Freescale Bootloader
ckuethe edited this page Jan 8, 2015
A USB armory with no bootable microSD card will identify as "SE Blank RITA". You can then use the bootloader to inject U-Boot (or other executable code) into memory.
# lsusb -d 15a2:004e -v
Bus 001 Device 021: ID 15a2:004e Freescale Semiconductor, Inc.
Device Descriptor:
|__ bLength 18
|__ bDescriptorType 1
|__ bcdUSB 2.00
|__ bDeviceClass 0 (Defined at Interface level)
|__ bDeviceSubClass 0
|__ bDeviceProtocol 0
|__ bMaxPacketSize0 64
|__ idVendor 0x15a2 Freescale Semiconductor, Inc.
|__ idProduct 0x004e
|__ bcdDevice 0.01
|__ iManufacturer 1 Freescale SemiConductor Inc
|__ iProduct 2 SE Blank RITA
|__ iSerial 0
|__ bNumConfigurations 1
|__ Configuration Descriptor:
|__ bLength 9
|__ bDescriptorType 2
|__ wTotalLength 32
|__ bNumInterfaces 1
|__ bConfigurationValue 1
|__ iConfiguration 4 Freescale Flash
|__ bmAttributes 0xc0
| |__ Self Powered
|__ MaxPower 10mA
|__ Interface Descriptor:
|__ bLength 9
|__ bDescriptorType 4
|__ bInterfaceNumber 0
|__ bAlternateSetting 0
|__ bNumEndpoints 2
|__ bInterfaceClass 255 Vendor Specific Class
|__ bInterfaceSubClass 64
|__ bInterfaceProtocol 1
|__ iInterface 5 Freescale Flash
|__ Endpoint Descriptor:
| |__ bLength 7
| |__ bDescriptorType 5
|__ bEndpointAddress 0x01 EP 1 OUT
|__ bmAttributes 2
| |__ Transfer Type Bulk
|__ Synch Type None
|__ Usage Type Data
|__ wMaxPacketSize 0x0200 1x 512 bytes
|__ bInterval 0
|__ Endpoint Descriptor:
|__ bLength 7
|__ bDescriptorType 5
|__ bEndpointAddress 0x82 EP 2 IN
|__ bmAttributes 2
| |__ Transfer Type Bulk
|__ Synch Type None
|__ Usage Type Data
|__ wMaxPacketSize 0x0200 1x 512 bytes
|__ bInterval 0
Device Qualifier (for other device speed):
|__ bLength 10
|__ bDescriptorType 6
|__ bcdUSB 2.00
|__ bDeviceClass 0 (Defined at Interface level)
|__ bDeviceSubClass 0
|__ bDeviceProtocol 0
|__ bMaxPacketSize0 64
|__ bNumConfigurations 1
Device Status: 0x0000
|__ (Bus Powered)
Make udev create a nice device node:
# echo 'ATTRS{idVendor}=="15a2", ATTRS{idProduct}=="004e", GROUP="plugdev", MODE="0660", SYMLINK+="freescale-imx-%k"' |sudo tee -a /etc/udev/rules.d/42-freescale.rules
# udevadm control --reload-rules
Download and compile imx_usb_loader, connect your serial console, then inject U-Boot. If all goes well, the U-Boot prompt will appear on the serial console.
# ./imx_usb ../uboot/u-boot.imx
config file <./imx_usb.conf>
vid=0x066f pid=0x3780 file_name=mx23_usb_work.conf
vid=0x15a2 pid=0x004f file_name=mx28_usb_work.conf
vid=0x15a2 pid=0x0052 file_name=mx50_usb_work.conf
vid=0x15a2 pid=0x0054 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0063 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0041 file_name=mx51_usb_work.conf
vid=0x15a2 pid=0x004e file_name=mx53_usb_work.conf
vid=0x15a2 pid=0x006a file_name=vybrid_usb_work.conf
vid=0x066f pid=0x37ff file_name=linux_gadget.conf
config file <./mx53_usb_work.conf>
parse ./mx53_usb_work.conf
15a2:004e(mx53) bConfigurationValue =1
Interface 0 claimed
HAB security state: development mode (0xf0f0f0f0)
== work item
filename ../uboot/u-boot.imx
load_size 0 bytes
load_addr 0x00000000
dcd 1
clear_dcd 0
plug 1
jump_mode 2
jump_addr 0x00000000
== end work item
main dcd length 1a0
sub dcd length 19c
loading binary file(../uboot/u-boot.imx) to 777ff400, skip=0, fsize=3ac00 type=aa
<<<240640, 240640 bytes>>>
HAB security state: development mode (0x88888888)
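To see what a `.imx` image contains before injecting it, this added example (not part of the original page or of imx_usb_loader) decodes the image's IVT, boot data and DCD header and reports whether a CSF, the HAB signature data, is referenced. Assumptions: the i.MX flash header v2 layout with the IVT at offset 0 of the file; the function names are hypothetical, and the sample header is constructed to mirror the load address and DCD length in the log above.

```python
import struct

IVT_TAG, DCD_TAG = 0xD1, 0xD2  # header tags of the i.MX flash header v2 (assumed layout)

def parse_imx_header(image: bytes) -> dict:
    """Decode the IVT, boot data and DCD header at the start of a .imx image."""
    if len(image) < 0x20:
        raise ValueError("image shorter than an IVT")
    tag, length, version = struct.unpack_from(">BHB", image, 0)
    if tag != IVT_TAG or length != 0x20:
        raise ValueError(f"no IVT at offset 0 (tag={tag:#x}, length={length:#x})")
    entry, _, dcd_ptr, boot_ptr, self_ptr, csf_ptr, _ = struct.unpack_from("<7I", image, 4)

    def offset(ptr: int, size: int) -> int:
        # Pointers are absolute target addresses; rebase them on the IVT's own address.
        off = ptr - self_ptr
        if off < 0 or off + size > len(image):
            raise ValueError(f"pointer {ptr:#x} falls outside the image")
        return off

    info = {"ivt_version": version, "entry": entry, "ivt_addr": self_ptr,
            "has_csf": csf_ptr != 0,  # non-zero CSF pointer: signature data is referenced
            "dcd_length": 0, "plugin": False}
    if boot_ptr:
        start, size, plugin = struct.unpack_from("<3I", image, offset(boot_ptr, 12))
        info.update(boot_start=start, boot_size=size, plugin=bool(plugin))
    if dcd_ptr:
        d_tag, d_len, _ = struct.unpack_from(">BHB", image, offset(dcd_ptr, 4))
        if d_tag != DCD_TAG:
            raise ValueError(f"bad DCD tag {d_tag:#x}")
        info["dcd_length"] = d_len
    return info

def build_sample() -> bytes:
    # Constructed header (not a real U-Boot): IVT, boot data, then an empty DCD body.
    self_ptr = 0x777FF400
    ivt = struct.pack(">BHB", IVT_TAG, 0x20, 0x40) + struct.pack(
        "<7I", 0x77800000, 0, self_ptr + 0x2C, self_ptr + 0x20, self_ptr, 0, 0)
    boot = struct.pack("<3I", 0x777FF000, 0x3B000, 0)  # constructed start/size/plugin
    dcd = struct.pack(">BHB", DCD_TAG, 0x1A0, 0x40) + bytes(0x1A0 - 4)
    return ivt + boot + dcd

if __name__ == "__main__":
    for key, value in parse_imx_header(build_sample()).items():
        print(f"{key:12} {value:#x}" if type(value) is int else f"{key:12} {value}")
```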
- https://github.com/boundarydevices/imx_usb_loader
- https://community.freescale.com/docs/DOC-1639
- http://atose.org/?page_id=205
- http://www.mobileread.com/forums/archive/index.php/t-162643.html
- http://wiki.mobileread.com/wiki/Kindle_Touch_Hacking
- http://lists.infradead.org/pipermail/barebox/2013-May/014805.html
- http://bunniefoo.com/novena/IMX6DQ6SDLSRM_security.pdf (describes the bootloader protocol)