Open herbsmn opened 6 years ago
We never replaced S-Boot. We always sideloaded U-Boot from SD-card or, theoretically, through iROM USB download. Though in theory, S-Boot could be replaced. I suppose maybe that's what Adam and Ralekdev did. You would have to ask them.
It's not really an iROM exploit, but a wildcard bootloader signed by Samsung and released as part of the Odroid project: https://github.com/dmarszk/exynos4_uboot/blob/master/sd_fuse/p4412_s_fwbl1.bin The bootloader code essentially does nothing but jump into the code glued to it, which is not signed in any way. This breaks the secure boot trust chain.
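To make the trust-chain point concrete, here is an added model (not code from this repo or from Samsung/Hardkernel) of how the iROM, BL1, BL2 and U-Boot stages hand off: each stage may only run code it has verified. A vendor-signed BL1 that merely jumps into whatever is appended to it breaks the chain for every later stage, even though BL1 itself still passes the iROM check. The HMAC root key and the stage images are constructed stand-ins for the fused vendor key and the real signed blobs.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the SoC root-of-trust key (assumption: real BL1
# images carry a vendor signature, not an HMAC; only the check structure matters).
ROOT_KEY = b"constructed-root-of-trust-key"


@dataclass
class Stage:
    name: str
    image: bytes
    tag: Optional[bytes]   # signature over image, None if the blob is unsigned
    verify_next: bool      # does this stage check the next one before jumping?


def sign(image: bytes) -> bytes:
    return hmac.new(ROOT_KEY, image, hashlib.sha256).digest()


def signature_ok(stage: Stage) -> bool:
    return stage.tag is not None and hmac.compare_digest(sign(stage.image), stage.tag)


def audit_chain(chain: List[Stage]) -> List[str]:
    """Walk BL1 -> BL2 -> U-Boot the way the boot ROM would. A stage counts as
    verified only if every earlier stage was verified AND checked its successor.
    Returns findings; an empty list means the chain is intact."""
    findings = []
    verified = True  # the iROM itself verifies BL1
    for stage in chain:
        if verified and not signature_ok(stage):
            findings.append(f"{stage.name}: signature invalid, boot halts here")
            break
        if not verified:
            findings.append(f"{stage.name}: runs unverified (an earlier stage is a pass-through)")
        verified = verified and stage.verify_next
    return findings


def genuine_chain() -> List[Stage]:
    bl1, bl2, uboot = b"BL1 verifies BL2", b"BL2 verifies U-Boot", b"U-Boot"
    return [Stage("BL1", bl1, sign(bl1), True), Stage("BL2", bl2, sign(bl2), True),
            Stage("U-Boot", uboot, sign(uboot), False)]


def wildcard_chain() -> List[Stage]:
    # Vendor-signed BL1 that only jumps to the glued-on code; BL2 and U-Boot unsigned.
    bl1 = b"BL1 jumps to whatever follows"
    return [Stage("BL1", bl1, sign(bl1), False), Stage("BL2", b"custom BL2", None, True),
            Stage("U-Boot", b"custom U-Boot", None, False)]


def tampered_genuine_chain() -> List[Stage]:
    chain = genuine_chain()
    chain[1].image = b"modified BL2"  # signature no longer matches
    return chain
```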
It's called an IROM unlock because it allows you to replace the bootloaders. This is the same concept as a bootloader unlock allowing you to replace the kernel.
> On Sat, Apr 21, 2018 at 4:03 PM, Dominik Marszk notifications@github.com wrote:
> It's not really an iROM exploit, but a wildcard bootloader signed by Samsung and released as a part of Odroid project. https://github.com/dmarszk/exynos4_uboot/blob/master/sd_fuse/p4412_s_fwbl1.bin The bootloader code essentially does nothing but jumping into the code glued to it, which is not signed in any way. This breaks the secure boot trust chain.
@dmarszk @adamoutler do you guys know if this wildcard bootloader that was released as part of the Odroid project works exclusively for the SCH-I605 (Verizon version of the N2) or does it work for the N7100 and I9300 as well? They are all Exynos 4412 AFAIK. I'm assuming that this wouldn't work for the I9100 since it is a different Exynos SoC, right?
@dmarszk so do you use u-boot's SPL as BL2? As far as I can tell the Hardkernel u-boot uses a prebuilt BL2.
EDIT: I did a bit more looking. It seems like the smdk4212 lowlevel_init compares pc to the configured base address to detect whether it's running as BL2 or as the real u-boot? So the code just assumes that all the "bl2" code will end up in the first 14000 bytes of the u-boot executable and then uses that as BL2?
This repo seems to have some private keys and tools contained within it: https://github.com/675816156/itop4412_offered_uboot/tree/master/CodeSign4SecureBoot
Do any of you happen to know what this is exactly?
It looks like xboot might have written their own libre BL1 for the Exynos4412: https://github.com/xboot/xboot/tree/master/src/arch/arm32/mach-exynos4412
Replicant is trying to get it working: https://github.com/xboot/xboot/issues/21
How exactly does this software work?
Is sboot replaced entirely, partially, or not at all?
I saw that on the Verizon version of the Note 2, which also uses the same Exynos SoC afaik, some people were able to perform an iROM Unlock and replace sboot with "a bootloader which has been modified to ignore all security checks at the highest level possible". https://forum.xda-developers.com/showthread.php?t=2043636
Does the software contained here use this iROM exploit to slip uboot in to replace all or part of sboot? If not, is this theoretically possible?