Project

General

Profile

Actions

Exynos4Bootrom » History » Revision 3

« Previous | Revision 3/28 (diff) | Next »
Denis 'GNUtoo' Carikli, 08/19/2019 10:35 PM


Exynos4 Bootrom

Background information

The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The presentation slides and video are available.

Exynos 4 signature check

The Exynos4 bootrom has a strange way to check the signatures:
  • The first stage bootloader is encrypted
  • The signature check is not very clear1
  • The header that holds the key has a "func_ptr_BaseAddr" field1.

Tests to attempt

  • Test with qemu2 if func_ptr_BaseAddr is somehow used by the bootrom, when verifying the BL1.
  • Try to understand better the scheme used to check the signature.
  • Try to see if the fuses can still be written (zeroed) and see weather it'd computationally feasible to compute the private key for a zeroed fuses hash.
  • Try to understand why encryption is used.

Test setup

Either qemu2 or a development board with JTAG can be used to do the test.

Testing with qemu2 is probably way more easy.

1 https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
fn2. https://github.com/frederic/qemu-exynos-bootrom

Updated by Denis 'GNUtoo' Carikli about 5 years ago · 3 revisions

Also available in: PDF HTML TXT