by higherpurpose 4236 days ago
Isn't it time Google and Apple build some protections inside Android and iOS against this?

Maybe do something like what these guys did, but I'm sure they can come up with even more comprehensive protections:

http://www.wired.com/2014/09/cryptophone-firewall-identifies...

3 comments

The application OS is basically irrelevant when talking about cell communications. They'd have to design their own boards to even have a chance at isolating the "baseband" processor - to say nothing of controlling its behavior, especially as carriers want to keep its workings secret for "security".

Most phones (anything CDMA, or most everything LTE) use a Qualcomm SOC, with both the baseband and application processor sharing the same memory space. This is a recipe for anything on the application processor being pwned beyond recognition.

The last time I played with Qualcomm/CDMA (around 2007), I used proprietary software (QPST) to do undocumented incantations to clone an ESN from one phone to another. When I called the number, both rang. Picking both up led to hearing the conversation in both. This tells you precisely how good their idea of "encryption" is.

The entire Qualcomm ecosystem is a black box, and is there even a remote chance they don't have a partnership with the NSA? I'm sure San Diego is seen as a key national security interest - if it weren't "secured" by the NSA, then China/Russia intelligence would do so (or an uppity colony looking for a leg up).

I'll happily eat these words when there's an open source GSM or CDMA stack, portable hardware to run it, and the ability to pay for network access anonymously. But for now, I see Wifi/Mifi as the only plausible way forward.

Can you provide some technical documentation that supports your assertion that the baseband and the application processor are sharing memory space? I thought they use different processors that are supporting essentially independent operating systems.

They're independent operating environments, but that doesn't mean their memories are isolated.

It's commonly accepted that most mobile SoCs operate this way. See the diagram/text on page 2 of https://www.usenix.org/system/files/conference/woot12/woot12... . To the extent that a specific Qualcomm processor might avoid such a design, it's impossible to know due to their longstanding culture of security through obscurity.

AFAIK, the Raspberry Pi is set up the same way, with the black box GPU being the master of the CPU that is commonly used to run Linux. This setup is only less problematic because the GPU lacks an unobservable network link.

Even the i9100, with an independent modem, was found to be set up with shared memory for communication - http://redmine.replicant.us/projects/replicant/wiki/GalaxySI...

Models like the Samsung i9300 have the modem chipset as an independent unit, although I've seen a block diagram indicating that the eMMC flash and modem RAM are in the same package, which is worrying.

Your information is out of date.

Modern Qualcomm basebands are restricted by an MMU and isolated from the main OS. Carriers wanted this because baseband exploits were such a common way for phones to get rooted. Additionally they have been hardened considerably in recent times, apparently modern Qualcomm basebands are much, much harder to hack than they once were. And they run now on a proprietary CPU design called, I think, Hexagon, which makes even just disassembling the thing a bit tricky.

I can believe this, because they do have an interest in preventing any random party from taking over a phone. Unfortunately, there is a large gap between being resistant to exploits, and convincing the world that you're resistant to exploits through open review.

BTW do you mean "rooting" in the longstanding sense of general exploitation, or in the recent narrow sense of the owner of a device obtaining control of it? There's of course an overlap between these two, but insight into the specific business motivation would be interesting.

Being from San Diego, I can state that SAIC is right physically down the street from any number of Qualcomm campus buildings. Also note that while I am not a conspiracy guy, the security community there has always been fairly tight, a lot of the top feeders know each other, and there are a lot of interworking groups, guilds, clubs, that would easily lend themselves to partnerships, cooperations, things like that. I am just saying not to rule it out.

Given the nature of the sniffing, the best offering would probably be "turn off cell antenna, use wifi."

Given the above, I wonder if the airplanes are also listening to other stuff past cellular.

With T-Mobile and iOS, I have wifi calling. I would not be opposed if it turned off the cell antenna whenever I could instead make and receive calls over wifi.

If you have a Samsung S3 International version, you can use this to identify when your GSM connection has no encryption: https://github.com/darshakframework/darshak

Works on Intel XGold basebands by giving access to the event log.