Project

General

Profile

Exynos4Bootrom » History » Version 27

Denis 'GNUtoo' Carikli, 02/21/2023 03:53 PM
ADd GT-N7100, tested with the setup mentioned in this page and the nonfree u-boot

1 1 Denis 'GNUtoo' Carikli
h1. Exynos4 Bootrom
2 11 Denis 'GNUtoo' Carikli
3
{{toc}}
4 1 Denis 'GNUtoo' Carikli
5
h2. Background information
6
7
The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.
8
9
A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available.
10
11 14 Denis 'GNUtoo' Carikli
h3. Exynos 4 signature check
12 1 Denis 'GNUtoo' Carikli
13
The Exynos4 bootrom has a strange way to check the signatures:
14
* The first stage bootloader is encrypted
15
* The signature check is not very clear[1]
16
* The header that holds the key has a "func_ptr_BaseAddr" field[1].
17
18 14 Denis 'GNUtoo' Carikli
h2. Attempts
19 1 Denis 'GNUtoo' Carikli
20 14 Denis 'GNUtoo' Carikli
h3. xboot
21 1 Denis 'GNUtoo' Carikli
22 14 Denis 'GNUtoo' Carikli
"xboot":https://github.com/xboot/xboot is an OS that is supposed to run as the BL1 on a board that has the the Exynos 4412.
23 4 Kurtis Hanna
24 14 Denis 'GNUtoo' Carikli
There is "an attempt to port it and run it on the Galaxy SIII":https://github.com/xboot/xboot/issues/21 but it didn't succeed yet.
25 8 Kurtis Hanna
26 14 Denis 'GNUtoo' Carikli
h3. func_ptr_BaseAddr
27 1 Denis 'GNUtoo' Carikli
28 14 Denis 'GNUtoo' Carikli
If the xboot attempt doesn't work we could also try to understand with qemu[2] or a developement board that has JTAG, if func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1.
29
30
Testing with qemu[2] is probably way more easy than using the JTAG.
31
32
If it is we might be able to replace the bootrom check function.
33
34 1 Denis 'GNUtoo' Carikli
fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
35
36 3 Denis 'GNUtoo' Carikli
fn2. https://github.com/frederic/qemu-exynos-bootrom
37 1 Denis 'GNUtoo' Carikli
38 24 Denis 'GNUtoo' Carikli
h3. JTAG, fuses and EMMC RPMB
39
40
According to "a post on the gsmhosting.com forum":https://forum.gsmhosting.com/vbb/f672/regarding-knox-s4-1775213/ :
41
<pre>
42
 Threr are 2 types of devices exist.
43
44
1. EXYNOS Devices with JTAG Disabled ( GT-I9300,GT-I9500,GT-N7100 etc.)
45
46
    KNOX Warranty bit are stored inside of RPMB area in eMMC
47
    Downgrade protection byte are stored in RPMB.
48
</pre>
49
50
So if that's true for most common devices and that we don't find a way to re-enable the JTAG we probably cannot use it to load bootloaders and/or to experiement with the hardware on these devices.
51
52
However it's probably still possible to use JTAG on some devboards.
53
54
The thing we can learn from this post is also that unlocking the device probably don't change the Exynos 4 fuses. I wonder why it is implemented this way when other devices use fuses. And for the devices that use fuses, what is the fuse bit used for? Is it to prevent the fuses to have all bits be modified to zero or 1 and which would make it easier to compute the private key? Does the Qualcomm SOCs have a more granular approach to fuses? How does the Management Engine which also burn fuses at runtime handle that?
55
56 14 Denis 'GNUtoo' Carikli
h3. Other tests to attempt
57 1 Denis 'GNUtoo' Carikli
58 14 Denis 'GNUtoo' Carikli
* Try to understand better the scheme used to check the signature.
59
* Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash.
60
* Try to understand why encryption is used.
61 6 Denis 'GNUtoo' Carikli
62 20 Denis 'GNUtoo' Carikli
h2. Other
63
64 26 Denis 'GNUtoo' Carikli
h3. Running the GT-I9100 bootrom in qemu
65
66
There has been "some work from new Replicant contributor(s)":https://github.com/frederic/qemu-exynos-bootrom/pull/1/files to package a qemu version that can run the Galaxy SII (GT-I9100) bootrom.
67
68
It's a docker file based on Ubuntu 16.04 LTS (Xenial Xerus), but it's probably possible to use Trisquel 8.0 LTS (Flidas) instead.
69
70
See the "Emulating Exynos 4210 BootROM in QEMU":https://www.fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html for more background information on the topic.
71
72 20 Denis 'GNUtoo' Carikli
h3. Rebooting to u-boot
73
74
On several SOCs families you can override the boot pins through register writes.
75
76
For instance on the OMAP 3630 you have a register for that at 0x48002910 which is publicly documented in its technical reference manual. 
77
78
Not all the system on a chip have something like that.
79
80
If registers to do that are found for the Exynos 4412, rebooting directly to u-boot from s-boot should be pretty easy to do.
81
82
The "i9300_emmc_toolbox":https://github.com/oranav/i9300_emmc_toolbox.git project can execute code in s-boot, and we can easily write C code to be executed in it.
83
84
Some examples are provided in the shellcode directory.
85
86
So it would be trivial to write to a register and use the already provided reboot function.
87
88 21 Denis 'GNUtoo' Carikli
TODO:
89
* Look at older Exynos SOCs datasheet to find a register for that
90
* Look at various versions of the Exynos 4412 and other documentation on that SOC
91 23 Kurtis Hanna
* See if "sboot-binwalk":https://github.com/quarkslab/sboot-binwalk, which has signatures and plugins for binwalk that were written while analyzing Samsung S6's proprietary bootloader, can be of any use in conjunction with i9300_emmc_toolbox.
92 21 Denis 'GNUtoo' Carikli
93 22 Denis 'GNUtoo' Carikli
Note that this has not been seen in use yet, including in the "Galaxy SIII repair manual":https://www.ifixit.com/Device/Samsung_Galaxy_S_III#Section_Documents , which shorts a resistor to change the boot modes. Though the Samsung branch that does the smartphones and tablets is separate from the branch doing the System on a chip. So for instance the System on a chip branch was providing SOCs to Apple for its Iphones while consumer electronics branch was at (legal) war against Apple.
94 21 Denis 'GNUtoo' Carikli
95 14 Denis 'GNUtoo' Carikli
h2. HOWTO
96
97
h3. Loading a bootloader from SD
98
99 25 dl lud
When booting Parabola with a Replicant 10 kernel on a Galaxy SIII (i9300), it is possible to erase the bootloader to make the device boot from the microSD instead.
100 6 Denis 'GNUtoo' Carikli
101
This could be used to do some testing, for instance to see if the BL1 signature can somehow be bypassed, however as no free software bootloaders do exist yet (u-boot relies on nonfree and non-redistributable software), this is not very useful yet.
102
103
If you really want to erase the bootloader (your device will be broken and will never boot anymore), you could run the following:
104
105
<pre>
106
# echo 0 > /sys/class/block/mmcblk2boot0/force_ro
107
# ddrescue -f /dev/zero /dev/mmcblk2boot0
108
GNU ddrescue 1.24
109
Press Ctrl-C to interrupt
110
     ipos:    4194 kB, non-trimmed:        0 B,  current rate:   4194 kB/s
111
     opos:    4194 kB, non-scraped:        0 B,  average rate:   4194 kB/s
112
non-tried:    9223 PB,  bad-sector:        0 B,    error rate:       0 B/s
113
  rescued:    4194 kB,   bad areas:        0,        run time:          0s
114
pct rescued:    0.00%, read errors:        0,  remaining time:         n/a
115
                              time since last successful read:         n/a
116
Copying non-tried blocks... Pass 1 (forwards)
117
ddrescue: Write error: No space left on device
118
</pre>
119
120
And then verify that it's erased:
121
<pre>
122 1 Denis 'GNUtoo' Carikli
# hexdump -C /dev/mmcblk2boot0
123 6 Denis 'GNUtoo' Carikli
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
124
*
125
00400000
126
127
</pre>
128
129
Also verify that the following partitions are also erased:
130
* mmcblk2boot1
131
* BOTA0
132
* BOTA1
133
134
I'm not sure what BOTA0 and BOTA1 are but they were already blank in my case.
135 12 Denis 'GNUtoo' Carikli
136 14 Denis 'GNUtoo' Carikli
h3. Recovering from a bad bootloader
137 12 Denis 'GNUtoo' Carikli
138
Note that I didn't manage yet to go from u-boot to s-boot.
139
140
Requirements:
141 15 Denis 'GNUtoo' Carikli
* A supported device, either:
142
** i9300
143
** i9305
144 16 Denis 'GNUtoo' Carikli
** n7100
145
** n7105
146 12 Denis 'GNUtoo' Carikli
* A programable PSU or another human that can help you
147
* A serial cable
148 19 Denis 'GNUtoo' Carikli
* Very thin/precise multimeter probes that you connect together: attachment:probes.jpg
149 12 Denis 'GNUtoo' Carikli
150
HOWTO:
151 1 Denis 'GNUtoo' Carikli
* Prepare a microSD with u-boot
152 19 Denis 'GNUtoo' Carikli
* Disassemble the device
153
* Connect the device to a programable PSU. The PSU has to be off
154
* Connect the serial cable
155
* Make sure that the device, serial cable, and connection to the PSU don't move. Example: attachment:n7100_bench.jpg You could also use cardboard and tape.
156 12 Denis 'GNUtoo' Carikli
** VCC is available on the battery connector
157
** GND is available at many places
158
* Make sure that the PSU will go to the right voltage when set to on
159 18 Denis 'GNUtoo' Carikli
* script the PSU power on, for instance wait 10 seconds before power on. For example:
160
<pre>
161
$ on(){ sigrok-cli -d korad-kaxxxxp:conn=/dev/ttyACM0 --set --config enabled=on ;}
162
$ off(){ sigrok-cli -d korad-kaxxxxp:conn=/dev/ttyACM0 --set --config enabled=off ;}
163
$ off
164
$ sleep 10 ; on
165
</pre>
166 16 Denis 'GNUtoo' Carikli
* With the multimeter probes, short the resistor.
167
** For i9300 and i9305, see this picture for finding the resistor: attachment:i9300_resistor.jpg
168 27 Denis 'GNUtoo' Carikli
** For n7100, see this picture for finding the resistor: attachment:n7100_resistor.jpg
169 17 Denis 'GNUtoo' Carikli
** For n7105, see this picture for finding the resistor: attachment:n7105_resistor.jpg
170 12 Denis 'GNUtoo' Carikli
 
171
You then should have u-boot running which can boot Parabola, so you can then easily recover.
172
173
Note that to run Parabola you need to make sure that you use an MBR and no gpt as u-boot is to be put at the second 512B block.