Bootloaders

Introduction

In order to run free software bootloaders, we need the ability to run the code we want at boot.

However, most smartphones and many tablets verify code signatures at boot, which prevents us from running free software bootloaders.

In practice:

Device configurations

| Device and documentation | Freedom situation | Boot order |
|---|---|---|
| Samsung Nexus S (i902x) | Proprietary, signed on the tested devices | ?->USB->?->eMMC->? |
| Samsung Galaxy S2 (i9100) | Proprietary, probably signed | ? |
| Samsung Galaxy Tab 2 | Proprietary, signed | ?->USB->?->eMMC->? |
| LG Optimus black (p970) | Unsigned, can be replaced with upstream u-boot | eMMC(MMC2)->USB |
| Galaxy SIII (I9300), Galaxy SIII 4G (I9305), Galaxy Note II (N7100), Galaxy Note II 4G (N7105) | Proprietary, signed; there is work in progress to understand if we can avoid the signature | ?->eMMC->?->USB->? |
| Golden Delicious GTA04 | Unsigned, free software | Aux not pressed during boot: ?; Aux pressed during boot: ?->SD->?->NAND; SYS_BOOT0 = 1, SYS_BOOT1 = 1, SYS_BOOT2 = 1, SYS_BOOT3 = 1, SYS_BOOT4 = 1, SYS_BOOT5 = AUX button, SYS_BOOT6 = 1 (but cannot find the reference manual for the DM370) |

System on a chip

| SOC and documentation | Freedom situation |
|---|---|
| Exynos 4 | Some or all devices are signed; work in progress to understand if it's possible to bypass the signature |
| BroadcomVideoCore | The SOCs have the ability to check signatures |
| TegraBootrom | Not all devices are signed; boot from USB is possible thanks to fusee_gelee |
| IMX 5 and 6 | Not all devices are signed; thanks to Ref_QBVR2017-0001.txt it's possible to bypass signatures anyway, and maybe load code through USB too |

Other attempts that involve bypassing the bootrom

There have been several security issues in bootroms that make it possible to run fully free software bootloaders under the user's control, even on devices that are configured to enforce bootloader signatures.

The most interesting security issues are those that make it possible to simply replace the nonfree bootloader with a free bootloader that is controlled by the user.

While being able to load a free bootloader through USB is nice, it's not enough per se as it has usability concerns: it's not convenient to need another computer each time you need to power on your smartphone or tablet.

According to a YouTube video, it seems that small enough USB dongles exist that implement fusee_gelee for the Nintendo Switch.

On Tegras, the bootrom can also be patched, as part of it ends up being in the fuse memory region, so it may be possible to patch the bootrom to bypass the code signature and not need such dongles.

Affected SOCs Type Link

Other links to categorize:

See also