K5 How idme tool works

[eureka]

For a long time, it was speculated that writing zeroes into some /dev/mmcblk0 areas can erase idme variables, because these areas are somewhat specially handled (maybe, write-only) and directly mapped to storage area of these variables. I think, it's not quite right.

At first, some trivial fact: idme tool (i.e. /usr/sbin/idme) initially reads current idme varables' values from various /proc files, which are created by kernel from values passed by U-Boot in memory. Here is a list of these files:

Code:

[root@kindle root]# grep /proc\/ /usr/sbin/idme
/proc/usid
/proc/mac_addr
/proc/mac_sec
/proc/board_id
/proc/bootmode
/proc/postmode

Second trivial fact: idme provides a way to change idme variables' values through writing these values to /dev/mmcblk0.

But real values aren't changed immediately after writing to /dev/mmcblk0. They are changed only on (re)boot by U-Boot. Check function idme_check_update in U-Boot sources (located at file common/cmd_idme.c). This function peeks at fixed offset of /dev/mmcblk0, checks for presence of predefined magic byte sequence (represented by characters "abcdefghhgfedcba") and then (only after acknowlegement of presence of magic sequence!) copies idme variables block from /dev/mmcblk0 to separate boot partition (where U-Boot is stored by itself) and rewrite idme variables block at /dev/mmcblk0 with zeroes.

eMMC offset and size of variables block are defined at include/configs/imx50_yoshi.h:

Code:

#define CONFIG_MMC_USERDATA_ADDR	0x3F000
#define CONFIG_MMC_USERDATA_SIZE	(5*1024)

Code:

#define CONFIG_IDME_UPDATE 1
#define CONFIG_IDME_UPDATE_ADDR 0x3f000
#define CONFIG_IDME_UPDATE_MAGIC "abcdefghhgfedcba"

Let's look at data at that offset right after reboot:

Code:

[root@kindle root]# hexdump -C -s 0x3f000 -n 5120 /dev/mmcblk0
0003f000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00040400

All zeros.

Let's set idme variable value and then read data at that offset again (I've changed suffixes of private data values with X):

Code:

[root@kindle root]# idme -d --bootmode main
Devmode enabled
Reading vars from temp storage...
...None found, Copying vars from /proc
Setting bootmode to main
Writing new vars to temp area
You must reboot before new values will take effect
[root@kindle root]# hexdump -C -s 0x3f000 -n 5120 /dev/mmcblk0
0003f000  42 30 30 46 XX XX XX XX  XX XX XX XX XX XX XX XX  |B00FXXXXXXXXXXXX|
0003f010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0003f030  46 30 XX XX XX XX XX XX  XX XX XX XX 00 00 00 00  |F0XXXXXXXXXX....|
0003f040  45 53 XX XX XX XX XX XX  XX XX XX XX XX XX XX XX  |ESXXXXXXXXXXXXXX|
0003f050  XX XX XX XX 00 00 00 00  00 00 00 00 00 00 00 00  |XXXX............|
0003f060  30 30 35 XX XX XX XX XX  XX XX XX XX XX XX XX XX  |005XXXXXXXXXXXXX|
0003f070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0003f1f0  61 62 63 64 65 66 67 68  68 67 66 65 64 63 62 61  |abcdefghhgfedcba|
0003f200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00040000  6d 61 69 6e 00 00 00 00  00 00 00 00 00 00 00 00  |main............|
00040010  6e 6f 72 6d 61 6c 00 00  00 00 00 00 00 00 00 00  |normal..........|
00040020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00040400

It looks like area, where idme tool write values, isn't write-only.

[geekmaster]

You should X out the hex values too. Your idme vars are still exposed in the hex dump, and can be converted from hex to ASCII easily.

Great information. Thanks.