12:14 <GXL-BL2> Hi, has anyone managed to load/disassemble 2019 Amlogic GXL BL2 that is compiled with AArch32? I dont think IDA/Ghidra is handling it well.

12:14 <f_> GXL-BL2: I never bothered

12:15 <f_> But when I tried just setting arch correctly did the trick

12:16 <f_> in any case I just went with the older AArch64 ones

12:16 <f_> given they seemed to be working just fine

12:18 <f_> GXL-BL2: why? Is there something in AArch32 bl2 that's not in the older AArch64 BL2? Well, there are obviously differences, but I'm interested to know which you're interested in

12:18 <GXL-BL2> Thank you for your reply

12:18 <f_> you're welcome!

12:20 <GXL-BL2> im currently working on rooting xiaomi android box. its with gxl. My goal is to modify BL2 (disable Secure Boot and Anti Roll Back)

12:20 <f_> Which box is it?

12:21 <GXL-BL2> Current state is that, I am able to run unsigned code with BL0 exploit, Already decrypted BL2 with dumped AES256 key

12:21 <GXL-BL2> MDZ-16-AB

12:21 <f_> xiaomi-once/mi box 3?

12:21 <f_> (also, it's BL1, BL0 isn't a thing in amlogic world)

12:22 <GXL-BL2> correct. thanks for pointing, ill say BL1 from now on ;)

12:22 <f_> I did do that kind of stuff on a Mi TV Stick before

12:22 <f_> but I didn't bother modifying BL2, instead I used my wip u-boot-spl thing with adjustments to work on TV Stick

12:23 <f_> that, coupled with mainline u-boot and mainline tf-a BL31 as well as some bl30 from some radxa repo, made me able to boot

12:23 <f_> but I didn't do anything wrt android, for these experiments I just dumped the eMMC for research and wiped the whole thing

12:24 <f_> (because frankly I'm not interested in working with android)

12:27 <GXL-BL2> my goal is to root it while BL32 (TEE) is in function as well. To do this, I need to modify BL2. I only worked on latest BL2 which is compiled with AArch32. Maybe I should check older firmware's BL2

12:29 <GXL-BL2> so I was hoping to be able to disassemble it properly so I can edit them but it seems to be not able to do it with IDA/Ghidra somehow

12:29 <GXL-BL2> it just cant reference any strings

12:32 <GXL-BL2> I just checked oldest firmware that I can get for the target. Its still compiled with AArch32, damn it :(

12:34 <GXL-BL2> I found this IRC channel from this page. https://moin.vitali64.duckdns.org/AmlogicBL2/GXL/Differences

12:34 <f_> GXL-BL2: oh it's mine ;)

12:34 <GXL-BL2> ahahahaaaha

12:35 <f_> it's outdated though, moved to https://scm.dersco.re/amlogic/reversing-gxbb-bl2.git/about

12:35 <f_> moin.vdo is getting decomissioned

12:36 <f_> Anyway I never bothered with TEE/BL32, it's not needed to boot, and all I wanted was for it to boot, so I just didn't use it

12:37 <f_> All of the secureboot checks are done in BL1 and BL2, so if you manage to get BL1 to load whatever you want as BL2 and you remove BL2's secureboot checking abilities (or just replace it completely) you can have lots of fun

12:37 <f_> Not even the SCP checks its firmware's signature and such before running it, so you can go nuts and pick whatever BL30.bin you want (provided it works for your board)

12:38 <GXL-BL2> Yes that is my goal. unfortunately, aarch32 is stopping me from disassembling, making my life to hard to patch BL2

12:39 <f_> wrt SCP: if you get a "Wrong chip" error: https://libera.catirclogs.org/linux-amlogic/2025-02-28# tl;dr get a newer BL30 :P

12:39 <f_> GXL-BL2: can you tell me which params did you tell ghidra

12:40 <GXL-BL2> "It looks like this was made to save a bit of space somehow?" When I checked BL1 of GXL, it had hardcoded max size of 0xC000, so i guess they really needed extra space

12:40 <f_> In theory BL1 only reads 0xc000

12:40 <f_> in practise you only have 0xb000 available

12:41 <GXL-BL2> because of 0x1000 @AML Header right?

12:41 <f_> yep

12:41 <f_> well, the @AML header itself isn't really 0x1000 long

12:41 <f_> but there's that padding for alignement

12:41 <f_> the bootrom loads everything in one go

12:42 <GXL-BL2> yeap yeap, and for ghida question, i mostly use IDA, ghidra is just for backup.

12:42 <f_> Oh, ok. I'm not familiar with IDA, always used ghidra

12:43 <GXL-BL2> i should get close with Ghidra haha

12:45 <f_> but like, my aquaman-bl2 dump which is AArch32 bl2 (and a very new version, even), just setting aarch32 and the correct base address (0xd9001000) did the trick

12:45 <f_> And I get stuff like this:

12:45 <f_> https://ircb.dersco.re/uploads/funderscore/3b9b12c1-f_-paste.txt

12:47 <f_> (didn't do much with aquaman-bl2, there wasn't much interesting)

12:47 <GXL-BL2> Thanks for the tip, its almost 6am here. i will try ghidra again with aarch32 tomorrow!

12:47 <f_> alright ^^

21:31 <GXL_BL2> Q. for BL1(AArch64) to execute AArch32 BL2, doesnt BL1 supossed to run like SPSR_EL3?

21:32 <f_> you mean run in el3?

21:32 <GXL_BL2> yeap

21:32 <f_> BL1 runs in EL3 yes

21:33 <f_> er, *at EL3

21:33 <f_> (english moment)

21:38 <GXL_BL2> just noticed, s905x(lepotato) and s905x-h(xiaomi ATV) has different BL1

21:38 <lvrp16> Dolby license?

21:43 <f_> o'rly?

21:43 <f_> lvrp16: can't be that I think

21:44 <f_> TV Stick's BL1 is identical to lepotato/lafrite BL1

21:44 <f_> and that is an S805Y-H

21:45 <lvrp16> No idea then.

21:45 <f_> yeah that's pretty interesting and weird

21:45 <f_> GXL_BL2: any chance you can dump it so I can have a little look at it?

21:45 <GXL_BL2> im trying to asm diff them atm. Im not sure if they would implement Dolby license in BL1

21:47 <GXL_BL2> @f_, its already in public, ill paste github link very shortly

21:47 <f_> ok nice

21:47 <f_> thanks

21:51 <GXL_BL2> https://github.com/Zenofex/SoC-BootROMs/blob/main/amlogic/amlogic.s905x.bin

21:54 <GXL_BL2> it says s905x but i confirmed that its exactally same hash as one that I dumped from xiaomi which is s905x-h