- Background
- i.MX 6/7/8MQ/8MM
- i.MX 8MNano/ 8MPlus
- Prepare&Program images to SD Card
- 1- Prepare primary and secondarybootloader
- 2- (i.MX 6/7/8MQ/8MM) Program primary, secondary bootloader and SIT table to SD
- 2- (i.MX 8MN/8MP) Program primary, secondary bootloader to SD and Secondary table offset to fuses
- 3- Enable secondary boot mode
- (i.MX 6/7/8MQ/8MM) Enable PERSISTENT_SECONDARY_BOOT bit in SRC register
- Corrupt IVT of the primary image
- Boot unsigned/improperly signed primary image in Closed chip
- Example
- i.MX 6Q
- SRC register
- Bootloader (u-boot)
- Known Issues
Background
The ROM supports the redundant boot for an expansion device (SD/eMMC). The primary or secondary image is selected, depending on the PERSIST_SECONDARY_BOOT setting. Both boot images need to be stored on the same flash (boot source). In the scenario when either primary image is corrupted, or, the chip is in closed mode (Security Configuration Enabled) and there are failures during primary image authentication, the boot ROM turns on the PERSIST_SECONDARY_BOOT bit and performs a software reset.
NOTE: In the Security Reference Manual/Reference Manual redundant boot or secondary boot are the same - meaning the ROM has the capability to choose which image to select from the 2 images located on the same flash device.
NOTE: The i.MX 8/8X family of processors use a different container format for Secondary boot and is not discussed here.
i.MX 6/7/8MQ/8MM
If the PERSIST_SECONDARY_BOOT setting is 0, the boot ROM uses the address for the primary image.
If the PERSIST_SECONDARY_BOOT setting is 1, the boot ROM reads the secondary image table from the address on the boot media and uses the address specified in the table for the secondary image.
| Reserved (chipNum) |
| Reserved (driveType) |
| tag |
| firstSectorNumber |
| Reserved (sectorCount) |
Table 1. Secondary image table format
Where:
- The tag is used as an indication of the valid secondary image table. It must be 0x00112233
- The firstSectorNumber is the first 512-byte sector number of the secondary image
NOTE: The offset to the secondary image is calculated from the start of primary image in the flash and not the start of the flash.
For example: In i.MX6, if the secondary image offset is expected to be 4KB (0x1000), then firstSectorNumber = (0x1000 - 0x400 (primary image offset in flash))/512
For the secondary image support, the primary image must reserve the space for the secondary image table. Refer to the figures below for the layout of the typical structure on an expansion device for the respective part.
| i.MX 6/7 | i.MX 8MQ/8MM |
|---|---|
 |  |
i.MX 8MNano/ 8MPlus
In the i.MX 8MNano and i.MX 8MPlus processors, if booting from the device selected by the boot configuration pin or eFuse (Primary Device) fails, ROM will try to boot from the Secondary Image, the offset is relative to the beginning of the boot device (which is provisioned in the fuse IMG_CNTN_SET1_OFFSET).
The fuse IMG_CNTN_SET1_OFFSET (0x490[22:19]) is defined as follows:
- The secondary boot is disabled if the fuse value is bigger than 10, n = fuse value bigger than 10.
- n == 0: Offset = 4MB
- n == 2: Offset = 1MB
- Others & n <= 10 : Offset = 1MB*2^n
For the primary image offset and IVT offset details, please refer to the Primary image offset and IVT offset in the RM of the respective part.
The secondary image offset is specified by fuses, please refer to the fuse map chapter in the RM of the respective part.
Prepare & Program images to SD Card
1- Prepare primary and secondary bootloader
- Build two boot images with varying output to see the two different bootloaders boot up.
- Different timestamp
- Different output print etc..
- Rename bootloaders as u-boot.primary and u-boot.secondary for i.MX6/7 and flash.primary and flash.secondary for i.MX 8M devices.
- On a closed device, another step will be utilized to sign the images.
NOTE: The i.MX 8MQ (850D) Boot ROM processes the HDMI Firmware only once out of POR. Thus, the secondary image should not contain the HDMI Firmware.
2- (i.MX 6/7/8MQ/8MM) Program primary, secondary bootloader and SIT table to SD
The process described here programs the Secondary bootloader after the Primary bootloader at 0x1000 boundary.
The script to prepare and program the primary, secondary boot images and SIT table is attached.
- Analyze the primary image's size to align
- Prepare SIT table
- SIT Table:
#Reserved (chipNum) = 0x00000000 #Reserved (driveType) = 0x00000000 #tag = 0x00112233 #firstSectorNumber = Primary align size/512 bytes #Reserved (sectorCount) = 0x00000000
firstSectorNumber will be calculated based on the primary image's align size
- SIT Table:
- Program SIT table to SD
- i.MX 6/7
sudo dd if=sit_table of=$dev bs=512 seek=1 count=20 && sync
- i.MX 8MQ/8MM
sudo dd if=sit_table of=$dev bs=512 seek=65 count=20 && sync
- i.MX 6/7
- Program the primary image
- i.MX 6/7
sudo dd if=u-boot.primary of=$dev bs=512 seek=2 && sync
- i.MX 8MQ/8MM
sudo dd if=flash.primary of=$dev bs=1k seek=33 && sync
- i.MX 6/7
- Program the secondary image
- i.MX 6/7
sudo dd if=u-boot.secondary of=$dev bs=512 seek=<(Primary image align size/ 512) + 2> && sync
- i.MX 8MQ/8MM
sudo dd if=flash.secondary of=$dev bs=1K seek=<(Primary image align size/ 1024) + 33> && sync
- i.MX 6/7
2- (i.MX 8MN/8MP) Program primary, secondary bootloader to SD and Secondary table offset to fuses
The process described here programs the Secondary bootloader at the offset specified by the user in IMG_CNTN_SET1_OFFSET fuse.
The script to prepare and program the primary and secondary boot images is attached.
- Determine the offset at which Secondary image needs to be programmed in the boot device and program the IMG_CNTN_SET1_OFFSET fuse accordingly.
- For example: if offset required is 1MB then IMG_CNTN_SET1_OFFSET = n = 2
- Run fuse command to program the fuse:
fuse prog 2 1 00100000
- Calculate the offset in MB based on the fuse value selected (as per equation above). Let's call it Secondary_image_offset.
- Program primary image
sudo dd if=flash.primary of=$dev bs=1k seek=32 && sync
- Program secondary image
sudo dd if=flash.secondary of=$dev bs=1K seek=<Secondary_image_offset/1024> && sync
3- Enable secondary boot mode
(i.MX 6/7/8MQ/8MM) Enable PERSISTENT_SECONDARY_BOOT bit in SRC register
In u-boot, execute the following commandmw.l <SRC_GPR10_addr> 0x40000000
Corrupt IVT of the primary image
- i.MX 6/7
sudo dd if=/dev/zero of=$dev bs=1 seek=1024 count=32 && sync
- i.MX 8MQ/8MM
sudo dd if=/dev/zero of=$dev bs=1 seek=33792 count=32 && sync
- i.MX 8MN/8MP
sudo dd if=/dev/zero of=$dev bs=1 seek=32768 count=32 && sync
- i.MX 6/7
Boot unsigned/improperly signed primary image in Closed chip
Please read Known Issues section
Example
i.MX 6Q
SRC register
Bootloader (u-boot)
U-Boot 2019.04-00695-g0ef6da0 (Apr 09 2020 - 12:23:09 -0500)
CPU: Freescale i.MX6Q rev1.6 996 MHz (running at 792 MHz)
CPU: Extended Commercial temperature grade (-20C to 105C) aC
Reset cause: POR
.
.
=> md.l 20D8044 1
020d8044: 00000000
=> mw.l 20D8044 40000000
=> md.l 20D8044 1
020d8044: 40000000
=> reset
resetting ...
U-Boot 2019.04-00695-g0ef6da0 (Apr 09 2020 - 12:41:38 -0500)
CPU: Freescale i.MX6Q rev1.6 996 MHz (running at 792 MHz)
CPU: Extended Commercial temperature grade (-20C to 105C) aC
Reset cause: POR
.
.Known Issues
1- [BootROM/HABv4] - Redundant boot support is not triggered when the first image's code is tampered
