Supercon 2023: Jose Angel Torres On Building A Junkyard Secure Phone

If you ever wondered just what it takes to build a modern device like a phone, you should have come to last year’s Supercon and talked with [Jose Angel Torres]. He’s an engineer whose passion for investigating what makes modern devices tick is undeniable, and he tells us all about where his forays have led so far – discovering marvels that a Western hacker might not be aware of.

Six years ago, he moved to China, having previously been responsible for making sure that their Chinese subcontractors would manufacture things in the right ways. Turns out, doing that while being separated by an ocean set up more than just the timezone barriers – they were communicating between different worlds.

[Jose] tells us of having learned Chinese on the spot, purely from communicating with people around him, and it’s no wonder he’s had the motivation! What he’s experienced is being at the heart of the cycle of hardware life, where devices are manufactured, taken apart and rebuilt anew. Here’s how he tapped into that cycle, and where he’s heading now.

One day, he sat down with his phone, connected to a computer, ADB prompt open, and enabled a logging routine. He saw a myriad of debug messages scrolling past – despite the phone being, for all intents and purposes, turned off, it was still alive. That made him think – now, what makes a phone tick? Which parts of it are responsible for this activity? How much control do you have over this, and can you replace these parts?

To get to the core of these questions, he headed down into dark places, where phones are taken apart, their motherboards laid bare, people working away with hot air guns and tweezers in hand. Trays of freshly desoldered BGAs, to be put into bespoke testing jigs and verified, so that they can be repackaged into tapes anew and resold to customers unconcerned with an increased failure rate.

On the streets where blocks are entirely owned by different companies, in stores overflowing with parts you couldn’t imagine existed, he has met a handful of friendly faces, each introducing him to different facets of the hardware world – from Macbook repairs that are officially not supposed to happen, to full-board reverse-engineering services.

If you need a PCB taken apart layer by layer, component by component, carefully imaged, and turned into CAD files, here is where you can get this done. What about a phone? What if you wanted to rebuild a phone? Well, not only can you fully reverse-engineer its PCB here, but they have tons of custom tooling for all the even somewhat popular models.

He glanced at a Huawei phone he’d just recently bought, and decided to use it as a case study. The iFixit diagrams can tell you about every single component on it, but only here can you walk up to a table and see piles and bins full of all sorts of different components for this specific model. Need a specific BGA? Here’s where you get a strip of them for $10.

What if you want to recreate the entire manufacturing process for a specific phone, from schematic to test jig, complete with all the different little parts like custom antennas and shells? That’s where you refer to a reverse-engineering company. This kind of company will take an example board, desolder all components, sand off all layers to get to even the internal copper, and put all that data into a digital format. All passives that are taken off? Measured with an LCR meter. All ICs? Carefully documented, and, again, you can get a strip of them for $10. After a few weeks of work, you get Gerber files and Altium sources you can modify to add any feature the board might be missing. A schematic is usually not included, but you can pay for it to be rebuilt too. And, of course, you get a BOM. Now, this is most of what you need to get a batch of identical phones assembled, starting from just one.

Now, what about if you need some test fixtures for bringup? Here, you can even use a phone of the same model as a test fixture – extend the connectors with separate FPCs, and use that second phone to test any of the different components you might be working on. All of these practices tie into the smaller seller culture, where every part you buy is marked with a seller’s stamp, so you can try and bring it back for a refund if it’s faulty.

[Jose] ends by showing a small curiosity he’s found – an I2C-connected daughterboard for a certain phone lineup, that almost, just barely, fits the SAO standard, with proximity and ambient light sensors on it. If you ever wanted to build a secure phone, you want to understand it, and if you want to understand what makes a phone tick, China will give you insights from the place this phone was born.

10 thoughts on “Supercon 2023: Jose Angel Torres On Building A Junkyard Secure Phone”

  1. I would like to have a totally open source smart phone with such ICs that we can trust that don’t do trickery behind curtains (such as the modem).

    Also I would like to see a single Git repo for ALL the code. No dependencies on other libraries which could potentially inject malicious code. Everything in one place. Everything built from sources.

    A good camera, secure browser, music player, matrix messenger. That’s all I would need.

    I’m pretty sure there will be demand for this sort of product in future.

  2. Agreed @Jouni, but with so many systems-on-a-chip booting from internal, proprietary ROMs, good luck with that. Consider the battle Richard Stallman had with PC peripheral vendors who refused to open-source their driver software. At least with Linux becoming more ubiquitous, we are doing better, but these hardware vendors still vigorously defend the right to embed black-box, binary blobs into their drivers allowing updated firmware to be loaded into proprietary chip-sets. They say these opaque blobs are necessary to protect their companies’ competitive “secret sauce” or the secrets of their suppliers, NDAs in hand.

    What is needed are real incentives and rewards for openness, most likely from an evolutionary business environment that allows companies to worry less that success rests on secrecy rather than service. Maybe this will actually happen. Increasingly competent reverse engineering firms and less-than-globally-protective patent/copyright law are changing how investors invest in technology startups. And security certainly has bubbled to the top of corporate radars. So maybe big customers will start demanding openness from vendors who want to do volume business.

    But first a change from trade secret paranoia to an openness ethos has to trickle all the way down to the hardware vendors. Demand for security-oriented architectures and systems may be the golden key to unlock what you are looking for. Hardware that guarantees security is not just a pipe dream.

    1. Relying on service not secrecy?

      I’d rather not rely on service. Whilst good service is great, the best manufacturers make stuff that you don’t need to rely on service for.

    2. “What is needed are real incentives and rewards for openness, most likely from an evolutionary business environment that allows companies to worry less that success rests on secrecy rather than service. Maybe this will actually happen. Increasingly competent reverse engineering firms and less-than-globally-protective patent/copyright law are changing how investors invest in technology startups. And security certainly has bubbled to the top of corporate radars. So maybe big customers will start demanding openness from vendors who want to do volume business.”

      Regulators should impose fines on undocumented hardware (chips) in the context of the “right to repair” legislation. That could also fit into a EU DMA v2.0 to allow alternative OSes to make drivers for undocumented hardware.

    3. “Consider the battle Richard Stallman had” is like saying “Consider Gajdusek’s research on kuru.” Or OJ’s search for Dr. Richard Kimble, which sadly was cut short.

  3. Jose is a massive, disrespectful fraud; he has abandoned the community that supported and paid for the Popcorn PC, leaving his family members to handle our questions and concerns. We have received zero updates or feedback on the project’s status and he has decided to continue wasting our time instead of being an adult and admitting defeat, or giving us a timeline for an update and following through with it.

    Jose, if you read this, you need to update the community of people who supported your project, whether it’s bad news or good news. We deserve better than this.
