Difference between revisions of "Startup"

From Exploitee.rs
Latest revision as of 00:10, 3 August 2011

Logitech Revue Startup

The CEFDK Bootloader is loaded by the SOC via the NAND from the "cefdk" partition.

This file contains an encrypted bootloader with a 256-bit header attached. The current theory is that the first part is a 256-bit RSA public-key signature (or the resulting hash of a flag that points to the key).

This signature is checked against the public RSA key stored somewhere in the SOC, either in an OTP area or as a master key for every unit (probably some sort of OTP/fuse).

Once this loads and the signature is verified, the file contents are decrypted by the SOC (somehow).

It will then boot the kernel from the NAND flash "kernel" partition (or "recovery", depending). The kernel (and recovery) headers have two 256-bit chunks of data, followed by the typical ANDROID! magic.

The first part seems to be either the Logitech public key (or a resulting hash), as it is constant across every retail kernel and recovery version (including 3.1).

The second part is most likely the file signature, which the public key is used to verify.

The bootloader contains this public key as well, and it may compare the public key stored inside it against the one in the kernel file. If they match, it then uses the key to check the file signature, and then executes the code.

In the case of 3.1, there is an additional layer of encryption on the recovery (and perhaps kernel) images. The new bootloader would have support either to pass the data to the SOC for decryption or to do it itself.


The first part is as follows:

The public key for the test/eng kernel is listed below (located in the kernel/recovery images at around 0x94):

CF50 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 
27EF C31D E400 1B6B 0F84 243F C4B2 FB83 
258A 5862 6767 5417 F781 5379 08B2 476D 
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 
9783 459E 954F 2AAB C9A7 685F 2CE0 990D 
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E 
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF 
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 
2116 71F2 E39D 5707 699F 410E 38F1 60D6 
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369 


This is confirmed by looking into the leaked ENG bootloader (cefdk-logitech_ka3.bin), in which the same data can be found (at around 0x3a1c0):

CF50 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 
27EF C31D E400 1B6B 0F84 243F C4B2 FB83 
258A 5862 6767 5417 F781 5379 08B2 476D 
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 
9783 459E 954F 2AAB C9A7 685F 2CE0 990D 
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E 
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF 
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 
2116 71F2 E39D 5707 699F 410E 38F1 60D6 
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369 

This was tested by attempting to modify the kernel (failure to boot) and by replacing a retail kernel with a test one (it fails: bad keys).



Retail is the same. Bootloader key from a memory dump:

DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC 
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 
5850 FF28 7FE5 645E 19C9 0759 6295 3299 
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B 
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E 
77CB 1CD7 8911 342F 049D 0EA4 476C 150E 
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C 
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729 

Public key in kernel header:

DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC 
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 
5850 FF28 7FE5 645E 19C9 0759 6295 3299 
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B 
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E 
77CB 1CD7 8911 342F 049D 0EA4 476C 150E 
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C 
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729
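The header description above (two chunks, then the ANDROID! magic), the way the key was located in the kernel image and in the ENG cefdk, and the "retail is the same" comparison can all be exercised against the dumps quoted on this page. The following is an added example written for this page, not code from Exploitee.rs, Logitech or Intel. The two hex dumps are copied verbatim from the page; each is 16 rows of 16 bytes, i.e. 256 bytes (2048 bits), which is the size of a 2048-bit RSA modulus. The sample image layout (0x94 bytes of preamble, key, signature, magic) is an assumption built from the page's approximate offset and is marked as such in the code.

```python
"""Checks on the Revue header key material quoted on this page.

Added example, not code from the Exploitee.rs page or from Logitech/Intel.
The two hex dumps are copied from the page.  The sample image layout
(0x94 bytes of preamble, key, signature, ANDROID! magic) is an assumption
built from the page's approximate offsets; real images may differ.
"""
import hmac
import re

# Test/eng key as quoted on the page (kernel/recovery header, ENG cefdk).
ENG_KEY_DUMP = """
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8
27EF C31D E400 1B6B 0F84 243F C4B2 FB83
258A 5862 6767 5417 F781 5379 08B2 476D
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32
9783 459E 954F 2AAB C9A7 685F 2CE0 990D
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0
2116 71F2 E39D 5707 699F 410E 38F1 60D6
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369
"""

# Retail key as quoted on the page (bootloader memdump and kernel header).
RETAIL_KEY_DUMP = """
DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6
5850 FF28 7FE5 645E 19C9 0759 6295 3299
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E
77CB 1CD7 8911 342F 049D 0EA4 476C 150E
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729
"""

ANDROID_MAGIC = b"ANDROID!"
KEY_OFFSET = 0x94  # the page says "0x94 ish"; the exact layout is assumed


def parse_hexdump(text: str) -> bytes:
    """Turn the page's rows of 4-hex-digit groups into raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in dump")
    return bytes.fromhex(digits)


def describe_key(key: bytes) -> dict:
    """Does this blob look like an RSA modulus?  A 2048-bit modulus is
    256 bytes, has its top bit set and is odd.  'Consistent', not 'proven'."""
    n = int.from_bytes(key, "big")
    return {
        "bytes": len(key),
        "bits": n.bit_length(),
        "odd": bool(key[-1] & 1),
        "looks_like_rsa_modulus": len(key) == 256
        and n.bit_length() == 2048 and bool(key[-1] & 1),
    }


def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in blob (the way the page located
    the key at ~0x94 in the kernel and ~0x3a1c0 in the ENG cefdk)."""
    offsets, start = [], 0
    while (i := blob.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def build_sample_image(key: bytes, signature: bytes) -> bytes:
    """Constructed stand-in for a kernel image: preamble, key, signature, magic."""
    return b"\x00" * KEY_OFFSET + key + signature + ANDROID_MAGIC


def key_pinned(header_key: bytes, trusted_key: bytes) -> bool:
    """The comparison the page attributes to the bootloader: is the key in the
    image header the one the bootloader already carries?  Constant-time, and a
    match only gates the signature check that follows; it does not replace it."""
    return hmac.compare_digest(header_key, trusted_key)


if __name__ == "__main__":
    eng, retail = parse_hexdump(ENG_KEY_DUMP), parse_hexdump(RETAIL_KEY_DUMP)
    print("eng   ", describe_key(eng))
    print("retail", describe_key(retail))
    image = build_sample_image(eng, b"\x11" * 256)  # placeholder signature
    print("eng key found at", [hex(o) for o in find_all(image, eng)])
    header_key = image[KEY_OFFSET:KEY_OFFSET + 256]
    print("retail unit accepts eng-keyed image?", key_pinned(header_key, retail))
    print("retail unit accepts retail-keyed image?", key_pinned(retail, retail))
```

Running it reports both dumps as 256 bytes / 2048 bits and odd, finds the eng key at exactly 0x94 in the constructed image, and shows the pinning check rejecting an eng-keyed header on a retail-keyed unit while accepting the retail key, which is the behaviour the "bad keys" test above describes.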