I'm still in the thick of this, but I wanted to post a little about what I've discovered about the bootloader to the group, in case it gives anyone any ideas.
Here is an outline of what the bootloader does:
error(n) will be shorthand for "flash green LED n times and then start flashing it forever and hang"
code begins at 0x00000000 (flashrom start)
Initialize CPU state (enable MMU, enter supervisor mode)
copy first 0x5000 (20K) of code into external SDRAM, starting at 0xC0005000
jump to 0xC0005000
initialize UART1, set to 152000 8N1
initialize system registers: SYSCON[123], MEMCFG[12], PADDR, PADR, PEDDR, PEDR
initialize beginning of ram (0xC0000000+0x4000) to some bizarro table of unknown purpose :)
Turn on green LED
Reset IDE drive 0, enable read look-ahead (caching)
Read partition table, or error(6)
Check partition table for 0xAA55 magic code, or error(7)
Check partition 1's drive type and make sure it's either 0x1B or <= 0x11 (?), or error(8)
Read partition 1 boot sector, or error(9)
Check bootsector for 0xAA55 magic code, or error(10)
Read in info from bootsector
Find BOOTLOADLOG *
BOOT0:
  Read drive model and serial
  Write "BOOT0-0 OK" to bootloadlog
  Read drive signature from last sector before partition 1 starts
  Log "BOOT0-1 OK" if this succeeds, otherwise write "BOOT0-1 Failed" and error(11)
  Verify drive model and serial against drive signature sector
  Log "BOOT0 Successful" if this succeeds, otherwise write "BOOT0-2 Failed" and jump back to start of BOOT0
BOOT9:
  Verify signature of "rc.sh" against "rc.sig"
  Log "BOOT9 Successful" or "BOOT9-X Failed" and jump back to BOOT0
BOOTB:
  Verify signature of "phatd" against "phatd.sig"
  Log "BOOTB Successful" or "BOOTB-X Failed" and jump back to BOOT0
BOOTF:
  Load "linux" (kernel) into memory at 0xC0038000
  Verify kernel against "linux.sig"
  Log "BOOTF Successful" or "BOOTF-X Failed" and jump back to BOOT0
BOOTF:
  Load "ramdisk" into memory at 0xC0C00000
  Verify ramdisk against "ramdisk.sig"
  Log "BOOT* Successful" or "BOOT*-X Failed" and jump back to BOOT0
Turn off green LED
Clear out memory at 0xC0023000 + 0x4000
Write kernel boot param struct at 0xC0023000
(command line = "init=/bin/bash")
Jump to kernel!
Some key notes:
* I can't figure out where it's putting this BOOTLOADLOG data. It looks like it's looking for a file in the PHTSYS partition called "BOOTLOAD.LOG", or it could be "BOOTLOADLOG" (not sure about the long filename support). I tried making a 0-byte file called BOOTLOAD.LOG, and it didn't do anything ... maybe it has to be a non-zero-byte file (as it's probably not smart enough to allocate space)
* It is using keys pulled from a table of 100 public RSA keys -- the same as in phatd and 51d. I can't figure out which key it's using -- the code that does that looks like it might be intentionally obfuscated.
I think at this point I'm going to start looking through the linux version of plsign to try to gain some insight into the sig file format, so we can figure out what key it uses for what.
Does anything here inspire anyone?
Ben
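Added example (editor's illustration, not Ben's code and not the firmware's): the pre-BOOT0 disk checks from the outline above, written as a small C routine so the error(6) through error(10) decision points can be exercised on a constructed in-memory disk. It assumes the standard MBR layout (first partition entry at byte 446, type byte at entry+4, 32-bit little-endian start LBA at entry+8, 0xAA55 stored as bytes 0x55 0xAA at offsets 510-511), which the post does not spell out, and it reads the partition-type rule literally as "0x1B or <= 0x11". The sector reader is a callback so the logic is independent of the IDE code; the signature stages (BOOT0 onward) are not modelled because the sig file format is still unknown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stage outcomes, numbered after the error(n) LED codes in the outline. */
enum {
    BOOT_OK            = 0,
    ERR_READ_MBR       = 6,   /* could not read the partition table */
    ERR_MBR_MAGIC      = 7,   /* MBR lacks 0xAA55 */
    ERR_PART_TYPE      = 8,   /* partition 1 type is not 0x1B and not <= 0x11 */
    ERR_READ_BOOTSECT  = 9,   /* could not read partition 1's boot sector */
    ERR_BOOTSECT_MAGIC = 10   /* boot sector lacks 0xAA55 */
};

#define SECTOR_SIZE     512
#define PART_TABLE_OFF  446   /* first of the four 16-byte MBR entries (assumed standard layout) */
#define NUM_SECTORS     8     /* size of the constructed in-memory disk */

/* Sector reader abstraction: returns 0 on success, non-zero on I/O failure. */
typedef int (*read_sector_fn)(void *ctx, uint32_t lba, uint8_t out[SECTOR_SIZE]);

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 0xAA55 sits in the last two bytes of the sector, little-endian (0x55, 0xAA). */
static int has_boot_magic(const uint8_t *sec) { return le16(sec + 510) == 0xAA55; }

/* Accept rule exactly as the outline states it: type 0x1B, or anything <= 0x11. */
static int partition_type_accepted(uint8_t type) { return type == 0x1B || type <= 0x11; }

/* Walks the checks before BOOT0; returns BOOT_OK or the error(n) code that would be flashed. */
int locate_boot_partition(read_sector_fn rd, void *ctx, uint32_t *start_lba_out)
{
    uint8_t sec[SECTOR_SIZE];
    if (rd(ctx, 0, sec) != 0)               return ERR_READ_MBR;
    if (!has_boot_magic(sec))               return ERR_MBR_MAGIC;
    const uint8_t *entry = sec + PART_TABLE_OFF;          /* partition 1 */
    if (!partition_type_accepted(entry[4])) return ERR_PART_TYPE;
    uint32_t start_lba = le32(entry + 8);                 /* LBA of the partition's first sector */
    if (rd(ctx, start_lba, sec) != 0)       return ERR_READ_BOOTSECT;
    if (!has_boot_magic(sec))               return ERR_BOOTSECT_MAGIC;
    if (start_lba_out) *start_lba_out = start_lba;
    return BOOT_OK;
}

/* --- constructed in-memory disk used to drive the checks; not a real PhatBox image --- */
typedef struct {
    uint8_t sectors[NUM_SECTORS][SECTOR_SIZE];
    int     failing_lba;   /* -1 = every read succeeds; otherwise this LBA returns an I/O error */
} mem_disk;

static int mem_read(void *ctx, uint32_t lba, uint8_t out[SECTOR_SIZE])
{
    mem_disk *d = ctx;
    if (lba >= NUM_SECTORS || (int)lba == d->failing_lba) return -1;
    memcpy(out, d->sectors[lba], SECTOR_SIZE);
    return 0;
}

/* Builds a disk whose MBR points partition 1 at start_lba with the given type byte. */
static void build_disk(mem_disk *d, uint8_t type, uint32_t start_lba,
                       int mbr_magic, int bootsect_magic, int failing_lba)
{
    memset(d, 0, sizeof *d);
    d->failing_lba = failing_lba;
    uint8_t *entry = d->sectors[0] + PART_TABLE_OFF;
    entry[4]  = type;
    entry[8]  = (uint8_t)(start_lba);
    entry[9]  = (uint8_t)(start_lba >> 8);
    entry[10] = (uint8_t)(start_lba >> 16);
    entry[11] = (uint8_t)(start_lba >> 24);
    if (mbr_magic) { d->sectors[0][510] = 0x55; d->sectors[0][511] = 0xAA; }
    if (bootsect_magic && start_lba < NUM_SECTORS) {
        d->sectors[start_lba][510] = 0x55; d->sectors[start_lba][511] = 0xAA;
    }
}

/* One scenario end to end; returns the stage result so it can be checked. */
int run_case(uint8_t type, uint32_t start_lba, int mbr_magic, int bootsect_magic, int failing_lba)
{
    mem_disk d;
    build_disk(&d, type, start_lba, mbr_magic, bootsect_magic, failing_lba);
    uint32_t found = 0;
    return locate_boot_partition(mem_read, &d, &found);
}

int main(void)
{
    printf("type 0x0B at LBA 3, both magics present: %d\n", run_case(0x0B, 3, 1, 1, -1));
    printf("type 0x83 (rejected by the <= 0x11 / 0x1B rule): %d\n", run_case(0x83, 3, 1, 1, -1));
    printf("MBR without 0xAA55: %d\n", run_case(0x0B, 3, 0, 1, -1));
    printf("MBR read fails: %d\n", run_case(0x0B, 3, 1, 1, 0));
    return 0;
}
```

The point of the type rule is worth keeping in mind when experimenting: 0x12 and 0x83 fall straight into error(8) even with a perfectly good boot sector, while 0x1B and every type up to 0x11 get through to the boot-sector read.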