1228”]
Only secure and free means of communication in the US would be carrier pigeons…
[/quote]
…wearing tiny tin hats! :laughing:


#14

I dunno man, suddenly packet loss starts to sound like a really serious issue…


#15

Really useful discussion :thumbsup:, but just wanted to point out that you may not get a response from the official Fairphone team, as these are community forums. The team do try to keep in touch with the community, but may not respond directly.

If it gets to the point where you think you need an official answer you can flag to the community mods and we’ll do our best to get a response. Alternatively you could contact support directly and update here with any response.


#16

There are regulatory compliance issues with baseband firmware (eg FCC in the US, OFCOM in the UK, others in other countries) which will take you far more than a few months to sort out. I don’t know the details - I’m a software guy, not a lawyer - but this has to be worked out separately for each regulatory body, by guys with expensive suits, not coders.


#17

I’d be really interested in the official response if you could ask the team!

Ah, I think I’d managed to forget I’d heard that. :frowning: I wish, whether fancy suits or not, they’d at least do their jobs and only approve reliable secure firmware, regardless of if they’re under pressure to approve exploitable code or not.


#18

Hi,

I like the discussion very much here and I am sure we can give some insights into what we can and will do later (but not right now). Working on an open/secure baseband is not one of them. We have to realize why Fairphone does (try) to open source things and what Fairphone’s role is here.


#19

Hi. I wanted to write this to the Fairphone team but couldn’t find a contact address, and it’s too long for a tweet. I know this is firstly a forum between users, but I’m hoping that posting here might at least be a first step.

Context: I am not yet a Fairphone owner, in fact not even a smartphone owner as I’m very unhappy with the way the market has evolved into a state where users are not really in control of the devices they bought. I can’t see myself using a standard Android device except for testing purposes. Needless to say, Apple and Windows devices are even less of an option. I appreciate that Fairphone went further than mainstream phone makers towards opening their phone to its users, and reading the latest blog post on Fairphone’s approach to software has made me more hopeful that the new Fairphone might offer a degree of freedom that will enable me to fully embrace it. I am a software developer, but know next to nothing about hardware. I’m also a volunteer at Digitalcourage, a German NGO that deals with digital rights, but here I’m writing personally.

I am writing about something I’ve seen on a page from the Tor project about Android security and privacy. I quote from https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy#Hardware:

If you truly wish to secure your mobile device from remote compromise, it is necessary to carefully select your hardware. First and foremost, it is absolutely essential that the carrier’s baseband firmware is completely isolated from the rest of the platform. Because your cell phone baseband does not authenticate the network (in part to allow roaming), any random hacker with their own cell network can exploit these backdoors and use them to install malware on your device.

While there are projects underway to determine which handsets actually provide true hardware baseband isolation, at the time of this writing there is very little public information available on this topic. […]

The page then goes on to discuss some seemingly exotic and inconvenient ways of achieving this separation. This is clearly an issue that is not yet served well and would need more attention from hardware makers. I understand that the Fairphone project is dependent on its suppliers, but I was wondering if there is a chance that this issue could be raised with suppliers as part of the search for the next Fairphone platform.

Thanks for reading, and for any replies.


#20

Hi, I could not insist more on this crucial matter.

Currently, there exist two categories of smartphones: the ones which control their user through the baseband, and the neo900 (which aims to sandbox the baseband) (and which is not exactly ‘existing’ yet).

Here is Edward Snowden explaining on the BBC why we should free ourselves from baseband chips: http://www.bbc.com/news/uk-34444233

Here is a Wired paper explaining how the neo900 project is working to circumvent the problem: http://www.wired.com/2013/11/neo900/

Regarding FairPhone, my 1st concern was about Free Software operating system. I suggested to work for free during a year to port Firefox OS on FairPhone but were considered seriously. One year later, reading that Sailfish OS will be supported, I’m back :smile:

A Free Software operating system can’t hold its promise if it is in the shadow of another OS controlling the phone. This issue may be less known for the moment, but is also far more of a concern. Great work has been accomplished between FP1 and FP2, it’s impressive. So we know you can do it. Please, change the world once again, and have control over basebands a thing that comes true with your next phones or modules.

Here is a project of open base band chip if it can help: https://bb.osmocom.org/trac/