Replicant

The primary and secondary bootloaders are closer to the BIOS. The early stages setup the hardware, they chainlaod each other (primary bootloader chainloads the secondary, etc) and in the end, the last bootloader loads the kernel with a given cmdline from a specific location. This last part is more like what GRUB does.

I am betting that installing the wrong primary or secondary bootloader onto a device could well brick it.

It's actually even worse: the bootloaders are signed, so not only do they have to be device-specific and work correctly, but they also need to be signed with a particular key from the manufacturer. Sometimes, we even have the source code for the bootloader but cannot rebuild it and install it on the device because we cannot sign it. Any attempt to install such a build would brick a device (and we know that for sure since we tried). There are sometimes ways to recovery (after modifying one byte in a string on the bootloader image, the device was bricked and GNUtoo had to unsolder some resistors to make it boot from UART, where he sent a signed bootloader to make it boot).

My question is if it is possible to buy used device that is infected and not have a way to "re-install the BIOS" for lack of better wording. If that were the case then potentially any MOD that I were to put on to the device would still lend it to being compromised in a similar way to a rootkit virus?

Frankly, I don't think there are viruses for bootloaders on Android devices, because mostly, the userspace doesn't have the rights to flash the booloader partition. It could happen when installing a community ROM that would ship with its own bootloader though (but a community ROM shipping with a bootloader is very suspicious). But in any way, bootloaders are non-free, so they should be considered compromised and being just as bad as viruses. If you seek security, these devices are far from perfect.

I am a complete noob so I apologize if these problems don't exist in the mobile space or are already solved. My only frame of reference is the traditional x86 experience.

Your questions are relevant, it doesn't feel like you are asking anything obvious.

Thank you Paul. I have looked all over and only found systemic information about the Android boot process that referenced an Initial Program Loader (IPL) that handed over control to a Secondary Program Loader (SPL). Just curious, are those the canonical names of the Primary and Secondary bootloaders that I saw originally in the heimdall tutorial I found on-line?

Just wanted to say thanks again. I looked all over and only found info on the boot process, but never anyone who addressed the security & privacy issues with the bootloaders.

Thanks.

I have looked all over and only found systemic information about the Android boot process that referenced an Initial Program Loader (IPL) that handed over control to a Secondary Program Loader (SPL). Just curious, are those the canonical names of the Primary and Secondary bootloaders that I saw originally in the heimdall tutorial I found on-line?

The bootloaders are very device specific. On some platforms, there is only one bootloader that is in charge of doing all the work, and sometimes, there are 3 different bootloaders (and maybe more). How they are called changes from a platform to another. On the Samsung exynos platform, they are usually called PBL and SBL for Primary (or Primitive sometimes) BootLoader and Secondary BootLoader. Also the very first piece of software that is executed (read-only binary that is burnt in the SoC) is called the iROM (on exynos) or the bootrom (on omap), etc. So names change, but what they do is essentially the same thing.

Thank you and thanks for the detail. I appreciate it.

Sean's concern is in fact valid and I also thought about similar things in the past. When considering security, the first question here is: what is the threat? In your scenario, I think you can consider two possible threats:

1.) The manufacturer of the phone or some software vendor in between the production chain has put a compromised bootloader on your device.
2.) The previous owner of the device (or some software he installed unintentionally) has compromised the bootloader, the firmware or other parts of the device

Obviously, the most expensive way to exclude the second threat is not to buy used phones. But as Paul has explained, it seems to be very hard to put anything else than the manufacturer's bootloader on the phone, so as long as you reflash all the other parts your phone should be software-wise pretty certainly in the state as if you bought it as a new device.

Now there is another concern with used, non-nexus devices: The ROMs contain many blobs (which don't need to be signed), but the vendors usually don't distribute them for reinstalling (the nexus devices are an exception here). So in case you want to use the blobs (i.e. use GPS or Wifi on certain Replicant-supported models) you would need to find a trustworthy source for obtaining these blobs. Of course, the blobs are also contained in other aftermarket firmware distributions like CyanogenMod, but I don't have the impression that they put effort into assuring that these blobs are not compromised. The blobs are basically extracted and published by individual ROM developers. This approach is questionable from the legal perspective as well, since phone manufacturer's usually prohibit publishing the proprietary software they shipped within the devices. That's probably the reason why other projects like i.e. FirefoxOS don't publish pre-built ROM images since they would be either partly functional (like Replicant) or legally questionable (like CyanogenMod).