Two different phone models were used to perform this research: a Google

Given how widespread Qualcomm hardware is, as stated above, many people have already worked on studying Qualcomm components. In particular, Aleph Security released a series of 5 blogposts (aleph aleph2 aleph3 aleph4 aleph5) (alongside tools), describing how they took over the Nokia 6 boot chain and wrote a debugger. These blogposts served as a basis for our own work.

First of all, a general overview of the Secure Boot process, and especially the one used by Qualcomm, is given. Then, by using Aleph Security's tools, we will dump the Nexus 6P and Nokia 6 bootROMs in order to gain code execution in them and inject a small debugger, giving the ability to dump the whole phone from the very beginning. This section will also explain the difficulties we encountered with the payload provided by Aleph Security, and how we managed to get around them. After propagating control to the next stages of the boot chain, we patched the Qualcomm Secure Execution Environment to add a hook giving us a read/write primitive at the highest privilege level, EL3. Finally, we will briefly discuss the XPU register.

A secure boot chain is a chain where every stage loads, authenticates

The bootROM is implicitly trusted, as it is most often stored on a CPU die. While modifying it may be considered feasible in theory, it is not

The result is a full chain of trusted components:

According to the Qualcomm Secure Boot and Image Authentication Technical Overview document, the binary authentication is designed more or less in the following way:

The vendor emits a root certificate, keeping the private key for themselves and using the public key in the bootROM. Implicitly trusted, a hash of its public key is stored in hardware (most of the time, in fuses), to ensure it has not been tampered with. This certificate can sign another certificate (and so on), or directly authenticate a signature.

where different parties can sign various sub-components of the system.

The execution of the bootROM, also called PBL, starts at address 0xFC010000, which directly jumps to 0xFC010050, then 0xFC010054. The bootROM starts by setting per-thread registers (seemingly used as scratch registers here) TPIDRURW and TPIDRPRW to the contents of

    RAM:FC010754 50 0F 0D EE    MCR TPIDRURW, R0
    RAM:FC010758 90 1F 0D EE    MCR TPIDRPRW, R1

The bootROM checks if the core ID of the processor executing the code is 0; if not, it jumps to an infinite loop. It then sets the exception vector base to 0xFC010000, and sets some

If (0xFC4BE034 & 0x40) is true, then the bootROM sets the exception vector table to infinite loops, then jumps to 0xFC100000.

register at 0xFC401780 (by default, it isn't), then the bootROM sets the exception table to infinite loops and immediately

HWIO_GCC_RESET_STATUS_ADDR, one can trigger a watchdog reset). This seems to be called

That is, with the two reset methods, if mask 0x20000 was set in the

All 3 involved registers are writable (or in the case of Secure

Meaning that in any other case than the above, the stacks for each AArch32 execution mode are set, and r3 to r12 are set to 0.