Kurtis Hanna, 08/20/2019 03:17 PM
fixed some spelling

Exynos4 Bootrom

Background information

The Replicant project wants to support devices with free software bootloaders, but most or all of the smartphones and tablets supported by Replicant check the signature of the first-stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The presentation slides and video are available.

Exynos 4 signature check

The Exynos4 bootrom has a strange way to check the signatures:
  • The first stage bootloader is encrypted
  • The signature check is not very clear [1]
  • The header that holds the key has a "func_ptr_BaseAddr" field [1].

Tests to attempt

  • Test with qemu [2] whether func_ptr_BaseAddr is somehow used by the bootrom when verifying the BL1.
  • Try to better understand the scheme used to check the signature.
  • Check whether the fuses can still be written (zeroed), and whether it is computationally feasible to compute the private key for a zeroed fuses hash.
  • Try to understand why encryption is used.

Test setup

Either qemu [2] or a development board with JTAG can be used to do the test.

Testing with qemu [2] is probably much easier.


Updated by Kurtis Hanna almost 5 years ago · 4 revisions
