<bauen1>
smaeul: there's a 2nd attack that does not require a valid toc0, only the magic must match
<bauen1>
but iirc the quick test you did didn't result in hijacking the pc
<bauen1>
so maybe it doesn't work
<bauen1>
not being able to enter secure mode from fel is actually kind of what i want lol
<bauen1>
i suspected that it wasn't really possible to mess with secure boot without bricking a board
<bauen1>
but you've already tried a board with an empty rotpk hash so i just need to try with a valid rotpk
<bauen1>
i also suspect that code running on the ar100 is always in secure mode, so maybe that is a possible attack vector
<bauen1>
and (if you have an fpga) you could always try to power-glitch the image verification
<bauen1>
DMA shouldn't be possible if the (presumably existing) SPC is configured correctly
<bauen1>
this is funny, on the one side it would be bad for my use case if we can find a way to enter secure mode, on the other hand i don't fancy bricking my only h64
<bauen1>
arm cores also have some form of debug, but i believe that is initially disabled
<bauen1>
and iirc there's some code in at least the h3 fel enter code that disables it
<bauen1>
but it might be worth a shot
ric96 has joined #linux-sunxi
jeandet has joined #linux-sunxi
arnd has joined #linux-sunxi
<bauen1>
the h5 sbrom also copies some informationn related to the rotpk to 0x10000 before entering fel (if it isn't overwritten) so dumping memory even from fel might reveal some helpful information
pdp7 has joined #linux-sunxi
ccaione has joined #linux-sunxi
steev has joined #linux-sunxi
warpme_ has joined #linux-sunxi
charco has joined #linux-sunxi
<bauen1>
smaeul: but maybe you can add the brom dump ?
lvrp16 has joined #linux-sunxi
Benjojo has joined #linux-sunxi
narmstrong has joined #linux-sunxi
aliosa27 has joined #linux-sunxi
iamfrankenstein has joined #linux-sunxi
ullbeking has joined #linux-sunxi
<bauen1>
also looks like the usb on the pinephone is wired to the usb-otg, makes it a bit hard to "disable" (i.e. burn) fel on the a53
asdf28 has joined #linux-sunxi
steev has quit [Ping timeout: 272 seconds]
steev has joined #linux-sunxi
cmeerw has joined #linux-sunxi
JohnDoe_71Rus has joined #linux-sunxi
lurchi_ is now known as lurchi__
The_Loko has joined #linux-sunxi
rex_victor has quit [Ping timeout: 272 seconds]
karme` has joined #linux-sunxi
karme` has left #linux-sunxi [#linux-sunxi]
Net147_ has quit [Quit: Quit]
Net147 has joined #linux-sunxi
msimpson has joined #linux-sunxi
iamfrankenstein has quit [Quit: iamfrankenstein]
victhor has joined #linux-sunxi
cnxsoft has joined #linux-sunxi
cnxsoft1 has quit [Read error: Connection reset by peer]
lurchi__ is now known as lurchi_
_whitelogger has joined #linux-sunxi
rex_victor has joined #linux-sunxi
apritzel has joined #linux-sunxi
victhor has quit [Quit: Leaving]
gaston1980 has joined #linux-sunxi
jbrown has joined #linux-sunxi
chewitt has quit [Read error: Connection reset by peer]
<Ashleee>
RE tftpboot -- I can confirm that during the lost packet even ping gets lost
<smaeul>
bauen1: which brom dump? H6 NBROM is already posted. I cannot access H6 SBROM because I can only access FEL, and I can't switch BROMs from NS mode
hanni76 has quit [Remote host closed the connection]
<apritzel>
smaeul: how do you switch the BROM mappings? Is that documented somewhere? I was under the impression that starting in secure boot mode would leave the SBROM mapped?
<smaeul>
apritzel: no, FEL is implemented in NBROM, so entering fell switches between them
nashpa has quit [Ping timeout: 256 seconds]
<apritzel>
ah, I see. That explains why FEL reads of the BROM area gave me the same results between normal and secure-fuse-burnt A64
<apritzel>
so does reading (and dumping) the BROM from a TOC0 image work?
<smaeul>
on A64/H5, it's bit 31 of 0x1c000f0: 0 => SBROM, 1 => NBROM. the bit is ignored and RAZ when secure boot is disabled
<apritzel>
smaeul: do you happen to know how this switching works? My guess was that the SoC always boots with the SBROM mapped, then checks the secure fuse and switches to the NSBROM immediately when this is not burnt?
<apritzel>
from U-Boot even? So from non-secure world?
<smaeul>
right
<smaeul>
apritzel: I don't think it loads SBROM at all without the fuse. the BROM toggle bit is ignored, and most of the initial setup logic is duplicated between the two BROMs
yann has quit [Remote host closed the connection]
<apritzel>
I see, thanks
gnarface has quit [Quit: Leaving]
victhor has quit [Remote host closed the connection]
netlynx has quit [Quit: Ex-Chat]
lurchi_ is now known as lurchi__
yann has joined #linux-sunxi
tuxillo has quit [Ping timeout: 260 seconds]
tuxillo has joined #linux-sunxi
gsz has quit [Quit: Konversation terminated!]
sunshavi has quit [Read error: Connection reset by peer]
damex has quit [Read error: Connection reset by peer]
AneoX has quit [Ping timeout: 260 seconds]
AneoX has joined #linux-sunxi
damex has joined #linux-sunxi
apritzel has quit [Ping timeout: 256 seconds]
damex_ has joined #linux-sunxi
damex has quit [Ping timeout: 272 seconds]
sunshavi has joined #linux-sunxi
damex_ has quit [Read error: Connection reset by peer]
damex has joined #linux-sunxi
rojiro has quit [Ping timeout: 240 seconds]
rojiro has joined #linux-sunxi
damex_ has joined #linux-sunxi
apritzel has joined #linux-sunxi
damex has quit [Ping timeout: 240 seconds]
xzz53 has quit [Ping timeout: 258 seconds]
xzz53 has joined #linux-sunxi
akaWolf has quit [Ping timeout: 264 seconds]
sunshavi has quit [Read error: Connection reset by peer]