Is it possible to run libreelec on zidoo h6 pro?

  • After a lot of reading on Allwinner's secure boot documents and source code, I find something interesting:

    1. An old thread

    H3-Soc boot rom security & E-Fuse (forum.armbian.com)

    Spitfire says after he flashes all 0xff to H3's rotpk efuse, it boots. Efuse is OTP, I can not revert my efuse to 0, but I should be able to flash it again to all 0xff. Hope it also works for H6.

    2. There is a kernel driver sunxi-sysinfo in the 3.10 kernel source code which matches my board:

    https://gitee.com/nnxr/H6-BSP3.1…r/sunxi-sysinfo
    This driver exposes a file device /dev/sunxi_soc_info and 2 character classes /sys/class/sys_info + /sys/class/key_info

    I tested on my board, all 3 work fine. I can get all information it is designed to give. Write function is not exposed.

    This driver uses standard arm instruction "smc #0" to switch from EL1(Kernel) to EL3(TEE).

    3. I find an EL3 smc handler source code of Allwinner
    https://github.com/Allwinner-Homl…vc_setup.c#L221

    If my board's EL3 firmware is compiled from this source code, that means I should be able to invoke smc command ARM_SVC_EFUSE_WRITE to write efuse.

    4. My board does not check Kmod's signature. So I can modify this sunxi-sysinfo driver, add some new API to invoke a smc call to write all 0xff to rotpk, compile and insmod to run it..

    5. If I succeeded, stock fw would be dead because sunxi spl only ignores rotpk if it is all 0 when it switches to uboot:

    https://github.com/Allwinner-Homl…rom_main.c#L591
    Mainline uboot-with-spl should be OK because it uses other security design.

    Of course if the chip planted sbrom is doing the same thing as this spl sbrom, the board would be a brick..

  • Update: I am able to use a ko to trigger EL3 firmware's boot from another address.

    This is my code:

    invoke_smc_fn is defined at:

    It sends an interrupt to EL3 and makes the handler erase EL1 state and boot a new EL1 system.

    EL3 Handler is at:

    H6-BSP4.9-brandy/arm-trusted-firmware-1.0/services/arm/arm_svc_setup.c at ceec41bced9047a61df5caa6322376dd278aac6f · Allwinner-Homlet/H6-BSP4.9-brandy (github.com)

    I use the LE u-boot-spl.bin as boot image, but it does not seem to work..

    Do not know whether it is wrong image format or wrong memory operation. Perhaps spl is built non-relocatable and must be put to a fixed address to start?

    Or I should try vmlinux binary directly? vmlinux is so big, I must find a contiguous 22mb region in physical memory.. kernel virtual address is killing me...

  • all right, at least the uart0 helloworld bin works

    sunxi-tools/uart0-helloworld-sdboot.c at master · linux-sunxi/sunxi-tools (github.com)

    So at least I can make this ko load vmlinux into multiple pages of physical memory, then make a bootloader to assemble those pages to 0x40008000...

    But first I will see whether I can make it jump to mainline uboot. (NOPE, mainline uboot is designed to start from EL3, but now I only have EL1)

  • permheaddamage as I said, secure boot is totally out of my league, but there are people on IRC (#linux-sunxi at OFTC) who researched it and are probably able to help you.

    Thanks Jernej,

    After I enabled CONFIG_POSITION_INDEPENDENT in uboot config and added a function to disable icache/mmu:

    ENTRY(save_boot_params)
        mrs    x0, sctlr_el1
        bic    x0, x0, #1 << 2       // clear SCTLR_EL1.C (data cache)
        bic    x0, x0, #1            // clear SCTLR_EL1.M (MMU)
        msr    sctlr_el1, x0
        isb                          // make the SCTLR change take effect
        b    save_boot_params_ret    /* back to my caller */
    ENDPROC(save_boot_params)

    I am able to boot this modified LE uboot. It has some problems getting information from the incompatible sunxi SPL.

    At least it can load the kernel file from sd card and boot it. But it stopped at that "Starting Kernel". Now it's time to see what's wrong with Kernel.

    Basically I am using the stock firmware as a giant bootloader.. Now the sequence is:

    BL31: Stock SPL(zidoo signed)

    BL33: Stock Uboot(zidoo signed)

    Stock Kernel(zidoo signed), Now it's like BL34?

    LE Uboot(non secure), maybe BL35...

    LE Kernel(non secure)

  • I got a hint from apritzel of adding earlycon to bootargs.

    Now I get this output:

    I called disable_nonboot_cpus() in stock kernel to shutdown all other core before jumping into new uboot.

    ATF has reserved 16M secure memory at 0x48000000~0x49000000 which is not accessible by EL1. For convenience I configured CFG_SYS_SDRAM_BASE 0x80000000 and memory size 1GB. I also added /memreserve/ in the dts file to leave this hole alone.
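The load-address planning the last two posts describe (a contiguous payload that must not touch the EL3-reserved window, plus the matching /memreserve/ directive) as an added example, not code from the thread; the 16 MiB secure hole at 0x48000000 comes from the post above, while the DRAM base, size and payload sizes are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Half-open physical address range [start, start+size)."""
    start: int
    size: int

    @property
    def end(self) -> int:
        return self.start + self.size

    def overlaps(self, other: "Range") -> bool:
        return self.start < other.end and other.start < self.end


# Secure window the post reports ATF reserving; EL1 accesses to it fault.
SECURE_HOLE = Range(0x48000000, 16 << 20)


def usable_regions(dram: Range, reserved: list) -> list:
    """Split DRAM into sorted regions that avoid every reserved range."""
    cuts = sorted((r for r in reserved if r.overlaps(dram)), key=lambda r: r.start)
    out, cur = [], dram.start
    for r in cuts:
        if r.start > cur:
            out.append(Range(cur, r.start - cur))
        cur = max(cur, r.end)
    if cur < dram.end:
        out.append(Range(cur, dram.end - cur))
    return out


def find_load_address(dram: Range, reserved: list, payload_size: int, align: int = 0x200000):
    """Lowest aligned address where a contiguous payload fits without touching reserved memory."""
    for reg in usable_regions(dram, reserved):
        start = (reg.start + align - 1) & ~(align - 1)
        if start + payload_size <= reg.end:
            return start
    return None  # no contiguous gap is large enough


def memreserve_line(r: Range) -> str:
    """Device-tree /memreserve/ directive that keeps a range out of the kernel's allocators."""
    return f"/memreserve/ 0x{r.start:08x} 0x{r.size:08x};"


if __name__ == "__main__":
    dram = Range(0x40000000, 1 << 30)  # constructed: 1 GiB of DRAM starting at 0x40000000
    print(hex(find_load_address(dram, [SECURE_HOLE], 22 << 20)))
    print(memreserve_line(SECURE_HOLE))
```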