You: (implements secure boot)
Me: (jams screwdriver into NAND pins, receives u-boot prompt)
I don't remember where I first read about shorting pins while u-boot is reading the kernel to force it to drop to a prompt, but I have hacked *so* many devices with that knowledge, so thank you whoever it was
@mjg59 Wait, which ones exactly do I short? Help me out here, I'm not good with computers.
@muvlon For SPI, easiest is usually just shorting clock to ground
@mjg59 @muvlon and for parallel D0 to ground
@mjg59 i suspect it gets "rediscovered" periodically, but more recently might've been @colinoflynn hacking on the Hue Bridge? http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
@mjg59 you have just opened up an entire world of possibilities for me...
@mjg59 it’s a story as old as the hills, this trick was used back in the original Xbox days to force it to read the firmware from the LPC port instead of the NAND
@lilstevie @mjg59 and can be used with i.MX6 (and likely other NXP) devices to access Serial Download Protocol functionality in the boot ROM by simply preventing it from validating u-boot in the first place.
@RoganDawes @mjg59 SDP is theoretically still covered by secure boot though. CVE-2017-7932 and CVE-2017-7936 are fixed in i.MX6s manufactured after a certain date in late 2017 (I don’t recall the exact date, and I think the document that states it is under an NDA that I’m not willing to violate)
@lilstevie @mjg59 Yes, it is still subject to HAB. Fortunately for me, my current target is using chips from before the fixes you describe!
@lilstevie @mjg59 Still trying to figure out how to get a basic U-Boot to execute via SDP, but hopefully I'll get it right eventually! Ideally I want to get a version that will allow me to update environment variables and enable the console in the native U-Boot. Then I can add some mw commands to neuter the factory U-Boot's response to an HAB failure, and simply continue to boot an unsigned image.
@RoganDawes @lilstevie @mjg59 also, speaking from an inside developer's perspective, many products are not using HAB at all, sometimes probably also because of the GPLv3 tivoisation clause
@lilstevie @mjg59 My first memory of this is around 2001/2002 when hacking the #dbox2 set top box to free it from a bloated Java UI and give it Linux freedom. IIRC it was a proprietary boot loader back then, not u-boot, but I wasn't involved too deeply in the details
@mjg59 oh that's a handy trick to know, thanks for mentioning
@mjg59 I remember a talk I attended about hacking robot vacuum cleaners. They shoved a piece of aluminium foil under one side of the BGA packaged flash to get a bootloader prompt. The funny thing was I saw the picture and it was immediately clear to me what they were doing and how it worked. Because of course if you screw up the flash you get the prompt. Happened to me a lot. I just never considered that a desirable outcome before, so I never would have thought of it as an attack vector.