Hi,
I have a custom imx6q board with the uboot in a SPI memory. I've saved a signed version of the uboot
in the SPI and the boot is ok. Then I've set the SRK, and I've set the closed mode to have a secured environment.
I can boot ok.
Then I wanted to test how to recover from an error in the SPI memory. Then I've erase the memory
the same way I've done to save the uboot other times. I expect to have the serial download mode
available to do that. I reset the board and I can see the message
# lsusb
Bus 002 Device 054: ID 15a2:0054 Freescale Semiconductor, Inc. i.MX6Q SystemOnChip in RecoveryMode
but when I try to send the same uboot signed image with the imx_usb_loader tool I get error an no uboot console appears:
# ./imx_usb u-boot-signed.imx
parse mx6_usb_work.conf
15a2:0054(mx6_qsb) bConfigurationValue =1
Interface 0 claimed
report 1, wrote 16 bytes, err=0
report 3, read 4 bytes, err=0
read=12 34 34 12
u-boot-signed.imx 0 0 1 0 1 2
main dcd length 2f8
sub dcd length 2f4
w3 in err=-7, last_trans=0 00 00 00 00
addr=0x021b001c, val=0x04088032
w4 in err=-7, last_trans=0 00 00 00 00
dcd_ptr=0x177ff42c
!!perform_dcd returned -7
report 1, wrote 0 bytes, err=-7
report 3, read 0 bytes, err=-7
read=00 00 00 00
report 1, wrote 0 bytes, err=-7
report 3, read 0 bytes, err=-7
read=00 00 00 00
report 1, wrote 0 bytes, err=-7
report 3, read 0 bytes, err=-7
read=00 00 00 00
report 1, wrote 0 bytes, err=-7
report 3, read 0 bytes, err=-7
read=00 00 00 00
report 1, wrote 0 bytes, err=-7
report 3, read 0 bytes, err=-7
read=00 00 00 00
report 1, wrote 0 bytes, err=-7
report 3, read 0 bytes, err=-7
read=00 00 00 00
4 in err=-7, last_trans=0 00 00 00 00
Is there some way to recover or I have to reprogram the SPI memory in other board?
Regards
Hi,
I got the same problem when I used mfgtool to download the images into our board. I've been searching and reading a lot of documents, but I'm still not able to fix the problem. Did you get your problem fixed? If so, can you share your experience how to fix the problem? Thank you.
Best Regards.
Strictly speaking the imx_usb has not been checked for signed images boot.
Nevertheless, please take a look at the following threads.
“HAB events when using imx_usb_loader”
https://community.freescale.com/message/470696#470696
“AdeneoEmbedded - Whitepaper on USB loader for i.MX6 platforms”
https://community.freescale.com/docs/DOC-99298
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hi Yuri,
I don't have access to the “AdeneoEmbedded - Whitepaper on USB loader for i.MX6 platforms” link...
I've followed the instructions on 6.2 (Signing Code Downloadable with Manufacturing Tool) from app note
AN4581 with no luck. I don't have any windows workstation and I have to rely on imx_usb to do the tests.
I've generated the CSF related to u-boot.imx image with the DCD address cleared and this info in the .csf file
...
Verification index = 2
Blocks = 0x177FF400 0x0 0x4BC00 "u-boot.imx", \
0x00910000 0x2C 0x2E0 "u-boot.imx"
The parameter 0x2E0 (size of the DCD table) I'm using the given in the doc because I've been not able
to discover where it comes from.
Now I can send the u-boot-signed.imx to the board but it doesn't boot, and I don't see anything in the console.
# ./imx_usb u-boot-signed.imx
parse mx6_usb_work.conf
15a2:0054(mx6_qsb) bConfigurationValue =1
Interface 0 claimed
report 1, wrote 16 bytes, err=0
report 3, read 4 bytes, err=0
read=12 34 34 12
u-boot-signed.imx 0 0 1 0 1 2
main dcd length 2f8
sub dcd length 2f4
dcd_ptr=0x177ff42c
loading binary file(/mnt/develop/imx6unidesa/security/cst-2.3.0/u-boot/u-boot-signed.imx) to 177ff400, skip=0, fsize=4dc00 type=aa
<<<318464, 318464 bytes>>>
jumping to 0x177ff400
Anybody in Freescale can confirm the imx_usb is able or not to send a signed uboot?
Thanks!
Hi,
I'll try to clarify all the steps I've done until now to try to do a serial download of a signed uboot.
Now, I'm using MFG from imx-3.10.53_1.1.0_ga-mfg-tools.tar.gz instead of using imx_usb tool.
I've specified first the steps I've done to generate the u-boot-signed.imx that I program to the SPI Flash
and boot ok if I use the 'sf' commands to program it, and then I specify the added steps to try to generate
the u-boot-signed.imx to program using serial downloader.
The u-boot-signed.imx that I can program in my SPI flash memory with 'sf' command and boots ok was generated
with the next CSF file :
-- 8<--------------------
[Header]
# CSF header and default values
Version = 4.1
Hash Algorithm = sha256
Engine = Any
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Authenticate and install root public key
File = "../crts/SRK_1_2_3_4_table.bin"
Source Index = 0 # Select SRK1
[Install CSFK]
# Authenticate and install public key for use in "Authenticate CSF"
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
# Authenticate the CSF (this file)
[Install Key]
# Authenticate and install public key for use in "Authenticate Data"
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
Verification Index = 0
Target Index = 2
# Sign padded U-boot starting at the IVT through to the end with
# length = 0x4BC00 (size of u-boot.imx before appending CSF)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
# Verify authenticity of pre-loaded data in memory
Verification index = 2
Blocks = 0x177FF400 0x0 0x4BC00 "u-boot-signed.imx"
-- 8<--------------------
Then from AN4581.pdf '6.2 Signing Code Downloadable with Manufacturing Tool' note I can read:
"The CSF description file should contain a command to sign the DCD table" then I've added
[Authenticate Data]
# Verify authenticity of pre-loaded data in memory
Verification index = 2
Blocks = 0x177FF400 0x0 0x4BC00 "u-boot-signed.imx", \
0x00910000 0x2C 0x2F8 "u-boot-signed.imx"
because:
1) DCD table is located at '0x00910000', is it ok??
2) the offset '0x2C' = DCD pointer - Start IVT table, comes from analyzing the IVT header:
# hexedit u-boot-signed.imx
00000000 D1 00 20 40 00 00 80 17 00 00 00 00 2C F4 7F 17 20 F4 7F 17 00 F4 7F 17 00 B0 84 17 00 00 00 00 00 F0 7F 17 00 E0 04 00
00000028 00 00 00 00 D2 02 F8 40 CC 02 F4 04 02 0E 07 98 00 0C 00 00 02 0E 07 58 00 00 00 00 02 0E 05 88 00 00 00 30 02 0E 05 94
...
-> 402000D1 : IVT Header
-> 17800000 : Entry uboot
-> 00000000 : Reserved
-> 177FF42C : DCD pointer = Boot data + 12 bytes (0x1c) = sizeof(boot_data_t)
-> 177FF420 : Boot data = Start IVT table + 32 bytes (0x20) = sizeof(image_vector_table_t)
-> 177FF400 : Start IVT table
-> 1784B000 : Start CFS data
3) the length '0x2F8' comes from 'imx_usb' messages
# ./imx_usb u-boot-signed.imx
...
main dcd length 2f8
sub dcd length 2f4
With this CSF file (u-boot-serialdownloader.csf) I can generate the new u-boot-signed.imx
with this script, where u-boot.imx is the clear u-boot.
-- 8< -------------------
#! /bin/bash
echo "DCD address must be cleared for signature, as mfgtool will clear it."
./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx
echo "generate csf data..."
../linux64/cst --o u-boot_csf.bin < u-boot-serialdownloader.csf
echo "DCD address must be set for mfgtool to localize the DCD table."
./mod_4_mfgtool.sh set_dcd_addr u-boot.imx
echo "fill the CSF u-boot reserved block..."
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 u-boot_csf.bin u-boot_csf_pad.bin
echo "merge image and csf data..."
cat u-boot.imx u-boot_csf_pad.bin > u-boot-signed.imx
echo "remove temporary files..."
rm -rf u-boot_csf.bin u-boot_csf_pad.bin dcd_addr.bin
echo "u-boot-signed.imx is ready for serial downloader."
-- 8< -------------------
This script is the same I use to generate the u-boot-signed.imx for SPI but I've added the
calls to 'mod_4_mfgtool.sh'. This script is different from the AN4581.pdf because the offsets are
different. This is the code:
-- 8< -------------------
#!/bin/bash
# DCD address must be cleared for signature, as mfgtool will clear it.
if [ "$1" == "clear_dcd_addr" ]; then
# store the DCD address
dd if=$2 of=dcd_addr.bin bs=1 count=4 skip=12
# generate a NULL address for the DCD
dd if=/dev/zero of=zero.bin bs=1 count=4
# replace the DCD address with the NULL address
dd if=zero.bin of=$2 seek=12 bs=1 conv=notrunc
fi
# DCD address must be set for mfgtool to localize the DCD table.
if [ "$1" == "set_dcd_addr" ]; then
# restore the DCD address with the original address
dd if=dcd_addr.bin of=$2 seek=12 bs=1 conv=notrunc
rm zero.bin
fi
-- 8< -------------------
Now the DCD table pointer is in offset 12. From the previous
# hexedit u-boot-signed.imx
00000000 D1 00 20 40 00 00 80 17 00 00 00 00 2C F4 7F 17 20 F4 7F 17 00 F4 7F 17 00 B0 84 17 00 00 00 00 00 F0 7F 17 00 E0 04 00
the DCD pointer is '2C F4 7F 17'
Once I have the 'u-boot-signed.imx' prepared for serial downloader I copy it to MFG firmware files and configure the MFG 'ucl2.xml' file like
this:
-- 8< -------------------
<UCL>
<CFG>
<STATE name="BootStrap" dev="MX6Q" vid="15A2" pid="0054"/>
<STATE name="Updater" dev="MSC" vid="066F" pid="37FF"/>
</CFG>
<LIST name="SDCard" desc="Choose SD Card as media">
<CMD state="BootStrap" type="boot" body="BootStrap" file ="firmware/u-boot-signed.imx" ifdev="MX6Q">Loading signed U-boot</CMD>
<CMD state="BootStrap" type="jump" > Jumping to OS image. </CMD>
</LIST>
</UCL>
-- 8< -------------------
Then I run the MFG and click 'Start' button but nothing happens. The log is:
-- 8< -------------------
DLL version: 2.3.3
Wednesday, May 13, 2015 08:08:49 Start new logging
ModuleID[2] LevelID[10]: CMyExceptionHandler thread is running
ModuleID[2] LevelID[1]: new MxHidDeviceClass
ModuleID[2] LevelID[10]: new MxHidDevice[00CBD0B0]
ModuleID[2] LevelID[1]: *** Error: 1, Drive: A:
ModuleID[2] LevelID[10]: Device Manager thread is running
ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - DEVICE_REMOVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})
ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - end
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_REMOVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})
ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, _devices.size: 1
ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, devInstPathToFind: USB\VID_15A2&PID_0054\6&103465E1&0&1, _deviceInstanceID: USB\VID_15A2&PID_0054\6&103465E1&0&1
ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, Find the device
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_REMOVAL_EVT,[MxHidDeviceClass] vid_15a2&pid_0054, Hub:2-Port:1
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_REMOVAL_EVT, Notify
ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume Arrive/Remove or Device Arrive/Remove
ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, m_p_usb_port is not NULL, so only refresh
ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume/Device Remove
ModuleID[2] LevelID[1]: CmdOpreation[0]--set m_hDeviceRemoveEvent.
ModuleID[2] LevelID[10]: CmdOpreation[0]--WaitforEvents device remove1
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent()-DEVICE_REMOVAL_EVT, hDevCanDeleteEvent has been set
ModuleID[2] LevelID[10]: delete MxHidDevice[00CBD0B0]
ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - DEVICE_ARRIVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})
ModuleID[2] LevelID[10]: DeviceManager::DevChangeWnd::OnDeviceChange() - end
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_ARRIVAL_EVT(\\?\USB#VID_15A2&PID_0054#6&103465e1&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed})
ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_Current, _devices.size: 0
ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--index: 0
ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--devPath: \\?\hid#vid_0e0f&pid_0003&mi_00#8&17be0303&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--index: 1
ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--devPath: \\?\hid#vid_0e0f&pid_0003&mi_01#8&2f818f48&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--index: 2
ModuleID[2] LevelID[1]: DeviceClass::FindDeviceByUsbPath() - DeviceListType_New--devPath: \\?\hid#vid_15a2&pid_0054#7&35cdcdda&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
ModuleID[2] LevelID[10]: new MxHidDevice[00CCA6D8]
ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_New, devInstPathToFind: USB\VID_15A2&PID_0054\6&103465E1&0&1, _deviceInstanceID: USB\VID_15A2&PID_0054\6&103465E1&0&1
ModuleID[2] LevelID[10]: DeviceClass::FindDeviceByUsbPath--DeviceListType_New, Find the device, Port: 1
ModuleID[2] LevelID[10]: DeviceClass::AddUsbDevice() successful USB#VID_15A2&PID_0054#6&103465E1&0&1#{A5DCBF10-6530-11D2-901F-00C04FB951ED} add to current list, retrycount: 0
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_ARRIVAL_EVT,[MxHidDeviceClass] vid_15a2&pid_0054, Hub:2-Port:1
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - DEVICE_ARRIVAL_EVT, Notify
ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume Arrive/Remove or Device Arrive/Remove
ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, m_p_usb_port is not NULL, so only refresh
ModuleID[2] LevelID[10]: CmdOpreation[0]--OnDeviceChangeNotify, Volume/Device Arrive
ModuleID[2] LevelID[1]: CmdOpreation[0]--set m_hDeviceArriveEvent.
ModuleID[2] LevelID[10]: CmdOpreation[0]--WaitforEvents device arrive1
ModuleID[2] LevelID[10]: CmdOperation[0] device chagned and reset to state 0
ModuleID[2] LevelID[10]: ExecuteCommand--Boot[WndIndex:0], File is C:\Users\daniel\Desktop\mfgtools\Profiles\Linux\OS Firmware\firmware\u-boot-signed.imx
ModuleID[2] LevelID[10]: ExecuteCommand--Jump[WndIndex:0]
ModuleID[2] LevelID[10]: *********MxHidDevice[00CCA6D8] Jump to Ramkernel successfully!**********
ModuleID[2] LevelID[10]: CmdOperation[0], current state command has been finished and the last command is successful, so SetEvent(hDevCanDeleteEvent)
ModuleID[2] LevelID[10]: CCmdOpreation[0] thread is Closed
ModuleID[2] LevelID[10]: CCmdOpreation[0] thread is Closed
ModuleID[2] LevelID[10]: DeviceManager::OnMsgDeviceEvent() - EVENT_KILL
ModuleID[2] LevelID[10]: CMyExceptionHandler::OnMsgExceptionEvent() - KillExceptionHandlerThread
ModuleID[2] LevelID[10]: Exception Handler thread is closed
ModuleID[2] LevelID[1]: delete MxHidDeviceClass
ModuleID[2] LevelID[10]: delete MxHidDevice[00CCA6D8]
ModuleID[2] LevelID[10]: Device Manager thread is closed
-- 8< -------------------
Sorry for this long post, but I think it's needed a detailed explanation to understand it.
And now... What am I missing??
Regards
Hi, are you solved this issue? I have the same problem with MFGTool and closed device. Can you share you experience? Thank you very much.