[Developer Reference] Partitions, Functions, Security, Hardware, Kernels and Methods
Introduction
In order to condense the information, I put together a condensed "lessons learned" guide from [DISCUSSION] on the boot loader and The Nook Tablet Hack Pack. This thread will cover normal operation, booting from SDCard, and bootloader exploits which alter the boot sequence. If you want to come up to speed on the Nook Tablet's security, read on; otherwise, it is a lot of information to take in.
Part I - Data, Partition Structure & Functional blocks
In this section I will outline the Partition Structure and Functional blocks of the Nook Tablet.
Hardware Configuration
Hardware-based input registers - Several registers inside the OMAP4430 processor are tied to physical resistors which serve as configuration bits. Pulling a resistor high or low changes the value the register presents to the device. For example, the SYSTEM_STATUS register contains 6 BOOT_MODE bits which are tied to resistors, and any change to these resistors will affect the boot mode, i.e. boot from USB, MMC, MMC2 and so on.
E-Fuse and Secure ROM - The OMAP4430 begins its hardware-initiated chain of trust with pre-burnt registers/secure ROM, AKA E-Fuses. These E-Fuses serve as a static reference for items which we cannot change and which would have severe consequences if they were changed. They serve to identify the processor and firmware configurations in later stages of the boot sequence. By containing the Secure ROM within the processor, the secure boot sequence is effectively "hardware initiated".
Secure Boot
The following block cannot be touched by any known means outside of factory programming.
IROM - Inside the OMAP4430, there is a ROM which we will refer to as IROM. This IROM cannot be modified. The IROM's function is to initialize the System-on-a-Chip. This bootloader (in a nutshell) tells the OMAP4430 that it's an OMAP4430 and initializes internal memory. The primary function of the IROM is to load the X-Loader. The IROM will check the consistency and signature of X-Loader and then execute it.
Secure Blocks
The following blocks should be considered secure, as modifying a single bit will cause a failure during consistency checking. Each of these secure blocks is signed, and modification can lead to an inoperative device.
The following are references to the partitions on the internal MMC:
X-Loader - Provides further initialization of the OMAP4430, including the much larger DRAM. By initializing the DRAM, the system is able to access a larger block of memory and load larger programs.
X-Loader is referred to by the alias xloader and can be found as a block in the following locations:
X-Loader will check the consistency and signature of U-Boot and then execute it.
Das U-Boot - U-Boot is called such because it is a Universal Bootloader. It is designed to handle a wide array of chips and perform various system-specific initialization tasks, including initializing peripherals such as filesystems. U-Boot is where you will find the display and many other peripherals initialized. By default, U-Boot serves as a recovery as well as a bootloader. It has several options accessible through UART. It can be considered an entire operating system on its own.
U-Boot is referred to by the alias bootloader and can be found as a block in the following locations:
U-Boot will load the recovery, then check the consistency of the recovery partition, then load and check the consistency of the kernel.
Recovery - This partition functions similarly to the boot partition; however, it is specifically designed to load the factory partition and execute a system wipe or factory recovery, depending upon the boot arguments provided by U-Boot.
Recovery can be found in the following partitions:
boot - boot is the first block which is not loaded as a program. The boot partition consists of a compressed ramdisk and a kernel. The kernel and ramdisk function together to bring up the Linux environment: the kernel handles the "drivers" while the ramdisk handles files. This is an extremely complex block and would require a rather large volume of literature to explain. The kernel completes the boot sequence by initializing the second processor and loading the required drivers into memory. From this point, the device boots in a non-linear manner where all partitions are used simultaneously.
The Kernel and Ramdisk are aliased as boot and can be found in the following locations:
The kernel loads userdata, media, cache, system, bootdata and rom, and finishes initialization by loading the Android UI.
The ramdisk is mounted at /.
Unsecure Blocks
ROM - The ROM partition contains serial numbers, MAC addresses, as well as other general configuration information and logs.
The ROM is aliased as rom and can be found in the following locations:
bootdata - The bootdata partition contains the boot count and some configuration data which is unknown at this point. bootdata can be found in the following locations:
factory - The factory partition contains restoration scripts used by the recovery partition. The factory partition is not mounted automatically unless the device is in factory restore modes. The factory partition can be found in the following locations:
system - The system partition contains the Android layer which rides on top of the kernel. The system partition can be found in the following locations:
cache - The cache partition is used by Android to provide quick access to optimized loading data. It effectively makes apps work faster by trading file size for processor use. It would appear that this partition is unused on the Nook Tablet; rather, cache is stored in /data/cache. Cache can be found in the following locations:
media - This partition is a general-purpose user storage area. It is known as the SDCard on most Android devices. Media can be found in the following locations:
userdata - This partition is used for application storage. Each new application is stored in /data/app and each application can create its own folder on this partition for use during operation. This partition is aliased as "data" and can be found in the following locations:
I ignore PMs with questions that could be answered by searching. If you PM me, I probly won't respond.
Check out my developer pages. Add me to your circles on Google Plus.
Part II - Booting from SDCard
When booting from SDCard the basic structures are changed. In order to create a bootable SDCard, the basic outline is as follows.
Create an SDCard with 2 partitions:
The first partition should be FAT32 and marked with the BOOT and LBA flags;
the second partition should be EXT2, EXT3 or EXT4.
The first partition contains binary images of the X-Loader, U-Boot and Boot.bin:
The X-Loader is named MLO
The U-Boot is named uboot.bin
The Boot.bin is named flashing_boot.bin
U-Boot will automatically mount the ramdisk on the root of the second partition.
The Nook Tablet was not designed to operate past flashing_boot.bin, as the Boot.bin is responsible for mounting all other partitions. Without a bootloader unlocking exploit to load a custom kernel and ramdisk, the device will boot normally from this point.
In order to change the structure, the initialization scripts must be modified and a bootloader unlock must be performed. An example of this can be found in the first bootable SDCard: http://forum.xda-developers.com/show....php?t=1441930
It was my intention to perform a writeup on how to compile a custom kernel; however, LogLud has done an excellent writeup since I made this post. See here: http://www.nooktabletdev.org/index.p...g_a_Boot_Image
Compiling an alternate bootloader
In order to pass custom parameters into the kernel you will need a new bootloader. I'm assuming you are using Ubuntu.
Code:
apt-get install git
git clone git://github.com/bauwks/Nook-Tablet.git
cd ./Nook-Tablet/distro/u-boot
git checkout second-uboot
PATH=/home/adam/CodeSourcery/Sourcery_G++_Lite/bin:$PATH # Change this to the path of your toolchain.
At this point, you can make your changes to the configuration and boot parameters. Once your changes are complete, you can build it with the following.
Your new u-boot.bin will be called "flashing_boot.img" and it will be located on your desktop in a folder called "CustomBootImage".
Part IV - Hardware Specifications
This section covers hardware specs. I obtained some of the information about the hardware using Voodoo Report. This is useful for porting other flavors of Linux and for configuring the hardware.
Build.prop
Code:
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=GINGERBREAD
ro.build.display.id=1.4.0.1029.acclaim1_4.acclaim.rrdf.s1
ro.build.version.incremental=1.4.0
ro.build.version.sdk=10
ro.build.version.codename=REL
ro.build.version.release=2.3.4
ro.build.date=Fri Nov 11 12:38:11 PST 2011
ro.build.date.utc=1321043891
ro.build.type=user
ro.build.user=build
ro.build.host=dhabuildimage17
ro.build.tags=test-keys
ro.product.model=BNTV250
ro.product.brand=nook
ro.product.name=blaze
ro.product.overall.name=NOOKTablet
ro.product.device=blaze
ro.product.bn.devicefamily=acclaim
ro.product.board=omap4sdp
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.manufacturer=Barnes&Noble
ro.product.locale.language=en
ro.product.locale.region=US
ro.wifi.channels=
ro.board.platform=omap4
# ro.build.product is obsolete; use ro.product.device
ro.build.product=blaze
ro.build.sourceversion=full
ro.build.description=1.4.0.1029.acclaim1_4.acclaim.rldp.s51317
ro.build.updatetype=Full
ro.build.fingerprint=acclaim/blaze/blaze:2.3.4/GINGERBREAD/1.4.0:user/test-keys
persist.bn.kpi.enabled=0
# end build properties
# system.prop for ldp
# This overrides settings in the products/generic/system.prop file
#
# rild.libpath=/system/lib/libreference-ril.so
# rild.libargs=-d /dev/ttyS0
com.ti.omap_enhancement=true
opencore.asmd=1
keyguard.no_require_sim=1
wifi.interface=tiwlan0
dalvik.vm.heapsize=128m
#dalvik.vm.heapsize=64m
ro.sf.widthpixels=600
ro.sf.heightpixels=1024
ro.sf.lcd_density.xdpi=169.33333
ro.sf.lcd_density.ydpi=169.33333
ro.sf.hwrotation=270
ro.opengles.version=131072
# Define modem related settings
ro.radio.use-ppp no
ro.config.nocheckin yes
#define defaults for audio D/A mic and power mode
omap.audio.mic.main=AMic0
omap.audio.mic.sub=AMic1
omap.audio.power=PingPong
af.resampler.quality=3
ro.nf.profile=2
ro.nf.level=512
#
# ADDITIONAL_BUILD_PROPERTIES
#
keyguard.no_require_sim=true
ro.com.android.dateformat=MM-dd-yyyy
ro.com.android.dataroaming=true
ro.ril.hsxpa=1
ro.ril.gprsclass=10
ro.config.notification_sound=OnTheHunt.ogg
ro.config.alarm_alert=Alarm_Classic.ogg
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
Accelerometer:
vendor: kxtf9
name: kxtf9_accel
Light:
vendor: ROHM
name: BH1780gli Light sensor
Proximity:
vendor: OSRAM Opto Semiconductors
name: SFH7741 Proximity sensor
Pressure:
vendor: Bosch
name: BMP085 Pressure sensor
Temperature:
vendor: Bosch
name: BMP085 Temperature sensor
Magnetic field:
vendor: HoneyWell
name: HMC5843 3-Axis Magnetometer
Gravity:
vendor: Google Inc.
name: Gravity Sensor
Linear acceleration:
vendor: Google Inc.
name: Linear Acceleration Sensor
Rotation vector:
vendor: Google Inc.
name: Rotation Vector Sensor
GPIOs
Code:
GPIOs 0-31, gpio:
gpio-0 (mmc_cd ) in lo
gpio-4 (mmc_wp ) in hi
gpio-6 (h_SYS_DRM_MSEC ) out hi
gpio-29 (POWER ) in lo irq-189 edge-both
GPIOs 32-63, gpio:
gpio-32 (HOME ) in hi irq-192 edge-both
gpio-36 (vdd_lcdtp ) out hi
gpio-37 (ft5x06_touch ) in hi irq-197 edge-falling
gpio-38 (BOXER BL PWR EN ) out hi
gpio-39 (ft5x06_reset ) out hi
gpio-44 (BOXER CABC0 ) out lo
gpio-45 (BOXER CABC1 ) out lo
gpio-60 (max8903_gpio_chg_en ) out hi
gpio-62 (max8903_gpio_chg_flt) in hi irq-222 edge-both
gpio-63 (max8903_gpio_chg_usu) out hi
GPIOs 64-95, gpio:
gpio-65 (max17042_irq ) in hi irq-225 edge-falling
gpio-66 (kxtf9_irq ) in hi irq-226 edge-falling
gpio-81 (max8903_gpio_chg_dok) in hi
gpio-82 (max8903_gpio_chg_uok) in hi
gpio-83 (max8903_gpio_chg_ius) out hi
GPIOs 96-127, gpio:
gpio-101 (audio_codec_pwron ) out hi
gpio-102 (hsdet-gpio ) in hi irq-262 edge-both
gpio-103 (Codec Interrupt ) in hi
gpio-104 (audio_codec_reset ) out hi
gpio-114 (wifi_pwen ) out hi
gpio-115 (wifi_irq ) in hi irq-275 ?trigger?
gpio-118 (wifi_pmena ) out hi
GPIOs 128-159, gpio:
GPIOs 160-191, gpio:
gpio-173 (max8903_gpio_chg_ilm) out lo
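The listing above is the kernel's gpiolib debugfs dump (the format printed by /sys/kernel/debug/gpio). As an added example, not code from the page or from the Nook Tablet sources, here is a parser for that format which pulls out the input lines wired to an interrupt (where buttons and sensor events live) and marks lines whose trigger the kernel could not name, as with gpio-115 above; searching the labels for "vol" returns nothing, which is the observation raised later in the thread. The sample text is a handful of lines copied from the dump above.

```python
import re

# One record per "gpio-N (label) dir level [irq-N trigger]" line of the
# debugfs dump; "GPIOs A-B, gpio:" headers give the bank each line belongs to.
LINE_RE = re.compile(
    r"^gpio-(?P<num>\d+)\s+\((?P<label>.*?)\s*\)\s+(?P<dir>in|out)\s+"
    r"(?P<level>lo|hi)(?:\s+irq-(?P<irq>\d+)\s+(?P<trigger>\S+))?$")
BANK_RE = re.compile(r"^GPIOs (\d+)-(\d+),")

# Constructed sample: a handful of lines copied from the dump above.
SAMPLE_DUMP = """GPIOs 0-31, gpio:
gpio-0 (mmc_cd ) in lo
gpio-29 (POWER ) in lo irq-189 edge-both
GPIOs 32-63, gpio:
gpio-32 (HOME ) in hi irq-192 edge-both
gpio-38 (BOXER BL PWR EN ) out hi
GPIOs 96-127, gpio:
gpio-115 (wifi_irq ) in hi irq-275 ?trigger?
GPIOs 128-159, gpio:
"""


def parse_gpio_dump(text: str) -> list:
    """Parse the dump into dicts; unknown lines are skipped, banks tracked."""
    records, bank = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANK_RE.match(line)
        if m:
            bank = (int(m.group(1)), int(m.group(2)))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["num"] = int(rec["num"])
        rec["irq"] = int(rec["irq"]) if rec["irq"] else None
        # gpiolib prints "?trigger?" when it cannot name the IRQ trigger type
        rec["trigger_known"] = bool(rec["trigger"]) and not rec["trigger"].startswith("?")
        rec["bank"] = bank
        records.append(rec)
    return records


def irq_inputs(records: list) -> list:
    """Input lines wired to an interrupt: where buttons and sensor events live."""
    return [r for r in records if r["dir"] == "in" and r["irq"] is not None]


def find_label(records: list, needle: str) -> list:
    """Case-insensitive substring search over the labels (e.g. "vol")."""
    needle = needle.lower()
    return [r for r in records if needle in r["label"].lower()]
```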
Kernel details (including loaded kernel modules; tiwlan_drv is required for wifi)
Code:
Linux version 2.6.35.7 (build@dhabuildimage17) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 SMP PREEMPT Fri Nov 11 12:35:42 PST 2011
tiwlan_drv 973884 0 - Live 0xbf006000
fwram 916 0 - Live 0xbf000000
I was poking around the nook source code and saw something interesting in u-boot. When it loads a kernel/ramdisk pair into RAM, it doesn't verify the load addresses in the header. That means that I can load 2 independent payloads into anywhere I want in RAM.
What I have done is this:
* Created an SD card that the NT can boot from (contains MLO and signed u-boot.bin)
* Compiled a new u-boot without security checks and a default bootcmd to load "boot.img" off the sd card - this is my "kernel"
* Created another payload which is designed to overwrite the stack so my new u-boot is called - this is my "ramdisk"
* packaged my "kernel" and "ramdisk" into an Android image and named it "flashing_boot.img" on my SD card
* boot my nook & see my (unsigned) u-boot take over the universe
(Note: my NT only tries to boot off of the SD card when its USB is plugged in. Is that expected?)
Try out a sample run with this flashing_boot.img. You should be able to unpack the original boot.img, change stuff, repack it, and boot it. I haven't tried that far myself though.
I have other goodies too but the forum won't let me post links. boooooo.
Function: This flashing_boot.bin loads an unsecure U-Boot bootloader into RAM; the image passes the security checks and is executed by the secure U-Boot. The unsecure U-Boot then looks for a "boot.img" on the SD card and executes it without security checks, thereby eliminating security and "unlocking" the bootloader.
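The weakness described in the quoted post is a loader that trusts the load addresses in the Android boot image header. As an added example (not code from the page or from the Nook Tablet's U-Boot), here is the check a loader should perform before copying payloads: parse the header and reject any image whose kernel, ramdisk or second-stage region lies outside DRAM, overlaps another region, or overlaps the memory the running bootloader occupies. The DRAM window and the bootloader window are assumptions, not values taken from the page.

```python
import struct

# Android boot image header (AOSP mkbootimg, original 608-byte layout):
# magic, 8 x u32 (sizes, load addresses, tags_addr, page_size),
# 2 x u32 unused, 16-byte name, 512-byte cmdline, 8 x u32 id.
BOOT_MAGIC = b"ANDROID!"
HDR_FMT = "<8s10I16s512s8I"
HDR_SIZE = struct.calcsize(HDR_FMT)                    # 608
FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
          "second_size", "second_addr", "tags_addr", "page_size")

# ASSUMED memory map for the check, not taken from the page: 1 GiB of DRAM
# at 0x80000000 and a window occupied by the running U-Boot that no payload
# may be loaded over (the page's patch addresses 0x80e847xx fall inside it).
RAM = (0x80000000, 0xC0000000)
BOOTLOADER = (0x80E00000, 0x80F00000)


def parse_header(img: bytes) -> dict:
    """Unpack the header fields; raise on a short image or a bad magic."""
    if len(img) < HDR_SIZE:
        raise ValueError("image shorter than boot header")
    words = struct.unpack_from(HDR_FMT, img, 0)
    if words[0] != BOOT_MAGIC:
        raise ValueError("bad boot image magic")
    return dict(zip(FIELDS, words[1:9]))


def check_load_addrs(hdr: dict) -> list:
    """Return the reasons this header must be rejected (empty list = OK)."""
    problems, regions = [], []
    for name in ("kernel", "ramdisk", "second"):
        size, addr = hdr[name + "_size"], hdr[name + "_addr"]
        if size == 0:
            continue
        end = addr + size                  # Python ints: no u32 wraparound
        if addr < RAM[0] or end > RAM[1]:
            problems.append(f"{name} [{addr:#x},{end:#x}) lies outside RAM")
        if addr < BOOTLOADER[1] and end > BOOTLOADER[0]:
            problems.append(f"{name} would overwrite the running bootloader")
        regions.append((name, addr, end))
    for i, (n1, s1, e1) in enumerate(regions):
        for n2, s2, e2 in regions[i + 1:]:
            if s1 < e2 and s2 < e1:
                problems.append(f"{n1} and {n2} load regions overlap")
    if hdr["page_size"] not in (2048, 4096, 8192, 16384):
        problems.append("unsupported page_size")
    return problems


def make_image(kernel_addr: int, ramdisk_addr: int, page_size: int = 2048) -> bytes:
    """Constructed sample image with tiny zero-filled kernel/ramdisk payloads."""
    kernel, ramdisk = b"\x00" * 64, b"\x00" * 32
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), kernel_addr,
                      len(ramdisk), ramdisk_addr, 0, 0, kernel_addr - 0x100,
                      page_size, 0, 0, b"", b"", *([0] * 8))
    pad = lambda b: b + b"\x00" * (-len(b) % page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk)
```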
U-Boot prompt method
This method expects that you are using a stock MLO and a stock U-Boot on an SDCard. At the U-Boot prompt, type the following to load an unsecure kernel named "new.flashing_boot.img" without security:
Automated "UnBrickable ModCHIP"
This method can be automated using an ATtiny4313. The ATtiny4313 costs $3, so this is an inexpensive hardware-based bootloader unlock. The following code can be compiled using the Arduino IDE with the ArduinoTiny libraries set for the ATtiny4313 microcontroller.
Code:
/*
Barnes and Noble Nook Tablet UnBrickable Modchip
Copyright 2011 Adam Outler - hkvc
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-Adam Outler adamoutler, gmail.com
*/
boolean Position[3] = {true, true, true}; // one flag per stage; cleared once that stage's commands have been sent
int inByte;                               // current byte
String Message = "";                      // bytes received since the last newline
//begin sketch
void setup() {
  Serial.begin(115200); // Initialize UART and set baud for serial
  Serial.println("I are your god now");
}
void loop() {
  if (Serial.available()) {
    inByte = Serial.read();
    if (inByte == 10) {       // newline: start collecting a fresh line
      Message = "";
    }
    else {
      Message = Message + (char)inByte; // dump char into string
      if (Message == "OMAP44XX SDP # ") { // the U-Boot prompt has been printed
        if (Position[0]) {
          Serial.println("O hai Nook Im in ur memory");
          Serial.println("mmcinit 0; fatload mmc 0:1 0x81000000 new.flashing_boot.img;");
          Serial.println("Mai kernel is ur kernel");
          Position[0] = false;
          return;
        } else if (Position[1]) {
          Serial.println("Ur Security is my target");
          Serial.println("mw.l 80e84794 e1a00000; mw.l 80e847fc e1a00000; mw.l 80e84808 e1a00000; mw.l 80e847a0 e1a00000;");
          Serial.println("Ur Security is neutralized");
          Position[1] = false;
          return;
        }
        else if (Position[2]) {
          Serial.println("boot mai kernel now");
          Serial.println("booti 0x81000000"); // println so the joke line below is not appended to the command
          Serial.println("k thx bai");
          Position[2] = false;
          lockup();
        }
      }
    }
  }
  if (millis() >= 60000) { // no prompt within 60 seconds: give up
    lockup();
  }
}
void lockup() {
  while (true) {
    delay(50000); // program cannot end, only sleep
  }
}
The ATtiny4313 is connected to the device in the following way:
Pin 2 > UART TX
Pin 3 > UART RX
Pin 10 > Ground
Pin 20 > 1.8V
Function: This hardware exploit sends commands which null out the security checks in memory and allow the device to boot a file called "new.flashing_boot.img" without any security checks.
Conclusion
Using this information and other resources on Linux/Android hacking, you should have all the tools required to make your own custom Android ROM. It is my goal to help enable development on this device. We now have total control over the Nook Tablet.
Please let me know if there's anything I should add.
Hmm, strange that the vol up and down aren't listed. Oh well. Good list. I'll add it to the wiki.
I believe they are shared objects. I was able to get them into Ubuntu by adding the shared objects found in the /etc/ folder. Volume+ and Volume- work now and didn't work before. I find this odd.
That's still very strange, because in order for them to be polled by the CPU they must be on the watchdog timer and on the GPIO port list; however, I'm curious if they use a linked GPIO. Oh well. I am currently doing massive updates to nooktabletdev.org and I will add all of this documentation to make sure it can be used.