Replicant

h1. Bootloaders

h2. Introduction

In order to run free software bootloaders, we need the ability to run the code we want at boot.

However in most smartphones and many tablets use code signature at boot, which prevent us to run free software bootloader.

In practice:

* Some system on a chip either don't implement code signature or the implementation is not used or tested.

* For some other system on a chip, it's up to the device vendor to choose to implement code signature or not.

* For some system on a chip, we don't know any devices not enforcing code signature, but we don't know who decided to enforce the code signature.

h2. Devices configurations

|_. Device and documentation |_. Freedom situation |_. Boot order |

| [[NexusSI902xBootloader| Samsung Nexus S (GT-I902x)]] | Proprietary, Signed on the tested devices | ?->USB->?->eMMC->? |

| [[I9100Bootloader| Samsung Galaxy S2 (GT-I9100)]] | Proprietary, probably Signed | ? |

| [[I9100GBootloader| Samsung Galaxy S2 (GT-I9100G)]] | * Unsigned on some devices

* Signed on some devices | ? |

| [[GalaxyTab2Bootloader| Samsung Galaxy Tab 2]] | Proprietary, signed | ?->USB->?->eMMC->? |

| [[OptimusBlackBootloader| LG Optimus black (p970)]] | unsigned, can be replaced with upstream u-boot | eMMC(MMC2)->USB |

| Galaxy SIII (I9300)

Galaxy SIII 4G (I9305)

Galaxy Note II (N7100)

Galaxy Note II 4G (N7105) | * Proprietary, Signed

* There is work in progress to understand if we can avoid the signature | ?->eMMC->?->USB->? |

| Golden Delicous GTA04 | unsigned, free software | * Aux not pressed during boot: ?

* Aux pressed during boot: ?->SD->?->NAND

SYS_BOOT0 = 1

SYS_BOOT1 = 1

SYS_BOOT2 = 1

SYS_BOOT3 = 1

SYS_BOOT4 = 1

SYS_BOOT5 = AUX button

SYS_BOOT6 = 1 

But cannot find Reference manual for the DM370 |

| Pinephone | Unsigned free software bootloader | |

| Librem5 | Unsigned bootloader, nonfree DDR4 controller firmware | |

Other devices with free software and unsigned bootloaders:

* Openmoko GTA01 and GTA02: cannot run Replicant (only has 128M of RAM, armv4t).

* Many single board computers: They are not very practical to use as a smartphone or tablet, though they could be added along the way to Replicant 9 if there is some interest

* Older PDA like the OMAP4 Blaze: Check if they can *easily* be found: they were very expensive. Also check the upstream status. See [[TargetsEvaluation]] for such devices.

Other:

* Optimus 3D: There is probably a leaked key for signing the bootloader

* [[FindDevicesWithUnsignedBootloaedrs]]: Project to find devices with free software bootloader at a very large scale

h2. System on a chip

|_. SOC and documentation |_. Freedom situation |

| [[OMAPBootrom|OMAP]] | * No known bug

* Some devices are not signed |

| [[Exynos4Bootrom|Exynos 4]] | * Some or all devices are signed

* work in progress to understand if it's possible to bypass the signature |

| [[BroadcomVideoCore]] | The SOCs have the ability to check signatures |

| [[TegraBootrom]] | * Not all devices use code signature

* Boot from USB is possible thanks to "fusee_gelee":https://github.com/Qyriad/fusee-launcher/blob/master/report/fusee_gelee.md

* Code can be appended to the bootrom by writing in a fuse area. Could that be used to disable code signature ? |

| IMX 5 and 6 | * Not all devices are signed

* Thanks to "Ref_QBVR2017-0001.txt":https://github.com/f-secure-foundry/usbarmory/blob/master/software/secure_boot/Security_Advisory-Ref_QBVR2017-0001.txt it's possible to bypass signatures anyway, and maybe load code through USB too |

h2. Links to cathegorize:

* https://www.theiphonewiki.com/ has a list of "Bootrom security issues":https://www.theiphonewiki.com/wiki/Bootrom for apple devices.

* "Ti Nspire":https://hackspire.org ? RSA exponent issues?

== See also ==

* [[Upstream]]