[Replicant] Question regarding a freedom respecting modem

m d mdreplicantmd at yahoo.com
Tue May 4 12:20:16 UTC 2021


 
> I'm quite glad that rebuilding the modem partition is something that
> is being worked on in Replicant as an S3 which belongs to me got
> discarded after losing the modem partition which hadn't been backed
> up properly unfortunately
> It was driving me crazy to keep that thing around, looking for info
> on returning the binary to the correct IMEI with a hexadecimal
> editor... It was very difficult.
##Currently we only support reading the IMEI from the nv_data.bin of the
##Nexus S, we cannot even change it (yet).

##So if you have any information on changing the IMEI with a hexadecimal
##editor I could try to implement it.

I can certainly look into this.
However, is there something to be said about device identification with regard to radio fingerprinting, as discussed in this research:

http://www.winlab.rutgers.edu/~gruteser/papers/brik_paradis.pdf

In which case it appears that even changing the IMEI would be a mixed success at anonymity. It's worth doing it for the repair of the /efs though.

> Although the problem of the network still knowing a user's location
> is indeed valid, would that not be only a "philosophical" one? I
> sense that the issue is that a user does not have the option of
> separating the GPS feature of the device from the telephony part of
> it but as you said that is part of the protocol.
##This has nothing to do with the GPS. GPS chips don't need to transmit
##anything to provide you with a position, but the GPS stack in Android
##probably still retrieves data from the network to get that position
##faster.

##It's rather related to the cellular network architecture: you are
##connected to a given antenna / base station that knows how far from
##it you are. In addition you might move, so there is a feature
##called handover that enables you to switch from one base station to the
##next one while moving. So you then have multiple base stations that
##know the distance between you and them. With that it's trivial to get
##your position.

OK, is that distance known to the network via the RSSI?
I think this handover feature might be somewhat related to this "triangulation" method, in which case what if the device remains static inside a building next to a window? Is it possible that the station could only connect to one base without providing distance information to the other ones?

##I'm also unsure if there are more ways than the IMEI to identify
##devices. It's for instance possible to identify the family of WiFi
##chips being used just by looking at what is being transmitted. So it
##may be possible to still get some identifying information out of the
##device even if the IMEI has been changed.

Radio fingerprinting, as pointed out above?

One more thing: is the function to hide caller ID part of proprietary software? I'm unable to hide my caller ID on Replicant although the function was working as expected with proprietary ROMs.

On Friday, 23 April 2021, 15:49:39 BST, Denis 'GNUtoo' Carikli <gnutoo at cyberdimension.org> wrote:

On Sun, 18 Apr 2021 05:11:39 +0000 (UTC)
m d <mdreplicantmd at yahoo.com> wrote:

> The requirements for a computer attached to a phone in order to make
> the whole thing work is certainly cumbersome..
Alan Carvallo De Assis and I tried to fix that, many years ago: we
upstreamed some support for osmocomBB compatible devices in Nuttx and I
even got the layer 1 of the GSM stack working on top of that, but it
hung while scanning for the networks. Years later I learned that
there was a bug in osmocomBB with the exact same symptoms.

The idea was to port all 3 layers on the phone.

The code I had for the layer 1 was so dirty that it needs to be redone
properly anyway.

I rushed to get something that worked regardless of code quality, as I
knew I wouldn't have the time anymore to work on it (as I had just got a
full time paid job), so I was hoping that this achievement would
interest other people and that they could continue or redo that work.

Nowadays the devices have been removed from Nuttx due to the lack of
maintenance.

> I'm quite glad that rebuilding the modem partition is something that
> is being worked on in Replicant as an S3 which belongs to me got
> discarded after losing the modem partition which hadn't been backed
> up properly unfortunately
> It was driving me crazy to keep that thing around, looking for info
> on returning the binary to the correct IMEI with a hexadecimal
> editor... It was very difficult.
Currently we only support reading the IMEI from the nv_data.bin of the
Nexus S, we cannot even change it (yet).

So if you have any information on changing the IMEI with a hexadecimal
editor I could try to implement it.

> Although the problem of the network still knowing a user's location
> is indeed valid, would that not be only a "philosophical" one? I
> sense that the issue is that a user does not have the option of
> separating the GPS feature of the device from the telephony part of
> it but as you said that is part of the protocol.
This has nothing to do with the GPS. GPS chips don't need to transmit
anything to provide you with a position, but the GPS stack in Android
probably still retrieves data from the network to get that position
faster.

It's rather related to the cellular network architecture: you are
connected to a given antenna / base station that knows how far from
it you are. In addition you might move, so there is a feature
called handover that enables you to switch from one base station to the
next one while moving. So you then have multiple base stations that
know the distance between you and them. With that it's trivial to get
your position.

> The option of anonymity can be obtained by using prepaid simcards in
> any case. 
It can't. Your phone has an IMEI that is transmitted to the network. So
the network sees your SIM identification and your IMEI, and the
network operators can potentially store that data somewhere.

This is why there is this interest from people in burner phones.

I'm also unsure if there are more ways than the IMEI to identify
devices. It's for instance possible to identify the family of WiFi
chips being used just by looking at what is being transmitted. So it
may be possible to still get some identifying information out of the
device even if the IMEI has been changed.

So the best way of not being tracked is to turn off the modem
completely. In Replicant, the flight mode doesn't turn off the modem,
it just asks it to go in low power mode and not transmit anything.

We have a script (modem.sh) that can reboot the phone and not boot the
modem on Replicant compatible devices.

Other devices like the Pinephone or the Librem5 have hardware switches
to power off the modem.

> How would this problem of location be different to a mapping program
> which requires GPS devices, and as such knowledge of a user's GPS
> location to function?
If you take Replicant 4.2 and the GTA04, the GTA04 had the following
GPS chips:
- It had a modem with an internal GPS. The GPS antenna wasn't connected
  to that chip.
- It also had a second GPS chip for privacy reasons, and in that case
  the GPS antenna was connected to that chip.

So if you had a GTA04 where you could power off the modem (GTA04
versions bigger than A3), and you didn't power on the WiFi or
bluetooth, you could get your own position without transmitting anything
and without giving your position to anyone.

There was still a very small risk as we didn't really know what the
internal firmware of the GPS chip was doing, and the GPS chip had an
antenna connected to it, but the chip and the protocol didn't need to
transmit anything to work.

Note that we have a good introduction on freedom issues in this
article: https://www.replicant.us/freedom-privacy-security-issues.php

It's also easier to contribute to it than the other part of the code of
Replicant as we have a howto that explains how to do that:
https://redmine.replicant.us/projects/replicant/wiki/DeveloperGuide#How-to-make-patches

Denis.
_______________________________________________
Replicant mailing list
Replicant at osuosl.org
https://lists.osuosl.org/mailman/listinfo/replicant
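The location argument in Denis's reply, together with the RSSI and single-base-station questions above, as an added illustration (not code from this thread or from Replicant): with three base stations at known coordinates and an estimated range to each, the handset's position follows by least squares, while fewer than three stations leave it ambiguous. The station coordinates, the handset position and the log-distance path-loss parameters are constructed for the example.

```python
import math

# Constructed example data (not real cell data): base station coordinates
# in metres, and the handset's true position used only to derive distances.
STATIONS = [(0.0, 0.0), (2000.0, 0.0), (0.0, 1500.0)]
TRUE_POS = (600.0, 400.0)

def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def distance_from_rssi(rssi_dbm, rssi_at_1m_dbm=-40.0, path_loss_exp=2.0):
    """Coarse range from received signal strength via the log-distance
    path-loss model; the two parameters are assumed, not measured."""
    return 10 ** ((rssi_at_1m_dbm - rssi_dbm) / (10.0 * path_loss_exp))

def trilaterate(stations, dists):
    """Least-squares 2-D fix from >= 3 stations with a distance to each.
    Station i gives a circle (x-xi)^2 + (y-yi)^2 = di^2; subtracting the
    first circle from the others leaves linear rows a*x + b*y = c, solved
    via the 2x2 normal equations. One station only gives a ring and two
    give two candidate points, so fewer than three is rejected."""
    if len(stations) < 3 or len(stations) != len(dists):
        raise ValueError("need at least three stations with a distance each")
    (x0, y0), d0 = stations[0], dists[0]
    rows = []
    for (xi, yi), di in zip(stations[1:], dists[1:]):
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("stations are collinear; position is ambiguous")
    return ((s_bb * s_ac - s_ab * s_bc) / det,
            (s_aa * s_bc - s_ab * s_ac) / det)

if __name__ == "__main__":
    dists = [distance(s, TRUE_POS) for s in STATIONS]
    print("exact ranges    ->", trilaterate(STATIONS, dists))
    # A 10 % ranging error on one station still lands roughly 100 m off.
    noisy = [dists[0], dists[1] * 1.1, dists[2]]
    print("one noisy range ->", trilaterate(STATIONS, noisy))
```

Ranges from timing advance are far more precise than those from RSSI, but even the coarse RSSI model above is enough to narrow a static handset to one neighbourhood once three cells can hear it.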