Difference between revisions of "Startup"
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
== Logitech Revue Startup == | |||
The CEFDK Bootloader is loaded by the SOC via the NAND from the "cefdk" partition. | |||
This file contains an encrypted bootloader, that has a 256bit header attached. Current theory is that the first bit is a 256bit rsa public key signature (or, the resulting hash sum of a flag to point to the key). | |||
This signature is checked against the public RSA key stored somewhere in the SOC, either in an OTP area, or a master key for every unit (probably some sort of OTP/Fuse) | |||
Once this loads, and the signature is verified - the file contents are decrypted by the SOC (Somehow). | |||
It will then boot the kernel from nand flash "kernel" partition (or "recovery", depending). The Kernel (and recovery) headers have two 256bit chunks of data, followed by typical ANDROID! magic. | |||
The first bit, seems to either be the Logitech Public Key (or a resulting hash) as it is constant across every Retail Kernel and Recovery version (including 3.1). | |||
The second bit is mostlikely the file signature, which the Public Key is used to verify against. | |||
The bootloader contains this public key as well, and it may attempt to compare the Public Key stored inside of it, against the one in the Kernel file. If it matches, it will then use the key to check the file signature, and then execute the code. | |||
In the case of 3.1, there is an additional layer of encryption on the Recovery (and perhaps Kernel) images. The new bootloader would have support to either pass the data to the SOC for decryption, or do it itself. | |||
First bit is as follows: | First bit is as follows: | ||
Line 15: | Line 25: | ||
<pre> | <pre> | ||
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07 | |||
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 | |||
27EF C31D E400 1B6B 0F84 243F C4B2 FB83 | |||
258A 5862 6767 5417 F781 5379 08B2 476D | |||
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 | |||
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 | |||
9783 459E 954F 2AAB C9A7 685F 2CE0 990D | |||
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E | |||
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 | |||
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 | |||
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF | |||
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 | |||
2116 71F2 E39D 5707 699F 410E 38F1 60D6 | |||
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 | |||
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4 | |||
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369 | |||
</pre> | </pre> | ||
Line 37: | Line 47: | ||
<pre> | <pre> | ||
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07 | |||
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 | |||
27EF C31D E400 1B6B 0F84 243F C4B2 FB83 | |||
258A 5862 6767 5417 F781 5379 08B2 476D | |||
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 | |||
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 | |||
9783 459E 954F 2AAB C9A7 685F 2CE0 990D | |||
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E | |||
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 | |||
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 | |||
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF | |||
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 | |||
2116 71F2 E39D 5707 699F 410E 38F1 60D6 | |||
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 | |||
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4 | |||
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369 | |||
</pre> | </pre> | ||
This was tested by attempting to modify the kernel (failure to boot), or by replacing a retail kernel with a test one (it fails, bad keys) | This was tested by attempting to modify the kernel (failure to boot), or by replacing a retail kernel with a test one (it fails, bad keys) | ||
------ | |||
Retail is the same. Bootloader from memdump: | |||
<pre> | |||
DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2 | |||
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 | |||
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC | |||
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 | |||
5850 FF28 7FE5 645E 19C9 0759 6295 3299 | |||
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 | |||
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 | |||
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B | |||
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 | |||
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E | |||
77CB 1CD7 8911 342F 049D 0EA4 476C 150E | |||
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 | |||
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 | |||
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 | |||
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C | |||
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729 | |||
</pre> | |||
Public key in kernel header: | |||
<pre> | |||
DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2 | |||
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 | |||
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC | |||
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 | |||
5850 FF28 7FE5 645E 19C9 0759 6295 3299 | |||
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 | |||
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 | |||
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B | |||
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 | |||
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E | |||
77CB 1CD7 8911 342F 049D 0EA4 476C 150E | |||
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 | |||
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 | |||
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 | |||
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C | |||
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729 | |||
</pre> |
Latest revision as of 00:10, 3 August 2011
Logitech Revue Startup
The CEFDK Bootloader is loaded by the SOC via the NAND from the "cefdk" partition.
This file contains an encrypted bootloader, that has a 256bit header attached. Current theory is that the first bit is a 256bit rsa public key signature (or, the resulting hash sum of a flag to point to the key).
This signature is checked against the public RSA key stored somewhere in the SOC, either in an OTP area, or a master key for every unit (probably some sort of OTP/Fuse)
Once this loads, and the signature is verified - the file contents are decrypted by the SOC (Somehow).
It will then boot the kernel from nand flash "kernel" partition (or "recovery", depending). The Kernel (and recovery) headers have two 256bit chunks of data, followed by typical ANDROID! magic.
The first bit, seems to either be the Logitech Public Key (or a resulting hash) as it is constant across every Retail Kernel and Recovery version (including 3.1).
The second bit is mostlikely the file signature, which the Public Key is used to verify against.
The bootloader contains this public key as well, and it may attempt to compare the Public Key stored inside of it, against the one in the Kernel file. If it matches, it will then use the key to check the file signature, and then execute the code.
In the case of 3.1, there is an additional layer of encryption on the Recovery (and perhaps Kernel) images. The new bootloader would have support to either pass the data to the SOC for decryption, or do it itself.
First bit is as follows:
Public key, for test/eng kernel is listed below (located in kernel/recovery images at 0x94 ish)
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07 DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 27EF C31D E400 1B6B 0F84 243F C4B2 FB83 258A 5862 6767 5417 F781 5379 08B2 476D 68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 9783 459E 954F 2AAB C9A7 685F 2CE0 990D 0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 8D85 32F2 90DC A65D F286 6FF1 B160 D3EF 4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 2116 71F2 E39D 5707 699F 410E 38F1 60D6 81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4 B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369
This is confirmed by looking into the leaked ENG bootloader (cefdk-logitech_ka3.bin), which the same data can be found (0x3a1c0 ish):
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07 DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 27EF C31D E400 1B6B 0F84 243F C4B2 FB83 258A 5862 6767 5417 F781 5379 08B2 476D 68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 9783 459E 954F 2AAB C9A7 685F 2CE0 990D 0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 8D85 32F2 90DC A65D F286 6FF1 B160 D3EF 4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 2116 71F2 E39D 5707 699F 410E 38F1 60D6 81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4 B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369
This was tested by attempting to modify the kernel (failure to boot), or by replacing a retail kernel with a test one (it fails, bad keys)
Retail is the same. Bootloader from memdump:
DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2 227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 30DC AC72 B296 9576 B760 C8C4 CE2A C0CC 9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 5850 FF28 7FE5 645E 19C9 0759 6295 3299 4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E 77CB 1CD7 8911 342F 049D 0EA4 476C 150E E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C 9786 E616 92B8 C8CB 5B6F 6415 F0AD B729
Public key in kernel header:
DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2 227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 30DC AC72 B296 9576 B760 C8C4 CE2A C0CC 9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 5850 FF28 7FE5 645E 19C9 0759 6295 3299 4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E 77CB 1CD7 8911 342F 049D 0EA4 476C 150E E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C 9786 E616 92B8 C8CB 5B6F 6415 F0AD B729