Exynos4Bootrom » History » Version 2
Denis 'GNUtoo' Carikli, 08/19/2019 10:34 PM
h1. Exynos4 Bootrom

| 3 | h2. Background information |

The Replicant project wants to support devices with free software bootloaders, but most, if not all, of the smartphones and tablets supported by Replicant check the signature of the first stage bootloader (BL1) before running it, so it cannot simply be replaced with a free one.

A presentation on the situation of some of the devices supported by Replicant was given at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available.

h2. Exynos 4 signature check

The Exynos4 bootrom checks the first stage bootloader (BL1) in an unusual way:

* The BL1 image is encrypted, not merely signed.
* How the signature is actually checked is not yet well understood[1].
* The header that holds the key has a "func_ptr_BaseAddr" field[1].

h2. Tests to attempt

* Test with qemu whether the bootrom uses func_ptr_BaseAddr in any way when verifying the BL1.
* Try to understand the signature check scheme better.
* Try to see whether the fuses can still be written (zeroed), and whether it would be computationally feasible to produce a key pair whose public key hashes to an all-zero fuse value (for an unbroken hash function this is a preimage search, not a key computation).
* Try to understand why encryption is used.

h2. Test setup

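To make the fuse-zeroing test concrete, the following is a toy model of the usual fuse-anchored secure-boot pattern, written as an added example for this page: it is not the Exynos4 bootrom's scheme (that scheme is exactly what remains to be understood) and not Replicant code. Everything in it is an assumption: that the BL1 header carries an RSA public key plus a textbook-RSA signature over the BL1 body, that the fuses hold SHA-256 of that public key, and the field widths. It shows the two checks such a bootrom performs and why, if the fuses really read back as all zeros and the comparison still happens, producing a matching key is a preimage search rather than a key computation.

```python
"""Toy model of a fuse-anchored BL1 signature check (added example, NOT the
Exynos4 bootrom's real scheme and not Replicant code).  Hypothetical
assumptions: the BL1 header = RSA public key || textbook-RSA signature of
SHA-256(body), and the SoC fuses hold SHA-256(public key)."""
import hashlib
import secrets

KEY_BYTES = 128  # assumed width of the modulus and signature header fields


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)); toy key generation, enough for the model."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def pubkey_bytes(pub):
    n, e = pub
    return n.to_bytes(KEY_BYTES, "big") + e.to_bytes(4, "big")


def fuse_value(pub):
    """What the vendor would burn into the fuses: a hash of its public key."""
    return hashlib.sha256(pubkey_bytes(pub)).digest()


def build_image(body, pub, priv):
    """Header = public key || textbook-RSA signature of SHA-256(body), then body."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    sig = pow(h, d, n).to_bytes(KEY_BYTES, "big")
    return pubkey_bytes(pub) + sig + body


def bootrom_verify(image, fused_hash):
    """Model bootrom: accept only if hash(header key) == fuses AND the
    signature over the body verifies under that key."""
    pk = image[:KEY_BYTES + 4]
    sig = image[KEY_BYTES + 4:2 * KEY_BYTES + 4]
    body = image[2 * KEY_BYTES + 4:]
    if hashlib.sha256(pk).digest() != fused_hash:
        return False  # key in the header is not the one anchored in the fuses
    n = int.from_bytes(pk[:KEY_BYTES], "big")
    e = int.from_bytes(pk[KEY_BYTES:], "big")
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h


def trials_for_leading_zero_bits(bits):
    """Random search for a candidate key whose hash starts with `bits` zero
    bits: the work faced if the fuses read as all zeros and the bootrom still
    compares.  Expected ~2**bits trials, so a full 256-bit match is a
    preimage search and out of reach."""
    trials = 0
    while True:
        trials += 1
        cand = secrets.token_bytes(KEY_BYTES + 4)
        h = int.from_bytes(hashlib.sha256(cand).digest(), "big")
        if h >> (256 - bits) == 0:
            return trials


if __name__ == "__main__":
    vendor_pub, vendor_priv = rsa_keygen()
    fuses = fuse_value(vendor_pub)
    image = build_image(b"vendor BL1 (constructed)", vendor_pub, vendor_priv)
    print("vendor image:", bootrom_verify(image, fuses))              # True
    my_pub, my_priv = rsa_keygen()
    mine = build_image(b"free BL1 (constructed)", my_pub, my_priv)
    print("own key, vendor fuses:", bootrom_verify(mine, fuses))      # False
    print("own key, zeroed fuses:", bootrom_verify(mine, bytes(32)))  # False
    print("trials for 16 zero bits:", trials_for_leading_zero_bits(16))
```

The interesting outcome of the fuse test is therefore not a key computation but the bootrom's behaviour: what it does when the fuse comparison is against an unprogrammed value is something qemu or JTAG tracing can answer, while the model above only shows why brute-forcing the hash is not an option.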
Either qemu[1] or a development board with JTAG access can be used to run these tests.

Testing with qemu is probably much easier.

| 29 | fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html |