Archive

Posts Tagged ‘bootloader’

Hacking ARM TrustZone / Secure Boot on Amlogic S905 SoC

October 6th, 2016 4 comments

Amlogic S905 processor used in many Android TV boxes and ODROID-C2 development board implements ARM TrustZone security extensions to run a Trusted Execution Environment (TEE) used for DRM & other security features.

amlogic-s905-security

He explains the steps they went through and how they managed to exploit vulnerability to bypass secure boot in a detailed technical blog post.

They first started by looking for info in Amlogic S905 datasheet, but most info about TrustZone had been removed from the public version. So not that much help here except a potential address for BOM Root (ROMBOOT_START   0xD9040000). The next step was to connect the UART pins in order to access the serial console, but he could not read the BootROM from there most probably because you can’t access secure code from an non-secure memory.

However, a closer look at the boot log lead them to find the bootloaders were based on the ARM Trusted Firmware (ATF) reference implementation, which include BL1x (BootROM in SoC), BL2, and BL3x bootloaders as shown in the diagram below.

arm-trusted-firmware-architecture

At this point everything becomes much more technical, as he explains various attempts using U-Boot bootloader, SMC (Secure Monitor Call) interface, and bypassing the Secure Boot chain. The first attempt was a non-stater, the second could have been exploitable but might have required some expert skills and time, but the third one was successful after an analysis of  the mechanism used by BL2 to parse and authenticate the BL31 image, and finding out the cryptographic code came from OSS PolarSSL/mbed TLS project.

Further reverse-engineering of the “authentication” header revealed that BL2 is only using SHA-256 hash to verify the integrity of the firmware, and that there’s no actually authentication. To confirm their findings, they customized a BL31 firmware, updated the SHA-256 hash (using aml-bootloader-tool script), and it would boot, and eventually they managed to dump the BootROM from Amlogic S905 SoC.

That’s the conclusion:

The S905 SoC provides hardware features to support Secure Boot, however OEMs can still choose to enable it or not. But even when Secure Boot is enforced, a flaw in the current version of Amlogic’s BL2 allows to bypass it. So Trusted Execution Environment cannot be trusted. The good news is BL2 can be patched, unlike BootROM.

Raspberry Pi Bootloader License Precludes it to Run on Competing Broadcom BCM283x Boards

July 19th, 2016 17 comments

Yesterday I wrote about ArduCAM Raspberry Pi compatible module, that packs most of the features of Raspberry Pi Zero or Pi Compute module into a 24x24mm board, and is based on Broadcom BCM2835 processor. One person also started a thread on Raspberry Pi forums about the tiny module, and one of the Raspberry Pi engineer and forum moderator replied that will would breach the bootloader license.

Raspberry_Pi_Bootloader_LicenseThe important part is the sentence highlighted above:

This software may only be used for the purpose of developing for, running or using a Raspberry Pi device.

ArduCAM module is only Raspberry Pi compatible, so it would indeed breach the license, and you can get into troubles if you planned to use that module in a commercial project, especially in countries where IP protection is taking seriously.

This raises a few questions. First why did the Raspberry Pi foundation chose that restrictive license? The obvious answer would be to protect there investment, but it’s also possible that since the bootloader and firmware is related to the GPU, video codec license may also have been a part of the decision.

The other issues is that after ordering 5K Broadcom BCM2835 processors for the first run of their ODROID-W module, Broadcom decided not to sell the processor anymore to Hardkernel subsequently. The exact reason is not known, but there are speculations that it was because of the Raspberry Pi foundation, and the license above may have been a reason for it. So could this also happen to ArduCAM? In theory yes, but If I’m not mistaken the company is based in China, and there are multiple smaller distributors, but it may not be quite as easy for Broadcom to block them.

The final question I has is whether it could possible to legally use the board without using the bootloader. Maybe… thanks to Kristina Brooks work on an open source bootloader for Raspberry Pi, released under BSD and GPLv2+, and not including any “Raspberry Pi only” conditions. There are some serious caveats such as no support for video codecs (licenses are part of it too), and while it can boot Linux, some things are broken.

If you are based in mainland China, and your customers are all based there, you probably don’t have to care about any of this, but in the western world, commercial projects should probably keep using official Raspberry Pi parts, or other solutions not involving Broadcom processors, nor official Raspberry Pi OS images.

Preliminary Open Source Bootloader for Raspberry Pi Boards Released

May 16th, 2016 9 comments

Raspberry Pi boards require a closed-source binary to boot. I understand it this is handled by VideoCore IV GPU,  and so  far the Raspberry Pi foundation are not release source code for the bootloader, possibly due to legal reason (e.g. NDA to Broadcom). But I noticed people chatting about an open source bootloader for Raspberry Pi on sunxi-linux IRC channel.

Raspberry_Pi-3

The bootloaded called rpi-open-firmware has been developed by Kristina Brooks (christinaa), who previously did some work on the VideoCore IV GPU, as you can see on her blog and github account.

Kristina describe the project as follows:

This is a small firmware for RPi VPU (VideoCore4) versions 1/2/3 that is capable of initializing VPU PLL (PLLC), UART, SDRAM and ARM itself. It’s intended to be used instead of stock bootcode.bin on RPi’s SD card. You need to have UART to see anything meaningful as far as output goes.

This has been tested on RPi1 Model B (Hynix PoP DDR), RPi 2 Model B and RPi 3 Model B (both Elpida DDR).

Bear in mind that this is all work in progress, and it’s not capable of booting Linux right now. The media part of the VPU is also not handled by this driver, and probably never will. There are multiple license used for the code, with some source  licensed under “Broadcom Corporation”, which the license explains is itself released under a BSD 3-Clause License, as well as code released under GPLv2+.

You can check the code and instructions on Github. There’s also a discussion in Hacker News with some more bits of info.

MYiR Tech Announces Low Cost Rico and Z-turn Boards Powered by TI AM437x and Xilinx Zynq-7010 SoCs

March 3rd, 2015 7 comments

Shenzhen based MYIR Tech has just launched two new single board computers with Rico board featuring Texas Instruments Sitara AM437x ARM Cortex A9 industrial processor, and Z-Turn board based on Xilinx Zynq-7010 ARM Cortex A9 + FPGA SoC. Both boards sell for $99 in single quantity.

Rico Board

Rico_BoardSpecifications:

  • SoC – Texas Instruments AM4379 single core ARM Cortex A9 processor @ 1.0GHz with PowerVR SGX530 GPU, and 4x PRU @ 200 MHz. Other AM437x on request.
  • System Memory – 512MB DDR3 (Options: 256MB or 1GB)
  • Storage – 4GB eMMC, 256 or 512 MB NAND flash (reserved), 16MB QSPI flash, 32KB EEPROM, and micro SD slot
  • Video Output – HDMI and LCD interfaces (LCD connector located on bottom of the board).
  • Connectivity  – 10/100/1000 Mbps Ethernet
  • USB – 1x mini USB 2.0 device port, 1x USB 2.0 host post
  • Camera – 2x 30-pin camera interface
  • Debugging – 1x debug serial port, 1x 20-pin JTAG interface, 1x 14-pin JTAG interface
  • Expansion Headers – 2x 40-pin headers with access to 2x SPI, 2x I2C, 2x CAN, 4x UARTs, 1x MMC, and 8x ADC
  • Misc – 4x buttons (reset, power, and 2x user), 5x LEDs (reset, power, and 3x user), boot selection jumpers
  • Power Supply – 5V/2A power barrel
  • Dimensions – 100 x 65 x 1.6  mm (8-layer PCB)
  • Temperature Range – 0 to 70°C

Rico_Board_DescriptionThe company provides a Linux 3.14.0 SDK for the board with the source code for the bootloaders (SPL and U-boot), the kernel and relevant drivers, and buildroot build system, as well as a complete hardware development kit that includes a Rico Board, various cables, a 4GB micro SD card, a 5V/2A power adapter, and an optional 7-inch LCD Module with capacitive touch screen. Source code is provided with a CD that comes with the board.

You can find more information and order the board or kit on MYiR Tech Rico Board product page. The kit sells for $139, and you’ll need to add $99 for the 7″ touchscreen display.

Z-Turn Board

Z-Turn_Board
MYS-XC7010 / MYS-XC7020 boards specifications:

  • SoC – Xilinx XC7Z010-1CLG400C (Zynq-7010) with two ARM Cortex A9 cores @ 667 MHz, Artix-7 FPGA fabric with 28K logic cells, 17,600 LUTs, 80 DSP slices. Zilinx Zynq-7020 optional.
  • System Memory – 1 GB of DDR3 SDRAM (2 x 512MB, 32-bit)
  • Storage – 16MB SPI flash, 512 NAND flash (reserved), and a micro SD slot
  • Video Output – HDMI up to 1080p
  • Connectivity – 10/100/1000M Ethernet
  • USB – 1x mini USB 2.0 OTG port
  • Debugging – USB-UART debug interface, 14-pin JTAG interface
  • User I/O (via two SMT female connector on the bottom of the board) – 90/106 user I/O (7010/7020), configurable as up to 39 LVDS pairs, or I/Os such as SPI. I2C, LCD, camera, CAN, Ethernet, etc…
  • Sensors – 3-axis acceleration sensor and temperature sensor
  • Misc – CAN interface, 2x buttons (reset and user), boot selection jumpers, 5x LEDs, 1x Buzzer
  • Power – 5V via USB, or 5V/2V power barrel
  • Dimensions – 102 x 63 x 1.6 mm (8-layer PCB)

Z-Turn_Board_Description
A Linux 3.15.0 SDK is provided with gcc 4.6.1, a binary bootloader, the source code for the kernel and drivers, and a minimal ramdisk and Ubuntu Desktop 12.04 root file systems.

MYiR Tech newsletter claims the board sells for $99, but on the product page, you’ll only find a complete kit with the board, cables, a 4GB micro SD card, a power supply, and CD for source code and documentation for $139, the same price as the TI Sitara kit. Z-Turn board is somewhat similar to the $189 ($125 for education) ZYBO board, so it’s probably the most cost-effective Zynq board available to date.

AllWinner Linux-sunxi Community Presentation and Status Report – FOSDEM 2014

February 17th, 2014 11 comments

Oliver Schinagl, a member of linux-sunxi community working on open source kernel and bootloader for AllWinner SoCs, has given a presentation of the community at FOSDEM 2014 to give an overview, and show what progress has been made to date. I’ll write a summary in this post, but if you want to watch the video and/or access the slides scroll down at the bottom of the post.

AllWinner_sunxi-linux_fosdem_2014After explaining what sunxi is, and introducing himself, he gave some information about AllWinner and their SoCs:

  • Founded in 2007 in Zhuhai, Chiang now with 550 employees including 450+ engineers
  • 15% market share in 2013 for tablet SoCs, only behind Apple.
  • Products: F-series SoC (2010), A10 (2011), A13, A10s (2012), and A20 (2013). (cnsoft He skipped A31(s) and A80 here as they are not really supported by the community).
  • They list “Open Source Source” and “GPLv3” in their marketing materials although they clearly violate GPL in some part of the code. Progress is slowly being made however.

Sunxi community was born out of arm-netbook community working on EOMA68 boards in order to specifically target AllWinner SoCs, and now count over 600 mailing list subscribers (Google Group), 130 in IRC (#linux-sunxi), but only around 20 active developers.

Oliver then talks about the progress and status of different part of the software:

  • Bootloader
    • U-boot (lichee) NAND-only released by AllWinner, but requiring boot0/boot1 that were binary only until a source code release recently.
    • U-boot (sunxi) MMC / SDCard only, developed by the community, and preferred bootloader as it boots from SD card.
    • Barebox
    • Initial work on Coreboot
  • Operating Systems – Linux, FreeBSD, Tizen, Firefox OS and Minix (Interest only)
  • Distributions:
    • Fedora 18/19 maintained by a Red Hat employee in his spare time, and the best supported distro right now according to Oliver
    • Others – Linaro ALIP, Arch / Gentoo, Debian / (X)Ubuntu, (Xen).

Interestingly one important OS is missing: Android. The main reason is because there’s no community around Android with sunxi, but there’s still minimal work being done on Replicant/CyanogenMod, and AllWinner SDK for Android has been released.

He then goes through the different Linux kernel and branches on linux-sunxi github repo:

  • Lichee 3.0, 3.3 and 3.4 (with some 3.8 backport) from AllWinner. Some code in 3.4 version comes from sunxi linux work
  • Sunxi 3.0 (deprecated), 3.4 (maintenance), experimental 3.10 (Long term support kernel, likely to be used by Android 5.0, with AllWinner SoC support in mainline, and features like KVM and CMA),
  • Mainline kernel with two branches: sunxi-devel (latest code) and sunxi-next (with patches accepted into mainline). All mainline work has been done by the community, with no involvement from AllWinner. Currently CPU, interrupts, Timers, RTC, Watchdog (also used for reset), Ethernet and I2C are working, and you can boot a headless server. More info @ http://linux-sunxi.org/Linux_mainlining_effort.

He also talked of FEX files, the configuration files for AllWinner SoCs, that have a functionality similar to device tree, and in kernel 3.10 both device tree and fex files are supported. There’s also a tool called sunxi-babelfish that converts fex files into device tree files.

That’s all of the open source software part of the talk, and next is a list of hardware for playing around with AllWinner SoCs:

  • Olimex LIME board, fully open source hardware
  • Cubieboard 1 & 2, with schematics (PDF), but not all files to be fully open source hardware
  • EOMA68 / Improv. Improv, the baseboard, is open source hardware, but EOMA68 is not yet, although it should become open source hardware once the company (QiMod) gets back its initial investment
  • If you don’t have one of the three development platform above, you can also use one of the many tablets, media players, or HDMI TV stick available on the market.

AllWinner based device are unbrickable, as they can always to booted from a micro SD or SD card, and if no SD card is available, you can use FEL-mode to access the board via USB.

So all in all there’s currently good support for sun4i (A10), sun5i (A10s and A13) and sun7i (A20) SoCs, and it could even become FSF endorsable, but nothing is perfect, as the community is not really involved in A31, A31s and A80 development as these are based on PowerVR GPU, with no hope of ever getting open source GPU drivers in Linux, and there are binary blobs with Mali GPU (3D), GPS, and touchscreen drivers, and the Boot ROM (BROM) and CedarX libraries (APU/VPU) are only available in binary format.  There’s however work on open source Mali GPU driver (Limare) which could be usable this year, and there’s reverse engineering work being done for video decoding.

Oliver shows a demo of hardware video playback with a 100% open source implementation, capable of even playing files not supporting by the official binary only version, and gets a around of applause when he announces the complete presentation was done on an AllWinner board.

The talks ends with detailing the different ways you can contribute to the community: editing the Wiki, adding new supported devices, helping porting AOSP, CyanogenMod, Ubuntu Touch or Firefox OS, and submitting kernel patches.

The presentation slides are available here.

Geniatech Releases ATV510B Source Code, Teases Dual and Quad Core ATV130 and ATV180 mini PCs

June 7th, 2013 3 comments

XBMCHUB (not affiliated with XBMC) reports that Geniatech has released the Android and Linux source code for ATV510B, one of Geniatech set-top boxes based on AML8726-M3 Cortex A9 processor.

ATV510B is the design used by devices such as Pivos XIOS DS, Jynxbox Android HD, Sumvision Cyclone Nano M3, and MyGica ATV510B Enjoy TV Nano 3, among others. Pivos has made U-boot, Linux and XBMC source code available in github for a little while now, but this new release is a pretty large file (2.39 GB) called xbmcandroid_com-ics-base-M3-20121212.tar.bz2 that includes Android 4.0 source including the kernel and the bootloader. This source code should work with “stvmc” hardware, as found in build.prop’s ro.product.name or ro.product.device keys. I haven’t looked into details, but here’s the content of the root directory of the archive:

Android_4.0_Source_Code_AMLogic

On a separate note, Geniatech also showed the picture below on their Facebook page, with 2 new Android TV Sticks: one based on AML8726-MX with MHL support called ATV130, and the other powered by AML8726-M8 quad core processor called ATV180.

Geniatech_ATV130_ATV180

ATV130 just looks like an improved design from ATV120, found in products like Droid Stick A2, but ATV180 is a completely new design with AMLogic quad core Cortex A9 processor @ 1.6 to 2.0 GHz, 2GB RAM, 2 to 32 GB Flash, Bluetooth and Wi-Fi. That’s all the public information there’s available for now. AMLogic is quite popular in set-top box form factors, but never really took off in mini PCs, we’ll see if these upcoming products can change that.

Booting Linux in Less Than 1 Second in AllWinner A10 Devices? Yes! You Can!

April 22nd, 2013 6 comments

threewater, a Chinese developer, has just posted a very interesting demo on linux-sunxi mailing list showing a device based on AllWinner A10 boot linux within 0.85s, and if you add a Qt app, the total time is just about 1.2s.

This appears to be a custom hardware (EM6000), but we do know it’s based on AllWinner A10, comes with 512 MB RAM, and 4GB NAND Flash. On the software side, the device runs kernel 3.4 from linux-sunxi, with a customized version of uboot, a squashfs rootfs, and a Qt 4.7.4 app showing a gauge. Both the rootfs (7MB) and the kernel (2MB) have been compressed with LZO. All that boots from NAND flash for optimal speed.

The 1.2 second time includes kernel + rootfs + app time, and the total time is a bit longer, but this is still impressive. Here’s the boot log:

If you just boot to the command line, it’s even faster:

This is not the first time, people have implemented ultra fast boot on ARM hardware, an example is a ~400ms boot on the Beagleboard, but it’s still nice to see what can be achieved thanks to developers’ communities such as linux-sunxi.

The complete details and/or binary files are not available at this time, but if you are interested in Linux fast boot, you may considering checking Adeneo Embedded presentation at ELCE 2012 who did something very similar on Freescale i.MX51 & i.MX 6Q hardware.

VIA Announces $79 APC Rock & $99 APC Paper Cortex A9 Board and PC

January 17th, 2013 7 comments

Following the launch of the $49 APC ARM11 board as a Raspberry Pi alternative last year, VIA has just announced two new APC products based on a WonderMedia WM8950 Cortex A9 processor:

  • APC Rock – $79 Android board
  • APC Paper – $99 Android PC with a case made of recycled cardboard
APC Rock

APC Rock

Both products run Android 4.0 (ICS) and mostly share the same specifications:

  • SoC – VIA WonderMedia WM8950 ARM Cortex-A9 @800Mhz + Mali-400 GPU
  • System Memory – 512 DDR3 SDRAM
  • Storage – 4GB NAND Flash + microUSB slot
  • Video Output – HMDI (Rock & Paper) and VGA (Rock only)
  • Audio I/O – Audio out / Mic in combo
  • Ethernet – 10/100 Mbps
  • USB – USB 2.0 (x2) and microUSB (OTG)
  • 20-pin ARM-JTAG header
  • Extra GPIO, SPI and I2C busses on a header
  • Dimensions (Board) – 170 x 85mm (W x H), Neo-ITX Standard.
APC Paper

APC Paper

APC Paper is basically the same as APC Rock, except it lacks VGA, but comes with a cardboard casing. $20 for a piece of cardboard seems expensive to me…

Documentation, mechanical files, firmware, as well as bootloader, and kernel source codes are available at http://apc.io/library. The ARM11 to Cortex A9 means it will be able to run Ubuntu and other variants (ALIP, lubuntu…), although performance will be limited by the lowly 512 MB of system memory.

APC Rock can be purchased now for US$79, and APC Paper is expected to begin shipping in March of 2013 for US$99. You’ll also have to add between $16 to $25 for shipping depending where you live.