Mbmloader
MBM loader
What is mbmloader?
Strictly speaking, mbmloader((There is a (c) 2006 Motorola notice in it, since it reuses code from the older versions of mbmloader used in previous Motorola phones. This works to our advantage because some of those earlier versions have been reverse engineered in the past by yakk in his MotoMagX hack.)) is one of the first components in the boot chain. It verifies and then loads the mbm component. It also checks mbmbackup for a newer version of mbm, so that mbm cannot be downgraded((this can be easily bypassed once running as root, since mbm and mbmbackup can both be downgraded at the same time)).
More generally, we sometimes say "mbmloader" to refer to the whole bootstrap system, which is composed of the CH table, the Initial Software (ISW) image, and mbmloader itself (inside the ISW image). For example, the mtd-hack module by janneg allows us to dump mtd00, which includes all of these, and we usually call this the "mbmloader dump" or "mbmloader CG".
mbmloader protections
The mbmloader appears to contain public certificates (see the ISW section). These certificates are not in any recognizable standard format, but they conform to CSST's HS signed image format, so we can assume mbmloader is signed. We also know that both the Milestone and the Droid run in HS mode, which requires this format.
Since CSST uses openssl, the openssl "commands" it issues to generate the certificates may somehow be intercepted. Moreover, analyzing csstcli (the command line tool) and its parameters may show what the certificates sign and how.
mbm
What is mbm?
mbm is the Motorola Boot Manager((http://wiki.openezx.org/Z6_Security)). According to the boot chain, mbmloader passes control to mbm after the signature embedded in mbm has been verified.
How does mbmloader verify mbm?
Introduction
yakk has contributed by mapping many high-level function names in the mbmloader image. This makes it easier to inspect how the verification of mbm is performed. He may already have reviewed the relevant code for potential vulnerabilities; documenting his findings so that others can continue from them is one possible way forward.
Work flow
mbm is read into address 0x8F310000.
Search for the end-of-signature mark (its length, 20 bytes, suggests a SHA-1 digest):
6B D3 98 E2 D6 F0 F8 CF FC D4 96 72 5E B3 A8 B3 6B F9 B1 16
Milestone mbmloader
Currently we know of only two versions of mbmloader for the Milestone:
Background
Thanks to yakk, an IDA database (idb) of mbmloader with high-level function names is available. Further exploration is in progress to map more information from the kernel source and the technical reference manual.
Kernel source
drivers/misc/sec/sec_core.h:

```c
#define REGISTER_ADDRESS_DIE_ID 0x4830A218
#define REGISTER_ADDRESS_MSV    0x480023B4
```
Searching for b4 23 00 48 (0x480023B4 stored little-endian) in mbmloader gives:

```
ROM:87004954 EF BE AD DE   dword_87004954 DCD 0xDEADBEEF ; DATA XREF: get_fuse+4↑r
ROM:87004954                                              ; sub_87004798+A↑r
ROM:87004958 B4 23 00 48   MSV            DCD 0x480023B4 ; DATA XREF: get_fuse:loc_87004786↑r
ROM:8700495C 18 A2 30 48   DIE_ID         DCD 0x4830A218 ; DATA XREF: sub_87004832+18↑r
```
arch/arm/plat-omap/include/mach/omap34xx.h:

```c
#define L4_34XX_BASE            0x48000000
#define L4_WK_34XX_BASE         0x48300000
#define L4_PER_34XX_BASE        0x49000000
#define L4_EMU_34XX_BASE        0x54000000
#define L3_34XX_BASE            0x68000000
#define OMAP3430_32KSYNCT_BASE  0x48320000
#define OMAP3430_CM_BASE        0x48004800
#define OMAP3430_PRM_BASE       0x48306800
#define OMAP343X_SMS_BASE       0x6C000000
#define OMAP343X_SDRC_BASE      0x6D000000
#define OMAP34XX_GPMC_BASE      0x6E000000
#define OMAP343X_SCM_BASE       0x48002000
#define OMAP34XX_IC_BASE        0x48200000
#define OMAP34XX_IVA_INTC_BASE  0x40000000
#define OMAP34XX_SR1_BASE       0x480C9000
#define OMAP34XX_SR2_BASE       0x480CB000
#define OMAP34XX_DSP_BASE       0x58000000
```
Technical Reference Manual
Abbreviation | Meaning | Reference |
---|---|---|
MSV | Model Specific Value | spruf98 p. 981, 6.6.4.47(System Control Module, Registers, GENERAL registers description), Table 6-496. CONTROL_MSV_0 |
4.14.1 CM Module Registers, Table 4-90. CM Instance Summary (spruf98 p.440)
Module Name | Base Address (hex) | Size |
---|---|---|
IVA2_CM | 0x4800 4000 | 8192 bytes |
OCP_System_Registers_CM | 0x4800 4800 | 8192 bytes |
MPU_CM | 0x4800 4900 | 8192 bytes |
CORE_CM | 0x4800 4A00 | 8192 bytes |
SGX_CM | 0x4800 4B00 | 8192 bytes |
WKUP_CM | 0x4800 4C00 | 8192 bytes |
Clock_Control_Registers_CM | 0x4800 4D00 | 8192 bytes |
DSS_CM | 0x4800 4E00 | 8192 bytes |
CAM_CM | 0x4800 4F00 | 8192 bytes |
PER_CM | 0x4800 5000 | 8192 bytes |
EMU_CM | 0x4800 5100 | 8192 bytes |
Global_Registers_CM | 0x4800 5200 | 8192 bytes |
NEON_CM | 0x4800 5300 | 8192 bytes |
USBHOST_CM | 0x4800 5400 | 8192 bytes |
6.6 System Control Module Registers Table 6-80. Instance Summary
Name | Address | Instance length |
---|---|---|
INTERFACE | 0x4800 2000 | 36 bytes |
PADCONFS | 0x4800 2030 | 564 bytes |
GENERAL | 0x4800 2270 | 767 bytes |
MEM_WKUP | 0x4800 2600 | 1K byte |
PADCONFS_WKUP | 0x4800 2A00 | 80 bytes |
GENERAL_WKUP | 0x4800 2A60 | 31 bytes |
18.8 McSPI Registers, Table 18-22. Instance Summary
Module Name | Base Address | Size |
---|---|---|
MCSPI1 | 0x4809 8000 | 4Kbytes |
MCSPI2 | 0x4809 A000 | 4Kbytes |
MCSPI3 | 0x480B 8000 | 4Kbytes |
MCSPI4 | 0x480B A000 | 4Kbytes |
Address extracted from mbmloader
Prefixed by 0x4800:
Address | Description |
---|---|
0x48002000 | Control Revision |
0x48002180 | CONTROL_PADCONF_UART1_CTS - Configuration register for pads uart1_cts (clear to send), uart1_rx. ((spruf98 p. 870, 6.6.3.85 CONTROL_PADCONF_UART1_CTS)) |
0x480021C8 | CONTROL_PADCONF_MCSPI1_CLK - Configuration register for pads mcspi1_clk, mcspi1_simo |
0x480022F0 | Control status - SYS_BOOT and DEVICETYPE |
0x480023B4 | MSV - Model Specific Value, 4 bytes |
0x48004000 | Clock manager, Module region A, 8KB ((spruf98 p.203, Table 2-3. L4-Core Memory Space Mapping)) |
0x48004904 | CM_CLKEN_PLL_MPU, This register allows controlling the DPLL1 modes. ((spruf98 p.454)) |
0x48004A00 | Table 4-143. CM_FCLKEN1_CORE, Controls the module functional clock activity. |
0x48004A10 | Table 4-147. CM_ICLKEN1_CORE, Controls the modules interface clock activity. |
0x48004A20 | Table 4-153. CM_IDLEST1_CORE, CORE modules access availability monitoring. This register is read only and automatically updated. |
0x48004B40 | Table 4-177. CM_CLKSEL_SGX, SGX clock selection. |
0x48004C00 | 4.14.1.7.1 CM_FCLKEN_WKUP, Table 4-185. CM_FCLKEN_WKUP, Controls the modules functional clock activity. |
0x48004D00 | Table 4-195. CM_CLKEN_PLL, This register allows controlling the DPLL3 and DPLL4 modes. |
0x48004E40 | Table 4-227. CM_CLKSEL_DSS, Modules clock selection. |
0x48005000 | Table 4-251. CM_FCLKEN_PER, Controls the modules functional clock activity. RW, WDTIMER can be enabled/disabled here. |
0x48005140 | Table 4-267. CM_CLKSEL1_EMU, Modules clock selection. |
Prefixed by 0x4830:
Address | Description |
---|---|
0x48306000 | Table 4-297. PRM Instance Summary, IVA2_PRM |
0x48306D40 | Table 4-387. PRM_CLKSEL, This register controls the selection of the system clock frequency. This register is reset on power-up only. RW |
0x48307000 | Table 4-297. PRM Instance Summary, PER_PRM |
0x48307250 | Table 4-456. PRM_RSTCTRL, Global software and DPLL3 reset control. This register is auto-cleared. Only writing 1 is possible; a read always returns 0. Perhaps it is used to issue a software reset? ((4.5.9.2 Global Warm Reset Sequence)) |
0x48307270 | Table 4-466. PRM_CLKSRC_CTRL, This register provides control over the device source clock. |
0x4830A218 | DIE ID, 16 bytes |
Other 32-bit dwords:
Value | Description |
---|---|
0x40208800 | SRAM |
0x4020C800 | SRAM |
0x4806A000 | UART1 DLL_REG, 16.6 UART/IrDA/CIR Registers |
0x48098000 | 18.8 McSPI Registers, McSPI1 (Multichannel Serial Port Interface) |
0x48314000 | WDTIMER2, Table 15-66. WDT2 Register Summary |
0x48318000 | GPTIMER1, 15.3 General-Purpose (GP) Timer Registers |
0x49020000 | UART3 (infrared), 2.3.2.3 L4-Peripheral Memory Space Mapping, Table 2-5. L4-Peripheral Memory Space Mapping |
0x5A827999 | SHA1 c1 |
0x6E000000 | Table 10-27. Instance Summary, GPMC. |
0x6E00007C | 10.1.7.2.17 GPMC_NAND_COMMAND_i, This register is not a true register, just an address location. |
0x6E000084 | 10.1.7.2.19 GPMC_NAND_DATA_i, This register is not a true register, just an address location. |
0x6E0000A8 | 10.1.7.2.16 GPMC_CONFIG7_i, i = 1 |
0x6E0001F4 | 10.1.7.2.24 GPMC_ECC_CONFIG, ECC configuration, RW, able to control hardware ECC. |
0x6E0001F8 | 10.1.7.2.25 GPMC_ECC_CONTROL, ECC control, RW, able to control hardware ECC. |
0x6ED9EBA1 | SHA1 c2 |
0x8F1BBCDC | SHA1 c3 |
0x8F310000 | mbm load address |
0x8F311000 | mbm offset 0x1000 |
0xB17219E9 | special value in mbm |
0xCA62C1D6 | SHA1 c4 |
0xDEADBEEF | dummy value mark (dead beef) |

Values not yet identified, in ascending order:
0x18000000 0x1F000000 0x20000000 0x208D0024 0x28000000 0x3FCFF000 0x40000000 0x43FFFE01 0x5004800C 0x5005C008
0x76543210 0x78020000 0x7FFFFED3 0x80000000 0x80080000 0x81000000 0x81001000 0x81001080 0x81001484 0x81001888
0x81001908 0x8100192C 0x81001D2C 0x8100212C 0x810021AC 0x8100222C 0x8100322C 0x8100422C 0x8100522C 0x8100562C
0x8100762C 0x81007A14 0x81007A54 0x81007C54 0x81007C64 0x81007CE4 0x81007DE4 0x81007DF4 0x81007E04 0x8100AE40
0x85030004 0x860527A0 0x87000998 0x87009792 0x87009A08 0x87009BDC 0x87009E52 0x87009E5C 0x87009FA6 0x8700AA96
0x8700B614 0x8700B634 0x8700B664 0x8700B684 0x87014D4C 0x89ABCDEF 0x8FFFFFFF 0x90000000
0xF0E1D2C3 0xFC000000 0xFEDCBA98 0xFF000000 0xFFF800FF 0xFFFDD000 0xFFFFDFE1 0xFFFFF7FF 0xFFFFFC01 0xFFFFFFFD 0xFFFFFFFF