GTI9100GBootloaderFreedom » History » Version 54

Denis 'GNUtoo' Carikli, 03/28/2020 11:56 PM

h1. I9100GBootloader

{{toc}}

h2. Documentation TODO

TODO:

* Check the OMAP4 SRAM size limit in the TRM.
* Check the load address / memory mapping of MLO for USB boot and for boot from eMMC in the TRM.
* Check the mmc1 booting constraints (card size; check whether cards smaller than 4GiB work) in the TRM.
* Read the TRM sections about SYS_BOOT and booting.
* Check if we can find new strings in leviathan's blog, or proof that he really flashed MLO.

h2. Findings, TODO and status

See [[OMAPBootrom]] for more information on the OMAP restricted boot.

* I've extracted the MLO, but I'm unsure of its size, and when I sent it through USB to the bootrom it failed. It might be because of the SRAM size limit, but in any case, as I don't know how to parse the signatures yet (I need to look at the wiki pages about breaking the Motorola restricted boot), I'm unsure of the exact binary size to send. Once I can parse them, I will know the exact size of the signed area and therefore of the binary.
* I've not managed to get any difference by booting from mmc1.
* I've not yet dumped the usual boot configuration registers such as SYS_BOOT.

Last news 27/03/2919:

hpagseddy and GNUtoo tried several tests on their respective devices, and the device always ended up going to the battery charging screen:

* Building xloader and loading it with omap-usb-boot through USB
* Same with the addition of a for(;;) loop in the code, to see if it hangs (it should hang if the code runs)
* Same but with the watchdog configured to reboot after 1 second (it should reboot if the code is correct and runs)

hpagseddy and GNUtoo also found that when using Odin to flash the MLO partition, the Odin interface makes the user think that the MLO partition was flashed correctly, while Odin didn't flash anything. That may be due to the partition being set Read-Only and/or to the "File Offset" and "File Size" being 0:

<pre>
-- Entry #0 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 1
Attributes: 0 (Read-Only)
Update Attributes: 0
Partition Block Size/Offset: 0
Partition Block Count: 0
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: X-loader
Flash Filename: MLO
FOTA Filename: 
</pre>
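
The two conditions named above (Read-Only attribute, zero block count) can be checked mechanically on a PIT entry. This is an added Python example, not code from the Replicant project: the X-loader entry bytes are constructed from the listing above, and the 132-byte entry layout (nine little-endian u32 fields followed by three 32-byte names, matching the field order the dump prints) is an assumption.

```python
"""Decode one Samsung PIT entry and list why a PIT-driven flash would write
nothing to it.  Added example; the 132-byte layout below is assumed."""
import struct
from dataclasses import dataclass
from typing import List

ENTRY_FORMAT = "<9I32s32s32s"            # assumed layout: 9 x u32, 3 x 32-byte name
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)  # 132 bytes per entry
ATTR_WRITE = 1                           # attribute bit for a writable partition (assumed)


@dataclass
class PitEntry:
    binary_type: int
    device_type: int
    identifier: int
    attributes: int
    update_attributes: int
    block_size_or_offset: int
    block_count: int
    file_offset: int
    file_size: int
    partition_name: str
    flash_filename: str
    fota_filename: str


def parse_entry(raw: bytes) -> PitEntry:
    """Unpack a single entry; names are NUL-terminated ASCII."""
    fields = struct.unpack(ENTRY_FORMAT, raw[:ENTRY_SIZE])
    names = (f.split(b"\0", 1)[0].decode("ascii", "replace") for f in fields[9:])
    return PitEntry(*fields[:9], *names)


def flash_problems(entry: PitEntry) -> List[str]:
    """Reasons a tool that honours the PIT would write no data to this entry."""
    problems = []
    if not entry.attributes & ATTR_WRITE:
        problems.append("partition is marked Read-Only")
    if entry.block_count == 0:
        problems.append("block count is 0, so there is nothing to write")
    return problems


# Constructed from the "Entry #0" listing on this page: all numeric fields are 0
# except Device Type (2, MMC) and Identifier (1).
XLOADER_ENTRY = struct.pack(ENTRY_FORMAT, 0, 2, 1, 0, 0, 0, 0, 0, 0,
                            b"X-loader", b"MLO", b"")
# Constructed writable entry for comparison (block count and names are made up).
KERNEL_ENTRY = struct.pack(ENTRY_FORMAT, 0, 2, 5, ATTR_WRITE, 0, 0, 16384, 0, 0,
                           b"KERNEL", b"zImage", b"")
```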

We know that nothing was successfully flashed because we dumped MLO and verified that the binary was signed, by checking whether it contained the strings that indicate a signature (PRIMAPP, KEYS, CertPK_).

h2. MLO versions

As MLO is under the GPLv2+, its binaries are also under that license.

This means that if the binaries are not signed, they are, legally and practically speaking, free software. So if we find the full and corresponding source code (which is, or was, probably distributed by Samsung on opensource.samsung.com) we can use and redistribute them very easily.

As for the signed versions, while we can legally distribute them as well, since they are also under a free software license, they are signed with keys that users don't have. If users don't have the ability to run modified versions, then they are, practically speaking, not free software.

Whether or not the binaries also work on unsigned devices, and whether they can be modified on such devices, remains to be tested.

|_. Device |_. Android version |_. String |_. Signed |_. Reference |_. Updates history |
| ? | ? | Texas Instruments X-Loader 1.41 (Jan 11 2012 - 23:25:41) | ? | "leviathan's blog":https://blog.the-leviathan.ch/?p=408 | |
| I9100G_CHN_CHN | Android 2.3.6 | Texas Instruments X-Loader 1.41 (Mar 20 2012 - 11:20:26) | Yes | GNUtoo's device | * It came with the signed unmodified stock OS
* A custom recovery for 2.3.6 found on XDA was installed
* The bootloader wasn't touched
* Besides KERNEL and RECOVERY, the rest of the partitions were left untouched |
| I9100G_CHN_CHN | Android 4.1.2 | Texas Instruments X-Loader 1.41 (Jun 27 2013 - 18:34:17) | Yes | hpagseddy's device | * It came with Android 4.0.4
* It was upgraded to 4.1.2 and many community custom distributions were installed |

h2. How to check if you have a signed bootloader

h3. How to check from the bootloader interface used to install the recovery

To do that you need to get into the ODIN MODE that is typically used to install the Replicant recovery:

# Start the device by holding the following key combination: *Volume down, Select, Power*,
# Hold the key combination until the device shows a *Warning* message,
# Confirm that you want to download a custom OS by pressing Volume up,
# Make sure the device is in *Downloading* mode.

When this is done, it should show some text:

<pre>
ODIN MODE
PRODUCT NAME: GT-I9100G_CHN_CHN
</pre>

Here CHN_CHN probably refers to the Chinese version, and it looks like that version has a signed bootloader. According to "a thread on the XDA developers forum":https://forum.xda-developers.com/galaxy-s2/development/guide-repair-totally-sleep-dead-boot-t1701471 "Means that you own a chinese bootloader locked I9100G. You can't flash any other bootloader than the chinese one."

h3. How to check with command line utilities

See [[FindOMAPDevicesWithUnsignedBootloderFromUSB]] for how to do that.

h3. Using the Android version or other device properties?

"hpagseddy/i9100g_xloader":https://github.com/hpagseddy/i9100g_xloader is based on "ths-backup/i9100g_xloader":https://github.com/ths-backup/i9100g_xloader which has only an ics (Ice Cream Sandwich, an Android version) branch. According to hpagseddy, that branch is also used for Android Jelly Bean.

It's still unclear if there is some correlation between the Android version and signed bootloaders.

The device that was given to [[People#Denis-GNUtoo-Carikli|GNUtoo]], which has a signed bootloader, also has the following characteristics:

*Software state*: Running the stock OS, unmodified
*Android version*: Android 2.3.6
*Baseband version*: IG9100GZCLC2
*Build number*: GINGERBREAD.ZCLC2
*Kernel version*: 2.6.35.7 se.infra@SEI-30#2

According to "a thread on XDA":https://forum.xda-developers.com/galaxy-s2/development/bootloader-t1754158 there is a correlation between the @Baseband version@ and the targeted geographic zone. And as we can see above, the @Build number@ seems to be related to the @Baseband version@ as well. While the list of baseband versions is incomplete, we can still use it to avoid the Chinese version (CHN_CHN), which has a signed bootloader.

At this point it's also still unclear if any of the other characteristics above correlate with signed or unsigned bootloaders.

As the binaries are under the GPLv2 or later, it would also be a good idea to collect all of them, match them with device characteristics like the @Build number@ and @Baseband version@, and verify whether they are signed or not with some free software tool.

We could even publish the unsigned versions. As for the signed versions, if they cannot run on devices that don't enforce bootloader signatures, it would probably not be a good idea to publish them, as the binaries wouldn't respect the 4 freedoms, but we can still check with the FSF if they have good ideas on that point.
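
The string check used in the Findings section (PRIMAPP, KEYS, CertPK_) and the idea of verifying collected binaries with a free software tool, as an added Python example that is not a Replicant tool: it scans a dump for the three marker strings and extracts the "Texas Instruments X-Loader" banner used as the identifier in the table above. The two sample dumps are constructed; the markers-present rule is the page's heuristic and is not a signature verification.

```python
"""Heuristic MLO check: are the TI signature marker strings present, and
which X-Loader banner does the dump carry?  Added example; samples constructed."""
import re
from typing import Dict, List, Optional

SIGNATURE_MARKERS = (b"PRIMAPP", b"KEYS", b"CertPK_")   # strings named on this page
BANNER_RE = re.compile(rb"Texas Instruments X-Loader [0-9.]+ \([^)]{0,40}\)")


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Offsets of every occurrence of each signature marker (heuristic only)."""
    return {m.decode(): [hit.start() for hit in re.finditer(re.escape(m), data)]
            for m in SIGNATURE_MARKERS}


def looks_signed(data: bytes) -> bool:
    """True when all three markers are present, the rule used on this page."""
    return all(find_markers(data).values())


def xloader_banner(data: bytes) -> Optional[str]:
    """The 'Texas Instruments X-Loader x.yz (date)' string, if present."""
    hit = BANNER_RE.search(data)
    return hit.group(0).decode() if hit else None


def describe(data: bytes) -> str:
    """One-line summary suitable for filling the MLO versions table."""
    banner = xloader_banner(data) or "no X-Loader banner found"
    verdict = "signed (HS markers present)" if looks_signed(data) else "no signature markers"
    return f"{banner}; {verdict}"


def _sample(banner: bytes, markers: bytes) -> bytes:
    """Constructed stand-in for a dump: zero padding with the strings embedded."""
    blob = bytearray(0x400)
    blob[0x40:0x40 + len(banner)] = banner
    blob[0x200:0x200 + len(markers)] = markers
    return bytes(blob)


# Constructed samples; the banners are the ones listed in the table above.
SIGNED_SAMPLE = _sample(b"Texas Instruments X-Loader 1.41 (Mar 20 2012 - 11:20:26)",
                        b"KEYS\0PRIMAPP\0CertPK_\0")
UNSIGNED_SAMPLE = _sample(b"Texas Instruments X-Loader 1.41 (Jan 11 2012 - 23:25:41)", b"")
```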
h2. Online resources

* "[GUIDE]Switch between Chinese I9100G & international I9100G SafeWay":https://forum.xda-developers.com/galaxy-s2/development/guide-switch-chinese-i9100g-t1916623 : Nothing conclusive. That guide applies only to the CHN_CHN version. Here people are booting a signed MLO from USB to switch the second stage bootloader from the Chinese version to the international version. That doesn't tell whether other versions of the device have a signed or unsigned MLO.
* "[GUIDE][GT-I9100G]Repair Totally Sleep/Dead Boot Mode Via USB":https://forum.xda-developers.com/galaxy-s2/development/guide-repair-totally-sleep-dead-boot-t1701471 : It's not clear if it brings any information. Here we know that on the Chinese versions "You can't flash any other bootloader than the chinese one." but it's not clear why. There are also logs from a proprietary tool that is meant to load code from USB, but it's not clear where the information it prints comes from (the files? the interaction with the SoC?). TODO: re-read the logs output by this tool and try to understand what's going on.
* Leviathan's blog with "I9100G, boot loader and UART":https://blog.the-leviathan.ch/?p=408 and "USB on Samsung Galaxy S2 (I9100G)":https://blog.the-leviathan.ch/?p=405 : After searching the blog with a search engine, these were the only 2 posts about the bootloader. There is no indication that an unsigned version of MLO was built and flashed to that device.
* http://forum.gsmhosting.com/vbb/f777/guide-samsung-gt-i9100g-usb-boot-repair-1488048/index3.html TODO: look into it

h2. TODO

* Document the various firmware versions mentioned here: https://www.sammobile.com/samsung/galaxy-s2/firmware/#GT-I9100G
* Understand how to get unsigned versions (Android version, serial number, etc.)
* Get a device with an unsigned bootloader and u-boot, and ask Samsung for the source code
* Check the boot order on unsigned devices (is it possible to boot from USB easily?)
* Try to boot the xloader nevertheless, as the device could be in some "verify but not enforce" mode for signatures