Rescue bricked IMX 7D in "closed" state with activated HAB boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Rescue bricked IMX 7D in "closed" state with activated HAB boot

1,436 Views
Deadolus
Contributor II

I have a imx 7d with activated SEC_CONFIG fuse and properly burnt SRK hash.
I have verified that my signed u-boot bootloader does not generate any errors with the hab_status command.

However, this .imx file does not successfully boot on the closed device.
Up on researching I discovered that I apparently have to alter the imx file manually and sign it differently.

The device shows up via lsusb as:

Bus 001 Device 052: ID 15a2:0076 Freescale Semiconductor, Inc. i.MX 7Solo/7Dual SystemOnChip in RecoveryMode 

 

and in dmesg it shows up as:

[18514.713751] hid-generic 0003:15A2:0076.000F: hiddev2,hidraw6: USB HID v1.10 Device [Freescale SemiConductor Inc SE Blank ULT1] on usb-0000:00:14.0-4.3.3/input0

 

My normal u-boot.csf signing configuration is

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 BOOTLOADER_SIZE "u-boot.imx"

 

I created a special configuration as described in these forums which looks like this

[Authenticate Data]
Verification index = 2
#Blocks = 0x877ff400 0x00000000 0x00070c00 "u-boot.imx"
#Blocks = 0x877ff400 0x00000000 BOOTLOADER_SIZE "u-boot.imx"
# 3 sections to verify signature over:
# IVT + Boot Data: Offset 0, Len 0x2c (Fixed)
# DCD: Offset 0x2C, Len 0x1c4 (From imx.log file emitted by U-Boot build)
# Image Data: Offset 0xc00, Len <rest of image>
#e.g. for u-boot.imx of size 0x00074c00, log:
#752:HAB Blocks: 0x877ff400 0x00000000 0x00074c00
#753:DCD Blocks: 0x0000002c 0x00910000 0x000001c4
#Blocks = 0x877ff400 0x00000000 0x0000002c "u-boot.imx",\
# 0x00910000 0x0000002c 0x000001c4 "u-boot.imx",\
# 0x87800000 0x00000c00 0x00074000 "u-boot.imx"
Blocks = 0x877ff400 0x00000000 0x0000002c "u-boot.imx",\
0x00910000 0x0000002c 0x000001c4 "u-boot.imx",\
0x87800000 0x00000c00 0x00074000 "u-boot.imx"

 

I tried to create the special recovery bootloader as follows (generateKeys.sh is signing the imx file)

 #Clear DCD for special bootloader signing
./setClearDcd.sh clear_dcd_addr u-boot/u-boot.imx
./generateKeys.sh -b
./setClearDcd.sh set_dcd_addr u-boot/u-boot.imx
cat u-boot/u-boot.imx u-boot_out/csf.bin > u-boot_out/u-boot_dcdcleared.imx

 

However, I seem to have no luck in producing such a file, all my attempts are failing and I can not recover the bricked device.

Can you please provide detailed directions how I can get a special bootloader file to rescue a bricked device from a working and successfully signed u-boot imx image?

 

Links to users with similar issues:

https://github.com/nxp-imx/mfgtools/issues/235

https://community.toradex.com/t/cannot-update-secured-uboot-after-having-closed-device-bricked-devic...

Labels (1)
Tags (4)
0 Kudos
Reply
5 Replies

1,284 Views
Deadolus
Contributor II

@hector_delgadoany news on this?

0 Kudos
Reply

1,264 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @Deadolus ,

If you didn't block serial download mode on your board, you should be able to flash the board (with an authenticated image) using UUU as you'd normally do. 

If serial download was blocked through it's fuse, then there's no way to recover the device.

Let me know if this was of any help.

Best regards,
Hector.

0 Kudos
Reply

1,409 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @Deadolus ,

I hope you're doing well! Could you help me with the following?:

1. Could you please share your complete .csf file?

2. Help me confirming HAB and DCD blocks:

  • Since U-Boot v2017.01 a build log containing the U-Boot and DCD addresses and lengths is available just after building U-Boot:
    $ cat u-boot-dtb.imx.log
    Let me know the output for the previous command. The resulting blocks for HAB and DCD should be the only ones included in the Authenticate Data section for your .csf file.

Also, for i.MX7D, due to an erratum, the UUU download DCD address (0x00911000) is not aligned with the DCD address in u-boot (0x00910000), there are two options:
• use the command to specify the DCD address, uuu boot -f u-boot-signed.imx -dcdaddr 0x00911000
• change the csf DCD address when signing the u-boot: Blocks = 0x00911000 0x0000002c 0x000001c4 "u-boot-dtb.imx.

I'd recommend reviewing the UUU documentation Section 5.2 HABv4 closed chip support (https://github.com/nxp-imx/mfgtools/releases/download/uuu_1.5.125/UUU.pdf)

Regarding the special bootloader to recover a closed/bricked device, I'm currently researching the topic in order to give you any possible solution. Thank you.

Best regards,
Hector.

0 Kudos
Reply

1,364 Views
Deadolus
Contributor II

Hi hector,

Here's the output from u-boot (compiled via yocto):

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 487520 Bytes = 476.09 KiB = 0.46 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 0x877ff400 0x00000000 0x00074c00
DCD Blocks: 0x0000002c 0x00910000 0x000001c4

here's my normal csf file.

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF] # use defaults from header

[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 BOOTLOADER_SIZE "u-boot.imx"

 

 

I tried to create a special rescue image with this csf file:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF] # use defaults from header

[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
#Blocks = 0x877ff400 0x00000000 0x00070c00 "u-boot.imx"
#Blocks = 0x877ff400 0x00000000 BOOTLOADER_SIZE "u-boot.imx"
# 3 sections to verify signature over:
# IVT + Boot Data: Offset 0, Len 0x2c (Fixed)
# DCD: Offset 0x2C, Len 0x1c4 (From imx.log file emitted by U-Boot build)
# Image Data: Offset 0xc00, Len <rest of image>
#e.g. for u-boot.imx of size 0x00074c00, log:
#752:HAB Blocks: 0x877ff400 0x00000000 0x00074c00
#753:DCD Blocks: 0x0000002c 0x00910000 0x000001c4
#Blocks = 0x877ff400 0x00000000 0x0000002c "u-boot.imx",\
# 0x00910000 0x0000002c 0x000001c4 "u-boot.imx",\
# 0x87800000 0x00000c00 0x00074000 "u-boot.imx"
Blocks = 0x877ff400 0x00000000 0x0000002c "u-boot.imx",\
0x00910000 0x0000002c 0x000001c4 "u-boot.imx",\
0x87800000 0x00000c00 0x00074000 "u-boot.imx"

I think I set up everything correctly:

U-boot works in open mode, in closed mode it worked with a well signed bootloader.
With a differently signed bootloader I now have the bricked device.

I also stumbled over the imx7d errata before and have added the dcdaddr manually,
but I always get:

Wait for Known USB Device Appear...
>Start Cmd:SDP: boot -f Gateway_F5_00_RS_00_TS_000_geberit-1.46-19-g039f51a_u-boot_signed.imx -dcdaddr 0x00911000
New USB Device Attached at 1:433
1:433>Fail HID(W):LIBUSB_ERROR_TIMEOUT(2.006s)

Error: HID(W):LIBUSB_ERROR_TIMEOUT

 

Which seems to inidicate that the flashing did not succeed and HAB did not accept my bootloader.

I guess this is because, as indicated by the links, I have to tweak a working bootloader for HAB to accept it via hab_failsafe mode.
Have you had success in getting some information from within your support sytem on how to actually create such a special bootloader?

0 Kudos
Reply

1,253 Views
kef2
Senior Contributor V

Yes, you need special csf for secure uuu boot.

As @hector_delgado mentioned, you need to change DCD start address in CSF to 0x911000, though U-boot log claims it is 910000

 

Blocks = 0x877ff400 0x00000000 0x0000002c "u-boot.imx",\
0x00910000 0x0000002c 0x000001c4 "u-boot.imx",\
0x87800000 0x00000c00 0x00074000 "u-boot.imx"

 

 

Actually you don't need to eliminate DCD block from original image @0x877ff400. It could be like this:

 

Blocks = 0x877ff400 0x00000000 0x0074c000 "u-boot.imx",\
0x00911000 0x0000002c 0x000001c4 "u-boot.imx"

 

 

Edit: you don't need to call any scripts for uuu, just special signed image with different csf. Using older usbimx loader indeed would requires zeroing DCD address in IVT and using default DCD address in RAM 910000. So uuu, usdbimx and native boot do require differently signed U-Boot images.

0 Kudos
Reply