NexusSI902xBootloader » History » Version 6
Paul Kocialkowski, 02/08/2015 03:12 PM
| 1 | 1 | Paul Kocialkowski | h1. Nexus S (I902x) Bootloader |
|---|---|---|---|
| 2 | |||
| 3 | 5 | Paul Kocialkowski | The Nexus S (I902x) comes with a bootrom and a set of two proprietary bootloaders. The bootrom: internal ROM (iROM) is stored read-only on the S5PC110 SoC chip. It loads the first bootloader: Samsung Primitive Bootloader (PBL), which loads the second bootloader: Samsung Secondary Bootloader (SBL). These bootloaders are proprietary software. |
| 4 | 1 | Paul Kocialkowski | |
| 5 | 3 | Paul Kocialkowski | More information on the booting sequence is available on the S5PC110 User Manual, section 2 (system), part 6 (booting sequence). |
| 6 | |||
| 7 | h2. Boot device priority |
||
| 8 | |||
| 9 | The S5PC110 bootrom (iROM) allows booting from various devices such as NAND, MMC, eMMC, UART and USB. The boot device priority is selected using the Operating Mode (OM) pins. Boolean values for each pin depend on the voltage applied to the pin: a positive voltage represents a logical 1 while ground represents a logical 0. |
||
| 10 | |||
| 11 | 5 | Paul Kocialkowski | h3. Board resistors |
| 12 | 3 | Paul Kocialkowski | |
| 13 | 4 | Paul Kocialkowski | OM pins are set to boolean values using pull-up (logical 1) and pull-down (logical 0) resistors. The Nexus S (I902x) schematics show all the possible resistors connected to the pins. |
| 14 | 1 | Paul Kocialkowski | |
| 15 | 6 | Paul Kocialkowski | According to the Nexus S (I902x) Service Manual: |
| 16 | 4 | Paul Kocialkowski | !crespo_om_schematics.jpg! |
| 17 | |||
| 18 | Only a few are actually populated on the board: |
||
| 19 | 1 | Paul Kocialkowski | !{width: 50%}crespo_om_board.jpg! |
| 20 | 6 | Paul Kocialkowski | |
| 21 | According to the Nexus S (I902x) Service Manual: |
||
| 22 | 4 | Paul Kocialkowski | !{width: 50%}crespo_om_components.jpg! |
| 23 | |||
| 24 | 3 | Paul Kocialkowski | Resistors highlighted in green are not populated on the board. Hence, the actual layout is the following: |
| 25 | |||
| 26 | | |_. XOM5 |_. XOM4 |_. XOM3 |_. XOM2 |_. XOM1 |_. XOM0 | |
||
| 27 | | Pull-up resistor | N/A | N/A | R429 | N/A | N/A | R435 | |
||
| 28 | | Pull-down resistor | R448 | R447 | N/A | R445 | R444 | N/A | |
||
| 29 | | Boolean value | 0 | 0 | 1 | 0 | 0 | 1 | |
||
| 30 | |||
| 31 | According to the S5PC110 User Manual, section 2 (system), part 6.2.4 (OM pin configuration), table 6-3, this indicates OnenandMux as first boot device. |
||
| 32 | |||
| 33 | 1 | Paul Kocialkowski | h2. Secure boot |
| 34 | |||
| 35 | 5 | Paul Kocialkowski | According to the S5PC110 User Manual, section 2 (system), part 6 (booting sequence), the bootrom (iROM) found on the S5PC110 SoC implements secure boot, which is enabled depending on the value of an e-fuse: |
| 36 | <pre> |
||
| 37 | If you select secure booting, iROM code and first boot loader provide integrity checking function (that is it uses |
||
| 38 | public key algorithm) to verify loaded image. There are 160 e-fuse bits of secure boot key, and they are used to |
||
| 39 | authenticate loaded public key before the iROM’s integrity check. |
||
| 40 | </pre> |
||
| 41 | 1 | Paul Kocialkowski | |
| 42 | 5 | Paul Kocialkowski | This implies that in secure boot mode, the bootrom (iROM) will check the signature of the first bootloader and refuse to boot if the signature doesn't match the secure boot key. More information on this topic is available on the S5PC110 User Manual, section 2 (system), part 6.2.2 (booting sequence example), figure 6-2. |
| 43 | 1 | Paul Kocialkowski | |
| 44 | 5 | Paul Kocialkowski | On the Nexus S (I902x), secure boot mode appears to be enabled: changing a single byte on the first bootloader ended up in the system refusing to boot. In addition, a few messages from the bootloaders output suggest that such signature checks are enforced: @IROM e-fused - Secure Boot Version@. |
| 45 | 1 | Paul Kocialkowski | |
| 46 | 5 | Paul Kocialkowski | The first bootloader (PBL) appears to be implementing and enforcing a similar secure boot mechanism. However, there is no signature check enforced regarding the Linux kernel. |
| 47 | 3 | Paul Kocialkowski | |
| 48 | 5 | Paul Kocialkowski | Since signature checks are enforced by the bootrom and provided that there is apparently no easy way of replacing the public key the signatures are checked against, running a free software bootloader on the Nexus S (I902x) seems impossible. |
| 49 | 1 | Paul Kocialkowski | |
| 50 | h2. Stock bootloaders output |
||
| 51 | |||
| 52 | <pre> |
||
| 53 | ----------------------------------------------------------- |
||
| 54 | Samsung Primitive Bootloader (PBL) v3.0 |
||
| 55 | Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 |
||
| 56 | ----------------------------------------------------------- |
||
| 57 | |||
| 58 | Muxed [[OneNAND]] 512MB (0x50) Sync |
||
| 59 | Scanning Bad Block ....... |
||
| 60 | Bad Block 77 (5) |
||
| 61 | Bad Block 295 (5) |
||
| 62 | Bad Block 1232 (5) |
||
| 63 | Bad Block 1646 (5) |
||
| 64 | Bad Block 1831 (5) |
||
| 65 | Bad Block 2047 (0) |
||
| 66 | SBL loadding success |
||
| 67 | |||
| 68 | Set cpu clk. from 400MHz to 800MHz. |
||
| 69 | OM=0x9, device=OnenandMux(Audi) |
||
| 70 | IROM e-fused - Secure Boot Version. |
||
| 71 | |||
| 72 | ----------------------------------------------------------- |
||
| 73 | Samsung Secondary Bootloader (SBL) v3.0 |
||
| 74 | Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 |
||
| 75 | |||
| 76 | Board Name: HERRING REV 52 |
||
| 77 | Build On: Jan 20 2011 17:19:41 |
||
| 78 | ----------------------------------------------------------- |
||
| 79 | |||
| 80 | MMC SEM16G 15188 MB |
||
| 81 | Re_partition: magic code(0x0) |
||
| 82 | Muxed [[OneNAND]] 512MB (0x50) Sync |
||
| 83 | Scanning Bad Block ....... |
||
| 84 | Bad Block 77 (5) |
||
| 85 | Bad Block 295 (5) |
||
| 86 | Bad Block 1232 (5) |
||
| 87 | Bad Block 1646 (5) |
||
| 88 | Bad Block 1831 (5) |
||
| 89 | Bad Block 2047 (0) |
||
| 90 | Partitions loading success |
||
| 91 | Read image(PARAM) from flash ....... |
||
| 92 | Done |
||
| 93 | init_fuel_gauge: vcell = 4083mV, soc = 94 |
||
| 94 | PMIC_IRQ1 = 0xc0 |
||
| 95 | PMIC_IRQ2 = 0x0 |
||
| 96 | PMIC_IRQ3 = 0x0 |
||
| 97 | PMIC_IRQ4 = 0x0 |
||
| 98 | PMIC_STATUS1 = 0x0 |
||
| 99 | PMIC_STATUS2 = 0x0 |
||
| 100 | PMIC_STATUS3 = 0x0 |
||
| 101 | PMIC_STATUS4 = 0x0 |
||
| 102 | PMIC_STATUS5 = 0x0 |
||
| 103 | PMIC_SMPL = 0x0 |
||
| 104 | Key scan = 0x0 |
||
| 105 | message.command = |
||
| 106 | message.status = |
||
| 107 | message.recovery = |
||
| 108 | |||
| 109 | BOOT_MODE_NORMAL (SW_RST(0x00000004), INFORM(0x000000ee)) |
||
| 110 | LCD ID = 0x0060a953 |
||
| 111 | Done |
||
| 112 | Kernel(boot.img) read success from partition no.5 |
||
| 113 | Setting param.serialnr = 0x3733bab6 0x6de200ec |
||
| 114 | Setting param.board_rev = 0x34 |
||
| 115 | Setting param.cmdline = console=ttyFIQ0 no_console_suspend androidboot.serialno=3733BAB66DE200EC androidboot.bootloader=I9020XXKA3 androidboot.baseband=I9020XXKB3 androidboot.info=0x4,0xee,1 androidboot.carrier=EUR gain_code=3 s3cfb.bootloaderfb=0x34a00000 mach-herring.lcd_type=0x00000000 oem_state=unlocked |
||
| 116 | Setting param.initrd_start = 0x31000000, param.initrd_size = 0x23265 |
||
| 117 | |||
| 118 | Starting kernel at 0x30008000... |
||
| 119 | |||
| 120 | Uncompressing Linux... done, booting the kernel. |
||
| 121 | 4 | Paul Kocialkowski | </pre> |
| 122 | |||
| 123 | h2. References |
||
| 124 | |||
| 125 | * S5PC110 User Manual: http://dl.project-voodoo.org/documentation/S5PC110_EVT1_UM10.pdf |
||
| 126 | * Nexus S (I902x) Schematics: http://mobilcoms.ru/load/1-1-0-4499 |
||
| 127 | |||
| 128 | 1 | Paul Kocialkowski | *These documents are the propriety of Samsung Electronics and are not hosted by the Replicant project. However, some excerpts from these documents are provided, for the purpose of providing technical evidence of the facts that are mentioned in this page. We believe that this particular use of the copyrighted work is fair use.* |