Exynos4 Bootrom¶

Background information¶

The Replicant project wants to support devices with free software bootloaders, but most/all the smartphones and tablets supported by Replicant do check the signature of the first stage bootloader.

A presentation on the situation of some of the devices supported by Replicant was made at the Replicant contributors meeting in July 2019. The presentation slides and video are available.

Exynos 4 signature check¶

The Exynos4 bootrom has a strange way to check the signatures:

The first stage bootloader is encrypted
The signature check is not very clear¹
The header that holds the key has a "func_ptr_BaseAddr" field¹.

Tests to attempt¶

Test with qemu² if func_ptr_BaseAddr is somehow used by the bootrom, when verifying the BL1.
Try to understand better the scheme used to check the signature.
Try to see if the fuses can still be written (zeroed) and see whether it's computationally feasible to compute the private key for a zeroed fuses hash.
Try to understand why encryption is used.

Test setup¶

Either qemu² or a development board with JTAG can be used to do the test.

Testing with qemu² is probably way more easy.

¹ https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html
fn2. https://github.com/frederic/qemu-exynos-bootrom