Get best of the week

S805-B processor software protection (secured boot)

We will talk about a way to protect software that is implemented in the processor itself. For experiments, I chose the Comigo Quattro multimedia console. The goal is to launch your Linux kernel.

Short review


At first glance, the console software is a clone of Android. Access over ssh is closed. It works only with a valid subscription from a distributor. Stock firmware is fully encrypted. Everything is dull, like in a tank.

Training


First of all, I got acquainted in detail with the technical description of the processor. Two things pleased me: the processor had a UART interface and it supported loading the system from different sources (USB, SD, etc.), which could be configured externally using the configuration register. On board the console there was also a place for an mSD card, but the connector was not soldered. In order to find the spots of the configuration register and the UART pins, I had to solder the processor and ring the tracks. When all the contacts were found, I connected the UART adapter and launched the console. The screen flashed U-Boot. The system boot was interrupted by pressing keys and U-Boot entered the input mode, but did not react to any keys except enter. And this loophole was also closed.

U-boot
QA5:A;SVN:B72;POC:17F;STS:0;BOOT:0;INIT:0;READ:0;CHECK:0;PASS:0;
no sdio debug board detected
TE : 1583722
BT : 19:30:15 Apr 13 2015
PMU:NONE
##### VDDEE voltage = 0x044c

CPU clock is 792MHz

DDR mode: 32 bit mode
DDR size: 1GB
DDR check: Pass!
DDR clock: 792MHz with 2T mode
DDR pll bypass: Disabled
DDR init use : 13644 us

HHH
Boot From SDIO C
SD_boot_type: 00000002
card_type: 00000003
0x0000009f
Aml log : M8-R2048 TPL pass!
ucl decompress...pass
0x12345678
Boot from internal device 1st tSD/fSD on SDIO C

TE : 1867612

System Started


==================COMIGO BOOTLOADER==================
==========12fc92:S:Enc (Apr 13 2015 - 19:29:55)==========

clr h-ram
DRAM:  1 GiB
relocation Offset is: 2febc000
show partition table:
part: 0, name :       logo, size : 800000
part: 1, name : recovery_bak, size : 1000000
part: 2, name :   recovery, size : 1000000
part: 3, name :       boot, size : 1000000
part: 4, name :     system, size : 32000000
part: 5, name :       data, size : 8c000000
part: 6, name :      cache, size : 20800000
part: 7, name :    sec_gpt, size : end
aml_card_type=0x100
MMC:   out reg=c1108058,value=fffcf800
out reg=c1108058,value=fffcfa00
[mmc_register] add mmc dev_num=0, port=1, if_type=6
[mmc_register] add mmc dev_num=1, port=2, if_type=6
SDIO Port B: 0, SDIO Port C: 1
power init
out reg=c110804c,value=dfffffff
IR init done!
register usb cfg[0][1] = 3ff6fcf4
register usb cfg[2][0] = 3ff72a6c
NAND:  EMMC BOOT: not init nand
do not init nand : cause boot_device_flag without nand
get_boot_device_flag: init_ret -1
get_boot_device_flag EMMC BOOT:
init_part
Emmckey: Access range is illegal!
Emmckey: Access range is illegal!
Unknown partition type on device 'SDIO Port C'
Device 'SDIO Port C' wp size=8388608 port=2
[mmc_init] SDIO Port C:1, if_type=6, initialized OK!
mmc_device_init
mmc_get_partition_table
Start mmc_get_partition_table
Partition table get from SPL is :
        name                        offset              size              flag
===================================================================================
   0: pri_gpt                            0            800000                  0
   1: env                           800000            800000                  0
   2: reserved                     1000000           4000000                  0
   3: logo                         5000000            800000                  1
   4: recovery_bak                 5800000           1000000                  1
   5: recovery                     6800000           1000000                  1
   6: boot                         7800000           1000000                  1
   7: system                       8800000          32000000                  1
   8: data                        3a800000          8c000000                  4
   9: cache                       c6800000          20800000                  2
  10: sec_gpt                     eb800000            800000                  0
mmc read lba=0x8000, blocks=0x1
mmc read lba=0x8001, blocks=0x1
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
i=0,register --- emmc_key
MMC BOOT, emmc_env_relocate_spec : env_relocate_spec 59
set_storage_device_flag: store 2
[imgread]Secure kernel sz 0x5b36a0
Aml log : M8-R2048 IMG pass!
vpu clk_level in dts: 3
set vpu clk: 182150000Hz, readback: 182150000Hz(0x701)
Net:   Meson_Ethernet
init suspend firmware done. (ret:0)
cvbs trimming.1.v5: 0xa0, 0x0
upgrade_comigo_environment: expect 6 active 6
init_comigo_environment
type:flash,start to read mac...
device init start
aml_keys: version 0 can not be init 3ff72c68
current storer:emmc_key
flash init key ok!!
init flash success
all key names list are(ret=18):
uuid
serialno
mac
4:3:3:0:3:a:4:2:3:3:3:a:3:3:3:9:3:a:3:0:3:2:3:a:3:1:4:6:3:a:3:4:3:9:
mac is: 43:30:3a:42:33:3a:33:39:3a:30:32:3a:31:46:3a:34:39:
read ok!!
read mac success,mac=C0:B3:39:02:1F:49
androidboot.mac is exist in bootargs, mac=C0:B3:39:02:1F:49 androidboot.serialno=A0652602C5706198 androidboot.uuid=4a3842462f47694d364b6f544d3236596b34374e3977
BOARD VERSION=2
reboot_mode=charging
hdcp get form storage medium: auto
don't found keyname,uboot_key_read:1634
prefetch hdcp keys from auto failed
AKSV invalid
hdmi tx power init
mode = 6  vic = 4
set HDMI vic: 4
mode is: 6
viu chan = 1
config HPLL
config HPLL done
reconfig packet setting done
key save in emmc
key size=44
the key name is :
the key data is :4a3842462f47694d364b6f544d3236596b34374e3977
key size=32
the key name is :serialno
the key data is :41303635323630324335373036313938
A0652602C5706198
efuse version is not selected.
Hit ENTER key to stop autoboot:  1 tstc enter

exit abortboot: 1
COMIGO#


It was impossible to do anything with the original U-Boot at this stage, and I decided to check the boot from the mSD card. To do this, I soldered the connector and connected a pair of contacts of the configuration register with the mass, so that the processor loaded the system from the card. The new U-Boot was from the experimental board ODROID-C, which was based on the same processor.





Having collected all this, I inserted the SD card, turned on the console and ... I saw this:

SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;

And this text was repeated every second again and again. The processor was not going to load my U-Boot at all and it upset me.

Search for a reason


It became clear to me that secured boot was activated in the processor and it checked the code for authenticity before starting it. The CHECK: FFFFBF00 parameter indicated that the code downloaded from the mSD card more than completely for some reason did not suit the processor. For comparison, the download of the original began in turn like this:

QA5:A;SVN:B72;POC:17F;STS:0;BOOT:0;INIT:0;READ:0;CHECK:0;PASS:0;

What did the processor check? I was hoping to find this answer in the U-Boot courses for AMLogic. After a short search, I saw that the SPL part of U-Boot ends up with such a structure

   typedef struct {
      unsigned int   nSizeH;         ///4@0
      struct st_secure{
         unsigned int   nORGFileLen;  ///4@4
         unsigned int   nSkippedLen;  ///4@8
         unsigned int   nHASHLength;  ///4@12
         unsigned int   nAESLength;   ///4@16
         unsigned char   szHashKey[32];//32@20
         unsigned char   szTmCreate[24];   //24@52
         unsigned char   szReserved[60];   //60@76
      }secure; //136@136
      unsigned char   szAES_Key_IMG[60];//60@136
      unsigned char   szTmCreate[48];   //48@196
      unsigned int   nSizeT;         ///4@244
      unsigned int   nVer;           ///4@248
      unsigned int   unAMLID;        ///4@252
   }st_aml_chk_blk; //256

A small digression. Two-stage system boot is often used on embedded hardware. Those. The processor ROM first loads a small part of the code (the so-called SPL) and transfers control to it. That, in turn, after the main settings, loads the second, most (TPL) and transfers control to it. Well, after final settings, TPL loads the kernel and starts it.

Looking ahead, I’ll say that the SPL itself consists of 32 KB, at the end of which is the st_aml_chk_blk structure, which in decrypted form looks like this:


Therefore, the processor uses this data block to check the SPL.

Looking for a solution


To get the processor to load my U-Boot, I tried many options. But all of them did not bring the desired result - the processor stubbornly issued CHECK: FFFFBF00. I gradually came to the conclusion that the protection was 100% done and there were no holes.

After another unsuccessful attempt, I left the prefix and went to the kitchen (for tea, of course), thinking about connecting the JTAG, and when I returned, I was waiting for this result:

SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:0;PASS:1;
-----------------------------------------------------------------------
* Welcome to Hardkernel's ODROID-C... (Built at 19:33:00 Dec  8 2014) *
-----------------------------------------------------------------------
CPU : AMLogic S805
MEM : 1024MB (DDR3@792MHz)
BID : <Unknown>
S/N :
***** Warning!! *****************************************************
* This board have not been autorized or product keys are not valid. *
* Please contact with Hardkernel or your distributor                *
*********************************************************************

Oh how! After some time (it was about 40 seconds), the processor returned CHECK: 0; PASS: 1; and loaded my U-boot. Of course, it hung afterwards, but it did not matter, access to the system was obtained.

Analysis


First of all, I wrote a program that dumped the ROM of the processor and fuse (this is a piece of memory in the processor that can only be flashed once. This is where the AES, public RSA keys and some processor configurations are stored). Having thus obtained the AES key, I decrypted the original U-Boot and analyzed the ROM. The principle of loading the SPL was as follows: ROM first read the configuration from the fuse and save it as a variable. Next, he loaded 32 KB from a flash drive into memory and looked what the configuration showed for a signature check and encryption. In our case, ROM then read the exponent e and module N from the fuse, collected PublicKey (e, N) with which it decrypted st_aml_chk_blk, then resolved sha2 from SPL without st_aml_chk_blk and compared what happened with the key from st_aml_chk_blk.And in the event of a discrepancy, he did not take further action (it is not possible to make a new signature, since it is impossible to register a new RSA public key in fuse, well, of course, we do not have a distributor's private key either). So what made the processor execute my SPL? The signature didn’t match in any way ...
To support RSA, the ROM included (with high probability) the PolarSSL library (having examined ROM, I found parallels to the resources of this library). But he supported the AES algorithm at the hardware level, if my memory serves me right. ROM controlled free memory using its own mechanism (something like malloc and memfree). Before calling functions from the PolarSSL library, the ROM allocated a certain piece of memory to it, but in some cases did not always release it. For example, when the RSA function fell off due to the inability to decrypt the invalid block that I used in my SPL in this attempt. What happened? ROM allocated memory, tried to decrypt my fake signature, forgot to free the memory, threw a CHECK: FFFFBF00 error and the cycle repeated. At one point, another piece of new memory erased a variable from fuse,which ROM saved at the very beginning. In the next cycle, this variable already had a value of 0, which meant: just load everything you have and run it.
Further, in principle, there was nothing interesting. I redid the original U-Boot, removed the TPL check, the bootm command kernel check, and activated Hush Interpreter so that it would respond to the commands. Having decrypted the kernel and assembled the minimum on BusyBox, I launched Linux from the redone U-Boot, which started to load in 40 seconds.

Original U-Boot with Terminal On
==================COMIGO BOOTLOADER==================
==========395456:S:Enc (Nov 03 2015 - 19:33:53)==========

clr h-ram
DRAM:  1 GiB
relocation Offset is: 2febc000
show partition table:
part: 0, name :       logo, size : 800000
part: 1, name : recovery_bak, size : 1000000
part: 2, name :   recovery, size : 1000000
part: 3, name :       boot, size : 1000000
part: 4, name :     system, size : 32000000
part: 5, name :       data, size : 8c000000
part: 6, name :      cache, size : 20800000
part: 7, name :    sec_gpt, size : end
aml_card_type=0x100
MMC:   out reg=c1108058,value=fffffdff
out reg=c1108058,value=ffffffff
[mmc_register] add mmc dev_num=0, port=1, if_type=6
[mmc_register] add mmc dev_num=1, port=2, if_type=6
SDIO Port B: 0, SDIO Port C: 1
power init
out reg=c110804c,value=dfffffff
IR init done!
register usb cfg[0][1] = 3ff6fd14
register usb cfg[2][0] = 3ff72a8c
NAND:  CARD BOOT: not init nand
do not init nand : cause boot_device_flag without nand
get_boot_device_flag: init_ret -1
get_boot_device_flag CARD BOOT:
BOOT FROM CARD? env_relocate_spec
SF: Unsupported manufacturer 00
Failed to initialize SPI flash at 0:2
Unknown command 'nand' - try 'help'
init_part
Emmckey: Access range is illegal!
Emmckey: Access range is illegal!
Unknown partition type on device 'SDIO Port C'
Device 'SDIO Port C' wp size=8388608 port=2
[mmc_init] SDIO Port C:1, if_type=6, initialized OK!
mmc_device_init
mmc_get_partition_table
Start mmc_get_partition_table
Partition table get from SPL is :
        name                        offset              size              flag
===================================================================================
   0: pri_gpt                            0            800000                  0
   1: env                           800000            800000                  0
   2: reserved                     1000000           4000000                  0
   3: logo                         5000000            800000                  1
   4: recovery_bak                 5800000           1000000                  1
   5: recovery                     6800000           1000000                  1
   6: boot                         7800000           1000000                  1
   7: system                       8800000          32000000                  1
   8: data                        3a800000          8c000000                  4
   9: cache                       c6800000          20800000                  2
  10: sec_gpt                     eb800000            800000                  0
mmc read lba=0x8000, blocks=0x1
mmc read lba=0x8001, blocks=0x1
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
i=0,register --- emmc_key
Device: SDIO Port C
Manufacturer ID: 0
OEM: 0
Name: ETran Speed: 25000000
Rd Block Len: 512
MMC version 4.0
High Capacity: Yes
Capacity: 3959422976
Boot Part Size: 2097152
Bus Width: 4-bit
MMC BOOT, emmc_env_relocate_spec env_relocate_spec 77
set_storage_device_flag: store 3
Err imgread(L129):Fmt unsupported!genFmt 0x0 != 0x3
check dts: FDT_ERR_BADMAGIC, load default vpu parameters
vpu clk_level = 3
set vpu clk: 182150000Hz, readback: 182150000Hz(0x701)
Net:   Meson_Ethernet
msg:====>upgrade_step=0<=====
init_part
[mmc_init] SDIO Port B:0, if_type=7, initialized OK!
Device: SDIO Port B
Manufacturer ID: 0
OEM: 0
Name: Tran Speed: 20000000
Rd Block Len: 512
SD version 2.0
High Capacity: Yes
Capacity: 15523119104
Boot Part Size: 0
Bus Width: 4-bit

** Unable to use mmc 0:1 for fatload **
init suspend firmware done. (ret:0)
cvbs trimming.1.v5: 0xa0, 0x0
upgrade_comigo_environment: expect 9 active 9
init_comigo_environment
type:flash,start to read mac...
device init start
aml_keys: version 0 can not be init 3ff72c88
current storer:emmc_key
flash init key ok!!
init flash success
all key names list are(ret=18):
uuid
serialno
mac
4:3:3:0:3:a:4:2:3:3:3:a:3:3:3:9:3:a:3:0:3:1:3:a:3:3:3:5:3:a:3:0:3:5:
mac is: 43:30:3a:42:33:3a:33:39:3a:30:31:3a:33:35:3a:30:35:
read ok!!
read mac success,mac=C0:B3:39:01:35:05
androidboot.mac is exist in bootargs, mac=C0:B3:39:01:35:05 androidboot.serialno=A0651002B9205401 androidboot.uuid=48304142556a6c66367a5450774c6d6671692f737241
BOARD VERSION=2
reboot_mode=charging
hdcp get form storage medium: auto
don't found keyname,uboot_key_read:1634
prefetch hdcp keys from auto failed
hdmi tx power init
mode = 6  vic = 4
set HDMI vic: 4
mode is: 6
viu chan = 1
config HPLL
config HPLL done
reconfig packet setting done
Err imgread(L526):head magic error
There is no valid bmp file at the given address
key save in emmc
don't found keyname,uboot_key_read:1634
read error!!
Saving Environment to eMMC...
BOOT FROM CARD?
SF: Unsupported manufacturer 00
Failed to initialize SPI flash at 0:2
Unknown command 'nand' - try 'help'
Device: SDIO Port C
Manufacturer ID: 0
OEM: 0
Name: ETran Speed: 25000000
Rd Block Len: 512
MMC version 4.0
High Capacity: Yes
Capacity: 3959422976
Boot Part Size: 2097152
Bus Width: 4-bit
MMC BOOT, emmc_saveenv saveenv 119
mmc save env ok
key size=44
the key name is :
the key data is :48304142556a6c66367a5450774c6d6671692f737241
key size=32
the key name is :serialno
the key data is :41303635313030324239323035343031
A0651002B9205401
efuse version is not selected.
Hit ENTER key to stop autoboot:  1 tstc enter

WELCOME>
WELCOME>version

395456:S:Enc (Nov 03 2015 - 19:33:53)
arm-none-eabi-gcc (Sourcery G++ Lite 2010q1-188) 4.4.1
GNU ld (Sourcery G++ Lite 2010q1-188) 2.19.51.20090709
WELCOME>



ODROID kernel boot with new TPL
U-boot-00000-ge6d5633(odroidc@e6d5633f) (Feb 12 2016 - 19:16:57)

I2C:   clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[20]=0
set output val 0xc1108058[20]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
out reg=c1108058,value=ffcfffff
set output en 0xc1108054[20]=0
set output val 0xc1108058[20]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffefffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
ready
DRAM:  1 GiB
relocation Offset is: 2ff18000
MMC:   SDCARD: 0, eMMC: 1
IR init is done!
*** Warning - bad CRC, using default environment

mmc save env ok
vpu clk_level = 3
set vpu clk: 182150000Hz, readback: 182150000Hz(0x701)
mode = 6  vic = 4
set HDMI vic: 4
mode is: 6
viu chan = 1
config HPLL
config HPLL done
reconfig packet setting done
MMC read: dev # 0, block # 33984, count 12288 ... 12288 blocks read: OK
============================================================
Vendor: Man 035054 Snr da23a8bd Rev: 3.0 Prod: SL16G
            Type: Removable Hard Disk
            Capacity: 14804.0 MB = 14.4 GB (30318592 x 512)
------------------------------------------------------------
Partition     Start Sector     Num Sectors     Type
    1                16065         1007936       2
============================================================
MMC read: dev # 0, block # 17600, count 16384 ... 16384 blocks read: OK
## ANDROID Format IMAGE
## Booting kernel from Legacy Image at 12000000 ...
   Image Name:   Linux-3.10.33
   Image Type:   ARM Linux Kernel Image (lzo compressed)
   Data Size:    5012513 Bytes = 4.8 MiB
   Load Address: 00208000
   Entry Point:  00208000
   Verifying Checksum ... OK
    Ramdisk start addr = 0x124c8800, len = 0x14b29a
    Flat device tree start addr = 0x12614000, len = 0x45e1 magic=0xedfe0dd0
   Uncompressing Kernel Image ... OK
uboot time: 56206396 us.
Using machid 0xf81 from environment
From device tree /memory/ node aml_reserved_end property, for relocate ramdisk and fdt, relocate_addr: 0x5154001
   Loading Ramdisk to 05008000, end 0515329a ... OK
   Loading Device Tree to 05000000, end 050075e0 ... OK

Starting kernel ...

[    0.000000@0] Booting Linux on physical CPU 0x200
[    0.000000@0] Linux version 3.10.33-00262-g02f0572 (jenkins@build) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #1 SMP PREEMPT Mon Feb 22 12:44:47 KST 2016
[    0.000000@0] CPU: ARMv7 Processor [410fc051] revision 1 (ARMv7), cr=10c5387d
[    0.000000@0] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000@0] Machine: ODROIDC, model: AMLOGIC
[    0.000000@0] physical memory start address is 0x200000
[    0.000000@0] reserved_end is e3fffff
[    0.000000@0]
[    0.000000@0] Total memory is 1022 MiB
[    0.000000@0] Reserved low memory from 0x06000000 to 0x0e3fffff, size: 132 MiB
[    0.000000@0]        mesonfb0(low)           : 0x06100000 - 0x07900000 ( 24 MiB)
[    0.000000@0]        mesonfb1(low)           : 0x07900000 - 0x07a00000 (  1 MiB)
[    0.000000@0]        deinterlace0(high)      : 0x3df00000 - 0x40000000 ( 33 MiB)
[    0.000000@0]        mesonstream0(low)       : 0x07a00000 - 0x09a00000 ( 32 MiB)
[    0.000000@0]        vdec0(low)      : 0x09a00000 - 0x0da00000 ( 64 MiB)
[    0.000000@0]        ppmgr0(high)    : 0x3bf00000 - 0x3df00000 ( 32 MiB)
[    0.000000@0]        amvideocap0(low)        : 0x0da00000 - 0x0e400000 ( 10 MiB)
[    0.000000@0] cma: CMA: reserved 8 MiB at 2f000000
[    0.000000@0] cma: Found region@0, memory base 0, size 42 MiB
[    0.000000@0] cma: CMA: reserved 44 MiB at 2c400000
[    0.000000@0] Memory policy: ECC disabled, Data cache writealloc
[    0.000000@0] Meson chip version = RevA (1B:A - 0:B72)
[    0.000000@0] PERCPU: Embedded 8 pages/cpu @c1318000 s8832 r8192 d15744 u32768
[    0.000000@0] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 206096
[    0.000000@0] Kernel command line: root=/dev/mmcblk0p2 rw console=ttyS0,115200n8 no_console_suspend
[    0.000000@0] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000@0] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000@0] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000@0] Memory: 64MB 16MB 731MB = 811MB total
[    0.000000@0] Memory: 755256k/755256k available, 75208k reserved, 201728K highmem
[    0.000000@0] Virtual kernel memory layout:
[    0.000000@0]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000@0]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000@0]     vmalloc : 0xf0000000 - 0xff000000   ( 240 MB)
[    0.000000@0]     lowmem  : 0xc0000000 - 0xef800000   ( 760 MB)
[    0.000000@0]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000@0]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000@0]       .text : 0xc0008000 - 0xc0864328   (8561 kB)
[    0.000000@0]       .init : 0xc0865000 - 0xc089b280   ( 217 kB)
[    0.000000@0]       .data : 0xc089c000 - 0xc08fba60   ( 383 kB)
[    0.000000@0]        .bss : 0xc08fba60 - 0xc0b8b0c4   (2622 kB)
[    0.000000@0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000@0] Preemptible hierarchical RCU implementation.



I am almost sure that this ROM error will be observed in the entire S805-B series, and maybe in future versions.

For those who wish to experiment, here is the original dump from emmc .

Source: https://habr.com/ru/post/undefined/

More articles:


All Articles