
Revision 3 (Denis 'GNUtoo' Carikli, 08/19/2019 10:35 PM) → Revision 4/28 (Kurtis Hanna, 08/20/2019 03:17 PM)

h1. Exynos4 Bootrom 

h2. Background information

The Replicant project wants to support devices with free software bootloaders, but most (possibly all) of the smartphones and tablets supported by Replicant check the signature of the first-stage bootloader, so a free replacement cannot simply be flashed in its place.

A presentation on the situation of some of the devices supported by Replicant was given at the Replicant contributors meeting in July 2019. The "presentation slides": and "video": are available.

h2. Exynos 4 signature check

The Exynos4 bootrom checks signatures in an unusual way:
* The first-stage bootloader (BL1) is encrypted.
* How the signature is actually verified is not well understood[1].
* The header that holds the key has a field named "func_ptr_BaseAddr"[1], whose role in the verification is unknown.

h2. Tests to attempt

* Test with qemu[2] whether func_ptr_BaseAddr is used by the bootrom at all when it verifies the BL1.
* Try to understand better the scheme used to check the signature.
* Check whether the fuses can still be written (zeroed) and, if so, whether it would be computationally feasible to compute a private key matching an all-zero fuse hash. This amounts to finding a key whose digest is all zeros, i.e. a preimage attack on the hash function, which is not expected to be feasible for an unbroken hash of adequate width.
* Try to understand why encryption is used.
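To make the "zeroed fuses" question concrete, the following script (an added illustration, not code from the Replicant project or from the bootrom) models the search for a key whose digest has a given number of leading zero bits and measures how the trial count grows with that number. It assumes SHA-256 as a stand-in digest and a counter-derived byte string in place of a real public key; the actual Exynos4 digest algorithm and width are not given on this page.

```python
"""
Toy model of the "zeroed fuses" question from the test list above.

If the fuse bank held an all-zero digest, an attacker would need a key whose
digest is all zeros, i.e. a hash preimage.  This script searches for inputs
whose SHA-256 starts with `bits` zero bits and reports the trials needed,
which is expected to grow as 2**bits.  Assumptions (not from the wiki page):
SHA-256 stands in for the real digest, and an 8-byte counter stands in for a
public key.  A real search would have to generate a key pair per trial, which
only makes it slower than this model.
"""
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def meets_target(candidate: bytes, bits: int) -> bool:
    """True if the SHA-256 digest of `candidate` starts with `bits` zero bits."""
    return leading_zero_bits(hashlib.sha256(candidate).digest()) >= bits


def find_partial_preimage(bits: int, start: int = 0):
    """Return (candidate, trials) for the first counter-derived candidate whose
    digest has at least `bits` leading zero bits.  Deterministic for a given start."""
    counter = start
    trials = 0
    while True:
        candidate = counter.to_bytes(8, "big")  # stand-in for a public key
        trials += 1
        if meets_target(candidate, bits):
            return candidate, trials
        counter += 1


def expected_trials(bits: int) -> int:
    """Expected number of trials for a `bits`-bit preimage: one in 2**bits inputs matches."""
    return 2 ** bits


def expected_seconds(bits: int, trials_per_second: float) -> float:
    """Wall-clock estimate for a full search at the given trial rate."""
    return expected_trials(bits) / trials_per_second


if __name__ == "__main__":
    for bits in (8, 12, 16, 20):
        candidate, trials = find_partial_preimage(bits)
        print(f"{bits:3d} zero bits: {trials:8d} trials (expected about {expected_trials(bits)})")
    # Extrapolate to a full 256-bit preimage at an (assumed) rate of 10**12 trials per second.
    years = expected_seconds(256, 1e12) / (365 * 24 * 3600)
    print(f"256 zero bits at 1e12 trials/s: about {years:.3g} years")
```

The measured trial counts track 2**bits, so the full-width search is out of reach by an astronomically large margin; writing the fuses to zero would therefore only help if the bootrom treats an all-zero fuse value specially (for example by skipping the check), which is a separate question for the qemu or JTAG experiments.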

h2. Test setup

Either qemu[2] or a development board with JTAG can be used for these tests.

Testing with qemu[2] is probably much easier.