Bootloader: Difference between revisions
* Then the instruction/data access permissions for the MPU regions are set up.
* Lastly, the bitmask 0x0005707d is ORed into the cp15 control register.
== Boot9 main() ==
The following functions are called, in order: LT_ffff2024(), LT_ffff1ff8(), pxi_init(), rsa_init(), initialize_rsakeyslots_pubk(), crypto_initialize(), and aesengine_reset().
Then AES keyslot 0x3F is set up: aesengine_setnormalkey(0x3f, 5, ptr) is called, where ptr is 0xffffd6e0 on retail units and 0xffffd700 on dev units (selected by a CFG_UNITINFO check). Then, essentially, aesengine_setctr(5, ptr+0x10) is executed.
Then AES keyslot 0x3f is selected.
Then otp_decrypt(sp+4), otp_verify(sp+4) and initialize_consoleunique_itcm(sp+4, 0x07ffb800) are called in that order. If any of them returns zero, it immediately jumps to the code that sets ptr to 0x10012000 (the raw OTP); only when all of them return non-zero is ptr set to sp+0x94.
Then initialize_aeskeys_wrap(ptr, 0x70) is executed.
Then the 0x100-byte buffer at sp+4 is cleared to zero.
...
The NAND FIRM-boot code block is described below. Note that boot9 is basically hard-coded to use the NAND device ID, not SD.
{
timer_updatestoredstate() is called, then the AES keyslot for NAND-FIRM (0x6) is selected.
Then LT_ffff56c8() is called; if it returns non-zero, the statuscode variable is set to ~2 and it jumps to NAND_BOOTEND.
Then LT_ffff5774(0x201) is called; if it returns non-zero, the statuscode variable is set to ~1 and it jumps to NAND_BOOTEND.
Then fsdriver_setup_mmc() is called, followed by nand_findfirmpartition_loadfirm(0), whose return value becomes the statuscode variable.
Then a loop runs 8 times: for each loopindex it writes the output of get_errorcode_arrayentry_xfff005e8(loopindex) to the u8 at 0x1fffe000+0x10+loopindex. In other words, the array of 32-bit error codes for all 8 NCSD partitions, initialized by nand_findfirmpartition_loadfirm(), is copied into the array of 8-bit entries at 0x1fffe010.
NAND_BOOTEND:
Here the statuscode variable is written to the u8 at 0x1fffe000+0xc.
Then LT_ffff5690(0x201, 0x1fffe018, 0x1fffe01c) is called.
Then LT_ffff5644() is called.
Then timer_updatestoredstate() is called.
When statuscode==0 (success), it jumps to FIRMLOAD_END. Otherwise it continues to the next code block.
}
The WiFi SPI-flash FIRM-boot code block, executed only when no FIRM has been loaded successfully so far, is described below.
{
timer_updatestoredstate() is called.
Then spi_wififlash_cmdgetstatusreg(sp+0x100) is executed. When bit0 of the output u8 at sp+0x100 is clear, this code block continues; otherwise the statuscode variable is set to ~1 and it jumps to SPIFLASH_BOOTEND.
Then fsdriver_setup_wififlash() is called.
Then read_firmhdr_validate_loadfirm(0, 2) is called, and its return value becomes the statuscode variable.
SPIFLASH_BOOTEND:
Here the statuscode variable is written to the u8 at 0x1fffe000+0xe.
Then timer_updatestoredstate() is called.
When statuscode==0 (success), it jumps to FIRMLOAD_END. Otherwise it executes writenormalkey_keyslot3f() and then jumps to FIRMLOAD_FAILURE.
}
FIRMLOAD_END:
Here it calls firmhdr_getarm11_entrypoint() and firmhdr_getarm9_entrypoint(). Immediately after each call it checks whether the return value is 0; if so, it jumps to FIRMLOAD_FAILURE.
After calling initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(), it jumps to FIRMLOAD_EXIT.
FIRMLOAD_FAILURE:
Here it clears 0x3c70 bytes at 0x07ffb800 to zero (end address 0x07fff470).
Then it continues to FIRMLOAD_EXIT.
FIRMLOAD_EXIT:
Here firmboot() is called, which should never return. The instruction after this bl is a call to panic().
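The NAND -> WiFi-flash FIRM-load fallback described in the three code blocks above, as an added C model that is neither Boot9 code nor code from this page: the memory-mapped status area at 0x1fffe000 and the FIRM buffer at 0x07ffb800 become fields of a struct, and every helper the page names (LT_ffff56c8(), LT_ffff5774(), nand_findfirmpartition_loadfirm(), spi_wififlash_cmdgetstatusreg(), read_firmhdr_validate_loadfirm(), the entrypoint getters) is replaced by a result supplied in a constructed boot_env_t. The struct and field names, run_scenario() and the sample values are assumptions made for the model. It shows the u8 narrowing of the status codes (~2 lands as 0xFD, ~1 as 0xFE) and of the per-partition error codes, that only the WiFi-flash failure path runs writenormalkey_keyslot3f(), and that a zero ARM9/ARM11 entrypoint wipes the FIRM buffer without touching the keyslot before firmboot() is still reached.

```c
/* Added model, not Boot9 code: the FIRM-load fallback as a plain C function.
 * Memory-mapped state is modelled by structs; the helpers boot9 calls are
 * replaced by values in boot_env_t (names and values are assumptions). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FIRM_BUF_SIZE 0x3c70        /* 0x07ffb800 .. 0x07fff470 */

/* Results the modelled helpers would return (hypothetical field names). */
typedef struct {
    uint32_t lt56c8_ret;        /* LT_ffff56c8(): non-zero = fail */
    uint32_t lt5774_ret;        /* LT_ffff5774(0x201): non-zero = fail */
    uint32_t nand_loadfirm_ret; /* nand_findfirmpartition_loadfirm(0): 0 = ok */
    uint32_t part_err[8];       /* 32-bit error code per NCSD partition */
    uint8_t  wifi_statusreg;    /* spi_wififlash_cmdgetstatusreg() output byte */
    uint32_t spi_loadfirm_ret;  /* read_firmhdr_validate_loadfirm(0, 2): 0 = ok */
    uint32_t arm11_entry;       /* firmhdr_getarm11_entrypoint() */
    uint32_t arm9_entry;        /* firmhdr_getarm9_entrypoint() */
} boot_env_t;

/* Observable side effects of the sequence. */
typedef struct {
    uint8_t  nand_status;       /* u8 at 0x1fffe00c */
    uint8_t  spi_status;        /* u8 at 0x1fffe00e */
    uint8_t  part_errors[8];    /* u8 array at 0x1fffe010 */
    int      key3f_rewritten;   /* writenormalkey_keyslot3f() ran */
    int      firm_wiped;        /* FIRMLOAD_FAILURE cleared the buffer */
    uint8_t  firm_buf[FIRM_BUF_SIZE];
} boot_state_t;

/* Returns 1 when firmboot() is reached with a validated FIRM,
 * 0 when it is reached via FIRMLOAD_FAILURE (buffer wiped). */
int boot9_firmload(const boot_env_t *env, boot_state_t *st)
{
    uint32_t statuscode;
    int loaded = 0;

    /* NAND FIRM-boot block (keyslot 0x6 is selected here on real hardware). */
    if (env->lt56c8_ret != 0) {
        statuscode = ~2u;                       /* -> NAND_BOOTEND */
    } else if (env->lt5774_ret != 0) {
        statuscode = ~1u;                       /* -> NAND_BOOTEND */
    } else {
        /* fsdriver_setup_mmc(); nand_findfirmpartition_loadfirm(0); */
        statuscode = env->nand_loadfirm_ret;
        /* 8x u8 store: only the low byte of each 32-bit code survives. */
        for (int i = 0; i < 8; i++)
            st->part_errors[i] = (uint8_t)env->part_err[i];
    }
    /* NAND_BOOTEND: u8 store, so ~2 -> 0xFD and ~1 -> 0xFE. */
    st->nand_status = (uint8_t)statuscode;
    if (statuscode == 0)
        loaded = 1;                             /* -> FIRMLOAD_END */

    /* WiFi SPI-flash block, only when NAND produced no FIRM. */
    if (!loaded) {
        if (env->wifi_statusreg & 1) {
            statuscode = ~1u;                   /* flash busy -> SPIFLASH_BOOTEND */
        } else {
            /* fsdriver_setup_wififlash(); read_firmhdr_validate_loadfirm(0, 2); */
            statuscode = env->spi_loadfirm_ret;
        }
        st->spi_status = (uint8_t)statuscode;   /* SPIFLASH_BOOTEND */
        if (statuscode == 0)
            loaded = 1;                         /* -> FIRMLOAD_END */
        else
            st->key3f_rewritten = 1;            /* writenormalkey_keyslot3f() */
    }

    /* FIRMLOAD_END: a zero ARM11 or ARM9 entrypoint counts as failure. */
    if (loaded && env->arm11_entry != 0 && env->arm9_entry != 0) {
        /* initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(); */
        return 1;                               /* FIRMLOAD_EXIT: firmboot() */
    }

    /* FIRMLOAD_FAILURE: wipe the FIRM buffer, then firmboot() is still called. */
    memset(st->firm_buf, 0, FIRM_BUF_SIZE);
    st->firm_wiped = 1;
    return 0;                                   /* FIRMLOAD_EXIT: firmboot() */
}

/* Runs one constructed scenario on fresh state; the buffer is poisoned so a wipe shows. */
int run_scenario(boot_env_t env, boot_state_t *st)
{
    memset(st, 0, sizeof *st);
    memset(st->firm_buf, 0xAA, FIRM_BUF_SIZE);
    return boot9_firmload(&env, st);
}

int main(void)
{
    boot_state_t st;
    /* Constructed case: NAND driver init fails, WiFi flash supplies a valid FIRM. */
    int ok = run_scenario((boot_env_t){ .lt56c8_ret = 1, .arm11_entry = 1, .arm9_entry = 1 }, &st);
    printf("firm=%d nand_status=0x%02x spi_status=0x%02x key3f_rewritten=%d wiped=%d\n",
           ok, st.nand_status, st.spi_status, st.key3f_rewritten, st.firm_wiped);
    return 0;
}
```

Each scenario is one boot_env_t literal, so the four outcomes the page describes (NAND success, NAND failure rescued by WiFi flash, both sources failing, a loaded FIRM rejected for a zero entrypoint) can be checked side by side.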
== Boot Procedure ==