The i.MX8 cannot be deblobbed

Devices based on the i.MX8 or i.MX8M (such as the Librem phone or MNT Reform) have received popular coverage recently. The number of firmware blobs involved in the bringup of these devices is often a point of discussion. At times, people have considered whether some of these blobs could be replaced with libre replacements via reverse engineering.

I can now confirm that these chips can never be fully deblobbed. The following is an excerpt from the i.MX8M Reference Manual (page 840):

6.1.6.2. HDMI image boot up

The chip also supports HDMI image boot up for HDMI firmware. In addition to the standard image, there is a special image flagged as HDMI image (see Boot data structure). And normally it will come before the standard image.

ROM will check the HDMI image viability first. If the HDMI image is present and the HDMI device is not disabled by the eFuse, it will load the image into HDMI RAM and do the authentication. The image will include both the HDMI firmware and authentication information in it.

If the authentication is succeeded, then the firmware will be started and verified. ROM will also load the HDMI/HDCP related keys and then lock it.

If the authentication is failed, then the HDMI memory will be cleared and locked. If the HDMI is disabled, ROM will release the JTAG access at early boot up stage otherwise it will be released after HDMI image processing.

After processing HDMI image, the ROM process will move to standard image boot up sequence.

The HDMI image is generated by NXP CDT tool and firmware will be provided by customer. For more details about generating HDMI image, please refer to NXP CDT user guide.

The following figure shows the HDMI image boot flow. See High-level boot sequence for standard image boot flow.

[Figure 6-20. HDMI image boot flow]

6.1.6.2.1. HDMI and A53 boot image location on boot device

The new requirement for i.MX 8M Dual/8M QuadLite/8M Quad ROM is to locate HDMI image on the boot device, load it into the HDMI block's i-ram and d-ram memories, authenticate it, and then finally locate, load, and authenticate the A53 boot image.

The chip can boot from the following boot media:

  1. eMMC/SD
  2. NAND

On the boot media, the HDMI image will be placed first followed by the A53 image. The distance between the two images is different for different types of boot media.

Since the wording is a little vague as to whether it's NXP or the customer who signs this blob, let's verify that this firmware blob is indeed signed by NXP and not the customer:

$ wget http://www.freescale.com/lgfiles/NMG/MAD/YOCTO/firmware-imx-8.0.bin

# This is a makeself-style self-extracting shell script with some shrinkwrap
# EULA attached. Sorry, not interested:
$ 7z x firmware-imx-8.0.bin
$ tar xvf firmware-imx-8.0
$ find firmware-imx-8.0 -type f | grep hdmi
firmware-imx-8.0/firmware/hdmi/cadence/signed_dp_imx8m.bin
firmware-imx-8.0/firmware/hdmi/cadence/signed_hdmi_imx8m.bin
firmware-imx-8.0/firmware/hdmi/cadence/dpfw.bin
firmware-imx-8.0/firmware/hdmi/cadence/hdmitxfw.bin
firmware-imx-8.0/firmware/hdmi/cadence/hdmirxfw.bin

# Binwalk tells us the signed blob contains an X.509 certificate:
$ cd firmware-imx-8.0/firmware/hdmi/cadence
$ binwalk signed_hdmi_imx8.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
38488         0x9658          MySQL ISAM compressed data file Version 1
103636        0x194D4         Certificate in DER format (x509 v3), header length: 4, sequence length: 680

# Extract the certificate.
$ tail -c +103637 signed_hdmi_imx8.bin > x.bin
$ openssl x509 -inform der -in x.bin -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = iMX_CA@nxp.com
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
            Not After : Jan  1 00:00:00 2037 GMT
        Subject: CN = MIMX8MQ0101
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b1:26:2e:94:29:86:5d:35:a5:ad:55:62:d7:65:
                    98:bf:18:59:fa:3d:5f:22:90:1a:cd:ca:c6:ab:26:
                    83:1e:50:62:da:8f:0f:18:b3:59:b0:e8:0a:f2:46:
                    2e:97:12:e4:81:5f:88:11:d1:38:9a:43:54:06:7a:
                    65:b6:ab:d2:9a:1c:73:27:54:4b:4c:94:51:1f:25:
                    55:0f:32:26:77:29:ca:8b:cd:96:b1:dd:60:3b:5f:
                    9d:20:7e:e9:1c:75:91:19:36:cf:6c:c6:05:5d:65:
                    9b:f0:a5:9f:27:e1:85:5d:b4:e1:6f:bc:4f:e0:2b:
                    e8:83:37:86:d0:9c:26:18:d7:f2:40:b9:2c:fc:5a:
                    92:3a:a0:85:1b:b9:be:6e:d3:e7:01:5e:ab:e5:0a:
                    1e:16:10:0b:9f:b9:e0:bc:51:42:d1:93:0a:a0:69:
                    19:a7:12:b5:f0:04:74:64:2d:11:33:2c:f7:14:1d:
                    48:8c:61:78:03:90:77:b3:8b:48:a9:38:b8:ea:0d:
                    9d:de:19:de:61:15:10:75:40:47:f1:37:db:d8:0f:
                    c3:0b:60:1a:6a:31:b3:15:0b:01:ce:82:72:80:f0:
                    29:6f:28:59:ce:a0:e0:15:3a:cd:3f:b6:4a:4e:a5:
                    73:28:bb:db:d4:f1:ab:85:97:9e:dc:6e:31:56:d9:
                    36:53
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         49:c8:f8:97:10:8b:fe:ff:7e:16:93:46:98:5e:d3:68:83:e1:
         5c:12:6f:83:bd:17:96:e0:56:89:c5:78:dc:0e:5c:fb:de:e9:
         a5:ec:ca:6a:3f:13:45:96:c3:7f:b1:ed:ae:84:cf:c3:e8:0b:
         29:72:14:14:21:ff:e8:9d:a5:c9:c8:03:0e:96:f8:91:a1:95:
         43:8d:88:2c:0c:73:ac:5a:6e:b4:3b:92:ed:d8:01:22:fb:f6:
         62:dd:68:55:dc:7a:0e:e8:ff:5f:3e:74:4c:8d:26:97:41:ec:
         a0:aa:0d:38:14:a6:c9:b3:47:b0:94:d6:21:8a:ab:75:4e:04:
         9e:20:23:65:18:4e:9f:80:f9:1b:e5:2e:ef:af:fb:32:a9:0a:
         72:b5:f4:33:26:92:78:7d:ad:9c:ed:ca:5d:53:6d:cc:d0:c9:
         ad:0f:d8:4e:26:ef:bb:3d:f4:c1:e3:30:7e:9f:97:c0:89:12:
         e5:bc:5b:26:84:9c:d8:c7:7b:98:ea:84:7c:58:00:27:7b:65:
         1d:d6:d1:50:1b:05:7c:f6:06:3c:6e:9f:56:4b:b3:28:cd:bd:
         21:db:ca:0c:16:6b:20:a2:0b:1f:87:b8:23:30:80:35:5b:fc:
         2c:2e:24:39:b2:6d:8a:20:73:2a:6c:ba:71:46:c7:42:66:b4:
         2e:09:8d:75
-----BEGIN CERTIFICATE-----
MIICqDCCAZCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5pTVhf
Q0FAbnhwLmNvbTAeFw0xNzAxMDEwMDAwMDBaFw0zNzAxMDEwMDAwMDBaMBYxFDAS
BgNVBAMTC01JTVg4TVEwMTAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAsSYulCmGXTWlrVVi12WYvxhZ+j1fIpAazcrGqyaDHlBi2o8PGLNZsOgK8kYu
lxLkgV+IEdE4mkNUBnpltqvSmhxzJ1RLTJRRHyVVDzImdynKi82Wsd1gO1+dIH7p
HHWRGTbPbMYFXWWb8KWfJ+GFXbThb7xP4CvogzeG0JwmGNfyQLks/FqSOqCFG7m+
btPnAV6r5QoeFhALn7ngvFFC0ZMKoGkZpxK18AR0ZC0RMyz3FB1IjGF4A5B3s4tI
qTi46g2d3hneYRUQdUBH8Tfb2A/DC2AaajGzFQsBzoJygPApbyhZzqDgFTrNP7ZK
TqVzKLvb1PGrhZee3G4xVtk2UwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBJyPiX
EIv+/34Wk0aYXtNog+FcEm+DvReW4FaJxXjcDlz73uml7MpqPxNFlsN/se2uhM/D
6AspchQUIf/onaXJyAMOlviRoZVDjYgsDHOsWm60O5Lt2AEi+/Zi3WhV3HoO6P9f
PnRMjSaXQeygqg04FKbJs0ewlNYhiqt1TgSeICNlGE6fgPkb5S7vr/syqQpytfQz
JpJ4fa2c7cpdU23M0MmtD9hOJu+7PfTB4zB+n5fAiRLlvFsmhJzYx3uY6oR8WAAn
e2Ud1tFQGwV89gY8bp9WS7Mozb0h28oMFmsgogsfh7gjMIA1W/wsLiQ5sm2KIHMq
bLpxRsdCZrQuCY11
-----END CERTIFICATE-----

The blob is signed by “iMX_CA@nxp.com”.

Conclusions:

  • The i.MX8(M) boot ROM searches for an NXP-signed HDMI firmware image before even attempting to boot the main cores. If it does not find this image, or it is not signed, the HDMI block will be locked until next reset.
  • Therefore, it is impossible to ever replace the HDMI blob used by this device. The device could be used without this blob, but you then forego use of the HDMI (or DisplayPort) functionality.

Note about the MNT Reform: The MNT Reform went out of its way to avoid relying on this blob for its internal display. Rather than doing the obvious thing and connecting the i.MX8M's DisplayPort interface to the Embedded DisplayPort (eDP) display panel, they connected the internal display by using the i.MX8M's MIPI DSI interface (which is unaffected by this blob) to connect to a MIPI DSI to eDP converter chip, and then to the display (indeed, the fact that they went out of their way to ensure people can use the laptop without the blob certainly warrants praise). The external HDMI port can't be used without the blob, however.

2023-04-24: Updated to note how MNT Reform is and isn't affected.