I don't get nearly enough benefit from a smartphone to bother with any of that sort of deep aggressive reverse engineering and patching. It's not worth the time. I don't have a spare "few days every few months" that I want to dedicate to reverse engineering apps that are purpose built to work against my will.
> In other words: rather than waiting for an open-source mobile ecosystem that'll never come, we should just be treating mobile devices like we do game consoles: seeing them as something to be jailbroken, modchipped, hacked, brute-forced, overridden, key-extracted, etc. Made to do what you want, and only what you want, when you want — source-availability be damned.
Except there are far easier to use options that aren't nearly so locked down, should I want to do general purpose computing. I think the most recent game console I owned was a Wii, but I treated it largely as a fixed purpose device that did a few things well.
I generally move around with my flip phone in airplane mode, then shut down (airplane mode saves state across power cycles, so I can power it on if I want to take a picture of a flyer for some event without having it ping out). But I'll ask for a citation on "Pinging towers while powered off." I'm aware of some attacks on devices that fake a poweroff, but based on "battery state of charge when powered down" analysis (which admittedly isn't very deep), I've seen no evidence of any sort of substantial power draw when shut down - and some of the places I go, there aren't any towers nearby, so it would have to try fairly hard to reach one.
But I'm really not sure of how much of your high effort spitball here is actually things doable, or if you assume I've got the time to fully reverse engineer a modern device to, say, scramble the IMEI in the baseband (it seems like the sort of thing there wouldn't be a command to do, so that implies remote code exploits in the baseband to be able to add that capability).
> But I'll ask for a citation on "Pinging towers while powered off."
Here's circumstantial evidence pointing to the negative: that a device in airplane mode, and probably, by extension, a powered-off device, broadcasts no signals:
> Most people carry their mobile device with them everywhere they go and leave it connected to the mobile network at all times. While they are sitting at home and playing on their device, they are connected to their cellular carrier for convenience. They might switch to Wi-Fi while streaming videos at home, but most people still leave the cellular modem activated, which is constantly recording the location of the device. I believe this is risky behavior and a desire for extreme privacy will require you to take more extreme action.
> Some of my clients' primary mobile devices have never entered their homes and have never connected to a cellular tower within five miles of their houses. This prevents their phones from announcing their home locations. If someone did figure out a mobile number, and paid a bounty hunter or private investigator to locate a device, it would not lead anyone back to a home. The last known location should be a busy intersection with no connection to anyone. In the past, some clients have used a secondary mobile device with no cellular service within the home, which only connects via Wi-Fi, but I find this complication to no longer be warranted. For most GrapheneOS users who have the discipline to control their cellular, Bluetooth, and Wi-Fi connections, I believe you can safely use your primary mobile device in the home as needed. Please allow me to explain.
> I insist on preventing any devices from connecting to any cellular network while in or near my home. These connections can immediately identify someone's location. When you place the GrapheneOS device into airplane mode, the cellular connection sends _absolutely no data to any cell towers_. The ability to block the microphone and cameras from the Quick menu further calms my worries. Unlike Apple devices, airplane mode is not disabled during updates or reboots. I simply trust GrapheneOS to maintain my desired connections more than Apple.
(from Michael Bazzell's Extreme Privacy: What It Takes to Disappear, 5th edition. Emphasis mine.)
The counter-evidence I'll cite comes from language used by criminal investigators in true-crime television like Forensic Files. I recall several instances of language like "we realized that the suspect then disappeared off the grid — meaning that either the battery in their cellphone ran dry, or more likely, was removed." They never consider the possibility that the suspect powered off their phone — suggesting (to me, at least) that that's not a concern for them.
Thinking more closely about the implication of this, I think the feature I was positing probably exists, but isn't an always-active signalling feature in the way I described in my GP post. It's not that the baseband will (for a regular, non-wiretapped person) periodically reach out to ping towers while the phone is nominally off — which would indeed continue to drain the battery perceptibly.
Instead, my thinking is that one of the following two things is true:
1. Phones need to be powered on to receive an "activate persistent baseband wiretap" message; but once they do receive such a message while powered on, powering down the phone will no longer fully power down the baseband, and the baseband will instead continue to silently register itself with nearby towers.
2. Whether or not the phone is powered on, as long as the baseband receives power from the battery, the baseband will wake up every so often just enough to receive periodic announce broadcasts from nearby cell towers. And part of these periodic broadcasts is a set of queued "system" SMS messages — broadcast to all subscribers rather than directionally-MIMOed to just the intended subscriber, but each encrypted for a specific device. (This would be, in effect, the cell tower acting a bit like a Numbers Station.) One such "system" SMS message can activate silent-persistent-baseband-wiretap mode. Once the baseband receives such a message, it will stay awake from then on, and begin actively pinging cell towers. (At which point the "system" SMS message will be considered ACKed and removed from the service provider's SMSC's system-messages queue topic.)
In either of these cases, only people actively being wiretapped would begin to experience perceptible battery drain.
In the first case, there'd be no additional battery expense for regular, non-wiretapped subscribers — the baseband would be receiving the wiretap message like it receives any other SMS, and only when it would receive other SMSes. Given that SMSCs queue SMSes, you could have a phone off for a while to prevent wiretap activation; it would only get wiretapped the moment you turn the phone back on. (But once wiretapped, turning it off would no longer help.) If criminal organizations knew this, you'd expect to see a specific pattern of use for "burner" devices from them.
In the second case, there'd naively be a barely-perceptible additional battery expense. (But maybe not — in theory, the radio could have an independent little circuit for this that is powered by the cell tower in a process similar to RFID! After all, it only needs enough smarts to recognize one particular message and tell the rest of the baseband processor to wake up. Like the "wake word" DSP on a smart speaker.)
It's way, way easier to just not carry a phone.