MXRT1020-EVK bootloader+app

vladimir_dolzhe · ‎12-21-2021

Good afternoon, thanks for the help in BEE encryption on the fly. I managed to encrypt(Bee AES encryption) and sign(SRK Hash) the application with a certificate. Application is XIP image. Let's call it bootloader.

Now there is a task to launch another application with a bootloader for execution.

0x60000000..0x60031FFF - Bootloader(XIP image) 200Kb - load and work now

0x60032000..0x60400000 -APP(NON XIP image) 3,8МБ

0x60400000..0x60............ FAT16 file system(which is available by USB device). - 4Мб

The bootloader starts, it creates a usb device with a file system (which is physically located in the flash), various files can be dropped into this device, including an update of APP(NON XIP image). This part work well. Now the question is, where to download the APP(NON XIP image) and then execute it?

I create one encrypt region for the whole flash drive without FATFS part(0x60000000..0x604000000) - this is XIP image(signed with SRK hash)

image_enc ifile=flexspi_nor_edma_transfer_signed.bin ofile=flexspi_nor_edma_transfer_signed_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1

What memory area is my bootloader decrypted to(maybe it FLEXSPI Alias: 0x800_0000..)? is it possible to run it yourself for execution APP(NON XIP image) knowing the address of its execution in flash(0x60032400). How addresses are mapped after bee encrypt XIP image? Or is it possible to execute the flash directly from this address without copying anywhere into memory?

I don't want to create two separate encrypt regions, I only need one with the same SRK HASH(signature) and same AES key.

Second question: The customer does not need the LPC 4322. I flash my FlexSPI using USB

#Load flashloader(kinetis) to memory
sdphost -t 50000 -u 0x1fc9,0x130 write-file 0x20208000 flashloader/ivt_flashloader.bin
#Execute flashloader
sdphost -t 50000 -u 0x1fc9,0x130 jump-address 0x20208400
#Fill and configure memory for FLEXSPI NOR
blhost -u 0x15a2,0x73 fill-memory 0x2000 4 0xc0000007
blhost -u 0x15a2,0x73 configure-memory 0x9 0x2000
#Erase memory region
blhost -u 0x15a2,0x73 flash-erase-region 0x60000000 0x10000
#Write demo app
blhost -u 0x15a2,0x73 write-memory 0x60000000 flexspi_nor_edma_transfer.bin

Will there be any problems without using LPC 4322? I plan to write an update APP(NON XIP image) through my own USB device(FAT16), which is created in bootloader. Bootloader(XIP Image) will update only one time in production.

Thanks.

jeremyzhou · ‎12-21-2021

Hi,
Thank you for your interest in NXP Semiconductor products and for the opportunity to serve you.
1) What memory area is my bootloader decrypted to(maybe it FLEXSPI Alias: 0x800_0000..)?
-- The encrypted area starts 0x6000_1000 to 0x6040_0000.

2) Is it possible to run it yourself for execution APP(NON XIP image) knowing the address of its execution in flash(0x60032400).How addresses are mapped after bee encrypt XIP image? Or is it possible to execute the flash directly from this address without copying anywhere into memory?
-- It needs a secondary bootloader to jump to the application which resides 0x60032000~0x60400000, otherwise, it's impossible to run the application directly.
3) Will there be any problems without using LPC 4322?
-- No, it's okay to do it.
Have a great day,
TIC

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

vladimir_dolzhe · ‎12-27-2021

Found a way to start a second app from Flash with minimal effort. The main function is jump_to_application with two parameters, the address of the execution and stack pointer. Works with both regular applications and encrypted ones:

#include <stdint.h>
#include "fsl_common.h"
#include "fsl_debug_console.h"

//#define BL_APP_VECTOR_TABLE_ADDRESS (0x60002000u)
#define BL_APP_VECTOR_TABLE_ADDRESS (0x60032000u)
#define APP_VECTOR_TABLE ((uint32_t *)BL_APP_VECTOR_TABLE_ADDRESS)

enum _vector_table_entries
{
kInitialSP = 0, //!< Initial stack pointer.
kInitialPC = 1, //!< Reset vector.
};

typedef enum _shutdown_types
{
kShutdownType_Shutdown = 0,
kShutdownType_Cleanup = 1,
kShutdownType_Reset = 2,
} shutdown_type_t;

enum _vector_table_address
{
//! @brief Address of the default vector table, which is always 0.
kDefaultVectorTableAddress = 0
};

/** \brief Clear Enabled IRQs

The function clears all device IRQs
*/
__STATIC_INLINE void NVIC_ClearEnabledIRQs(void)
{
NVIC->ICER[0] = 0xFFFFFFFF;
NVIC->ICER[1] = 0xFFFFFFFF;
NVIC->ICER[2] = 0xFFFFFFFF;
NVIC->ICER[3] = 0xFFFFFFFF;
NVIC->ICER[4] = 0xFFFFFFFF;
NVIC->ICER[5] = 0xFFFFFFFF;
NVIC->ICER[6] = 0xFFFFFFFF;
NVIC->ICER[7] = 0xFFFFFFFF;
}

/** \brief Clear All Pending Interrupts

The function clears the pending bits of all external interrupts.

*/
__STATIC_INLINE void NVIC_ClearAllPendingIRQs(void)
{
NVIC->ICPR[0] = 0xFFFFFFFF;
NVIC->ICPR[1] = 0xFFFFFFFF;
NVIC->ICPR[2] = 0xFFFFFFFF;
NVIC->ICPR[3] = 0xFFFFFFFF;
NVIC->ICPR[4] = 0xFFFFFFFF;
NVIC->ICPR[5] = 0xFFFFFFFF;
NVIC->ICPR[6] = 0xFFFFFFFF;
NVIC->ICPR[7] = 0xFFFFFFFF;
}

void init_interrupts(void)
{
// Clear any IRQs that may be enabled, we only want the IRQs we enable to be active
NVIC_ClearEnabledIRQs();
// Clear any pending IRQs that may have been set
NVIC_ClearAllPendingIRQs();
}

void shutdown_cleanup(shutdown_type_t shutdown)
{
// If we are permanently exiting the bootloader, there are a few extra things to do.
if (shutdown == kShutdownType_Shutdown)
{
#if 0
// Shutdown microseconds driver.
microseconds_shutdown();
#endif

// Disable force ROM.
#if defined(RCM_FM_FORCEROM_MASK)
RCM->FM = ((~RCM_FM_FORCEROM_MASK) & RCM->FM) | RCM_FM_FORCEROM(0);
#elif defined(SMC_FM_FORCECFG_MASK)
#if defined(SMC0)
SMC0->FM = ((~SMC_FM_FORCECFG_MASK) & SMC0->FM) | SMC_FM_FORCECFG(0);
#else
SMC->FM = ((~SMC_FM_FORCECFG_MASK) & SMC->FM) | SMC_FM_FORCECFG(0);
#endif
#endif // defined(RCM_FM_FORCEROM_MASK)

// Clear status register (bits are w1c).
#if defined(RCM_MR_BOOTROM_MASK)
RCM->MR = ((~RCM_MR_BOOTROM_MASK) & RCM->MR) | RCM_MR_BOOTROM(3);
#elif defined(SMC_MR_BOOTCFG_MASK)
#if defined(SMC0)
SMC0->MR = ((~SMC_MR_BOOTCFG_MASK) & SMC0->MR) | SMC_MR_BOOTCFG(3);
#else
SMC->MR = ((~SMC_MR_BOOTCFG_MASK) & SMC->MR) | SMC_MR_BOOTCFG(3);
#endif
#endif // defined(RCM_MR_BOOTROM_MASK)

init_interrupts();

// Set the VTOR to default.
SCB->VTOR = kDefaultVectorTableAddress;
#if 0
// Restore clock to default before leaving bootloader.
configure_clocks(kClockOption_ExitBootloader);

// De-initialize hardware such as disabling port clock gate
deinit_hardware();
#endif
// Restore global interrupt.
__enable_irq();

#if BL_FEATURE_BYPASS_WATCHDOG
// De-initialize watchdog
bootloader_watchdog_deinit();
#endif // BL_FEATURE_BYPASS_WATCHDOG
}

// Memory barriers for good measure.
__ISB();
__DSB();
}

static void jump_to_application(uint32_t applicationAddress, uint32_t stackPointer)
{
shutdown_cleanup(kShutdownType_Shutdown);
// Create the function call to the user application.
// Static variables are needed since changed the stack pointer out from under the compiler
// we need to ensure the values we are using are not stored on the previous stack
static uint32_t s_stackPointer = 0;
s_stackPointer = stackPointer;
static void (*farewellBootloader)(void) = 0;
farewellBootloader = (void (*)(void))applicationAddress;

// Set the VTOR to the application vector table address.
SCB->VTOR = (uint32_t)APP_VECTOR_TABLE;

// Set stack pointers to the application stack pointer.
__set_MSP(s_stackPointer);
__set_PSP(s_stackPointer);

// Jump to the application.
farewellBootloader();
// Dummy fcuntion call, should never go to this fcuntion call
shutdown_cleanup(kShutdownType_Shutdown);
}

void go_to_app(void)
{
uint32_t stackPointer = 0;
uint32_t applicationAddress = 0;

stackPointer = APP_VECTOR_TABLE[kInitialSP];
applicationAddress = APP_VECTOR_TABLE[kInitialPC];

PRINTF("Start application at addr =0x%X stackPointer=0x%X \r\n",applicationAddress,stackPointer);
jump_to_application(applicationAddress, stackPointer);
}

jeremyzhou · ‎12-21-2021

Hi,
Thank you for your interest in NXP Semiconductor products and for the opportunity to serve you.
1) What memory area is my bootloader decrypted to(maybe it FLEXSPI Alias: 0x800_0000..)?
-- The encrypted area starts 0x6000_1000 to 0x6040_0000.

2) Is it possible to run it yourself for execution APP(NON XIP image) knowing the address of its execution in flash(0x60032400).How addresses are mapped after bee encrypt XIP image? Or is it possible to execute the flash directly from this address without copying anywhere into memory?
-- It needs a secondary bootloader to jump to the application which resides 0x60032000~0x60400000, otherwise, it's impossible to run the application directly.
3) Will there be any problems without using LPC 4322?
-- No, it's okay to do it.
Have a great day,
TIC

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

MXRT1020-EVK bootloader+app

MXRT1020-EVK bootloader+app

i.MXRT