08-19-2024, 02:54 PM | #1 |
Evangelist
Posts: 479
Karma: 2390534
Join Date: Jun 2020
Location: Somewhere in the Universe
Device: Kobo Libra, Glo HD, Touch C/B, Mini, Glo, Aura SE, Clara HD, KT
|
Kobo Libra Colour is using Secure Boot
I guess this was bound to happen some day... but is also extremely contradictory with Kobo's "Right to repair" philosophy that honestly just seems like the dumbest thing ever said, at least considering what I have discovered.
Code:
## Checking Image at 41000000 ... FIT image found FIT description: U-Boot fitImage for Poky (Yocto Project Reference Distro)/4.9/aud8113tp1 Image 0 (kernel@1) Description: Linux kernel Type: Kernel Image Compression: uncompressed Data Start: 0x410000fc Data Size: 14675968 Bytes = 14 MiB Architecture: ARM OS: Linux Load Address: 0x40008000 Entry Point: 0x40008000 Hash algo: sha256 Hash value: 2bae18998544ca39a2cbfe1bcc1a4408ba876db3b470a98689503fee7795d447 Image 1 (fdt@1) Description: aud8113tp1-E70T00-A0x00.dtb Type: Flat Device Tree Compression: uncompressed Data Start: 0x41dff224 Data Size: 47831 Bytes = 46.7 KiB Architecture: ARM Load Address: 0x44000000 Hash algo: sha256 Hash value: 7db67257f744a64c42f62fe0e7ef343e1ea5ec0e00a6e1726b78f15075a3bab5 Default Configuration: 'conf@1' Configuration 0 (conf@1) Description: Boot Linux kernel with FDT blob Kernel: kernel@1 FDT: fdt@1 Sign algo: sha256,rsa2048:dev Sign value: b8f687f70f33eb5597a3ac8d1e4e754d6287ad77a9cfd5dd9082c92ff198e1fd277464ab0141a71fe451fd66fe3780a67efdd0d3d7e77b6fa681ead844e46d10283499f5303c6c312dbca66fe76163f5cf57135b3667c17c80c8301afe40d3289e8272612a8da57462a884a6c41a88290cbd1309ea2aeac0e2abc820a286116f5ba371bfd1f06a7aecea106b2bbcd2c85527d5acf76270dcc7d2f7d5d15d434e3b2845fd8f3ebf770d353adffb156d266d82b5f719608115ec4b65460b7b14d07d234a4dfe92f0a4c560da7092f0dc340a57006f7285ed370d 808bd9b77423e25efd116e463b051c491dec2ece5a5ef96f137007bf81200b50190b239404acec For the less techies out there: this means more locking down from Kobo's end, basically putting them a step closer to Amazon's extremely agressive practices in the jailbreaking world. This also means that porting Quill OS/InkBox OS to these new devices is currently impossible/very difficult. I am just angry at them now... |
08-19-2024, 02:56 PM | #2 |
Connoisseur
Posts: 90
Karma: 3892
Join Date: Feb 2022
Device: Kobo nia
|
Clarification:
Previous kobo's didn't have this and everything was fine. |
Advert | |
|
08-19-2024, 05:13 PM | #3 |
Resident Curmudgeon
Posts: 76,305
Karma: 136006010
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3
|
It could be that went the older devices get 4.39.xxx, we'll also get secure boot.
|
08-20-2024, 08:28 AM | #4 | |
Addict
Posts: 202
Karma: 146236
Join Date: Oct 2022
Device: Kobo Clara HD
|
Quote:
I still have a laptop that lets me set Secure Boot or not. Hopefully Kobo has allowed this, since they didn't seem to be against SideloadedMode? e.g, my chromebook has the option to run in Developer's mode, which allowed me to install MXLinux which was what made me choose to buy the device. EDIT : Ahhh, this link says amazon was able to turn on secure boot over the air, if I understand correctly (probably not https://xdaforums.com/t/mod-dev-medi...4232377/page-6 Last edited by elinkser; 08-20-2024 at 02:23 PM. Reason: ota |
|
08-20-2024, 11:10 AM | #5 |
Evangelist
Posts: 479
Karma: 2390534
Join Date: Jun 2020
Location: Somewhere in the Universe
Device: Kobo Libra, Glo HD, Touch C/B, Mini, Glo, Aura SE, Clara HD, KT
|
Secure Boot is mainly due to the fact that the new devices are using a MediaTek SoC (the older ones were using the Freescale/i.MX platform) Whether or not it was Kobo's will to include it, it got there anyway, either because it was the standard for such boards and the devs were too lazy to change it, or maybe it really was a thought-out decision.
Either way, it is pretty disappointing. We are currently trying to find ways to circumvent that restriction as I am writing. |
Advert | |
|
08-20-2024, 11:15 AM | #6 |
Evangelist
Posts: 430
Karma: 41524
Join Date: Sep 2011
Device: Kobo Libra 2 & Clara BW
|
Will this let them restrict patching, nickelmenu, etc?
|
08-20-2024, 12:47 PM | #7 |
Evangelist
Posts: 479
Karma: 2390534
Join Date: Jun 2020
Location: Somewhere in the Universe
Device: Kobo Libra, Glo HD, Touch C/B, Mini, Glo, Aura SE, Clara HD, KT
|
Not yet. But who knows what they are planning...
|
08-20-2024, 02:33 PM | #8 |
Addict
Posts: 202
Karma: 146236
Join Date: Oct 2022
Device: Kobo Clara HD
|
Although, I believe it is the same device (edit: family) as for the Ellipsa2e, so that bodes well.
https://en.m.wikipedia.org/wiki/Kobo_eReader Unfortunately, it's not one of the PostmarketOs supported devices: https://wiki.postmarketos.org/wiki/Category:MediaTek Reading up on it it seems complicated to bypass and many experienced devs have bricked their expensive devices. I saw an old guide to the boot process if any one is interested. http://www.lieberbiber.de/2015/07/04...and-preloader/ Good luck - you're braver than me! Last edited by elinkser; 10-08-2024 at 07:07 AM. Reason: device family |
08-20-2024, 03:55 PM | #9 |
Evangelist
Posts: 479
Karma: 2390534
Join Date: Jun 2020
Location: Somewhere in the Universe
Device: Kobo Libra, Glo HD, Touch C/B, Mini, Glo, Aura SE, Clara HD, KT
|
Thanks for the link.
|
08-20-2024, 04:45 PM | #10 |
Junior Member
Posts: 2
Karma: 10
Join Date: Aug 2024
Device: Kobo Libra Colour, Kobo Glo HD
|
For work with MTK processors: https://mtktool.com/
|
08-20-2024, 04:48 PM | #11 |
Evangelist
Posts: 479
Karma: 2390534
Join Date: Jun 2020
Location: Somewhere in the Universe
Device: Kobo Libra, Glo HD, Touch C/B, Mini, Glo, Aura SE, Clara HD, KT
|
Thanks for the link too. Do you know if any of these tools have a chance of working with the obscure series of MT8512/MT8110/MT8113 processors?
|
08-20-2024, 05:04 PM | #12 |
Junior Member
Posts: 2
Karma: 10
Join Date: Aug 2024
Device: Kobo Libra Colour, Kobo Glo HD
|
|
08-20-2024, 05:15 PM | #13 |
Evangelist
Posts: 479
Karma: 2390534
Join Date: Jun 2020
Location: Somewhere in the Universe
Device: Kobo Libra, Glo HD, Touch C/B, Mini, Glo, Aura SE, Clara HD, KT
|
Thanks again for the link. You are welcome to join our effort to find a workaround (I see you have a Libra Colour too). Any help is appreciated...
https://discord.com/invite/uSWtWbY23m |
08-21-2024, 06:35 AM | #14 |
cosiñeiro
Posts: 1,320
Karma: 2200073
Join Date: Apr 2014
Device: BQ Cervantes 4
|
It isn't a big deal (yet!). I doubt it will be an issue for running third party apps in the long run, but more on that later.
Docs to grasp the architecture of Mediatek secure boot: https://mediatek.gitlab.io/aiot/doc/...cure-boot.html That's probably what Kobo or its OEM follow for this board. The key is to understand that secure boot/verified boot is a chain of trust that starts in BootROM and can go up to the root filesystem, efectively locking the system if that's the intention of the manufacturer. On a regular computer the chain of trust ends with the 2nd stage bootloader, which needs to be signed with Microsoft approved keys. On chromebooks it goes up to the root filesystem via dm-verity. The way chromebooks and android implement verified boot is the "standard" way on linux OSes and the route to follow for third party OEMs. If kobo wants to do this they need to: 1. pass the hash key of the read-only rootfs as a kernel command line argument (thus available in /proc/cmdline) 2. the kernel will then verify the block device isn't tampered. That's doable and there's nothing wrong with it but there're other clues that would point they're trying to achieve verified boot on kobos: A/B root: because updating anything in the AP, such as the final reader application, involves, at least, a new hash for the new rootfs. Things might go wrong with an update so the ability to fallback to a previous version is a must in those cases. Two kernels: even when kobo rarely updated a kernel on a production device, you must want two slots for two different kernels (even if both contain the same) to implement A/B root properly. Two root filesystems. Even with a full chain of trust up to the linux userspace, that doesn't mean the device is locked (the kernel really is!). It is up to the the manufacturer to provide a different, not "dm-veritied" filesystem for storage persistence. Overlayfs might also be used to make a regular linux system to play nice with read-only rootfs. |
08-21-2024, 06:40 AM | #15 |
cosiñeiro
Posts: 1,320
Karma: 2200073
Join Date: Apr 2014
Device: BQ Cervantes 4
|
We still don't now if SecureBoot is enabled (via efuse) on that board. The BSP might provide an u-boot source tree that's able to deal with verified boot but that isn't enough to enforce the chain of trust.
If uboot verifies the kernel but nothing verifies uboot it should be possible to overwrite uboot entirely. Also we don't know what happens if the kernel signature doesn't match. Since u/NiMa has access to the serial port I would suggest to check: 1. If uboot prompt is available 2. There's no watchdog to trigger a reset on the AP after a few seconds standing at the uboot prompt 3. Try to load a kernel image to ram and jump to it, see what uboot does. |
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Kobo Stylus 1 compatibility with Libra Colour? | shyhermit | Kobo Reader | 46 | 09-20-2024 02:47 PM |
Kobo Libra Colour Support | xtin | Devices | 75 | 08-13-2024 07:28 PM |
Kobo Libra Colour color saturation | Pausen | Kobo Reader | 19 | 05-16-2024 01:59 PM |
Kobo Libra Colour - customizations? | jaydee34983 | Kobo Reader | 9 | 05-10-2024 04:25 PM |
Kobo Libra Colour and Calibre | khalleron | Kobo Reader | 2 | 05-04-2024 01:29 AM |