The Galaxy S3 (GT-I9300) comes with a bootloader named S-Boot which is a proprietary bootloader from Samsung. In this post, I want to collect information about the possibilty to run the free bootloader U-Boot on the phone. I personally didn't work on the bootloader part, but I became interested in it when I tried to get the mainline kernel working and S-Boot prevented the mainline kernel from booting due to a bug.


U-Boot is free software. If you want to run as much free software as possible on your phone, then being able to replace the proprietary bootloader with a free one would obviously be great. A free bootloader would make it possible to control and verify which software is loaded during the boot process. In case of the Galaxy S3, it turns out that not only the Linux kernel and subsequently Android is loaded, but also a second proprietary operating system, a TrustZone implementation called Mobicore and it's not fully clear what Mobicore does. A free bootloader could make it possible to decide if something like Mobicore should be loaded or not.

A free bootloader would also make new security features like verified boot possible. The bootloader could check the signature of the kernel and the kernel could verify the integrity of the whole system. This way, it would be possible to ensure that no one and nothing has tampered with the operating system. More control over the boot process could also lead to new features that would make it a lot easier to unbrick devices that refuse to boot. For example an option that allows to boot from the SD card would be very helpful in this regard.

Is it possible?

In 2013, Dominik Marszk and Adam Outler managed to boot U-Boot from the SD card. Their U-Boot source can be found here. The Galaxy S3 tries to boot from eMMC (internal memory) first and if that fails, it attempts to boot from other possible boot devices like the SD card. In order to force booting from SD card, Adam corrupted the data transfer between CPU and eMMC by attaching a thin wire to one of the data lines that shortens the data line. After U-Boot has booted, it enters a 10 second delay to allow to release the line shortening. At this point, it's possible to talk to the U-Boot command line via UART.

These are the files they used to create the SD card. They come from ODROID-X bootloader sources which are based on Exynos4412, just like the Galaxy S3. The binary p4412_s_fwbl1.bin is especially interesting because it is a first stage bootloader that drops the secure boot process and jumps to an unsigned payload. This signed first stage bootloader also works on the Galaxy S3 because the same signing key is fused into all Exynos4412-based development boards and handhelds.

Dominik's and Adam's main problem was that they couldn't get a stock kernel image to boot. The cause was likely related to the TrustZone not getting initialized properly. They never tried a modified kernel, so this could be a place to start. I disabled the Mobicore driver in the kernel for Replicant 6.0 in an attempt to get rid of any cooperation between the kernel and TrustZone. It would be interesting if it works with this kernel.

The advantage of Dominik's and Adam's approach is the possibility to replace the proprietary bootloader S-Boot with U-Boot. A proprietary first stage bootloader is still necessary. And the second stage bootloader is created by a proprietary tool mkbl2 that is part of the U-Boot sources and was originally supplied by Samsung. The main disadvantage of their approach is the necessity to corrupt the data transfer between the CPU and eMMC which requires experience, is only suitable for development and testing purposes and has a high risk to render the device unusable if done wrong.

There is some info floating around about a recovery procedure that boots from the SD card, but replaces the existing bootloader which resides in the bootloader partition on eMMC. There are claims that it's possible to trigger this process with more recent Galaxy S3 devices by pressing the menu key, both volume keys and the power key. Otherwise, it seems to be necessary to disassemble the device and shorten a very small resistor with a pair of tweezers, according to leaked Samsung documents. This procedure could be an alternative to corrupting the data transfer between CPU and eMMC.

As part of my work with the mainline kernel on the Galaxy S3, I submitted a bootloader-related patch that allows to reboot the device in the recovery and download mode. In the discussion about the patch with the kernel maintainer Krzysztof Kozlowski, it turned out that Trats2, which is the Galaxy S3 released for Tizen, is supported by U-Boot. However, S-Boot was not replaced. Instead, U-Boot gets chainloaded after booting a (probably) adapted S-Boot image. Krzysztof's mail provides more info how the Trats2 image could be installed.

Freedom-wise, chainloading U-Boot after S-Boot is not attractive as no non-free software is replaced. But having the Linux kernel loaded by U-Boot would make working on the mainline kernel easier because I don't have to figure out all the differences between U-Boot and S-Boot and patch the kernel. The only question in this regard is whether it's less work to stick with S-Boot and work around the differences or to get U-Boot for Trats2 working with a Galaxy S3 targeting Android and avoid having to patch the kernel.

In the end, it would obviously be most rewarding if it's possible to replace S-Boot. If a signature check is enforced on S-Boot and the first and second stage bootloader are not replaceable, then there is no hope, unless the signing key gets leaked. If only the first and second stage bootloader need to be signed and S-Boot runs outside of the secure boot process, then maybe it's possible to get U-Boot working while the proprietary first and second stage bootloader stay in place. Maybe there is also some crazy way to make booting from SD card permanent while still having the internal memory accessible. So there are still some basic questions that need to be investigated.

I want to thank Dominik Marszk, Adam Outler and Krzysztof Kozlowski for providing lots of useful information which made this post possible.