Project

General

Profile

Actions

Bootloaders

Introduction

In order to run free software bootloaders, we need the ability to run the code we want at boot. However in most smartphones and many tablets use code signature at boot, which prevent us to run free software bootloader.

This usually works by hardcoding the hash of a public key either in the rom code that loads the bootloader, or in one time programmable fuses that are then used by the rom code to check the bootloader.

If the signature don't match, the bootloader is not executed, so the device can't boot.

In practice:
  • Some system on a chip either don't implement code signature or the implementation is not used or tested.
  • For some other system on a chip, it's up to the device vendor to choose to implement code signature or not.
  • For some system on a chip, we don't know any devices not enforcing code signature, but we don't know who decided to enforce the code signature.
  • Some device vendors might use default key that are part of the software to sign bootloaders.

Devices configurations

Device and documentation Bootloader freedom situation Boot order
Samsung Nexus S (GT-I902x) Proprietary, Signed on the tested devices ?->USB->?->eMMC->?
Samsung Galaxy S2 (GT-I9100) Proprietary, probably Signed ?
Samsung Galaxy S2 (GT-I9100G) Signed on some devices
No unsigned devices found yet
?
Samsung Galaxy Tab 2 Proprietary, signed ?->USB->?->eMMC->?
LG Optimus black (p970) Unsigned, can be replaced with upstream u-boot eMMC(MMC2)->USB
Galaxy SIII (I9300)
Galaxy SIII 4G (I9305)
Galaxy Note II (N7100)
Galaxy Note II 4G (N7105)
* Proprietary, Signed
* There is work in progress to understand if we can avoid bypass the signature checks
?->eMMC->?->USB->?
Golden Delicous GTA04 Unsigned, free software * Aux not pressed during boot: ?
* Aux pressed during boot: ?->SD->?->NAND
SYS_BOOT0 = 1
SYS_BOOT1 = 1
SYS_BOOT2 = 1
SYS_BOOT3 = 1
SYS_BOOT4 = 1
SYS_BOOT5 = AUX button
SYS_BOOT6 = 1
But cannot find Reference manual for the DM370
Pinephone Unsigned free software
Librem5 Unsigned bootloader, nonfree DDR4 controller firmware
Other devices with free software and unsigned bootloaders:
  • Openmoko GTA01 and GTA02: cannot run Replicant (only has 128M of RAM, armv4t).
  • Many single board computers: They are not very practical to use as a smartphone or tablet, though they could be added along the way to Replicant 9 if there is some interest
  • Older PDA like the OMAP4 Blaze: Check if they can easily be found: they were very expensive. Also check the upstream status. See TargetsEvaluation for such devices.
Other:
  • Optimus 3D: There is probably a leaked key for signing the bootloader
  • FindDevicesWithUnsignedBootloaedrs: Project to find devices with free software bootloader at a very large scale

System on a chip

SOC and documentation Freedom situation
OMAP * No known bug
* Some devices are not signed
* Undocumented? (probably a very good sign if it's the case)
Exynos 4 * Some or all devices are signed
* work in progress to understand if it's possible to bypass the signature
BroadcomVideoCore The SOCs have the ability to check signatures
TegraBootrom * Not all devices use code signature
* Boot from USB is possible thanks to fusee_gelee
* Code can be appended to the bootrom by writing in a fuse area. Could that be used to disable code signature ?
IMX 5 and 6 * Not all devices are signed
* Thanks to Ref_QBVR2017-0001.txt it's possible to bypass signatures anyway, and maybe load code through USB too

Tools

Some of the tools below can also be used to find devices that don't have restricted boot.

Tool Uses supported hardware Pakckages Howto
omap-usb-boot * checking if the device is has restricted boot
* Loading bootloaders from USB
* booting on a different boot media
OMAP3, OMAP4, OMAP5 Parabola , Archlinux through AUR * check if the device has restricted boot through USB
omap-u-boot-utils * Loading bootloaders from USB
* Loading bootloaders from the UART
OMAP3, OMAP4 Parabola , Archlinux through AUR ?
crucible * checking fuses settings i.MX53, i.MX6DL, i.MX6DQ, i.MX6SL, i.MX6SLL, i.MX6SX, i.MX6UL, i.MX6ULL, i.MX6ULZ, i.MX7D, i.MX7ULP TODO TODO
cbootimage * Generate images
* Dump images (including signatures?)
Tegra ? Parabola , Archlinux through AUR
tegrarcm * Load bootloaders from USB Tegra ? TODO TODO
0xFFFF * Load signed bootloaders (-c) from USB OMAP3430 and OMAP3630
Might be easy to add more OMAP3 by just commenting code in cold-flash.c
TODO, patch for libusb1 TODO
sunxi-tools ? Allwinner SOCs? Parabola, Archlinux TODO
ifdtool * Check if there is a Management Engine firmware Intel x86 ? ?
intelmetool * Check if there is a Management Engine firmware, check if the BIOS region is signed (Bootguard) Intel x86 ? ?
TODO:
  • Add various I.MX tools
  • Add various u-boot and/or Barebox tools
  • Add Exynos tools (mk4412 or similar)

Links to cathegorize:

TODO

  • Find a way to add the fact that a device variant is signed on wikidata
  • Make sure we got the data model right to classify devices: we got pages for GT-I9100G but not GT-I9100G_CHN_CHN or the branded version for foo operator, or PCB version x.y.
See also

Updated by Denis 'GNUtoo' Carikli 8 months ago · 65 revisions