Firmware Risks

There are closed-source components (like firmware and bootloaders) in every phone, and they are dangerous. It seems next to impossible to replace them with open-source components, and it won't be feasible any time soon for postmarketOS. Yet this is an interesting topic, so this page provides links for deeper insight. For packaging instructions, see Device_specific_package.

What can we do?

 * Binary patch security holes in firmware (e.g. with nexmon). This seems to be the best approach we have since there won't be open firmware for all these components any time soon.
 * Document whether firmware is partially based on open source code and try to reverse engineer the proprietary bits, like @McBitter does for his MediaTek device!
 * Document which firmware components exist in your devices
 * Document which of these have known security issues
 * Learn more about the circumstances in which the security bugs can be exploited. Example: a bug in the Wi-Fi module can possibly only be exploited after we have loaded the Wi-Fi firmware.
 * Use alternative components that are plugged in via USB and therefore do not have access to the device's memory
 * Connect to people who know more about this topic to get more help
 * Consider bricking insecure components through firmware security holes on purpose, just to make sure that they aren't a risk anymore.

Bootloaders

 * BootStomp "a bootloader vulnerability finder" (also check the references at the bottom of README.md!)
 * 34c3 talk

hboot (HTC)

 * hbootdbg pdf presentation slides
 * hboot-tools
 * Nexus 9: Low level boot process analysis and demo nvtboot -> tos -> hboot -> demo code

sboot (Samsung)

 * Arbitrary Code Exec in the Samsung Bootloader
 * 34c3 - eMMC hacking, or: how I fixed long-dead Galaxy S3

Cellular modems

 * Qualcomm based cellular data modems with Linux

Wi-Fi modems

 * Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets (note: does not necessarily affect older firmware or chip versions)
 * nexmon: "Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more"
 * Please be careful: the "mainline" linux-firmware brcm blobs might be outdated. Since 2021 these files often link to the Cypress (cyfw) files, and CVE-2019-15126, for example, is fixed nowadays. Make sure to check Google's tree when handling such hardware.
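Two of the points above, that a Wi-Fi bug may only matter once the firmware is actually loaded, and that the blob on a device may be older than you think, come down to knowing which firmware the kernel loaded and which version it reports. The following added example (not code from postmarketOS or nexmon) parses the lines brcmfmac writes to the kernel log, records the blob path, chip and firmware version, and flags versions below a reference floor; the log lines are constructed samples in the driver's real format with made-up values, and the minimum version is a placeholder you would replace with the floor taken from the vendor tree you track.

```python
import re

# Constructed sample kernel log lines (brcmfmac format, made-up values).
SAMPLE_DMESG = """\
[    3.112233] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4339-sdio for chip BCM4339/2
[    3.445566] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4339/2 wl0: Jan  1 2015 00:00:00 version 6.37.39.100 (r000000) FWID 01-deadbeef
[    9.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""
# Older kernels announce the firmware without the chip name; also constructed.
SAMPLE_OLD_FORMAT = """\
[   12.000000] brcmfmac: brcmf_c_preinit_dcmds: Firmware version = wl0: Mar  1 2015 07:29:38 version 7.45.18.0 (r000001) FWID 01-00000000
"""

# Placeholder policy value: the real floor comes from the firmware tree you track.
MIN_FW_VERSION = "7.45.0"

BLOB_RE = re.compile(r"brcmf_fw_alloc_request: using (?P<path>\S+) for chip")
FW_RE = re.compile(
    r"brcmf_c_preinit_dcmds: Firmware(?: version =|: (?P<chip>\S+))\s+wl0:.*?"
    r"\bversion (?P<ver>\d+(?:\.\d+)+)"
)


def parse_version(text):
    """'6.37.39.100' -> (6, 37, 39, 100), so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def loaded_wifi_firmware(dmesg):
    """One record per firmware announcement, paired with the blob loaded before it."""
    records, blob = [], None
    for line in dmesg.splitlines():
        m = BLOB_RE.search(line)
        if m:
            blob = m.group("path")  # remember the file; the version line follows later
            continue
        m = FW_RE.search(line)
        if m:
            records.append({"chip": m.group("chip"), "blob": blob, "version": m.group("ver")})
    return records


def outdated(records, minimum):
    """Records whose reported firmware version is older than the reference floor."""
    floor = parse_version(minimum)
    return [r for r in records if parse_version(r["version"]) < floor]


if __name__ == "__main__":
    for rec in loaded_wifi_firmware(SAMPLE_DMESG + SAMPLE_OLD_FORMAT):
        flag = "OUTDATED" if outdated([rec], MIN_FW_VERSION) else "ok"
        print(f"{rec['blob'] or '?'} {rec['chip'] or '?'} {rec['version']} {flag}")
```

On a real device feed it the output of `dmesg` instead of the samples; a record with no blob path means the version line was found but the load message was not (older kernels log the path differently).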

Security risks

 * Coolreaper (PDF report), discovered in 2014, is backdoor software that Coolpad (the sixth-largest manufacturer of smartphones in the world) operated and installed in their stock Android ROMs.

CoolReaper can perform the following tasks:

 * Download, install, or activate any Android application without user consent or notification
 * Clear user data, uninstall existing applications, or disable system applications
 * Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications
 * Send or insert arbitrary SMS or MMS messages into the phone
 * Dial arbitrary phone numbers
 * Upload information about device, its location, application usage, calling and SMS history to a Coolpad server