BroadcomVideoCore

Devices

The Raspberry Pi doesn't use code signing, but smartphones using the same SoC may have it enabled.

IRC Logs to sort

03:00 < clever> ive also cracked the signing keys on the rpi4 fully, and now know how they get generated
03:01 < clever> so i could (in theory) re-extract them from another broadcom product in the future, with less effort
[...]
03:01 < clever> assuming i get execute on the VPU somehow
[...]
03:03 < clever> basically, there is 20 bytes of "salt" in the mask rom, which gets combined with 16 bytes from the OTP, to create the real 20-byte hmac-sha1 key
03:04 < clever> you need to understand how .data gets copied from rom->ram (since its an XIP rom), and then find the code that merges the 2, to know what offset in ram to read
[...]
03:08 < clever> GNUtoo: but, ive also heard that the 2nd revision of the mask rom, has proper pub/priv RSA support
03:08 < clever> if they choose to turn that on, we are screwed
[...]
03:15 < clever> all of the broadcom chips in the pi's, have ~60 OTP registers, each 32 bits wide
[...]
03:16 < clever> got a total of ~268 bytes of OTP
03:16 < clever> for*
[...]
< clever> GNUtoo: i do also have some new info on the rpi4 mask rom boot order, that you might want in the wiki
03:19 < clever> GNUtoo: the rpi4, can boot from 3 places, in this order: #1 recovery.bin on the SD card, #2 a tagged blob in SPI flash, #3 usb-device boot
03:19 < clever> GNUtoo: but, you can use OTP to configure any gpio pin, to disable #1 or #2 (and you can set 2 pins, one for each)
[...]
03:22 < clever> 2020-02-21 16:25:14 < clever> for extra confusion, there are 2 sets of numbers for each SoC
03:22 < clever> 2020-02-21 16:27:12 < clever> ali1234: 2838 and 2711 are both rpi4
03:22 < clever> 2020-02-21 16:27:47 < clever> ali1234: 2835 and 2708 are rpi1, i think
03:22 < clever> so the rpi4 is called both bcm2838 and bcm2711
03:22 < clever> i think one is for the base model, and then the other for this specific implementation of the silicon and package

Updated by Denis 'GNUtoo' Carikli about 4 years ago · 2 revisions