🍏 📧 🖊️ S805-B处理器软件保护（安全启动） 😑 🎦 🍝

我们将讨论一种保护处理器本身中实现的软件的方法。为了进行实验，我选择了Comigo Quattro多媒体控制台。目标是启动您的Linux内核。

简短评论

乍一看，控制台软件是Android的克隆版本。通过ssh的访问已关闭。它仅适用于分销商的有效订阅。库存固件已完全加密。一切都很沉闷，就像在坦克里一样。

训练

首先，我详细了解了处理器的技术说明。有两件事令我高兴：处理器具有UART接口，它支持从不同来源（USB，SD等）加载系统，可以使用配置寄存器在外部进行配置。在控制台上，还有一个用于放置mSD卡的位置，但未焊接连接器。为了找到配置寄存器和UART引脚的位置，我必须焊接处理器并绕线。找到所有联系人后，我连接了UART适配器并启动了控制台。屏幕闪烁U-Boot。按下键中断了系统启动，并且U-Boot进入了输入模式，但除了Enter键之外，对其他任何键均无反应。而且这个漏洞也被关闭了。

U型靴

QA5:A;SVN:B72;POC:17F;STS:0;BOOT:0;INIT:0;READ:0;CHECK:0;PASS:0;
no sdio debug board detected
TE : 1583722
BT : 19:30:15 Apr 13 2015
PMU:NONE
##### VDDEE voltage = 0x044c

CPU clock is 792MHz

DDR mode: 32 bit mode
DDR size: 1GB
DDR check: Pass!
DDR clock: 792MHz with 2T mode
DDR pll bypass: Disabled
DDR init use : 13644 us

HHH
Boot From SDIO C
SD_boot_type: 00000002
card_type: 00000003
0x0000009f
Aml log : M8-R2048 TPL pass!
ucl decompress...pass
0x12345678
Boot from internal device 1st tSD/fSD on SDIO C

TE : 1867612

System Started


==================COMIGO BOOTLOADER==================
==========12fc92:S:Enc (Apr 13 2015 - 19:29:55)==========

clr h-ram
DRAM:  1 GiB
relocation Offset is: 2febc000
show partition table:
part: 0, name :       logo, size : 800000
part: 1, name : recovery_bak, size : 1000000
part: 2, name :   recovery, size : 1000000
part: 3, name :       boot, size : 1000000
part: 4, name :     system, size : 32000000
part: 5, name :       data, size : 8c000000
part: 6, name :      cache, size : 20800000
part: 7, name :    sec_gpt, size : end
aml_card_type=0x100
MMC:   out reg=c1108058,value=fffcf800
out reg=c1108058,value=fffcfa00
[mmc_register] add mmc dev_num=0, port=1, if_type=6
[mmc_register] add mmc dev_num=1, port=2, if_type=6
SDIO Port B: 0, SDIO Port C: 1
power init
out reg=c110804c,value=dfffffff
IR init done!
register usb cfg[0][1] = 3ff6fcf4
register usb cfg[2][0] = 3ff72a6c
NAND:  EMMC BOOT: not init nand
do not init nand : cause boot_device_flag without nand
get_boot_device_flag: init_ret -1
get_boot_device_flag EMMC BOOT:
init_part
Emmckey: Access range is illegal!
Emmckey: Access range is illegal!
Unknown partition type on device 'SDIO Port C'
Device 'SDIO Port C' wp size=8388608 port=2
[mmc_init] SDIO Port C:1, if_type=6, initialized OK!
mmc_device_init
mmc_get_partition_table
Start mmc_get_partition_table
Partition table get from SPL is :
        name                        offset              size              flag
===================================================================================
   0: pri_gpt                            0            800000                  0
   1: env                           800000            800000                  0
   2: reserved                     1000000           4000000                  0
   3: logo                         5000000            800000                  1
   4: recovery_bak                 5800000           1000000                  1
   5: recovery                     6800000           1000000                  1
   6: boot                         7800000           1000000                  1
   7: system                       8800000          32000000                  1
   8: data                        3a800000          8c000000                  4
   9: cache                       c6800000          20800000                  2
  10: sec_gpt                     eb800000            800000                  0
mmc read lba=0x8000, blocks=0x1
mmc read lba=0x8001, blocks=0x1
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
i=0,register --- emmc_key
MMC BOOT, emmc_env_relocate_spec : env_relocate_spec 59
set_storage_device_flag: store 2
[imgread]Secure kernel sz 0x5b36a0
Aml log : M8-R2048 IMG pass!
vpu clk_level in dts: 3
set vpu clk: 182150000Hz, readback: 182150000Hz(0x701)
Net:   Meson_Ethernet
init suspend firmware done. (ret:0)
cvbs trimming.1.v5: 0xa0, 0x0
upgrade_comigo_environment: expect 6 active 6
init_comigo_environment
type:flash,start to read mac...
device init start
aml_keys: version 0 can not be init 3ff72c68
current storer:emmc_key
flash init key ok!!
init flash success
all key names list are(ret=18):
uuid
serialno
mac
4:3:3:0:3:a:4:2:3:3:3:a:3:3:3:9:3:a:3:0:3:2:3:a:3:1:4:6:3:a:3:4:3:9:
mac is: 43:30:3a:42:33:3a:33:39:3a:30:32:3a:31:46:3a:34:39:
read ok!!
read mac success,mac=C0:B3:39:02:1F:49
androidboot.mac is exist in bootargs, mac=C0:B3:39:02:1F:49 androidboot.serialno=A0652602C5706198 androidboot.uuid=4a3842462f47694d364b6f544d3236596b34374e3977
BOARD VERSION=2
reboot_mode=charging
hdcp get form storage medium: auto
don't found keyname,uboot_key_read:1634
prefetch hdcp keys from auto failed
AKSV invalid
hdmi tx power init
mode = 6  vic = 4
set HDMI vic: 4
mode is: 6
viu chan = 1
config HPLL
config HPLL done
reconfig packet setting done
key save in emmc
key size=44
the key name is :
the key data is :4a3842462f47694d364b6f544d3236596b34374e3977
key size=32
the key name is :serialno
the key data is :41303635323630324335373036313938
A0652602C5706198
efuse version is not selected.
Hit ENTER key to stop autoboot:  1 tstc enter

exit abortboot: 1
COMIGO#

在此阶段，用原始的U-Boot无法执行任何操作，因此我决定检查mSD卡的启动。为此，我焊接了连接器，并将配置寄存器的一对触点与质量块相连，以便处理器从卡上加载系统。新的U-Boot来自实验板ODROID-C，该板基于同一处理器。

收集完所有这些之后，我插入了SD卡，打开了控制台，然后...我看到了：

SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;

这段文字一次又一次地重复。处理器根本不会加载我的U-Boot，这让我不高兴。

寻找原因

对我来说，很清楚，安全启动已在处理器中激活，并且在启动之前检查了代码的真实性。CHECK：FFFFBF00参数指示由于某种原因从mSD卡下载的代码不完全完全不适合处理器。为了进行比较，依次开始下载原始文件，如下所示：

QA5:A;SVN:B72;POC:17F;STS:0;BOOT:0;INIT:0;READ:0;CHECK:0;PASS:0;

处理器检查了什么？我希望在AMLogic的U-Boot课程中找到这个答案。简短搜索后，我发现U-Boot的SPL部分最终具有这样的结构

   typedef struct {
      unsigned int   nSizeH;         ///4@0
      struct st_secure{
         unsigned int   nORGFileLen;  ///4@4
         unsigned int   nSkippedLen;  ///4@8
         unsigned int   nHASHLength;  ///4@12
         unsigned int   nAESLength;   ///4@16
         unsigned char   szHashKey[32];//32@20
         unsigned char   szTmCreate[24];   //24@52
         unsigned char   szReserved[60];   //60@76
      }secure; //136@136
      unsigned char   szAES_Key_IMG[60];//60@136
      unsigned char   szTmCreate[48];   //48@196
      unsigned int   nSizeT;         ///4@244
      unsigned int   nVer;           ///4@248
      unsigned int   unAMLID;        ///4@252
   }st_aml_chk_blk; //256

一个小题外话。两阶段系统引导通常在嵌入式硬件上使用。那些。处理器ROM首先加载一小部分代码（所谓的SPL）并将控制权转移给它。继而，在主要设置之后，加载第二个（TPL），并将控制权转移给它。好了，在完成最终设置之后，TPL加载内核并启动它。

展望未来，我将说SPL本身包含32 KB，其末尾是st_aml_chk_blk结构，其解密形式如下所示：

因此，处理器使用此数据块来检查SPL。

寻找解决方案

为了使处理器加载我的U-Boot，我尝试了许多选择。但是所有这些都没有带来期望的结果-处理器顽固地发出了CHECK：FFFFBF00。我逐渐得出结论，保护工作已100％完成，没有漏洞。

再次尝试失败后，我离开了前缀，去了厨房（当然要喝茶），考虑连接JTAG，当我返回时，我正在等待以下结果：

SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:FFFFBF00;USB:3;SERIAL:4;STS:0;BOOT:1;INIT:0;READ:0;CHECK:0;PASS:1;
-----------------------------------------------------------------------
* Welcome to Hardkernel's ODROID-C... (Built at 19:33:00 Dec  8 2014) *
-----------------------------------------------------------------------
CPU : AMLogic S805
MEM : 1024MB (DDR3@792MHz)
BID : <Unknown>
S/N :
***** Warning!! *****************************************************
* This board have not been autorized or product keys are not valid. *
* Please contact with Hardkernel or your distributor                *
*********************************************************************

哦！一段时间（大约40秒）后，处理器返回CHECK：0； PASS：1； PASS：1。并加载了我的U靴。当然，它随后挂起，但是没关系，可以访问该系统。

分析

首先，我编写了一个程序，转储了处理器的ROM和保险丝（这是处理器中的一块内存，只能被闪存一次。这是AES，公共RSA密钥和某些处理器配置的存储位置）。这样获得了AES密钥后，我解密了原始U-Boot并分析了ROM。加载SPL的原理如下：ROM首先从熔丝读取配置并将其另存为变量。然后，他从闪存驱动器中将32 KB的内容加载到内存中，并查看配置显示出的签名和加密验证。在我们的案例中，ROM然后从熔丝中读取指数e和模块N，收集公钥（e，N），并用它解密st_aml_chk_blk，然后在没有st_aml_chk_blk的情况下从SPL中解析sha2，并与st_aml_chk_blk的密钥进行了比较。并且在出现差异时，他没有采取进一步的行动（不可能进行新的签名，因为不可能在保险丝中注册新的RSA公钥，当然，我们也没有发行人的私钥）。那么，是什么使处理器执行我的SPL？签名完全不匹配...
为了支持RSA，PolarSSL库包含在ROM中（很有可能）（检查过ROM后，发现与该库的资源相似）。但是，如果我的记忆正确，他就在硬件级别支持AES算法。 ROM使用其自身的机制（如malloc和memfree）控制空闲内存。在从PolarSSL库调用函数之前，ROM为其分配了一定的内存，但是在某些情况下并不总是释放它。例如，当RSA功能由于无法解密此尝试中在我的SPL中使用的无效块而失效时。发生了什么？ ROM分配了内存，试图解密我的假签名，忘记释放内存，并抛出错误CHECK：FFFFBF00，然后重复该循环。某一时刻，另一块新的存储器从熔丝中擦除了一个变量，一开始保存的ROM。在下一个循环中，该变量的值已经为0，这意味着：只需加载所有内容并运行它即可。
此外，原则上没有什么有趣的。我重做了原始的U-Boot，删除了TPL检查，bootm命令内核检查，并激活了Hush Interpreter，以便它可以响应命令。解密内核并在BusyBox上组装了最低限度后，我从重做的U-Boot启动了Linux，该Linux在40秒内开始加载。

带有终端的原始U靴

==================COMIGO BOOTLOADER==================
==========395456:S:Enc (Nov 03 2015 - 19:33:53)==========

clr h-ram
DRAM:  1 GiB
relocation Offset is: 2febc000
show partition table:
part: 0, name :       logo, size : 800000
part: 1, name : recovery_bak, size : 1000000
part: 2, name :   recovery, size : 1000000
part: 3, name :       boot, size : 1000000
part: 4, name :     system, size : 32000000
part: 5, name :       data, size : 8c000000
part: 6, name :      cache, size : 20800000
part: 7, name :    sec_gpt, size : end
aml_card_type=0x100
MMC:   out reg=c1108058,value=fffffdff
out reg=c1108058,value=ffffffff
[mmc_register] add mmc dev_num=0, port=1, if_type=6
[mmc_register] add mmc dev_num=1, port=2, if_type=6
SDIO Port B: 0, SDIO Port C: 1
power init
out reg=c110804c,value=dfffffff
IR init done!
register usb cfg[0][1] = 3ff6fd14
register usb cfg[2][0] = 3ff72a8c
NAND:  CARD BOOT: not init nand
do not init nand : cause boot_device_flag without nand
get_boot_device_flag: init_ret -1
get_boot_device_flag CARD BOOT:
BOOT FROM CARD? env_relocate_spec
SF: Unsupported manufacturer 00
Failed to initialize SPI flash at 0:2
Unknown command 'nand' - try 'help'
init_part
Emmckey: Access range is illegal!
Emmckey: Access range is illegal!
Unknown partition type on device 'SDIO Port C'
Device 'SDIO Port C' wp size=8388608 port=2
[mmc_init] SDIO Port C:1, if_type=6, initialized OK!
mmc_device_init
mmc_get_partition_table
Start mmc_get_partition_table
Partition table get from SPL is :
        name                        offset              size              flag
===================================================================================
   0: pri_gpt                            0            800000                  0
   1: env                           800000            800000                  0
   2: reserved                     1000000           4000000                  0
   3: logo                         5000000            800000                  1
   4: recovery_bak                 5800000           1000000                  1
   5: recovery                     6800000           1000000                  1
   6: boot                         7800000           1000000                  1
   7: system                       8800000          32000000                  1
   8: data                        3a800000          8c000000                  4
   9: cache                       c6800000          20800000                  2
  10: sec_gpt                     eb800000            800000                  0
mmc read lba=0x8000, blocks=0x1
mmc read lba=0x8001, blocks=0x1
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
i=0,register --- emmc_key
Device: SDIO Port C
Manufacturer ID: 0
OEM: 0
Name: ETran Speed: 25000000
Rd Block Len: 512
MMC version 4.0
High Capacity: Yes
Capacity: 3959422976
Boot Part Size: 2097152
Bus Width: 4-bit
MMC BOOT, emmc_env_relocate_spec env_relocate_spec 77
set_storage_device_flag: store 3
Err imgread(L129):Fmt unsupported!genFmt 0x0 != 0x3
check dts: FDT_ERR_BADMAGIC, load default vpu parameters
vpu clk_level = 3
set vpu clk: 182150000Hz, readback: 182150000Hz(0x701)
Net:   Meson_Ethernet
msg:====>upgrade_step=0<=====
init_part
[mmc_init] SDIO Port B:0, if_type=7, initialized OK!
Device: SDIO Port B
Manufacturer ID: 0
OEM: 0
Name: Tran Speed: 20000000
Rd Block Len: 512
SD version 2.0
High Capacity: Yes
Capacity: 15523119104
Boot Part Size: 0
Bus Width: 4-bit

** Unable to use mmc 0:1 for fatload **
init suspend firmware done. (ret:0)
cvbs trimming.1.v5: 0xa0, 0x0
upgrade_comigo_environment: expect 9 active 9
init_comigo_environment
type:flash,start to read mac...
device init start
aml_keys: version 0 can not be init 3ff72c88
current storer:emmc_key
flash init key ok!!
init flash success
all key names list are(ret=18):
uuid
serialno
mac
4:3:3:0:3:a:4:2:3:3:3:a:3:3:3:9:3:a:3:0:3:1:3:a:3:3:3:5:3:a:3:0:3:5:
mac is: 43:30:3a:42:33:3a:33:39:3a:30:31:3a:33:35:3a:30:35:
read ok!!
read mac success,mac=C0:B3:39:01:35:05
androidboot.mac is exist in bootargs, mac=C0:B3:39:01:35:05 androidboot.serialno=A0651002B9205401 androidboot.uuid=48304142556a6c66367a5450774c6d6671692f737241
BOARD VERSION=2
reboot_mode=charging
hdcp get form storage medium: auto
don't found keyname,uboot_key_read:1634
prefetch hdcp keys from auto failed
hdmi tx power init
mode = 6  vic = 4
set HDMI vic: 4
mode is: 6
viu chan = 1
config HPLL
config HPLL done
reconfig packet setting done
Err imgread(L526):head magic error
There is no valid bmp file at the given address
key save in emmc
don't found keyname,uboot_key_read:1634
read error!!
Saving Environment to eMMC...
BOOT FROM CARD?
SF: Unsupported manufacturer 00
Failed to initialize SPI flash at 0:2
Unknown command 'nand' - try 'help'
Device: SDIO Port C
Manufacturer ID: 0
OEM: 0
Name: ETran Speed: 25000000
Rd Block Len: 512
MMC version 4.0
High Capacity: Yes
Capacity: 3959422976
Boot Part Size: 2097152
Bus Width: 4-bit
MMC BOOT, emmc_saveenv saveenv 119
mmc save env ok
key size=44
the key name is :
the key data is :48304142556a6c66367a5450774c6d6671692f737241
key size=32
the key name is :serialno
the key data is :41303635313030324239323035343031
A0651002B9205401
efuse version is not selected.
Hit ENTER key to stop autoboot:  1 tstc enter

WELCOME>
WELCOME>version

395456:S:Enc (Nov 03 2015 - 19:33:53)
arm-none-eabi-gcc (Sourcery G++ Lite 2010q1-188) 4.4.1
GNU ld (Sourcery G++ Lite 2010q1-188) 2.19.51.20090709
WELCOME>

使用新的TPL的ODROID内核启动

U-boot-00000-ge6d5633(odroidc@e6d5633f) (Feb 12 2016 - 19:16:57)

I2C:   clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[20]=0
set output val 0xc1108058[20]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffffffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffdfffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
out reg=c1108058,value=ffcfffff
set output en 0xc1108054[20]=0
set output val 0xc1108058[20]=0
clear pinmux reg1[24]=0
clear pinmux reg1[1]=0
out reg=c1108058,value=ffefffff
set output en 0xc1108054[21]=0
set output val 0xc1108058[21]=0
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
clear pinmux reg1[25]=0
clear pinmux reg8[12]=0
clear pinmux reg1[3]=0
clear pinmux reg1[2]=0
set output en 0xc1108054[20]=1
ready
DRAM:  1 GiB
relocation Offset is: 2ff18000
MMC:   SDCARD: 0, eMMC: 1
IR init is done!
*** Warning - bad CRC, using default environment

mmc save env ok
vpu clk_level = 3
set vpu clk: 182150000Hz, readback: 182150000Hz(0x701)
mode = 6  vic = 4
set HDMI vic: 4
mode is: 6
viu chan = 1
config HPLL
config HPLL done
reconfig packet setting done
MMC read: dev # 0, block # 33984, count 12288 ... 12288 blocks read: OK
============================================================
Vendor: Man 035054 Snr da23a8bd Rev: 3.0 Prod: SL16G
            Type: Removable Hard Disk
            Capacity: 14804.0 MB = 14.4 GB (30318592 x 512)
------------------------------------------------------------
Partition     Start Sector     Num Sectors     Type
    1                16065         1007936       2
============================================================
MMC read: dev # 0, block # 17600, count 16384 ... 16384 blocks read: OK
## ANDROID Format IMAGE
## Booting kernel from Legacy Image at 12000000 ...
   Image Name:   Linux-3.10.33
   Image Type:   ARM Linux Kernel Image (lzo compressed)
   Data Size:    5012513 Bytes = 4.8 MiB
   Load Address: 00208000
   Entry Point:  00208000
   Verifying Checksum ... OK
    Ramdisk start addr = 0x124c8800, len = 0x14b29a
    Flat device tree start addr = 0x12614000, len = 0x45e1 magic=0xedfe0dd0
   Uncompressing Kernel Image ... OK
uboot time: 56206396 us.
Using machid 0xf81 from environment
From device tree /memory/ node aml_reserved_end property, for relocate ramdisk and fdt, relocate_addr: 0x5154001
   Loading Ramdisk to 05008000, end 0515329a ... OK
   Loading Device Tree to 05000000, end 050075e0 ... OK

Starting kernel ...

[    0.000000@0] Booting Linux on physical CPU 0x200
[    0.000000@0] Linux version 3.10.33-00262-g02f0572 (jenkins@build) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #1 SMP PREEMPT Mon Feb 22 12:44:47 KST 2016
[    0.000000@0] CPU: ARMv7 Processor [410fc051] revision 1 (ARMv7), cr=10c5387d
[    0.000000@0] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000@0] Machine: ODROIDC, model: AMLOGIC
[    0.000000@0] physical memory start address is 0x200000
[    0.000000@0] reserved_end is e3fffff
[    0.000000@0]
[    0.000000@0] Total memory is 1022 MiB
[    0.000000@0] Reserved low memory from 0x06000000 to 0x0e3fffff, size: 132 MiB
[    0.000000@0]        mesonfb0(low)           : 0x06100000 - 0x07900000 ( 24 MiB)
[    0.000000@0]        mesonfb1(low)           : 0x07900000 - 0x07a00000 (  1 MiB)
[    0.000000@0]        deinterlace0(high)      : 0x3df00000 - 0x40000000 ( 33 MiB)
[    0.000000@0]        mesonstream0(low)       : 0x07a00000 - 0x09a00000 ( 32 MiB)
[    0.000000@0]        vdec0(low)      : 0x09a00000 - 0x0da00000 ( 64 MiB)
[    0.000000@0]        ppmgr0(high)    : 0x3bf00000 - 0x3df00000 ( 32 MiB)
[    0.000000@0]        amvideocap0(low)        : 0x0da00000 - 0x0e400000 ( 10 MiB)
[    0.000000@0] cma: CMA: reserved 8 MiB at 2f000000
[    0.000000@0] cma: Found region@0, memory base 0, size 42 MiB
[    0.000000@0] cma: CMA: reserved 44 MiB at 2c400000
[    0.000000@0] Memory policy: ECC disabled, Data cache writealloc
[    0.000000@0] Meson chip version = RevA (1B:A - 0:B72)
[    0.000000@0] PERCPU: Embedded 8 pages/cpu @c1318000 s8832 r8192 d15744 u32768
[    0.000000@0] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 206096
[    0.000000@0] Kernel command line: root=/dev/mmcblk0p2 rw console=ttyS0,115200n8 no_console_suspend
[    0.000000@0] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000@0] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000@0] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000@0] Memory: 64MB 16MB 731MB = 811MB total
[    0.000000@0] Memory: 755256k/755256k available, 75208k reserved, 201728K highmem
[    0.000000@0] Virtual kernel memory layout:
[    0.000000@0]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000@0]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000@0]     vmalloc : 0xf0000000 - 0xff000000   ( 240 MB)
[    0.000000@0]     lowmem  : 0xc0000000 - 0xef800000   ( 760 MB)
[    0.000000@0]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000@0]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000@0]       .text : 0xc0008000 - 0xc0864328   (8561 kB)
[    0.000000@0]       .init : 0xc0865000 - 0xc089b280   ( 217 kB)
[    0.000000@0]       .data : 0xc089c000 - 0xc08fba60   ( 383 kB)
[    0.000000@0]        .bss : 0xc08fba60 - 0xc0b8b0c4   (2622 kB)
[    0.000000@0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000@0] Preemptible hierarchical RCU implementation.

我几乎可以确定，在整个S805-B系列以及以后的版本中都会发现此ROM错误。

对于那些想尝试的人，这里是emmc的原始转储。

S805-B处理器软件保护（安全启动）

简短评论

训练

寻找原因

寻找解决方案

分析

More articles: