Project

General

Profile

Actions

Exynos4Bootrom » History » Revision 19

« Previous | Revision 19/28 (diff) | Next »
Denis 'GNUtoo' Carikli, 12/20/2019 10:34 AM
Add more explanation on the setup


Exynos4 Bootrom

Background information

The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The presentation slides and video are available.

Exynos 4 signature check

The Exynos4 bootrom has a strange way to check the signatures:
  • The first stage bootloader is encrypted
  • The signature check is not very clear1
  • The header that holds the key has a "func_ptr_BaseAddr" field1.

Attempts

xboot

xboot is an OS that is supposed to run as the BL1 on a board that has the the Exynos 4412.

There is an attempt to port it and run it on the Galaxy SIII but it didn't succeed yet.

func_ptr_BaseAddr

If the xboot attempt doesn't work we could also try to understand with qemu2 or a developement board that has JTAG, if func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1.

Testing with qemu2 is probably way more easy than using the JTAG.

If it is we might be able to replace the bootrom check function.

1 https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html

2 https://github.com/frederic/qemu-exynos-bootrom

Other tests to attempt

  • Try to understand better the scheme used to check the signature.
  • Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash.
  • Try to understand why encryption is used.

HOWTO

Loading a bootloader from SD

When booting Parabola with a Replicant 9 kernel on a Galaxy SIII (i9300), it is possible to erase the bootloader to make the device boot from the microSD instead.

This could be used to do some testing, for instance to see if the BL1 signature can somehow be bypassed, however as no free software bootloaders do exist yet (u-boot relies on nonfree and non-redistributable software), this is not very useful yet.

If you really want to erase the bootloader (your device will be broken and will never boot anymore), you could run the following:

# echo 0 > /sys/class/block/mmcblk2boot0/force_ro
# ddrescue -f /dev/zero /dev/mmcblk2boot0
GNU ddrescue 1.24
Press Ctrl-C to interrupt
     ipos:    4194 kB, non-trimmed:        0 B,  current rate:   4194 kB/s
     opos:    4194 kB, non-scraped:        0 B,  average rate:   4194 kB/s
non-tried:    9223 PB,  bad-sector:        0 B,    error rate:       0 B/s
  rescued:    4194 kB,   bad areas:        0,        run time:          0s
pct rescued:    0.00%, read errors:        0,  remaining time:         n/a
                              time since last successful read:         n/a
Copying non-tried blocks... Pass 1 (forwards)
ddrescue: Write error: No space left on device

And then verify that it's erased:

# hexdump -C /dev/mmcblk2boot0
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00400000

Also verify that the following partitions are also erased:
  • mmcblk2boot1
  • BOTA0
  • BOTA1

I'm not sure what BOTA0 and BOTA1 are but they were already blank in my case.

Recovering from a bad bootloader

Note that I didn't manage yet to go from u-boot to s-boot.

Requirements:
  • A supported device, either:
    • i9300
    • i9305
    • n7100
    • n7105
  • A programable PSU or another human that can help you
  • A serial cable
  • Very thin/precise multimeter probes that you connect together: probes.jpg
HOWTO:
  • Prepare a microSD with u-boot
  • Disassemble the device
  • Connect the device to a programable PSU. The PSU has to be off
  • Connect the serial cable
  • Make sure that the device, serial cable, and connection to the PSU don't move. Example: n7100_bench.jpg You could also use cardboard and tape.
    • VCC is available on the battery connector
    • GND is available at many places
  • Make sure that the PSU will go to the right voltage when set to on
  • script the PSU power on, for instance wait 10 seconds before power on. For example:
    $ on(){ sigrok-cli -d korad-kaxxxxp:conn=/dev/ttyACM0 --set --config enabled=on ;}
    $ off(){ sigrok-cli -d korad-kaxxxxp:conn=/dev/ttyACM0 --set --config enabled=off ;}
    $ off
    $ sleep 10 ; on
    
  • With the multimeter probes, short the resistor.

You then should have u-boot running which can boot Parabola, so you can then easily recover.

Note that to run Parabola you need to make sure that you use an MBR and no gpt as u-boot is to be put at the second 512B block.

Updated by Denis 'GNUtoo' Carikli almost 5 years ago · 19 revisions

Also available in: PDF HTML TXT