Is it possible to run libreelec on zidoo h6 pro?

permheaddamage · June 29, 2023 at 8:00 AM

After a lot of reading on Allwinner's secure boot documents and source code, I find something interesting:

1. An old thread

Hi, I bought nanopi_neo boards (for my hobby projects). I am learning about security. I am able to dump e-Fuse area at uboot stage. But i can't modify it (i…

forum.armbian.com

Spitfire says after he flashes all 0xff to H3's rotpk efuse, it boots. Efuse is OTP, I can not revert my efuse to 0, but I should be able to flash it again to all 0xff. Hope it also works for H6.

2. There is a kernel driver sunxi-sysinfo in the 3.10 kernel source code which matches my board:

https://gitee.com/nnxr/H6-BSP3.1…r/sunxi-sysinfo
This driver exposes a file device /dev/sunxi_soc_info and 2 chararcter classes /sys/class/sys_info + /sys/class/key_info

I tested on my board, all 3 works fine. I can get all information it is designed to give. Write function is not exposed.

This driver uses standard arm instruction "smc #0" to switch from EL1(Kernel) to EL3(TEE).

3. I find a EL3 smc handler source code of Allwinner
https://github.com/Allwinner-Homl…vc_setup.c#L221

If my board's EL3 firmware is compiled from this source code, that means I should be able to invoke smc command ARM_SVC_EFUSE_WRITE to write efuse.

4. My board does not check Kmod's signature. So I can modify this sunxi-sysinfo driver, add some new API to invoke a smc call to write all 0xff to rotpk, compile and insmod to run it..

5. If I succeeded, stock fw would be dead because sunxi spl only ignores rotpk if it is all 0 when it switches to uboot:

https://github.com/Allwinner-Homl…rom_main.c#L591
Mainline uboot-with-spl should be OK because it uses other security design.

Of course if the chip planted sbrom is doing the same thing as this spl sbrom, the board would be a brick..

permheaddamage · July 2, 2023 at 5:17 PM

Update: I am able to use a ko to trigger EL3 firmware's boot from another address.

This is my code:

Code

#define ARM_SVC_RUNNSOS                         0x8000ff04
static int sunxi_boot(phys_addr_t addr)
{
    return invoke_smc_fn(ARM_SVC_RUNNSOS, addr, 0, 0);
}

static int __init boot_init(void)
{
    printk("blob virt:0x%lx\n", bin2c_u_boot_spl_bin);
    maddr = __get_free_pages(GFP_KERNEL,get_order(32768));
    if(maddr)
    {
        printk("vmalloc_virt=0x%lx\n", maddr);
        printk("vmalloc_phys=0x%lx\n", virt_to_phys(maddr));
        memcpy(maddr, bin2c_u_boot_spl_bin, sizeof(bin2c_u_boot_spl_bin));
        sunxi_boot(virt_to_phys(maddr));
    }
    return 0;
}

Display More

invoke_smc_fn is defined at:

drivers/char/sunxi-sysinfo/smc_call.S · 南宁橡芮科技有限公司/H6-BSP3.10-linux - Gitee

Allwinner H6 BSP linux 3.10

gitee.com

It sends an interrupt to EL3 and make the handler erase EL1 state and boot a new EL1 system.

EL3 Handler is at:

H6-BSP4.9-brandy/arm-trusted-firmware-1.0/services/arm/arm_svc_setup.c at ceec41bced9047a61df5caa6322376dd278aac6f · Allwinner-Homlet/H6-BSP4.9-brandy

beta version, not final release. Contribute to Allwinner-Homlet/H6-BSP4.9-brandy development by creating an account on GitHub.

github.com

I use the LE u-boot-spl.bin as boot image, but it seems not working..

Do not know whether it is wrong image format or wrong memory operation. Perhaps spl is built non-relocatable and must be put to a fixed address to start?

Or I should try vmlinux binary directly? vmlinux is so big, I must find a contigus 22mb memory in physical memory.. kernel virtual address is killing me...

permheaddamage · July 3, 2023 at 2:02 PM

all right, at least the uart0 helloworld bin works

sunxi-tools/uart0-helloworld-sdboot.c at master · linux-sunxi/sunxi-tools

A collection of command line tools for ARM devices with Allwinner SoCs. - sunxi-tools/uart0-helloworld-sdboot.c at master · linux-sunxi/sunxi-tools

github.com

So at least I can make this ko load vmlinux into multiple pages of physical memory, then make a bootloader to assemble those page to 0x40008000...

But first I will see whether I can make it jump to mainline uboot. (NOPE, mainline uboot is designed to start from EL3, but now I only have EL1)

**jernej** · July 4, 2023 at 5:01 AM

permheaddamage as I said, secure boot is totally out of my league, but there are people on IRC (#linux-sunxi at OFTC) who researched it and are probably able to help you.

permheaddamage · July 4, 2023 at 3:29 PM

Quote from jernej

permheaddamage as I said, secure boot is totally out of my league, but there are people on IRC (#linux-sunxi at OFTC) who researched it and are probably able to help you.

Thanks Jernej,

After I enabled CONFIG_POSITION_INDEPENDENT in uboot config and added a function to disable icache/mmu:

Code

ENTRY(save_boot_params)
    mrs    x0, sctlr_el1
    bic    x0, x0, #1 << 2       // clear SCTLR.C
    bic    x0, x0, #1            // clear mmu
    msr    sctlr_el1, x0
    isb
    b    save_boot_params_ret    /* back to my caller */
ENDPROC(save_boot_params)

I am able to boot this modified LE uboot. It has some problem to get information from the incompatible sunxi SPL.

At least it can load the kernel file from sd card and boot it. But it stopped at that "Starting Kernel". Now it's time to see what's wrong with Kernel.

Basicall I am using the stock firmware as a giant bootloader.. Now the sequence is:

BL31: Stock SPL(zidoo signed)

BL33: Stock Uboot(zidoo signed)

Stock Kernel(zidoo signed), Now it's like BL34?

LE Uboot(non secure), maybe BL35...

LE Kernel(non secure)

permheaddamage · July 9, 2023 at 4:28 PM

I got a hint from apritzel of adding earlycon to bootargs.

Now I get this output:

Code

petrel-p1:/ $ su
petrel-p1:/ # insmod /storage/1803-1707/bootsd.ko
INFO:    BL3-1: Next image address = 0x93b00000
INFO:    BL3-1: Next image spsr = 0x3c5


U-Boot 2022.10 (Jul 09 2023 - 11:53:35 +0000) Allwinner Technology

CPU:   Allwinner H6 (SUN50I)
Model: Beelink GS1
DRAM:  1 GiB
Core:  53 devices, 17 uclasses, devicetree: separate
WDT:   Not starting watchdog@7020400
MMC:   mmc@4020000: 0, mmc@4022000: 1
Loading Environment from FAT... ** Bad device specification mmc 1 **
In:    serial@5000000
Out:   serial@5000000
Err:   serial@5000000
Net:   No ethernet found.
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found /extlinux/extlinux.conf
Retrieving file: /extlinux/extlinux.conf
1:      LibreELEC
Retrieving file: /KERNEL
append: boot=UUID=1803-1707 disk=UUID=e74196e7-acc6-47fe-9d35-e547de3eae47 quiet console=ttyS0,115200                 console=tty1 earlycon=uart,mmio32,0x05000000 memmap=128M@0x48000000
Retrieving file: /sun50i-h6-beelink-gs1.dtb
Moving Image from 0x40080000 to 0x40200000, end=417c0000
## Flattened Device Tree blob at 8fa00000
   Booting using the fdt blob at 0x8fa00000
   Loading Device Tree to 0000000089ff4000, end 0000000089fffb09 ... OK

Starting kernel ...

[    0.000000] Unable to handle kernel ttbr address size fault at virtual address 0000000040d84520
[    0.000000] Mem abort info:
[    0.000000]   ESR = 0x0000000086000000
[    0.000000]   EC = 0x21: IABT (current EL), IL = 32 bits
[    0.000000]   SET = 0, FnV = 0
[    0.000000]   EA = 0, S1PTW = 0
[    0.000000]   FSC = 0x00: ttbr address size fault
[    0.000000] [0000000040d84520] user address but active_mm is swapper
[    0.000000] Internal error: Oops: 0000000086000000 [#1] PREEMPT SMP
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.1.19 #1
[    0.000000] Hardware name: Beelink GS1 (DT)
[    0.000000] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    0.000000] pc : 0x40d84520
[    0.000000] lr : paging_init+0x44c/0x598
[    0.000000] sp : ffff8000093f3d10
[    0.000000] x29: ffff8000093f3d10 x28: ffff800008f42000 x27: 0000000000000007
[    0.000000] x26: 0000000040210000 x25: ffff80000948ddb8 x24: ffff800008fc5c54
[    0.000000] x23: ffff80000954b000 x22: ffff800008f42000 x21: ffff800008fb2000
[    0.000000] x20: 00007ffff93b3000 x19: 0000000040d84520 x18: fffffbfffda39000
[    0.000000] x17: 0000000000000000 x16: 0000000000000000 x15: 00000000411c0000
[    0.000000] x14: 0040000000000041 x13: 0040000000000001 x12: ffffffffc11c0000
[    0.000000] x11: fffffbfffda39e00 x10: 0068000000000703 x9 : 0000000080000000
[    0.000000] x8 : 0000000000000001 x7 : 0068000000000f03 x6 : 0000000000000080
[    0.000000] x5 : 0000ffffc1220000 x4 : 0001000000000000 x3 : ffff800008f42000
[    0.000000] x2 : 0000000000000000 x1 : 00000000417b1000 x0 : 00007ffff93b3000
[    0.000000] Call trace:
[    0.000000]  0x40d84520
[    0.000000]  setup_arch+0x240/0x534
[    0.000000]  start_kernel+0x80/0x61c
[    0.000000]  __primary_switched+0xb4/0xbc
[    0.000000] Unable to handle kernel ttbr address size fault at virtual address 0000000040d84510
[    0.000000] Mem abort info:
[    0.000000]   ESR = 0x0000000096000000
[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits
[    0.000000]   SET = 0, FnV = 0
[    0.000000]   EA = 0, S1PTW = 0
[    0.000000]   FSC = 0x00: ttbr address size fault
[    0.000000] Data abort info:
[    0.000000]   ISV = 0, ISS = 0x00000000
[    0.000000]   CM = 0, WnR = 0
[    0.000000] [0000000040d84510] user address but active_mm is swapper

Display More

I called disable_nonboot_cpus() in stock kernel to shutdown all other core before jumping into new uboot.

ATF has reserved 16M secure memory at 0x48000000~0x49000000 which is not accessible by EL1. For convenience I configured CFG_SYS_SDRAM_BASE 0x80000000 and memory size 1GB. I also add /memreserve/ in dts file to leave this hole alone.

Is it possible to run libreelec on zidoo h6 pro?

Similar Threads

Having Trouble While Installing This Software

M72e Tiny Lenovo - Possible solution to an old problem Error 1962: No Operating System Found

Squeezebox server (LMS) on LibreElec possible now?