Oppo Find 5

Added by Nemo Nihil over 11 years ago

Oppo has been very open towards the Android developer community.
Their most recent video spot even features CyanogenMod's Guillaume Lesniak aka Xplodwild.


Replies (6)

RE: Oppo Find 5 - Added by Paul Kocialkowski over 11 years ago

It's using a Qualcomm Snapdragon SoC, so we are not going to get one and port to it.

RE: Oppo Find 5 - Added by Nemo Nihil over 11 years ago

Wasn't everyone blaming Samsung and Exynos for being the personified evil? It seems to be the exact opposite in Replicant from the way CM treats the devices.

RE: Oppo Find 5 - Added by Paul Kocialkowski over 11 years ago

And that would be my daily reminder that I have to write an article on why I think exynos is great! Following this rhythm, I might even get it done at some point.

So yes, we think Exynos devices are great and we have strong arguments that back that up. However I feel too lazy for mentioning them all right now. If you're interested in these details, I'll try to write that blog post soon.

RE: Oppo Find 5 - Added by Lorenzo K over 11 years ago

I'm trying to better understand what the architectural problems of the Qualcomm chips are. Does anyone have any link/information that can help me do this?

From what I read, one of the problems is that in MSM chips the modem has too much control of the hardware, therefore by doing some sort of OTA update of the firmware it is possible to subvert the whole phone, like using the mic or reading from the CPU memory.

The Oppo Find 5 is using an APQ8064 [1] that doesn't have an integrated modem [2]. Does this protect the CPU RAM from the modem? It seems [3] that the Find 5 uses the MDM8215M chip as modem. This chip seems to control GPS but not audio [4]. Does this prevent the modem from using audio without help from the CPU? The control of the GPS receiver seems less of an issue, since if someone can control the modem they can already triangulate the position using the cellular network.

The info on the wiki page [5] for the Nexus 4 (that uses the same chip as the Find 5) indicates that the modem "controls the GPS, audio and perhaps NAND too", but I couldn't find out more about these statements. If the modem can do DMA (I can't find information about which interface it uses to talk to the CPU) then I guess it can do this [6] sort of attack.

As a side note, for people that might be interested, the list of proprietary blobs for the Find 5 is quite long [7].

[1] http://europe.oppostyle.com/find-5/8-find-5-white.html
[2] http://www.anandtech.com/show/4170/qualcomms-announces-krait-cpu-the-successor-to-scorpion
[3] http://www.oppoforums.com/threads/oppo-find-5-round-up-all-you-need-to-know.183/page-4
[4] http://www.slideshare.net/jjwu6266/qualcomm-apq8064based-smart-phone
[5] http://redmine.replicant.us/projects/replicant/wiki/TargetsEvaluation
[6] http://www.researchgate.net/publication/244484148_A_Primitive_for_Revealing_Stealthy_Peripheral-Based_Attacks_on_the_Computing_Platform%27s_Main_Memory
[7] https://github.com/CyanogenMod/android_device_oppo_find5/blob/cm-10.2/proprietary-blobs.txt

RE: Oppo Find 5 - Added by Paul Kocialkowski over 11 years ago

There are still too many blobs to replace and too many loaded firmwares that would mean lots of features not working out of the box. That's a major drawback, and we have better devices to work on, so we'll deal with the others first.

As for whether Qualcomm SoCs are still as bad, I agree we would need a refresh on what the facts actually are as of today, on these new SoCs. But non-free blobs are enough of a reason for us not to look at these devices.

RE: Oppo Find 5 - Added by Lorenzo K over 11 years ago

First, just to be clear, I completely understand why at this point it is not a good idea to start with a new platform and I completely agree. I'm writing here to document my findings and better understand what it would take to do the port and if the Oppo is "good" or "bad" hardware.

Since my last post I continued my research. I post the new results below.

By looking around the internet I found a service manual for the LG-E960 that also uses the APQ8064 but uses a different modem, the MDM9215M. My hypothesis is that this modem and the MDM8215M that is used in the Find 5 might have a quite similar connection to the APQ, since they were more or less created at the same time by Qualcomm for the same function (the difference between the two modems is that the first supports LTE while the second doesn't).

In this device the first interesting fact (page 190) is that the modem and the APQ8064 are connected to the audio codec (WCD9310) on a common SLIMbus [1]. This means that in principle the modem can use the mic by itself (but maybe there is something in the bus protocol to prevent this).

The second interesting thing is that the eMMC is connected only to the APQ chip (page 190). Moreover, the pin EBI2_NAND_CS_N of the modem is not connected (page 210). Given that the boot of the modem can happen either from NAND, HS-USB or HSIC (see the Boot config parameters at page 210), it seems that the boot is initiated by the APQ.

Third, the APQ and modem are connected with a USB HSIC [2] connection and by 15 other GPIO pins (AP2MDM_VDDMIN, MDM2AP_VDDMIN, APQ2MDM_IPC1(DNI), APQ2MDM_IPC2(DNI), APQ2MDM_IPC3(DNI), AP2MDM_STATUS, MDM2AP_STATUS, MDM2AP_HSIC_READY, AP2MDM_SOFT_RESET, RIVA_WCN_PRIORITY_B, MDM_LTE_FRAME_SYNC_B, MDM_LTE_ACTIVE_B, AP2MDM_ERRFATAL, MDM2AP_ERRFATAL, AP2MDM_WAKEUP). From the fact that there is an AP2MDM_SOFT_RESET, maybe we have another indication that it is the APQ that bootstraps the modem and not vice versa.

Conclusion, possibly wrong due to my limited understanding of these technologies and the differences between the LG and the Oppo devices: it seems that a compromised modem firmware could use the mic, but the APQ can survive such a compromise (provided that HSIC doesn't allow the modem to mess with the whole memory of the APQ). Moreover, the persistent storage should be protected from the modem (again, if HSIC doesn't allow the modem to mess with the memory of the APQ).

[1] https://en.wikipedia.org/wiki/SLIMbus
[2] http://www.interfacebus.com/hsic-bus-high-speed-inter-chip-usb.html
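The two posts above reason about which assets a compromised modem firmware could reach (mic, GPS, eMMC, AP memory) from the wiring in the LG-E960 service manual. The following script is an added editor example, not code from Replicant, Oppo or the poster, that turns that reasoning into a small bus-master reachability model so the conclusion can be checked instead of argued. It transcribes the topology as read in the post (modem and APQ both on the SLIMbus with the WCD9310 codec, eMMC wired only to the APQ, APQ as USB/HSIC host), assumes the LG-E960 wiring matches the Find 5, uses bus labels that are descriptive only, and models the one open question, whether HSIC lets the modem write AP memory, as a switch. In plain USB, of which HSIC is a chip-to-chip variant, only the host controller initiates transfers and a device cannot DMA into host memory on its own, so the default is `False`; the worst case shows how the whole conclusion flips if that assumption fails.

```python
from collections import deque

# Nodes: APQ8064 (application processor), MDM (MDM8215M/MDM9215M modem),
# WCD9310 (audio codec), MIC, eMMC, APQ_RAM, GPS.  An edge A -> B means
# "A is a bus master / host that can drive B".  Bus labels are assumed names.


def build_edges(hsic_device_can_dma=False):
    """Directed bus-master edges transcribed from the service-manual reading
    in the post (LG-E960 wiring, assumed to match the Oppo Find 5)."""
    edges = [
        ("APQ8064", "WCD9310", "slimbus"),   # both SLIMbus controllers ...
        ("MDM", "WCD9310", "slimbus"),       # ... can address the codec
        ("WCD9310", "MIC", "codec"),         # the microphone hangs off the codec
        ("APQ8064", "MDM", "hsic"),          # APQ is the USB/HSIC host
        ("APQ8064", "eMMC", "sdcc"),         # eMMC is wired to the APQ only
        ("APQ8064", "APQ_RAM", "ddr"),       # AP DRAM, the asset in question
        ("MDM", "GPS", "mdm_internal"),      # GPS is controlled by the modem
    ]
    if hsic_device_can_dma:
        # Worst case raised in the post: if the HSIC link let the modem write
        # AP memory, the modem would effectively own the APQ and everything
        # behind it.  Assumption flag, not a property found in the manual.
        edges.append(("MDM", "APQ8064", "hsic"))
    return edges


def reachable_from(start, edges):
    """Breadth-first search over the directed edges.  Returns {node: [hop, ...]}
    for every node the start node can drive, directly or through a controller
    it reaches.  Modelling assumption: reaching a controller (e.g. APQ8064)
    means being able to use its bus-master privileges."""
    adjacency = {}
    for src, dst, bus in edges:
        adjacency.setdefault(src, []).append((dst, bus))
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, bus in adjacency.get(node, []):
            if dst not in paths:
                paths[dst] = paths[node] + [f"{node} -[{bus}]-> {dst}"]
                queue.append(dst)
    return paths


def modem_attack_surface(hsic_device_can_dma=False):
    """Assets a fully compromised modem firmware could reach, with the path it
    would use, or None when the asset is unreachable under this model."""
    paths = reachable_from("MDM", build_edges(hsic_device_can_dma))
    return {asset: paths.get(asset) for asset in ("MIC", "GPS", "eMMC", "APQ_RAM")}


if __name__ == "__main__":
    for worst_case in (False, True):
        print(f"HSIC lets the modem DMA into AP memory: {worst_case}")
        for asset, path in modem_attack_surface(worst_case).items():
            status = "REACHABLE via " + " / ".join(path) if path else "not reachable"
            print(f"  {asset:8s} {status}")
```

With the default assumption the model reproduces the post's conclusion: the mic is reachable over the shared SLIMbus and the GPS is modem-owned, while eMMC and AP RAM are not reachable. Flipping the switch makes AP RAM and, transitively, eMMC reachable, which is exactly why the HSIC question is the one worth settling from the datasheet or kernel driver rather than the GPIO list.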
