Security/B2G/Hardware

From MozillaWiki

This page documents the hardware that Firefox OS runs on from a security perspective. Here you'll find information regarding SoC, bootloader access, and other security-relevant bits as they are discovered.

Sony Xperia Z3C

Sony Xperia Z3C

Component     | Properties                                   | Remarks
Manufacturer  | Sony                                         |
Model Number  | D5803 or D5833                               |
SoC           | Qualcomm MSM8974AC                           |
GPU           | Adreno 330                                   |
Mass Storage  | Internal, Micro SD                           |
Wi-Fi         | 802.11 a/b/g/n/ac                            |
Bluetooth     | 4.0                                          |
NFC           | yes                                          |
Flash Mode    | Power down, then plug USB while holding down |
Fastboot      | Power down, then plug USB while holding up   | locked, unlockable on eligible devices
Debug Ports   | unknown                                      | requires opening the case
RIL           | Qualcomm RIL 1.0                             |

Service Menu

A service menu can be accessed through the stock Android firmware by dialing *#*#7378423#*#* (*#*#SERVICE#*#*). Service Info / Configuration will tell you if unlocking the bootloader is allowed.

Bootloader Access

Fastboot is locked when the device comes from the factory, but eligible devices can be unlocked on Sony's Bootloader Unlock Page. The website requires a valid e-mail address and the device's IMEI (printed on the box, or shown by dialing *#06#). Once unlocked, fastboot has full write access.

Flashing

The device can be flashed with Flashtool through flash mode (or through fastboot, when unlocked). Stock images are available through xda developers.

Orange Klif

Alcatel OneTouch Fire 2-3.5

Component     | Properties                          | Remarks
Manufacturer  | Alcatel                             |
Model Number  | 4022XX                              |
SoC           | MediaTek MT6572M                    |
GPU           | Adreno                              |
Mass Storage  | Internal, Micro SD                  |
Wi-Fi         | 802.11 b/g/n                        |
Bluetooth     | 3.0                                 |
NFC           | no                                  |
Flash Mode    | automatic                           | ~500ms after power-on
Fastboot      | yes                                 | read only, see description
Debug Ports   | 7-pin header next to the SIM socket | unknown purpose (JTAG?)
RIL           | mtk gemini ril 1.0                  |

Bootloader

Right after SoC power-up, a serial boot ROM listens on the USB port, repeatedly sending the string READY until it times out. To interact with the boot ROM you must complete a handshake before that timeout; otherwise it continues with the regular boot sequence. It communicates through a variant of the MTK Romloader Protocol.

A tool called SP Flash Tool can interact with MediaTek boot ROMs to dump, flash and test compatible devices, provided you supply it with a valid "scatter" config file. Note that dozens of versions of SP Flash Tool circulate, which may or may not be compatible.
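As an added example that is not part of the wiki page, here is a two-sided Python model of the boot ROM handshake just described: the ROM side emits READY a few times and then falls through to normal boot, and the host side must answer in time. The four handshake bytes (0xA0, 0x0A, 0x50, 0x05, each acknowledged with its bitwise complement) are the publicly documented MediaTek boot ROM sequence and are not stated on this page; the READY repeat count is an assumption.

```python
# Added example (not from the wiki page): both sides of the MediaTek boot ROM
# handshake. Byte values are the publicly documented MTK sequence; the number
# of READY repeats before the ROM gives up is an assumption.
HANDSHAKE = (0xA0, 0x0A, 0x50, 0x05)   # ROM acknowledges each byte with ~byte


class FakeBootRom:
    """Constructed ROM: sends READY until it gives up, checks handshake order."""

    def __init__(self, ready_repeats: int = 3):
        self.ready_left = ready_repeats
        self.step = 0
        self.state = "rom"              # -> "handshaked" or "normal_boot"

    def poll(self) -> bytes:
        """What the ROM puts on the wire while the host only listens."""
        if self.state != "rom":
            return b""
        if self.ready_left == 0:        # timed out: continue the regular boot
            self.state = "normal_boot"
            return b""
        self.ready_left -= 1
        return b"READY"

    def write(self, byte: int) -> bytes:
        """Host sent one byte; reply with its complement if it is the expected one."""
        if self.state != "rom":
            return b""
        if byte != HANDSHAKE[self.step]:
            self.step = 0               # out-of-order byte restarts the sequence
            return b""
        self.step += 1
        if self.step == len(HANDSHAKE):
            self.state = "handshaked"
        return bytes([~byte & 0xFF])


def brom_handshake(rom: FakeBootRom, wait_polls: int = 0, max_polls: int = 10) -> bool:
    """Host side: wait for READY (ignoring the first wait_polls of them, to model a
    slow host), then send the four handshake bytes. True only if the ROM accepted."""
    seen = 0
    for _ in range(max_polls):
        if rom.poll() == b"READY":
            seen += 1
            if seen > wait_polls:
                break
    else:
        return False                    # ROM stopped talking: it is booting normally
    return all(rom.write(b) == bytes([~b & 0xFF]) for b in HANDSHAKE)
```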

Fastboot

Fastboot is available and active, but doesn't allow flash writing. However, flash partitions and other device info can be listed. We have access to a developer device on which fastboot mode can be entered by the following tricky sequence:

  1. Disconnect USB
  2. Remove battery
  3. Insert battery
  4. Attach back cover for button operation
  5. Hold PWR+DOWN
  6. Keep holding while the boot logo shows
  7. Wait until the screen goes black again (reboot cycle)
  8. Keep holding PWR+DOWN for two or three more seconds
  9. Release buttons
  10. Press UP
  11. If the screen does not show FASTBOOT mode..., go back to step 5

After step 9, the device is sitting in its boot menu on a random entry, waiting for button input. Unfortunately, the screen is turned off, so you can't see what's going on.

The boot menu contains three entries:

  1. Recovery
  2. Fastboot
  3. Normal

Contrary to what the boot menu says, DOWN cycles through the menu, and UP boots the selected mode.

Recovery mode

Our developer device has a recovery mode that can be activated by the following steps:

  1. Disconnect USB cable
  2. Remove battery
  3. Insert battery
  4. Attach back cover for button operation
  5. Hold PWR + UP until boot logo shows
  6. Release buttons

Factory mode

Our developer device has a factory mode that can be activated by the following steps:

  1. Disconnect USB cable
  2. Remove battery
  3. Insert battery
  4. Attach back cover for button operation
  5. Hold PWR + DOWN until boot logo shows
  6. Release buttons

Documentation

Flame

Alcatel Flame

Component     | Properties                       | Remarks
Manufacturer  | Alcatel                          |
Model Number  | Flame                            |
SoC           | Qualcomm MSM8210                 |
GPU           | Adreno 302                       |
Mass Storage  | Internal, Micro SD               |
Wi-Fi         | 802.11 b/g/n                     |
Bluetooth     | 3.0                              |
NFC           | yes                              |
Flash Mode    | yes                              | requires special USB cable
Fastboot      | Power + down                     | full access
Debug Ports   | 6-pin header next to the battery | unknown purpose (JTAG?)
RIL           | Qualcomm RIL 1.0                 |

Fastboot

Fastboot access is unusually complete on the Flame. It even allows setting the amount of available memory for emulating memory restrictions.
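What separates the Klif's read-only fastboot from the Flame's full access is which commands the bootloader answers with OKAY rather than FAIL. The following Python model is an added example, not code from the wiki page or from any of these devices: it implements the host side of fastboot's wire framing (a 4-byte OKAY/FAIL/DATA/INFO prefix, responses of at most 64 bytes) and runs it against a constructed fake device whose lock state decides the answer; the partition sizes and FAIL texts are made up for illustration.

```python
# Added example, not from the wiki page: fastboot wire framing parsed on the
# host side, exercised against a constructed fake device. Partition sizes and
# FAIL texts are invented for illustration.
from dataclasses import dataclass, field

MAX_RESPONSE = 64                      # prefix plus payload, per the protocol
PREFIXES = (b"OKAY", b"FAIL", b"DATA", b"INFO")


@dataclass
class FakeDevice:
    """Constructed bootloader: answers getvar, refuses writes while locked."""
    unlocked: bool = False
    partitions: dict = field(
        default_factory=lambda: {"boot": 16 << 20, "system": 512 << 20})

    def handle(self, cmd: bytes) -> list:
        if cmd == b"getvar:unlocked":
            return [b"OKAY" + (b"yes" if self.unlocked else b"no")]
        if cmd == b"getvar:all":          # INFO lines first, then the final OKAY
            return [b"INFOpartition-size:%s: 0x%x" % (n.encode(), s)
                    for n, s in self.partitions.items()] + [b"OKAY"]
        if cmd.startswith(b"download:"):  # host announces a payload size (hex)
            if not self.unlocked:
                return [b"FAILdownload not allowed in locked state"]
            return [b"DATA" + cmd.split(b":", 1)[1]]
        if cmd.startswith(b"flash:"):
            if not self.unlocked:
                return [b"FAILflashing not allowed in locked state"]
            return [b"OKAY"]
        return [b"FAILunknown command"]


def parse_response(raw: bytes):
    """Split one response into (prefix, payload), rejecting malformed framing."""
    if len(raw) > MAX_RESPONSE or raw[:4] not in PREFIXES:
        raise ValueError("malformed fastboot response: %r" % raw)
    return raw[:4], raw[4:]


def run_command(dev: FakeDevice, cmd: bytes):
    """Send one command; gather INFO lines; return (status, payload, info)."""
    info = []
    for raw in dev.handle(cmd):
        prefix, payload = parse_response(raw)
        if prefix == b"INFO":
            info.append(payload.decode())
            continue
        return prefix.decode(), payload.decode(), info
    raise ValueError("no terminating OKAY/FAIL/DATA response")
```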

Flash Mode

The Flame has a special emergency download mode that allows flashing even when its flash content has been corrupted. It requires the special USB recovery cable that is unfortunately packaged only with some Flames, and a proprietary Emergency Download Tool. The tool uploads and executes an in-memory stub that implements the fastboot protocol.

Recovery Cable

The recovery cable physically resembles a regular Type A to Micro-B USB cable, but with two modifications to the Micro-B connector:

  • Pin 4 (ID) is grounded to pin 5, turning it electrically into a Micro-A connector.
  • Pin 3 (D+) is pulled low to pin 5 by a 30 MΩ resistor.

Documentation