Analyzing the Qualcomm MSM 8974 bootrom.
The bootrom is 192k byte in size. It has bootcode for the three main subsystems of the 8974:
- the modem - qdsp4 / hexagon code
- RPM - the power manager - ARM code
- The Application cpu - ARM code
All devices I have inspected have the same bootrom. But a facitlity exists to apply patches to the bootrom via the use of special fuses.
Unfortunately the fuses in my device are configured in a way that the ‘patch’ area is not readable.
memory layout
f8002000 - app bootrom struct
fc000000-fc002c28 - RPM bootrom
fc004000-fc010000 - Modem bootrom
fc010000-fc02f800 - APP bootrom
fc02f800-fc02fa08 - RPM bootrom part2
fc100080 - bootrom error stack
There is a event log buffer at 0xFC102144
, and a fatal error buffer at 0xFC102084
which can be interrogated using the sahara protocol.
call tree
clear_bufs
apps_pbl_mc_run_init1+8
seg010:off_FC010AEC [ data for APPS_reset_entry_point ]
APPS_reset_entry_point+F0
j_APPS_reset_entry_point
init_tlb [ adding subpage ]
sub_FC020D90 [ set VBAR ]
apps_pbl_flash_init_sahara_bootloader
init0[4]
apps_pbl_mc_run_init0+30
fatal_error2+bc
init1[7]
apps_pbl_mc_run_init1+20
certificates
list of trusted roots:
CC3153A80293939B90D02D3BF8B23E0292E452FEF662C74998421ADAD42A380F
0AF165B16752D3F9F751606F6D6D0D43043B8A25B25B977911089CDFCFC37005
CB4EFE595E4903B4929F221A5DBB3AD6AFF2AF4F370027A0D666F1BD0433AF2E
C291795806E362C3A3816F7C011EE1FDE07206FA38AB1ACF6DC26408525BB235
0CD8A0A587632F7F2EB2835A9125780A21BFA069C496B9017C7DA4EE2A97C380
0F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
67FC423CD9599E909BA9E7CA0B77AFE2682A94796697DC8C9B407A341E36EF1C
A298D1DD4E14A40FAB85653BFC2770DEB9F41B605456C298AF2324F4803EB91D
E604F8E7E1CA5492734DD84A965FE2141F7EDB09FEED5385FB11406BF4940211
AE9E52B186913CF1F19198620697C7774E0C9E1E5EA7B9C98A261186E73E437C
9985AA32F4B114C2733DB4BAD4B1E0283E92A21D06D5D665EA1D5260BA311634
563D9CC7748BC24709AF9D2C8E49489AE749F6FBBC0FA92F10A20C3551B04D20
And a sha1 of a qualcomm CA:
AEBE6BF063261DBC7A387D8C3A1CE2395EE0CE1A
I know only the first of that certificate list. BTW, I wonder what will happen 4 years from now, when this expires.
-----BEGIN CERTIFICATE-----
MIIDljCCAn6gAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU2FuIERpZWdvMRowGAYDVQQL
ExFDRE1BIFRlY2hub2xvZ2llczERMA8GA1UEChMIUVVBTENPTU0xFjAUBgNVBAMT
DVFDVCBSb290IENBIDEwHhcNMDQwNTE5MTgzMDQ0WhcNMjQwODE5MTgzMDQ0WjB9
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU2Fu
IERpZWdvMRowGAYDVQQLExFDRE1BIFRlY2hub2xvZ2llczERMA8GA1UEChMIUVVB
TENPTU0xFjAUBgNVBAMTDVFDVCBSb290IENBIDEwggEgMA0GCSqGSIb3DQEBAQUA
A4IBDQAwggEIAoIBAQCxG8VDbYwM8m5opIkMPQuhZKleBFeegbwM1o/Kaf/Aj1V0
q25rUg/aoGG5TxpGTGmJ8qfQMD9vFj23F+KreJHNRPotXHcy+ZjU4F6pZBgP/FOh
+qqnX6NODEm5DWJI1vxDnOiXn3lYcpKz2yAxGeguutNLDzlf4NNlgr4m5r/+t63I
yvucOBFhCPQXgRnjOzGp8a68fhQ6+Zv+NhEx3XfxByWbuYJPDP+uZXSK0o/i9G3y
BOM2QUAj4hNu5PGwaVEUKhh7jUSpGPl1lYiyYeBZxAko6Tz1UQ4gzkXzxX0fJEuC
5GYyd28HzRJzAPXyJVyMy/AH5PaN3NsFn1HIjoDNAgEDoyMwITAPBgNVHRMBAf8E
BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAdqZG5vOO
jGsW2sM5Q4MK314dHYp64BMHPi1sJlFH4gIuLg6jqIcw9fIgr+FiSJRkNyX2Z4Zi
v48VhDh91+4K1mEENjVA9QJkJlrpwoUIpmsG+Y/pq4GHc0MNJOvC2x6O6Hachpch
B5cgG/DaspLE/zeYvwB5pAMtHD/z5phLLmzz2PwETNgq/TGV9kA+Dgz1iZ5xs68I
UQR5wiUxMIKd2YWgxUYIeLGwvxkW254bEhegr4w/mVfhMpSLavfEnDo+BegM5F5s
wQJZeKxRWyAam22W4GEazCwcRTnht1R1K6kA/Qaf/253bg3J015jV1mX1roSphWM
oPMttea9VyIzjQ==
-----END CERTIFICATE-----
decoded with openssl:
Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=San Diego, OU=CDMA Technologies, O=QUALCOMM, CN=QCT Root CA 1 Validity Not Before: May 19 18:30:44 2004 GMT Not After : Aug 19 18:30:44 2024 GMT Subject: C=US, ST=California, L=San Diego, OU=CDMA Technologies, O=QUALCOMM, CN=QCT Root CA 1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b1:1b:c5:43:6d:8c:0c:f2:6e:68:a4:89:0c:3d: 0b:a1:64:a9:5e:04:57:9e:81:bc:0c:d6:8f:ca:69: ff:c0:8f:55:74🆎6e:6b:52:0f:da:a0:61:b9:4f: 1a:46:4c:69:89:f2:a7:d0:30:3f:6f:16:3d:b7:17: e2🆎78:91:cd:44:fa:2d:5c:77:32:f9:98:d4:e0: 5e:a9:64:18:0f:fc:53:a1:fa:aa:a7:5f:a3:4e:0c: 49:b9:0d:62:48:d6:fc:43:9c:e8:97:9f:79:58:72: 92:b3:db:20:31:19:e8:2e:ba:d3:4b:0f:39:5f:e0: d3:65:82:be:26:e6:bf:fe:b7:ad:c8:ca:fb:9c:38: 11:61:08:f4:17:81:19:e3:3b:31:a9:f1:ae:bc:7e: 14:3a:f9:9b:fe:36:11:31:dd:77:f1:07:25:9b:b9: 82:4f:0c:ff:ae:65:74:8a:d2:8f:e2:f4:6d:f2:04: e3:36:41:40:23:e2:13:6e:e4:f1:b0:69:51:14:2a: 18:7b:8d:44:a9:18:f9:75:95:88:b2:61:e0:59:c4: 09:28:e9:3c:f5:51:0e:20:ce:45:f3:c5:7d:1f:24: 4b:82:e4:66:32:77:6f:07:cd:12:73:00:f5:f2:25: 5c:8c:cb:f0:07:e4:f6:8d:dc:db:05:9f:51:c8:8e: 80:cd Exponent: 3 (0x3) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption 76:a6:46:e6:f3:8e:8c:6b:16:da:c3:39:43:83:0a:df:5e:1d: 1d:8a:7a:e0:13:07:3e:2d:6c:26:51:47:e2:02:2e:2e:0e:a3: a8:87:30:f5:f2:20:af:e1:62:48:94:64:37:25:f6:67:86:62: bf:8f:15:84:38:7d:d7:ee:0a:d6:61:04:36:35:40:f5:02:64: 26:5a:e9:c2:85:08:a6:6b:06:f9:8f:e9:ab:81:87:73:43:0d: 24:eb:c2:db:1e:8e:e8:76:9c:86:97:21:07:97:20:1b:f0:da: b2:92:c4:ff:37:98:bf:00:79:a4:03:2d:1c:3f:f3:e6:98:4b: 2e:6c:f3:d8:fc:04:4c:d8:2a:fd:31:95:f6:40:3e:0e:0c:f5: 89:9e:71:b3:af:08:51:04:79:c2:25:31:30:82:9d:d9:85:a0: c5:46:08:78:b1:b0:bf:19:16:db:9e:1b:12:17:a0:af:8c:3f: 99:57:e1:32:94:8b:6a:f7:c4:9c:3a:3e:05:e8:0c:e4:5e:6c: c1:02:59:78:ac:51:5b:20:1a:9b:6d:96:e0:61:1a:cc:2c:1c: 45:39:e1:b7:54:75:2b:a9:00:fd:06:9f:ff:6e:77:6e:0d:c9: d3:5e:63:57:59:97:d6:ba:12:a6:15:8c:a0:f3:2d:b5:e6:bd: 57:22:33:8d