How secure are the Allwinner SOCs we use in our OLinuXino boards?


From time to time customers ask us:

“You are using Chinese SOCs. I’ve heard that the Chinese government forces all Chinese vendors to place back-doors in their SOCs to spy on you. Can you guarantee that your Linux boards have no back doors to spy on us?”

I already posted about the Linux-Sunxi community, which develops the Allwinner SOC mainline Linux support. What I forgot to mention is that most of the SOC feature work and tuning they do is done almost without any official help or documentation from Allwinner, and is based mostly on tips from Allwinner employees and on reverse engineering.

I do remember that the A20 CAN module was not mentioned at all in the Allwinner datasheets at the beginning, and Linux-Sunxi developers found it while hacking the chip.

So I will have to disappoint the people who believe in such myths: no, A20 chips have been around for quite some time now and there is nothing hidden inside. Even the Boot ROM, which resides in the SOC's internal ROM and is executed first, has been disassembled and is known code.

This for sure does not give any warranty that these SOCs are bug-free, or that someone may not later find and exploit some bugs (I already wrote about the level of the SOC software developers in my previous post) to create a back door and install malware or spyware, but this is not done intentionally and IMO is above the capacity of the software developers working at the SOC vendors.

I still do remember that a few years ago Allwinner released an SDK where they had forgotten to remove the debug flags, and if you sent the message “rootmydevice” to /proc/sunxi_debug/sunxi_debug, you got root privileges. But was this intentional and forced by the Chinese government? I doubt it.
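
A defender's check for the debug interface mentioned above, as an added example that is not from the original post or from Allwinner's SDK: it reports whether `/proc/sunxi_debug/sunxi_debug` exists on a system and whether it is world-writable. The function name, the status words and the optional `PROC_ROOT` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a board for the debug node named in the post.
# check_sunxi_debug [PROC_ROOT] prints one status word and sets the exit code:
#   absent     (0)  node does not exist
#   restricted (1)  node exists but is not world-writable
#   exposed    (2)  node exists and any local user may write to it
# PROC_ROOT (hypothetical parameter) defaults to /proc; it lets the check be
# pointed at a constructed directory tree for testing.
check_sunxi_debug() {
    proc_root="${1:-/proc}"
    node="$proc_root/sunxi_debug/sunxi_debug"

    # Node missing: the running kernel does not expose the debug interface.
    if [ ! -e "$node" ]; then
        echo "absent"
        return 0
    fi

    # Node exists. find -perm -0002 matches when the world-write bit is set,
    # which is what would let an unprivileged process write to the node.
    if [ -n "$(find "$node" -prune -perm -0002 2>/dev/null)" ]; then
        echo "exposed"
        return 2
    fi

    # Present but not world-writable: still vendor debug code left in a
    # shipped kernel, so report it separately from "absent".
    echo "restricted"
    return 1
}

# Report for the system this script runs on.
status=$(check_sunxi_debug /proc) || true
echo "sunxi_debug on $(uname -r): $status"
```

Any result other than `absent` means the kernel on the board was built from a tree that still carries the vendor debug code and should be replaced.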

We build our Linux Images from Armbian project sources using their repositories and our images have MD5, so if you load our Linux Images and use them in our boards we are sure there are no back doors. I know the guys who are behind the Armbian project and I can guarantee they do not work for the Chinese government.

Now you can say: if you found an undocumented CAN module inside the SOC, there may be other undocumented modules as well which spy on us. Yes, this is possible, but even if there are such hidden resources the software we run on the SOC does not take advantage of them or activate them; you can always monitor your USB/LAN etc traffic packets and see what information goes outside the chip, and so far, in the 6 years the A20 has existed, no one has ever detected such suspicious traffic.

11 Comments

  1. pvdvlis
    May 14, 2019 @ 12:41:44

    “Everything that can be done in software can be done in hardware”.

    I think it’s not really difficult to make a backdoor in a SOC that does not have to be activated.

    Many people do not trust hardware anymore, that’s a reason we want open hardware. But that’s a long difficult way to go, I hope something like LowRisc will bring real open SOCs. I think Allwinner is usable now, but not the future. I hope Olimex will look at open source SOCs to make boards for them.

  2. SK
    May 14, 2019 @ 20:53:25

    1. “even if there are such hidden resources the software we run on the SOC does not take advantage of them”
    2. “you can always monitor your USB/LAN etc traffic packets”

    1. You don’t need the Linux kernel to know about the backdoors if they have their own firmware 😉 That’s how things like Intel ME work – a separate computing core + ROM with code (compressed).
    2. And these have direct access to the peripherals, so Linux would not have a way to detect the usage of RAM, Ethernet, USB, etc

    • OLIMEX Ltd
      May 14, 2019 @ 21:42:35

      Correct, but there are other tools which can monitor the traffic outside the board.

      • pvdvlis
        May 15, 2019 @ 10:59:41

        You can monitor the traffic outside the board, but you cannot monitor if a “special feature” is listening and waits for some “magic packet” to be enabled.

      • OLIMEX Ltd
        May 15, 2019 @ 11:49:19

        I agree that if someone wants to implement hidden spyware in the silicon it’s possible, but let’s not forget that all these additional features come at a cost in silicon. All Chinese SOCs are designed to be produced cheaply. Adding fancy spyware just adds cost to their silicon. Not to mention they do not innovate too much, they just buy and use IP from ARM. When you sell your SOC for $10-30 like Western SOC vendors do this may not be a problem, but when you sell for $2-3 even a $0.10 price increase eats a significant % of your profit.

    • Christian Nobel
      May 14, 2019 @ 22:57:38

      Re 1. – Raspberry Pi is even worse, I would call it directly scary.

      Read the section “The real brain …”:
      https://ownyourbits.com/2019/02/02/whats-wrong-with-the-raspberry-pi/

  3. Kenny
    May 15, 2019 @ 23:32:02

    I probably wouldn’t trust the RNGs, but then again I wouldn’t trust a non-Chinese one alone either.

  4. name
    May 20, 2019 @ 14:03:26

    > “We build our Linux Images from Armbian project sources using their repositories and our images have MD5”

    MD5 hashes do not provide any security!
    It was shown to be susceptible to certain attacks back in 2004, see https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

    SHA1 is not that much better and should not be used as well, a practical chosen-prefix attack was shown in 2019, see https://en.wikipedia.org/w/index.php?title=SHA-1&section=9#Birthday-Near-Collision_Attack_-_first_practical_chosen-prefix_attack

    @olimex: Please publish SHA256 and SHA3 hashes in the future.
