alt Hacker NewsThe latest Kobos use MediaTek SoCs with locked bootloaders. The Kobo Clara BW's MT8113, for example. As far as I know, one of the early bootloaders it, BL1, refuses to execute the next bootloader (BL2) unless its signature is valid. We can get the device into a mode where BL1 waits for upload of a BL2 via USB using an exploit called Kamakiri, but in public there is neither an exploit to get BL1 to boot an arbitrary BL2, nor an authorized BL2 image to upload. See here: https://github.com/bkerler/mtkclient/issues/1332
Kobo devices have root exposed but don't let users boot their own kernels (and the kernel they ship was not compiled with kexec either).
I really don't know the reason so many devices these days don't have an unlock method. It seems predatory. Who knows where in the chain this happens... maybe it's Kobo, or maybe MediaTek won't sell you their SoCs for mass-market devices unless you lock them.
Replies
Can you just access /dev/mem or load a kernel module? Is there a SELinux policy stopping that?
If you can do either of those, it should be trivial to get kexec working by just loading it as a module.
Older Kobos sound ok though?
According to the github issue it seems to be a simple checksum step, not a true signature verification? If so there is no locked bootloader in any real sense.
If the real impediment is lack of demand or low-level development effort for any given device, that's in principle a solvable issue once projects like pmOS and Mobian choose to focus on some reasonably-available hackable hardware and bring it up to true daily driver state.