OMAPBootrom¶

Generic documentation¶

TODO: Read the various TRM and push the info to wikidata:

• check the various SOCs the sram size limit in the TRM.
• check the load address / memory mapping of MLO in case of USB boot or boot from eMMC in the TRM.
• Check mmc1 booting constraint (card size, look if < 4GiB works) in the TRM

Also:

• Read the TRM sections about SYS_BOOT and booting and document that, ideally write a tool for it, or upstream the code in some other tool.

Documentation¶

The droiddevelopers website has some information on trying to use bugs run free software on several Motorola devices.

Device	SOC
Motorola Milestone	OMAP 3430
Motorola Milestone 2	OMAP 3630
Motorola Defy	OMAP3630?
Motorola Defy+ (MB526)	OMAP3 (which one?)

That website has many information:

• It has documentation on the structure of signed MLOs

TODO:

• Read droiddevelopers more to understand restricted boot better.
• Also the OMAP wiki might have some information on OMAP restricted boot.
• Also look if there is substancial information in the Technical Reference Manual (TRM) about fuses but that's unlikely.

Code¶

• As march 2020, there are no fuses driver or code for any OMAP in either u-boot, Barebox, Linux, or crucible.
• U-boot documentation mention TI tools that have to be obtained after signing an NDA
• TODO: check if chipsec has infos on OMAP fuses

Possible attacks¶

• Even if it's unlikely, once we understand the OMAP restricted boot better, we could check if some devices are signed but not in enforcing mode.

Links¶

• http://www.droid-developers.org : This attempts to run user code on several Motorolla smartphones. It includes analysis of the boot chain:
  • Application_Processor_Boot_ROM
  • Booting_chain