docs update and boot flow update
parent
a7a5bdeb7e
commit
72a50cd648
@ -291,4 +291,19 @@ If jumping into the boot BL33 function twice, the LDFW returns -. at the second
|
|||||||
[ERROR] Fail to load Secure payload
|
[ERROR] Fail to load Secure payload
|
||||||
=> Return value : -.
|
=> Return value : -.
|
||||||
|
|
||||||
|
When continuing the boot flow by jumping into cf0052f8 after recovery boot
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
U-Boot 2012.07-gc7c41ec14-dirty (Oct 23 2019 - 12:53:04) for SADK8890
|
||||||
|
|
||||||
|
CPU: Exynos8890 Rev2.0 [Samsung SOC on SMP Platform Base on ARM CortexA53]
|
||||||
|
MNGS_PLL = 1975MHz APOLLO_PLL = 1481MHz MIF_PLL = 1539MHz
|
||||||
|
BUS0_PLL = 1056MHz BUS1_PLL = 800MHz BUS2_PLL = 672MHz BUS3_PLL = 1872MHz
|
||||||
|
MFC_PLL = 71MHz AUD_PLL = 494MHz G3D_PLL = 650MHz DISP_PLL = 63MHz
|
||||||
|
|
||||||
|
Board: SADK8890
|
||||||
|
DRAM: 6 GiB
|
||||||
|
ECT: PARA006o
|
||||||
|
|
||||||
|
I dumped the contents of 0xcf4dfb28 to 60, which is a boot path information setter. Something in BL33 is setting this, because it is still empty (0xFF) after booting into BL2 and waiting for BL33.
|
||||||
|
@ -793,6 +793,10 @@ class ExynosDevice():
|
|||||||
#if args.MIB3:
|
#if args.MIB3:
|
||||||
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
|
|
||||||
|
if args.MIB3:
|
||||||
|
self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
|
||||||
|
self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
|
||||||
|
|
||||||
self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
|
self.cd.restore_stack_and_jump(hijacked_fun) # Jumps to function that waits for next boot stage
|
||||||
|
|
||||||
# ==== Stage 4 BL2 ====
|
# ==== Stage 4 BL2 ====
|
||||||
@ -844,6 +848,10 @@ class ExynosDevice():
|
|||||||
# Modifying return values to continue boot flow
|
# Modifying return values to continue boot flow
|
||||||
#self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")
|
#self.cd.memwrite_region(0xcf05dea8, b"\xa0\x1f\x42\xf8")
|
||||||
|
|
||||||
|
# Print boot info from cf4dfb28
|
||||||
|
print(self.cd.memdump_region(0xcf4dfb28, 0x32))
|
||||||
|
|
||||||
|
# Start boot from BL33
|
||||||
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
self.cd.restore_stack_and_jump(BL33_AUTH)
|
self.cd.restore_stack_and_jump(BL33_AUTH)
|
||||||
|
|
||||||
@ -852,7 +860,17 @@ class ExynosDevice():
|
|||||||
|
|
||||||
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
|
||||||
|
|
||||||
self.write_uart(DEBUGGER_ADDR, 0xcf4dfb28)th
|
self.cd.arch_dbg.state.X0 = 0x0
|
||||||
|
self.cd.restore_stack_and_jump(0xcf05dd00)
|
||||||
|
self.connect_device()
|
||||||
|
self.usb_read(0x200)
|
||||||
|
|
||||||
|
# Print something over uart
|
||||||
|
self.write_uart(DEBUGGER_ADDR, 0xcf4dfb58)
|
||||||
|
|
||||||
|
# Try to continue the bootflow
|
||||||
|
self.cd.restore_stack_and_jump(0xcf0052f8)
|
||||||
|
|
||||||
|
|
||||||
# NOT WORKING
|
# NOT WORKING
|
||||||
self.read_ufs(DEBUGGER_ADDR)
|
self.read_ufs(DEBUGGER_ADDR)
|
||||||
|
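Review bot: The two `memwrite_region` calls under `if args.MIB3:` in the first hunk write `b"\x1f\x50\x00\x71"` to 0x020553e4 and 0x020553f8 with no comment saying what the four bytes encode or what they replace, and the later hunks add more bare literals (0xcf4dfb28, 0xcf05dd00, 0xcf0052f8) beside named ones such as `BL33_AUTH` and `DEBUGGER_ADDR`. These offsets are presumably valid for a single bootloader build, so I would name them and add a line such as `# MIB3: replaces <ORIGINAL_INSTRUCTION> at both sites; offsets valid for <BUILD_ID> only`, and read the target words back before patching so a different image fails loudly instead of being overwritten. The dump length `0x32` in the second hunk also looks short if the documented range "0xcf4dfb28 to 60" means up to 0xcf4dfb60, which would be `0x38`. In the last hunk `self.read_ufs(DEBUGGER_ADDR)` still executes after the jump to 0xcf0052f8 although it is marked `# NOT WORKING`; comment it out or gate it behind an argument until it is fixed. All three hunks sit inside `ExynosDevice` code whose enclosing method starts and ends outside the view.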