Removing cellular RF chip to cut ties to network (Samsung/Android Kernel)

[pac_redwood]

Greetings. I'm attempting to do the unthinkable. Cut ties to the cellular network and use my Samsung device as a standalone computing platform without being connected to the BORG. I am guessing that when my Samsung s8 powers-on the radio does a warm boot prior to the Android kernel init boot. I believe the radio in my s8 is a Exynos RF 5511 SOC or similar. Prior to the Android kernel booting the Samsung radio may search for the strongest local signal, registers it's IMEI and retrieve subscription info. This is pure speculation at this point and I'm seeking clarification if you the reader have this knowledge.
What I want to accomplish is removal of the Samsung radio SOC and replace it with a cheap microcontroller (PIC32 or somesuch) that mimics the I/O of the Exynos RF 5511 and ultimately tells all upstream processes that everything is good to launch Android. The Android kernel class TelephonyManager would then be modified on my custom Android kernel to handle missing pieces.

Does anyone here have experience with Samsung s8(or similar) motherboards? What is the boot process and where can I find schematics and data flow for the radio SOC?

[Peabody]

Would this be different from just removing the SIM, turning off cellular data, and forgetting all wireless connections? 

[pac_redwood]

Yes, very different. The plan is a clean slate computing platform with no RF SOC or antenna with later plans for LoRa.

[janoc]

Then just buy a board with your desired CPU and don't mess with the phone. There are plenty of cheap ARM SBCs these days.

If you remove the baseband IC the phone will most likely not even boot anymore because that chip often does a lot of other things than just talking to the cell network. And you can't know that without seeing the vendor's documentation.

What I want to accomplish is removal of the Samsung radio SOC and replace it with a cheap microcontroller (PIC32 or somesuch) that mimics the I/O of the Exynos RF 5511 and ultimately tells all upstream processes that everything is good to launch Android. The Android kernel class TelephonyManager would then be modified on my custom Android kernel to handle missing pieces.

Good luck finding any information about that. It is all proprietary.

Does anyone here have experience with Samsung s8(or similar) motherboards? What is the boot process and where can I find schematics and data flow for the radio SOC?

Pretty much nowhere, given that this is Samsung's proprietary information. That is certainly not published. You won't get even the chip's datasheet without an NDA, much less any documentation to an actual existing phone.

[Infraviolet]

If this is an old phone otherwise destined for scrap, what abou trying to simply remove the antennas or break the traces that lead to then instead? Antenna might make a more obvious target for disconnection than the RF ICs.

[coppercone2]

Well it might save power

[RoGeorge]

Removing or replacing the radio chip seem too hard to do, both in hardware and in software.

Easiest way:
- Put the phone in Airplane mode.  That will turn off cellular radio.
- Turn off WiFi and Bluetooth.  That will turn off 2.4GHz traffic.

If not enough, disconnect the antenna or cut the traces to antenna and put a dummy load.  Or remove the power from the Tx amplifier.  Or try altering the modem partition. 

Another way could be to remove Android entirely, and install some Linux if there is any for your phone model.  Might be, search on https://forum.xda-developers.com  Usually, in an Android phone there are more proprietary binary blobs than in Linux.

No matter which method is better for you, here's a brief parallel between the Android and the Linux boot, a bird-eye view in the premise of replacing Android with Linux on a mobile platform:
https://forum.xda-developers.com/t/info-android-device-partitions-and-filesystems.3586565/
https://forum.xda-developers.com/t/info-boot-process-android-vs-linux.3785254/
https://forum.xda-developers.com/t/info-is-it-possible-to-install-windows-ios-or-linux-on-android-device.3763961/

[gabiz_ro]

Maybe just simple as flashing with another software version and omit CP file, select only BL AP and CSC

[p.larner]

sounds like the question is the rantings from a nutjob/lunatic to me.

[Melt-O-Tronic]

sounds like the question is the rantings from a nutjob/lunatic to me.

That's rude and unnecessary. 

[antenna]

last time I put firmware on a smartphone with odin, I recall the radio stuff having its own firmware package.  Can't you just install the android side without the hardware-specific radio software package?

[janoc]

last time I put firmware on a smartphone with odin, I recall the radio stuff having its own firmware package.  Can't you just install the android side without the hardware-specific radio software package?

Probably depends on a phone, but:

a) If you are recycling a phone the radio baseband will certainly have something loaded on it already. So that won't help you at all if your plan is to disable the radio (plus the power considerations, etc.)

b) Most phones won't boot without at least some functionality from the baseband because it is often doing also other, non-radio related functions. Which you can't know unless you have the manufacturer's documentation.

[AndyBeez]

Would it be easier to operate the phone inside a homemade farraday cage? Seriously, chicken fencing, nails and wire can be picked up from Home Depot for a lot less money than the price of developing a fake SOC.

If you have to, short the antenna feed capacitor to ground and/or snap off the inline RF filtering and preamp chip. There may also be a way of disabling the RF side with custom software made using the freely available Android SDK.

[RoGeorge]

In the OP it is mentioned a Samsung S8.  For Samsung phones, the flasher tool is called Odin (for Windows).  To flash a Samsung phone from Linux, there is a command line tool named Heimdall.

There are 4 distinct files to flash (for Samsung)
        - BL - Bootloader
        - AP (formerly named PDA) - Android Processor - the bigger of all 4 images to flash with Odin
        - CP (formerly named PDA) - Core Processor - modem.img
        - CSC - 'Consumer Software Customization' or 'Country Specific Code'.  The CSC binary contains the Samsung PIT file, too (Partition Information Table - not the partition table, but a description of how to partition the internal memory of the phone).

The one named CP (Core Processor) contains the radio firmware, so the name 'modem.img' (radio here means in charge with the cellular network for mobile phones, not the FM radio).  CSC might be of interest, too, because it has the configurations for radio bands, frequencies and radio services specific to each provider/country, or at least that's my understanding from when I've rooted a scrapped Samsung J5 this summer.

[Simon]

Greetings. I'm attempting to do the unthinkable. Cut ties to the cellular network and use my Samsung device as a standalone computing platform without being connected to the BORG. I am guessing that when my Samsung s8 powers-on the radio does a warm boot prior to the Android kernel init boot. I believe the radio in my s8 is a Exynos RF 5511 SOC or similar. Prior to the Android kernel booting the Samsung radio may search for the strongest local signal, registers it's IMEI and retrieve subscription info. This is pure speculation at this point and I'm seeking clarification if you the reader have this knowledge.
What I want to accomplish is removal of the Samsung radio SOC and replace it with a cheap microcontroller (PIC32 or somesuch) that mimics the I/O of the Exynos RF 5511 and ultimately tells all upstream processes that everything is good to launch Android. The Android kernel class TelephonyManager would then be modified on my custom Android kernel to handle missing pieces.

Does anyone here have experience with Samsung s8(or similar) motherboards? What is the boot process and where can I find schematics and data flow for the radio SOC?

Just take the SIM out, if this is going down conspiracy routes then just don't bother.

[Melt-O-Tronic]

I don't get all the "nutjob" and "conspiracy" comments.  What's wrong with wanting a utility tablet that doesn't waste resources on unnecessary cellular connections and doesn't send telemetry to unknown organizations?  If you're not a hypocrite, you'd damn well better bend over backward to retrofit your Arduinos, STM32's and Raspberry Pis to send telemetry to all the marketers in the world.

Try to have a little respect for others, please.  Is this how Dave Jones wants new users treated?

[Simon]

OK, FACT, don't put a SIM in it and it WON'T talk to anyone! FACT, what are you talking about?

[Wallace Gasiewicz]

Are the Samsung Tablets and phones essentially the same hardware? I do have a Samsung Galaxy tablet that is the same thing as a big Samsung Phone but came without the cell phone stuff.  It has WIFI.
So maybe it is possible to somehow separate the phone function.And then you would have a $110 tablet.

[RoGeorge]

Phones can work without any SIM inserted.

It is mandated by law, though the telephony provider will allow only emergency calls,  such as 911 in USA or 112 in EU.
https://android.stackexchange.com/questions/154651/can-an-android-phone-with-no-sim-card-make-an-emergency-call

[Melt-O-Tronic]

It would be interesting to know whether killing the cellular chip (if it's even a separate thing) would conserve power.  If simply taking the SIM out really turns off transmission (except for emergency calls), that would be pretty cool.

I have a retired Samsung phone that I keep for potentially this purpose (like a WiFi remote control or terminal).  I never thought about going so far as to kill the celluar function at the chip level, but that would be pretty cool if it's practical.  I guess I could also take it out to our remote property and use the spectrum analyzer to sniff for emissions on cellular bands to see if it amounts to anything significant.

[Simon]

Phones can work without any SIM inserted.

It is mandated by law, though the telephony provider will allow only emergency calls,  such as 911 in USA or 112 in EU.
https://android.stackexchange.com/questions/154651/can-an-android-phone-with-no-sim-card-make-an-emergency-call

Yes of course, they can, but only for emergency calls, no one will give you free data. That is why this feels like we will end up down the conspiratorial route. you disable the things in the OS - don't forget wifi, take out the SIM and forget about it, unless you need to dial 999.

[RoGeorge]

Well, you said it won't talk to anyone, then you agree that of course it would talk to emergency services. 

About turning off all radio, aside from WiFi, don't forget Bluetooth.  In my phone, Bluetooth can be turned on/off independently of airplane mode and independently of WiFi off.

To recap,
- airplane mode, to stop the cellular radio
- Wi-Fi off, to stop the wireless network
- Bluetooth off, to stop BT and BTLE
- even shorter range, turn off the near field radio (NFC)
don't know what other transmitting ways are in the most recent phones, my smartphone is ancient.

I've never tested if this means complete radio silence, or if the phone first boots normally then applies the settings only after the OS is running.

Wondering about this because, for example in my provider's router, there is a WiFi-off settings, and it even has a physical button for that (aside from the SW setting).  Though when the router boots, it still turns on the WiFi for a brief second before the WiFi-off settings are applied.  It has a LED that shows WiFi traffic, which blinks a little, and it transmits something, I've seen the Tx signal while fooling around with a PlutoSDR.

Another thing, I'm curious if a phone would still receive SMS/disaster alerts in airplane mode.  AFAIK the SMS disaster alert should work without SIM, but should it work in airplane mode?

[Bicurico]

I don't get the question. Sure you can spend a lot of time and resources to convert a Samsung S8, without guarantee that it will work in the end.

Or

You can sell it and buy a Raspberry Pi and do all you want straight immediately.

It's like: I have this old Porsche which I want to convert to off road...

[Simon]

I'm still confused about the need to absolutely guarantee that it can't access the internet to the point of castrating it. I've not yet heard of a device that has had the SIM removed doing regular communication with the internet. Same for disabled wifi and even blutooth.

[antenna]

I'm still confused about the need to absolutely guarantee that it can't access the internet to the point of castrating it. I've not yet heard of a device that has had the SIM removed doing regular communication with the internet. Same for disabled wifi and even blutooth.

Heres a situation one might want to.

I have an app that a frined and I made (mostly my ideas, mostly his coding skills) that takes a plain text message and encodes it with a segment of a locally stored and very large one-time pad and generates a QR code of the encrypted data.  The app then rewrites that section of the one-time pad with zeros.  The next thing that happens is the sender uses his networked phone to take a picture of the QR and send it to the recipient.  The recpient then takes his non-networked tablet with the app and matching key pad and grabs the encoded QR with the camera.  It then extracts what part of the one time pad to grab from the QR and proceeds to decode the rest. Once the message is decoded, it is displayed and, just like on the sending side, that portion of one-time pad is rewritten with zeros.  The only thing that ever sees the network is the encoded data, never the keys. 

I know, it is only as secure as how well we hide our tablets/SD card with key files, but due to the truly uncrackable nature of one-time pads, we thought it was worth the hassle to go offline.  We have a prearranged code we can give eachother if either of us believe someone may have physically accessed the tablets, and in that respect, I cannot tell you all the ways we figured out how to know!