Supercon 2023: Jose Angel Torres On Building A Junkyard Secure Phone

If you ever wondered just what it takes to build a modern device like a phone, you should have come to last year’s Supercon and talked with [Jose Angel Torres]. He’s an engineer whose passion for investigating what makes modern devices tick is undeniable, and he tells us all about where his forays have led so far – discovering marvels that a Western hacker might not be aware of.

Six years ago, he moved to China, having previously been responsible for making sure that their Chinese subcontractors would manufacture things in the right ways. Turns out, doing that while being separated by an ocean set up more than just the timezone barriers – they were communicating between different worlds.

[Jose] tells us of having learned Chinese on the spot, purely from communicating with people around him, and it’s no wonder he’s had the motivation! What he’s experienced is being at the heart of the cycle of hardware life, where devices are manufactured, taken apart and rebuilt anew. Here’s how he tapped into that cycle, and where he’s heading now.

One day, he sat down with his phone, connected to a computer, ADB prompt open, and enabled a logging routine. He saw a myriad of debug messages scrolling past – despite the phone being, for all intents and purposes, turned off, it was still alive. That made him think – now, what makes a phone tick? Which parts of it are responsible for this activity? How much control do you have over this, and can you replace these parts?

To get to the core of these questions, he headed down into dark places, where phones are taken apart, their motherboards laid bare, people working away with hot air guns and tweezers in hand. Trays of freshly desoldered BGAs, to be put into bespoke testing jigs and verified, so that they can be repackaged into tapes anew and resold to customers unconcerned with an increased failure rate.

On the streets where blocks are entirely owned by different companies, in stores overflowing with parts you couldn’t imagine existed, he has met a handful of friendly faces, each introducing him to different facets of the hardware world – from Macbook repairs that are officially not supposed to happen, to full-board reverse-engineering services.

If you need a PCB taken apart layer by layer, component by component, carefully imaged, and turned into CAD files, here is where you can get this done. What about a phone? What if you wanted to rebuild a phone? Well, not only can you fully reverse-engineer its PCB here, but they have tons of custom tooling for all the even somewhat popular models.

He glanced at a Huawei phone he’d just recently bought, and decided to use it as a case study. The iFixit diagrams can tell you about every single component on it, but only here can you walk up to a table and see piles and bins full of all sorts of different components for this specific model. Need a specific BGA? Here’s where you get a strip of them for $10.

What if you want to recreate the entire manufacturing process for a specific phone, from schematic to test jig, complete with all the different little parts like custom antennas and shells? That’s where you refer to a reverse-engineering company. This kind of company will take an example board, desolder all components, sand off all layers to get to even the internal copper, and put all that data into a digital format. All passives that are taken off? Measured with an LCR meter. All ICs? Carefully documented, and, again, you can get a strip of them for $10. After a few weeks of work, you get Gerber files and Altium sources you can modify to add any feature the board might be missing. A schematic is usually not included, but you can pay for it to be rebuilt too. And, of course, you get a BOM. Now, this is most of what you need to get a batch of identical phones assembled, starting from just one.

Now, what about if you need some test fixtures for bringup? Here, you can even use a phone of the same model as a test fixture – extend the connectors with separate FPCs, and use that second phone to test any of the different components you might be working on. All of these practices tie into the smaller seller culture, where every part you buy is marked with a seller’s stamp, so you can try and bring it back for a refund if it’s faulty.

[Jose] ends by showing a small curiosity he’s found – an I2C-connected daughterboard for a certain phone lineup, that almost, just barely, fits the SAO standard, with proximity and ambient light sensors on it. If you ever wanted to build a secure phone, you want to understand it, and if you want to understand what makes a phone tick, China will give you insights from the place this phone was born.
