tiny4412下的Exynos4412 iROM 启动分析
2016-02-21 22:27
281 查看
参考文档Android_Exynos4412_iROM_Secure_Booting_Guide_Ver.1.00.00
(网上并没有真正的4412iROM文档,我是参考4212和s5pv210以及现有启动文件制作源码分析得出下面所有结论的)
2.用checksum验证bl1完整性
3.(可选)解密bl1
4.跳转到bl1 运行
iROM code(iROM Bootloader) of Exynos4212 confirms to download the BL1 image with checksum, verifies
the integrity of the secure BL1 image, decrypts the secure BL1 image, and then iROM goes to BL1.
6.三星提供的bl1会引导bl2到iRAM。它对bl2有如下要求:
@ bl2在烧录位置上固定在bl1之后,大小为14k.
@ 最后一个4字节是之前的checksum。
------------------------------
| | |
| bl1 8k | bl2 14k |....
| | |
------------------------------
for(i = 0;i < (14 * 1024) - 4;i++)
{
checksum += (unsigned char)(Buf[i]);
}
*(unsigned int*)(Buf+i) = checksum;
# sdcard 512bytes/section first sec must be reserved
# reserved(0 sec) bl1 8k(1-16 sec) bl2 14k(17-44 sec)
-------------------------------------
| | | |
|512b | bl1 8k | bl2 14k |.....
| | | |
-------------------------------------
所以,在尚未有有效方法通过u-boot的串口、USB、以太网接口将程序直接download到 DRAM中的情况下:
生成位置无关码,伪装成bl2 烧写到sd card 是裸机运行的一个替代方式。
sd_fusing_bl2.sh /dev/sdb bl2name
1.提前准备好bl1(E4412_N.bl1.bin)
2.提前准备好bl2(根据E4412_N.bl1.bin的需要,bl2被设计成14k大小,0至14k-2 是主体部分,有效字节顺序填充,无效空白字节填0x00,最后一个字节(14k-1)填写校验和)
3.烧录bl1,bl2到sd卡。
note:sd卡的一页512bit
section 0 被保留
section 1-16 烧录bl1
section 17-44 烧录bl2
命令如下:
(for bl1): dd iflag=dsync oflag=dsync bs=512 if=./E4412_N.bl1.bin of=/dev/sdX seek=1
(for bl2): dd iflag=dsync oflag=dsync bs=512 if=./bl2.bin of=/dev/sdX seek=17
2. sd_fusing_bl1_bl2.sh
(网上并没有真正的4412iROM文档,我是参考4212和s5pv210以及现有启动文件制作源码分析得出下面所有结论的)
一、iROM 验证BL1流程
1.拷贝bl1到内存2.用checksum验证bl1完整性
3.(可选)解密bl1
4.跳转到bl1 运行
iROM code(iROM Bootloader) of Exynos4212 confirms to download the BL1 image with checksum, verifies
the integrity of the secure BL1 image, decrypts the secure BL1 image, and then iROM goes to BL1.
二、BL1 验证 BL2
5.bl1 是三星提供当然有机会可以试着自己写。这个是8k bytes6.三星提供的bl1会引导bl2到iRAM。它对bl2有如下要求:
@ bl2在烧录位置上固定在bl1之后,大小为14k.
@ 最后一个4字节是之前的checksum。
------------------------------
| | |
| bl1 8k | bl2 14k |....
| | |
------------------------------
for(i = 0;i < (14 * 1024) - 4;i++)
{
checksum += (unsigned char)(Buf[i]);
}
*(unsigned int*)(Buf+i) = checksum;
三、SD CARD 内的存储
# sd_fusing /dev/sdx app_path# sdcard 512bytes/section first sec must be reserved
# reserved(0 sec) bl1 8k(1-16 sec) bl2 14k(17-44 sec)
-------------------------------------
| | | |
|512b | bl1 8k | bl2 14k |.....
| | | |
-------------------------------------
所以,在尚未有有效方法通过u-boot的串口、USB、以太网接口将程序直接download到 DRAM中的情况下:
生成位置无关码,伪装成bl2 烧写到sd card 是裸机运行的一个替代方式。
四、裸机烧录bl1 bl2
使用appdir下配置好的sd_fusing_bl1_bl2.sh和sd_fusing_bl2.shsd_fusing_bl2.sh /dev/sdb bl2name
1.提前准备好bl1(E4412_N.bl1.bin)
2.提前准备好bl2(根据E4412_N.bl1.bin的需要,bl2被设计成14k大小,0至14k-2 是主体部分,有效字节顺序填充,无效空白字节填0x00,最后一个字节(14k-1)填写校验和)
3.烧录bl1,bl2到sd卡。
note:sd卡的一页512bit
section 0 被保留
section 1-16 烧录bl1
section 17-44 烧录bl2
命令如下:
(for bl1): dd iflag=dsync oflag=dsync bs=512 if=./E4412_N.bl1.bin of=/dev/sdX seek=1
(for bl2): dd iflag=dsync oflag=dsync bs=512 if=./bl2.bin of=/dev/sdX seek=17
五、参考代码
1.V310-EVT1-mkbl2_from_app.c/* * Copyright (c) 2010 Samsung Electronics Co., Ltd. * http://www.samsung.com/ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ #include <stdio.h> #include <string.h> #include <stdlib.h> int main (int argc, char *argv[]) { FILE *fp; unsigned char src; char *Buf, *a; int BufLen; int nbytes, fileLen; unsigned int checksum = 0; int i; if (argc != 4) { printf("Usage: mkbl1 <source file> <destination file> <size> \n");/*因为没有bl1源码,依据已有的成功案例,size被我写死为14*1024*/ return -1; } BufLen = atoi(argv[3]); BufLen = 14*1024;/*因为没有bl1源码,依据已有的成功案例,size被我写死为14*1024*/ Buf = (char *)malloc(BufLen); memset(Buf, 0x00, BufLen); fp = fopen(argv[1], "rb"); if( fp == NULL) { printf("source file open error\n"); free(Buf); return -1; } #if 0 fseek(fp, 0L, SEEK_END); fileLen = ftell(fp); fseek(fp, 0L, SEEK_SET); if ( BufLen > fileLen ) { printf("Usage: unsupported size\n"); free(Buf); fclose(fp); return -1; } #endif nbytes = fread(Buf, 1, BufLen, fp); if ( nbytes <0 ) { printf("source file read error\n"); free(Buf); fclose(fp); return -1; } fclose(fp); for(i = 0;i < (14 * 1024) - 4;i++) { checksum += (unsigned char)(Buf[i]); } *(unsigned int*)(Buf+i) = checksum; fp = fopen(argv[2], "wb"); if (fp == NULL) { printf("destination file open error\n"); free(Buf); return -1; } a = Buf; nbytes = fwrite( a, 1, BufLen, fp); if ( nbytes != BufLen ) { printf("destination file write error\n"); free(Buf); fclose(fp); return -1; } free(Buf); fclose(fp); return 0; }
2. sd_fusing_bl1_bl2.sh
# # Copyright (C) 2011 Samsung Electronics Co., Ltd. # http://www.samsung.com/ # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as # published by the Free Software Foundation. # #################################### # sd_fusing /dev/sdx app_path # sdcard 512bytes/section first sec must be reserved # reserved(0 sec) bl1 8k(1-16 sec) bl2 14k(17-44 sec) if [ -z $1 ] then echo "usage: ./sd_fusing.sh <SD Reader's device file> <app_path>" exit 0 fi if [ -b $1 ] then echo "$1 reader is identified." else echo "$1 is NOT identified." exit 0 fi if [ -z $2 ] then echo "usage: ./sd_fusing.sh <SD Reader's device file> <app_path>" exit 0 fi if [ -f $2 ] then echo "$2 path is identified." else echo "$2 is NOT identified as a app_path." exit 0 fi #################################### #<verify device> BDEV_NAME=`basename $1` BDEV_SIZE=`cat /sys/block/${BDEV_NAME}/size` if [ ${BDEV_SIZE} -le 0 ]; then echo "Error: NO media found in card reader." exit 1 fi if [ ${BDEV_SIZE} -gt 32000000 ]; then echo "Error: Block device size (${BDEV_SIZE}) is too large" exit 1 fi #################################### # check files #E4412_UBOOT=../../u-boot.bin MKBL2=./mkbl2 if [ ! -f $2 ]; then echo "Error: app NOT found, please build it & try again." exit -1 fi if [ ! -f ${MKBL2} ]; then echo "Error: can not find host tool - mkbl2, stop." exit -1 fi #<make bl2> ${MKBL2} $2 bl2.bin 14336 #################################### # fusing images signed_bl1_position=1 bl2_position=17 #uboot_position=49 #tzsw_position=705 #<BL1 fusing> echo "---------------------------------------" echo "BL1 fusing" dd iflag=dsync oflag=dsync if=./E4412_N.bl1.bin of=$1 seek=$signed_bl1_position #<BL2 fusing> echo "---------------------------------------" echo "BL2 fusing" dd iflag=dsync oflag=dsync if=./bl2.bin of=$1 seek=$bl2_position #<u-boot fusing> #echo "---------------------------------------" #echo "u-boot fusing" #dd iflag=dsync oflag=dsync if=${E4412_UBOOT} of=$1 seek=$uboot_position #<TrustZone S/W fusing> #echo "---------------------------------------" #echo "TrustZone S/W fusing" #dd iflag=dsync oflag=dsync if=./E4412_tzsw.bin of=$1 seek=$tzsw_position #<flush to disk> sync #################################### #<Message Display> echo "---------------------------------------" echo "Image is fused successfully." echo "Eject SD card and insert it again."
相关文章推荐
- Js实现深拷贝和浅拷贝
- andorid 短信
- 使用Clean架构开发Android应用详细指南
- An App ID with Identifier is not available. Please enter a different string
- java 多线程 CountDownLatch用法
- 工厂模式
- java基础之数组常见问题分析
- php生成图片文字水印
- 单例模式
- case...when语句使用
- PHP知识点——2
- PHP知识点——1
- C# 7 新特性-1
- 重新生成和组织索引
- 18-题目1069:查找学生信息
- python基础学习,基础语法总结
- iscsi 挂载网络存储及存储访问
- 【机房合作】单例模式实战
- Microsoft(R) Developer Studio 已停止工作 解决办法(1)
- Sublime Text 3 破解版 + 注册机 + 汉化包(转自 http://www.cnsecer.com/251.html)