NexusSI902xBootloader » History » Version 3
Paul Kocialkowski, 02/08/2015 02:17 PM
| 1 | 1 | Paul Kocialkowski | h1. Nexus S (I902x) Bootloader |
|---|---|---|---|
| 2 | |||
| 3 | 3 | Paul Kocialkowski | The Nexus S (I902x) comes with a bootrom and a set of two proprietary bootloaders. The bootrom: internal ROM (iROM) is stored read-only on the S5PC110 SoC chip. It loads the first bootloader: Samsung Primitive Bootloader (PBL), which loads the Samsung Secondary Bootloader (SBL). These bootloaders are proprietary software. |
| 4 | 1 | Paul Kocialkowski | |
| 5 | 3 | Paul Kocialkowski | More information on the booting sequence is available on the S5PC110 User Manual, section 2 (system), part 6 (booting sequence). |
| 6 | |||
| 7 | h2. Boot device priority |
||
| 8 | |||
| 9 | The S5PC110 bootrom (iROM) allows booting from various devices such as NAND, MMC, eMMC, UART and USB. The boot device priority is selected using the Operating Mode (OM) pins. Boolean values for each pin depend on the voltage applied to the pin: a positive voltage represents a logical 1 while ground represents a logical 0. |
||
| 10 | |||
| 11 | h3. On-board resistors |
||
| 12 | |||
| 13 | OM pins are set to boolean values using pull-up (logical 1) and pull-down (logical 0) resistors. The Nexus S (I902x) schematics show all the possible resistors connected to the pins. Only a few are actually populated on the board: |
||
| 14 | |||
| 15 | Resistors highlighted in green are not populated on the board. Hence, the actual layout is the following: |
||
| 16 | |||
| 17 | | |_. XOM5 |_. XOM4 |_. XOM3 |_. XOM2 |_. XOM1 |_. XOM0 | |
||
| 18 | | Pull-up resistor | N/A | N/A | R429 | N/A | N/A | R435 | |
||
| 19 | | Pull-down resistor | R448 | R447 | N/A | R445 | R444 | N/A | |
||
| 20 | | Boolean value | 0 | 0 | 1 | 0 | 0 | 1 | |
||
| 21 | |||
| 22 | According to the S5PC110 User Manual, section 2 (system), part 6.2.4 (OM pin configuration), table 6-3, this indicates OnenandMux as first boot device. |
||
| 23 | |||
| 24 | 1 | Paul Kocialkowski | h2. Secure boot |
| 25 | |||
| 26 | 3 | Paul Kocialkowski | According to the S5PC110 User Manual |
| 27 | |||
| 28 | 1 | Paul Kocialkowski | The bootrom and the bootloaders appear to be implementing secure boot mechanisms that enforce signature checks on each bootloader. |
| 29 | However, there is no signature check enforced regarding the Linux kernel. |
||
| 30 | |||
| 31 | Changing a single byte on the first bootloader ended up in the system refusing to boot. In addition, a few messages from the bootloaders output suggest that such signature checks are enforced: @IROM e-fused - Secure Boot Version@. |
||
| 32 | |||
| 33 | Since signature checks are enforced by the bootrom and provided that there is apparently no easy way of replacing the public key the signatures are checked against, running a free software bootloader on the Nexus S (I902x) seems impossible. |
||
| 34 | 3 | Paul Kocialkowski | |
| 35 | // mention that it will jump to the next one |
||
| 36 | 1 | Paul Kocialkowski | |
| 37 | h2. Stock bootloaders output |
||
| 38 | |||
| 39 | <pre> |
||
| 40 | ----------------------------------------------------------- |
||
| 41 | Samsung Primitive Bootloader (PBL) v3.0 |
||
| 42 | Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 |
||
| 43 | ----------------------------------------------------------- |
||
| 44 | |||
| 45 | Muxed [[OneNAND]] 512MB (0x50) Sync |
||
| 46 | Scanning Bad Block ....... |
||
| 47 | Bad Block 77 (5) |
||
| 48 | Bad Block 295 (5) |
||
| 49 | Bad Block 1232 (5) |
||
| 50 | Bad Block 1646 (5) |
||
| 51 | Bad Block 1831 (5) |
||
| 52 | Bad Block 2047 (0) |
||
| 53 | SBL loadding success |
||
| 54 | |||
| 55 | Set cpu clk. from 400MHz to 800MHz. |
||
| 56 | OM=0x9, device=OnenandMux(Audi) |
||
| 57 | IROM e-fused - Secure Boot Version. |
||
| 58 | |||
| 59 | ----------------------------------------------------------- |
||
| 60 | Samsung Secondary Bootloader (SBL) v3.0 |
||
| 61 | Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 |
||
| 62 | |||
| 63 | Board Name: HERRING REV 52 |
||
| 64 | Build On: Jan 20 2011 17:19:41 |
||
| 65 | ----------------------------------------------------------- |
||
| 66 | |||
| 67 | MMC SEM16G 15188 MB |
||
| 68 | Re_partition: magic code(0x0) |
||
| 69 | Muxed [[OneNAND]] 512MB (0x50) Sync |
||
| 70 | Scanning Bad Block ....... |
||
| 71 | Bad Block 77 (5) |
||
| 72 | Bad Block 295 (5) |
||
| 73 | Bad Block 1232 (5) |
||
| 74 | Bad Block 1646 (5) |
||
| 75 | Bad Block 1831 (5) |
||
| 76 | Bad Block 2047 (0) |
||
| 77 | Partitions loading success |
||
| 78 | Read image(PARAM) from flash ....... |
||
| 79 | Done |
||
| 80 | init_fuel_gauge: vcell = 4083mV, soc = 94 |
||
| 81 | PMIC_IRQ1 = 0xc0 |
||
| 82 | PMIC_IRQ2 = 0x0 |
||
| 83 | PMIC_IRQ3 = 0x0 |
||
| 84 | PMIC_IRQ4 = 0x0 |
||
| 85 | PMIC_STATUS1 = 0x0 |
||
| 86 | PMIC_STATUS2 = 0x0 |
||
| 87 | PMIC_STATUS3 = 0x0 |
||
| 88 | PMIC_STATUS4 = 0x0 |
||
| 89 | PMIC_STATUS5 = 0x0 |
||
| 90 | PMIC_SMPL = 0x0 |
||
| 91 | Key scan = 0x0 |
||
| 92 | message.command = |
||
| 93 | message.status = |
||
| 94 | message.recovery = |
||
| 95 | |||
| 96 | BOOT_MODE_NORMAL (SW_RST(0x00000004), INFORM(0x000000ee)) |
||
| 97 | LCD ID = 0x0060a953 |
||
| 98 | Done |
||
| 99 | Kernel(boot.img) read success from partition no.5 |
||
| 100 | Setting param.serialnr = 0x3733bab6 0x6de200ec |
||
| 101 | Setting param.board_rev = 0x34 |
||
| 102 | Setting param.cmdline = console=ttyFIQ0 no_console_suspend androidboot.serialno=3733BAB66DE200EC androidboot.bootloader=I9020XXKA3 androidboot.baseband=I9020XXKB3 androidboot.info=0x4,0xee,1 androidboot.carrier=EUR gain_code=3 s3cfb.bootloaderfb=0x34a00000 mach-herring.lcd_type=0x00000000 oem_state=unlocked |
||
| 103 | Setting param.initrd_start = 0x31000000, param.initrd_size = 0x23265 |
||
| 104 | |||
| 105 | Starting kernel at 0x30008000... |
||
| 106 | |||
| 107 | Uncompressing Linux... done, booting the kernel. |
||
| 108 | </pre> |