Recover from an erased uboot image in closed mode

1,859 Views

Hi,

I have a custom imx6q board with the uboot in a SPI memory. I've saved a signed version of the uboot

in the SPI and the boot is ok. Then I've set the SRK, and I've set the closed mode to have a secured environment.

I can boot ok.

Then I wanted to test how to recover from an error in the SPI memory. Then I've erase the memory

the same way I've done to save the uboot other times. I expect to have the serial download mode

available to do that. I reset the board and I can see the message

# lsusb

Bus 002 Device 054: ID 15a2:0054 Freescale Semiconductor, Inc. i.MX6Q SystemOnChip in RecoveryMode

but when I try to send the same uboot signed image with the imx_usb_loader tool I get error an no uboot console appears:

# ./imx_usb u-boot-signed.imx

parse mx6_usb_work.conf

15a2:0054(mx6_qsb) bConfigurationValue =1

Interface 0 claimed

report 1, wrote 16 bytes, err=0

report 3, read 4 bytes, err=0

read=12 34 34 12

u-boot-signed.imx 0 0 1 0 1 2

main dcd length 2f8

sub dcd length 2f4

w3 in err=-7, last_trans=0 00 00 00 00

addr=0x021b001c, val=0x04088032

w4 in err=-7, last_trans=0 00 00 00 00

dcd_ptr=0x177ff42c

!!perform_dcd returned -7

report 1, wrote 0 bytes, err=-7

report 3, read 0 bytes, err=-7

read=00 00 00 00

report 1, wrote 0 bytes, err=-7

report 3, read 0 bytes, err=-7

read=00 00 00 00

report 1, wrote 0 bytes, err=-7

report 3, read 0 bytes, err=-7

read=00 00 00 00

report 1, wrote 0 bytes, err=-7

report 3, read 0 bytes, err=-7

read=00 00 00 00

report 1, wrote 0 bytes, err=-7

report 3, read 0 bytes, err=-7

read=00 00 00 00

report 1, wrote 0 bytes, err=-7

report 3, read 0 bytes, err=-7

read=00 00 00 00

4 in err=-7, last_trans=0 00 00 00 00

Is there some way to recover or I have to reprogram the SPI memory in other board?

Regards

5 Replies

1,116 Views

Hi,

I got the same problem when I used mfgtool to download the images into our board. I've been searching and reading a lot of documents, but I'm still not able to fix the problem. Did you get your problem fixed? If so, can you share your experience how to fix the problem? Thank you.

Best Regards.

1,116 Views

Strictly speaking the imx_usb has not been checked for signed images boot.

Nevertheless, please take a look at the following threads.

“HAB events when using imx_usb_loader”

https://community.freescale.com/message/470696#470696

“AdeneoEmbedded - Whitepaper on USB loader for i.MX6 platforms”

https://community.freescale.com/docs/DOC-99298

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

1,116 Views

Hi Yuri,

I don't have access to the “AdeneoEmbedded - Whitepaper on USB loader for i.MX6 platforms” link...

I've followed the instructions on 6.2 (Signing Code Downloadable with Manufacturing Tool) from app note

AN4581 with no luck. I don't have any windows workstation and I have to rely on imx_usb to do the tests.

I've generated the CSF related to u-boot.imx image with the DCD address cleared and this info in the .csf file

...

Verification index = 2

Blocks = 0x177FF400 0x0 0x4BC00 "u-boot.imx", \

0x00910000 0x2C 0x2E0 "u-boot.imx"

The parameter 0x2E0 (size of the DCD table) I'm using the given in the doc because I've been not able

to discover where it comes from.

Now I can send the u-boot-signed.imx to the board but it doesn't boot, and I don't see anything in the console.

# ./imx_usb u-boot-signed.imx

parse mx6_usb_work.conf

15a2:0054(mx6_qsb) bConfigurationValue =1

Interface 0 claimed

report 1, wrote 16 bytes, err=0

report 3, read 4 bytes, err=0

read=12 34 34 12

u-boot-signed.imx 0 0 1 0 1 2

main dcd length 2f8

sub dcd length 2f4

dcd_ptr=0x177ff42c

loading binary file(/mnt/develop/imx6unidesa/security/cst-2.3.0/u-boot/u-boot-signed.imx) to 177ff400, skip=0, fsize=4dc00 type=aa

<<<318464, 318464 bytes>>>

jumping to 0x177ff400

Anybody in Freescale can confirm the imx_usb is able or not to send a signed uboot?

Thanks!

1,116 Views

Hi,

I'll try to clarify all the steps I've done until now to try to do a serial download of a signed uboot.

Now, I'm using MFG from imx-3.10.53_1.1.0_ga-mfg-tools.tar.gz instead of using imx_usb tool.

I've specified first the steps I've done to generate the u-boot-signed.imx that I program to the SPI Flash

and boot ok if I use the 'sf' commands to program it, and then I specify the added steps to try to generate

the u-boot-signed.imx to program using serial downloader.

The u-boot-signed.imx that I can program in my SPI flash memory with 'sf' command and boots ok was generated

with the next CSF file :

-- 8<--------------------

[Header]

# CSF header and default values

Version = 4.1

Hash Algorithm = sha256

Engine = Any

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

# Authenticate and install root public key

File = "../crts/SRK_1_2_3_4_table.bin"

Source Index = 0 # Select SRK1

[Install CSFK]

# Authenticate and install public key for use in "Authenticate CSF"

File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

# Authenticate the CSF (this file)

[Install Key]

# Authenticate and install public key for use in "Authenticate Data"

File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

Verification Index = 0

Target Index = 2

# Sign padded U-boot starting at the IVT through to the end with

# length = 0x4BC00 (size of u-boot.imx before appending CSF)

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

# Verify authenticity of pre-loaded data in memory

Verification index = 2

Blocks = 0x177FF400 0x0 0x4BC00 "u-boot-signed.imx"

-- 8<--------------------

Then from AN4581.pdf '6.2 Signing Code Downloadable with Manufacturing Tool' note I can read:

"The CSF description file should contain a command to sign the DCD table" then I've added

[Authenticate Data]

# Verify authenticity of pre-loaded data in memory

Verification index = 2

Blocks = 0x177FF400 0x0 0x4BC00 "u-boot-signed.imx", \

0x00910000 0x2C 0x2F8 "u-boot-signed.imx"

because:

1) DCD table is located at '0x00910000', is it ok??

2) the offset '0x2C' = DCD pointer - Start IVT table, comes from analyzing the IVT header:

# hexedit u-boot-signed.imx

00000000 D1 00 20 40 00 00 80 17 00 00 00 00 2C F4 7F 17 20 F4 7F 17 00 F4 7F 17 00 B0 84 17 00 00 00 00 00 F0 7F 17 00 E0 04 00

00000028 00 00 00 00 D2 02 F8 40 CC 02 F4 04 02 0E 07 98 00 0C 00 00 02 0E 07 58 00 00 00 00 02 0E 05 88 00 00 00 30 02 0E 05 94

...

-> 402000D1 : IVT Header

-> 17800000 : Entry uboot

-> 00000000 : Reserved

-> 177FF42C : DCD pointer = Boot data + 12 bytes (0x1c) = sizeof(boot_data_t)

-> 177FF420 : Boot data = Start IVT table + 32 bytes (0x20) = sizeof(image_vector_table_t)

-> 177FF400 : Start IVT table

-> 1784B000 : Start CFS data

3) the length '0x2F8' comes from 'imx_usb' messages

# ./imx_usb u-boot-signed.imx

...

main dcd length 2f8

sub dcd length 2f4

With this CSF file (u-boot-serialdownloader.csf) I can generate the new u-boot-signed.imx

with this script, where u-boot.imx is the clear u-boot.

-- 8< -------------------

#! /bin/bash

echo "DCD address must be cleared for signature, as mfgtool will clear it."

./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx

echo "generate csf data..."

../linux64/cst --o u-boot_csf.bin < u-boot-serialdownloader.csf

echo "DCD address must be set for mfgtool to localize the DCD table."

./mod_4_mfgtool.sh set_dcd_addr u-boot.imx

echo "fill the CSF u-boot reserved block..."

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 u-boot_csf.bin u-boot_csf_pad.bin

echo "merge image and csf data..."

cat u-boot.imx u-boot_csf_pad.bin > u-boot-signed.imx

echo "remove temporary files..."

rm -rf u-boot_csf.bin u-boot_csf_pad.bin dcd_addr.bin

echo "u-boot-signed.imx is ready for serial downloader."

-- 8< -------------------

This script is the same I use to generate the u-boot-signed.imx for SPI but I've added the

calls to 'mod_4_mfgtool.sh'. This script is different from the AN4581.pdf because the offsets are

different. This is the code:

-- 8< -------------------

#!/bin/bash

# DCD address must be cleared for signature, as mfgtool will clear it.

if [ "$1" == "clear_dcd_addr" ]; then

# store the DCD address

dd if=$2 of=dcd_addr.bin bs=1 count=4 skip=12

# generate a NULL address for the DCD

dd if=/dev/zero of=zero.bin bs=1 count=4

# replace the DCD address with the NULL address

dd if=zero.bin of=$2 seek=12 bs=1 conv=notrunc

fi

# DCD address must be set for mfgtool to localize the DCD table.

if [ "$1" == "set_dcd_addr" ]; then

# restore the DCD address with the original address

dd if=dcd_addr.bin of=$2 seek=12 bs=1 conv=notrunc

rm zero.bin

fi

-- 8< -------------------

Now the DCD table pointer is in offset 12. From the previous

# hexedit u-boot-signed.imx

00000000 D1 00 20 40 00 00 80 17 00 00 00 00 2C F4 7F 17 20 F4 7F 17 00 F4 7F 17 00 B0 84 17 00 00 00 00 00 F0 7F 17 00 E0 04 00

the DCD pointer is '2C F4 7F 17'

Once I have the 'u-boot-signed.imx' prepared for serial downloader I copy it to MFG firmware files and configure the MFG 'ucl2.xml' file like

this:

-- 8< -------------------

<UCL>

<CFG>

<STATE name="BootStrap" dev="MX6Q" vid="15A2" pid="0054"/>

<STATE name="Updater" dev="MSC" vid="066F" pid="37FF"/>

</CFG>

<LIST name="SDCard" desc="Choose SD Card as media">

<CMD state="BootStrap" type="boot" body="BootStrap" file ="firmware/u-boot-signed.imx" ifdev="MX6Q">Loading signed U-boot</CMD>

<CMD state="BootStrap" type="jump" > Jumping to OS image. </CMD>

</LIST>

</UCL>

-- 8< -------------------

Then I run the MFG and click 'Start' button but nothing happens. The log is:

-- 8< -------------------

DLL version: 2.3.3

Wednesday, May 13, 2015 08:08:49 Start new logging

ModuleID[2] LevelID[10]: CMyExceptionHandler thread is running

ModuleID[2] LevelID[1]: new MxHidDeviceClass

ModuleID[2] LevelID[10]: new MxHidDevice[00CBD0B0]

ModuleID[2] LevelID[1]: *** Error: 1, Drive: A:

ModuleID[2] LevelID[10]: Device Manager thread is running

ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - DEVICE_REMOVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})

ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - end

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_REMOVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})

ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, _devices.size: 1

ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, devInstPathToFind: USB\VID_15A2&PID_0054\6&103465E1&0&1, _deviceInstanceID: USB\VID_15A2&PID_0054\6&103465E1&0&1

ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, Find the device

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_REMOVAL_EVT,[MxHidDeviceClass] vid_15a2&pid_0054, Hub:2-Port:1

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_REMOVAL_EVT, Notify

ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume Arrive/Remove or Device Arrive/Remove

ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, m_p_usb_port is not NULL, so only refresh

ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume/Device Remove

ModuleID[2] LevelID[1]: CmdOpreation[0]--set m_hDeviceRemoveEvent.

ModuleID[2] LevelID[10]: CmdOpreation[0]--WaitforEvents device remove1

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent()-DEVICE_REMOVAL_EVT, hDevCanDeleteEvent has been set

ModuleID[2] LevelID[10]: delete MxHidDevice[00CBD0B0]

ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - DEVICE_ARRIVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})

ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - end

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_ARRIVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})

ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, _devices.size: 0

ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--index: 0

ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--devPath: \\?\hid#vid_0e0f&pid_0003&mi_00#8&17be0303&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--index: 1

ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--devPath: \\?\hid#vid_0e0f&pid_0003&mi_01#8&2f818f48&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--index: 2

ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--devPath: \\?\hid#vid_15a2&pid_0054#7&35cdcdda&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}

ModuleID[2] LevelID[10]: new MxHidDevice[00CCA6D8]

ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_New, devInstPathToFind: USB\VID_15A2&PID_0054\6&103465E1&0&1, _deviceInstanceID: USB\VID_15A2&PID_0054\6&103465E1&0&1

ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_New, Find the device, Port: 1

ModuleID[2] LevelID[10]: DeviceClass::AddUsbDevice() successful USB#VID_15A2&PID_0054#6&103465E1&0&1#{A5DCBF10-6530-11D2-901F-00C04FB951ED} add to current list, retrycount: 0

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_ARRIVAL_EVT,[MxHidDeviceClass] vid_15a2&pid_0054, Hub:2-Port:1

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_ARRIVAL_EVT, Notify

ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume Arrive/Remove or Device Arrive/Remove

ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, m_p_usb_port is not NULL, so only refresh

ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume/Device Arrive

ModuleID[2] LevelID[1]: CmdOpreation[0]--set m_hDeviceArriveEvent.

ModuleID[2] LevelID[10]: CmdOpreation[0]--WaitforEvents device arrive1

ModuleID[2] LevelID[10]: CmdOperation[0] device chagned and reset to state 0

ModuleID[2] LevelID[10]: ExecuteCommand--Boot[WndIndex:0], File is C:\Users\daniel\Desktop\mfgtools\Profiles\Linux\OS Firmware\firmware\u-boot-signed.imx

ModuleID[2] LevelID[10]: ExecuteCommand--Jump[WndIndex:0]

ModuleID[2] LevelID[10]: *********MxHidDevice[00CCA6D8] Jump to Ramkernel successfully!**********

ModuleID[2] LevelID[10]: CmdOperation[0], current state command has been finished and the last command is successful, so SetEvent(hDevCanDeleteEvent)

ModuleID[2] LevelID[10]: CCmdOpreation[0] thread is Closed

ModuleID[2] LevelID[10]: CCmdOpreation[0] thread is Closed

ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - EVENT_KILL

ModuleID[2] LevelID[10]: CMyExceptionHandler::OnMsgExceptionEvent() - KillExceptionHandlerThread

ModuleID[2] LevelID[10]: Exception Handler thread is closed

ModuleID[2] LevelID[1]: delete MxHidDeviceClass

ModuleID[2] LevelID[10]: delete MxHidDevice[00CCA6D8]

ModuleID[2] LevelID[10]: Device Manager thread is closed

-- 8< -------------------

Sorry for this long post, but I think it's needed a detailed explanation to understand it.

And now... What am I missing??

Regards

1,116 Views

Hi, are you solved this issue? I have the same problem with MFGTool and closed device. Can you share you experience? Thank you very much.

never-displayed

You must be signed in to add attachments

never-displayed

Additional options

Associated Products