Bootloaders¶

Introduction¶

In order to run free software bootloaders, we need the ability to run the code we want at boot.

However in most smartphones and many tablets use code signature at boot, which prevent us to run free software bootloader.

In practice:

Some system on a chip either don't implement code signature or the implementation is not used or tested.
For some other system on a chip, it's up to the device vendor to choose to implement code signature or not.
For some system on a chip, we don't know any devices not enforcing code signature, but we don't know who decided to enforce the code signature.

Device and documentation	Freedom situation	Boot order
Samsung Nexus S (GT-I902x)	Proprietary, Signed on the tested devices	?->USB->?->eMMC->?
Samsung Galaxy S2 (GT-I9100)	Proprietary, probably Signed	?
Samsung Galaxy S2 (GT-I9100G)	* Unsigned on some devices * Signed on some devices	?
Samsung Galaxy Tab 2	Proprietary, signed	?->USB->?->eMMC->?
LG Optimus black (p970)	unsigned, can be replaced with upstream u-boot	eMMC(MMC2)->USB
Galaxy SIII (I9300) Galaxy SIII 4G (I9305) Galaxy Note II (N7100) Galaxy Note II 4G (N7105)	* Proprietary, Signed * There is work in progress to understand if we can avoid the signature	?->eMMC->?->USB->?
Golden Delicous GTA04	unsigned, free software	* Aux not pressed during boot: ? * Aux pressed during boot: ?->SD->?->NAND SYS_BOOT0 = 1 SYS_BOOT1 = 1 SYS_BOOT2 = 1 SYS_BOOT3 = 1 SYS_BOOT4 = 1 SYS_BOOT5 = AUX button SYS_BOOT6 = 1 But cannot find Reference manual for the DM370
Pinephone	Unsigned free software bootloader
Librem5	Unsigned bootloader, nonfree DDR4 controller firmware

Other devices with free software and unsigned bootloaders:

Openmoko GTA01 and GTA02: cannot run Replicant (only has 128M of RAM, armv4t).
Many single board computers: They are not very practical to use as a smartphone or tablet, though they could be added along the way to Replicant 9 if there is some interest
Older PDA like the OMAP4 Blaze: Check if they can easily be found: they were very expensive. Also check the upstream status. See TargetsEvaluation for such devices.

Other:

Optimus 3D: There is probably a leaked key for signing the bootloader
FindDevicesWithUnsignedBootloaedrs: Project to find devices with free software bootloader at a very large scale

SOC and documentation	Freedom situation
OMAP	* No known bug * Some devices are not signed
Exynos 4	* Some or all devices are signed * work in progress to understand if it's possible to bypass the signature
BroadcomVideoCore	The SOCs have the ability to check signatures
TegraBootrom	* Not all devices use code signature * Boot from USB is possible thanks to fusee_gelee * Code can be appended to the bootrom by writing in a fuse area. Could that be used to disable code signature ?
IMX 5 and 6	* Not all devices are signed * Thanks to Ref_QBVR2017-0001.txt it's possible to bypass signatures anyway, and maybe load code through USB too

Some of the tools below can also be used to find devices that don't have restricted boot.

Tool	Uses	supported hardware	Pakckages	Howto
omap-usb-boot	* checking if the device is has restricted boot * Loading bootloaders from USB * booting on a different boot media	OMAP3, OMAP4, OMAP5	Parabola , Archlinux through AUR	* check if the device has restricted boot through USB
omap-u-boot-utils	* Loading bootloaders from USB * Loading bootloaders from the UART	OMAP3, OMAP4	Parabola , Archlinux through AUR	?
crucible	* checking fuses settings	i.MX53, i.MX6DL, i.MX6DQ, i.MX6SL, i.MX6SLL, i.MX6SX, i.MX6UL, i.MX6ULL, i.MX6ULZ, i.MX7D, i.MX7ULP	TODO	TODO
cbootimage	* Generate images * Dump images (including signatures?)	Tegra ?	Parabola , Archlinux through AUR
tegrarcm	* Load bootloaders from USB	Tegra ?	TODO	TODO
0xFFFF	* Load signed bootloaders (-c) from USB	OMAP3430 and OMAP3630 Might be easy to add more OMAP3 by just commenting code in cold-flash.c	TODO, patch for libusb1	TODO
sunxi-tools	?	Allwinner SOCs?	Parabola, archlinux	TODO