Open Firmware For PinePhone LTE Modem
Jun 26, 2023
In their monthly announcement, among all the cool things Pine64, they talked about the open firmware for PinePhone's LTE modem. The firmware isn't fully open – a few parts remain closed. And Pine emphasizes that they neither pre-install nor officially endorse this firmware, and PinePhones will keep shipping with the vendor-supplied modem firmware image instead.
That said, the new firmware is way more featureful – it has less bugs, more features, decreased power consumption, and its proprietary parts are few and far between. I’d like to note that, with a special build of this firmware, the PinePhone's modem can run Doom – because, well, of course.
And with all that, it's become way easier to install this firmware – there's fwupd hooks now! You can think of fwupd as the equivalent of Windows Update for firmware, except not abusive, and aimed at Linux. A perfect fit for keeping your open-source devices as functional as they can be, in other words.
What's the deal? If open firmware is that much cooler, why don't more of our phones have open firmware options available?
Phone modems are fairly complex. Your phone, numpad or "smart" alike, has a modem chip from someone like Mediatek or Qualcomm, and that chip has a reasonably powerful CPU core inside. For instance, if you take the SIM800 modem (a 2G-only modem module), it has the MT6260 chipset, which is an ARM7 single-core CPU and GSM baseband in one chip. You can think of it as an ESP8266 on steroids, but for GSM.
In the SIM800 module, this CPU acts as a "receive AT commands and do GSM things" intermediary, but it's also been used as the does-everything processor for GPS trackers, smartwatches and other GSM-connected devices. In fact, the MT6260 can run an entire Nokia 3310! The 2017 version, to be exact.
With the PinePhone modem, the situation turned out to be the same. It was quickly found that the Quectel modem ran a stripped down version of Android on its ARM core, with adb shell available over the modem's USB interface. When a few adventurous hackers started probing it and got shell access, they found tools like ffmpeg, vim, gdb and sendmail compiled in – certainly not something you’d need on a cellular modem, but hey. Firmware images got unpacked, some code got reverse-engineered, and the modem got itself a newly compiled Linux heart.
The specific chip powering the PinePhone's Quectel EC25-G LTE modem is a Qualcomm's MDM9207, with a single-core CPU and 256 MB of RAM and flash by its side – this Pine64 Wiki page will get you up to speed with the technical details. If you think about it, the PinePhone isn't a quad-core CPU device, really – it's a penta-core dual-CPU device, running two Linux installs side by side. And yes, it's not impossible that same goes for your Android phone.
Why value cellular modem firmware openness, anyway? We’ve been living quite fine without it, some might say. Turns out that open firmware for modems brings good things aplenty!
One of the most noteworthy ones is the ability to downclock the CPU core of the PinePhone modem – bringing it from 400 MHz to 100 MHz. This makes the modem consume less power, and not heat the phone up as much. The modem's configuration, for instance audio bitrates, is made more dynamic – no longer requiring a modem reboot to change audio parameters. There's all kinds of developer-friendly features like logging capabilities and testing facilities; PinePhone's integration can also be improved upon – i.e. debugging and improving call handling while the PinePhone's CPU is suspended to improve battery life further.
And, of course, Doom.
It's also possible to fix many of the problems that impede upon PinePhone's cellular capabilities – as it tends to be with cellular modems, there's plenty of firmware problems. Some of these are fixable by using a different vendor firmware image, but going between binary images and looking for the least glitchy one is an exercise in frustration. It's also possible to patch vulnerabilities, like the "render the modem inoperable" one that was exploited by the PinePhone-targeting weird piece of malware half a year ago.
This is the kind of control that large-scale phone manufactures already get over the modems they embed into phones, to be clear. An open phone project has to have this kind of control – otherwise, it is bound to be disadvantaged, purely because of reliance on proprietary firmware images with all sorts of glitches and mis-features. Without firmware modifiability, open phones have one more roadblock towards feature parity, and our technology is already quite hostile to open phones as-is.
Not everything is open in this firmware. The baseband firmware, aka the RF bits known as ADSP firmware, remains closed and not yet reverse-engineered by anyone – you’re not gonna be running OpenBTS on this modem yet.
The TrustZone kernel remains closed too – my understanding is that it's signed by Qualcomm. However, the Linux install is fresh and no longer stinks, and the Qualcomm's application stack seems to have been replaced with a more lightweight one – removing any need for closed userspace tools or drivers, too. This is a firmware you can modify to your needs in many aspects, then compile and flash yourself.
I keep listing all this background and benefits – to think of it, it's a bit unfair that I haven't answered the intro question yet. Why haven't we had modem open firmware earlier? Well, we’re finally arriving at the "why".
The open firmware for the PinePhone modem is technologically superior, and code-wise, the baseband, aka RF paths don't change. So, why not ship this firmware from the factory? Why the "not officially endorsed or recommended" thing? The answer is, Pine64 could lose regulatory approval in certain countries if endorsing or pre-installing this firmware – which is why they’re not doing either.
As it stands, one would be foolish to expect Pine64 endorsement of this firmware. They work hard to ensure that PinePhone remains certified in as many countries as possible – without pre-established networks of representation and competencies that phone manufacturers benefit from, it's a complicated task. If you’re legally able to run this firmware, godspeed – otherwise, all possible responsibility, however unlikely, shall be yours. Here on Hackaday, we revel in the freedom to do things as a private individual that you couldn't do with gear for sale.
And one such area is radio-relevant firmware. Direction from the US FCC on regular WiFi router firmware resulted in router manufacturers attempting to restrict you from installing OpenWRT. Which is to say, it should be possible for routers to remain custom firmware-friendly, but I’m not optimistic. Observing the trends over the years, noticing firmware get more and more locked down, I’ve been thinking a lot about a certain question.
It's important to understand that regulatory restrictions can be worked around by the cellular modem manufacturers. Beyond all excuses and laws, there's the question of effort. It's not impossible to open-source modem firmware with certain caveats, it's that manufacturers are not motivated to bother with the effort of making it open. Laws can be worked around – we know full well there's no shortage of legal creativity in marketing departments. The sheer lobbying power of corporations, sizeable when they stand to lose profits, isn't on display when firmware-restricting laws get passed. Why not here?
What I’ve seen used as an excuse is the sheer complexity of cellular tech – and it holds some water. These standards are complex indeed. However, it didn't take wading through cellular protocol nuances to downclock the modem's CPU frequency, or fix interfacing bugs. Some parts of it could be open, or at least open-source, and yet they’re not.
Other excuse is the regulatory compliance, and that holds some water, too – however, the conversation was never started to begin with, there was never an acknowledgement of our needs, needs that can and should be discussed. Some modems have an SDK that integrator companies can make use of, a few modems will provide you with some kind of code interpreter, even – more often than not, access to documentation for these requires an established business relationship, and then, regulatory troubles seem to not be as much of a blocker.
A lot of problems excused by regulatory compliance happen to benefit the manufacturers financially – whether through new hardware sold because of planned obsolescence, or money not spent on effort they technically aren't forced to put in. Firmware customization stays behind NDAs and business relationships, as opposed to being at least partially open and competitive. Which suits monopolistic players just fine.
Firmware openness is a question of committing to it and working through the hurdles – and if manufacturers won't put that effort in, at least we the hackers can compensate here and there. For now, if we want feature parity for open phones, we’ll have to get our reverse-engineering tools hooks-deep in proprietary firmware at some points.
You might be wondering – why specifically now, and why Pine64? There have been open-source baseband projects before, but not many of them have reached this far. Well, a good few factors played in their favour, and I’d like to talk about the primary one.
Getting hardware into hands of hackers is key to breakthroughs like these – this is what Pine64 has managed to do well. PinePhones have been shipping for over two years now, and basically everyone who wants one can get one, resulting in a fair few hackers owning an open device with a Quectel modem in it.
From there, it was a matter of time until hackers started poking at the modem! The low price also helps – while PinePhone is nothing to marvel at when compared to flagship phones, it also only costs a fraction of the price, and having Linux on it helps you squeeze out more when it comes to performance, negating the downside that’d be more significant if it were to run Android.
I would also add that having a hacker-friend phone at such a low price means that you make it accessible for specifically the kind of hackers already used to squeezing more and more out of the devices they own – for financial reasons, among others. Sometimes our skills are sharpened by need, which is one of the reasons work done by Pine64 is all that more valuable – helping a new generation of hackers access tools and playgrounds they’d previously be financially locked out of.
It could very well be that one of your personal phones is hackable in the same way – ripping out the subpar Linux build running your phone's modem and replacing it with a Linux build you have more control over. PinePhone's availability has helped us get over this hurdle, and now future projects stand to benefit from it. In fact, you can get one of these Quectel modems as a mPCIe card, and build an open-firmware modem into your own devices easily!
This firmware is not fully open, but a large portion of it is – which happens to be the portion most useful for improving PinePhone's cellular capabilities. With modifiability like this, what are we going to achieve next? And given these capabilities, what challenges will we face in the future? We don't yet know everything that will happen, but this work is good news for us.