Project

General

Profile

Exynos4Bootrom » History » Version 15

Denis 'GNUtoo' Carikli, 11/05/2019 11:11 AM
Don't load the huge image

1 1 Denis 'GNUtoo' Carikli
h1. Exynos4 Bootrom
2 11 Denis 'GNUtoo' Carikli
3
{{toc}}
4 1 Denis 'GNUtoo' Carikli
5
h2. Background information
6
7
The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.
8
9
A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available.
10
11 14 Denis 'GNUtoo' Carikli
h3. Exynos 4 signature check
12 1 Denis 'GNUtoo' Carikli
13
The Exynos4 bootrom has a strange way to check the signatures:
14
* The first stage bootloader is encrypted
15
* The signature check is not very clear[1]
16
* The header that holds the key has a "func_ptr_BaseAddr" field[1].
17
18 14 Denis 'GNUtoo' Carikli
h2. Attempts
19 1 Denis 'GNUtoo' Carikli
20 14 Denis 'GNUtoo' Carikli
h3. xboot
21 1 Denis 'GNUtoo' Carikli
22 14 Denis 'GNUtoo' Carikli
"xboot":https://github.com/xboot/xboot is an OS that is supposed to run as the BL1 on a board that has the the Exynos 4412.
23 4 Kurtis Hanna
24 14 Denis 'GNUtoo' Carikli
There is "an attempt to port it and run it on the Galaxy SIII":https://github.com/xboot/xboot/issues/21 but it didn't succeed yet.
25 8 Kurtis Hanna
26 14 Denis 'GNUtoo' Carikli
h3. func_ptr_BaseAddr
27 1 Denis 'GNUtoo' Carikli
28 14 Denis 'GNUtoo' Carikli
If the xboot attempt doesn't work we could also try to understand with qemu[2] or a developement board that has JTAG, if func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1.
29
30
Testing with qemu[2] is probably way more easy than using the JTAG.
31
32
If it is we might be able to replace the bootrom check function.
33
34 1 Denis 'GNUtoo' Carikli
fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
35
36 3 Denis 'GNUtoo' Carikli
fn2. https://github.com/frederic/qemu-exynos-bootrom
37 1 Denis 'GNUtoo' Carikli
38 14 Denis 'GNUtoo' Carikli
h3. Other tests to attempt
39 1 Denis 'GNUtoo' Carikli
40 14 Denis 'GNUtoo' Carikli
* Try to understand better the scheme used to check the signature.
41
* Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash.
42
* Try to understand why encryption is used.
43 6 Denis 'GNUtoo' Carikli
44 14 Denis 'GNUtoo' Carikli
h2. HOWTO
45
46
h3. Loading a bootloader from SD
47
48 6 Denis 'GNUtoo' Carikli
When booting Parabola with a Replicant 9 kernel on a Galaxy SIII (i9300), it is possible to erase the bootloader to make the device boot from the microSD instead.
49
50
This could be used to do some testing, for instance to see if the BL1 signature can somehow be bypassed, however as no free software bootloaders do exist yet (u-boot relies on nonfree and non-redistributable software), this is not very useful yet.
51
52
If you really want to erase the bootloader (your device will be broken and will never boot anymore), you could run the following:
53
54
<pre>
55
# echo 0 > /sys/class/block/mmcblk2boot0/force_ro
56
# ddrescue -f /dev/zero /dev/mmcblk2boot0
57
GNU ddrescue 1.24
58
Press Ctrl-C to interrupt
59
     ipos:    4194 kB, non-trimmed:        0 B,  current rate:   4194 kB/s
60
     opos:    4194 kB, non-scraped:        0 B,  average rate:   4194 kB/s
61
non-tried:    9223 PB,  bad-sector:        0 B,    error rate:       0 B/s
62
  rescued:    4194 kB,   bad areas:        0,        run time:          0s
63
pct rescued:    0.00%, read errors:        0,  remaining time:         n/a
64
                              time since last successful read:         n/a
65
Copying non-tried blocks... Pass 1 (forwards)
66
ddrescue: Write error: No space left on device
67
</pre>
68
69
And then verify that it's erased:
70
<pre>
71 1 Denis 'GNUtoo' Carikli
# hexdump -C /dev/mmcblk2boot0
72 6 Denis 'GNUtoo' Carikli
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
73
*
74
00400000
75
76
</pre>
77
78
Also verify that the following partitions are also erased:
79
* mmcblk2boot1
80
* BOTA0
81
* BOTA1
82
83
I'm not sure what BOTA0 and BOTA1 are but they were already blank in my case.
84 12 Denis 'GNUtoo' Carikli
85 14 Denis 'GNUtoo' Carikli
h3. Recovering from a bad bootloader
86 12 Denis 'GNUtoo' Carikli
87
Note that I didn't manage yet to go from u-boot to s-boot.
88
89
Requirements:
90 15 Denis 'GNUtoo' Carikli
* A supported device, either:
91
** i9300
92
** i9305
93 12 Denis 'GNUtoo' Carikli
* A programable PSU or another human that can help you
94
* A serial cable
95
* Very thin/precise multimeter probes that you connect together
96
97
HOWTO:
98
* Prepare a microSD with u-boot
99
* Disassemble the device and connect the device to a programable PSU. The PSU has to be off
100
** VCC is available on the battery connector
101
** GND is available at many places
102 1 Denis 'GNUtoo' Carikli
* Make sure that the PSU will go to the right voltage when set to on
103 12 Denis 'GNUtoo' Carikli
* script the PSU power on, for instance wait 10 seconds before power on
104 15 Denis 'GNUtoo' Carikli
* With the multimeter probes, short the resistor that is indicated on this picture: attachment:i9300_resistor.jpg
105 12 Denis 'GNUtoo' Carikli
 
106
You then should have u-boot running which can boot Parabola, so you can then easily recover.
107
108
Note that to run Parabola you need to make sure that you use an MBR and no gpt as u-boot is to be put at the second 512B block.