Version 7 - History - Exynos4Bootrom - Replicant

Exynos4Bootrom » History » Version 7

Kurtis Hanna, 09/21/2019 06:55 PM
changed from to form

-Denis 'GNUtoo'  Carikli
+h1. Exynos4 Bootrom
 h2. Background information
 The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.
 A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The "presentation slides":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.pdf and "video":https://ftp.osuosl.org/pub/replicant/conferences/replicant-contributors-meeting-july-2019-france/replicant-and-bootloaders.webm are available.
 h2. Exynos 4 signature check
 The Exynos4 bootrom has a strange way to check the signatures:
 * The first stage bootloader is encrypted
 * The signature check is not very clear[1]
 * The header that holds the key has a "func_ptr_BaseAddr" field[1].
 h2. Tests to attempt
-Denis 'GNUtoo'  Carikli
+* Test with qemu[2] if func_ptr_BaseAddr is somehow used by the bootrom, when verifying the BL1.
-Denis 'GNUtoo'  Carikli
+* Try to understand better the scheme used to check the signature.
-Kurtis Hanna
+* Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash.
-Denis 'GNUtoo'  Carikli
+* Try to understand why encryption is used.
 Denis 'GNUtoo'  Carikli
 h2. Test setup
-Denis 'GNUtoo'  Carikli
+Either qemu[2] or a development board with JTAG can be used to do the test.
 Denis 'GNUtoo'  Carikli
-Denis 'GNUtoo'  Carikli
+Testing with qemu[2] is probably way more easy.
 Denis 'GNUtoo'  Carikli
 fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
 Kurtis Hanna
-Denis 'GNUtoo'  Carikli
+fn2. https://github.com/frederic/qemu-exynos-bootrom
 Denis 'GNUtoo'  Carikli
-Kurtis Hanna
+h2. Loading a bootloader from SD
 Denis 'GNUtoo'  Carikli
 When booting Parabola with a Replicant 9 kernel on a Galaxy SIII (i9300), it is possible to erase the bootloader to make the device boot from the microSD instead.
 This could be used to do some testing, for instance to see if the BL1 signature can somehow be bypassed, however as no free software bootloaders do exist yet (u-boot relies on nonfree and non-redistributable software), this is not very useful yet.
 If you really want to erase the bootloader (your device will be broken and will never boot anymore), you could run the following:
 <pre>
 # echo 0 > /sys/class/block/mmcblk2boot0/force_ro
 # ddrescue -f /dev/zero /dev/mmcblk2boot0
 GNU ddrescue 1.24
 Press Ctrl-C to interrupt
      ipos:    4194 kB, non-trimmed:        0 B,  current rate:   4194 kB/s
      opos:    4194 kB, non-scraped:        0 B,  average rate:   4194 kB/s
 non-tried:    9223 PB,  bad-sector:        0 B,    error rate:       0 B/s
   rescued:    4194 kB,   bad areas:        0,        run time:          0s
 pct rescued:    0.00%, read errors:        0,  remaining time:         n/a
                               time since last successful read:         n/a
 Copying non-tried blocks... Pass 1 (forwards)
 ddrescue: Write error: No space left on device
 </pre>
 And then verify that it's erased:
 <pre>
 # hexdump -C /dev/mmcblk2boot0
 00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00400000
 </pre>
 Also verify that the following partitions are also erased:
 * mmcblk2boot1
 * BOTA0
 * BOTA1
 I'm not sure what BOTA0 and BOTA1 are but they were already blank in my case.

Project

General

Profile

Replicant

Exynos4Bootrom » History » Version 7