Bootloaders

Introduction

In order to run free software bootloaders, we need the ability to run the code we want at boot. However in most smartphones and many tablets use code signature at boot, which prevent us to run free software bootloader.

This usually works by hardcoding the hash of a public key either in the rom code that loads the bootloader, or in one time programmable fuses that are then used by the rom code to check the bootloader.

If the signature don't match, the bootloader is not executed, so the device can't boot.

In practice:

Devices configurations

Device and documentation Bootloader freedom situation Boot order
Samsung Nexus S (GT-I902x) Proprietary, Signed on the tested devices ?->USB->?->eMMC->?
Samsung Galaxy S2 (GT-I9100) Proprietary, probably Signed ?
Samsung Galaxy S2 (GT-I9100G) Signed on some devices
No unsigned devices found yet
?
Samsung Galaxy Tab 2 Proprietary, signed ?->USB->?->eMMC->?
LG Optimus black (p970) Unsigned, can be replaced with upstream u-boot eMMC(MMC2)->USB
Galaxy SIII (I9300)
Galaxy SIII 4G (I9305)
Galaxy Note II (N7100)
Galaxy Note II 4G (N7105)
* Proprietary, Signed
* There is work in progress to understand if we can avoid bypass the signature checks
?->eMMC->?->USB->?
Golden Delicous GTA04 Unsigned, free software * Aux not pressed during boot: ?
* Aux pressed during boot: ?->SD->?->NAND
SYS_BOOT0 = 1
SYS_BOOT1 = 1
SYS_BOOT2 = 1
SYS_BOOT3 = 1
SYS_BOOT4 = 1
SYS_BOOT5 = AUX button
SYS_BOOT6 = 1
But cannot find Reference manual for the DM370
Pinephone Unsigned free software
Librem5 Unsigned bootloader, nonfree DDR4 controller firmware
Other devices with free software and unsigned bootloaders: Other:

System on a chip

SOC and documentation Freedom situation
OMAP * No known bug
* Some devices are not signed
* Undocumented? (probably a very good sign if it's the case)
Exynos 4 * Some or all devices are signed
* work in progress to understand if it's possible to bypass the signature
Exynos 8890 and 8895 * Boot from USB is possible thanks to exynos-usbdl (documentation)
BroadcomVideoCore The SOCs have the ability to check signatures
TegraBootrom * Not all devices use code signature
* Boot from USB is possible thanks to fusee_gelee
* Code can be appended to the bootrom by writing in a fuse area. Could that be used to disable code signature ?
IMX 5 and 6 * Not all devices are signed
* Thanks to Ref_QBVR2017-0001.txt it's possible to bypass signatures anyway, and maybe load code through USB too

Tools

Some of the tools below can also be used to find devices that don't have restricted boot.

Tool Uses supported hardware Pakckages Howto
omap-usb-boot * checking if the device is has restricted boot
* Loading bootloaders from USB
* booting on a different boot media
OMAP3, OMAP4, OMAP5 Parabola , Archlinux through AUR * check if the device has restricted boot through USB
omap-u-boot-utils * Loading bootloaders from USB
* Loading bootloaders from the UART
OMAP3, OMAP4 Parabola , Archlinux through AUR ?
crucible * checking fuses settings i.MX53, i.MX6DL, i.MX6DQ, i.MX6SL, i.MX6SLL, i.MX6SX, i.MX6UL, i.MX6ULL, i.MX6ULZ, i.MX7D, i.MX7ULP TODO TODO
cbootimage * Generate images
* Dump images (including signatures?)
Tegra ? Parabola , Archlinux through AUR
tegrarcm * Load bootloaders from USB Tegra ? TODO TODO
0xFFFF * Load signed bootloaders (-c) from USB OMAP3430 and OMAP3630
Might be easy to add more OMAP3 by just commenting code in cold-flash.c
TODO, patch for libusb1 TODO
sunxi-tools ? Allwinner SOCs? Parabola, Archlinux TODO
ifdtool * Check if there is a Management Engine firmware Intel x86 ? ?
intelmetool * Check if there is a Management Engine firmware, check if the BIOS region is signed (Bootguard) Intel x86 ? ?
TODO:

Links to cathegorize:

TODO

See also