
Isn't the baseband Qualcomm code? Do you think Qualcomm allowed Xiaomi to run their own baseband on it?


Do you think a Chinese company would even ask for permission? :)


You can't exactly do it without permission though. You need to crack the bootloader for the baseband and that's way easier said than done and immediately noticeable.


> You need to crack the bootloader for the baseband and that's way easier said than done

There have been more than enough cases of people poking holes in bootloaders, including secret services. For what it's worth, Huawei and Xiaomi can be considered as part of the Chinese CCP dictatorship and I'd expect them to have access to such exploits.

> and immediately noticeable.

How is a user supposed to notice a modified baseband firmware? The only thing that a user can see is if the device has been rooted, but with a factory-supplied backdoor even that doesn't help.


There's a difference between poking a hole in the device bootloader and the baseband bootloader. The second is wayyy more locked down and has a tiny attack surface.

A user can directly download the baseband image from the chipset using for example QFIL. Then you can check if it's signed with Qualcomm's key or another. Exploiting this would require Xiaomi to hide two baseband firmwares in the baseband firmware which isn't feasible, and it would also require them to completely rewrite the baseband bootloader instead of just exploiting it.

But even then you'd be able to read the eMMC and notice that there are two baseband firmwares. If you want to figure it out, you're free to buy any Xiaomi phone, read the eMMC, and check how many baseband images there are, then you'll be able to definitively know. Let me know if you do it.

When I said immediately noticeable I meant by Qualcomm, not by the end user though. They have contractual obligations to lock down their baseband and their licensing system relies on it so they have a large incentive.
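To make the "read the eMMC and count the baseband images" check above concrete, here is an added example (my own code, not from this thread, QFIL or any Qualcomm tool) that scans a raw eMMC or partition dump for embedded ELF images and lists them. It assumes modem images are ELF files and runs on a constructed dump, not a real device.

```python
# Added example (not from the thread): scan a raw eMMC or partition dump for
# embedded ELF images so you can count how many firmware images it carries.
# Assumption: Qualcomm modem images are ELF files. SAMPLE_DUMP below is
# constructed test data; on a real device you would read the dump from a file.
import struct

ELF_MAGIC = b"\x7fELF"

def parse_elf_header(buf: bytes, off: int):
    """Return (bits, phoff, phnum) for a plausible ELF header at off, else None."""
    if buf[off:off + 4] != ELF_MAGIC or off + 6 > len(buf):
        return None
    ei_class, ei_data = buf[off + 4], buf[off + 5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # (header size, e_phoff format, e_phoff offset, e_phnum offset, phdr entry size)
    ehsize, fmt, phoff_at, phnum_at, phentsize = (
        (0x34, "I", 0x1c, 0x2c, 32) if ei_class == 1 else (0x40, "Q", 0x20, 0x38, 56))
    if off + ehsize > len(buf):
        return None
    phoff = struct.unpack_from(endian + fmt, buf, off + phoff_at)[0]
    phnum = struct.unpack_from(endian + "H", buf, off + phnum_at)[0]
    # Reject "headers" whose program-header table would fall outside the dump.
    if phnum == 0 or phoff < ehsize or off + phoff + phnum * phentsize > len(buf):
        return None
    return (32 if ei_class == 1 else 64, phoff, phnum)

def find_elf_images(dump: bytes):
    """List (offset, bits, phnum) for every plausible ELF header in the dump."""
    found, pos = [], dump.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf_header(dump, pos)
        if hdr:
            found.append((pos, hdr[0], hdr[2]))
        pos = dump.find(ELF_MAGIC, pos + 1)
    return found

def make_fake_elf(bits: int, phnum: int, payload: bytes = b"\x00" * 256) -> bytes:
    """Constructed test data: minimal little-endian ELF header + empty phdr table."""
    ident = struct.pack("<4sBBB9x", ELF_MAGIC, 1 if bits == 32 else 2, 1, 1)
    if bits == 32:
        rest = struct.pack("<HHIIIIIHHHHHH", 2, 0, 1, 0, 0x34, 0, 0, 0x34, 32, phnum, 0, 0, 0)
    else:
        rest = struct.pack("<HHIQQQIHHHHHH", 2, 0, 1, 0, 0x40, 0, 0, 0x40, 56, phnum, 0, 0, 0)
    return ident + rest + b"\x00" * (32 if bits == 32 else 56) * phnum + payload

# Constructed dump: filler, an ELF32 image, a stray magic with a bogus class, an ELF64 image.
SAMPLE_DUMP = (b"\xffJUNK" * 64 + make_fake_elf(32, 3) + b"\x00" * 1000
               + ELF_MAGIC + b"\x09\x00" + b"\x00" * 100 + make_fake_elf(64, 5) + b"\xff" * 512)
```

Two valid images are reported and the stray magic is rejected; a real dump would then still need its images' signing chain checked, which this scan does not do.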


Only when the CPU is Qualcomm, I think. I'm not knowledgeable about the QPST/QXDM scene, but it didn't sound like firmware integrity mechanisms on qcom modems are too tight.


Of course the firmware is only Qualcomm if the modem is Qualcomm.

QPST/QXDM allows you to mess with the modems by sending it commands and changing configs yeah. But if you want to flash the firmware that's something else.

Yeah, the firmware integrity mechanisms are not the best, and there are definitely vulnerabilities in the firmware. But there's still no way of installing unsigned firmware on more recent devices, and I've never come across a way of running unsigned code without it being really obvious.

There was a bug recently that allowed you to edit baseband memory from within the OS, but again you'll never be able to hide that from Qualcomm on a million devices.



