Exynos4Bootrom » History » Version 23
Kurtis Hanna, 01/31/2020 05:46 AM
added sboot-binwalk git link
h1. Exynos4 Bootrom

{{toc}}

h2. Background information

The Replicant project wants to support devices with free software bootloaders, but most or all of the smartphones and tablets supported by Replicant check the signature of the first stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available.

h3. Exynos 4 signature check

The Exynos4 bootrom has a strange way to check the signatures:

* The first stage bootloader is encrypted
* The signature check is not very clear[1]
* The header that holds the key has a "func_ptr_BaseAddr" field[1].

h2. Attempts

h3. xboot

"xboot":https://github.com/xboot/xboot is an OS that is supposed to run as the BL1 on a board that has the Exynos 4412.

There is "an attempt to port it and run it on the Galaxy SIII":https://github.com/xboot/xboot/issues/21 but it hasn't succeeded yet.

h3. func_ptr_BaseAddr

If the xboot attempt doesn't work, we could also try to understand, with qemu[2] or a development board that has JTAG, whether func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1.

Testing with qemu[2] is probably much easier than using JTAG.

If it is used, we might be able to replace the bootrom check function.

fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html

fn2. https://github.com/frederic/qemu-exynos-bootrom

h3. Other tests to attempt

* Try to understand better the scheme used to check the signature.
* Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash.
* Try to understand why encryption is used.

h2. Other

h3. Rebooting to u-boot

On several SoC families you can override the boot pins through register writes.

For instance, on the OMAP 3630 there is a register for that at 0x48002910, which is publicly documented in its technical reference manual.

Not all systems on a chip have something like that.

If registers to do that are found for the Exynos 4412, rebooting directly to u-boot from s-boot should be pretty easy to do.

The "i9300_emmc_toolbox":https://github.com/oranav/i9300_emmc_toolbox.git project can execute code in s-boot, and we can easily write C code to be executed in it.

Some examples are provided in the shellcode directory.

So it would be trivial to write to a register and use the already provided reboot function.

TODO:
* Look at older Exynos SoCs datasheets to find a register for that
* Look at various versions of the Exynos 4412 and other documentation on that SoC
* See if "sboot-binwalk":https://github.com/quarkslab/sboot-binwalk, which has signatures and plugins for binwalk that were written while analyzing the Samsung S6's proprietary bootloader, can be of any use in conjunction with i9300_emmc_toolbox.

Note that this has not been seen in use yet, including in the "Galaxy SIII repair manual":https://www.ifixit.com/Device/Samsung_Galaxy_S_III#Section_Documents, which shorts a resistor to change the boot modes. However, the Samsung branch that makes the smartphones and tablets is separate from the branch making the system on a chip. For instance, the system on a chip branch was providing SoCs to Apple for its iPhones while the consumer electronics branch was at (legal) war against Apple.

h2. HOWTO

h3. Loading a bootloader from SD

When booting Parabola with a Replicant 9 kernel on a Galaxy SIII (i9300), it is possible to erase the bootloader to make the device boot from the microSD instead.

This could be used to do some testing, for instance to see if the BL1 signature can somehow be bypassed; however, as no free software bootloaders exist yet (u-boot relies on nonfree and non-redistributable software), this is not very useful yet.

If you really want to erase the bootloader (your device will be broken and will never boot anymore), you could run the following:

<pre>
# echo 0 > /sys/class/block/mmcblk2boot0/force_ro
# ddrescue -f /dev/zero /dev/mmcblk2boot0
GNU ddrescue 1.24
Press Ctrl-C to interrupt
ipos: 4194 kB, non-trimmed: 0 B, current rate: 4194 kB/s
opos: 4194 kB, non-scraped: 0 B, average rate: 4194 kB/s
non-tried: 9223 PB, bad-sector: 0 B, error rate: 0 B/s
rescued: 4194 kB, bad areas: 0, run time: 0s
pct rescued: 0.00%, read errors: 0, remaining time: n/a
time since last successful read: n/a
Copying non-tried blocks... Pass 1 (forwards)
ddrescue: Write error: No space left on device
</pre>

And then verify that it's erased:

<pre>
# hexdump -C /dev/mmcblk2boot0
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00400000
</pre>

Also verify that the following partitions are erased as well:
* mmcblk2boot1
* BOTA0
* BOTA1

I'm not sure what BOTA0 and BOTA1 are, but they were already blank in my case.
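
In the hexdump output above, the @*@ line means hexdump suppressed a run of lines identical to the previous one, so the two-line listing ending at 00400000 (4 MiB, matching the 4194 kB ddrescue wrote) does mean the whole boot area reads back as zeros. As an added example that is not part of this wiki page, the following POSIX shell snippet performs the same blank check mechanically for every area listed above. It assumes only @tr@, @wc@ and @dd@; the device paths in the usage comment are the ones named on this page, and the by-name path for BOTA0/BOTA1 is an assumption that depends on the system.

```shell
#!/bin/sh
# Added example (not from the Replicant wiki): verify that the boot areas
# listed above really read back as all zeros, instead of eyeballing hexdump.
# Assumptions: POSIX sh with tr, wc and dd; device paths as named on the
# wiki page (the by-name location of BOTA0/BOTA1 is an assumption).

# is_blank FILE: succeed (exit 0) if every byte of FILE is 0x00.
# tr deletes every NUL byte; whatever survives is non-zero data, so a
# surviving byte count of 0 means the whole area is blank.
is_blank() {
    nonzero=$(tr -d '\000' < "$1" | wc -c)
    [ "$((nonzero))" -eq 0 ]
}

# check_erased DEV...: print one line per device and return the number of
# devices that are unreadable or still contain data (0 means all blank).
check_erased() {
    failed=0
    for dev in "$@"; do
        if [ ! -r "$dev" ]; then
            printf '%s: not readable (counted as failed)\n' "$dev"
            failed=$((failed + 1))
        elif is_blank "$dev"; then
            printf '%s: blank\n' "$dev"
        else
            printf '%s: STILL CONTAINS DATA\n' "$dev"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Typical read-only invocation on the device (BOTA paths are an assumption):
# check_erased /dev/mmcblk2boot0 /dev/mmcblk2boot1 \
#              /dev/block/by-name/BOTA0 /dev/block/by-name/BOTA1
```

The check is read-only, so it is safe to run before and after the erase; a non-zero exit status is the number of areas that still need attention.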

h3. Recovering from a bad bootloader

Note that I haven't yet managed to go from u-boot to s-boot.

Requirements:
* A supported device, either:
** i9300
** i9305
** n7100
** n7105
* A programmable PSU or another human that can help you
* A serial cable
* Very thin/precise multimeter probes that you connect together: attachment:probes.jpg

HOWTO:
* Prepare a microSD with u-boot
* Disassemble the device
* Connect the device to a programmable PSU. The PSU has to be off
* Connect the serial cable
* Make sure that the device, serial cable, and connection to the PSU don't move. Example: attachment:n7100_bench.jpg You could also use cardboard and tape.
** VCC is available on the battery connector
** GND is available at many places
* Make sure that the PSU will go to the right voltage when set to on
* Script the PSU power on, for instance wait 10 seconds before powering on. For example:
<pre>
$ on(){ sigrok-cli -d korad-kaxxxxp:conn=/dev/ttyACM0 --set --config enabled=on ;}
$ off(){ sigrok-cli -d korad-kaxxxxp:conn=/dev/ttyACM0 --set --config enabled=off ;}
$ off
$ sleep 10 ; on
</pre>
* With the multimeter probes, short the resistor.
** For i9300 and i9305, see this picture for finding the resistor: attachment:i9300_resistor.jpg
** For n7105, see this picture for finding the resistor: attachment:n7105_resistor.jpg

You should then have u-boot running, which can boot Parabola, so you can then easily recover.
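
The power-cycle step of the procedure above, as an added example that is not part of this wiki page: the same sigrok-cli invocation (korad-kaxxxxp driver on /dev/ttyACM0, taken from the page) wrapped in functions with the delay as a parameter and each action timestamped on stderr, so the moment the PSU came on can be lined up with the serial console capture. @PSU_CMD@ and @PSU_DEV@ are my additions; pointing @PSU_CMD@ at @echo@ rehearses the sequence without a PSU attached.

```shell
#!/bin/sh
# Added example (not from the Replicant wiki): the power-cycle step as
# reusable functions. Assumptions: the sigrok-cli driver string and serial
# device are those the wiki uses; PSU_CMD/PSU_DEV are overridable so the
# sequence can be rehearsed (PSU_CMD=echo) before the real bench run.

PSU_CMD=${PSU_CMD:-sigrok-cli}
PSU_DEV=${PSU_DEV:-korad-kaxxxxp:conn=/dev/ttyACM0}

# psu_set on|off: switch the PSU output and log (on stderr) when it happened.
psu_set() {
    printf '%s psu output %s\n' "$(date +%T)" "$1" >&2
    "$PSU_CMD" -d "$PSU_DEV" --set --config "enabled=$1"
}

# power_cycle SECONDS: output off, wait SECONDS (time to place the probes on
# the resistor), then output on. Fails early if the "off" command fails and
# returns the status of the final "on" so a failed power-up is noticed.
power_cycle() {
    secs=${1:-10}
    psu_set off || return 1
    printf '%s waiting %ss before power on\n' "$(date +%T)" "$secs" >&2
    sleep "$secs"
    psu_set on
}

# Usage on the bench, matching the 10 second wait from the page:
# power_cycle 10
```

Because the timestamps go to stderr and sigrok-cli's own output to stdout, a @2>psu.log@ redirection keeps a clean timeline of the power events next to the serial log.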

Note that to run Parabola you need to make sure that you use an MBR and not GPT, as u-boot is to be put in the second 512B block.
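
The MBR requirement follows from where the two layouts keep their metadata: the second 512-byte block is LBA 1, which is exactly where a GPT disk stores its primary partition table header, so u-boot and GPT cannot both occupy it. As an added example that is not part of this wiki page, the following POSIX shell function inspects a card or image read-only and reports whether LBA 1 is free for u-boot. It assumes @dd@, @od@ and @tr@ on a little-endian host (@od@ decodes the partition start LBA in host byte order), and the device name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Replicant wiki: check a microSD card or
# image before u-boot is written to it. u-boot goes into LBA 1 (the second
# 512-byte block); a GPT disk keeps its primary header at that same LBA,
# so the card must carry a plain MBR. Assumptions: POSIX sh with dd, od and
# tr on a little-endian host; nothing is written to the card.

# sd_layout_check FILE
#   exit 0: MBR signature present and LBA 1 holds no GPT header
#   exit 1: GPT header ("EFI PART") found at LBA 1
#   exit 2: no MBR signature (0x55 0xAA at bytes 510-511)
sd_layout_check() {
    img=$1
    # Bytes 510-511 as hex: "55aa" for a valid MBR. A GPT disk also carries
    # a protective MBR with this signature, which is why GPT is tested first.
    sig=$(od -An -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
    # First 8 bytes of LBA 1 as hex; "EFI PART" is 4546492050415254.
    lba1=$(od -An -tx1 -j 512 -N 8 "$img" | tr -d ' \n')
    # Start LBA of the first MBR partition entry (offset 446 + 8, uint32 LE).
    p1start=$(od -An -tu4 -j 454 -N 4 "$img" | tr -d ' \n')

    if [ "$lba1" = "4546492050415254" ]; then
        printf '%s: GPT header at LBA 1; u-boot would overwrite it, repartition with an MBR\n' "$img"
        return 1
    fi
    if [ "$sig" != "55aa" ]; then
        printf '%s: no MBR signature at offset 510; create an MBR partition table first\n' "$img"
        return 2
    fi
    printf '%s: MBR present, LBA 1 is free for u-boot; first partition starts at LBA %s\n' \
        "$img" "${p1start:-0}"
    return 0
}

# Usage (read-only; replace /dev/sdX with the card's device, an assumed name):
# sd_layout_check /dev/sdX
```

The reported start LBA of the first partition matters too: the u-boot image occupies LBA 1 and some number of blocks after it, so the first partition must begin beyond that region. How many blocks u-boot needs depends on the build, which is why the function reports the value rather than judging it.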