TL;DR
- Modern computers have a program that starts the operating system, known as a bootloader
- Bootloaders can be communicated with to access storage (and sometimes RAM) directly
- They are all individual to the chipset in use.
Bootloaders explained
In its simplest form, a bootloader is a low-level software program that initialises the required hardware components and loads the operating system when the device is powered on. In the context of security, understanding the bootloader’s role and functionality is important as it serves as the gateway between the device’s hardware and its operating system.
A bootloader is typically the first piece of software that runs on a device when it is powered on. The main role of a bootloader is to load the main OS into the device’s memory. It acts as a bridge, preparing the device by setting up the necessary hardware configurations and loading the kernel.
In some architectures like Qualcomm, the Primary Bootloader (PBL) is the first stage bootloader that is stored in the ROM or on-chip memory. The PBL’s main role is to start the hardware and load the Secondary Bootloader (SBL), which is usually stored within flash storage. The SBL goes through a more comprehensive startup process, which may include security checks. It then loads the final bootloader into memory.
This final bootloader is responsible for checking the integrity of the OS image and can execute commands for recovery, an interactive environment or perform its normal boot processes. Once the bootloader has verified and set up the environment, it loads the kernel and the operating system.
The bootloader may have an interface that can allow interaction with the hardware and any storage. This is often used to develop an operating system for that platform and can be used to recover an unbootable (“bricked”) device.
Security implications
From a security perspective, the bootloader can be both a safeguard and a potential vulnerability:
- Secure Boot: Secure boot is a security feature enforced by bootloaders to ensure that only firmware signed by a trusted source is executed on the device. Its aim is to prevent unauthorized modifications to the system at boot.
- Bootloader Unlocking: Unlocking the bootloader allows for greater control over the device’s software, such as the ability to install custom operating systems. However, this also disables several security features, making the device more vulnerable to attacks.
- Root of Trust: The bootloader establishes a root of trust in the boot process. If this is compromised, it can undermine the entire security model of the device. This can allow attackers to gain persistent and privileged access to the device.
Attackers may target bootloaders to alter the operating system files and gain privileged access, which allows for complete control over the operating system, allowing for modification of system files, disabling security features and more. Because the bootloader is responsible for loading the kernel and setting up the system environment, it is a juicy target for attackers. By compromising the bootloader an attacker can bypass several security checks designed to protect the integrity of the OS.
A common vulnerability in bootloaders is the lack of proper validation of firmware images. If a bootloader does not verify the digital signatures of the firmware it loads, an attacker can replace legitimate firmware with malicious versions.
This type of attack is often referred to as a bootkit. Bootkits allow attackers to control the device from the earliest stage of the boot process. Once compromised, the attacker can install rootkits or other malware that persists even after the operating system is reinstalled.
Buffer overflow attacks are another common vulnerability in bootloaders. These happen when the bootloader does not properly check the size of data it processes, allowing an attacker to overwrite parts of the running memory. By sending malicious inputs that overflow the buffer limits an attackers can execute arbitrary code with the bootloader’s higher privileges.
Conclusion
The bootloader is an important part of how a device boots, which can be interacted with separately to the operating system and may contain vulnerabilities which could allow reading of RAM or storage.
Each chipset has their own bootloader which we will be expanding on as part of a series.
We have previously looked at some bootloaders in the dim and distant past, such as the Rockchip bootloader (https://www.pentestpartners.com/security-blog/how-to-hack-the-hudl-we-give-rockchip-a-good-seeing-to/) which was used in a number of low-cost tablets in the mid 2010s.
We have also identified vulnerabilities in the Qualcomm bootloader, https://www.pentestpartners.com/security-blog/breaking-the-android-bootloader-on-the-qualcomm-snapdragon-660/.