
[DISCUSSION] on the boot loader [CRACKED!]

 
Indirect
(Last edited by Indirect; 10th January 2012 at 01:35 PM.)
#1  

Alright, now that Adamoutler finally posted (I was waiting on that) I can now explain what we're going to try to do. You all know the unbrickable mod for a few samsung devices? The guy who did that wants to help us out but he needs a nook tablet. Anyway, what it does is completely disable hardware security and allows the flashing of a new bootloader. That's about as simple as I can make it. I would love to see this happen so hopefully, we can make it.

Question is, who's giving up a tablet?

Note: This is not a thread to come in and complain saying that you're going to take it back. That's not our problem nor is it our concern. We need a place where we can have organized information about the bootloader and you telling us "I HATE IT, I need to return it!" doesn't help that.



 
liquidzoo
#2  
If someone (me) wanted to get involved in this, how would I go about doing so? I know enough about Linux, but nothing about Android programming. Is there somewhere I can start learning? I'd like to contribute to this if I am able.
 
hobbit19
(Last edited by hobbit19; 6th December 2011 at 05:53 PM.)
#3  
http://forum.xda-developers.com/show....php?t=1366215
+
http://forum.xda-developers.com/show....php?t=1378919
I think that through the service mode you can replace the keys which the employee uses to sign the firmware, and test it.
 
boomn
(Last edited by boomn; 6th December 2011 at 09:19 PM.)
#4  
Quote:
Originally Posted by hobbit19
http://forum.xda-developers.com/show....php?t=1366215
+
http://forum.xda-developers.com/show....php?t=1378919
I think that through the service mode you can replace the keys which the employee uses to sign the firmware, and test it.
According to information from TI about the M-Shield security features of this chip, the "secure on-chip keys (E-Fuse) are OEM-specific, one-time-programmable keys accessible only from inside the secure environment for authentication and encryption". Protecting against that kind of key replacement is a big part of how this chip was designed. Finding out the private key is likely to be the only way to create valid signed images of our own.

Here is the source for that quote.
 
nookabee
#5  
Quote:
Originally Posted by Indirect
Botnets are typically used for illegal reasons / methods. I'm not talking about seti@home, I'm talking about stormworm, etc.

I know what you mean, but what _I_ mean is that botnets CAN be used for other things than illegal hacking and malicious intent. They can replace a supercomputer, as Seti@home proves. I think I have seen similar initiatives for cancer research and DNA research, though I don't know the names of those projects.
 
AndrewTL
#6  
Notes

Hopefully this doesn't lead to any red herrings. I haven't been looking at this stuff very long.

"arm.com" has some info on the processor.
TI licensed the processor design from ARM. It's an ASIC, not really a cpu chip.
You have to agree to a non-disclosure to see the docs on arm.com.
After reading about it, not sure that the dual cpu is actually getting used like folks think. There may be two systems actually running.
The arm docs hint that it may be the hash key that actually gets stored on the asic not a private key and that there may be more than one. TI may have designed in their own protocol which is the M-Shield trademark.
TI doesn't exactly give out much info on it. The ARM site is a lot more informative. It doesn't cost anything to access it other than giving away your email address and agreeing to the nondisclosure.
In particular look for these documents:
DDI0406C_arm_architecture_reference_manual.pdf
DEN0013B_cortex_a_series_PG.pdf (chapter 26)
PRD29-GENC-009492C_trustzone_security_whitepaper.pdf

You can also review the source code for the tablet.
See the following excerpts:

distro\x-loader\lib\board.c
    image.image = 2;
    image.val = 99;
    SEC_ENTRY_Std_Ppa_Call ( PPA_SERV_HAL_BN_CHK , 1 , &image );
    if ( image.val == 0 )
    {
        /* go run U-Boot and never return */
        printf("Starting OS Bootloader from %s ...\n", boot_dev_name);
        ((init_fnc_t *)CFG_LOADADDR)();
    }

distro\u-boot\common\cmd_bootm.c
function do_bootm
...

U32 SEC_ENTRY_Std_Ppa_Call (U32 appl_id, U32 inNbArg, ...);
\x-loader\board\omap4430sdp\omap4430sdp.c
...

There are several calls to the SEC_ENTRY_Std_Ppa_Call function.
One (or two) for each image block being loaded.
I think these are the calls to the security layer..
SEC_ENTRY_Std_Ppa_Call ( PPA_SERV_HAL_BN_CHK ,...

They took the crc32 validation out in various places in the code. I suspect that if it is a signed key, then if the image doesn't process out to the end key, the crc32 would have failed anyway.
Has anyone actually checked what the "key" is? Could it be a crc or checksum?

The "_BN_" I assume is for barnes and noble.

Looking at "omap4_hs.h", it looks like that function can do a callback into the secure area and execute up to 32 different functions, though I'm guessing from the list in the file that BN only added two - INIT and CHK.
There is also a reference in that file to "Development CEK". Could this be the private key? Not the hash, just one part of the key? I'm by no means up on crypto algorithms.


/*
Defines from MShield-DK 1.2.0 api_ppa_ref.h
Make sure these align with the existing services in PPA.
*/
// Number of APIs
#define NB_MAX_API_HAL 32

// command / api keys
PPA_SERV_HAL_CPAUTOLOAD
PPA_SERV_HAL_CPINIT
PPA_SERV_HAL_CPSWRV
PPA_SERV_HAL_CPMSV
PPA_SERV_HAL_CPREPORT
PPA_SERV_HAL_CPCEK
PPA_SERV_HAL_TEST_API
PPA_SERV_HAL_BN_INIT
PPA_SERV_HAL_BN_CHK

/* Development CEK */
#define CEK_3 0x01234567 //127_96
#define CEK_2 0x89ABCDEF // 95_64
#define CEK_1 0x11121314 // 63_32
#define CEK_0 0x15161718 // 31_0

Another question I have, what level of GPL does android use?
The simple fact that they linked in the M-Shield function calls may be enough to force the release of that source as well. The latest GPL has a pretty nasty copy left. It may be in that archive already too. I haven't gotten through much of it yet.

And is it true that this tablet has a different wifi chip and thus doesn't have the fm and bluetooth available to it?

The brute force idea might work except that you'd have to do it on a nook tablet. You have to validate a data block using that function call.
Figuring out how to automate it through that security layer might be a bit troublesome. If you could call that function directly, maybe, but I suspect that it is only accessible from one side of the architecture. But that might also be why the tablet has so much memory dedicated to B&N and not split evenly. Maybe the bigger chunk of the memory is all in the secure side?

I have to say the OMAP4 is a pretty neat layout. Has a huge potential for corporate ethical abuse but technically it really is cool. They are going through a lot of hoops to keep this tablet locked down. I found one whitepaper on the netflix issue. Netflix apparently has a whole massive requirements list and this was the first tablet to meet it. I'm not sure netflix isn't overvaluing their product. There are other ways they could have done this versus locking the whole tablet down. They could have put the netflix app as a service in the secure side and just signed that part of the application. They could have still allowed the secondary bootloader in the unsecure area to be whatever the user wanted. I don't think they thought through the ethical notions of it all. But maybe they did and they just want to control something like apple is doing. Apple was defeated once by a lower cost, open architecture. History will repeat itself. It's a shame B&N's didn't go that route instead. If it wasn't for this one issue, they would have had a much better platform to work from than the fire.
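Added illustration, not code from this thread and not B&N's or TI's code: a Python model of the signed-image check that boomn's e-fuse quote and AndrewTL's "could the key be a crc?" question are about. The e-fuse stand-in stores a hash of the OEM public key rather than the key, a tiny textbook RSA key stands in for the real signing key, and `secure_boot_check` follows the 0-means-boot convention of the `image.val == 0` test in the x-loader excerpt; every name, prime and payload here is constructed.

```python
import hashlib
import zlib

# Textbook RSA with tiny demo primes: a constructed key, far too small for real use.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent: the OEM-only secret


def key_hash(n: int, e: int) -> bytes:
    return hashlib.sha256(f"{n}:{e}".encode()).digest()


# Stand-in for the one-time-programmable e-fuse: it holds a hash of the OEM
# public key, not the key, so a header carrying any other key is rejected
# before a signature is even examined.
EFUSE_KEY_HASH = key_hash(N, E)


def image_digest(payload: bytes) -> int:
    # Reduced mod N only because the demo modulus is tiny; real schemes pad instead.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % N


def sign_image(payload: bytes, d: int = D) -> dict:
    """OEM side: header with public key, CRC (integrity only) and RSA signature."""
    return {"payload": payload, "n": N, "e": E,
            "crc": zlib.crc32(payload), "sig": pow(image_digest(payload), d, N)}


def tamper_with_fresh_crc(image: dict, suffix: bytes) -> dict:
    """Change the payload and recompute its CRC; no key is needed for this."""
    payload = image["payload"] + suffix
    return dict(image, payload=payload, crc=zlib.crc32(payload))


def crc_check(image: dict) -> bool:
    # A CRC is not a secret: it catches corruption, not substitution.
    return zlib.crc32(image["payload"]) == image["crc"]


def secure_boot_check(image: dict) -> int:
    """Model of a BN_CHK-style service: 0 means boot, nonzero means refuse."""
    if key_hash(image["n"], image["e"]) != EFUSE_KEY_HASH:
        return 1    # public key is not the one fused at the factory
    if pow(image["sig"], image["e"], image["n"]) != image_digest(image["payload"]):
        return 2    # signature does not cover this payload
    return 0


if __name__ == "__main__":
    good = sign_image(b"constructed x-loader payload")
    bad = tamper_with_fresh_crc(good, b"!")
    print(crc_check(good), secure_boot_check(good))   # True 0
    print(crc_check(bad), secure_boot_check(bad))     # True 2
```

The tampered image passes the CRC and fails the signature, which is why a checksum in the header would tell you nothing about whether the check is cryptographic.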
bx19
#7  
Asking others for the info / ideas on bootloader isn't related to development. Hence moved to general
cheers,
 
AdamOutler
#8  
I've been sitting back watching this thread for a while now. It's time to stop this foolishness. First off, the first post was started with absolutely no information.. basically 'you know what would be cool?'.. then the rest of the discussion has been a bunch of randomness. Why has not a single person mentioned the datasheets for the processor or memory? Why has Boone posted a memory dump of IROM? This thread contains nothing useful.

UnBrickable mod is the way to go. Put a device in my hands and I'll enable it to boot from USB or sdcard. The device uses a hardware-initiated boot chain. This chain can be broken at the hardware level.

This is an omap4430 device right?

Give me a device. Rebellos and I will locate the boot mode 5 pin which unlocks the boot from one NAND. We will then require an interceptor bootloader which is where Rebellos specializes. Once we hardware unlock the device and the interceptor bootloader is in place, the device will accept an insecure bootloader flash.
 
Indirect
(Last edited by Indirect; 8th December 2011 at 03:20 AM.)
#9  
Adam, I can try and get you a nook tablet.

Also, I was waiting for you to post that. I wanted to leave this up to the community to see what could be thought of. Surprised hardware modification never came up. :|



 
Loglud
#10  
Quote:
Originally Posted by AdamOutler
I've been sitting back watching this thread for a while now. It's time to stop this foolishness. First off, the first post was started with absolutely no information.. basically 'you know what would be cool?'.. then the rest of the discussion has been a bunch of randomness. Why has not a single person mentioned the datasheets for the processor or memory? Why has Boone posted a memory dump of IROM? This thread contains nothing useful.

UnBrickable mod is the way to go. Put a device in my hands and I'll enable it to boot from USB or sdcard. The device uses a hardware-initiated boot chain. This chain can be broken at the hardware level.

This is an omap4430 device right?

Give me a device. Rebellos and I will locate the boot mode 5 pin which unlocks the boot from one NAND. We will then require an interceptor bootloader which is where Rebellos specializes. Once we hardware unlock the device and the interceptor bootloader is in place, the device will accept an insecure bootloader flash.
I figured you'd be here when the final specs on the Nexus Prime were released, and they used the OMAP4460 which is ironically very similar to the OMAP4430.
Thanks for your help and let us know if there's anything we can help you with.

THREAD CLOSED