A state (or a carrier, in theory) doesn't need RCEs to do this. In every phone, the "actual phone", what talks to cell towers, is a separate system called the baseband. It is a full computer, with storage, memory, encryption, ... and it is under the control of carriers and, through them, of law enforcement and the like. It is also where the microphone and, mostly, the cameras are connected. The baseband then passes them through to the UI, like Android or iOS. It's how carriers enforce disabling Wi-Fi when mobile data is active unless you pay extra, for example.

But it can copy the sound of a phone call to separate channels, or copy the data being sent (even on Wi-Fi), or it can activate emergency messages or broadcasts. It can also transmit audio and video when the phone is not actually in a call. That sort of thing.

In practice there are a great many different basebands, and of course most states couldn't be bothered to actually write a decent system to use them (well, they tried forcing carriers to do it for them, but anyone who ever worked at a large carrier on a big project can tell you how that went), so only lowest-common-denominator features are accessible in practice. That means location and getting audio. But nothing is stopping countries from implementing more. I bet the NSA has something with a lot more features, for example.

> and it is under the control of carriers

No, the only part where carriers can run arbitrary code is on the SIM card, which can only run Java Card applets.

> It can also transmit audio and video when the phone is not actually in a call.

Source? AFAIK both iPhones and Pixels have discrete modems, which means the baseband is separated from the main processor and communicates with it via some sort of bus. It's unclear how the baseband would be able to get arbitrary audio/video when it's isolated in this manner.


Look, obviously the baseband is under the control of carriers. That's required since they manage spectrum; you know, AT&T's "one phone could disrupt service for an entire neighborhood" argument. Which is true, btw.

This includes the power to upload code to decide which channels and timing to use.

Then it was decided to use this for law enforcement, and so audio was routed through the baseband. Other things were for carriers, like SMS management (including deleting SMS that were already shown to the user). Both to prevent apps from listening without the baseband's agreement AND to listen in without the agreement of the apps.

The limit on this is that there are already many different basebands, and of course neither carriers nor states could be bothered to actually implement the backend necessary. I'd bet good money the NSA has one, though.
