HTC Willfully Violates the GPL in T-Mobile's New G2 Android Phone (freedom-to-tinker.com)
138 points by peter123 on Oct 11, 2010 | 51 comments

What I don't understand is why phone manufacturers are even worried about rooting. If it's about service and warranty, they can simply make it clear that replacing the OS voids the warranty and they won't provide service for the phone.

Besides warranty and service costs, what else are they so worried about that they feel it necessary to add these protection measures?

Surely the percent of customers that root/mod a phone is so small that it's not worth the man-power and engineering to try to "fix" the problem. It seems there must be some other concern they are trying to resolve that escapes me.

Most people preaching the benefits of rooting make a very compelling case. And often this case is to very dumb people. Dumb people like to complain. Loudly.

Remember from their perspective, 99% of all the feedback they get back (that they don't have to pay for) is negative. Therefore, they are solely concentrated on reducing that negative feedback by preventing failure in the first place. They view these protections as a way of doing that. It reduces the need for a larger support department and therefore their bottom line.

Of course, this ignores the fact that by making the methods for circumventing these protections more complex, they are creating a more error-prone process, and therefore a large support volume. But whatever, I didn't say it had to make sense.

The same is true of bookshelves, cordless drills, computers, and anything else that people can buy. Someone will always find a way to fuck up the assembly, modifications, or general use. But there is no EULA on my bookshelf saying I can't modify it.

So why are mobile phones different?

(My guess: "because we can". Nobody has figured out how to make a bookshelf that I can't put something too heavy on. But people have figured out how to ensure I can only run Verizon's adware on my phone, so they don't cripple my bookshelf but they do cripple my phone. Follow up question: why does the market allow this? Nobody would buy a crippled bookshelf with an EULA.)

Before and at the time of purchase most people don't think about the EULA or its consequences. It's merely part of the shrink wrap that needs to be removed to enjoy the shiny new product.

Perhaps if it were something consequential instead of something to click through it would actually affect people's habits.

Most EULAs are atrocious. I shouldn't need to hire a lawyer to buy a consumer product.

The people making these products probably don't want them heavily enforced either. If things actually got to that point nobody would buy their products.

I think they like the current status: you technically owe them your first born but still buy their products. If you do anything they don't like, they can stop you. But people still buy their stuff. It's the best of both worlds for them.

"The people making these products probably don't want them heavily enforced either. If things actually got to that point nobody would buy their products."

That's exactly my point. There currently isn't anything that forces the consumer to realize what they are getting themselves into. If they did, they probably wouldn't be buying the products.

Is your follow-up question rhetorical? Nevertheless: the market isn't rational. Plus people are used to skipping over EULAs and not reading contracts. Plus the people that actually care are a minority. Etc. etc.

Carrier control, most likely. I'm sure HTC are being lobbied hard by carriers who want to be able to use artificial restrictions to segment their offerings.

Exactly. Phone manufacturers are in the pocket of the carriers (as Google proved with the Nexus One, you can't sell phones without carrier relations) and carriers don't like rooting as it limits their options to block certain software and services (e.g. VoIP / tethering).

Perhaps it's setting things up for the future, but the carrier in question here, T-Mobile, is notable for its openness in not blocking tethering or VoIP.

I should imagine the decision about how much protection is applied to the system is made long before the device is accepted on various carriers. Ok, this is a 'made for T-mobile' device, but it's likely it will appear in almost the same form on other carriers under another name and HTC branding. So, it would be easier to build in the protection other networks want at this early stage.

It needn't be T-Mobile to have prodded HTC in this direction. In fact, it's more likely to have been another carrier who said "We'll only start to carry this phone if you lock it down like this."

I guess it's because virus writers also try to root the devices to install rootkits. I'm quite in favor of requiring hardware mods (although I'd prefer a jumper...) to modify the OS.

Pushing the jumper idea further, it should hard reset the phone from read only memory when flipped back to "not root".

But they can do that now already, just like the regular phone-rooting hackers.

The article mentioned that the new version needed hardware hacking to root. Maybe at one point a software hack will be found, I don't know. I'm just saying that there is a legitimate reason to lock down the software, especially for a mass market product like a phone.

Has anyone really ever seen a real phone virus?


You'll note it only hit jailbroken iPhones.

Is it really a virus if it has to guess your root account's password to work?

Yes it is. It takes advantage of a known vulnerability to spread.

You can't expect a non-technical person to understand the importance of strong, unique passwords. Most people can't remember more than one (and a simple one, at that).

I don't really see from that article what the issue is. It just tries to SSH into your phone, and if you left the default root password, ta-da, it's in; then it tries to use your phone to SSH into other people's phones.

Is there some part of the story missing here? The only vulnerability I see is that foolish people are allowed to run SSH servers on their phone.

Well if you don't see the potential vulnerability in that, I guess there's no point arguing. Back when Linux distros shipped with all services enabled out of the box, and sometimes with default passwords, people used to say "oh that's not a real problem, it's the stupid users." Well maybe so, but that doesn't reduce the amount of rooted boxes. So as people wised up, and the hardliners were told to shut it, things moved to 'secure out of the box' (for some definitions of 'secure') setups. Hardware-locked phones are the next step of that. There may be (misguided) commercial interests in trying to control the software; most real-world issues with a higher complexity than 'what will I have for breakfast' are multi-faceted. All that said, there is a real case to be made to control the setups of devices that are supposed to 'always work'. That's all.

It may be a small minority of people rooting their phones but from the carrier perspective they're the ones who would otherwise be willing to pay $20-$30/month for a wireless tethering plan.

This is the same false perspective as the RIAA believing a pirated copy equals a lost sale though, and we've seen how well that has worked out.

Even saying "No" costs money. Plus, some customer's tech buddy / kid will do the "upgrade" for them to make the phone "better", the customer will encounter a problem, and then the carrier's support explanation of rooting will make no sense. How often have you seen someone help someone else by changing some settings on their computer?

Often, sure. But that's no excuse for locking people out of their own hardware. Mobile platforms are the future computers for many people, and we simply cannot accept a future where the carriers and manufacturers control all aspects of computing.

I think the carriers are afraid of becoming commoditized; if their phones are open, then they really are nothing more than an ISP. If they had to compete like ordinary ISPs, price for bandwidth would become the primary selling point, and that eventually becomes a race to the bottom.

Call them, and demand that your complaint be escalated. Call back daily until this is fixed. Unlike emails, which can be disregarded, phone calls cost money to process. This means that the FOSS community can impose a financial cost on non-compliance without going through the courts.

I just got off the phone to HTC Australia, and apparently they'll be getting in touch. If everyone did that ...

Just bring legal action or ask the SFLC to investigate.

Only a copyright holder can bring legal action in this case. If you're just a customer, you can't bring action by yourself, as you're not a party to the violation or license agreement between HTC and the copyright holder(s).

If you've bought a G2, you are a copyright holder for the code in question.

If you buy a copy of a copyright-able work, you are a licensee. The "copyright holder" is the person who owns the legal ability to specify and grant the rights under which the work may be copied.

In the UK at least you are looked on far more favourably in the event that something does go to court if you have a paper trail of having made reasonable efforts to find a solution prior to going the legal route.

"Just bring legal action" - sadly, for most people, 'just bringing legal action' is not quite as simple as you make it sound. Not least in terms of expense.

This has only become an issue because of the new security permissions on the phone. If the phone was easily hackable nobody would be complaining.

That said HTC played some mean tricks here, such as releasing the source for the HTC Magic with bits and pieces of the Vision source clearly removed. At the same time while we were trying to reverse engineer this code and the binary we saw major inconsistencies even though the disks are the same model and spec.

They (HTC & TMO) really made it hard this time, but once we figure out how this works once it will likely be just as easy to hack as before.

Blog posts do not help. Take them to court.

Blog posts absolutely do help.

Good argument.

Just stating the obvious.

"within 90 to 120 days"

Maybe this tactic has something to do with product life cycle though I can't think what. Surely a phone has a longer shelf life than 3 months . .

Lately, the window of time for which a new Android phone remains the new hotness is one or two weeks. Sometimes no time at all, as a better phone will be released before another has even made it to market.

Well it may not necessarily be malicious. Maybe the developers responsible for say preparing the source tarball properly have just been given a lot of other pressing work.

There is no preparing. They don't own the code. They need to release it in exactly the same state it was in when deployed as binary. Otherwise, they are violating copyright (often referred to as pirates).

That said, I'm almost certain that the Linux kernel is released under a modified form of the GPL, or at least Linus refuses to enforce parts of the GPL. Binary modules and blobs are a clear violation of GPL, but they exist in the Linux kernel to a great extent. There has been some fighting over the issue in the past.

At any rate, I know that Linus is not as adamant about freedom as RMS. He's using the GPL as a tool and not a principle. There was the whole Tivo-ization argument, where Linus supported the hardware manufacturer and RMS released GPLv3 explicitly forbidding that type of stuff.

> That said, I'm almost certain that the Linux kernel is released under a modified form of the GPL...

Nope, it's standard stock GPLv2-only. There's a clarification included in the COPYING file that reminds people that userspace binaries that use the documented system call interface are not considered derived works, but that's not a modification of the license; it's just included for clarity reasons.

> or at least Linus refuses to enforce parts of the GPL.

Not entirely. He's stated that he doesn't believe that a kernel module is automatically a derived work of the kernel. For example, he's of the opinion that the nvidia binary driver is not a derived work of Linux because the driver core was first designed and written for a completely different OS.

Regardless, Linus Torvalds is not the last word on this: just about any kernel contributor with copyright ownership could file suit.

> There is no preparing. They don't own the code. They need to release it in exactly the same state it was in when deployed as binary. Otherwise, they are violating copyright (often referred to as pirates).


Apparently it is a plain GPL, but it is not enforced. I don't know if HTC has modules in the kernel that aren't specifically written for the Linux kernel, but I would find that hard to believe. I'd be very surprised if it was enforced in the circumstance.


I wonder where they got the "within the requirements of the open source community". It doesn't sound like something they would just make up.

Sounds like something their lawyers made up, perhaps?

The first comment on the post has a pretty relevant paragraph, which I think sounds plausible: Section 3(b) allows you to provide a written offer for source. I think HTC is interpreting this to mean that if you respond to their written offer for source, there's obviously going to be a delay for them to get your written request, put together the source code and send it back to you, and they've decided that 90 to 120 days is a reasonable amount of time for that.

The commenter also says it seems this is pushing it, and I agree - but HTC's lawyers clearly think it's worth the risk.

Although further comments point out that there was no written offer provided, so that section is irrelevant.

Which is surprising how? Android's aim has always been to be open for manufacturers and providers. The user-wise openness is an implementation detail and may or may not be there.

And the more time passes, the better manufacturers and carriers get acquainted with the platform, the less common Android devices will be open as far as the user is concerned.

> The user-wise openness is an implementation detail and may or may not be there.

This is not an implementation detail for the GPL.

If Google really wants Android to be open sourced, then it should be open source for users too, not just carriers. I'm pretty sure HTC did something illegal here.
