Difference between revisions of "F00D"
Jump to navigation
Jump to search
| Line 9: | Line 9: | ||
== Reset == | == Reset == | ||
| − | Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at | + | Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped. |
== Devices == | == Devices == | ||
Revision as of 06:23, 9 August 2018
Related pages
- Private:F00D basics
- Private:Secure Kernel
- Private:Second Loader
- Private:Sm modules
- Private:Ernie Secure
Reset
Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.
Devices
| Address | Device |
|---|---|
| 0xE0000000 | Private:Communication Ports |
| 0xE0010000 | F00D Reset |
| 0xE0020000 | ? |
| 0xE0030000 | Private:Key Ring Controller |
| 0xE0040000 | Private:Math Processor |
| 0xE0050000 | Private:Bigmac |
| 0xE0058000 | Private:Key Ring Base |
| 0xE0070000 | ? |
| 0xE00C0000 | ? |
0xE0010000
| Address | Description |
|---|---|
| 0xE0010000 | TZ sets to 1 then 0 and it appears F00D resets |
| 0xE0010004 | Read by second_loader, check against mask & 5 and & 8. Read by TZ after setting reset, checks bit 0x80000000. Seen as 0x80000005. Writing values to it from f00d does nothing. |
0xE0020000
| Address | Description |
|---|---|
| 0xE0020000 | Second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. bit 0x10000 allows ARM to reset f00d. bit 0x1 sets bootrom to load secure_kernel. |
| 0xE0020004 | Read by second_loader, check against 0x8000001F, also set by second_loader when setting 0x30003 above |
| 0xE0020020 | checked for 0 by second_loader |
| 0xE0020100 | 256 bit key from slot 0x602 is copied here by second_loader |
0xE0070000
| Address | Description |
|---|---|
| 0xE0070000 | Seen as 1. Set 0, then 1 after writing to 0xE0070008. |
| 0xE0070008 | Set to 0x020E020F in second_loader, eMMC related? |
| 0xE007000C | Seen as 2 |
| 0xE0070014 | Set to 6 under some condition in second_loader |