You: (implements secure boot)
Me: (jams screwdriver into NAND pins, receives u-boot prompt)
I don't remember where I first read about shorting pins while u-boot is reading the kernel to force it to drop to a prompt, but I have hacked *so* many devices with that knowledge, so thank you, whoever it was
@mjg59 It’s a story as old as the hills; this trick was used back in the original Xbox days to force it to read the firmware from the LPC port instead of the NAND
@lilstevie @mjg59 and it can be used with i.MX6 (and likely other NXP) devices to access Serial Download Protocol functionality in the boot ROM by simply preventing it from validating u-boot in the first place.
@RoganDawes @mjg59 SDP is theoretically still covered by secure boot though. CVE-2017-7932 and CVE-2017-7936 are fixed in i.MX6s manufactured after a certain date in late 2017 (I don’t recall the exact date, and I think the document that states it is under an NDA that I’m not willing to violate)
@lilstevie @mjg59 Yes, it is still subject to HAB. Fortunately for me, my current target is using chips from before the fixes you describe!
@lilstevie @mjg59 Still trying to figure out how to get a basic U-Boot to execute via SDP, but hopefully I'll get it right eventually! Ideally I want to get a version that will allow me to update environment variables and enable the console in the native U-Boot. Then I can add some mw commands to neuter the factory U-Boot's response to an HAB failure, and simply continue to boot an unsigned image.
@RoganDawes @lilstevie @mjg59 also, speaking from an inside developer's perspective, many products are not using HAB at all, sometimes probably also because of the GPLv3 tivoisation clause