10:56 <f_> What I find a bit strange is everything is encrypted. There is absolutely no AMLC header after BL2.

10:56 <f_> Nothing except gibberish.

10:57 <f_> Just curious, has anyone seen this behaviour before?

12:00 <chewitt> I thought the whole point of 'secure boot' was to encrypt everything, no?

12:20 <f_> chewitt: I think it might be optional for secureboot

12:22 <f_> At least for BL2

12:22 <f_> *BL1->BL2

12:24 <f_> chewitt: Though I would've expected the AES key for the rest to also be stored in efuses or something, but that's only the case for BL2

18:12 <hexdump0815> f_: if you want to have some other encrypted bootblocks to play with - the s10 max plus (s905x2) ones from here are: https://github.com/hexdump0815/u-boot-misc/tree/master/misc.gxy/dump-in.dd

18:12 <f_> hah

18:13 <f_> hexdump0815: You can get the AES key for BL2 decryption if your box does not lock USB mode behind a password

18:15 <f_> A vulnerability in the bootROM makes dumping whatever you want in SRAM easy. Specifically, there's a copy of OTP memory (efuse) at 0xd9013c00. So: The key is at 0xd9013c50 and the IV is just after, at 0xd9013c70

18:15 <f_> so you can simply dump that, then feed those to openssl to decrypt BL2 :)

18:16 <f_> I think I should document that clearly. Second.