GalaxyS3I9300PrivacySecurityEvaluation » History » Version 30
Denis 'GNUtoo' Carikli, 09/06/2020 11:47 PM
update bootrom
1 | 1 | Denis 'GNUtoo' Carikli | h1. GalaxyS3I9300PrivacySecurityEvaluation |
---|---|---|---|
2 | |||
3 | 2 | Denis 'GNUtoo' Carikli | Note that this information may or may not be exhaustive. |
4 | It also may or may not contain all known issues or good points about this device. |
5 | 1 | Denis 'GNUtoo' Carikli | |
6 | 5 | Denis 'GNUtoo' Carikli | h2. General freedom issues on the Galaxy S 3 (I9300): |
7 | |||
8 | 26 | Denis 'GNUtoo' Carikli | * The bootloader is proprietary and signed. It's only possible to replace part of it. |
9 | 27 | Denis 'GNUtoo' Carikli | * The bootloader also loads a proprietary OS on the main CPU, in "TrustZone":https://en.wikipedia.org/wiki/Trusted_execution_environment. See "this analysis":https://sensepost.com/blog/2013/a-software-level-analysis-of-trustzone-os-and-trustlets-in-samsung-galaxy-phone/ for more details on the precise implementation for the Galaxy SIII. |
10 | 25 | Denis 'GNUtoo' Carikli | * Some peripherals do require proprietary firmwares to work. |
11 | ** See [[GalaxyS3I9300LoadedFirmwares|some of which have to be loaded by the system]]. |
12 | ** See also the "Missing without non-free firmwares" status in [[ReplicantStatus]]. |
13 | 30 | Denis 'GNUtoo' Carikli | * The bootrom is the first code that is executed. That code is stored in a read-only memory and has no free license: see "freedom-privacy-security-issues":https://www.replicant.us/freedom-privacy-security-issues.php for more details. |
14 | 28 | Denis 'GNUtoo' Carikli | * The hardware is proprietary, and we are not aware of any complete schematics being available anywhere on the Internet. |
15 | 1 | Denis 'GNUtoo' Carikli | |
16 | 5 | Denis 'GNUtoo' Carikli | h2. Modem related: |
17 | 6 | Denis 'GNUtoo' Carikli | |
18 | 5 | Denis 'GNUtoo' Carikli | The modem runs non-free software, which is loaded but not shipped by Replicant. |
19 | 29 | Denis 'GNUtoo' Carikli | * When using flight mode, the main CPU has to ask the modem to put itself in low power mode (and not transmit anymore). |
20 | ** When booting Replicant 6 in flight mode, the modem still communicates with the SIM card. |
21 | ** When booting Replicant 6 with the modem disabled (modem.sh off), whether in flight mode or not, the SIM card is not accessed. |
22 | 1 | Denis 'GNUtoo' Carikli | * The modem is isolated: |
23 | 24 | Denis 'GNUtoo' Carikli | ** It doesn't use shared memory to communicate with the main CPU, instead it uses HSIC, which is a version of USB 2.0 meant to interface chips together directly. Here the modem also cannot change USB IDs without having the main CPU reset the HSIC bus. |
24 | 15 | Wolfgang Wiedmeyer | ** We are not aware of it being able to access the GPS, but it wouldn't be surprising if it still could (through a direct connection to it; since no schematics are publicly available, we have no easy way to check). |
25 | 3 | Denis 'GNUtoo' Carikli | ** It has no access to the other CPU peripherals. |
26 | 7 | Denis 'GNUtoo' Carikli | * "Terminal profile":https://terminal-profile.osmocom.org/decode.php?tp=ffffffff7f1f00dfff00001fa2010a860749000000000000000000000010 |
27 | 5 | Denis 'GNUtoo' Carikli | |
28 | 6 | Denis 'GNUtoo' Carikli | h2. TODO: |
29 | 5 | Denis 'GNUtoo' Carikli | |
30 | 13 | Denis 'GNUtoo' Carikli | * Investigate its terminal profile |
31 | 16 | Wolfgang Wiedmeyer | * Investigate device factory reset security in both Replicant and its recovery (Does it really wipe files?) |
32 | 14 | Denis 'GNUtoo' Carikli | * Investigate the flash layout, EMMC partitions, EMMC firmware |
33 | 23 | Denis 'GNUtoo' Carikli | * The Exynos 4412 reference manual says that the PMIC firmware can be reflashed (see the IROM_DATA_REG0 register in subsection 8.8.1.45 of Chapter 8 (Power Management Unit)). |