tiny4412下的Exynos4412 iROM 启动分析

参考文档Android_Exynos4412_iROM_Secure_Booting_Guide_Ver.1.00.00

（网上并没有真正的4412iROM文档，我是参考4212和s5pv210以及现有启动文件制作源码分析得出下面所有结论的）

一、iROM 验证BL1流程

1.拷贝bl1到内存

2.用checksum验证bl1完整性

3.（可选）解密bl1

4.跳转到bl1 运行

iROM code(iROM Bootloader) of Exynos4212 confirms to download the BL1 image with checksum, verifies

the integrity of the secure BL1 image, decrypts the secure BL1 image, and then iROM goes to BL1.

二、BL1 验证 BL2

5.bl1 是三星提供当然有机会可以试着自己写。这个是8k bytes

6.三星提供的bl1会引导bl2到iRAM。它对bl2有如下要求：

@ bl2在烧录位置上固定在bl1之后,大小为14k.

@ 最后一个4字节是之前的checksum。

------------------------------

| | |

| bl1 8k | bl2 14k |....

| | |

------------------------------

for(i = 0;i < (14 * 1024) - 4;i++)

{

checksum += (unsigned char)(Buf[i]);

}

*(unsigned int*)(Buf+i) = checksum;

三、SD CARD 内的存储

# sd_fusing /dev/sdx app_path

# sdcard 512bytes/section first sec must be reserved

# reserved(0 sec) bl1 8k(1-16 sec) bl2 14k(17-44 sec)

-------------------------------------

| | | |

|512b | bl1 8k | bl2 14k |.....

| | | |

-------------------------------------

所以，在尚未有有效方法通过u-boot的串口、USB、以太网接口将程序直接download到 DRAM中的情况下：

生成位置无关码，伪装成bl2 烧写到sd card 是裸机运行的一个替代方式。

四、裸机烧录bl1 bl2

使用appdir下配置好的sd_fusing_bl1_bl2.sh和sd_fusing_bl2.sh

sd_fusing_bl2.sh /dev/sdb bl2name

1.提前准备好bl1（E4412_N.bl1.bin）

2.提前准备好bl2（根据E4412_N.bl1.bin的需要，bl2被设计成14k大小，0至14k-2 是主体部分，有效字节顺序填充，无效空白字节填0x00,最后一个字节（14k-1）填写校验和）

3.烧录bl1,bl2到sd卡。

note：sd卡的一页512bit

section 0 被保留

section 1-16 烧录bl1

section 17-44 烧录bl2

命令如下：

(for bl1): dd iflag=dsync oflag=dsync bs=512 if=./E4412_N.bl1.bin of=/dev/sdX seek=1

(for bl2): dd iflag=dsync oflag=dsync bs=512 if=./bl2.bin of=/dev/sdX seek=17

五、参考代码

1.V310-EVT1-mkbl2_from_app.c

/*
* Copyright (c) 2010 Samsung Electronics Co., Ltd.
*              http://www.samsung.com/ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main (int argc, char *argv[])
{
FILE		*fp;
unsigned char	src;
char		*Buf, *a;
int		BufLen;
int		nbytes, fileLen;
unsigned int	checksum = 0;
int		i;

if (argc != 4)
{
printf("Usage: mkbl1 <source file> <destination file> <size> \n");/*因为没有bl1源码，依据已有的成功案例，size被我写死为14*1024*/
return -1;
}

BufLen = atoi(argv[3]);
BufLen = 14*1024;/*因为没有bl1源码，依据已有的成功案例，size被我写死为14*1024*/
Buf = (char *)malloc(BufLen);
memset(Buf, 0x00, BufLen);

fp = fopen(argv[1], "rb");
if( fp == NULL)
{
printf("source file open error\n");
free(Buf);
return -1;
}
#if 0
fseek(fp, 0L, SEEK_END);
fileLen = ftell(fp);
fseek(fp, 0L, SEEK_SET);

if ( BufLen > fileLen )
{
printf("Usage: unsupported size\n");
free(Buf);
fclose(fp);
return -1;
}
#endif
nbytes = fread(Buf, 1, BufLen, fp);

if ( nbytes <0 )
{
printf("source file read error\n");
free(Buf);
fclose(fp);
return -1;
}

fclose(fp);

for(i = 0;i < (14 * 1024) - 4;i++)
{
checksum += (unsigned char)(Buf[i]);
}
*(unsigned int*)(Buf+i) = checksum;

fp = fopen(argv[2], "wb");
if (fp == NULL)
{
printf("destination file open error\n");
free(Buf);
return -1;
}

a	= Buf;
nbytes	= fwrite( a, 1, BufLen, fp);

if ( nbytes != BufLen )
{
printf("destination file write error\n");
free(Buf);
fclose(fp);
return -1;
}

free(Buf);
fclose(fp);

return 0;
}

2. sd_fusing_bl1_bl2.sh

#
# Copyright (C) 2011 Samsung Electronics Co., Ltd.
#              http://www.samsung.com/ #
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
####################################
# sd_fusing /dev/sdx app_path
# sdcard 512bytes/section first sec must be reserved
# reserved(0 sec) bl1 8k(1-16 sec) bl2 14k(17-44 sec)
if [ -z $1 ]
then
echo "usage: ./sd_fusing.sh <SD Reader's device file> <app_path>"
exit 0
fi

if [ -b $1 ]
then
echo "$1 reader is identified."
else
echo "$1 is NOT identified."
exit 0
fi

if [ -z $2 ]
then
echo "usage: ./sd_fusing.sh <SD Reader's device file> <app_path>"
exit 0
fi

if [ -f $2 ]
then
echo "$2 path is identified."
else
echo "$2 is NOT identified as a app_path."
exit 0
fi
####################################
#<verify device>

BDEV_NAME=`basename $1`
BDEV_SIZE=`cat /sys/block/${BDEV_NAME}/size`

if [ ${BDEV_SIZE} -le 0 ]; then
echo "Error: NO media found in card reader."
exit 1
fi

if [ ${BDEV_SIZE} -gt 32000000 ]; then
echo "Error: Block device size (${BDEV_SIZE}) is too large"
exit 1
fi

####################################
# check files

#E4412_UBOOT=../../u-boot.bin
MKBL2=./mkbl2

if [ ! -f $2 ]; then
echo "Error: app NOT found, please build it & try again."
exit -1
fi

if [ ! -f ${MKBL2} ]; then
echo "Error: can not find host tool - mkbl2, stop."
exit -1
fi

#<make bl2>
${MKBL2} $2 bl2.bin 14336

####################################
# fusing images

signed_bl1_position=1
bl2_position=17
#uboot_position=49
#tzsw_position=705

#<BL1 fusing>
echo "---------------------------------------"
echo "BL1 fusing"
dd iflag=dsync oflag=dsync if=./E4412_N.bl1.bin of=$1 seek=$signed_bl1_position

#<BL2 fusing>
echo "---------------------------------------"
echo "BL2 fusing"
dd iflag=dsync oflag=dsync if=./bl2.bin of=$1 seek=$bl2_position

#<u-boot fusing>
#echo "---------------------------------------"
#echo "u-boot fusing"
#dd iflag=dsync oflag=dsync if=${E4412_UBOOT} of=$1 seek=$uboot_position

#<TrustZone S/W fusing>
#echo "---------------------------------------"
#echo "TrustZone S/W fusing"
#dd iflag=dsync oflag=dsync if=./E4412_tzsw.bin of=$1 seek=$tzsw_position

#<flush to disk>
sync

####################################
#<Message Display>
echo "---------------------------------------"
echo "Image is fused successfully."
echo "Eject SD card and insert it again."