Unveiling the Samsung Galaxy back-door

Yesterday, we disclosed our findings about the Samsung Galaxy back-door, an anti-feature found in Samsung Galaxy devices that lets the modem access the files stored on the device. For a complete statement about the issue, you can refer to the article we published at the Free Software Foundation’s website. A technical description of the issue is available on a dedicated page of the Replicant wiki, along with more information regarding the back-door.

The information spread out very quickly and we’re glad the press is finding interest in such matters as privacy and unjust control over one’s computing. This demonstrates yet another time why free software is essential and how a single piece of proprietary software can compromise a whole device.

We have yet to hear from Samsung about this issue, as we are hoping that the reason for the presence of this back-door will be clarified. In that regard, we’d be very glad to work with Samsung in order to make things right, for instance through releasing free software or documentation that would make it easy for community Android versions to get rid of the incriminated blob.

Update: Several sources, including Samsung, claim this is a non-issue. A complementary statement to address these claims was issued at Paul Kocialkowski’s personal blog.

Replicant 4.2 kicks out!

We’ve been working very hard over the past few months to push Replicant to a newer Android version: the work started when CyanogenMod released version 10.1.3, based on the latest Android 4.2 code, back in September 2013. Bringing Replicant to a new Android version is a really big piece of work, especially given that the project only counts one active developer (however, we have hopes to see more people getting involved in the future)! The biggest motivation for the new version is to allow us to port Replicant to newer devices, that were not supported by Android 4.0, upon which Replicant 4.0 is based. Aside of that, Replicant 4.2 also brings the various improvements that come along with Android 4.2 and CyanogenMod 10.1.

All the devices that were supported by Replicant 4.0 were successfully ported to version 4.2, but some devices encounter serious slowness issues that are yet to be resolved. On the bright side of things, support for a new device was added, the Galaxy Note 2 N7100, which is mostly similar to the already supported Galaxy S 3. That was only made possible thanks to the generous donations that were made to the project, which enable us to buy devices for the current developer to work on. We are looking forward to adding support for even more devices in the future as well! Our wiki was updated to reflect the status of the supported devices as of the Replicant 4.2 release and features updated installation and usage guides. The Replicant SDK was also updated and is available for download.

The Replicant website and wiki were also cleaned up a bit during the preparation of this release. Our blog shall now only be used for posting updated on the project while our wiki holds the core informations about Replicant. As a reminder, please do not use the comment section of this blog to ask general-purpose questions, but use our forums or mailing-list instead!

This release also puts the emphasis on security: given the recent concerns that raised up concerning wide-scale surveillance from governments and certain companies, we though it would be good to make Replicant more bullet-proof. The Replicant 4.2 images for devices are now built in the userdebug fashion, which ensures a better level of security, the shipped system applications are signed with our own private keys, for which we provide the certificates and the releases are signed with our very own GPG release key. It is encouraged that you check the authenticity of the Replicant images or binaries before installing anything you downloaded!

As usual, you can checkout the complete changelog, download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

About the Fairphone

Over the past months, we have been asked a lot whether Replicant is going to be running on the Fairphone. The goal behind Fairphone, as its name suggests, is to build a phone that is “fair”. This covers a lot of different aspects that the Fairphone company took care of: such topics as using fair and conflict-free resources, ensuring that all workers along the supply chain get a fair wage, improving the handling of electronic waste, being transparent about the cost of each part of the device, its technical specifications and encouraging open and flexible designs.
We are really glad to see a company producing electronic devices taking care of such many important aspects as social conditions of workers, ecology and handling of e-waste as well as transparency and being “technically open”.

What we are especially interested in, at the Replicant project, is how good the device will be when it comes to software freedom. Hence, we have spent some time investigating the device, even though it is not out yet. Thanks to the cooperation of Fairphone, we were able to draw a quite complete picture of it.

The Fairphone will ship with a modified Android 4.2 version. An overlay interface was developed for the device and should be released as free software, but what we are really interested in is the parts that deal with the hardware. First, the Linux kernel source code for the device will be released (it is copyleft software so this is an obligation). It will also be possible to build the kernel from source and install it on the device without the need to sign the kernel with the manufacturer’s key. Actually, there should be no signature check on the Fairphone for the kernel or the bootloaders. Some of the bootloaders (maybe all of them; we cannot tell for sure at this point) are free software and it should be able to replace them with a free build. We are a bit worried that the tools to flash the Fairphone may be proprietary, but if the bootloaders are free and/or there is root access out of the box, there will be ways to work around this problem. On the system side, some of the libraries that deal with the hardware have been released as free software for devices that use the same platform (Mediatek 6589), so the basic required features such as audio will likely work. We are also confident we will be able to handle the modem with free software (that means telephony and such will work).
Fairphone is really trying hard to get Mediatek to release as many components as free software as possible, but they don’t have the source in their own hands and nor can they decide to make it free software themselves, so it may take some time to arrive or eventually not succeed.

However, things are not looking so good when it comes to evaluating the platform that was chosen for the Fairphone: the modem is embedded in the System on a Chip (SoC) which leads us to believe that it is poorly isolated from the rest of the platform and could access critical components such as storage, RAM, GPS and audio (microphone) of the device. If this was to be the case (we can only speculate about what the truth actually is), it would mean that the Fairphone is fatally flawed for security as it makes it possible for the phone to be converted to a remote spying device.

In conclusion, we think it will be possible to have Replicant working on the Fairphone and the bootloaders (that are not part of the operating system) may even be free software, but we believe it is seriously compromised security-wise because of the poor modem isolation.
However, Fairphone seems definitely interested in doing things right on the software freedom side and helping us get Replicant running on the device!

Replicant 4.0 0005 images release

Another couple of months passed by, bringing its share of improvements to Replicant 4.0, so we felt it was time to release a new batch of images. First thing’s first, let’s talk a bit about the fundraising program we launched thanks to the Free Software Foundation: it was a huge success! Over $20,000 were collected over the past two months, thanks to your help. We really didn’t expect that much money and it will greatly cover for our needs, which include buying new devices and covering for travel-related expenses, allowing us to attend events such as FOSDEM. On a sad note, we are more and more looking for new developers to get involved in the project: both GNUtoo and I are very busy and cannot contribute to the project as much as we’d like to, so things will keep moving a bit slowly, compared to what it used to be.

However, this new batch comes with a good share of improvements: the Galaxy Note (first generation, international GSM model) was added to the list of supported devices with this release (thanks to your financial support that enabled us to buy the device), which brings that list up to 10 devices. Camera support was added to the Galaxy S3 and other smaller improvements were made as well. As usual, you can checkout the complete changelog, download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

Since we received complaints about the Replicant installation process, all the guides were rewritten to be device-specific and include clear and step-by-step instructions, which should make it easier for everyone to install Replicant on their device. Moreover, the newly-launched forums and our mailing list make it possible to get help from our community, about the installation or anything else you want to talk about!

Opening the Replicant Forums

It seems that we are asked way too many questions in the comment section of each page/post we write. Most of the time, the question is not relevant to the page and/or was already answered somewhere else.

Thus, we decided it would be better to open forums so that anyone can find answers both from us and from the community. Please, direct your inquiries to the forums if there is no particular reason to contact us privately via our contact e-mail address or to use the comment sections of our blog. The mailing-list and IRC are also good places for general-purpose questions since they are public, but it appears that many prefer to use web-based interfaces.

Registration was also made easier, since new accounts activation doesn’t require a manual confirmation from us anymore.

We hope the forums will help bring help and support, from and to the community.

Announcing the Free Software Foundation fundraising program for Replicant

Over the last few years, we have been asked countless times how one could make a donation to the project. Until very recently, it was not at all possible but thanks to the hard work of the Free Software Foundation team, especially John Sullivan and Zak Rogoff, it is now possible for the FSF to accept donations on the behalf of the Replicant project.

Donations will help us buy new devices and port Replicant to them as well as help us attend free software events to promote Replicant at. Devices donations can be accepted as well but we carefully select the devices we want to work on, based on how much they respect freedom, so we might decline some offers.

You might want to consider making a donation to our project, any amount will help, from the FSF directed donations page for Replicant.
Bitcoin donations are also accepted, at the following address: 13tgjejUJ6NtQVX9HvKz8svdcuWPNwgr5T

We also badly need new developers to help us bring Replicant to more and more devices as well as improve the status of the currently-supported devices. As a group effort, Replicant has better chances to succeed and bring freedom to mobile phone users. We are currently a team of two developers with less and less time to get involved in the project and bring new features. Becoming a developer is not even that hard: we have developer and porting guides available to make it easier for you to get started and we’ll be there to guide you all along. Even non-technical people can help to some extent, covering tasks such as building up documentation or writing announcements for the project if they’re good enough at it.

Please get in touch with us if you’re interested. The best way to start is most likely to get a Replicant-supported device and start hacking on it and if you prove serious enough, we might even use some of the donations money to provide you with a new device to port Replicant to!

Replicant 4.0 0004 images release

The last months have been rather calm for Replicant development, no big changes or improvements were made. That doesn’t mean the project stalled: instead, we added support for some new devices. The previous set of images added support for the Galaxy Tab 2 10.1/7.0 in their 3G versions and we were requested to provide images for the WiFi-only flavors of these tablets as well. Since it only requires very little work, we were able to quickly fulfill that request, even though we couldn’t test it ourselves (you’re more than welcome to spot and report issues about these devices).

However, the biggest part of what motivated us to build and release new images is the support for the Galaxy S3 device in its international GT-I9300 GSM version (not the LTE one or any other country-specific variant). Currently, only graphics acceleration, camera and GPS support are missing (some other features may need non-free firmwares that run on separate chips). A couple of other things are also missing due to technical limitations (NFC, FM radio).

We are still trying hard to bring Replicant to the Goldelico GTA04, but it couldn’t make it to that release either as we still need help bringing a reliable Android kernel to that platform (DM37x).

A more complete changelog is also available, highlighting in details what was changed. Special thanks to the team at CyanogenMod who fixed EXIF in the free Galaxy S2 camera module implementation I wrote but was too lazy to correctly implement EXIF into.

You can download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

Replicant 4.0 0003 images release

It has been two months since the last images release and we decided that it was time to release another batch of images. These are still based on Android 4.0. First, it comes with support for the Galaxy Tab 2 10.1 & 7.0 tablets, both in GSM/3G versions: these tablets are pretty much phones with bigger screens. There is still room for improvement regarding these tablets in Replicant, but they have reached a state of usability, even though they are particularly slow in portrait mode.

Other minor fixes for other devices are included in this release, especially stability fixes regarding the Radio Interface Layer. The full changelog is available for more details.

We are now working to bring Replicant support to other devices such as the Goldelico GTA04.

You can download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

Replicant 4.0 0002 images release

Since some progress was made lately, we decided to release a new set of images.

The new features available in this release are mostly camera support for the Galaxy S2, accelerometers support for the Nexus S and Galaxy S2 and RIL (telephony) improvements for all devices. A more detailed changelog is also available.

We are working to bring Replicant 4.0 support to more devices, such as the Goldelico GTA04 and the Samsung Galaxy Tab 2 (both 7.0 and 10.1 GSM versions).

You can download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

Replicant 4.0 SDK release

It was brought to our attention that the Android SDK is now being released under an overall proprietary software license. In the past, we already had to release a free software SDK, back in Replicant 2.2 times, because the Android SDK was shipping with the non-free Google APIs. More recent SDK updates made these APIs only plug-ins that weren’t shipped with the SDK and it was made clear that these components were non-free while all the license files we could find on the Android SDK package were free software licenses.

However now Google decided to put an overall non-free license for the SDK, which brings back the need of having a fully free Replicant SDK. Since our only SDK release is getting old (it was API level 8), we built an SDK package from Replicant 4.0 sources, that is API level 15.

You can download the SDK from the ReplicantSDK page, find an installation and usage guide as well as the build instructions on the wiki.