Difference between revisions of "F00D"
Line 7: | Line 7: | ||
* [[Private:Sm modules]] | * [[Private:Sm modules]] | ||
* [[Private:Ernie Secure]] | * [[Private:Ernie Secure]] | ||
− | |||
== Reset == | == Reset == | ||
Line 30: | Line 29: | ||
| 0xE0050000 || [[Private:Bigmac]] | | 0xE0050000 || [[Private:Bigmac]] | ||
|- | |- | ||
− | | 0xE0058000 || [[Private:Key Ring Base]] | + | | 0xE0058000 || [[Private:Keyring Regs]] [[Private:Key Ring Base]] |
|- | |- | ||
| 0xE0070000 || ? | | 0xE0070000 || ? |
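Review bot: on the 0xE0058000 row, the new cell puts [[Private:Keyring Regs]] directly next to [[Private:Key Ring Base]] with no separator or explanation, so the rendered table shows the two page names run together and does not say which one describes the device at this address. Suggest separating the two links (a comma or a line break), or dropping [[Private:Key Ring Base]] from the cell if the new page is meant to replace it.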
Revision as of 16:35, 4 September 2018
Related pages
- Private:F00D basics
- Private:Secure Kernel
- Private:Second Loader
- Private:Sm modules
- Private:Ernie Secure
Reset
Although the MeP architecture docs specify that with EVM=0 the reset/NMI vector base is at 0x00000000, the vector base is observed to be at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior, and the vector base remapping might be done when the bootrom is unmapped.
Devices
Address | Device |
---|---|
0xE0000000 | Private:Communication Ports |
0xE0010000 | F00D Reset |
0xE0020000 | ? |
0xE0030000 | Private:Key Ring Controller |
0xE0040000 | Private:Math Processor |
0xE0050000 | Private:Bigmac |
0xE0058000 | Private:Keyring Regs, Private:Key Ring Base |
0xE0070000 | ? |
0xE00C0000 | ? |
0xE0010000
Address | Description |
---|---|
0xE0010000 | TZ sets this to 1, then 0, and F00D appears to reset |
0xE0010004 | Read by second_loader, which checks it against masks & 5 and & 8. Read by TZ after setting reset, which checks bit 0x80000000. Seen as 0x80000005. Writing values to it from F00D does nothing. |
0xE0020000
Address | Description |
---|---|
0xE0020000 | second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. Bit 0x10000 allows ARM to reset F00D. Bit 0x1 sets bootrom to load secure_kernel. |
0xE0020004 | Read by second_loader and checked against 0x8000001F. Also set by second_loader when setting 0x30003 above. |
0xE0020020 | Checked for 0 by second_loader |
0xE0020100 | 256-bit key from slot 0x602 is copied here by second_loader |
0xE0070000
Address | Description |
---|---|
0xE0070000 | Seen as 1. Set 0, then 1 after writing to 0xE0070008. |
0xE0070008 | Set to 0x020E020F in second_loader, eMMC related? |
0xE007000C | Seen as 2 |
0xE0070014 | Set to 6 under some condition in second_loader |