Exynos4Bootrom » History » Revision 5
Revision 4 (Kurtis Hanna, 08/20/2019 03:17 PM) → Revision 5/28 (Kurtis Hanna, 08/20/2019 03:24 PM)
h1. Exynos4 Bootrom

h2. Background information

The Replicant project wants to support devices with free software bootloaders, but most, if not all, of the smartphones and tablets supported by Replicant check the signature of the first stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was given at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and the "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available.

h2. Exynos 4 signature check

The Exynos4 bootrom has an unusual way of checking signatures:
* The first stage bootloader (BL1) is encrypted.
* The signature check itself is not well understood[1].
* The header that holds the key has a "func_ptr_BaseAddr" field[1].

h2. Tests to attempt

* Test with qemu[2] whether func_ptr_BaseAddr is used in any way by the bootrom when it verifies the BL1.
* Try to better understand the scheme used to check the signature.
* Try to see whether the fuses can still be written (zeroed), and whether it is computationally feasible to compute the private key corresponding to a zeroed fuses hash.
* Try to understand why encryption is used.

h2. Test setup

Either qemu[2] or a development board with JTAG can be used to run the tests. Testing with qemu[2] is probably much easier.

fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html

fn2. https://github.com/frederic/qemu-exynos-bootrom