Exynos 4412 startup process analysis


In our experiments we burn the bin file to the SD card, as in the earlier assembly flow lamp (running LED) experiment.

Q: Who is reading these instructions from the SD card to execute?

A: It is the code burned into the chip's internal ROM, called iROM. The iROM is pre-programmed by the manufacturer, and no source code is available.

The iROM reads the program at a specific location on the boot device into the on-chip memory (iRAM) and executes it. This program is called BL1 (Bootloader 1); BL1 is provided by Samsung, with no source code.

BL1 reads the program at another specific location on the boot device into the on-chip memory and executes it. This program is called BL2 (Bootloader 2), and it is the code we write ourselves.

In the assembly flow lamp program we made BL2 with the mkbl2 tool and explained it in detail at the time. The command was:
./mkbl2 leds_on.bin bl2.bin 14336


The more detailed startup process of the iROM and BL1 is shown in the following figures (extracted from Android_Exynos4412_iROM_Secure_Booting_Guide_Ver.1.00.00.pdf):

(1) iROM: the following figure is the iROM startup flow chart
(Figure: iROM Booting)

As the figure shows, the iROM first disables the watchdog, disables interrupts and the MMU, disables the data cache, enables the instruction cache and invalidates the TLB, then puts the other cores into IDLE mode so that only CPU0 continues. Here comes the first branch: the iROM checks the current boot mode, cold start or wake-up. In wake-up mode it jumps directly to BL1; in BL1 we again check for wake-up mode and, if so, jump straight to the wake-up function, which is usually the resume handler of the Linux kernel. On bare metal every boot is a cold start, so sleep and wake-up normally need no attention; of course, if your bare-metal program has to support sleep and wake-up, you need to add the corresponding code.

Continuing with the analysis, the iROM then sets up the stacks for IRQ and SVC mode. At this point the stack lives in the internal iRAM; this small piece of RAM is the iROM's working memory, and without it the iROM could not run at all. Next it initializes the variables used by the iROM, initializes the read-only data segment, clears the uninitialized data segment and exports some core functions. BL1 can call these functions to get the current reset state, set the system clock frequency and read the OM pin configuration. The OM pins select which of several peripherals the system boots from; the specific boot modes are as follows:
(Figure: OM select boot device)

Our whole bare-metal tutorial boots from the external SD card. According to the OM boot mode, the first 8K of code is copied from the SD card; if the copy succeeds, the checksum is verified. The first 16 bytes of BL1 are provided to the iROM to identify BL1, and are laid out as follows (in a later tutorial we will write BL1 ourselves; for now we use Samsung's):

/*
 * bl1 header information for irom
 * 0x0 - bl1 size
 * 0x4 - reserved (should be 0)
 * 0x8 - check sum
 * 0xc - reserved (should be 0)
 */
.word 0x2000
.word 0x0
.word 0x0
.word 0x0

The header first gives the size of BL1, then the checksum of BL1. How do we know the checksum of BL1? It is computed by the mk4412 program over the final binary file produced by the compiler.

To put it simply, the iROM first sets up the program running environment (disabling the watchdog, disabling interrupts, disabling the MMU, setting the stack, starting the PLL, and so on); then, according to the OM pins, it determines the boot device (NAND flash / SD card / other) and reads BL1 from it into iRAM; finally it starts BL1.

(2) BL1: the following figure shows the startup process of BL1
(Figure: BL1 Booting)

In short, BL1 likewise sets up the program running environment (initializing interrupts, setting the stack, etc.); then it reads BL2 from the boot device into iRAM; finally it starts BL2.

There are several questions to answer:

1. Where on the boot device are BL1 and BL2 stored?

2. To which position in iRAM are BL1 and BL2 read?

3. How large are BL1 and BL2?

4. How is the integrity of BL1 and BL2 ensured (that is, how do we know the program was read without error)?

Assuming the boot device is an SD card (only SD card boot is covered here), the layout is as shown below:
(Figure: BL1, BL2 storage location on the SD card)
(Figure: BL1, BL2 storage location in iRAM)

BL1 is located at SD card byte offset 512, i.e. it starts at sector 1, with one sector (512 bytes) reserved in front of it. Why reserve the first sector? Anyone who has studied the DOS partition table will understand: the first sector is where the partition table lives. The iROM reads 8K bytes of data from this location into iRAM at address 0x02021400. So BL1 cannot be bigger than 8K.

The iROM computes the checksum; once verification passes and BL1 is decrypted successfully, it jumps to BL1. At this point the iROM has finished and control has been handed over to BL1. A supplementary note: decrypting BL1 is only required when booting in encrypted mode; a non-encrypted boot does not require decryption of BL1.

BL2 is located at SD card byte offset (512 + 8K). BL1 reads 14K bytes of data from this location and stores them at iRAM address 0x02023400. BL2 cannot be larger than (14K - 4) bytes; the last 4 bytes hold the check code. (In the assembly flow lamp experiment we used the mkbl2 tool to make BL2; the main job of the mkbl2 tool is to calculate this check code.)

If our program is larger than (14K - 4) bytes, we take the first (14K - 4) bytes to make BL2 and burn it to SD card offset (512 + 8K) bytes. When BL2 starts, it reads the complete program, stored at another location on the SD card, into memory.
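The following is an added example (not the page's own code, and not Samsung's tool) that reproduces what the page says about the BL2 image and the SD card layout: the program is cut or padded to 14K - 4 bytes, a 4-byte check code is appended, and BL1 recomputes that code before it trusts the image. The check code is assumed here to be a 32-bit sum of all payload bytes, as in the commonly used open-source mkbl2 tools; the page only states that mkbl2 "calculates the check code".

```python
import struct

SECTOR = 512
BL1_OFFSET = 512                     # sector 0 holds the partition table, BL1 starts at sector 1
BL1_SIZE = 8 * 1024                  # iROM copies 8K to iRAM 0x02021400
BL2_OFFSET = BL1_OFFSET + BL1_SIZE   # 512 + 8K = 8704 bytes, i.e. sector 17
BL2_SIZE = 14 * 1024                 # BL1 copies 14K to iRAM 0x02023400
BL2_PAYLOAD = BL2_SIZE - 4           # the last 4 bytes hold the check code


def bl2_checksum(payload: bytes) -> int:
    # Assumption: 32-bit sum of every payload byte (common mkbl2 behaviour).
    return sum(payload) & 0xFFFFFFFF


def make_bl2(program: bytes) -> bytes:
    """Build a BL2 image the way the page describes mkbl2: keep at most
    14K-4 bytes of the program, zero-pad to that size, append the check code."""
    payload = program[:BL2_PAYLOAD].ljust(BL2_PAYLOAD, b"\x00")
    return payload + struct.pack("<I", bl2_checksum(payload))


def verify_bl2(image: bytes) -> bool:
    """The integrity check BL1 performs before jumping: recompute and compare."""
    if len(image) != BL2_SIZE:
        return False
    (stored,) = struct.unpack("<I", image[BL2_PAYLOAD:])
    return stored == bl2_checksum(image[:BL2_PAYLOAD])


def sd_layout() -> dict:
    """(start sector, sector count) per stage, e.g. for dd bs=512 seek=N."""
    return {
        "BL1": (BL1_OFFSET // SECTOR, BL1_SIZE // SECTOR),   # (1, 16)
        "BL2": (BL2_OFFSET // SECTOR, BL2_SIZE // SECTOR),   # (17, 28)
    }


if __name__ == "__main__":
    # Constructed stand-in for leds_on.bin: 100 bytes of 0xAB.
    program = bytes([0xAB]) * 100
    bl2 = make_bl2(program)
    print(len(bl2), hex(bl2_checksum(bl2[:BL2_PAYLOAD])), verify_bl2(bl2))
    # A single flipped bit anywhere in the payload must fail the check.
    damaged = bytearray(bl2)
    damaged[0] ^= 0x01
    print(verify_bl2(bytes(damaged)), sd_layout())
```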
