[OpenWrt-Devel] GPL Violation to chase + Engenius/Senao firmware non-update

Chuanhong Guo gch981213 at gmail.com
Mon Aug 20 11:34:33 EDT 2018


A small correction: IPQ40xx is made by Qualcomm, not Broadcom, and that
feature is called QSEE instead. :)
If my memory is right, Qualcomm verifies SBL (SBL is a binary provided
by Qualcomm to bootstrap some basic modules like the RAM controller and
load U-boot) in their bootrom before the bootrom starts SBL; SBL will then
verify U-boot and refuse to boot if U-boot doesn't pass the signature
check. As for how U-boot verifies firmware, this depends on the
implementation of the manufacturer. Since the RSA pubkey is burnt into
the SoC instead of an external flash, this guarantees that no one can
replace the U-boot with an unsigned one.

(I agree that this is an unrelated topic here and I'll just stop
further discussion about this.)
Michael Holstein <moholstein at gmail.com> wrote on Mon, 20 Aug 2018 at 11:08 PM:
>
> that feature is called TXE (it's also in the Pi's Broadcom SoC) and it
> doesn't "prevent", it "complicates", particularly in this
> implementation.
> You're correct on your GPL comment. But they did it before and didn't
> release source either, so whoever has ownership should at least ask
> them pretty-please.
>
> There's a workaround to this little problem (wearing the work hat, I'd
> call that a decent security problem in how TXE and uBoot interact in
> Broadcom's implementation), this being another discussion, and
> unrelated.
>
> -Michael.
>
> On Mon, Aug 20, 2018 at 10:26 AM, Chuanhong Guo <gch981213 at gmail.com> wrote:
> > GPL doesn't prevent the manufacturer from blocking third-party
> > firmware from being installed on their router.
> > They just need to provide GPL code for their firmware (and they don't
> > need to explicitly submit their device support to the OpenWrt project.)
> > BTW: It seems that the bootrom of Qualcomm IPQ40xx comes from other
> > Qualcomm Android chips and contains some security features that
> > prevent unauthorized firmware from being installed on their router. An
> > RSA pubkey can be burnt into the SoC and the SoC bootrom will verify contents
> > on flash before booting it. If this feature is used by the
> > manufacturer it will be impossible to flash any third-party firmware on
> > this router.
> > Michael Holstein <moholstein at gmail.com> wrote on Mon, 20 Aug 2018 at 9:41 PM:
> >>
> >> I was finally frustrated at these Engenius/Senao units and found the
> >> serial port and got into uBoot and looked at the image .. it's yours
> >> .. but oddly, you don't support it at all.
> >>
> >> Well gee, that's curious, it seems somebody's breaking the rules, and
> >> it isn't you.
> >>
> >> I'd nastygram Engenius and make them post the GPL contrib so you have
> >> the BLOB for the Broadcom IPQ4019 that's in there. This is the
> >> EAP1250/1300 (identical except for where the RJ45 port is) .. there are
> >> 100 others that use this board (I ran the board ID through the FCC API
> >> if you want all the makes/models).
> >>
> >> Here's your goods let me know if you want anything else .. I'm going
> >> to build the image for it and flash but since they broke the rules to
> >> begin with I'm dumping the flash and using the FDT to help modernize.
> >>
> >> These are cool because they are dual radio soft APs that are PoE and
> >> AC wave 2. A 3 pack is $160 on Amazon. With OpenWISP you can do most
> >> anything shy of a college campus
> >>
> >> anywho .. here's all the proof you need. They didn't even bother to
> >> change the name.
> >>
> >> I'm not a contributor, I just do lots of embedded work and this made me
> >> mad. Note that you've already noticed this on the Engenius 300
> >> (the wiki points out the factory firmware is OpenWrt).
> >>
> >> Company contact/owner is easiest found via their FCC filings : most
> >> recent one from
> >> company president
> >>
> >> https://fccid.io/A8J-EAP1300/Letter/Confidentiality-Request-3409208
> >>
> >> Cheers,
> >>
> >> -Michael.
> >>
> >> PS: It looks like they locked the UART from which I obtained this in
> >> u-boot from allowing interrupt, so I'm going to poke about and find out
> >> how to get in there. I know this can be done but it's the first I've seen
> >> it done .. The uBoot is reworked from Senao, per the version string.
> >>
> >> Anyone have a clever tip on that work-around? .. If I can get console
> >> at u-Boot I can skip a couple steps.
> >>
> >> ---snip---.
> >>
> >> bootm 0x84000000#config@4
> >>
> >> ## Booting kernel from FIT Image at 84000000 ...
> >>    Using 'config@4' configuration
> >>    Trying 'kernel@1' kernel subimage
> >>      Description:  ARM OpenWrt Linux-3.14.43 <<<<<<<< LOL OKAY COUGH IT UP
> >>      Type:         Kernel Image
> >>      Compression:  gzip compressed
> >>      Data Start:   0x840000e4
> >>      Data Size:    3180186 Bytes = 3 MiB
> >>      Architecture: ARM
> >>      OS:           Linux
> >>      Load Address: 0x80208000
> >>      Entry Point:  0x80208000
> >>      Hash algo:    crc32
> >>      Hash value:   34c16a99
> >>      Hash algo:    sha1
> >>      Hash value:   620a666c88729f60ee5b3f90fa261ed2bb3de6cb
> >>    Verifying Hash Integrity ... crc32+ sha1+ OK
> >>
> >> ## Flattened Device Tree from FIT Image at 84000000
> >>    Using 'config@4' configuration
> >>    Trying 'fdt@4' FDT blob subimage
> >>      Description:  ARM OpenWrt qcom-ipq40xx-ap.dkxx device tree blob
> >>      Type:         Flat Device Tree
> >>      Compression:  uncompressed
> >>      Data Start:   0x84325520
> >>      Data Size:    33495 Bytes = 32.7 KiB
> >>      Architecture: ARM
> >>      Hash algo:    crc32
> >>      Hash value:   19be728a
> >>      Hash algo:    sha1
> >>      Hash value:   633f6dbf948179ecf1f72f737981d2b38fabe6ee
> >>    Verifying Hash Integrity ... crc32+ sha1+ OK
> >>    Booting using the fdt blob at 0x84325520
> >>    Uncompressing Kernel Image ... OK
> >>
> >>    Loading Device Tree to 86ff4000, end 86fff2d6 ...
> >>
> >> And guilty party :
> >>
> >> Linux version 3.14.43 (root at liwei) (gcc version 4.8.3 20140106
> >> (prerelease) (Linaro GCC 4.8-2014.01) ) #1 SMP PREEMPT Tue Jan 30
> >> 18:20:10 CST 2018
> >>
> >> [    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
> >>
> >> [    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing
> >> instruction cache
> >>
> >> [    0.000000] Machine model: Qualcomm Technologies, Inc. IPQ40xx/EAP1250
> >>

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
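The quoted U-Boot log verifies each FIT subimage with crc32 and sha1 ("crc32+ sha1+ OK"), while the chain of trust described at the top of the thread relies on a pubkey burnt into the SoC. The following toy model is an added example, not code from the thread or from OpenWrt/U-Boot, and it shows the difference: hash nodes catch corruption but are recomputed by anyone who rebuilds the image, whereas a key-backed signature is what actually ties the image to the vendor. It assumes an HMAC with a constructed key as a stand-in for the RSA signature, since the standard library has no RSA.

```python
import hashlib
import hmac
import zlib

# Constructed stand-ins for subimage payloads (the real kernel is ~3 MiB of gzip data).
ORIGINAL_KERNEL = b"ARM OpenWrt Linux-3.14.43 kernel (constructed stand-in)"
MODIFIED_KERNEL = b"third-party kernel (constructed stand-in)"

# Constructed secret standing in for the vendor's RSA key whose public half sits in the SoC.
VENDOR_KEY = b"vendor-signing-key (constructed, stands in for the SoC-burnt RSA pubkey)"


def fit_hashes(data):
    """What the FIT 'hash' nodes store for a subimage: crc32 and sha1 of its bytes."""
    return {"crc32": zlib.crc32(data) & 0xFFFFFFFF, "sha1": hashlib.sha1(data).hexdigest()}


def verify_hash_integrity(data, stored):
    """Mirrors U-Boot's 'Verifying Hash Integrity ... crc32+ sha1+ OK' step."""
    actual = fit_hashes(data)
    return all(actual[algo] == value for algo, value in stored.items())


def sign(data, key):
    """Stand-in for an RSA signature over the subimage (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_signature(data, sig, key):
    return hmac.compare_digest(sign(data, key), sig)


def build_fit(kernel, key):
    """Anyone who rebuilds the image also recomputes its hash nodes; only the key differs."""
    return {"kernel": kernel, "hash": fit_hashes(kernel), "sig": sign(kernel, key)}


def boot_hash_only(fit):
    return verify_hash_integrity(fit["kernel"], fit["hash"])


def boot_signed(fit, trusted_key):
    return boot_hash_only(fit) and verify_signature(fit["kernel"], fit["sig"], trusted_key)


def demo():
    vendor_fit = build_fit(ORIGINAL_KERNEL, VENDOR_KEY)
    rebuilt_fit = build_fit(MODIFIED_KERNEL, b"some other key")          # hashes recomputed
    corrupted = dict(vendor_fit, kernel=vendor_fit["kernel"][:-1] + b"?")  # single-byte flash error
    return {
        "vendor_hash_only": boot_hash_only(vendor_fit),        # True
        "corrupted_hash_only": boot_hash_only(corrupted),      # False: hashes catch corruption
        "rebuilt_hash_only": boot_hash_only(rebuilt_fit),      # True: hashes alone prove nothing
        "rebuilt_signed": boot_signed(rebuilt_fit, VENDOR_KEY),  # False: key check rejects it
        "vendor_signed": boot_signed(vendor_fit, VENDOR_KEY),    # True
    }
```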
