A small correction: IPQ40xx is made by Qualcomm, not Broadcom, and that feature is called QSEE instead. :) If my memory is right, Qualcomm verifies SBL (SBL is a binary provided by Qualcomm to bootstrap some basic modules like the RAM controller and load U-boot) in their bootrom before the bootrom starts SBL. SBL will then verify U-boot and refuse to boot if U-boot doesn't pass the signature check. As for how U-boot verifies firmware, this depends on the manufacturer's implementation. Since the RSA pubkey is burnt into the SoC instead of an external flash, this guarantees that no one can replace the U-boot with an unsigned one.
(I agree that this is an unrelated topic here and I'll just stop further discussion about this.)

Michael Holstein <[email protected]> wrote on Mon, Aug 20, 2018 at 11:08 PM:
>
> that feature is called TXE (it's also in the Pi's Broadcom SoC) and it
> doesn't "prevent" it "complicates", particularly in this
> implementation.
> You're correct on your GPL comment. But they did it before and didn't
> release source either, so whoever has ownership should at least ask
> them pretty-please.
>
> There's a workaround to this little problem (wearing the work hat, I'd
> call that a decent security problem in how TXE and uBoot interact in
> Broadcom's implementation), this being another discussion, and
> unrelated.
>
> -Michael.
>
> On Mon, Aug 20, 2018 at 10:26 AM, Chuanhong Guo <[email protected]> wrote:
> > GPL doesn't prevent the manufacturer from blocking third-party
> > firmware being installed on their router.
> > They just need to provide GPL code for their firmware (and they don't
> > need to explicitly submit their device support to OpenWrt project.)
> > BTW: It seemed that the bootrom of Qualcomm IPQ40xx comes from other
> > Qualcomm Android chips and contains some security features that
> > prevent unauthorized firmware from being installed on their router. An
> > RSA pubkey can be burnt into the SoC and the SoC bootrom will verify contents
> > on flash before booting it. If this feature is used by the
> > manufacturer it'll be impossible for you to flash any third-party firmware on
> > this router.
> > Michael Holstein <[email protected]> wrote on Mon, Aug 20, 2018 at 9:41 PM:
> >>
> >> I was finally frustrated at these Engenius/Saneo units and found the
> >> serial port and got into uBoot and looked at the image .. it's yours
> >> .. but oddly, you don't support it all.
> >>
> >> Well gee, that's curious, it seems somebody's breaking the rules, and
> >> it isn't you.
> >>
> >> I'd nastygram Engenius and make them post the GPL contrib so you have
> >> the BLOB for the Broadcom IPQ4019 that's in there. This is the
> >> EAP1250/1300 (identical except for where RJ45 port is) .. there are
> >> 100 others that use this board (I ran the board ID through the FCC API
> >> if you want all the makes/models).
> >>
> >> Here's your goods let me know if you want anything else .. I'm going
> >> to build the image for it and flash but since they broke the rules to
> >> begin with I'm dumping the flash and using the FDT to help modernize.
> >>
> >> These are cool because they are dual radio soft APs that are PoE and
> >> AC wave 2. A 3 pack is $160 on Amazon. With OpenWISP you can do most
> >> anything shy of a college campus
> >>
> >> anywho ..here's all the proof you need. They didn't even bother to
> >> change the name.
> >>
> >> I'm not a contributor I just do lots of embedded work and this made me
> >> mad. Note that you've already noticed this on the Engenius 300
> >> (the wiki points out the factory firmware is openwrt)
> >>
> >> Company contact/owner is easiest found via their FCC filings : most
> >> recent one from
> >> company president
> >>
> >> https://fccid.io/A8J-EAP1300/Letter/Confidentiality-Request-3409208
> >>
> >> Cheers,
> >>
> >> -Michael.
> >>
> >> PS: It looks like they locked the UART from which I obtained this in
> >> u-boot from allowing interrupt so I'm going to poke about and find out
> >> how to get in there. I know this can be done but it's the first I've seen
> >> it done .. The uBoot is reworked from Saneo, per the version string.
> >>
> >> Anyone have a clever tip on that work-around? .. If I can get console
> >> at u-Boot I can skip a couple steps.
> >>
> >> ---snip---.
> >>
> >> bootm 0x84000000#configÉ4
> >>
> >> ## Booting kernel from FIT Image at 84000000 ...
> >> Using 'configÉ4' configuration
> >> Trying 'kernelÉ1' kernel subimage
> >> Description: ARM OpenWrt Linux-3.14.43 <<<<<<<< LOL OKAY COUGH IT UP
> >> Type: Kernel Image
> >> Compression: gzip compressed
> >> Data Start: 0x840000e4
> >> Data Size: 3180186 Bytes = 3 MiB
> >> Architecture: ARM
> >> OS: t Linux
> >> Load Address: 0x80208000
> >> Entry Point: 0x80208000
> >> Hash algo: crc32
> >> Hash value: 34c16a99
> >> Hash algo: sha1
> >> Hash value: 620a666c88729f60ee5b3f90fa261ed2bb3de6cb
> >> Verifying Hash Integrity ... crc32+ sha1+ OK
> >>
> >> ## Flattened Device Tree from FIT Image at 84000000
> >> Using 'configÉ4' configuration
> >> Trying 'fdtÉ4' FDT blob subimage
> >> Description: ARM OpenWrt qcom-ipq40xx-ap.dkxx device tree blob
> >> Type: Flat Device Tree
> >> Compression: uncompressed
> >> Data Start: 0x84325520
> >> Data Size: 33495 Bytes = 32.7 KiB
> >> Architecture: ARM
> >> Hash algo: crc32
> >> Hash value: 19be728a
> >> Hash algo: sha1
> >> Hash value: 633f6dbf948179ecf1f72f737981d2b38fabe6ee
> >> Verifying Hash Integrity ... crc32+ sha1+ OK
> >> Booting using the fdt blob at 0x84325520
> >> Uncompressing Kernel Image ... OK
> >>
> >> Loading Device Tree to 86ff4000, end 86fff2d6 ...
> >>
> >> And guilty party :
> >>
> >> Linux version 3.14.43 (root@liwei) (gcc version 4.8.3 20140106
> >> (prerelease) (Linaro GCC 4.8-2014.01) ) #1 SMP PREEMPT Tue Jan 30
> >> 18:20:10 CST 2018
> >>
> >> [ 0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7),
> >> cr=10c5387d
> >>
> >> [ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing
> >> instruction cache
> >>
> >> [ 0.000000] Machine model: Qualcomm Technologies, Inc. IPQ40xx/EAP1250
> >>
> >> _______________________________________________
> >> openwrt-devel mailing list
> >> [email protected]
> >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
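
Added example (not part of the thread, and not U-Boot or OpenWrt code): the reply at the top says that how U-Boot verifies firmware depends on the manufacturer's implementation, and the quoted bootm output records which checks ran. The Python below classifies each FIT configuration and subimage in such a log as signed, hash-only, failed or unverified; both sample logs and their node names are constructed, and the `hash,crypto:key` token form for signatures is assumed from upstream U-Boot's output.

```python
import re

# Added example. Both logs are constructed: HASH_ONLY mirrors the shape of the
# bootm output quoted in the thread; SIGNED uses the "hash,crypto:key" token
# form assumed from upstream U-Boot when FIT signature checking is enabled.
# Node names (conf-a, kernel-a, fdt-a) are placeholders.
HASH_ONLY = """\
   Using 'conf-a' configuration
   Trying 'kernel-a' kernel subimage
     Hash algo:    crc32
     Hash algo:    sha1
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Using 'conf-a' configuration
   Trying 'fdt-a' FDT blob subimage
     Hash algo:    crc32
     Hash algo:    sha1
   Verifying Hash Integrity ... crc32+ sha1+ OK
"""
SIGNED = """\
   Using 'conf-a' configuration
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Trying 'kernel-a' kernel subimage
     Hash algo:    sha1
   Verifying Hash Integrity ... sha1+ OK
"""

NODE = re.compile(r"(?:Using|Trying) '([^']+)'")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.(.*)")

def classify_fit_log(log):
    """Map each configuration/subimage name to what the log shows was checked."""
    results, current = {}, None
    for line in log.splitlines():
        if m := NODE.search(line):
            current = m.group(1)
            results.setdefault(current, "unverified")  # no check seen yet
        elif (m := VERIFY.search(line)) and current:
            rest = m.group(1)
            tokens = [t for t in rest.split() if t[-1] in "+-"]
            if "error" in rest or any(t.endswith("-") for t in tokens):
                results[current] = "failed"
            elif any("," in t for t in tokens):
                results[current] = "signed"      # hash plus public-key signature
            elif tokens:
                results[current] = "hash-only"   # detects corruption, not tampering
    return results

if __name__ == "__main__":
    for name, log in (("hash-only log", HASH_ONLY), ("signed log", SIGNED)):
        print(name, classify_fit_log(log))
```

A configuration that stays "unverified" while its subimages are "hash-only" means the log shows integrity checks only; the hashes live in the same image they describe, so they do not authenticate it.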
