/*************************************************************************** * Copyright (c) 2003-2010, Broadcom Corporation * All Rights Reserved * Confidential Property of Broadcom Corporation * * THIS SOFTWARE MAY ONLY BE USED SUBJECT TO AN EXECUTED SOFTWARE LICENSE * AGREEMENT BETWEEN THE USER AND BROADCOM. YOU HAVE NO RIGHT TO USE OR * EXPLOIT THIS MATERIAL EXCEPT SUBJECT TO THE TERMS OF SUCH AN AGREEMENT. * * $brcm_Workfile: $ * $brcm_Revision: $ * $brcm_Date: $ * * Module Description: * * Revision History: * * $brcm_Log: $ * * ***************************************************************************/ #include "fast_heap.h" #include "memc_access.h" #undef print_string #include "xmodem.h" #include "zlib.h" #include "bchp_sun_top_ctrl.h" #include "ramheader.h" #include "bchp_vcxo_ctl_config_fsm.h" #include "bchp_bspi.h" #define HEAP_START_ADDRESS ((unsigned long)&(_end)) /* allow up to 3 mb comressed image */ #define COMPRESSED_BUFFER_SIZE 0x300000 #define BL_UART UARTA #define RAM_TEXT_BASE 0x80016000 #define RAM_TEXT_SIZE (0x01000000 - 0x16000) #define XPT_OTP_MC1_BASE 0xb053802c #if defined(RSA_BITS) #define SIGNATURE_SIZE (RSA_BITS/8) #else #define SIGNATURE_SIZE 0x80 #endif extern void clear_all_d_cache(void); extern void invalidate_all_i_cache(void); /* copy memory block from word aligned src to word aligned destination with word aligned size. All pointer and size must be 4 bytes aligned */ extern void aligned_copy(void * src, void * dst, unsigned int n); static int decompress(unsigned char *in_buf, unsigned int in_size, unsigned char * out_buf, unsigned int out_size); static void run_compressed(unsigned char * data, unsigned int len); static unsigned char * skip_headers(unsigned char * image); static int authenticate_image(unsigned char * image); static unsigned int image_size(unsigned char * image); extern unsigned int _ram_image_start; extern unsigned int _end; extern unsigned int __start_s3; void print_string(char *s) { while (*s) { print_char(*s++); } return; } void *memset(void *dest,int c,size_t count) { uint8_t *d = dest; for(;count>0;count--) { *d++ = c; } return dest; } void bootloader_main(void) { unsigned char * compressed_image; unsigned char * compressed_flash; int rc; unsigned int * boot_mode; unsigned int * addr; unsigned int val; print_string("\r\nS3 " __DATE__":" __TIME__ "\r\n"); fast_heap_init(HEAP_START_ADDRESS); boot_mode = (unsigned int *)(0xB0000000 + BCHP_SUN_TOP_CTRL_UNCLEARED_SCRATCH); /* set spi flash clock */ addr = (unsigned int *)(0xB0000000 + BCHP_VCXO_CTL_CONFIG_FSM_PLL_NEXT_CFG_3A); val = *addr; /* possible flash speeds in MHz: 0x0b00:118, 0x2B00:32.4, 0x1200:72, 0x0c00:108, 0x0a00:129.6, 0x0900:144, 0x0800:162 */ val = (val & 0xFFFF00FF) | 0x1200 | 0x80000000; *addr = val; addr = (unsigned int *)(0xB0000000 + BCHP_VCXO_CTL_CONFIG_FSM_PLL_UPDATE); //val = *addr; //val |= 1; *addr = 1; /* set flash to dual mode */ addr = (unsigned int *)(0xB0000000 + BCHP_BSPI_STRAP_OVERRIDE_CTRL); val = 0x3; *addr = val; /* GPIO 100 PAD CTRL */ /* set it in bootloader instead to avoid pop sound when enable the Raptor */ addr = (unsigned int *)(0xB0000000 | BCHP_SUN_TOP_CTRL_PIN_MUX_PAD_CTRL_8); val = *addr; val &= ~(BCHP_SUN_TOP_CTRL_PIN_MUX_PAD_CTRL_8_gpio_100_pad_ctrl_MASK); val |= (BCHP_SUN_TOP_CTRL_PIN_MUX_PAD_CTRL_8_gpio_100_pad_ctrl_PULL_UP << BCHP_SUN_TOP_CTRL_PIN_MUX_PAD_CTRL_8_gpio_100_pad_ctrl_SHIFT); *addr = val; try_again: compressed_image = malloc(COMPRESSED_BUFFER_SIZE); // __asm__("1: b 1b; nop;"); if(0xff == (*boot_mode & 0xff)){ print_string("Use xmodem send to send image: "); rc = xmodem_receive(BL_UART, compressed_image); sleep(SLEEP_1_SEC); }else{ flash_map_info_t *fmap; unsigned int isize; print_string("\r\nAuthenticating DTA code..."); fmap = (flash_map_info_t *)((unsigned int)&__start_s3 + 20); if(fmap->fmap_magic == FMAP_MAGIC){ compressed_flash = (unsigned char *)(fmap->image0_offset + FLASH_BASE); }else{ compressed_flash = (unsigned char *)&_ram_image_start; } /* for sharf we must copy code to ram as sharf can not read from bspi */ isize = image_size(compressed_flash); if(0 != isize) aligned_copy(compressed_flash, compressed_image, isize); // __asm__("1: b 1b; nop;"); rc = authenticate_image(compressed_image); /* process result of the authentication here */ if(0 == rc){ rc = COMPRESSED_BUFFER_SIZE; }else{ rc = -1; if(((*(uint32_t*)XPT_OTP_MC1_BASE) & 4) == 0){ print_char('-'); rc = COMPRESSED_BUFFER_SIZE; } } } if(0 < rc){ print_string("OK\r\n"); compressed_image = skip_headers(compressed_image); if(NULL != compressed_image) run_compressed(compressed_image, rc); }else{ print_string("FAILED\r\n"); __asm__("wait"); } /* This is for debugging and development only, production bootloader should reboot */ fast_heap_init(HEAP_START_ADDRESS); *boot_mode = 0xff; goto try_again; } typedef void (*entry_t)(void); void run_compressed(unsigned char * data, unsigned int len) { int rc; unsigned char * text; entry_t entry; text = (unsigned char *)RAM_TEXT_BASE; print_string("Decompressing..."); rc = decompress(data, len, text, RAM_TEXT_SIZE); if(rc > 0){ print_string("OK\r\n"); clear_all_d_cache(); invalidate_all_i_cache(); entry = (entry_t) RAM_TEXT_BASE; entry(); }else{ print_string("DECOMPRESS FAILED\r\n"); } } int decompress(unsigned char *in_buf, unsigned int in_size, unsigned char * out_buf, unsigned int out_size) { z_stream strm; int ret; memset(&strm,0,sizeof(strm)); strm.avail_in = in_size; strm.next_in = in_buf; strm.avail_out = out_size; strm.next_out = out_buf; ret = inflateInit2(&strm, 15+32); if (ret == Z_OK) { ret = inflate(&strm, Z_FINISH); inflateEnd(&strm); if ((ret == Z_STREAM_END) || (ret == Z_OK)) { return strm.total_out; } else if (ret > 0) { return -ret; } } return ret; } #define ZID1 0x1f #define ZID2 0x8b /* We have 2 headers to skip from compressed data, boot order header and application header, to get to the compressed data. */ unsigned char * skip_headers(unsigned char * image) { unsigned char * data; boot_header_t * bh; application_info_header_t * ah; unsigned int offset; data = NULL; offset = 0; if((ZID1 == image[0]) && (ZID2 == image[1])){ /* image pointing to zlib data */ data = image; goto ExitFunc; } bh = (boot_header_t*)image; if(CHIP_ID == bh->chip_id){ /* skip boot header if found */ offset = sizeof(boot_header_t); } ah = (application_info_header_t *)(&image[offset]); if((CHIP_ID != ah->chip_id) || (DTA_MAGIC != ah->dta_magic)){ /* app header or boot header not found */ goto ExitFunc; } offset += sizeof(application_info_header_t); if((ZID1 == image[offset]) && (ZID2 == image[offset+1])){ /* image pointing to zlib data */ data = &image[offset]; } ExitFunc: return data; } #include "signature.c" extern unsigned int oem_key[]; /* my test key generated from privkey2048.pem */ unsigned long broadcom_test_key2[] = { 0xc743ee55,0xb3143b8d,0xb427ecb5,0xf31cc652, 0x3760d7d7,0xb1c8a2b7,0x4f853b90,0x9ae6fba0, 0x6d750313,0x33bfb2d9,0x5fb5e078,0xe65b01ce, 0xab976eb2,0x1cab3054,0x807b0111,0x9758d712, 0x315760c5,0x4312a951,0xea31d43f,0xdaee15ff, 0xfb432017,0x54d4762d,0x191b4950,0x95ed9b0c, 0xe89b47b7,0xb3c41116,0x9b294f0e,0xb84662cb, 0x63405466,0x49b70d4d,0x69fff19f,0x4804b8e0, 0x080965f5,0xe8765ab5,0xf5dbbf20,0xdd70df30, 0xf51644a3,0x900eba4d,0x1e9a9670,0x60518e67, 0x3a1038cb,0xb8fe6752,0x75b86eff,0x107a9a47, 0xcce14416,0x7d47ffd8,0xdd30fcfc,0x79b30b7c, 0xa2ba451c,0x0716442e,0x2d912f8a,0x6a31e3fc, 0x92bf8d4c,0x24112f41,0xaf6bc6b1,0x3b9a1925, 0x87a104f2,0x2e1793c2,0x79e7c4d7,0x535b8cbe, 0xe6f4debd,0xbaf2a446,0x8a4d7c5d,0x22508e73, }; #define KSEG0_KSEG1(x) ((0x20000000) | (unsigned long)(x)) unsigned int app_signature[SIGNATURE_SIZE/4]; unsigned int key1_copy[SIGNATURE_SIZE/4]; int authenticate_image(unsigned char * image) { void * app_signature_address; boot_header_t * bh; application_info_header_t * ah; unsigned int offset; int rc; unsigned long signed_size; /* by default authentication fails */ rc = 1; offset = 0; bh = (boot_header_t*)image; if(CHIP_ID == bh->chip_id){ /* skip boot header if found */ offset = sizeof(boot_header_t); } ah = (application_info_header_t *)(&image[offset]); if((CHIP_ID != ah->chip_id) || (DTA_MAGIC != ah->dta_magic)){ /* app header or boot header not found */ goto ExitFunc; } /* ah now points to application image */ /* find signature address. image size does not include header */ signed_size = sizeof(application_info_header_t) + ah->image_size; app_signature_address = (void *)((unsigned int)ah + signed_size); aligned_copy(app_signature_address, app_signature, SIGNATURE_SIZE); // aligned_copy(oem_key, key1_copy, SIGNATURE_SIZE); aligned_copy(broadcom_test_key2, key1_copy, SIGNATURE_SIZE); rc = signature_check((unsigned long)ah, signed_size, (unsigned long)app_signature, (unsigned long)key1_copy); ExitFunc: return rc; } unsigned int image_size(unsigned char * image) { boot_header_t * bh; application_info_header_t * ah; unsigned int offset; unsigned int isize; isize = 0; offset = 0; bh = (boot_header_t*)image; if(CHIP_ID == bh->chip_id){ /* skip boot header if found */ offset = sizeof(boot_header_t); } ah = (application_info_header_t *)(&image[offset]); if((CHIP_ID != ah->chip_id) || (DTA_MAGIC != ah->dta_magic)){ /* app header or boot header not found */ goto ExitFunc; } /* ah now points to application image */ offset += sizeof(application_info_header_t); /* image size does not include headers, signature */ isize = offset + ah->image_size + SIGNATURE_SIZE; ExitFunc: return isize; } /* Please do not remove! */ /* Local Variables: */ /* mode: C */ /* indent-tabs-mode: nil */ /* End: */