Project

General

Profile

S-boot exploitation

Added by Jack K over 6 years ago

Hi all,

I read an interesting blog post about an approach that could be useful for booting Samsung devices without the TrustZone bits. I was wondering if anyone else might enjoy reading it, and might consider taking their approach to attempt liberating the bootloaders in the Samsung devices supported in Replicant? Just a thought. Anyway, link below. Do share your thoughts, people.

https://hexdetective.blogspot.co.uk/2017/02/exploiting-android-s-boot-getting.html

All the best,

Jack


Replies (14)

RE: S-boot exploitation - Added by Kurtis Hanna almost 6 years ago

Thanks for the post!

I should mention that https://forkwhiletrue.me/ has replaced all or some of s-boot with u-boot mainline on the i9300.

He posted 'U-Boot 2018.03-i9300-00017-gae73efb436-dirty (Apr 27 2018 - 16:12:54 +1000)' in the Replicant IRC and said he likely will do a blog post about this once he gets it fully working.

RE: S-boot exploitation - Added by Jack K almost 6 years ago

Exciting stuff! Can't wait for the blog post.

J

RE: S-boot exploitation - Added by Daniel Kulesz over 5 years ago

Simon recently posted an update, sounds really promising:

https://blog.forkwhiletrue.me/posts/an-almost-fully-libre-galaxy-s3/

RE: S-boot exploitation - Added by Kurtis Hanna over 5 years ago

Thanks for posting that Daniel! Super exciting! I wonder what this means, "It's also worth mentioning that LineageOS/Replicant will boot under u-boot with a kernel compiled without CONFIG_ARM_TRUSTZONE set, but the display will not work (probably because u-boot does not initialise the display)."

I asked Simon on IRC, "Do you think that u-boot can initialize the display if someone works on it, or do you think it is more likely that we won't be able to get LineageOS/Replicant to work with u-boot on the i9300?". I'll post his response here.

RE: S-boot exploitation - Added by shuckle fisher over 5 years ago

This is great stuff!

RE: S-boot exploitation - Added by Daniel Kulesz over 5 years ago

@Kurtis Hanna: Any news regarding the display issue?

And if I understand this correctly - if we were able to boot using u-boot, we could finally disable the Heimdall security hole? Or is heimdall mode independent from the boot loader?

RE: S-boot exploitation - Added by Kurtis Hanna about 5 years ago

I just added this issue on the tracker related to u-boot: https://redmine.replicant.us/issues/1906

RE: S-boot exploitation - Added by Kurtis Hanna almost 5 years ago

I don't think that forkbomb is updating his website to reflect the recent work on this, so here is a link to the newer commits that he pushed on github: https://github.com/fourkbomb/u-boot/commits/midas-2019.04

RE: S-boot exploitation - Added by Daniel Kulesz almost 5 years ago

Oh cool, thanks for sharing - didn't see that! As far as I can see from the commits the usb network console seems to work already? No mentioning of the screen, though. Any brave souls here who want to try it out?

RE: S-boot exploitation - Added by Kurtis Hanna almost 5 years ago

I really don't know the answer to the screen question, but I think that maybe it works with the mainlined kernel, but doesn't work with the older modified Samsung kernel that Replicant 6.0 uses. If someone else could chime in and provide a better understanding of the situation that'd be great.

RE: S-boot exploitation - Added by Kurtis Hanna over 4 years ago

Here's another Exynos S-boot exploit that might be able to be ported to the devices that we support: https://wikileaks.org/ciav7p1/cms/files/cadmium.pdf
It was released by Wikileaks in their Vault 7 publications.

RE: S-boot exploitation - Added by Jack K almost 4 years ago

I don't know if this is a separate exploit from the Cadmium one, but has been blogged about recently (link to blog in the Readme):

https://github.com/frederic/exynos-usbdl

It gets the Exynos BootROM to boot unsigned bootloader images. First step involves a hardware mod, but the author says software can be used (without going into detail). It is confirmed to work on Exynos 8890 & 8895 SoCs. Hopefully it is present in Exynos4. The code has to be delivered over USB - but maybe the SD card could be used instead if the exploit is modified? I don't know. If it works on Exynos4, and if SD card can be used, (a long shot, perhaps?) this would be a way of getting mainline u-boot (and therefore mainline linux) to work on Replicant-supported Exynos devices, wouldn't it? No proprietary BL1 needed...

EDIT - software method now detailed in the readme.

    (1-14/14)