People have asked me:
"How do you even get started when faced with a blob of bits?"
Answer #1: You do a lot of guessing, and hope to get lucky.
Answer #2: Very similar to answer #1, only you get a jump start by: RTFM.
First known point: The SoC is a **machine**; until it gets hold of some external program code, it operates in a known, fixed manner.
Second known point: Which machine? npoland provided that information among his first posts.
The Freescale i.MX6 series of application processors.
Third known point: Freescale wants their product used (or at least purchased) by people building things electronic.
So they publish documentation on the device.
(Links provided earlier in this thread.)
At the end of its internal start-up procedure, the SoC expects to load an image of executable code.
Not just any image, but one that fits a specific layout/format model.
A pictorial quote from one of the Freescale manuals:
The three Freescale SoC-specific fields also have a defined layout.
The IVT:
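Code:
    #include <stdint.h>

    /* boot_data_t is defined in the next listing */
    typedef struct
    {
        uint32_t header;        /* tag, length, version */
        uint32_t *entry;        /* absolute address of the first instruction to execute */
        uint32_t reserved1;
        uint32_t *dcd;          /* absolute address of the DCD, NULL if none */
        boot_data_t *boot_data; /* absolute address of the boot data */
        uint32_t *self;         /* absolute address of this IVT */
        uint32_t *csf;          /* absolute address of the CSF, NULL if not secure boot */
        uint32_t reserved2;
    } image_vector_table_t;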
The manual provides details of what is placed in those fields and how they are used.
But you can see how the names match those pointers in the picture entering from the right side.
The Boot Data type is also defined:
Code:
    typedef struct
    {
        uint32_t *start;      /* absolute address of the image */
        uint32_t length;      /* size of the program image */
        uint32_t plugin_flag; /* plugin flag */
    } boot_data_t;
Details of which are also provided in the manual.
The DCD (Device Configuration Data) is just a simple list of register addresses and register contents used to further configure the SoC hardware.
Then it is just a matter of finding that set of structures in the binary blob.
Aided in this case by knowing that the 'machine' at this point is a very simple one and that the 'image data' will be some flavor of U-Boot.
Now, loop back to Answer #1, continue.
Note 1: The same structure above is also used by the i.MX50 series of processors; we have done that one several times before.
Note 2: The CSF pointer points to the certificate and signing data in the secure-boot format. That block is appended after the "image data" block shown above.
Note 3: If this structure was built using the Freescale tools, or just by following Freescale's directions (to use: objcopy), the padding is bytes of 0xFF (i.e., erased flash).
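
The search described in this post, as an added example that is not part of the original post and not Freescale code: it scans a blob for words that look like an IVT header and keeps only those whose `self`, `boot_data`, `entry` and `dcd` pointers agree with each other. Assumptions: the i.MX6 header encoding (tag 0xD1, big-endian length 0x0020, version 0x40 or 0x41), zero reserved words, and a constructed sample blob with made-up addresses.

```python
import struct

IVT = struct.Struct("<8I")    # image_vector_table_t: eight little-endian words
BOOT = struct.Struct("<3I")   # boot_data_t: start, length, plugin_flag

def find_ivts(blob, step=4):
    """Yield a dict for each offset whose IVT fields are mutually consistent."""
    for off in range(0, len(blob) - IVT.size + 1, step):
        # Header bytes (assumed i.MX6 encoding): tag, big-endian length, version.
        tag, length, version = struct.unpack_from(">BHB", blob, off)
        if tag != 0xD1 or length != IVT.size or version not in (0x40, 0x41):
            continue
        _, entry, res1, dcd, boot_data, self_ptr, csf, res2 = IVT.unpack_from(blob, off)
        if res1 or res2:
            continue                      # reserved words assumed to be zero
        base = self_ptr - off             # load address of blob byte 0, via 'self'
        bd_off = boot_data - base         # absolute pointer -> offset in the blob
        if base < 0 or not 0 <= bd_off <= len(blob) - BOOT.size:
            continue
        start, img_len, plugin = BOOT.unpack_from(blob, bd_off)
        end = start + img_len
        # The IVT, the entry point and (if present) the DCD must lie in the image.
        if not (start <= self_ptr < end and start <= entry < end):
            continue
        if dcd and not start <= dcd < end:
            continue
        yield {"offset": off, "load_base": base, "entry": entry, "dcd": dcd,
               "csf": csf, "image_start": start, "image_len": img_len,
               "plugin": bool(plugin)}

def constructed_sample():
    """Constructed blob: 0xFF padding, one valid IVT at 0x400, one decoy header."""
    self_ptr = 0x877FF400                 # made-up load address of the IVT
    ivt = struct.pack(">BHB", 0xD1, 0x20, 0x40) + struct.pack(
        "<7I", 0x87800000, 0, self_ptr + 0x2C, self_ptr + 0x20, self_ptr, 0, 0)
    boot = BOOT.pack(0x877FF000, 0x2000, 0)
    blob = bytearray(b"\xff" * 0x1000)    # erased-flash padding, as in Note 3
    blob[0x400:0x400 + len(ivt + boot)] = ivt + boot
    blob[0x800:0x804] = bytes.fromhex("d1002040")   # decoy: header bytes only
    return bytes(blob)

if __name__ == "__main__":
    for hit in find_ivts(constructed_sample()):
        print({k: hex(v) if type(v) is int else v for k, v in hit.items()})
```

The decoy at 0x800 carries the right header bytes but is rejected because the words that follow it do not form consistent pointers, which is why the cross-checks matter more than the header match.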