Difference between revisions of "F00D"

Revision as of 16:35, 4 September 2018

Related pages

Reset

Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.

Devices

Address	Device
0xE0000000	Private:Communication Ports
0xE0010000	F00D Reset
0xE0020000	?
0xE0030000	Private:Key Ring Controller
0xE0040000	Private:Math Processor
0xE0050000	Private:Bigmac
0xE0058000	Private:Keyring Regs Private:Key Ring Base
0xE0070000	?
0xE00C0000	?

0xE0010000

Address	Description
0xE0010000	TZ sets to 1 then 0 and it appears F00D resets
0xE0010004	Read by second_loader, check against mask & 5 and & 8. Read by TZ after setting reset, checks bit 0x80000000. Seen as 0x80000005. Writing values to it from f00d does nothing.

0xE0020000

Address	Description
0xE0020000	Second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. bit 0x10000 allows ARM to reset f00d. bit 0x1 sets bootrom to load secure_kernel.
0xE0020004	Read by second_loader, check against 0x8000001F, also set by second_loader when setting 0x30003 above
0xE0020020	checked for 0 by second_loader
0xE0020100	256 bit key from slot 0x602 is copied here by second_loader

0xE0070000

Address	Description
0xE0070000	Seen as 1. Set 0, then 1 after writing to 0xE0070008.
0xE0070008	Set to 0x020E020F in second_loader, eMMC related?
0xE007000C	Seen as 2
0xE0070014	Set to 6 under some condition in second_loader

@@ Line 7: / Line 7: @@
 * [[Private:Sm modules]]
 * [[Private:Ernie Secure]]
-* [[Private:Keyring]]
 == Reset ==
@@ Line 30: / Line 29: @@
 | 0xE0050000 || [[Private:Bigmac]]
 |-
-| 0xE0058000 || [[Private:Key Ring Base]]
+| 0xE0058000 || [[Private:Keyring Regs]] [[Private:Key Ring Base]]
 |-
 | 0xE0070000 || ?