Restore tampered SPI NOR to trusted state?

This is a follow-up to MOX APT resistance

I got my hands on a MOX-A unit that shows signs of tampering. I think it was just carefully re-packed and returned by the previous owner (loose tape, disconnected SDIO antennas, no response on default IP 192.168.1.1), but I’d still like to learn how to verify the firmware matches the factory version.

I see main SPI NOR pins (remember, 1.8V) are available via GPIO header, but:
a) how to power the board during the dump? Is it safe to power just the 1.8V rail?
b) are factory images of whole flash available so I can compare it?
c) how to correctly hold the CPU in reset so it cannot fake responses or affect nHold/nWP?

Serial boot looks no good because its unreliability allows the bootloader to pretend it worked.
Edited title to make this more about firmware. We can’t “fix” physically replaced chips.

Actually serial boot is using the Boot ROM in the CPU itself, so even if the NOR was tampered with, you can boot over serial and then from U-Boot you can overwrite the whole NOR or check its content. There is no image of the whole flash, but there is content that should be in the various partitions there. But depending on the release date, there might be various versions of the image flashed in. If you want to make sure that it is in the correct state, you can reflash it.


Thank you for confirming successful boot would be safe and even uboot loaded over serial will not read environment from NOR or anything.
But what about an unsuccessful serial boot, which the video example says happens often? I expect a failed serial boot will continue to NOR, and NOR can then pretend serial boot was a success or, worse, try to exploit mox-imager, minicom or my terminal emulator. Or not?
Anyway, no such risk exists with external flashers.

Thank you also for confirming whole factory images are not available online, pity. Getting just the right parts for comparing looks complicated. Any suggestions better than downloading all possible versions and comparing hashes against my NOR?

I agree reflash looks more practical than this. Will secure-firmware + a53-firmware + rest of NOR wiped be enough to boot from SD (then let reForis download, verify and “update” remaining partitions)? Are there GPG or other signatures I can check so I don’t flash something worse by accident?
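The "download all versions and compare hashes" approach from the previous post, written out as an added example (not code from the thread, from Turris, or from the MOX tooling). Since no whole-flash image exists, it hashes the dump partition by partition against every candidate release and also checks that the space outside the partitions still reads as erased flash. The partition layout, the total size, the release labels and all image contents are constructed for the example; the real MOX NOR layout is not given in the thread and must be taken from the actual partition table before this is used on a dump. The reference images themselves still have to be authenticated out of band (signature check) before their hashes mean anything.

```python
import hashlib
from typing import Dict, List, Tuple

# Hypothetical NOR layout (offset, length) in bytes. The real MOX partition
# table is NOT in the thread; these constructed values only serve the example.
TOTAL_SIZE = 0x5000
PARTITIONS: Dict[str, Tuple[int, int]] = {
    "secure-firmware": (0x0000, 0x1000),
    "a53-firmware":    (0x1000, 0x2000),
    "u-boot-env":      (0x3000, 0x1000),
}
ERASED = 0xFF  # a NOR cell that was never written reads back as all ones


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def partition_bytes(image: bytes, name: str) -> bytes:
    """Slice one partition (padding included) out of a full-flash image."""
    off, length = PARTITIONS[name]
    return image[off:off + length]


def build_reference_table(releases: Dict[str, bytes]) -> Dict[str, Dict[str, List[str]]]:
    """partition name -> {sha256 of that partition: [releases carrying that content]}."""
    table: Dict[str, Dict[str, List[str]]] = {name: {} for name in PARTITIONS}
    for label, image in releases.items():
        for name in PARTITIONS:
            digest = sha256_hex(partition_bytes(image, name))
            table[name].setdefault(digest, []).append(label)
    return table


def classify_dump(dump: bytes, table: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """For each partition, list the known releases whose content matches the dump.
    An empty list means the content matches no known release (modified or unknown)."""
    if len(dump) != TOTAL_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {TOTAL_SIZE}")
    return {name: table[name].get(sha256_hex(partition_bytes(dump, name)), [])
            for name in PARTITIONS}


def unused_regions() -> List[Tuple[int, int]]:
    """Byte ranges [start, end) claimed by no partition; they should read erased."""
    gaps, cursor = [], 0
    for off, length in sorted(PARTITIONS.values()):
        if off > cursor:
            gaps.append((cursor, off))
        cursor = max(cursor, off + length)
    if cursor < TOTAL_SIZE:
        gaps.append((cursor, TOTAL_SIZE))
    return gaps


def stray_data(dump: bytes) -> List[Tuple[int, int]]:
    """Unused regions that hold anything other than erased (0xFF) flash."""
    return [(s, e) for s, e in unused_regions() if dump[s:e].strip(bytes([ERASED]))]


# --- constructed sample images (not real firmware) ---------------------------
def _make_image(secure: bytes, a53: bytes, env: bytes, extra: bytes = b"") -> bytes:
    img = bytearray([ERASED]) * TOTAL_SIZE
    for name, blob in (("secure-firmware", secure), ("a53-firmware", a53), ("u-boot-env", env)):
        off, _ = PARTITIONS[name]
        img[off:off + len(blob)] = blob
    img[0x4800:0x4800 + len(extra)] = extra  # lands outside every partition
    return bytes(img)


KNOWN_RELEASES = {
    "release-A": _make_image(b"SECURE-FW v1", b"A53-FW v1", b"env"),
    "release-B": _make_image(b"SECURE-FW v1", b"A53-FW v2", b"env"),
}
# A board whose firmware is release-B and whose U-Boot env was changed by its user.
DUMP_CLEAN = _make_image(b"SECURE-FW v1", b"A53-FW v2", b"env changed by user")
# A board with a modified a53-firmware and something written into unused space.
DUMP_TAMPERED = _make_image(b"SECURE-FW v1", b"A53-FW v2 + patch", b"env", extra=b"payload")

if __name__ == "__main__":
    table = build_reference_table(KNOWN_RELEASES)
    for label, dump in (("clean", DUMP_CLEAN), ("tampered", DUMP_TAMPERED)):
        print(label, classify_dump(dump, table), "stray:", stray_data(dump))
```

Run against a real dump, `classify_dump` answers the practical question of which release each region corresponds to without needing a single whole-flash image, and `stray_data` flags writes outside the partition table that a release-by-release hash comparison would never look at. The U-Boot environment is expected to differ from any reference once the device has been configured, so an empty match list for that partition is not by itself evidence of tampering.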