https://blog.rickmark.me/untitled/
sbl1.mbn – Secondary Bootloader (after ROM PBL)
qdsp6sw.mbn – Qualcomm Hexagon Digital Signal Processor (non-ARM core)
tz.mbn – Qualcomm TrustZone Implementation – QSEE
hyp.mbn – Qualcomm Hypervisor Execution Environment – QHEE – EL2
xbl_cfg.mbn – For XBL (eXtensible Boot Loader) or EFI based SPL signed static data
restoresbl1.mbn – Secondary program loader (bootloader) for baseband recovery
acdb.mbn – Accessory Calibration Database (seems to be initial)
apps.mbn – Userland baseband applications
rpm.mbn – Rollback prevention manager
wdt.mbn – Watchdog Timer
mba.mbn – QURT – Qualcomm Realtime OS Kernel image
MBN Signature Format
Contains a C-struct-style header, followed by hashes, a signature and a certificate chain.
MBNs are ill-designed because the ELF header contains the offset to the signature region, which in turn signs the ELF header, creating a circular dependency.
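Added example (not code from this post or from Qualcomm): a bounds-checked C reader for the header, hash rows and signature laid out as described here. It assumes the fixed fields listed under Header Region are twelve packed little-endian uint32 values (0x30 bytes), followed by extra and then the hash rows; mbn_view_t, mbn_parse and the error codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

#define MBN_FIXED_HDR 0x30u  /* assumption: twelve packed uint32 fields */
#define SHA384_LEN    48u    /* row size for hash_type 6 */

typedef struct {
    uint32_t rows;        /* derived from hash_size: the notes report hash_rows == 0 with hashes present */
    uint32_t empty_rows;  /* all-zero rows mark an empty region, not a digest */
    size_t   hash_off;    /* first hash row */
    size_t   sig_off;     /* signature, directly after the hash rows */
    uint32_t sig_len;
} mbn_view_t;

/* Little-endian read, independent of host byte order and alignment. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, or a negative code naming the check that failed. */
int mbn_parse(const uint8_t *buf, size_t len, mbn_view_t *v) {
    if (len < MBN_FIXED_HDR) return -1;               /* truncated header */
    uint32_t hash_type = rd32(buf + 0x04);
    uint32_t total     = rd32(buf + 0x10);            /* hash_and_signature_size */
    uint32_t hash_size = rd32(buf + 0x14);
    uint32_t sig_size  = rd32(buf + 0x1C);            /* signature_size */
    uint32_t extra     = rd32(buf + 0x2C);            /* extra_size */

    if (hash_type != 6) return -2;                    /* only SHA2-384 handled */
    if (hash_size % SHA384_LEN != 0) return -3;       /* partial hash row */
    /* Sizes come from the file: add in 64 bits so they cannot wrap. */
    if ((uint64_t)hash_size + sig_size > total) return -4;
    if ((uint64_t)MBN_FIXED_HDR + extra + total > len) return -5;

    v->hash_off = (size_t)MBN_FIXED_HDR + extra;
    v->sig_off  = v->hash_off + hash_size;
    v->sig_len  = sig_size;
    v->rows     = hash_size / SHA384_LEN;
    v->empty_rows = 0;
    for (uint32_t r = 0; r < v->rows; r++) {
        const uint8_t *row = buf + v->hash_off + (size_t)r * SHA384_LEN;
        uint8_t acc = 0;
        for (size_t i = 0; i < SHA384_LEN; i++) acc |= row[i];
        if (acc == 0) v->empty_rows++;                /* caller must skip, not compare */
    }
    return 0;
}
```

A verifier built on this should treat empty_rows as "no segment to hash" and never accept an all-zero row as matching a computed digest.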
Header Region
#include <stdint.h>

// Likely depends on hash type - samples found stated PK algorithm secp384r1 having a signature size of 384 - deterministic noncing?
// does this lead to a potential leak of private key with double nonce values?
#define HASH_TYPE_SIZE 48 // assumed: SHA2-384 digest length in bytes (hash_type 6)

typedef struct {
    uint8_t hash[HASH_TYPE_SIZE]; // Unfortunately they used all zeros to encode an empty region instead of hash of zeros...
                                  // This seems to always be true of the signature area (b01) but also of other regions?
} mbn_hash_row_t;

typedef enum {
    kSHA2_384 = 0x06
} mbn_hash_type_t;

typedef struct {
    uint32_t hash_rows;               // Number of hash rows - samples with 0 have hashes but no signature... and 0xFFFFFFFF for
                                      // pk_hash. It also has hash rows, perhaps it's a problem via multiple verification paths?
    mbn_hash_type_t hash_type;        // 6 - SHA2-384?
    uint32_t unknown_0;               // = 0 (field unnamed in these notes; placeholder name)
    uint32_t unknown_1;               // = 0 (field unnamed in these notes; placeholder name)
    uint32_t hash_and_signature_size; // Little endian - data following header and extra
    uint32_t hash_size;               // size in bytes of hash type row size * rows - signature follows
    uint32_t pk_hash_one;             // ? = 0xFFFFFFFF / 0xA803708F
    uint32_t signature_size;          // Size of ASN.1 signature following hash list
    uint32_t pk_hash_two;             // ? = 0xFFFFFFFF / 0xA803708F - Usually matches pk_hash_one
    uint32_t some_size;               // Some header item size or possibly align value?
    uint32_t unknown_2;               // = 0 (field unnamed in these notes; placeholder name)
    uint32_t extra_size;              // Seems to be 0x78 bytes long... 64bit extension?
    // Variable-length data follows the fixed fields (sizes are only known at run time):
    //   uint8_t extra[extra_size];
    //   mbn_hash_row_t hashes[hash_rows];
} mbn_header_t;

typedef struct {