> However, due to the aforementioned "kamakiri" bootrom exploit, the first link of the chain is irrevocably broken.
> [...]
> But, we don't even need to use an exploit here. Both the brom and Preloader boot stages feature a USB bootloader mode, which in the r1's case will accept unsigned DA ("Download Agent") images over USB, and allow you to execute them from memory (from SRAM in the case of brom, and DRAM in the case of Preloader).
The RabbitOS developers can patch all of this by setting an efuse that instructs the bootrom to block bootloader access over USB. Moto did this a couple years ago with their MediaTek devices that were susceptible to bootrom attacks via this surface. If I remember correctly this efuse was set at the LK stage and was applied in a regular OTA firmware update.
> [...]
> But, we don't even need to use an exploit here. Both the brom and Preloader boot stages feature a USB bootloader mode, which in the r1's case will accept unsigned DA ("Download Agent") images over USB, and allow you to execute them from memory (from SRAM in the case of brom, and DRAM in the case of Preloader).
The RabbitOS developers can patch all of this by setting an efuse that instructs the bootrom to block bootloader access over USB. Moto did this a couple years ago with their MediaTek devices that were susceptible to bootrom attacks via this surface. If I remember correctly this efuse was set at the LK stage and was applied in a regular OTA firmware update.