BroadcomVideoCore » History » Version 2
Denis 'GNUtoo' Carikli, 02/24/2020 03:10 AM
h1. BroadcomVideoCore

h2. Devices

The Raspberry Pi does not use code signing, but smartphones using the same SoC may have it enabled.

h2. IRC Logs to sort

<pre>
03:00 < clever> ive also cracked the signing keys on the rpi4 fully, and now know how they get generated
03:01 < clever> so i could (in theory) re-extract them from another broadcom product in the future, with less effort
[...]
03:01 < clever> assuming i get execute on the VPU somehow
[...]
03:03 < clever> basically, there is 20 bytes of "salt" in the mask rom, which gets combined with 16 bytes from the OTP, to create the real 20byte hmac-sha1 key
03:04 < clever> you need to understand how .data gets copied from rom->ram (since its an XIP rom), and then find the code that merges the 2, to know what offset in ram to read
[...]
03:08 < clever> GNUtoo: but, ive also heard that the 2nd revision of the mask rom, has proper pub/priv RSA support
03:08 < clever> if they choose to turn that on, we are screwed
[...]
03:15 < clever> all of the broadcom chips in the pi's, have ~60 OTP registers, each 32 bits wide
[...]
03:16 < clever> got a total of ~268 bytes of OTP
03:16 < clever> for*
[...]
< clever> GNUtoo: i do also have some new info on the rpi4 mask rom boot order, that you might want in the wiki
03:19 < clever> GNUtoo: the rpi4, can boot from 3 places, in this order: #1 recovery.bin on the SD card, #2 a tagged blob in SPI flash, #3 usb-device boot
03:19 < clever> GNUtoo: but, you can use OTP to configure any gpio pin, to disable #1 or #2 (and you can set 2 pins, one for each)
[...]
03:22 < clever> 2020-02-21 16:25:14 < clever> for extra confusion, there are 2 sets of numbers for each SoC
03:22 < clever> 2020-02-21 16:27:12 < clever> ali1234: 2838 and 2711 are both rpi4
03:22 < clever> 2020-02-21 16:27:47 < clever> ali1234: 2835 and 2708 are rpi1, i think
03:22 < clever> so the rpi4 is called both bcm2838 and bcm2711
03:22 < clever> i think one is for the base model, and then the other for this specific implementation of the silicon and package
</pre>