Some initial information about Trustzone on smdk4412 devices
There are various news stories from some years back reporting that the Galaxy S3 is the first Exynos device generation with a TEE implementation called Mobicore. My research so far confirms this claim, but there is more that needs to be checked.
Mobicore has some user space parts (not included in Replicant), a dedicated kernel driver, and the TEE OS itself seems to be called Mobicore OS.
Some background information: https://www.sensepost.com/blog/2013/a-software-level-analysis-of-trustzone-os-and-trustlets-in-samsung-galaxy-phone/
Its main and probably sole purpose on factory images is DRM related: it is linked to the PlayReady trustlet used by the Samsung VideoHub app.
Kernel side
The kernel has the config CONFIG_ARM_TRUSTZONE. It is enabled for i9300 and n7100, but not for i9100 and n7000. The i9300 does not boot with a kernel that has this config disabled.
There is also the config CONFIG_EXYNOS_CONTENT_PATH_PROTECTION, which is probably needed for the video DRM.
The Mobicore driver resides in drivers/gud and is in charge of talking to the TEE. I have only skimmed over the code so far, but it seems to contain some useful information about the interface.
What could be done to improve the situation:
Partitions
The EFS partition contains some files related to the PlayReady trustlet in drm/playready.
Mobicore OS seems to have its own partition, called TZSW. If this partition is not present on i9100 and n7000, that may be another hint that no TEE implementation is running on these devices.
PIT print from heimdall:
--- Entry #1 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 81
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 1734
Partition Block Count: 312
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: TZSW
Flash Filename: tz.img
FOTA Filename:
Running strings on the tz.img from a factory image reveals strings confirming that it contains at least parts of Mobicore OS:
MobiCore/MTK: ### SYSTEM HALT, code=%x
*** <t MTK, Build: Oct 3 2013, 15:42:44 ***
*** jenkins-Samsung-Pegasus-Release-Rebuild-27 ###
RTM Exception: ### MOBICORE HALT ###
CR Exception: ### MOBICORE HALT ###
SIGABRT: Abnormal termination
: Heap memory corrupted
SIGRTMEM: Out of heap memory
tbase-200_Exynos_4X12_V006_Patch1
N10__cxxabiv117__class_type_infoE
N10__cxxabiv117__pbase_type_infoE
N10__cxxabiv119__pointer_type_infoE
N10__cxxabiv120__si_class_type_infoE
N10__cxxabiv121__vmi_class_type_infoE
N10__cxxabiv123__fundamental_type_infoE
St10bad_typeid
St13bad_exception
St9exception
St9type_info
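As an added example (not part of the original notes, and not code from Replicant, Heimdall or Mobicore), the following Python script parses the Heimdall PIT entry printed above into a dict, converts the block fields into byte offsets, and runs a minimal strings-style triage over an image to check whether it carries the MobiCore/t-base markers listed above. It assumes that Heimdall's block fields are counted in 512-byte sectors (an assumption; check the Heimdall source for the unit your version uses) and uses a constructed sample blob in place of a real tz.img.

```python
"""Parse a Heimdall PIT entry and triage a TZSW image for MobiCore markers."""
import re

# Assumption: Heimdall's PIT block fields are in 512-byte sectors.
SECTOR_SIZE = 512

# MobiCore / t-base markers taken from the strings listed on the page.
MOBICORE_MARKERS = (
    b"MobiCore/MTK",
    b"MOBICORE HALT",
    b"tbase-",
)

# The PIT entry as printed by Heimdall (copied from the notes above).
PIT_ENTRY_TEXT = """--- Entry #1 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 81
Attributes: 5 (Read/Write)
Update Attributes: 1 (FOTA)
Partition Block Size/Offset: 1734
Partition Block Count: 312
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: TZSW
Flash Filename: tz.img
FOTA Filename:
"""

# Constructed sample image: two of the page's strings embedded in padding.
SAMPLE_TZ_IMG = (
    b"\x00" * 64
    + b"MobiCore/MTK: ### SYSTEM HALT, code=%x\x00"
    + b"\xff" * 32
    + b"tbase-200_Exynos_4X12_V006_Patch1\x00"
    + b"\x00" * 64
)
# Constructed "dummy" image with no content, as a bootloader might reject.
DUMMY_TZ_IMG = b"\x00" * 256


def parse_pit_entry(text):
    """Turn one '--- Entry #N ---' block into a dict, adding byte offset/size."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue  # the '--- Entry #1 ---' header has no colon
        entry[m.group(1).strip()] = m.group(2).strip()

    def leading_int(key):
        # "5 (Read/Write)" -> 5, "1734" -> 1734
        return int(entry[key].split()[0])

    entry["byte_offset"] = leading_int("Partition Block Size/Offset") * SECTOR_SIZE
    entry["byte_size"] = leading_int("Partition Block Count") * SECTOR_SIZE
    return entry


def find_printable_strings(blob, min_len=8):
    """Minimal 'strings' equivalent: runs of printable ASCII of >= min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def find_mobicore_markers(blob):
    """Return every printable string that contains a known MobiCore marker."""
    markers = [m.decode("ascii") for m in MOBICORE_MARKERS]
    return [s for s in find_printable_strings(blob)
            if any(marker in s for marker in markers)]


def looks_like_mobicore_image(blob):
    """True when at least one marker is present; a dummy/empty image yields False."""
    return bool(find_mobicore_markers(blob))


if __name__ == "__main__":
    entry = parse_pit_entry(PIT_ENTRY_TEXT)
    print("%s -> %s at byte offset %d, %d bytes" % (
        entry["Partition Name"], entry["Flash Filename"],
        entry["byte_offset"], entry["byte_size"]))
    for name, blob in (("sample", SAMPLE_TZ_IMG), ("dummy", DUMMY_TZ_IMG)):
        print(name, "markers:", find_mobicore_markers(blob))
```

On a real dump, replace the constructed blob with the bytes read from the device (or from the factory tz.img), and use the byte offset and size from the parsed entry to locate the partition if a raw eMMC image is available. A blob with no markers is what one would expect from an empty or "dummy" TZSW image of the kind the bootloader string above complains about.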
The bootloader performs some checks on the TZSW partition. Relevant strings from the bootloader:
s5p_check_tzsw
%s: invalid tzsw type! dummy?
I was not able to access the TZSW partition from Replicant; it seems to be hidden. I also couldn't make heimdall accept a modified or empty tz.img. It would be interesting to know whether the system boots with a non-functional TZSW image. Another option would be to patch Heimdall to make it possible to format the TZSW partition.