Project

General

Profile

Actions

Exynos4Bootrom » History » Revision 1

Revision 1/28 | Next »
Denis 'GNUtoo' Carikli, 08/19/2019 10:31 PM
Add background information on the exynos4 signature checks


Exynos4 Bootrom

Background information

The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The presentation slides and video are available.

Exynos 4 signature check

The Exynos4 bootrom has a strange way to check the signatures:
  • The first stage bootloader is encrypted
  • The signature check is not very clear1
  • The header that holds the key has a "func_ptr_BaseAddr" field1.

Tests to attempt

  • Test with qemu if func_ptr_BaseAddr is somehow used by the bootrom, when verifying the BL1.
  • Try to understand better the scheme used to check the signature.
  • Try to see if the fuses can still be written (zeroed) and see weather it'd computationally feasible to compute the private key for a zeroed fuses hash.

Test setup

Either qemu1 or a development board with JTAG can be used to do the test.

Testing with qemu is probably way more easy.

1 https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html

Updated by Denis 'GNUtoo' Carikli over 4 years ago · 1 revisions

Also available in: PDF HTML TXT