Difference between revisions of "Startup"

From Exploitee.rs
Jump to navigationJump to search
Line 4: Line 4:




CEFDK Bootloader is loaded from NAND from "cefdk". This contains an encrypted bootloader ,that has a 256bit rsa signature attached. First bit is a public key, second bit is the actual signature.
CEFDK Bootloader is loaded from NAND from "cefdk". This contains an encrypted bootloader, that has a 256bit rsa signature attached. First bit is a public key, second bit is the actual signature.


This signature is checked somewhere in the SOC / "Burnt on" / Master intel key
This signature is checked somewhere in the SOC / "Burnt on" / Master intel key

Revision as of 16:41, 2 August 2011

CE4100 Startup

Logitech Revue (this page doesn't look nice, sorry- need to get my ideas out)


CEFDK Bootloader is loaded from NAND from "cefdk". This contains an encrypted bootloader, that has a 256bit rsa signature attached. First bit is a public key, second bit is the actual signature.

This signature is checked somewhere in the SOC / "Burnt on" / Master intel key

Once this loads, it boots kernel from flash (or usb). Kernel header has two 256 byte chunks of data, followed by typical ANDROID! magic.

First bit is as follows:

Public key, for test/eng kernel is listed below (located in kernel/recovery images at 0x94 ish)

                            
50cf 2661 2cac 7569 4f59 125b aa4d 07ad
e1dc 7420 1b2c ef9a 165e 2b40 9ad6 a87d
ef27 1dc3 00e4 6b1b 840f 3f24 b2c4 83fb
8a25 6258 6767 1754 81f7 7953 b208 6d47
af68 dd2d 27cc ddb4 a253 3763 4253 1213
b1f7 d615 4fb1 105a 0a17 56ee 95c4 321a
8397 9e45 4f95 ab2a a7c9 5f68 e02c 0d99
ff0b b36d 77dc f4c6 f6d1 2d96 8daa 7eea
4dee c4bb 0b88 c480 dcd8 3454 7e3e d659
98d4 5ced 378a d421 cec7 eb44 a32a e65f
858d f232 dc90 5da6 86f2 f16f 60b1 efd3
0e4a c8e7 579a f337 fbf7 e4ef 646e f02d
1621 f271 9de3 0757 9f69 0e41 f138 d660
f081 e4b0 995a 0661 cef2 0be7 610e 31e6
c2d7 1fec 8d64 926c 2a2a fbbb 777b e430
f6b2 5cda 5674 07cd 4c58 a3ff c625 6953


This is confirmed by looking into the leaked ENG bootloader (cefdk-logitech_ka3.bin), which the same data can be found (0x3a1c0 ish):

                            
50cf 2661 2cac 7569 4f59 125b aa4d 07ad
e1dc 7420 1b2c ef9a 165e 2b40 9ad6 a87d
ef27 1dc3 00e4 6b1b 840f 3f24 b2c4 83fb
8a25 6258 6767 1754 81f7 7953 b208 6d47
af68 dd2d 27cc ddb4 a253 3763 4253 1213
b1f7 d615 4fb1 105a 0a17 56ee 95c4 321a
8397 9e45 4f95 ab2a a7c9 5f68 e02c 0d99
ff0b b36d 77dc f4c6 f6d1 2d96 8daa 7eea
4dee c4bb 0b88 c480 dcd8 3454 7e3e d659
98d4 5ced 378a d421 cec7 eb44 a32a e65f
858d f232 dc90 5da6 86f2 f16f 60b1 efd3
0e4a c8e7 579a f337 fbf7 e4ef 646e f02d
1621 f271 9de3 0757 9f69 0e41 f138 d660
f081 e4b0 995a 0661 cef2 0be7 610e 31e6
c2d7 1fec 8d64 926c 2a2a fbbb 777b e430
f6b2 5cda 5674 07cd 4c58 a3ff c625 6953

This was tested by attempting to modify the kernel (failure to boot), or by replacing a retail kernel with a test one (it fails, bad keys)