search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #1335 from rad1game/patch-1
[RRG-proxmark3.git] / bootrom / bootrom.c
blob0cf135fa0ceffa173ef607662dc76c110fc5c24d
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Main code for the bootloader
7 //-----------------------------------------------------------------------------
8
9 #include "clocks.h"
10 #include "usb_cdc.h"
11
12 #include "proxmark3_arm.h"
13 #define DEBUG 0
14
15 struct common_area common_area __attribute__((section(".commonarea")));
16 uint32_t start_addr, end_addr;
17 bool bootrom_unlocked;
18 extern uint32_t _bootrom_start[], _bootrom_end[], _flash_start[], _flash_end[], _osimage_entry[];
19
20 static int reply_old(uint64_t cmd, uint64_t arg0, uint64_t arg1, uint64_t arg2, void *data, size_t len) {
21 PacketResponseOLD txcmd;
22
23 for (size_t i = 0; i < sizeof(PacketResponseOLD); i++)
24 ((uint8_t *)&txcmd)[i] = 0x00;
25
26 // Compose the outgoing command frame
27 txcmd.cmd = cmd;
28 txcmd.arg[0] = arg0;
29 txcmd.arg[1] = arg1;
30 txcmd.arg[2] = arg2;
31
32 // Add the (optional) content to the frame, with a maximum size of PM3_CMD_DATA_SIZE
33 if (data && len) {
34 len = MIN(len, PM3_CMD_DATA_SIZE);
35 for (size_t i = 0; i < len; i++) {
36 txcmd.d.asBytes[i] = ((uint8_t *)data)[i];
37 }
38 }
39
40 // Send frame and make sure all bytes are transmitted
41 return usb_write((uint8_t *)&txcmd, sizeof(PacketResponseOLD));
42 }
43
44 #if DEBUG
45 static void DbpString(char *str) {
46 uint8_t len = 0;
47 while (str[len] != 0x00)
48 len++;
49
50 reply_old(CMD_DEBUG_PRINT_STRING, len, 0, 0, (uint8_t *)str, len);
51 }
52 #endif
53
54 static void ConfigClocks(void) {
55 // we are using a 16 MHz crystal as the basis for everything
56 // slow clock runs at 32kHz typical regardless of crystal
57
58 // enable system clock and USB clock
59 AT91C_BASE_PMC->PMC_SCER |= AT91C_PMC_PCK | AT91C_PMC_UDP;
60
61 // enable the clock to the following peripherals
62 AT91C_BASE_PMC->PMC_PCER =
63 (1 << AT91C_ID_PIOA) |
64 (1 << AT91C_ID_ADC) |
65 (1 << AT91C_ID_SPI) |
66 (1 << AT91C_ID_SSC) |
67 (1 << AT91C_ID_PWMC) |
68 (1 << AT91C_ID_UDP);
69
70 mck_from_slck_to_pll();
71 }
72
73 static void Fatal(void) {
74 for (;;) {};
75 }
76
77 static void UsbPacketReceived(uint8_t *packet) {
78 bool ack = true;
79 PacketCommandOLD *c = (PacketCommandOLD *)packet;
80
81 //if ( len != sizeof(PacketCommandOLD`)) Fatal();
82
83 uint32_t arg0 = (uint32_t)c->arg[0];
84
85 switch (c->cmd) {
86 case CMD_DEVICE_INFO: {
87 ack = false;
88 arg0 = DEVICE_INFO_FLAG_BOOTROM_PRESENT |
89 DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM |
90 DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH |
91 DEVICE_INFO_FLAG_UNDERSTANDS_CHIP_INFO |
92 DEVICE_INFO_FLAG_UNDERSTANDS_VERSION;
93 if (common_area.flags.osimage_present)
94 arg0 |= DEVICE_INFO_FLAG_OSIMAGE_PRESENT;
95
96 reply_old(CMD_DEVICE_INFO, arg0, 1, 2, 0, 0);
97 }
98 break;
99
100 case CMD_CHIP_INFO: {
101 ack = false;
102 arg0 = *(AT91C_DBGU_CIDR);
103 reply_old(CMD_CHIP_INFO, arg0, 0, 0, 0, 0);
104 }
105 break;
106
107 case CMD_BL_VERSION: {
108 ack = false;
109 arg0 = BL_VERSION_1_0_0;
110 reply_old(CMD_BL_VERSION, arg0, 0, 0, 0, 0);
111 }
112 break;
113
114 case CMD_FINISH_WRITE: {
115 for (int j = 0; j < 2; j++) {
116 uint32_t flash_address = arg0 + (0x100 * j);
117 AT91PS_EFC efc_bank = AT91C_BASE_EFC0;
118 int offset = 0;
119 uint32_t page_n = (flash_address - (uint32_t)_flash_start) / AT91C_IFLASH_PAGE_SIZE;
120 if (page_n >= AT91C_IFLASH_NB_OF_PAGES / 2) {
121 page_n -= AT91C_IFLASH_NB_OF_PAGES / 2;
122 efc_bank = AT91C_BASE_EFC1;
123 // We need to offset the writes or it will not fill the correct bank write buffer.
124 offset = (AT91C_IFLASH_NB_OF_PAGES / 2) * AT91C_IFLASH_PAGE_SIZE / sizeof(uint32_t);
125 }
126 for (int i = 0 + (64 * j); i < 64 + (64 * j); i++) {
127 _flash_start[offset + i] = c->d.asDwords[i];
128 }
129
130 /* Check that the address that we are supposed to write to is within our allowed region */
131 if (((flash_address + AT91C_IFLASH_PAGE_SIZE - 1) >= end_addr) || (flash_address < start_addr)) {
132 /* Disallow write */
133 ack = false;
134 reply_old(CMD_NACK, 0, 0, 0, 0, 0);
135 } else {
136
137 efc_bank->EFC_FCR = MC_FLASH_COMMAND_KEY |
138 MC_FLASH_COMMAND_PAGEN(page_n) |
139 AT91C_MC_FCMD_START_PROG;
140 }
141
142 // Wait until flashing of page finishes
143 uint32_t sr;
144 while (!((sr = efc_bank->EFC_FSR) & AT91C_MC_FRDY));
145 if (sr & (AT91C_MC_LOCKE | AT91C_MC_PROGE)) {
146 ack = false;
147 reply_old(CMD_NACK, sr, 0, 0, 0, 0);
148 }
149 }
150 }
151 break;
152
153 case CMD_HARDWARE_RESET: {
154 usb_disable();
155 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
156 }
157 break;
158
159 case CMD_START_FLASH: {
160 if (c->arg[2] == START_FLASH_MAGIC)
161 bootrom_unlocked = true;
162 else
163 bootrom_unlocked = false;
164
165 uint32_t cmd_start = c->arg[0];
166 uint32_t cmd_end = c->arg[1];
167
168 /* Only allow command if the bootrom is unlocked, or the parameters are outside of the protected
169 * bootrom area. In any case they must be within the flash area.
170 */
171 if ((bootrom_unlocked || ((cmd_start >= (uint32_t)_bootrom_end) || (cmd_end < (uint32_t)_bootrom_start))) &&
172 (cmd_start >= (uint32_t)_flash_start) &&
173 (cmd_end <= (uint32_t)_flash_end)) {
174 start_addr = cmd_start;
175 end_addr = cmd_end;
176 } else {
177 start_addr = end_addr = 0;
178 ack = false;
179 reply_old(CMD_NACK, 0, 0, 0, 0, 0);
180 }
181 }
182 break;
183
184 default: {
185 Fatal();
186 }
187 break;
188 }
189
190 if (ack)
191 reply_old(CMD_ACK, arg0, 0, 0, 0, 0);
192 }
193
194 static void flash_mode(void) {
195 start_addr = 0;
196 end_addr = 0;
197 bootrom_unlocked = false;
198 uint8_t rx[sizeof(PacketCommandOLD)];
199 common_area.command = COMMON_AREA_COMMAND_NONE;
200 if (!common_area.flags.button_pressed && BUTTON_PRESS())
201 common_area.flags.button_pressed = 1;
202
203 usb_enable();
204
205 // wait for reset to be complete?
206 for (volatile size_t i = 0; i < 0x100000; i++) {};
207
208 for (;;) {
209 WDT_HIT();
210
211 // Check if there is a usb packet available
212 if (usb_poll_validate_length()) {
213 if (usb_read(rx, sizeof(rx))) {
214 UsbPacketReceived(rx);
215 }
216 }
217
218 if (common_area.flags.button_pressed && !BUTTON_PRESS()) {
219 common_area.flags.button_pressed = 0;
220 }
221 if (!common_area.flags.button_pressed && BUTTON_PRESS()) {
222 /* Perform a reset to leave flash mode */
223 common_area.flags.button_pressed = 1;
224 usb_disable();
225 LED_B_ON();
226 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
227 for (;;) {};
228 }
229 }
230 }
231
232 void BootROM(void);
233 void BootROM(void) {
234 //------------
235 // First set up all the I/O pins; GPIOs configured directly, other ones
236 // just need to be assigned to the appropriate peripheral.
237
238 // Kill all the pullups, especially the one on USB D+; leave them for
239 // the unused pins, though.
240 AT91C_BASE_PIOA->PIO_PPUDR =
241 GPIO_USB_PU |
242 GPIO_LED_A |
243 GPIO_LED_B |
244 GPIO_LED_C |
245 GPIO_LED_D |
246 GPIO_FPGA_DIN |
247 GPIO_FPGA_DOUT |
248 GPIO_FPGA_CCLK |
249 GPIO_FPGA_NINIT |
250 GPIO_FPGA_NPROGRAM |
251 GPIO_FPGA_DONE |
252 GPIO_MUXSEL_HIPKD |
253 GPIO_MUXSEL_HIRAW |
254 GPIO_MUXSEL_LOPKD |
255 GPIO_MUXSEL_LORAW |
256 GPIO_RELAY |
257 GPIO_NVDD_ON;
258 // (and add GPIO_FPGA_ON)
259 // These pins are outputs
260 AT91C_BASE_PIOA->PIO_OER =
261 GPIO_LED_A |
262 GPIO_LED_B |
263 GPIO_LED_C |
264 GPIO_LED_D |
265 GPIO_RELAY |
266 GPIO_NVDD_ON;
267 // PIO controls the following pins
268 AT91C_BASE_PIOA->PIO_PER =
269 GPIO_USB_PU |
270 GPIO_LED_A |
271 GPIO_LED_B |
272 GPIO_LED_C |
273 GPIO_LED_D;
274
275 // USB_D_PLUS_PULLUP_OFF();
276 usb_disable();
277 LED_D_OFF();
278 LED_C_ON();
279 LED_B_OFF();
280 LED_A_OFF();
281
282 // Set the first 256kb memory flashspeed
283 AT91C_BASE_EFC0->EFC_FMR = AT91C_MC_FWS_1FWS | MC_FLASH_MODE_MASTER_CLK_IN_MHZ(48);
284
285 // 9 = 256, 10+ is 512kb
286 uint8_t id = (*(AT91C_DBGU_CIDR) & 0xF00) >> 8;
287 if (id > 9)
288 AT91C_BASE_EFC1->EFC_FMR = AT91C_MC_FWS_1FWS | MC_FLASH_MODE_MASTER_CLK_IN_MHZ(48);
289
290 // Initialize all system clocks
291 ConfigClocks();
292
293 LED_A_ON();
294
295 int common_area_present = 0;
296 switch (AT91C_BASE_RSTC->RSTC_RSR & AT91C_RSTC_RSTTYP) {
297 case AT91C_RSTC_RSTTYP_WATCHDOG:
298 case AT91C_RSTC_RSTTYP_SOFTWARE:
299 case AT91C_RSTC_RSTTYP_USER:
300 /* In these cases the common_area in RAM should be ok, retain it if it's there */
301 if (common_area.magic == COMMON_AREA_MAGIC && common_area.version == 1)
302 common_area_present = 1;
303 break;
304 default: /* Otherwise, initialize it from scratch */
305 break;
306 }
307
308 if (!common_area_present) {
309 /* Common area not ok, initialize it */
310 size_t i;
311 /* Makeshift memset, no need to drag util.c into this */
312 for (i = 0; i < sizeof(common_area); i++)
313 ((char *)&common_area)[i] = 0;
314
315 common_area.magic = COMMON_AREA_MAGIC;
316 common_area.version = 1;
317 }
318 common_area.flags.bootrom_present = 1;
319
320 if ((common_area.command == COMMON_AREA_COMMAND_ENTER_FLASH_MODE) ||
321 (!common_area.flags.button_pressed && BUTTON_PRESS()) ||
322 (*_osimage_entry == 0xffffffffU)) {
323 flash_mode();
324 } else {
325 // clear button status, even if button still pressed
326 common_area.flags.button_pressed = 0;
327 // jump to Flash address of the osimage entry point (LSBit set for thumb mode)
328 __asm("bx %0\n" : : "r"(((uint32_t)_osimage_entry) | 0x1));
329 }
330 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware