Difference between revisions of "Startup"

From Exploitee.rs
Jump to navigationJump to search
 
Line 1: Line 1:
CE4100 Startup
== Logitech Revue Startup ==


Logitech Revue (this page doesn't look nice, sorry- need to get my ideas out)
The CEFDK Bootloader is loaded by the SOC via the NAND from the "cefdk" partition.


This file contains an encrypted bootloader, that has a 256bit header attached. Current theory is that the first bit is a 256bit rsa public key signature (or, the resulting hash sum of a flag to point to the key).


CEFDK Bootloader is loaded from NAND from "cefdk". This contains an encrypted bootloader, that has a 256bit rsa signature attached. First bit is a public key, second bit is the actual signature.
This signature is checked against the public RSA key stored somewhere in the SOC, either in an OTP area, or a master key for every unit (probably some sort of OTP/Fuse)


This signature is checked somewhere in the SOC / "Burnt on" / Master intel key
Once this loads, and the signature is verified - the file contents are decrypted by the SOC (Somehow).
 
It will then boot the kernel from nand flash "kernel" partition (or "recovery", depending). The Kernel (and recovery) headers have two 256bit chunks of data, followed by typical ANDROID! magic.
 
The first bit, seems to either be the Logitech Public Key (or a resulting hash) as it is constant across every Retail Kernel and Recovery version (including 3.1).
 
The second bit is mostlikely the file signature, which the Public Key is used to verify against.
 
The bootloader contains this public key as well, and it may attempt to compare the Public Key stored inside of it, against the one in the Kernel file. If it matches, it will then use the key to check the file signature, and then execute the code.
 
In the case of 3.1, there is an additional layer of encryption on the Recovery (and perhaps Kernel) images. The new bootloader would have support to either pass the data to the SOC for decryption, or do it itself.


Once this loads, it boots kernel from flash (or usb). Kernel header has two 256 byte chunks of data, followed by typical ANDROID! magic.


First bit is as follows:
First bit is as follows:

Latest revision as of 00:10, 3 August 2011

Logitech Revue Startup

The CEFDK Bootloader is loaded by the SOC via the NAND from the "cefdk" partition.

This file contains an encrypted bootloader, that has a 256bit header attached. Current theory is that the first bit is a 256bit rsa public key signature (or, the resulting hash sum of a flag to point to the key).

This signature is checked against the public RSA key stored somewhere in the SOC, either in an OTP area, or a master key for every unit (probably some sort of OTP/Fuse)

Once this loads, and the signature is verified - the file contents are decrypted by the SOC (Somehow).

It will then boot the kernel from nand flash "kernel" partition (or "recovery", depending). The Kernel (and recovery) headers have two 256bit chunks of data, followed by typical ANDROID! magic.

The first bit, seems to either be the Logitech Public Key (or a resulting hash) as it is constant across every Retail Kernel and Recovery version (including 3.1).

The second bit is mostlikely the file signature, which the Public Key is used to verify against.

The bootloader contains this public key as well, and it may attempt to compare the Public Key stored inside of it, against the one in the Kernel file. If it matches, it will then use the key to check the file signature, and then execute the code.

In the case of 3.1, there is an additional layer of encryption on the Recovery (and perhaps Kernel) images. The new bootloader would have support to either pass the data to the SOC for decryption, or do it itself.


First bit is as follows:

Public key, for test/eng kernel is listed below (located in kernel/recovery images at 0x94 ish)

                            
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 
27EF C31D E400 1B6B 0F84 243F C4B2 FB83 
258A 5862 6767 5417 F781 5379 08B2 476D 
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 
9783 459E 954F 2AAB C9A7 685F 2CE0 990D 
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E 
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF 
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 
2116 71F2 E39D 5707 699F 410E 38F1 60D6 
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369 


This is confirmed by looking into the leaked ENG bootloader (cefdk-logitech_ka3.bin), which the same data can be found (0x3a1c0 ish):

                            
CF50 6126 AC2C 6975 594F 5B12 4DAA AD07
DCE1 2074 2C1B 9AEF 5E16 402B D69A 7DA8 
27EF C31D E400 1B6B 0F84 243F C4B2 FB83 
258A 5862 6767 5417 F781 5379 08B2 476D 
68AF 2DDD CC27 B4DD 53A2 6337 5342 1312 
F7B1 15D6 B14F 5A10 170A EE56 C495 1A32 
9783 459E 954F 2AAB C9A7 685F 2CE0 990D 
0BFF 6DB3 DC77 C6F4 D1F6 962D AA8D EA7E 
EE4D BBC4 880B 80C4 D8DC 5434 3E7E 59D6 
D498 ED5C 8A37 21D4 C7CE 44EB 2AA3 5FE6 
8D85 32F2 90DC A65D F286 6FF1 B160 D3EF 
4A0E E7C8 9A57 37F3 F7FB EFE4 6E64 2DF0 
2116 71F2 E39D 5707 699F 410E 38F1 60D6 
81F0 B0E4 5A99 6106 F2CE E70B 0E61 E631 
D7C2 EC1F 648D 6C92 2A2A BBFB 7B77 30E4
B2F6 DA5C 7456 CD07 584C FFA3 25C6 5369 

This was tested by attempting to modify the kernel (failure to boot), or by replacing a retail kernel with a test one (it fails, bad keys)



Retail is the same. Bootloader from memdump:

DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC 
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 
5850 FF28 7FE5 645E 19C9 0759 6295 3299 
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B 
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E 
77CB 1CD7 8911 342F 049D 0EA4 476C 150E 
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C 
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729 

Public key in kernel header:

DEEF B1C8 1C92 BAE7 F05C 7C9F 424F F3A2
227E 62F6 37D7 7CB9 BB21 56B3 537A 2C80 
30DC AC72 B296 9576 B760 C8C4 CE2A C0CC 
9542 10A5 D201 5BE8 915D 7D99 86C1 68B6 
5850 FF28 7FE5 645E 19C9 0759 6295 3299 
4BEB 3181 460A BFF4 7AE6 50B5 0816 8327 
08A5 D073 DD45 499C 6EC9 EAD2 4022 5135 
95BE 1E5E 62D5 12EC 88B9 499E 1690 4B9B 
ECEA FE87 96E6 5C34 A196 E344 12E5 E5A8 
5C03 CCC6 0A70 BEBA AA61 6697 2BBB 1D9E 
77CB 1CD7 8911 342F 049D 0EA4 476C 150E 
E3DE E003 871D 24B1 0CC9 A885 87F3 2A30 
363F EE8D 7E02 18BE 2DB0 2FF3 ED17 1983 
773A 3E88 75E9 A365 F8E7 CF29 FB44 D869 
1004 DAFF F426 1CD8 9EC0 BEE9 BE8B DA1C 
9786 E616 92B8 C8CB 5B6F 6415 F0AD B729