mfgtools: UUU not working on closed i.MX 6UL EVK

Hi,

I’m experiencing issues with UUU tool in Ubuntu 18.04 as it’s not working (it waits indefinitely) on closed i.MX 6UL EVK.

Screenshot of uuu waiting

The script we’re using is given below:

uuu_version 1.2.39

SDP: boot -f uboot_signed.imx

FB: ucmd setenv fastboot_dev mmc
FB: ucmd setenv mmcdev 1
FB: ucmd mmc dev 1
FB: flash bootloader uboot_signed.imx
FB: Done

The same script is working fine (flashed bootloader in SD Card) in a open, secure board and uboot_signed.imx is also manually verified to be working.

The fastboot parameters are as follows:

CONFIG_FASTBOOT_BUF_ADDR=0x83800000
CONFIG_FASTBOOT_BUF_SIZE=0x40000000

Detailed log is given below to aid in your diagnostics:

$uuu -v ./signed_write_boot_sd.lst 
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.4.43-0-ga9c099a

Build in config:
	Pctl	 Chip		 Vid	 Pid	 BcdVersion
	==================================================
	SDPS:	 MX8QXP		 0x1fc9	 0x012f	 [0x0002..0xffff]
	SDPS:	 MX8QM		 0x1fc9	 0x0129	 [0x0002..0xffff]
	SDPS:	 MX8DXL		 0x1fc9	 0x0147
	SDPS:	 MX28		 0x15a2	 0x004f
	SDPS:	 MX815		 0x1fc9	 0x013e
	SDPS:	 MX865		 0x1fc9	 0x0146
	SDP:	 MX7D		 0x15a2	 0x0076
	SDP:	 MX6Q		 0x15a2	 0x0054
	SDP:	 MX6D		 0x15a2	 0x0061
	SDP:	 MX6SL		 0x15a2	 0x0063
	SDP:	 MX6SX		 0x15a2	 0x0071
	SDP:	 MX6UL		 0x15a2	 0x007d
	SDP:	 MX6ULL		 0x15a2	 0x0080
	SDP:	 MX6SLL		 0x1fc9	 0x0128
	SDP:	 MX7ULP		 0x1fc9	 0x0126
	SDP:	 MXRT106X	 0x1fc9	 0x0135
	SDP:	 MX8MM		 0x1fc9	 0x0134
	SDP:	 MX8MQ		 0x1fc9	 0x012b
	SDPU:	 SPL		 0x0525	 0xb4a4	 [0x0000..0x04ff]
	SDPV:	 SPL1		 0x0525	 0xb4a4	 [0x0500..0x9998]
	SDPU:	 SPL		 0x0525	 0xb4a4	 [0x9999..0x9999]
	SDPU:	 SPL		 0x3016	 0x1001	 [0x0000..0x04ff]
	SDPV:	 SPL1		 0x3016	 0x1001	 [0x0500..0x9998]
	FBK:	 		 0x066f	 0x9afe
	FBK:	 		 0x066f	 0x9bff
	FB:	 		 0x0525	 0xa4a5
	FB:	 		 0x18d1	 0x0d02
	FB:	 		 0x3016	 0x0001
Wait for Known USB Device Appear...
New USB Device Attached at 1:124
1:124>Start Cmd:SDP: boot -f uboot_signed.imx
6400%1:124>Okay (2.276s)

_Originally posted by @danie007 in https://github.com/NXPmicro/mfgtools/issues/153#issuecomment-725909075_

CC @tkmozhi

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 21 (10 by maintainers)

Most upvoted comments

Fixed with CSF tweak 🌈

@jynik thank you for your providing useful insights ✌🏾. However, I had to make some minor changes to get it boot on a closed i.MX 6SX SABRE-SD.

My sequence:

  1. Cleared DCD pointer on u-boot.imx
dd if=/dev/zero of=u-boot.imx.cleardcd seek=12 bs=1 count=4 conv=notrunc
  1. Appended separate authentication block for DCD (from OCRAM)
Blocks = 0x877FF400 0x00 0x97C00 "u-boot.imx.cleardcd", \
#        Separate DCD block authentication
         0x910000 0x2C 0x220 "u-boot.imx.cleardcd"
  1. Concatenated the original u-boot.imx and the CSF binary
  2. Boot with -cleardcd flag on UUU tool

@nxpfrankli you could have point us to the HABv4 closed chip support on UUU.pdf that contain the useful information. See the excerpt below 👇🏽: Screenshot from 2021-12-22 11-27-56

So… it’s not really a UUU bug/issue insomuch as added steps apparently being necessary?

I too feel this now 😬

CC @tkmozhi

+4
danie007 on Dec 22, 2021

Update - Solved

To answer my own question: Yes, to boot a signed image on an i.MX6ULL, one must prepare a special image for booting over SDP. As @jmonkman noted, this requires changes to the CSF and metadata in the “imx” image that is signed.

So… it’s not really a UUU bug/issue insomuch as added steps apparently being necessary? Kudos to y’all whose breadcrumbs helped me understand this after reading docs for hours.

Details

We begin with an “imx” image produced by U-Boot. My image normally would boot directly from NAND, with the DCD taking care of the DDR initialization.

$ cat u-boot-dtb.imx.log
Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6/7 compatible)
Mode:         DCD
Data Size:    356448 Bytes = 348.09 KiB = 0.34 MiB
Load Address: 877ff420
Entry Point:  87800000
HAB Blocks:   0x877ff400 0x00000000 0x00054c00
DCD Blocks:   0x00910000 0x0000002c 0x000001e8

When booting from NAND, I can simply follow the signing instructions included in the U-Boot docs and/or the NXP CST documentation.

However, when attempting to boot via SDP I need to account for the fact that the DCD will be copied into OCRAM @ 0x910000, and that the DCD address in the authenticated IVT will be zeroized.

This requires a CSF whose Authenticate Data section includes the 3 separate writes that will occur when using UUU:

[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file

    # 3 sections to verify signature over:
    # IVT + Boot Data: Offset 0, Len 0x2c  (Fixed)
    # DCD: Offset 0x2C, Len 0x1e8  (From imx.log file emitted by U-Boot build)
    # Image Data: Offset 0xc00, Len <rest of image>
    Blocks =  0x877ff400 0x00000000 0x0000002c "u-boot-dtb.imx.cleardcd",\
              0x00910000 0x0000002c 0x000001e8 "u-boot-dtb.imx.cleardcd",\
              0x87800000 0x00000c00 0x00054000 "u-boot-dtb.imx.cleardcd"

Here, u-boot-dtb.imx.cleardcd is the u-boot-dtb.imx image produced by U-Boot, with the DCD pointer zeroized.

I then concatenated the original u-boot-dtb.imx and the CSF binary into a u-boot-dtb.imx.signed, and then booted that with UUU as follows:

uuu SDP: boot -f ./u-boot-dtb.imx.signed -cleardcd

This boots – but I still have some heebie jeebies here and need to further convince myself that all “attacker controlled” data that needs to be covered by a signature validation in fact is. I’m generally not thrilled by the idea of having separate signed images for recovery over SDP. (Don’t sign permissive images with production keys, folks! 😉 )

But alas, I’m not really sure what NXP’s intended flow is supposed to be here on the i.MX6ULL and friends is.

Original message (for posterity)

@jmonkman - With the UUU code as-provided, do you still need to construct a special CSF for SDP-based boot and sign an image with the DCD pointer in the IVT zeroized? (I am under the impressions that this has to be necessary in i.MX6ULL, but still looking for a good example.)

What you describe doing sounds similar in Appendix E: Freescale Manufacturing Tool of a 10/2015 version of AN4581, which was removed in later revisions…

@nxpfrankli - Any chance you could take a look at my preceding posts and comment further?

+2
jynik on Mar 16, 2021

@danie007 - Does my previous post apply at all?

If not, would you mind sharing a some screenshots (redacted if as needed) of a Wireshark usbmon capture showing the summary of the SDP HID transfers? This probably won’t show much, beyond confirming that the timeout occurs upon sending the jump operation that’ll kick off what probably ends up being an auth failure?

+1
jynik on Dec 19, 2021
Read more comments on GitHub
← nx-extensions: React/Ionic NX (0 , project_configuration_1.shouldDefaultToUsingStandaloneConfigs) is not a function
node-http2-proxy: Cluster support (Bug??) →