Is the team still active in developing new devices' firmware

Post by ouchyoung » Wed Apr 18, 2018 1:42 am

I just got a Phicomm N1 box. Its hardware is almost identical to the Odroid C2, equipped with an Amlogic S905, 2G RAM, 8G ROM, two USB 2.0 ports, dual-band WiFi, Bluetooth and HDMI. However, the stock firmware is Android and the bootloader is locked. Is there any possibility to crack into the ROM and install ALA on it? Thanks!

BTW, this device is free in China Mainland (full price refund within 3 months, without returning the device), so the device is very popular now.
ouchyoung
 
Posts: 21
Joined: Fri May 10, 2013 5:26 pm

Re: Is the team still active in developing new devices' firm

Post by summers » Wed Apr 18, 2018 8:29 am

For the S905 it is known how to sign files for secure boot:

https://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html

Other than that you'll need to get uboot compiled, and get a working device tree.

These are the hard steps - everything else should be simple ...
summers
 
Posts: 984
Joined: Sat Sep 06, 2014 12:56 pm

Re: Is the team still active in developing new devices' firm

Post by ouchyoung » Thu Apr 19, 2018 3:51 am

Ah... Too complicated for me. So I will just wait for somebody to get the BL2 cracked, or wait for something to leak from the manufacturer...
ouchyoung
 
Posts: 21
Joined: Fri May 10, 2013 5:26 pm

Re: Is the team still active in developing new devices' firm

Post by summers » Thu Apr 19, 2018 9:10 am

To my mind the point of Fred's work is understanding how the ARM secure world boots.

What he tells you is the architecture of secure boot, how it is set up on the S905.

BL1 is in the chip ROM, in other words it's common to all S905 devices and can't be bypassed.

On the device Fred looked at, the standard ARM secure boot was implemented; this is also the case on the Odroid C2. It is probably the case on most S905 devices, they will all go through the various secure levels. I don't know that anyone is trying to reverse engineer the actual code in the secure world; it's a bit like hacking a PC BIOS - yes some people do it, but it isn't mainstream.

What we do need to know though is how the secure world goes into BL33, that is uboot - it's where the usual Linux ARM takes off. Now as it's BL33, it needs to fit into the secure world - but what Fred has learnt is how to sign blobs so that the S905 secure boot recognizes them.

Now there is no guarantee that your device boots the same way, but there is a not unreasonable chance that the Odroid-C2 secure boot blobs would boot as far as uboot for you. The problem starts when uboot is reached, then we get questions like how is your device wired, which pins is the memory on, which pins is the eMMC on, is it 4 or 8 pins for the eMMC.

All this will need setting up, some in uboot (so it boots) and some in the device tree (so that Linux boots). This is where the real work lies. You could try taking the Odroid-C2 blobs and uboot, attach a UART, and see how far it boots. Good chance you'll get into uboot. But without a device tree, Linux is a no go - and I don't know the status of a device tree for your device.

The real question is who is going to do this, it needs someone with hardware, preferably someone with access to the schematics. Someone needs to care enough to do it, and I don't know who that is ...

Oh yes, this is how Odroid-C2 creates the secure set up: https://github.com/TheBlueMatt/u-boot/tree/master/board/hardkernel/odroid-c2
summers
 
Posts: 984
Joined: Sat Sep 06, 2014 12:56 pm
