KennyBertone

Orange pi pc plus - completely disable SD boot to protect emmc code


Hi all,

 

I recently purchased an orange pi after developing on the raspberry pi (just for convenience). I got it mainly because the integrated memory could be a real asset both because SD are faulty when making lots of memory accesses and emmc can provide a nice layer of code protection when giving the board to somebody else.

 

I set up everything without issue and I used the nand-sata-install to move everything to emmc...it worked like a charm. I then placed all my proprietary code on emmc and executed without issues. Problem is, I can obviously still insert an SD card and then mount the emmc and access my code since the SD is booted before the emmc.

 

1. Is it possible to change this boot order or to just completely disable SD boot and thus deliver an emmc only device to a client?

2. How does the boot for H3 work? I read about u-boot and similar but it is not very clear to me what is the boot sequence and where it starts from.

3. As an alternative, should I just unsolder the SD tray or is there any other HW mod I could do to block sd cards?

 

I considered (and I will probably use it for some other layers of protection) using some encryption, but in general that uses lots of resources.

 

Any help would be really appreciated, thanks in advance.

7 minutes ago, KennyBertone said:

1. Is it possible to change this boot order or to just completely disable SD boot and thus deliver an emmc only device to a client?

Not without irreversible HW modifications

 

9 minutes ago, KennyBertone said:

2. How does the boot for H3 work?

https://linux-sunxi.org/BROM

 

9 minutes ago, KennyBertone said:

3. As an alternative, should I just unsolder the SD tray or is there any other HW mod I could do to block sd cards?

SD is not the only way to bypass eMMC boot, you can erase eMMC boot signature and boot from SPI or FEL mode, and I doubt unsoldering the SD slot would stop an experienced user from soldering it back


Thanks for the quick replies!

 

1 hour ago, zador.blood.stained said:

Not without irreversible HW modifications

Irreversible HW modifications are not a big issue in my case...I just need to understand what we are talking about and how to disable SD booting.

 

 

1 hour ago, zador.blood.stained said:

erase eMMC boot signature and boot from SPI or FEL mode

Could you expand a bit on this? How would it work and what should I do?

Yeah, I know that unsoldering is not a huge move, but it is somehow more bothering and problematic to standard users compared to SW measures. I am really trying to add as many layers of "boring protections" as possible...any idea is very welcome!

 

 

1 hour ago, zador.blood.stained said:

Thanks for the boot info, it helps understanding the sequence.

On 29.10.2017 at 2:07 AM, KennyBertone said:

I just need to understand what we are talking about and how to disable SD booting.

Desolder SD card slot, optionally cut/remove soldering pads and put some epoxy glue on top.

 

On 29.10.2017 at 2:07 AM, KennyBertone said:

Could you expand a bit on this? How would it work and what should I do?

Mainly you should not expect to build a 100% efficient protection against an experienced hardware and software hacker that is based only on hardware modifications (at least on Allwinner based boards).

If you get write access to eMMC (from OS, u-boot or just by unsoldering it) or can interrupt the boot sequence (by cutting or shorting eMMC data, clock lines or power supply) BROM will move to the next available boot sources (SPI flash and FEL mode) so you would be able to load a different OS and get access to eMMC, bypassing any protective measures (like password protection or disabling serial console).
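Added example, not part of any post in this thread: a check of the "boot signature" mentioned above, useful for verifying at provisioning time whether an eMMC image carries a header the BROM would accept. It assumes the eGON.BT0 header layout used by mainline U-Boot SPL images for sunxi (magic at byte 4, checksum at byte 12, length at byte 16) and an SPL offset of 8 KiB; the function names and the sample image are constructed for illustration.

```python
import struct

EGON_MAGIC = b"eGON.BT0"   # magic string at byte 4 of the SPL header
STAMP = 0x5F0A6C39         # value placed in the checksum field while summing
SPL_OFFSET = 8192          # assumption: SPL stored 8 KiB into the device

def check_egon(image: bytes, offset: int = SPL_OFFSET) -> str:
    """Return 'valid', 'no-magic', 'bad-length' or 'bad-checksum'."""
    hdr = image[offset:offset + 20]
    if len(hdr) < 20 or hdr[4:12] != EGON_MAGIC:
        return "no-magic"
    stored, length = struct.unpack_from("<II", hdr, 12)
    body = image[offset:offset + length]
    if length < 20 or length % 4 or len(body) != length:
        return "bad-length"
    words = list(struct.unpack("<%dI" % (length // 4), body))
    words[3] = STAMP       # checksum field is word 3 (byte 12)
    ok = sum(words) & 0xFFFFFFFF == stored
    return "valid" if ok else "bad-checksum"

def build_sample(length: int = 512) -> bytes:
    """Constructed image: zero padding, minimal header, dummy payload."""
    # Word 0 is a dummy ARM branch; the payload words are arbitrary filler.
    words = [0xEA000016, *struct.unpack("<II", EGON_MAGIC), STAMP, length]
    words += [i * 0x01010101 & 0xFFFFFFFF for i in range(length // 4 - 5)]
    words[3] = sum(words) & 0xFFFFFFFF
    return bytes(SPL_OFFSET) + struct.pack("<%dI" % len(words), *words)

if __name__ == "__main__":
    good = build_sample()
    wiped = bytes(len(good))                 # header region zeroed
    corrupt = bytearray(good)
    corrupt[SPL_OFFSET + 100] ^= 0xFF        # one payload byte changed
    for name, img in (("good", good), ("wiped", wiped),
                      ("corrupt", bytes(corrupt))):
        print(name, check_egon(img))
```

Any result other than `valid` means the BROM would not boot from that device and would move on to the next boot source, which is the fallback behaviour described in the post above.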

 

 


Hi KennyBertone,

 

I am stuck at a similar issue, where I need to disable SD card boot in a nano Pi device. It uses Allwinner H3 processor.

 

Can you please help me on this with your findings and were you able to disable the SD card?

 
