    Denis 'GNUtoo'  Carikli, 08/19/2019 10:35 PM 
Exynos4 Bootrom

Background information
The Replicant project wants to support devices with free software bootloaders, but most, if not all, of the smartphones and tablets supported by Replicant check the signature of the first stage bootloader.
A presentation on the situation of some of the devices supported by Replicant was given at the Replicant contributors meeting in July 2019. The presentation slides and video are available.
Exynos 4 signature check

The Exynos4 bootrom checks signatures in an unusual way:
- The first stage bootloader (BL1) is encrypted.
- The signature check scheme is not well understood [1].
- The header that holds the key has a "func_ptr_BaseAddr" field [1].
Tests to attempt

- Test with qemu [2] whether func_ptr_BaseAddr is used in any way by the bootrom when it verifies BL1.
- Try to understand the scheme used to check the signature better.
- Try to see whether the fuses can still be written (zeroed), and whether it would be computationally feasible to compute the private key matching a zeroed-fuses hash.
- Try to understand why encryption is used.
Test setup

Either qemu [2] or a development board with JTAG can be used for the tests.
Testing with qemu [2] is probably much easier.
fn1. https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
fn2. https://github.com/frederic/qemu-exynos-bootrom