blob: ddf4198fd423a1e10d14b90584b8bd3999f245d5 [file] [log] [blame]
// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
use anyhow::{bail, ensure, Result};
use sha2::{Digest, Sha256};
use std::time::{Duration, Instant};
use thiserror::Error;
use zerocopy::AsBytes;
use crate::app::TransportWrapper;
use crate::bootstrap::{Bootstrap, BootstrapOptions, UpdateProtocol};
use crate::impl_serializable_error;
use crate::io::uart::Uart;
use crate::transport::Capability;
#[derive(AsBytes, Debug, Default)]
#[repr(C)]
struct FrameHeader {
hash: [u8; Frame::HASH_LEN],
frame_num: u32,
flash_offset: u32,
}
#[derive(AsBytes, Debug)]
#[repr(C)]
struct Frame {
header: FrameHeader,
data: [u8; Frame::DATA_LEN],
}
impl Default for Frame {
fn default() -> Self {
Frame {
header: Default::default(),
data: [0xff; Frame::DATA_LEN],
}
}
}
impl Frame {
const EOF: u32 = 0x8000_0000;
const FLASH_SECTOR_SIZE: usize = 2048;
const FLASH_SECTOR_MASK: usize = Self::FLASH_SECTOR_SIZE - 1;
const FLASH_BUFFER_SIZE: usize = 128;
const FLASH_BUFFER_MASK: usize = Self::FLASH_BUFFER_SIZE - 1;
const DATA_LEN: usize = 1024 - std::mem::size_of::<FrameHeader>();
const HASH_LEN: usize = 32;
const MAGIC_HEADER: [u8; 4] = [0xfd, 0xff, 0xff, 0xff];
const CRYPTOLIB_TELL: [u8; 4] = [0x53, 0x53, 0x53, 0x53];
/// Computes the hash in the header.
fn header_hash(&self) -> [u8; Frame::HASH_LEN] {
let frame = self.as_bytes();
let sha = Sha256::digest(&frame[Frame::HASH_LEN..]);
sha.into()
}
/// Computes the hash over the entire frame.
fn frame_hash(&self) -> [u8; Frame::HASH_LEN] {
let mut digest = Sha256::digest(self.as_bytes());
// Touch up zeroes into ones, as that is what the old chips are doing.
for b in &mut digest {
if *b == 0 {
*b = 1;
}
}
digest.into()
}
/// Creates a sequence of frames based on a `payload` binary.
fn from_payload(payload: &[u8]) -> Result<Vec<Frame>> {
// The given payload will contain up to four sections concatenated together:
// RO_A, RW_A optionally follwed by RO_B, RW_B
// Each section starts with a magic number on at least a 256 byte boundary.
// This rescue protocol uses the RW_A section only, which will start at the second
// occurrance of the magic value, and end at the third occurrence or at the end of the
// file.
ensure!(
payload.starts_with(&Self::MAGIC_HEADER),
RescueError::ImageFormatError
);
// Find second occurrence of magic value, not followed by signature of encrypted
// cryptolib.
let min_addr = match payload[256..]
.chunks(256)
.position(|c| &c[0..4] == &Self::MAGIC_HEADER && &c[4..8] != &Self::CRYPTOLIB_TELL)
{
Some(n) => (n + 1) * 256,
None => bail!(RescueError::ImageFormatError),
};
// Find third occurrence of magic value.
let max_addr = match payload[min_addr + 256..]
.chunks(256)
.position(|c| &c[0..4] == &Self::MAGIC_HEADER)
{
Some(n) => (n + 1) * 256 + min_addr,
None => payload.len(),
};
// Trim trailing 0xff bytes.
let max_addr = (payload[..max_addr]
.chunks(4)
.rposition(|c| c != &[0xff; 4])
.unwrap_or(0)
+ 1)
* 4;
let mut frames = Vec::new();
let mut frame_num = 0;
let mut addr = min_addr;
while addr < max_addr {
// Try skipping over 0xffffffff words.
let nonempty_addr = addr
+ payload[addr..]
.chunks(4)
.position(|c| c != &[0xff; 4])
.unwrap()
* 4;
let skip_addr = nonempty_addr & !Self::FLASH_SECTOR_MASK;
if skip_addr > addr && (addr == 0 || addr & Self::FLASH_BUFFER_MASK != 0) {
// Can only skip from the start or if the last addr wasn't an exact multiple of
// 128 (per H1D boot rom).
addr = skip_addr;
}
let mut frame = Frame {
header: FrameHeader {
frame_num,
flash_offset: addr as u32,
..Default::default()
},
..Default::default()
};
let slice_size = Self::DATA_LEN.min(payload.len() - addr);
frame.data[..slice_size].copy_from_slice(&payload[addr..addr + slice_size]);
frames.push(frame);
addr += Self::DATA_LEN;
frame_num += 1;
}
frames.last_mut().map(|f| f.header.frame_num |= Self::EOF);
frames
.iter_mut()
.for_each(|f| f.header.hash = f.header_hash());
Ok(frames)
}
}
#[derive(Debug, Error, serde::Serialize, serde::Deserialize)]
pub enum RescueError {
#[error("Unrecognized image file format")]
ImageFormatError,
#[error("Synchronization error communicating with boot rom")]
SyncError,
#[error("Repeated errors communicating with boot rom")]
RepeatedErrors,
}
impl_serializable_error!(RescueError);
/// Implements the UART rescue protocol of Google Ti50 firmware.
pub struct Rescue {}
impl Rescue {
/// Abort if a block has not been accepted after this number of retries.
const MAX_CONSECUTIVE_ERRORS: u32 = 50;
/// Take some measure to regain protocol synchronization, in case of this number of retries
/// of the same block.
const RESYNC_AFTER_CONSECUTIVE_ERRORS: u32 = 3;
/// Creates a new `Rescue` protocol updater from `options`.
pub fn new(_options: &BootstrapOptions) -> Self {
Self {}
}
/// Waits for some time for a character, returns None on timeout.
fn read_char(&self, uart: &dyn Uart) -> Option<char> {
let mut buf = [0u8; 1];
match uart.read_timeout(&mut buf, Duration::from_millis(100)) {
Ok(1) => Some(buf[0] as char),
Ok(_) => None,
_ => None,
}
}
/// Waits some time for data, returning true if the given string was seen in full, or false
/// as soon as a non-matching character is received or on timeout.
fn expect_string(&self, uart: &dyn Uart, s: &str) -> bool {
for expected_ch in s.chars() {
match self.read_char(uart) {
Some(ch) if ch == expected_ch => (),
_ => return false,
}
}
true
}
/// Reads and discards any characters in the receive buffer, waiting a little while for any
/// more which will also be discarded.
fn flush_rx(&self, uart: &dyn Uart) {
let mut response = [0u8; Frame::HASH_LEN];
loop {
match uart.read_timeout(&mut response, Duration::from_millis(500)) {
Ok(0) | Err(_) => break,
Ok(_) => continue,
}
}
}
/// As the 1024 byte blocks sent to the chip have no discernible header, the sender and
/// receiver could be "out of sync". This is resolved by sending one byte at a time, and
/// observing when the chip sends a response (which will be a rejection due to checksum).
fn synchronize(&self, uart: &dyn Uart) -> Result<()> {
// Most likely, only a few "extra" bytes have been sent during initial negotiation.
// Send almost a complete block in one go, and then send each of the last 16 bytes one
// at a time, slowly enough to detect a response before sending the next byte.
uart.write(&[0u8; 1008])?;
let mut response = [0u8; 1];
let limit = match uart.read_timeout(&mut response, Duration::from_millis(50)) {
Ok(0) | Err(_) => 16,
Ok(_) => {
// A response at this point must mean that more than 16 bytes had already been
// sent before entering this method. This will be resolved by doing another
// slower round of 1024 bytes with delay in between every one.
self.flush_rx(uart);
1024
}
};
for _ in 0..limit {
uart.write(&[0u8; 1])?;
match uart.read_timeout(&mut response, Duration::from_millis(50)) {
Ok(0) | Err(_) => (),
Ok(_) => {
self.flush_rx(uart);
return Ok(());
}
}
}
Err(RescueError::SyncError.into())
}
/// Reset the chip and send the magic 'r' character at the opportune moment during boot in
/// order to enter rescue more, repeat if necessary.
fn enter_rescue_mode(&self, container: &Bootstrap, uart: &dyn Uart) -> Result<()> {
// Attempt getting the attention of the bootloader.
let timeout = Duration::from_millis(2000);
for _ in 0..Self::MAX_CONSECUTIVE_ERRORS {
eprint!("Resetting...");
container.reset_pin.write(false)?; // Low active
std::thread::sleep(container.reset_delay);
container.reset_pin.write(true)?; // Release reset
let stopwatch = Instant::now();
while stopwatch.elapsed() < timeout {
if !self.expect_string(uart, "Bldr |") {
continue;
}
uart.write(&['r' as u8])?;
eprint!("a.");
while stopwatch.elapsed() < timeout {
if !self.expect_string(uart, "oops?|") {
continue;
}
uart.write(&['r' as u8])?;
eprint!("b.");
if self.expect_string(uart, "escue") {
eprintln!("c: Entered rescue mode!");
self.synchronize(uart)?;
return Ok(());
}
}
}
eprintln!(" Failed to enter rescue mode.");
}
Err(RescueError::RepeatedErrors.into())
}
}
impl UpdateProtocol for Rescue {
fn verify_capabilities(
&self,
_container: &Bootstrap,
transport: &TransportWrapper,
) -> Result<()> {
transport
.capabilities()?
.request(Capability::GPIO | Capability::UART)
.ok()?;
Ok(())
}
/// Returns false, in order to as the containing Bootstrap struct to not perform standard
/// BOOTSTRAP/RESET sequence.
fn uses_common_bootstrap_reset(&self) -> bool {
false
}
/// Performs the update protocol using the `transport` with the firmware `payload`.
fn update(
&self,
container: &Bootstrap,
transport: &TransportWrapper,
payload: &[u8],
progress: &dyn Fn(u32, u32),
) -> Result<()> {
let frames = Frame::from_payload(payload)?;
let uart = container.uart_params.create(transport)?;
self.enter_rescue_mode(container, &*uart)?;
// Send frames one at a time.
'next_block: for (idx, frame) in frames.iter().enumerate() {
for consecutive_errors in 0..Self::MAX_CONSECUTIVE_ERRORS {
eprint!("{}.", idx);
progress(frame.header.flash_offset, frame.data.len() as u32);
uart.write(frame.as_bytes())?;
let mut response = [0u8; Frame::HASH_LEN];
let mut index = 0;
while index < Frame::HASH_LEN {
let timeout = if index == 0 {
Duration::from_millis(1000)
} else {
Duration::from_millis(10)
};
match uart.read_timeout(&mut response[index..], timeout) {
Ok(0) | Err(_) => break,
Ok(n) => index += n,
}
}
if index < Frame::HASH_LEN {
eprint!("sync.");
self.synchronize(&*uart)?;
continue;
}
if response[4..].chunks(4).all(|x| x == &response[..4]) {
eprint!("sync.");
self.synchronize(&*uart)?;
} else if response == frame.frame_hash() {
continue 'next_block;
} else {
self.flush_rx(&*uart);
if consecutive_errors >= Self::RESYNC_AFTER_CONSECUTIVE_ERRORS {
eprint!("sync.");
self.synchronize(&*uart)?;
}
}
}
bail!(RescueError::RepeatedErrors);
}
// Reset, in order to leave rescue mode.
container.reset_pin.write(false)?; // Low active
std::thread::sleep(container.reset_delay);
container.reset_pin.write(true)?; // Release reset
eprintln!("Success!");
Ok(())
}
}