Promising Linux Phones

Here is a thread to discuss Linux phones :slight_smile:

What are your experiences? What’s next?

Anyone paying attention to the Pinephone? Thought I would share some info on it as I recently received one to kick off the mobile forum discussion :slightly_smiling_face:

Pinephone is a really cool project. The makers, Pine64 (https://www.pine64.org), work on/build/provide a variety of Arm processor based SBCs and laptops.

Now they have delved into the Linux Smartphone area :pray: They even included hardware kill switches on the back:

Also in the red square are 6 ‘pogo pins’ to allow hackers/makers to make add on hardware (slide keyboard in the works).

One really cool part is the open source bootloader’s ability to run as many operating systems as you like off microsdcards (there is also 16gb internal storage). Needless to say there are a variety of operating systems already out/mostly stable for it already and I have done a couple videos reviewing them since getting the phone:

Unboxing video + Ubuntu Touch display:

Here is a look at Mobian OS (Debian Mobile) + Termshark sniffer:

Manjaro’s Linux OS for Pinephone:

Installing/running WiPri, a script I wrote on the phone (various mac address/hostname randomization features/experimental txpower strength variations) and working :slight_smile: :

What works on most operating systems:

  • calls work both ways
  • cellular data/internet works
  • sms texting works both ways
  • Bluetooth headphones work for me
  • Wifi works

Pretty impressive this early on in dev. This phone holds promise for pentesting purposes. The only downside on that end is monitor mode not being available on provided firmware (word is it is capable if someone reverse engineers).

I thought this Phone would be of interest to the Parrot community. :smiley:

Anyone else have a Pinephone yet? Or a Librem 5? :thinking:

4 Likes

This is a wonderful thing, and so is Graphene OS. They rock.
If it gets proper support for Monitor mode and packet injection related stuff, damn it will be cool.
I wonder if Parrot Developers are developing something like Kali Nethunter. That will be solid rock.

1 Like

I would like to go to “secure phone” instead of something like “pentest phone”.

  1. Are you sure you want to use terminal on a phone? It is acceptable. But how about GUI app, …?
  2. Raspberry Pi is a thing. Using it for pentesting is still better than a phone.
  3. Make custom devices by using Arduino.

4 Likes

Personally I love using terminal on the phone but am already using Geany IDE on it for the GUI end :slight_smile: On command line ssh (I feel safer admining my network than Android/iPhone)/full Debian administration toolbase/apt repository. When I have the choice (for Pinephone esp) I prefer terminal for apps that do not need a gui for multiple reasons: easier to integrate flag commands into other scripts/combinations with ease/1 liners, lower resources (Pinephone has the Allwinner SoC and Mali400 GPU- released in 2014 it isn’t the best on resources 2gb ram).

Much more usable ime than a pi with a touch screen/battery bluetooth keyboard. The keyboard is just better and easier to use. Some programs do not fit window properly yet but week by week it improves. CRUST power management is nice (up to 24hour idle with modem on, 100hr idle modem off).

I am with you on having a “secure phone” over pentest phone. What I mean is for only $150 you could get one to use as a fully custom personal phone to secure/privatize (further than Android/iPhone whose updates recently installed extra tracking features in the background- sending bluetooth packets that may or may not be used against the user to build social network/identify/location profiles whether you opt in or not). This is where kill switches also help ensure no giveaway beacons are released.

At this low price many could afford a 2nd Pinephone as a “project phone”.

For pentesting/Redteam purposes a smartphone stands out less than a raspberry pi box. Has all the capability of a pi plus added working cellular modem + multiple extra built in sensors that could be put to creative use in various projects: proximity sensor, magnetometer, gyroscope, accelerometer.

I don’t intend to use this one for pentesting but I do see potential for many projects including the pogo pins/usb c (allowing add ons like monitor mode NICs to be inserted/rtl-sdr/sdr- working radio terminal commands/gui apps exist).

Right now the only one with working LUKS encryption is Postmarket OS. This is the one on sale on the pine64 website. I may flash this to the emmc in near future. There are of course extra issues for those who do not take care to secure it (compared to default non root Android/iPhone).

1 Like

Yeah, in terms of privacy, security, and freedom, phones like Librem 5, intact phone are good to go type. Librem5’s OS has sandbox mode and it is really good.

1 Like

Yes I have actually used PureOS on Pinephone! :smiley: PureOS is nice and snappy. You can tell they put some work into it.

Sandboxing is available on Pinephone as well :slight_smile: Libertine on Ubuntu Touch/Firejail for Mobian. Many apps come sandboxed by default.

Here is a comparison including Pinephone/Librem:

https://www.wikizero.com/en/List_of_open-source_mobile_phones

Pine64 has been very open about everything including detailing where they couldn’t get around firmware blobs (but attempted to compartmentalize where possible): https://www.pine64.org/2020/01/24/setting-the-record-straight-pinephone-misconceptions/

2 Likes

Really cool to hear your guys’ thoughts on this. I saw the release and have been thinking about making the switch. I think this just helped me make that jump :slight_smile:

1 Like

I’ve been in the market for a replacement mobile phone for a bit now, obviously security is a main issue for my consideration. Most of the “new” mobile devices fail on issue 1 - inability to remove the battery. I have been looking at the PinePhone as well as the Librem 5 options both of which look interesting - I really like the manual kill switches to disable the usual tracking vulnerabilities. While there is a notable difference between the 2 as far as pricing, the librem 5 being the more expensive is on par with most new phones.

My big issue is that I want to get away from the Big Brother all seeing eye as much as possible. Currently I use an older phone (Galaxy S4) because I can still remove the battery when I want to be sure it is offline. Admittedly, I also use a carry pouch that is RFID secure when in “sensitive” environments. My intentions are to get a mobile solution that does not submit to the encryption weaknesses that are being imposed by more and more governments.

Thoughts, ideas and suggestions appreciated - I already know some would consider me a bit paranoid, but just because someone is paranoid does not mean they are not out to get you.
:wink:

1 Like

Well, the Librem 5 does fulfill your needs. It does have a removable battery, a user-replaceable battery.

1 Like

Librem 5 is nice and to be quite honest, if I wasn’t above my budget I would have gotten one of those as well.

Here are areas where Librem 5 shines over Pinephone:

  • removable/replaceable hardware cards
  • FSF approval
  • killswitches for certain internal sensors not covered on Pinephone killswitches
  • extra gig of ram/more storage (although Pinephone now has 3gb option + double storage for $50 extra).

Not sure on status of Librem 5 for calls/text but I do know they mention plans of being first Linux phone with native encryption for dialing out (of course you would need a compatible receiving phone to make e2e work for the call).

EDIT: decided to change title to Promising Linux Phones to make more appropriate for different phones.

I have heard good things about the N900 but apparently dev has been stalled on latest version.

2 Likes

I’m new to Linux and one of the things that’s drawing me to it is the privacy aspect of it. I’m just getting used to Parrot, and also ordered a Pinephone but haven’t received it yet. Some things have come to mind though and I don’t know if my concerns are justified. Shortly after buying a Huawei laptop I started to hear all types of things about how the company was putting back doors in their products, especially the products they were selling to Europe used for wireless communication. I realize that any country/government has the ability to do this, including the US, but after purchasing the Pinephone and seeing that it’s coming from China, the thing with Huawei came to mind. While the kill switches are a great idea, how can we know that the devices can be trusted? If ARM Linux versions can be installed, and trusted that is one thing, but there must be extra stuff on the phones related to the hardware for cell service. I’m not saying this to bring criticism to the company manufacturing them, but rather because privacy is important to me, it’s one of the things that’s drawn me to Linux and that phone, and also because my understanding of this stuff probably isn’t on par with that of most of you on this forum.

Also, there’s this law in the US that I hear they are trying to pass called the LAED Act, which to my understanding would require companies to start implementing back doors into their products and also lowering encryption standards. If a law like this is passed, and phones such as the Pinephone or Purism’s Librem 5 are being used in the US, do you think firmware updates or anything would be forced upon these devices causing them to be less secure, negating one of the primary purposes for which they are being marketed and sold?

What we do know is laws not yet passed won’t apply to hardware we purchase today- so I say make hay while the sun shines (buy older hardware for safekeeping if able/worried about future of tech).

Hardware brings risk no matter where it comes from. The way I look at it is this: a device with smaller market leaves less incentive to backdoor. Android/iOS are by far the biggest markets, and make more sense for those types of groups to target.

The open source community is usually pretty good at finding funny acting hardware (where possible) and such a small user pool would make it all not really be worth all the trouble (hopefully).

LTE modem is a closed off box (on Pinephone not sharing same board as cpu- connected by usb) and the way I look at it is this (no matter what OS): phones should not be trusted for security where a computer is available to do the job.

That said, I am still going to encrypt my Pinephone, take precautions, and try to stay aware of possible limitations.

I suggest the same for everyone. :slightly_smiling_face:

1 Like

RightToPrivacy, thanks for the response. I’m a firm believer that if the government wants to get into something they have the ability to. I’m sure they have resources far beyond what most have imagined. Even the US legislators were unaware of what was taking place with the Snowden leak, so I wouldn’t be at all surprised if the legislators who drafted the yet to be passed LAED Act are unaware of current tech in use that already does most of what the Act seeks to achieve, or at least workarounds to achieving the same means. I personally don’t have anything I’d be worried about the government getting into, but it’s still the concept, and not knowing who or what government is in control. Way too many attempts to overreach into things that US politicians on both sides have been working toward that they shouldn’t be. Thanks again