Hardware Other

EU puts pressure on smartphone manufacturers

In August of 2020, I wrote a post about how smartphone manufacturers fail to provide a long enough period of security updates to the devices they sell. Leaving the market to itself has obviously lead to planned obsolescence being the norm for Android-based devices, where it is necessary to buy a new phone every 2–3 years to stay secure. But things might change for the better. The European Commission is planning to extend [1] its Ecodesign and Energy labelling directive to also apply to smartphone (and similar) products, and with it comes requirements to reparability and minimum security update support period. Currently proposed is a 5 year period for such products, which is great news. Going further, Germany is lobbying [2] to get a 7 year support period for updates and spare parts. It will be interesting to see the outcome of this.

On a personal note, I ended up buying a new Samsung S21 phone, after Sony stopped updates for my two year old Xperia compact. The Samsung phone is too big, but I could not find a better alternative. And I will likely get at least 4 years of updates. I have no need to replace my smartphone every 2 years and contribute to such ridiculous resource waste.


  1. Heise online article (translated to English):
  2. Heise online article (translated to English):
Hardware Linux

Capture images from a webcam using ffmpeg

The examples are for Linux and access the web camera through the Video4Linux2 interface. To control web camera settings, use the tool v4l2-ctl. To list connected camera devices, you can use the command: v4l2-ctl --list-devices. On a typical Debian-ish Linux distro, you will also want to add your user to the video and audio groups, so that you can easily access the webcam from a non-desktop session.

Capture to an image file, continually overwriting it with new contents

ffmpeg -y -f v4l2 -video_size 1280x720 -i /dev/video0 \
       -r 0.2 -qscale:v 2 -update 1 /tmp/webcam.jpg
-f v4l2specify input format explicitly as capture from a Video4Linux2 device
-video_size 1280x720specify video frame size from webcam
-i /dev/video0select input device (a UVC-compatible webcam in my case)
-r 0.2set output frame rate to one per 5 seconds
-qscale:v 2set video quality [JPEG quality in this case], 2 is highest quality.
-update 1Image2 muxer option, enable in place update of image file for each video output frame
Options breakdown

Point the output file to a place served by your web server to make your camera image available on the web. The ffmpeg command will run until interrupted or killed.

Add a timestamp to captured images

ffmpeg -y -f v4l2 -video_size 1280x720 -i /dev/video0 \
       -r 0.2 \
       -vf "drawtext=text=%{localtime}:fontcolor=white@1.0:fontsize=26:borderw=1:x=980:y=25" \
       -qscale:v 2 -update 1 /tmp/webcam.jpg

Here we have inserted the drawtext video filter into the processing pipeline. We use its text expansion facilities to simply render the local time onto each video frame with filter-argument text=%{localtime}. It is placed in the top right corner of the image using the x and y arguments.

Running as background job

You can ssh to the host which has the web camera connected, and start the ffmpeg capture process as a background job:

ffmpeg -y -loglevel fatal \
       -f v4l2 -video_size 1280x720 -i /dev/video0 \
       -r 0.2 \
       -vf "drawtext=text=%{localtime}:fontcolor=white@1.0:fontsize=26:borderw=1:x=980:y=25" \
       -qscale:v 2 -update 1 /tmp/webcam.jpg \
       </dev/null &>/tmp/webcam-ffmpeg.log & disown $!

This silences ffmpeg to log only fatal errors, runs it in the background and finally detaches the process from your [bash] shell’s job control, to avoid it being killed if you log out. A more polished solution would be to create a systemd service which controls the ffmpeg webcam capture process, running as a dedicated low privilege system user.

Creating a time lapse video from a bunch of image files

As a sort of bonus chapter on this post, here is how to create a time lapse video from a bunch of captured image files. Assuming you have a directory with JPEG images named in such a way that they sort chronologically by their filenames (padded sequence numbers or timestamps), here’s how you can transform them into a video.

VP9 video in WebM container:

ffmpeg -y -f image2 -pattern_type glob -framerate 30 -i webcam-images/\*.jpg \
       -pix_fmt yuv420p -b 1500k timelapsevid.webm

H264 video in MP4 container:

ffmpeg -y -f image2 -pattern_type glob -framerate 30 -i webcam-images/\*.jpg \
       -pix_fmt yuv420p -b 1500k timelapsevid.mp4
-f image2Input demuxer is Image2, which can read image files.
-pattern_type globInstructs Image2 demuxer to treat input pattern as file name glob.
-framerate 30Set desired framerate; how many images to display per second in the resulting video.
-i webcam-images/\*.jpgSet input to a glob pattern matching the images files you would like to include in the video. Note that we do not want the shell to expand the glob, but rather pass the asterisk verbatim to ffmpeg.
-pix_fmt yuv420pSet video codec pixel format. YUV420p is selected to ensure compatibility with a broad range of decoders/players.
-b 1500kSet desired bitrate of video file.
Options breakdown

Note that all input images should have the same dimensions. Otherwise, you will likely have to add more options to ffmpeg to transform everything to a single suitable video size.

The resulting video files will be suitable for publishing on the web using the <video> tag.


Sony+Android is a security failure

My last couple of smart phones have been Sony Xperia compacts, the latest being an Xperia Compact XZ1. It is a robust piece of hardware, and it has a perfect size, with its 4.6 inch screen. I dislike big smart phones, and since they are just getting bigger every year, I plan on keeping my current phone for as long as possible. This might prove difficult, due to Sony’s lack of product support. It is already well known that Android is a failure when it comes to phone manufacturers not supporting their products with software updates for a reasonable amount of time, especially within the category of security fixes. This is just another example of the sad state of affairs, I guess.

The phone currently runs Android 9 using the latest Sony firmware version 47.2.A.11.228. Security patch level is dated September of 2019, which means my phone is missing a year’s worth of upstream security fixes to the Android operating system. For example high severity Bluetooth vulnerabilities listed on the February 2020 security bulletin like CVE-2020-0022 (aka “BlueFrag”):

On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).

My phone is a critical device in my every day life, and having it hacked like this would certainly lead to a miserable few days. So now I must rigidly remember to keep Bluetooth off, which is inconvenient at best. And I must assume that many of the vulnerabilities listed from October 2019 and going forward, apply to my phone.

Sony customer support

I had picked up information that Sony was cutting support for my phone model early in 2020. Normally I would not bother interacting with large corporation customer support channels, but this time I was annoyed enough to fill out the form. As expected, it was a pain, and the form post failed a couple of times with server side errors. But eventually I got it through and then didn’t hope for anything. After all, attempting to communicate with big corporations is like screaming directly at /dev/null.

My question was regarding the security patch level of my phone and when Sony was planning to fix it, pointing out the Bluetooth vulnerabilities. Very simple. This is the first response I got, translated from Norwegian:

Thank you for contacting Sony Support. It worries us that you are worried about the update. I have confirmed your IMEI number. Your phone is running the latest version of Android. I will forward your question to a specialist to get the best possible information, and for this I need you to answer a couple of questions: 1) which mobile network operator are you using ? 2) regarding your question about security, are you using any Bluetooth accessories ?

Response #1, 22 May 2020, from Sony customer support Norway.

I followed up by providing the information requested. The second response came about a week later:

Thanks for your patience regarding the response time for your question. We understand that you are worried about the mentioned [Bluetooth] vulnerability. Today I have received a reply from a [person] responsible for this at our place, and we have no more information regarding the [firmware] update in your question.

Response #2, 1 June 2020, from Sony customer support Norway.

I am not surprised by this response, nor am I amused. The answer was too vague, so I decided to push them a little harder, by simply asking “does this mean Sony will not fix the mentioned security issues on this phone model ?”. About a week later, the third response came:

Thank you for your email. This is a question related to product development. Unfortunately we cannot answer questions directly related to product development.

Response #3, 30 June 2020, from Sony customer support Norway

At this point, customer support stops providing any references to my actual case and responds with some rubbish about product development information policies. While they could have simply said “no more soup for your phone model” in the very first response, this instead looks more like an attempt to hide behind hazy replies and using stalling tactics.

After some time, I decided to have another go, since I have an allocated case number, and it only requires me to send off an email. This time I state that I am not asking Sony to divulge any internal product development information, along with the following question: “How should I as and end-user deal with this situation, considering the security issues at hand ? Do you recommend continued use of the phone ?”. A day later another response arrives:

We cannot at this time confirm when the next update will happen for this model.

Response #4, 25 August 2020, from Sony customer support Norway

There is really no point in continuing this conversation. I replied with a simple statement of disappointment. Sony later replied with a confirmation on support period, finally:

We would like to inform you that updates on our phones stop after two years, since that is the end of the Sony product warranty period. Of course you still have the customer warranty for this product.

Response #5, 25 August 2020, from Sony customer support Norway

Ok, apparently I have a useless customer warranty on a product with security issues that will never be fixed ? Case closed.

There needs to be a distinction between product warranty period, and product lifetime and security support. A smart phone needs software updates beyond a measly two year period after product launch, just like a regular computer operating system does. Otherwise users are put at risk due to lack of security fixes.

Wasted hardware

I purchased the phone brand new in February 2018. Sony ended its software support for the model with the last update in September 2019. That’s less than two years of support since time of purchase. And my phone is in excellent condition. The built-in battery still has great capacity, the screen is mostly free from scratches, and everything works fine. The hardware is easily capable of running Android 10, and I’m willing to bet also Android 11, to be released later this year.

The hardware has a lifespan that greatly extends beyond the period that Sony is willing to provide security updates for the device. So the end user is forced to either buy a new device prematurely, or risk the consequences of continued use with an increasing number of security vulnerabilities appearing every month. Manufacturers of Android based devices really need to wake up and take responsibility for their products, their customers and the environment. Because that is certainly a guarantee today with Android: you will be left behind if you take good care of your phone and want to keep it for several years.

What are my options ?

In order of likelihood.

  1. Install a custom Android ROM like Lineage OS. But it requires work and time and comes with no guarantees that things will function properly. I am especially concerned about hardware quirks and driver issues. (Still thinking about it, though.)
  2. Continue using the outdated Sony firmware, while limiting risk by keeping Bluetooth off and taking other precations. This is where I am currently at.
  3. Buy a new Android phone. But they are all too big these days, and I am tired of the bad support.
  4. Buy a “dumb” feature-phone and leave oversized smart phones behind. The options are limited. But I suspect I would manage just fine without phone apps in my life.
  5. Buy an iPhone. I’ll give credit to Apple for their device support with software updates over time, and also selling smaller form factors. But I can never be part of Apple’s walled garden, so this is not a realistic option.