Open Source Phone Hardware (concept)

“Apple is secure” they said…
“Apple is private” they said…
In light of the recently discovered iPhone backdoor:

see also:


While there are hardened and more private versions of Android: Graphene, Copperhead, Calyx, Divest, Replicant, Lineage, etc… Comparison of Android ROMs:

These only cover the software side of things. It doesn’t matter how secure the software is when the hardware cannot be trusted.

The PinePhone might be the closest thing available currently. But the processor and cellular chip are still proprietary as far as I understand.


This is less about the specific specs (e.g. >= 4GB RAM) and more about the need for open and auditable hardware and software from top to bottom. I know normies don’t seem to care, but clearly there is a desire and a market for such a device.

Required features:

  • open source hardware (no hardware backdoors)
  • unlocked bootloader: run OS of choice
  • ability to securely lock and unlock bootloader
  • repairable: easily replaceable battery and screen
  • SD card slot: the exclusion of expandable storage is a ploy to push cloud
  • Headphone jack: its removal was premature. It’s not “brave”, it’s a ploy to sell inferior Bluetooth devices. Bluetooth is also another attack vector…
  • RISC-V?!?!

My dream phone might be something like a Fairphone that runs GrapheneOS (or some flavor of mobile Linux when those begin to mature) with the PinePhone’s physical dip switches.


I don’t know anything about manufacturing or product design. But this idea has been rolling around in my head for a while.

  • Could such a thing exist?
  • What might it look like?
  • What features would be required?

A sister thread to: Open Source Printer (concept)

2 Likes

Remember also how SIM cards themselves also have their own microprocessors and apps and secret commands. Yes, SIM cards have apps…

It’s the peripherals that cannot be trusted either.

https://simhacks.github.io/defcon-21/

I am trying to recall some paper or DEF CON where the SIM card or Qualcomm cellular chips can bypass the OS and read RAM directly? Edit: still looking for source… can’t remember

I think the PinePhone is the only device that allows you to flash FOSS firmware on the LTE modem (with very few blobs). If you want a fully free phone, Replicant is there (but it requires really old hardware, like Galaxy S3 and Nexus One kinda stuff).

The PinePhone’s hardware switches are really small. I wish they’d taken a mixed approach between these small switches for fine-control and bigger switches, like the Librem 5 for camera + mic, BT + Wi-Fi and modem (the small switches for each one independently).

Graphene is the only serious Android distro that is aimed at security. Calyx and Lineage are fine, but not as hardened as Graphene.

Until RISC-V becomes good enough to run a full-fledged OS without being dog-slow (even with a basic interface like sxmo), or until Power ISA silicon becomes low power consuming enough, then it’ll be a while until we have an open hardware phone.

If you really care about privacy and security, you don’t get a phone. Particularly modems are atrocious (in Europe and Asia you also need to have a licensed modem firmware, making it basically illegal to flash the modem’s open firmware on the PinePhone).

I’m pretty sure in a few years we’ll be able to build decently powerful phones using a platform like what we have today with Raspberry Pi CM4 (and other CM4 form-factor board designs from Radxa and others). It might come with a modem which you could just disconnect (like you can on the PinePhone). That way, you can change the CPU, RAM and storage (or maybe have the storage in eMMC form-factor on the main board, not on the CM4), but keep the other components (like battery and screen).

And depending on what kind of daughter board for CPU and RAM you go with, you can get varying degrees of openness (RISC-V) or performance (Qualcomm / Broadcom eeww, or Rockchip / Amlogic, although they aren’t far from the previous).

1 Like

This isn’t exactly practical in modern life. People need to communicate.

My habits with phones have changed over the years as I’ve gone from CyanogenMod, to Lineage and now Graphene. All degoogled of course. And use web browser instead of apps. eg: look up weather on your local preferred weather website instead of installing some bloated unnecessary garbage wasting battery life pinging the weather 50+ times a day…

In my opinion it won’t exist in any usable capacity beyond fringe because there is hardly any money to be made. It’s unfortunate but the reality is most people don’t care about their privacy on a phone. Or at least, they don’t value their privacy more than the UX.

1 Like

I reject your reality and substitute my own!

I think when you ask someone if they like to be spied on, generally the answer is no. And I’m not talking about the “i have nothing to hide” crowd. Even granny wants privacy.

To put to paper more so the specs I’d look for:

  • 5G antenna
  • OLED display >= 60 Hz
  • software compatible with 2FA applications (KeePass)
  • Apple Pay / Google Pay for a software wallet and payment
  • battery life that lasts at least >= 10 hours

Anything less than that is a severe downgrade IMO and will be just dreadful to use day in day out.

1 Like

I would agree with you as well. However, what people say vs what they do is different.

Lots of people would say X, but in reality they do Y. It’s an interesting phenomenon.

2 Likes

I would maybe add explicitly no support for GSM/3G. I know some places still use it, but it’s inherently insecure and fake base stations like to downgrade protocol to 3G so they can MITM. 3G is obsolete and needs to go away.

1 Like

The thing is we have this entire 2G/3G network that’s basically not utilized now.

It would be ripe for lame/dumb things to get OTA updates this way.

Feels like a waste to just throw it all away.

I’m all for security but it’s a shame to not find a way to enrich what we have to suit our needs.

1 Like

Interesting point. I’m all for reduce/reuse/recycle. Anything to reduce e-waste…

@PhaseLockedLoop you’re a smart guy.

What would be a good use case for repurposing the 2G/3G spectrum? (assuming we could plug the security holes)

My first guess would be always-on stuff related to scientific equipment / infrastructure.

The spectrum is still in use. It’s the modulation that’s changed. I’d say expand the amount available to the new phones. The towers are shutting that down so that particular modulation (CDMA and certain GSM) isn’t going to be broadcast. Thing is, though, the frequency allocation didn’t change.

You may need to clarify the question

1 Like

I am not very knowledgeable in the field of radio waves so please bear with my ignorance.

What I believe my ask to be is that if new phones are going to be on the higher G’s, then what happens to all the lower G’s?

Do they just get deprecated and turned off? Could we use them for something else (low priority?) without shutting them down? Or does it make more sense to actually shut them off. Why or why not?

Thank you

The phones will no longer see the control plane signal from the tower and won’t be able to function. The frequency that they used to operate on will be used by the new signals aka 5G NR or 5G sub gig. They just won’t be able to speak the same language as everyone else so to speak.

This. It opens the frequency up to being able to use OFDMA and high density 5G modulation across the allocation. Thus more devices. For the few frequencies that won’t be in use, the only thing I can think of is stuff that breaks FCC law hahaha

Most 3G phones affected are wayyyy too old to get used but the ones that have 4G will be able to handle the switch over just fine since they will still be able to talk

4 Likes

We used to not be able to call each other unless both parties were home (or home + a public telephone). You don’t need to be online 24/7.

Same. I used to carry 1 phone, then I used to carry 2, then back to 1 and now, if I don’t need my phone for GPS, I just leave it home. If I get a missed call or a text message, it can wait.

Unless you have a sickly relative or loved one you are taking care of and need to be able to respond immediately, then you don’t need to carry your phone with you.

I’m kinda starting to carry more devices again: phone + separate 5G hotspot (I downgraded my phone plan and got a separate internet plan, so I can give internet to more than just my phone, because my phone’s hotspot only has dial-up speeds to other things, despite me particularly paying for a hotspot enabled plan - you can tell I wasn’t happy about that). But I’m thinking of either dropping the phone and using a SIM-less one, or getting a PinePhone Pro and just disabling the GSM modem (phones without SIM have so much longer battery lives).

I might be carrying a PPP with me, if I can just disable all toggles. I never know when I might want to go places I’ve never been randomly.

My plan is also to get other devices (SBCs) running Lineage and leaving them at home and using a Pi-Hole through the internet to access them. That’d basically give me some amount of compartmentalization and they won’t have access to hardware like GPS, wifi or BT to constantly track whatever I’m doing (not that I wouldn’t trust Graphene with that, but not having the hardware in the first place is even better - I’m also hoping to get a phone with graphene, or maybe a pixel tablet or something).

1 Like

That is what killed RIM in 2007.
They had secure, then came shiny rectangle with touch and that was that…

All the reliance on some stupid App for the most basic things makes this increasingly hard.

1 Like

It’s not about being online 24/7. It’s all the other things that are being required that make not owning a device increasingly difficult.

2FA for example. Say your work requires you to install some authenticator app. Even some online games are requiring a phone number!

You could argue for a dumb phone, but then you lose maps. People need to get around. There’s OpenStreetMap, or you can use the web version of Google Maps in the browser.


I was gifted a Govee RGB light. Cannot use them without some garbage app that I don’t want on my phone. I used an old unused device to play around with them and it forced an online account! Why tf do I need to talk to the internet to turn on a light, locally over Bluetooth? This is not acceptable. So I put my regular bulbs back in.

Plus I just don’t like “smart” home crap. I’ll never let my TV touch the internet. In fact I was thinking of opening it up and running a jumper from the wifi antenna to ground, or placing a dummy load so it doesn’t try to auto-connect to some open network that walks by in range.

Why is it that smart things are so dumb

2 Likes

So where are we with this currently? What is the best RISC-V chip currently available (for a mobile device)?

I’m currently looking at the Milk-V Mars SoC as a reference board that looks vaguely small form factor and low power.

What kind of reliance? Are you talking about banking programs? Just install them on a secondary device on a confined / dedicated user. Or are you talking stuff like Uber? Indeed, even calling a taxi is not that straightforward (I know not everyone can afford cars and bikes aren’t fine for all weather conditions).

But just like I said, you don’t have to have these installed on your main device.

Same thing applies. Install it on a different device. Heck, my company asked me to install MS Authenticator. I slapped that inside a BlissOS VM that I power on whenever I actually need to log into something. So don’t give me that about trusting proprietary programs on your private device (I find it particularly egregious when your work asks you to install work-related stuff on your personal devices and if I can get away with requesting a phone from them to do it, then I will, or else I find workarounds like VMs).

I love OsmAnd! It’s been really good for me for quite a while. A bit inaccurate when it comes to searching, but I get away by searching nearby addresses, then using the option to point on the map to where I want to go. I also don’t like some routes it takes me through, so I just put a different, close-by destination and then I get to those spots from there.

That’s horrible. I’d even give such a thing back. All the lights I bought for require no software (have a physical remote).

Good. We shouldn’t just use something because we got them for free. Next thing you know, you’ll be forced to pay a subscription to turn on the lights in your house! Slippery slope is not a fallacy!

Not very far. At least, I’m not aware anyone worked on a phone main board for CM4.

Milk-V Mars CM is the only RISC-V Compute Module I know of.

And the only “mobile” (as in, portable, battery-powered devices) that use a CM are mostly DIY game consoles (which shouldn’t be too far off from modding into a phone, with a modem).

1 Like