Exynos4Bootrom » History » Version 15
Denis 'GNUtoo' Carikli, 11/05/2019 11:11 AM
Don't load the huge image
1 | 1 | Denis 'GNUtoo' Carikli | h1. Exynos4 Bootrom |
---|---|---|---|
2 | 11 | Denis 'GNUtoo' Carikli | |
3 | {{toc}} |
||
4 | 1 | Denis 'GNUtoo' Carikli | |
5 | h2. Background information |
||
6 | |||
7 | The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader. |
||
8 | |||
9 | A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available. |
||
10 | |||
11 | 14 | Denis 'GNUtoo' Carikli | h3. Exynos 4 signature check |
12 | 1 | Denis 'GNUtoo' Carikli | |
13 | The Exynos4 bootrom has a strange way to check the signatures: |
||
14 | * The first stage bootloader is encrypted |
||
15 | * The signature check is not very clear[1] |
||
16 | * The header that holds the key has a "func_ptr_BaseAddr" field[1]. |
||
17 | |||
18 | 14 | Denis 'GNUtoo' Carikli | h2. Attempts |
19 | 1 | Denis 'GNUtoo' Carikli | |
20 | 14 | Denis 'GNUtoo' Carikli | h3. xboot |
21 | 1 | Denis 'GNUtoo' Carikli | |
22 | 14 | Denis 'GNUtoo' Carikli | "xboot":https://github.com/xboot/xboot is an OS that is supposed to run as the BL1 on a board that has the the Exynos 4412. |
23 | 4 | Kurtis Hanna | |
24 | 14 | Denis 'GNUtoo' Carikli | There is "an attempt to port it and run it on the Galaxy SIII":https://github.com/xboot/xboot/issues/21 but it didn't succeed yet. |
25 | 8 | Kurtis Hanna | |
26 | 14 | Denis 'GNUtoo' Carikli | h3. func_ptr_BaseAddr |
27 | 1 | Denis 'GNUtoo' Carikli | |
28 | 14 | Denis 'GNUtoo' Carikli | If the xboot attempt doesn't work we could also try to understand with qemu[2] or a developement board that has JTAG, if func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1. |
29 | |||
30 | Testing with qemu[2] is probably way more easy than using the JTAG. |
||
31 | |||
32 | If it is we might be able to replace the bootrom check function. |
||
33 | |||
34 | 1 | Denis 'GNUtoo' Carikli | fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html |
35 | |||
36 | 3 | Denis 'GNUtoo' Carikli | fn2. https://github.com/frederic/qemu-exynos-bootrom |
37 | 1 | Denis 'GNUtoo' Carikli | |
38 | 14 | Denis 'GNUtoo' Carikli | h3. Other tests to attempt |
39 | 1 | Denis 'GNUtoo' Carikli | |
40 | 14 | Denis 'GNUtoo' Carikli | * Try to understand better the scheme used to check the signature. |
41 | * Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash. |
||
42 | * Try to understand why encryption is used. |
||
43 | 6 | Denis 'GNUtoo' Carikli | |
44 | 14 | Denis 'GNUtoo' Carikli | h2. HOWTO |
45 | |||
46 | h3. Loading a bootloader from SD |
||
47 | |||
48 | 6 | Denis 'GNUtoo' Carikli | When booting Parabola with a Replicant 9 kernel on a Galaxy SIII (i9300), it is possible to erase the bootloader to make the device boot from the microSD instead. |
49 | |||
50 | This could be used to do some testing, for instance to see if the BL1 signature can somehow be bypassed, however as no free software bootloaders do exist yet (u-boot relies on nonfree and non-redistributable software), this is not very useful yet. |
||
51 | |||
52 | If you really want to erase the bootloader (your device will be broken and will never boot anymore), you could run the following: |
||
53 | |||
54 | <pre> |
||
55 | # echo 0 > /sys/class/block/mmcblk2boot0/force_ro |
||
56 | # ddrescue -f /dev/zero /dev/mmcblk2boot0 |
||
57 | GNU ddrescue 1.24 |
||
58 | Press Ctrl-C to interrupt |
||
59 | ipos: 4194 kB, non-trimmed: 0 B, current rate: 4194 kB/s |
||
60 | opos: 4194 kB, non-scraped: 0 B, average rate: 4194 kB/s |
||
61 | non-tried: 9223 PB, bad-sector: 0 B, error rate: 0 B/s |
||
62 | rescued: 4194 kB, bad areas: 0, run time: 0s |
||
63 | pct rescued: 0.00%, read errors: 0, remaining time: n/a |
||
64 | time since last successful read: n/a |
||
65 | Copying non-tried blocks... Pass 1 (forwards) |
||
66 | ddrescue: Write error: No space left on device |
||
67 | </pre> |
||
68 | |||
69 | And then verify that it's erased: |
||
70 | <pre> |
||
71 | 1 | Denis 'GNUtoo' Carikli | # hexdump -C /dev/mmcblk2boot0 |
72 | 6 | Denis 'GNUtoo' Carikli | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
73 | * |
||
74 | 00400000 |
||
75 | |||
76 | </pre> |
||
77 | |||
78 | Also verify that the following partitions are also erased: |
||
79 | * mmcblk2boot1 |
||
80 | * BOTA0 |
||
81 | * BOTA1 |
||
82 | |||
83 | I'm not sure what BOTA0 and BOTA1 are but they were already blank in my case. |
||
84 | 12 | Denis 'GNUtoo' Carikli | |
85 | 14 | Denis 'GNUtoo' Carikli | h3. Recovering from a bad bootloader |
86 | 12 | Denis 'GNUtoo' Carikli | |
87 | Note that I didn't manage yet to go from u-boot to s-boot. |
||
88 | |||
89 | Requirements: |
||
90 | 15 | Denis 'GNUtoo' Carikli | * A supported device, either: |
91 | ** i9300 |
||
92 | ** i9305 |
||
93 | 12 | Denis 'GNUtoo' Carikli | * A programable PSU or another human that can help you |
94 | * A serial cable |
||
95 | * Very thin/precise multimeter probes that you connect together |
||
96 | |||
97 | HOWTO: |
||
98 | * Prepare a microSD with u-boot |
||
99 | * Disassemble the device and connect the device to a programable PSU. The PSU has to be off |
||
100 | ** VCC is available on the battery connector |
||
101 | ** GND is available at many places |
||
102 | 1 | Denis 'GNUtoo' Carikli | * Make sure that the PSU will go to the right voltage when set to on |
103 | 12 | Denis 'GNUtoo' Carikli | * script the PSU power on, for instance wait 10 seconds before power on |
104 | 15 | Denis 'GNUtoo' Carikli | * With the multimeter probes, short the resistor that is indicated on this picture: attachment:i9300_resistor.jpg |
105 | 12 | Denis 'GNUtoo' Carikli | |
106 | You then should have u-boot running which can boot Parabola, so you can then easily recover. |
||
107 | |||
108 | Note that to run Parabola you need to make sure that you use an MBR and no gpt as u-boot is to be put at the second 512B block. |