Closed fxsheep closed 1 year ago
All the devices under "Tested devices" have (firmware) secure boot disabled. This means it does not really matter which EL3/TZ firmware they used originally, since you can simply flash the tz firmware from other devices without issues.
I'm aware of three distinct TZ firmware versions for MSM8916:
Secure EL1 is always AArch32 as far as I know.
The TZ firmware version is typically related to the OS used on the device:
If your device has (firmware) secure boot disabled I would recommend flashing the tz.mbn from the DragonBoard 410c firmware package (together with qhypstub or the hyp.mbn from there). I believe it should work with any version of the SBL1 firmware. I have used this approach on the Huawei Ascend G7 which normally has AArch32 TZ provided by Huawei.
Additional note: The syscall (scm) interface of the AArch64 TZ is different from the AArch32 version. The aboot firmware also needs to be compatible with that. I know one device where using lk1st was necessary because the original aboot was not compatible with the AArch64 TZ.
If your device has (firmware) secure boot enabled then there is likely little you can do without finding some exploit to load a custom TZ firmware. :/
Hope that helps. :)
Found some MSM8916 devices shipped with TrustZone firmware running entirely in AArch32 mode (both EL3 and Secure EL1).
There are two possible reasons for this. One is that QC switched to pure-AA32 TZBSP on LA at some point. Another is that devices under "Tested devices" are actually using WP firmware, which has AA64 TZ (EL3-only) and HYP.
According to the ARMv8-A spec, if EL3 runs in AArch32, then all lower ELs have to run under AA32 as well. Therefore, devices with these TZ firmwares, when flashed with qhypstub, won't boot anymore.
Possible solutions: