[Replicant] Report from 36C3

dllud dllud at riseup.net
Wed Jan 8 15:22:07 UTC 2020


Between December 27th and 30th, 5 Replicant contributors (GNUtoo,
GrimKriegor, dllud, Putti and JeremyRand) attended the 36th Chaos
Communication Congress (36C3)[1] in Leipzig.

Thanks to the great people from the Critical Decentralization
Cluster[2] (CDC), namely parasew, txmr, nevvton and rehrar, Replicant
was able to host an assembly[3] at the event.

The assembly was quite a success and had visitors all around the
clock.

Such was possible also thanks to the contributions of adfeno, who
prepared the promotional media (banner and flyers)[4] used during the
event (photos attached), and the FSF staff, whom were super-flexible
and able to ship stickers to us on a really tight schedule.

The Replicant stickers were quite a success, and we soon realized that
the 300 we took were too few. They had to be carefully managed
starting on day 1 of the event. Next time we are surely taking many
more.

Replicant's assembly allowed us to connect with lots of people that
wanted to learn more about Replicant, or otherwise had interesting
ideas and suggestions to share with us:

* Someone let us know about Cellebrite[5], an Israeli company that
  sells mobile phone data extraction kiosks under the brand 'Universal
  Forensic Extraction Device' (UFED)[6].

  UFED is advertised as being compatible with several thousands of
  different devices[7], possibly including those supported by
  Replicant.

  According to that person, UFED works by exploiting know as well as
  undisclosed vulnerabilities (zero-days) in the USB stack and in
  Android in order to by-pass screen locks and other protective
  measures.

  UFED is used by several law enforcement agencies in the US, as well
  as in Turkey, the United Arab Emirates and Russia[8]. We were
  informed that France is purchasing 2000 UFED kiosks for its law
  enforcement.

* We were visited by Ralf Staudemeyer alongside with some of his
  students. Ralf is a professor at Hochschule Schmalkalden that
  currently teaches a course on IT-security and privacy, and is very
  supportive of Replicant.

  Ralf currently has 2 Librem5 phones at his lab, and one of his
  students, Tobias[9], whom has experience porting devices to
  LineageOS, is willing to start working on the Librem5 port for
  Replicant 9.

* As F-Droid packages are not compliant with the GNU Free System
  distribution guidelines(FSDG)[10], Replicant already took the
  decision to remove F-Droid in the next Replicant 6 release, and the
  patch for that has already been merged.

  As in the long term, we want to bring back a (modified) version of
  F-Droid, we need a way to have a repository compliant with the FSDG
  guidelines.

  We discussed with some F-Droid contributors about that issue:
  - Even if F-Droid packages definitions allow to define
    anti-features, the ones F-Droid currently have[11] are not
    sufficient to deduce if a given package is compliant with the FSDG
    guidelines.

    For instance F-Droid itself doesn't have any nonfree addons, or
    other anti-features, and yet it's not compliant with the FSDG
    guidelines as some of the packages (like Yalp[12]) in the
    repositories being configured are not compliant with such
    guidelines.

    The F-Droid contributors told us that to make the discussion go
    forward we would need to open a bug on the f-droid data repository
    to discuss the specifics details on how to deal with this issue.

* There was an assembly about MNT reform close to the Replicant
  assembly.

  The MNT Reform is a project to make a laptop that is fully
  free software with "all firmware, hardware, and software" being
  "Free & Open Source"[14].

  Unfortunately they switched from an I.MX6 to an I.MX8M[15]. This
  means that the device cannot be booted with free software anymore
  as booting now depends on a nonfree firmware for the DDR4
  controller.

  The Librem5[16] has the same issue as Purism also switched from the
  I.MX6 to an I.MX8.

  One of the people working on MNT reform told us that since they were
  busy working to make the laptop, they might look into the reverse
  engineering of the firmware once the laptop is done.

* Near the Replicant assembly was the assembly for ImplicitCAD[17].

  It's a CAD tool similar to OpenSCAD, but unlike OpenSCAD that uses
  its own description language for describing 3D object, ImplicitCAD
  uses Haskell.  One of the people involved in ImplicitCAD also works
  on a free software replacement for the Raspberry PI nonfree
  bootloader[18].

  According to her, the free replacement can now reliably boot on the
  SD on one Raspberry PI model, but it still lacks Ethernet, USB, and
  display support.

* We also discussed about our work to make the bootloader for the
  Samsung Galaxy SII and Galaxy Note II fully free with the same
  ImplicitCAD contributor.

  As our research was still on very early stages, and that a lot is
  left to try, she expressed some interest in working on it and has
  already started looking for half-broken devices to try things on.

  For more background in the current status of the bootloader, we did
  a presentation on the topic in the Replicant Contributors' meeting in
  Paris in 2019[19].

* Someone visiting the Replicant assembly also asked about the
  Shiftphone.

  We took the time to review the devices but all had a modem that was
  in the same System On a Chip that was running Android.

  Replicant decided not to support devices with modems that are not
  isolated and it would be too much work to guarantee that the modem
  is isolated in cases like that.

  The devices we reviewed were also added in the TargetsEvaluation
  wiki page[20], as that page is now also used to keep track of
  devices that Replicant doesn't want to support or can't support for
  various reasons.

* We received a much welcomed visit from Michiel (NLnet).

  The long minutes we stole out of Michiel's busy schedule were
  diligently used to let him know about the current status of the
  work on Replicant, and our hopes and ambitions for the near future.

  Michiel shared with us good news coming from the other projects that
  NLnet is sponsoring. It seems that things are moving in the right
  direction, and that in a 5 years term, getting free hardware fit to
  build a smartphone may actually be achievable.

Replicant contributors also gave a few talks about Replicant and
related topics in several spots around the congress.

The most important talks were aimed at finding ways to solve specific
issues that Replicant and some other projects in the wider Free and
Open Source community were having.

They sparked interesting discussions where we leaned many new things:

* Android’s build system is messier than your distro’s[21][22]

  Attendees shared with us news about the Bazel[23] build system from
  Google, which is being now pushed for usage outside Google, namely
  to build Android apps.

  Bazel BUILD files were the basis for the Android.bp (Blueprint)
  files[24]. Unfortunately Bazel is tailor-made to the Google's
  monorepo approach[25][26], meaning it comes exactly with the same
  assumption as Blueprint: all projects needed in an Android build
  would need to use it as their own build system.

  On a more positive note, lrvick from hashbang showed us the
  aosp-build[27] project which strives to create an AOSP build system
  that is customizable and thus potentially fit for many different
  Android distros, such as Replicant.

  It builds the external components such as the kernel using their own
  build system and later includes them into the final build image.
  It may turn out to be a solution for the issue we have been having
  with external components such as kernel, Mesa and SwiftShader.

* The chromium mess meets Android[28][29]

  The general consensus after hearing most opinions in the room was
  that approach #3, getting apps to use GeckoView themselves, is a no
  go as we anticipated.

  Besides having to learn a new API, GeckoView would also bring in a
  20 MiB bloat to any app. Such could be dealt with by having
  GeckoView as a system lib much like WebView.

  Unfortunately, no other Android distro would have a built-in
  GeckoView besides Replicant, meaning that apps would have to carry
  it anyway to be able to run elsewhere.

  Regarding approach #2, the GeckoView shim, some people warned us
  that it will be slower than WebView. We acknowledge that fact but
  still feel that the degraded performance is only but a little price
  to pay for software freedom.

Two more general presentations on Replicant were made as well:

* Introduction to Replicant[30][31].

* Extending the lifetime of smartphones with Replicant[32][33].

  In order to prepare the presentation on making Replicant
  sustainable, we looked again at the devices supported by LineageOS
  and we found that some devices had both removable batteries and a
  dedicated modem that is not in the System On a Chip that is running
  Android, but we didn't look into it in more details.

  As the supported devices pages of the LineageOS wiki are generated
  from some description in yaml, we wrote a script to generate a list of
  devices that are not yet known to be bad[34].

  All the devices found use a Qualcomm APQ System On a Chip that doesn't
  have an integrated modem.

  For more details in why having a dedicated modem is important, see
  the Replicant Freedom and privacy/security issues
  documentation[35] and the ModemIsolationResearch wiki page[36].

As expected, the 36C3 ran their own cellular network, so like with the
CCCamp, we also tested Replicant on that network, and everything went
fine on Replicant side.

References:
-----------
[1] https://events.ccc.de/congress/2019/wiki/index.php/Main_Page
[2] https://decentral.community/
[3] https://events.ccc.de/congress/2019/wiki/index.php/Assembly:Replicant
[4]
https://redmine.replicant.us/projects/replicant/wiki/PromotionalMedia#section-5
[5] https://www.cellebrite.com
[6] https://www.cellebrite.com/en/ufed-ultimate/
[7]
https://cf-media.cellebrite.com/wp-content/uploads/2019/02/ReleaseNotes_UFED_7.15.pdf
[8]
https://www.vice.com/en_us/article/aekqjj/cellebrite-sold-phone-hacking-tech-to-repressive-regimes-data-suggests
[9] https://github.com/ngc4622
[10] https://www.gnu.org/distros/free-system-distribution-guidelines.html
[11] https://f-droid.org/wiki/page/Antifeatures
[12] Yalp[13] is a package manager that is meant to download applications
from the Google Play store. Not all applications in the Google Play Store
are fully free software.
[13] https://f-droid.org/en/packages/com.github.yeriomin.yalpstore/
[14] https://www.crowdsupply.com/mnt/reform
[15] https://www.crowdsupply.com/mnt/reform/updates/re-introducing-reform
[16] https://puri.sm/products/librem-5/
[17] http://www.implicitcad.org
[18] https://github.com/cleverca22/rpi-open-firmware/
[19] The presentation is available online:
- Video:
https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm
- PDF:
https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf
[20] https://redmine.replicant.us/projects/replicant/wiki/TargetsEvaluation
[21]
https://events.ccc.de/congress/2019/wiki/index.php/Session:Android%27s_build_system_is_messier_than_your_distro%27s
[22] https://git.replicant.us/contrib/hominoid/buildsystem-presentation/
[23] https://www.bazel.build/
[24] https://source.android.com/setup/build
[25]
https://stackoverflow.com/questions/29245787/what-are-the-differences-between-bazel-and-gradle
[26]
https://stackoverflow.com/questions/54016644/what-is-the-added-advantage-of-using-bazel-over-gradle
[27] https://github.com/hashbang/aosp-build
[28]
https://events.ccc.de/congress/2019/wiki/index.php/Session:The_chromium_mess_meets_Android
[29] https://git.replicant.us/contrib/hominoid/webview-presentation/
[30] https://frab.riat.at/en/36C3/public/events/130
[31]
https://git.replicant.us/contrib/GNUtoo/presentations/tree/36c3/Replicant_introduction
[32]
https://media.ccc.de/v/36c3-oio-169-extending-the-lifetime-of-smartphones-with-replicant-a-fully-free-android-distribution
[33]
https://git.replicant.us/contrib/GNUtoo/presentations/tree/36c3/Replicant_sustainability
[34]
https://git.replicant.us/replicant/vendor_replicant-scripts/tree/research
[35] http://www.replicant.us/freedom-privacy-security-issues.php
[36]
https://redmine.replicant.us/projects/replicant/wiki/ModemIsolationResearch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: assembly.jpg
Type: image/jpeg
Size: 854622 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0006.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: banner+catchphrase.jpg
Type: image/jpeg
Size: 858586 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0007.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: catchphrase1.jpg
Type: image/jpeg
Size: 791740 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0008.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: catchphrase2.jpg
Type: image/jpeg
Size: 797215 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0009.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flyers.jpg
Type: image/jpeg
Size: 845927 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0010.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stickers.jpg
Type: image/jpeg
Size: 911775 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0011.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20200108/f6673e57/attachment-0001.asc>


More information about the Replicant mailing list