Security/B2G/Hardware: Difference between revisions

From MozillaWiki
< Security‎ | B2G
Jump to navigation Jump to search
(added Z3C flashing info)
(Orange Klif added)
Line 1: Line 1:
This page documents the hardware that Firefox OS runs on from a security perspective. Here you'll find information regarding the SoC, bootloader access, and other security-relevant bits as they are discovered.
This page documents the hardware that Firefox OS runs on from a security perspective. Here you'll find information regarding the SoC, bootloader access, and other security-relevant bits as they are discovered.


= Z3C =
= Sony Z3C =
{| border="1" cellpadding="2"
{| border="1" cellpadding="2"
|+'''Sony Z3C'''
|+'''Sony Z3C'''
Line 63: Line 63:


The device can be flashed with [http://www.flashtool.net/downloads.php Flashtool]. Stock images are available through [http://forum.xda-developers.com/z3-compact/general/list-stock-firmwares-d5803-d5833-t2906706 xda developers].
The device can be flashed with [http://www.flashtool.net/downloads.php Flashtool]. Stock images are available through [http://forum.xda-developers.com/z3-compact/general/list-stock-firmwares-d5803-d5833-t2906706 xda developers].
= Orange Klif =
{| border="1" cellpadding="2"
|+'''Alcatel OneTouch Fire 2-3.5'''
|-
! Component !! Properties !! Remarks
|-
| Manufacturer
|| Alcatel
||
|-
| Model Number
|| 4022XX
||
|-
| SoC
|| MediaTek MT6572M
||
|-
| GPU
|| Adreno
||
|-
| Mass Storage
|| Internal, Micro SD
||
|-
| Wi-Fi
|| 802.11 b/g/n
||
|-
| Bluetooth
|| 3.0
||
|-
| NFC
|| no
||
|-
| Flash Mode
|| automatic
|| ~500ms after power-on
|-
| Fastboot
|| yes
|| read only, see description
|-
| Debug Ports
|| 7-pin header next to the SIM socket
|| unknown purpose (JTAG?)
|}
== Bootloader ==
Right after SoC power-up, there is a serial boot ROM listening on the USB port, repeatedly sending the string '''READY''' until it timeouts. If you want to interact with the boot ROM, you need to complete a handshake, else it will continue with the regular boot sequence. It communicates through a variant of the [http://bb.osmocom.org/trac/wiki/MTKRomloader#no1 MTK Romloader Potocol].
There is a software called [http://androidxda.com/smart-phone-flash-tool SP Flash Tool] that can interact with MediaTek boot ROMs to dump, flash and test compatible devices given that you provide it a valid ''"scatter"'' config file. Please note that there are dozens of versions of SP Flash Tool around which may or may not be compatible.
== Fastboot ==
Fastboot is available and active, but doesn't allow flash writing. However, flash partitions and other device info can be listed. We have access to a developer device on which fastboot mode can be entered by the following tricky sequence:
# Disconnect USB
# Remove battery
# Insert battery
# Attach back cover for button operation
# Hold PWR+DOWN
# Keep holding while the boot logo shows
# Wait until the screen goes black again (reboot cycle)
# Keep holding PWR+DOWN for two or three more seconds
# Release buttons
# Press UP
# If screen not showing ''FASTBOOT mode...'', goto 5
After step 9, the device is sitting in its boot menu on a random entry, waiting for button input. Unfortunately, the screen is turned off, so you can't see what's going on.
The boot menu contains three entries:
# Recovery
# Fastboot
# Normal
Contrary to what the boot menu says, DOWN cycles through the menu, and UP boots the selected mode.
== Recovery mode ==
Our developer device has a recovery mode that can be activated by the following steps:
# Disconnect USB cable
# Remove battery
# Insert battery
# Attach back cover for button operation
# Hold PWR + UP until boot logo shows
# Release buttons
== Factory mode ==
Our developer device has a factory mode that can be activated by the following steps:
# Disconnect USB cable
# Remove battery
# Insert battery
# Attach back cover for button operation
# Hold PWR + DOWN until boot logo shows
# Release buttons
== Datasheets ==
* [https://code.google.com/p/ptmtk/source/browse/trunk/mtk_datasheet/MT6253GSMGPRSBasebandProcessorDataSheetv0.99SP1-1.pdf MT6253 Baseband Processor Datasheet] (predecessor)

Revision as of 10:22, 6 October 2015

This page documents the hardware that Firefox OS runs on from a security perspective. Here you'll find information regarding the SoC, bootloader access, and other security-relevant bits as they are discovered.

Sony Z3C

Sony Z3C
Component Properties Remarks
Manufacturer Sony
Model Number D5803 or D5833
SoC Qualcomm MSM8974AC
GPU Adreno 330
Mass Storage Internal, Micro SD
Wi-Fi 802.11 a/b/g/n/ac
Bluetooth 4.0
NFC yes
Flash Mode Power + Down
Fastboot Power + up locked, unlockable on eligible devices
Debug Ports unknown require opening the case

Service Menu

A service menu can be accessed through the stock Android firmware by dialing *#*#7378423#*#* (*#*#SERVICE#*#*). Service Info / Configuration will tell you if unlocking the bootloader is allowed.

Bootloader Access

The Fastboot is locked when it comes from the factory, but elegible devices can be unlocked on Sony's Bootloader Unlock Page. The website requires a valid e-mail address and the device's IMEI (accessible on the box or by dialing *#06#). Once unlocked, fastboot has full write access.

Flashing

The device can be flashed with Flashtool. Stock images are available through xda developers.

Orange Klif

Alcatel OneTouch Fire 2-3.5
Component Properties Remarks
Manufacturer Alcatel
Model Number 4022XX
SoC MediaTek MT6572M
GPU Adreno
Mass Storage Internal, Micro SD
Wi-Fi 802.11 b/g/n
Bluetooth 3.0
NFC no
Flash Mode automatic ~500ms after power-on
Fastboot yes read only, see description
Debug Ports 7-pin header next to the SIM socket unknown purpose (JTAG?)

Bootloader

Right after SoC power-up, there is a serial boot ROM listening on the USB port, repeatedly sending the string READY until it timeouts. If you want to interact with the boot ROM, you need to complete a handshake, else it will continue with the regular boot sequence. It communicates through a variant of the MTK Romloader Potocol.

There is a software called SP Flash Tool that can interact with MediaTek boot ROMs to dump, flash and test compatible devices given that you provide it a valid "scatter" config file. Please note that there are dozens of versions of SP Flash Tool around which may or may not be compatible.

Fastboot

Fastboot is available and active, but doesn't allow flash writing. However, flash partitions and other device info can be listed. We have access to a developer device on which fastboot mode can be entered by the following tricky sequence:

  1. Disconnect USB
  2. Remove battery
  3. Insert battery
  4. Attach back cover for button operation
  5. Hold PWR+DOWN
  6. Keep holding while the boot logo shows
  7. Wait until the screen goes black again (reboot cycle)
  8. Keep holding PWR+DOWN for two or three more seconds
  9. Release buttons
  10. Press UP
  11. If screen not showing FASTBOOT mode..., goto 5

After step 9, the device is sitting in its boot menu on a random entry, waiting for button input. Unfortunately, the screen is turned off, so you can't see what's going on.

The boot menu contains three entries:

  1. Recovery
  2. Fastboot
  3. Normal

Contrary to what the boot menu says, DOWN cycles through the menu, and UP boots the selected mode.

Recovery mode

Our developer device has a recovery mode that can be activated by the following steps:

  1. Disconnect USB cable
  2. Remove battery
  3. Insert battery
  4. Attach back cover for button operation
  5. Hold PWR + UP until boot logo shows
  6. Release buttons

Factory mode

Our developer device has a factory mode that can be activated by the following steps:

  1. Disconnect USB cable
  2. Remove battery
  3. Insert battery
  4. Attach back cover for button operation
  5. Hold PWR + DOWN until boot logo shows
  6. Release buttons

Datasheets

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/B2G/Hardware&oldid=1099347"