GTI9100GBootloaderFreedom » History » Revision 27

Revision 26 (Denis 'GNUtoo' Carikli, 03/25/2020 04:57 AM) → Revision 27/56 (Denis 'GNUtoo' Carikli, 03/25/2020 04:59 AM)

h1. I9100GBootloader 


 h2. Findings, TODO and status 

 * The I9100G of hpagseddy is unsigned but the omap-usb-tool says the soc is in HS mode. 
 * If I recall well, the string was verified by hpagseddy, so MLO was flashed and ran 
 * MLO was flashed through heimdall frmo Android 4.x bootloader's odin mode 
 * GNUtoo laptop works fine with heimdall with Android 2.3.6 bootloader while GNUtoo desktop doesn't 
 ** The device can easily be stuck in "PC screen mode" with the Android 2.3.6 bootloader, so beware if your computer doesn't manage to talk to heimdall in that mode 
 ** It might be related to USB timings or to the unfinished coreboot port for the F2A85M-PRO or the fact that I don't use nonfree firmware/fpga binary for the USB3 on the F2A85M-PRO so the machine is stuck on USB2 with USB3 hardware and I've no idea if that has some impacts or not. My laptop is a Thinkpad X200 with USB2. 

 We need to solve this OMAP HS mystery: 
 * I've looked at u-boot, barebox, linux, crucible and I didn't find any driver or code for fuses for any OMAP SOC. 
 * GNUtoo is in Paris where we're confined in our homes due to COVID-19 and I can't afford to brick my GT-I9100G 
 * It might be due to the fuses having been programmed with the hash of a key / certificate but not being in enforcing mode. 
 * The website for breaking motorolla restricted boot is only about OMAP3 devices but it contains infos on the structure of signed MLO 
 * I've tried loading hpagseddy's MLO from USB with omap-usb-tool and I cound't validate that the code ran: 
 ** I tried playing with the WDT (easy) => no difference 
 ** I tried printing something to the UART in a for(;;) loop => no difference 
 * I've extracted the MLO but I'm unsure of its size and when I sent it through USB to the bootrom it failed. It might be because of the sram size limit but anyway as I don't know how to parse signatures yet (I need to look at the wiki for breaking motorolla restricted boot) I'm unsure of the exact binary size to send. Once I can parse that stuff, I will know the exact size of the signed area and so of the binary. 
 * I've not managed to get any difference by booting from mmc1 
 * I've not dumped yet the usual register for booting configuration like SYS_BOOT 

 TODO while reading the TRM: 
 * check the device's OMAP4 the sram size limit 
 * check the load address / memory mapping of MLO in case of USB boot or boot from eMMC. 
 * Check mmc1 booting constraint (card size, look if < 4GiB works) 
 * Read about SYS_BOOT and booting, though fuse infos is most probably missing 

 * If infos about fuses are ever found, ideally found: 
 * Ideally write drivers and upstream them in Linux, u-boot, Barebox and crucible 
 * Look if crucible is good for adding infos about OM pins, SYS_BOOT etc. Not sure if Linux exports such registers and where 

 h2. How to check if you have a signed bootloader 

 h3. How to check from the bootloader interface to install the recovery. 

 To do that you need to get into the ODIN MODE that is typically used to install the Replicant recovery: 

 # Start the device by holding the following key combination: *Volume down, Select, Power*, 
 # Hold the key combination until the device shows a *Warning* message. 
 # Confirm that you want to download a custom OS using volume up 
 # Make sure the device is in *Downloading* mode 

 When this is done, it should show some text: 

 Here CHN_CHN probably refers to the Chinese version. And it looks like that version has a signed bootloader: According to "a thread on the XDA developers forum": "Means that you own a chinese bootloader locked I9100G. You can't flash any other bootloader than the chinese one." 

 h3. How to check with command line utilities 

 To get the bootrom to try to boot on USB, you need to do the following: 
 * Connect the USB cable to the device but make sure it's not connected on the computer. 
 * Power off the device 
 * Connect the USB cable 

 If we do that, we get the following in the kernel log of your laptop: 
 usb 1-1: new high-speed USB device number 24 using ehci-pci 
 usb 1-1: unable to get BOS descriptor or descriptor too short 
 usb 1-1: New USB device found, idVendor=0451, idProduct=d00f, bcdDevice= 0.00 
 usb 1-1: New USB device strings: Mfr=33, Product=37, SerialNumber=0 
 usb 1-1: Product: OMAP4430 
 usb 1-1: Manufacturer: Texas Instruments 

 Note that your kernel might need to be compiled with CONFIG_USB_ANNOUNCE_NEW_DEVICES=y 
 to print that. In Parabola CONFIG_USB_ANNOUNCE_NEW_DEVICES=y is enabled. 

 We can also try to get a bit more infos with omap-usb-boot: 
 $ sudo omap-usb-boot -v -w boot invalidbootmedia 
 Finding and opening USB device 
 Found and opened omap4 USB device: OMAP4430 
 ASIC device id: 4430, HS device 
 Booting from device invalidbootmedia... 
 Booting device invalidbootmedia not found 
 Booting from device failed 

 Here we know the device is signed because it's a "HS device". 
 If it was not signed it would print "GP device" instead. 

 h3. Using the Android version or other devices properties? 

 "hpagseddy/i9100g_xloader": is based on "ths-backup/i9100g_xloader": which has an ics (Icecream Sandwitch, an Android version) branch only. According to hpagseddy, that branch is also used for Android Jelly brean. 

 It's still unclear if there is some correlation between Android version and signed bootloaders. 

 The device that was given to [[People#Denis-GNUtoo-Carikli|GNUtoo]] that has a signed bootloader also has the following characteristics: 

 *Software state*: Running the stock OS, unmodified 
 *Android version*: Android 2.3.6 
 *Baseband version*: IG9100GZCLC2 
 *Build number*: GINGERBREAD.ZCLC2 
 *Kernel version*: se.infra@SEI-30#2 

 According to "a thread on XDA": there is a corelation between the @Baseband version@ and the geographic zone that is targeted. And as we can see above, the @Build number@ seem to be related to the @Baseband version@ as well. While the list of baseband versions is incomplete, we can still use it to avoid the Chinese version (CHN_CHN) which has a signed bootloader.  

 At this point it's also still unclear if any of the other characteristics above correlate to signed or unsigned bootloaders. 

 As the binaries are under the GPLv2 or later, It would also be a good idea to collect all of them, match them with the device characteristics like the @Build@ number and @Baseband version@, and verify if they are signed or not with some free software tool. 

 We could even publish the unsigned versions. As for the signed versions, if they cannot run on devices that don't enforce bootloader signatures, it would probably not be a good idea to publish them as the binaries wouldn't respect the 4 freedoms, but we can still check with the FSF if they have good ideas on that point. 

 h2. Source code 

 * This got rebuilt and flashed, and it worked on the device it was tested on. 

 h2. TODO 

 * Document the various firmware version mentioned here: 
 * Understand how to get unsigned versions (Android version, serial number, etc) 
 * Get a device with an unsigned bootloader and u-boot and ask samsung for source code 
 * Check the boot order on unsigned devices (is it possible to boot from USB easily?) 
 * Try to boot the xloader nevertheless, as the device could be in some "verify but not enforce mode" for signatures