Exynos4Bootrom » History » Revision 3
Denis 'GNUtoo' Carikli, 08/19/2019 10:35 PM
Exynos4 Bootrom
Background information
The Replicant project wants to support devices with free software bootloaders, but most, if not all, of the smartphones and tablets supported by Replicant check the signature of the first stage bootloader.
A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The presentation slides and video are available.
Exynos 4 signature check
The Exynos4 bootrom has a strange way to check the signatures:
- The first stage bootloader is encrypted.
- The signature check is not very clear [1].
- The header that holds the key has a "func_ptr_BaseAddr" field [1].
Tests to attempt
- Test with QEMU [2] whether func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1.
- Try to understand better the scheme used to check the signature.
- Try to see if the fuses can still be written (zeroed) and see whether it would be computationally feasible to compute the private key for a zeroed fuses hash.
- Try to understand why encryption is used.
Test setup
Either QEMU [2] or a development board with JTAG can be used to do the test.
Testing with QEMU [2] is probably much easier.
[1] https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
[2] https://github.com/frederic/qemu-exynos-bootrom