I now have proof that the Nook Tablet is efuse locked and bootloaders signed. We can only boot signed bootloaders, kernels, and ramdisks from microSD.
Don't buy this if you expect any real development to happen on it. The only possible way is through kexec, and that's a lot of trouble to go through considering all the other tablet options.
For what it's worth, the u-boot in the recently posted update image from the Kindle Fire does not appear to have the signed header that the one on the NT has.
Things I learned in the process:
-USB boot is enabled, as is SD boot
-I can boot from a microSD if I format it the same as for Nook Color (modified CHS, fat on p1) and copy the MLO, u-boot, and boot.img renamed to flashing_boot.img
-There is a serial port inside that will let you at the u-boot console and a shell after the OS boots
-x-loader is signed. A known-good x-loader on microsd will not even execute, and the next item in the boot list checked (emmc)
-u-boot is signed. I know this because a known-good u-boot from Pandaboard that should be close enough to boot causes x-loader to take the code path where the secure ROM call with a pointer to the image returns nonzero
-kernel and ramdisk are signed individually in the boot.img. I can modify a byte in the boot.img on the microsd that's in the middle of the kernel or the ramdisk section and u-boot will fail the same exact call that x-loader uses to validate u-boot, but this time emitting a message complaining that the image is corrupt
-Comparing the first part of u-boot grabbed from the NC, NT, and the KF, shows that the signature that's at address 0 of the KF and NC versions is seen about 300 bytes into the NT version, with some unknown junk above. I assume that's the signature, and that the call to the secure ROM returns the image pointer (which is passed by reference, a good clue) plus the size of the header.
Don't buy this if you expect any real development to happen on it. The only possible way is through kexec, and that's a lot of trouble to go through considering all the other tablet options.
For what it's worth, the u-boot in the recently posted update image from the Kindle Fire does not appear to have the signed header that the one on the NT has.
Things I learned in the process:
-USB boot is enabled, as is SD boot
-I can boot from a microSD if I format it the same as for Nook Color (modified CHS, fat on p1) and copy the MLO, u-boot, and boot.img renamed to flashing_boot.img
-There is a serial port inside that will let you at the u-boot console and a shell after the OS boots
-x-loader is signed. A known-good x-loader on microsd will not even execute, and the next item in the boot list checked (emmc)
-u-boot is signed. I know this because a known-good u-boot from Pandaboard that should be close enough to boot causes x-loader to take the code path where the secure ROM call with a pointer to the image returns nonzero
-kernel and ramdisk are signed individually in the boot.img. I can modify a byte in the boot.img on the microsd that's in the middle of the kernel or the ramdisk section and u-boot will fail the same exact call that x-loader uses to validate u-boot, but this time emitting a message complaining that the image is corrupt
-Comparing the first part of u-boot grabbed from the NC, NT, and the KF, shows that the signature that's at address 0 of the KF and NC versions is seen about 300 bytes into the NT version, with some unknown junk above. I assume that's the signature, and that the call to the secure ROM returns the image pointer (which is passed by reference, a good clue) plus the size of the header.
Last edited:
