OMAPBootrom » History » Version 15

Denis 'GNUtoo' Carikli, 03/29/2020 12:46 AM

h1. OMAPBootrom

h2. Generic documentation

TODO: Read the various TRMs and push the info to Wikidata:

* Check the SRAM size limit of the various SOCs in the TRM.
* Check the load address / memory mapping of the MLO in case of USB boot or boot from eMMC in the TRM.
* Check the MMC1 booting constraints (card size; look whether < 4 GiB works) in the TRM.
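The load address that the TODO above wants checked against the TRM is also declared inside the MLO itself: a GP (non-HS) boot image starts with an 8-byte header holding the payload size and the destination address, optionally preceded by a 512-byte Configuration Header (CH) made of 32-byte table-of-contents entries. The parser below is an added example, not code from this wiki page or from any project it mentions; it assumes the layout that u-boot's mkimage writes for its omapimage type, and the SRAM window passed to fits_in_sram is a constructed value that has to be replaced by the one from the TRM of the SOC in question. It does not handle the signed (HS) image format, which is not documented here.

```python
import struct

# Layout assumed here (same form as u-boot's mkimage "omapimage" output):
# an optional 512-byte Configuration Header (CH) of 32-byte TOC entries
# (offset u32, size u32, 12 unused bytes, 12-byte name), terminated by an
# entry whose offset and size are both 0xFFFFFFFF, followed by the 8-byte
# GP header: payload size (u32 LE) and destination/load address (u32 LE).
CH_HEADER_LEN = 512
CH_TOC_ENTRY_LEN = 32
GP_HEADER_LEN = 8
TOC_END = 0xFFFFFFFF
KEY_CHSETTINGS = 0xC0C0C0C1  # section key of the CHSETTINGS block


def parse_ch_toc(blob):
    """Return the CH table of contents as a list of (name, offset, size),
    or None when the blob does not start with a Configuration Header."""
    entries = []
    for i in range(CH_HEADER_LEN // CH_TOC_ENTRY_LEN):
        entry = blob[i * CH_TOC_ENTRY_LEN:(i + 1) * CH_TOC_ENTRY_LEN]
        if len(entry) < CH_TOC_ENTRY_LEN:
            return None
        offset, size = struct.unpack_from("<II", entry, 0)
        if offset == TOC_END and size == TOC_END:
            break  # end-of-TOC marker
        name = entry[20:32].split(b"\0", 1)[0]
        if not name.isalnum():  # TOC names are plain ASCII such as CHSETTINGS
            return None
        entries.append((name.decode("ascii"), offset, size))
    else:
        return None  # no terminator inside 512 bytes: not a CH at all
    return entries if entries and entries[0][0] == "CHSETTINGS" else None


def parse_gp_image(blob):
    """Parse a GP boot image and return its header fields plus the payload.
    Raises ValueError when the size field does not fit the file."""
    toc = parse_ch_toc(blob)
    gp_off = CH_HEADER_LEN if toc is not None else 0
    if len(blob) < gp_off + GP_HEADER_LEN:
        raise ValueError("file too short for a GP header")
    size, load_addr = struct.unpack_from("<II", blob, gp_off)
    payload_off = gp_off + GP_HEADER_LEN
    if size == 0 or payload_off + size > len(blob):
        raise ValueError("GP header size %#x does not fit the file" % size)
    return {
        "has_ch": toc is not None,
        "ch_toc": toc or [],
        "size": size,
        "load_addr": load_addr,
        "payload": blob[payload_off:payload_off + size],
    }


def header_is_consistent(blob):
    """True when the GP header agrees with the file length (cheap sanity
    check before trusting the load address an MLO declares)."""
    try:
        parse_gp_image(blob)
        return True
    except ValueError:
        return False


def fits_in_sram(info, sram_base, sram_len):
    """True when the payload, placed at load_addr, stays inside the SRAM
    window (base, length) the caller took from the SOC's TRM."""
    start = info["load_addr"]
    end = start + info["size"]
    return sram_base <= start and end <= sram_base + sram_len


def build_gp_image(payload, load_addr, with_ch=False):
    """Construct a GP image around a payload so the parser can be exercised
    offline; this mirrors the layout above, it is not a bootloader build."""
    gp = struct.pack("<II", len(payload), load_addr)
    if not with_ch:
        return gp + payload
    # One CHSETTINGS TOC entry pointing at a 12-byte settings block at 0xA0,
    # then the 0xFF terminator entry, the block itself, zero padding to 512.
    toc = struct.pack("<II", 0xA0, 12) + b"\0" * 12 + b"CHSETTINGS".ljust(12, b"\0")
    toc += b"\xff" * CH_TOC_ENTRY_LEN
    settings = struct.pack("<IBBHI", KEY_CHSETTINGS, 0, 1, 0, 0)  # key, valid, version, reserved, flags
    return (toc.ljust(0xA0, b"\0") + settings).ljust(CH_HEADER_LEN, b"\0") + gp + payload


if __name__ == "__main__":
    # Constructed sample: a 100-byte dummy payload and a made-up load address.
    sample = build_gp_image(b"\xaa" * 100, 0x40200800, with_ch=True)
    info = parse_gp_image(sample)
    print("CH present: %s, size %d, load address %#x"
          % (info["has_ch"], info["size"], info["load_addr"]))
```

Run it against a real MLO with `parse_gp_image(open("MLO", "rb").read())` and compare the reported load address with the SRAM map in the TRM; a header whose size field overruns the file is the first thing to suspect when a board refuses to boot a rebuilt image.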

Also:

* Read the TRM sections about SYS_BOOT and booting and document that; ideally write a tool for it, or upstream the code into some other tool.

h2. Documentation

The "droiddevelopers website":http://droiddevelopers.org has some information on trying to use bugs to run free software on several Motorola devices.

| Device | SOC |
| "Motorola Milestone":https://en.wikipedia.org/wiki/Motorola_Milestone | OMAP 3430 |
| "Motorola Milestone 2":https://en.wikipedia.org/wiki/Motorola_Milestone_2 | OMAP 3630 |
| "Motorola Defy (MB525)":https://en.wikipedia.org/wiki/Motorola_Defy | OMAP3630? |
| Motorola Defy+ (MB526) | OMAP3 (which one?) |

That website has a lot of information:

* It has documentation on the structure of signed MLOs.

TODO:

* Read droiddevelopers more to understand restricted boot better.
* The OMAP wiki might also have some information on OMAP restricted boot.
* Also look whether there is substantial information in the Technical Reference Manual (TRM) about fuses, but that's unlikely.

h2. Code

* As of March 2020, there is no fuse driver or code for any OMAP in u-boot, Barebox, Linux, or crucible.
* The U-Boot documentation mentions TI tools that have to be obtained after signing an NDA.
* TODO: check if chipsec has info on OMAP fuses.

h2. Possible attacks

* Even if it's unlikely, once we understand the OMAP restricted boot better, we could check if some devices are signed but not in enforcing mode.

h2. Simply replacing the SOC with a GP version

On IRC there was some interest in replacing the SOC by simply unsoldering it and resoldering a GP OMAP.

For some SOCs like the Allwinner A20, "it looks relatively easy to do":https://olimex.wordpress.com/2014/05/29/bga-chips-soldering-and-replacement-tutorial/ . That is probably not the case for every SOC, as simply soldering a SOC can be really complicated sometimes (look up reballing for more details on how things can go wrong and how it's typically repaired).

TODO:

* Identify the very precise SOC and make sure that POP is not needed!!! It's a pain to find factories that still know how to do that. See the "issue that the GTA04":http://laforge.gnumonks.org/blog/20170306-gta04-omap3_pop_soldering/ and the Neo900 are having with that.
* Find a way to test the device once the SOC has been replaced for the very first time: we can compile the Xloader source code, load that, and get some prints on the UART. However, we need to make sure that we can work in tandem with the person doing the SOC swap in order to validate that everything works together. If not, that person might just restore the normal bootloader and declare the "repair" a success, for instance. Or the person might expect the display to work, or expect the stock bootloader, which might not even work in GP mode because we don't have TrustZone there. The downstream Linux might not work either because of TrustZone, and the upstream Linux might lack a display driver, for instance.
* Write code that initializes the display and probably does a complete test of the device, to make it easier for people who swap the OMAPs to check whether the device works.
* Find out how to handle the amount of work combined with the insecurity of the supply chain for the OMAPs: if we buy only one OMAP, do a lot of work, and when the work is done can't find any more, that would not be a good idea. If we buy a lot and nobody does the work, it won't be a good idea either. We don't want to force people to work on things either, as it would be a very strong attack on their freedom.

Devices:

* It's probably easier to start with a Galaxy SII (GT-I9100G), as it has a microSD slot and its UART is exported through the USB connector. The microSD slot could be used to boot over the microSD easily.
* We need to check the upstream status of that device.
* Replicant 6.0 support is not that important, because if we get rid of TrustZone we will probably not be able to run the downstream kernel.

h2. Links

* http://www.droid-developers.org : This site documents attempts to run user code on several Motorola smartphones. It includes analysis of the boot chain:
** "Application_Processor_Boot_ROM":http://www.droid-developers.org/wiki/Application_Processor_Boot_ROM
** "Booting_chain":http://www.droid-developers.org/wiki/Booting_chain