Skip to content

Samsung S10 TEEGRIS

Samsung S10 TEEGRIS TrustZone OS

Source
- Use Root exploit
- Dump disk with dd
- memory is still mapped to /dev/mem
- Dump memory with viewmem tool
- Dump Fuses by flashing a new kernel that does sets the CLK_SECKEY flag in the CLK_GATE_IP_PERIR register.
- Then the memory can be dumped with viewmem

Reverse-engineering Broadcom wireless chipsets

S-Boot bootloader image layout.

0x00000000: probably EPBL (early primitive bootloader) with some USB support
0x00013C00: ACPM (Access Control and Power Management?)
0x00027800: some PM-related code
0x0004CC00: some tables with PM parameters
... -> either charger mode code or PMIC firmware
0x000A4000: BL2, the actual s-boot
0x0019E000: TEEGRIS SPKG (CSMC)
0x0019E02B: TEEGRIS SPKG ELF start (cut from here to load into the dissasembler). This probably stands for "Crypto SMC" or "Checkpoint SMC". This handles some SMC calls from the bootloader as part of Secure Boot for Linux.
0x001ACE00: TEEGRIS SPKG (FP_CSMC)
0x001ACE2B: TEEGRIS FP_CSMC (ELF header). My guess is that it's related to the Fingerprint sensor because all it does is set some registers in the GPIO block and USI block (whatever it is).
0x00264000: TEEGRIS kernel, relocate to 0xfffffffff0000000 to resolve relocations
0x0029e000: EL1 VBAR for TEEGRIS kernel. fffffffff0041630: syscall table, first entry is zero.
0x002D4000: startup_loader package
0x002D4028: startup_loader ELF start. This one's invoked by S-Boot to read the TEEGRIS kernel either from Linux kernel via shared memory or from the LZ4 archive compiled into S-Boot.

Running Exynos 4210 BootROM in QEMU

qemu-system-arm -machine smdkc210 -cpu cortex-a9 -s -S -bios ./bootrom.bin  -sd ./mmc_boot.img