PINE64
Pinephone and open source firmware for baseband


Pinephone and open source firmware for baseband - justneedsomedatathanks - 05-25-2023

Hi,

I recently came across these tweets related to the Pinephone: https://nitter.net/GrapheneOS/status/1611868978783084547#m

Twitter link: https://twitter.com/GrapheneOS/status/1611868978783084547

I wanted to know whether Pine64 still markets the Pinephone as having open source firmware in the baseband, and whether the company sticks by this claim, and if so, the reasoning behind it.

I can't see the original tweets by what is purportedly Pine64 staff, so I don't know a lot about this. I also couldn't find pages where Pine64 advertises the Pinephone as doing this.


RE: Pinephone and open source firmware for baseband - zetabeta - 05-26-2023

i represent me and me only, i do NOT speak on behalf of the pine organization or its individual members.

my views are partial or preliminary, but i may or may not add more later.

i don't think pine organization or its members have suspicious things going on. meaning that members have not misled buyers.

however, pinephone regular and pro has eg25g modem chip, which has its own firmware/software, which is not open source, it could be replaced by this https://github.com/the-modem-distro/pinephone_modem_sdk . even this pp sdk is not fully open source.

those claims by "grapheneos" is said by organization, which makes security hardened android for pixel phones and uses pixel's CLOSED SOURCED drivers and vendor image. and those drivers have license agreement, not open source license. even though gms (google mobile services) is removed, android even as its open source version is developed by google, also android api's and interfaces are developed and designed by google.

basically, "grapheneos" complains pinephone for its closed stuff, but then "grapheneos" is dependent on closed stuff from google.

at this point, if i still use android somewhere, grapheneos is not going to be one, i may give more details later.

closed stuff here:
https://developers.google.com/android/drivers


RE: Pinephone and open source firmware for baseband - justneedsomedatathanks - 05-26-2023

(05-26-2023, 09:11 AM)zetabeta Wrote: i represent me and me only, i do NOT speak on behalf of the pine organization or its individual members.

my views are partial or preliminary, but i may or may not add more later.

i don't think pine organization or its members have suspicious things going on. meaning that members have not misled buyers.

Thank you for clarifying this.

zetabeta Wrote: however, pinephone regular and pro has eg25g modem chip, which has its own firmware/software, which is not open source, it could be replaced by this https://github.com/the-modem-distro/pinephone_modem_sdk . even this pp sdk is not fully open source.

Okay, so the Pinephone modem is not using open source software, and Pine64 is not claiming it is? Again, I couldn't find any pages or marketing text where Pine64 said it was, but presumably the GrapheneOS account is pushing back against *some* claim made at *some* point.

zetabeta Wrote: those claims by "grapheneos" is said by organization, which makes security hardened android for pixel phones and uses pixel's CLOSED SOURCED drivers and vendor image. and those drivers have license agreement, not open source license. even though gms (google mobile services) is removed, android even as its open source version is developed by google, also android api's and interfaces are developed and designed by google.

basically, "grapheneos" complains pinephone for its closed stuff, but then "grapheneos" is dependent on closed stuff from google.

at this point, if i still use android somewhere, grapheneos is not going to be one, i may give more details later.

closed stuff here:
https://developers.google.com/android/drivers

I was a GrapheneOS community member at one point, and this is where I was linked to this information. I'd like to clarify that GrapheneOS is well aware it uses non-free drivers, though it does not make this clear to its users anywhere on its website. I know this because I spent about an hour attempting to ascertain whether Google distributes its security firmware updates under a non-free license. I found this page, but this is not the same as firmware updates, as far as I'm aware (?). As someone unfamiliar with Android, this website is an absolute maze.

In any case, GrapheneOS is not claiming to be completely free software, and it doesn't view that as a good thing, because without the non-free firmware updates, it puts the device at greater risk to attacks. GrapheneOS's concern seems to be only with the truth of Pine64's statements. I wouldn't say GrapheneOS is forthright about delivering non-free updates (likely because they consider this fact completely unimportant), but they don't lie about it, which is what they are claiming Pine64 is doing.

GrapheneOS is based on the Android Open Source Project (AOSP) with significant improvements and patches related to security, and some to privacy. GrapheneOS is released under a free license apart from those third-party firmware blobs, though not as stringent as the GPL in case they later want to sell GrapheneOS phones with locked bootloaders. Could you clarify what you mean by the vendor image being non-free?

And though this topic is interesting to me, I'd still like to keep this topic focused on the subject of the baseband and whether Pine64 claims the firmware is open source or not.


RE: Pinephone and open source firmware for baseband - walter1950 - 05-27-2023

Hello,

(05-26-2023, 06:56 PM)justneedsomedatathanks Wrote: GrapheneOS is based on the Android Open Source Project (AOSP) with significant improvements and patches related to security, and some to privacy. GrapheneOS is released under a free license apart from those third-party firmware blobs, though not as stringent as the GPL in case they later want to sell GrapheneOS phones with locked bootloaders. Could you clarify what you mean by the vendor image being non-free?

And though this topic is interesting to me, I'd still like to keep this topic focused on the subject of the baseband and whether Pine64 claims the firmware is open source or not.

News from GrapheneOS:
https://discuss.grapheneos.org/d/5235-stepping-down-as-project-leader-of-grapheneos

Ciao
Walter


RE: Pinephone and open source firmware for baseband - alaraajavamma - 05-27-2023

All that I have ever heard and seen is that Pine64 is really, really careful when it talks about the modem and emphasizes that it cannot officially recommend alternative modem firmware. Pine64 distributes phones only with stock firmware and that is quite clearly said in every source I can find.
And in addition to the above, it is quite clearly stated how Biktorgj's firmware works, and even that community-built software does not advertise itself as completely open source.

I have no idea where those other statements are coming from because as far as I have seen both Purism and Pine64 are very polite - even too polite if you ask me :). I haven't seen an ad/claim from either of them that would directly explain exactly how a phone from another manufacturer works.

At a quick look this looks more like a misunderstanding or even a "competitor" outburst. While this is not a bloody battle it is really easy to see that Graphene OS, Pine64 and Purism are all kind of chasing the same target group. It is quite a heavy argument to call both Pine64 and Purism scammers.

I can change my mind if someone can show me some evidence of the statements, but right now this looks mostly like a false smear.


RE: Pinephone and open source firmware for baseband - justneedsomedatathanks - 05-27-2023

(05-27-2023, 09:49 AM)alaraajavamma Wrote: All that I have ever heard and seen is that Pine64 is really, really careful when it talks about the modem and emphasizes that it cannot officially recommend alternative modem firmware. Pine64 distributes phones only with stock firmware and that is quite clearly said in every source I can find.
And in addition to the above, it is quite clearly stated how Biktorgj's firmware works, and even that community-built software does not advertise itself as completely open source.

I have no idea where those other statements are coming from because as far as I have seen both Purism and Pine64 are very polite - even too polite if you ask me :). I haven't seen an ad/claim from either of them that would directly explain exactly how a phone from another manufacturer works.

At a quick look this looks more like a misunderstanding or even a "competitor" outburst. While this is not a bloody battle it is really easy to see that Graphene OS, Pine64 and Purism are all kind of chasing the same target group. It is quite a heavy argument to call both Pine64 and Purism scammers.

I can change my mind if someone can show me some evidence of the statements, but right now this looks mostly like a false smear.

Pine64 appears to be quite honest. They plaster the store page with disclaimers saying the Pinephone is not a consumer-ready product and give customers the right expectations. The worst I found was an off-hand comment on the marketing page saying the Pinephone is for you if you "work in a security-focused field", which isn't really true because of how far behind Linux is compared to both iOS and Android.

The case of Purism is quite different. Purism doesn't offer refunds, which is something you would reasonably expect if your phone had not been shipped after 6 years. They will only refund your phone after they ship it to you, which could be months or years longer. This is pretty ridiculous. Many people who paid for a Librem phone years ago have still not received it. Purism also does not advertise their phone as the beta product it is, which does not have basic features customers expect from phones. They also don't talk about the battery life. The Librem 5 is a premium product which performs very poorly against any other modern phone and they are not forthright enough about this.

Just look at the Purism subreddit for endless posts from disgruntled customers: https://old.reddit.com/r/Purism

Comparatively, Pine64 only offers the product when they have stock for it. I received my Pinephone within a month. They don't give customers false expectations about the product. The only way I think they could improve the page is by also explaining the battery life is bad, even if that's a driver problem. This is another big expectation customers have for phones, after all.

This is why I was surprised to hear Pine64 had made some false claim they are sticking to. I wanted to know their current position and their reasons for thinking that way.

My intention is not to cause drama and division, but to clear up this misunderstanding (if that's what it is). This is being used as a reason to recommend against the Pinephone in some communities, which doesn't seem right to me.

Edit: It's worth pointing out that Purism has done a lot for upstream. They've done a lot of work on Phosh which makes it easier for other GNOME contributors to work on the project. They've also contributed to organizations like ZeMarmot. So as much as I disagree with their business practices, I think they've done some good for GNU/Linux as a whole.


RE: Pinephone and open source firmware for baseband - Kevin Kofler - 05-28-2023

What the posts by GrapheneOS complain about is that even in Biktorgj's modem firmware, the DSP firmware is still the same proprietary blob as in the completely proprietary firmware, and they claim that this is not properly communicated by Pine64. In the end, it all amounts to disagreeing on what "modem firmware" and/or "baseband firmware" really means (and whether they are the same thing or different things). Biktorgj himself is pretty upfront on what his firmware replaces with Free Software and what not, in any case.


RE: Pinephone and open source firmware for baseband - justneedsomedatathanks - 05-28-2023

(05-28-2023, 12:14 AM)Kevin Kofler Wrote: What the posts by GrapheneOS complain about is that even in Biktorgj's modem firmware, the DSP firmware is still the same proprietary blob as in the completely proprietary firmware, and they claim that this is not properly communicated by Pine64. In the end, it all amounts to disagreeing on what "modem firmware" and/or "baseband firmware" really means (and whether they are the same thing or different things). Biktorgj himself is pretty upfront on what his firmware replaces with Free Software and what not, in any case.

Thanks. As far as I can tell, there is no mention of this on the public pages of Pine64. You would have to search pretty hard to see this. This wiki page on the modem does not mention free software once, and says Pine64 also can't recommend alternative firmware: https://wiki.pine64.org/wiki/PineModems#PINE64_position_on_alternative_firmware

And then there's this line, which states, with no room for interpretation, you cannot replace the ADSP blob:

Quote: Further, there's no source for the OpenEmbedded parts, so building a new system image must be done from scratch, and retrieving the mandatory binary blobs to use the ADSP part of the modem.

(emphasis mine; Pine64 says the binary blobs are mandatory)

Seems pretty clear-cut to me. These claims from GrapheneOS are outdated at the very least and not a reason to say Pine64 is dishonest. I'll mark this thread as solved for now, but anyone else can chime in if you have more to add.

Thanks for contributing to the discussion, everyone!


RE: Pinephone and open source firmware for baseband - zetabeta - 05-28-2023

(05-27-2023, 07:54 PM)justneedsomedatathanks Wrote: Pine64 appears to be quite honest. They plaster the store page with disclaimers saying the Pinephone is not a consumer-ready product and give customers the right expectations. The worst I found was an off-hand comment on the marketing page saying the Pinephone is for you if you "work in a security-focused field", which isn't really true because of how far behind Linux is compared to both iOS and Android.

i tend to disagree a little bit. i have heard that gnu/linux is lower on security than ios or android, probably mostly on app isolation, in gnu/linux world, ordinary user has quite wide permissions, where in android and ios every app is isolated more or less. however, in android and especially in ios, users are dependent on apple and google for security, it is centralized. maybe in android it can be circumvented somewhat by modifications, but still relies on google's ecosystem indirectly. so in gnu/linux world, if user knows the flaws, they can be fixed or circumvented, and not being dependent on apple's or google's policies.

in short, i don't think centralization brings security in the longer term.



(05-28-2023, 12:14 AM)Kevin Kofler Wrote: What the posts by GrapheneOS complain about is that even in Biktorgj's modem firmware, the DSP firmware is still the same proprietary blob as in the completely proprietary firmware, and they claim that this is not properly communicated by Pine64. In the end, it all amounts to disagreeing on what "modem firmware" and/or "baseband firmware" really means (and whether they are the same thing or different things). Biktorgj himself is pretty upfront on what his firmware replaces with Free Software and what not, in any case.

in my view, grapheneos has technical truth over there, i just don't see how pixel is better on this area (or most other devices). so, it is how this technical truth is used.

grapheneos boasts heavily about signing keys for grapheneos. but they use google's pixel's bootloader for that. so it's dependent on google for that. even with signing keys, grapheneos has control or google with bootloader, not necessarily the user. can someone build an android kernel with own signing keys and upload those keys into pixel, i think it is possible, who would do that. anyway, bootloader code is still google's code and control.

what i learned from android over the years, is that "oem unlock" is not total unlock. fastboot and bootloader may still have limitations for users. so, oem unlock is more like partial unlock.

just theorizing, if re-button is physically blocked. someone could do a special bootloader for the spi memory, and it asks either a password or has signing keys. so it guarantees secure boot for a user. and if re-button is blocked, it cannot be overridden. weirdest part is, user can verify spi code and flash it. this starts to sound de-centralized. (of course the re-button). personally i don't need this, but i think bootloader needs to be controlled by users.


RE: Pinephone and open source firmware for baseband - justneedsomedatathanks - 05-28-2023

(05-28-2023, 07:31 AM)zetabeta Wrote: i tend to disagree a little bit. i have heard that gnu/linux is lower on security than ios or android, probably mostly on app isolation, in gnu/linux world, ordinary user has quite wide permissions, where in android and ios every app is isolated more or less. however, in android and especially in ios, users are dependent on apple and google for security, it is centralized. maybe in android it can be circumvented somewhat by modifications, but still relies on google's ecosystem indirectly. so in gnu/linux world, if user knows the flaws, they can be fixed or circumvented, and not being dependent on apple's or google's policies.

in short, i don't think centralization brings security in the longer term.

I recommend reading this for a run-down of security flaws with GNU/Linux: https://madaidans-insecurities.github.io/linux.html

Free software developers are not particularly great at, or focused on security; they tend to be focused on making things work, and the fun stuff. Making things secure is not particularly fun. There are some great free software projects out there that are really secure, but this is the reason a considerable number of them are not. I would mention Shellshock and Heartbleed as examples of projects which had major security vulnerabilities for a long time that went unnoticed. You need regular, professional security audits to confirm your software is secure, rather than relying on drive-by contributors to get you there. They'll fix some stuff, sure...but likely not all of it.

Now, the Linux kernel has plenty of resources; more than any other free software project in the world. Some of that work has been focused on security. They're still missing exploit mitigations as mentioned in Madaidan's article and there are other problems with it, but there are certain patches you can use like the PaX patches or linux-hardened to improve the situation. Now, because we're talking about an operating system and not just the kernel here, we have to talk about userspace...which means X.org and sandboxing like Flatpak. I won't even talk about X.org. Some GNU/Linux distributions for the Pinephone run Wayland, which is much better. Compositors likely still need to do more work on security, but the protocol is a great baseline start that's far ahead of X.org.

Flatpak...needs work. It's better than nothing but nothing like the proper isolation on Android. Also, don't use it with a browser because it replaces that browser's sandboxing, which is better.

But yes, as you mention, being dependent on Google and Apple is a pretty bad situation to be in from a freedom perspective, and it has impacts on privacy and security as well. Software Should Not Have Owners, as a certain project would say: https://www.gnu.org/philosophy/why-free.html

Using free software operating systems on an Android phone is possible, however. You can even get rid of Google Play Services, Google Services Framework, and Google Play. You can install APKs from developers directly and update them with Obtainium. Of course, some of these apps have dependencies on Google libraries and frameworks anyway...

However, you still need to update the device drivers and other firmware from the OEM to avoid being vulnerable, which are almost certainly proprietary. This problem doesn't necessarily go away even with the Pinephone. As we've covered here, there are parts of the Quectel modem which are proprietary and cannot be replaced.

...but putting all of that discussion aside, I just find Pinephones far more comfortable and fun. It's also a far more sustainable future. Rather than worrying about Google components I have to strip out, I can be confident they're not there to begin with. And I love the idea of having GNOME on my phone.