Skip to content

Freescale Bootloader

ckuethe edited this page Dec 11, 2014 · 5 revisions

A UsbArmory with no BootableSdCard will identify as "SE Blank Rita". You can then use the FreescaleBootloader to inject uBoot (or other executable code) into memory.

# lsusb -d 15a2:004e -v

Bus 001 Device 021: ID 15a2:004e Freescale Semiconductor, Inc. 
Device Descriptor:
|__ bLength                18
|__ bDescriptorType         1
|__ bcdUSB               2.00
|__ bDeviceClass            0 (Defined at Interface level)
|__ bDeviceSubClass         0 
|__ bDeviceProtocol         0 
|__ bMaxPacketSize0        64
|__ idVendor           0x15a2 Freescale Semiconductor, Inc.
|__ idProduct          0x004e 
|__ bcdDevice            0.01
|__ iManufacturer           1 Freescale SemiConductor Inc 
|__ iProduct                2 SE Blank RITA
|__ iSerial                 0 
|__ bNumConfigurations      1
|__ Configuration Descriptor:
    |__ bLength                 9
    |__ bDescriptorType         2
    |__ wTotalLength           32
    |__ bNumInterfaces          1
    |__ bConfigurationValue     1
    |__ iConfiguration          4 Freescale Flash
    |__ bmAttributes         0xc0
    |   |__ Self Powered
    |__ MaxPower               10mA
    |__ Interface Descriptor:
        |__ bLength                 9
        |__ bDescriptorType         4
        |__ bInterfaceNumber        0
        |__ bAlternateSetting       0
        |__ bNumEndpoints           2
        |__ bInterfaceClass       255 Vendor Specific Class
        |__ bInterfaceSubClass     64 
        |__ bInterfaceProtocol      1 
        |__ iInterface              5 Freescale Flash
        |__ Endpoint Descriptor:
        |   |__ bLength                 7
        |   |__ bDescriptorType         5
        |__ bEndpointAddress     0x01  EP 1 OUT
        |__ bmAttributes            2
        |   |__ Transfer Type            Bulk
        |__ Synch Type               None
        |__ Usage Type               Data
        |__ wMaxPacketSize     0x0200  1x 512 bytes
        |__ bInterval               0
        |__ Endpoint Descriptor:
            |__ bLength                 7
            |__ bDescriptorType         5
            |__ bEndpointAddress     0x82  EP 2 IN
            |__ bmAttributes            2
            |   |__ Transfer Type            Bulk
            |__ Synch Type               None
            |__ Usage Type               Data
            |__ wMaxPacketSize     0x0200  1x 512 bytes
            |__ bInterval               0
Device Qualifier (for other device speed):
|__ bLength                10
|__ bDescriptorType         6
|__ bcdUSB               2.00
|__ bDeviceClass            0 (Defined at Interface level)
|__ bDeviceSubClass         0 
|__ bDeviceProtocol         0 
|__ bMaxPacketSize0        64
|__ bNumConfigurations      1
Device Status:     0x0000
|__ (Bus Powered)

Make udev create a nice device node

# echo 'ATTRS{idVendor}=="15a2", ATTRS{idProduct}=="004e", GROUP="plugdev", MODE="0660", SYMLINK+="freescale-imx-%k"' |sudo tee -a /etc/udev/rules.d/42-freescale.rules
# udevadm control --reload-rules

Download and compile imx_usb_loader, connect your SerialConsole, then inject uBoot. If all goes well, the uBoot prompt will appear on the SerialConsole

# ./imx_usb ../uboot/u-boot.imx 
config file <./imx_usb.conf>
vid=0x066f pid=0x3780 file_name=mx23_usb_work.conf
vid=0x15a2 pid=0x004f file_name=mx28_usb_work.conf
vid=0x15a2 pid=0x0052 file_name=mx50_usb_work.conf
vid=0x15a2 pid=0x0054 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0063 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0041 file_name=mx51_usb_work.conf
vid=0x15a2 pid=0x004e file_name=mx53_usb_work.conf
vid=0x15a2 pid=0x006a file_name=vybrid_usb_work.conf
vid=0x066f pid=0x37ff file_name=linux_gadget.conf
config file <./mx53_usb_work.conf>
parse ./mx53_usb_work.conf
15a2:004e(mx53) bConfigurationValue =1
Interface 0 claimed
HAB security state: development mode (0xf0f0f0f0)
== work item
filename ../uboot/u-boot.imx
load_size 0 bytes
load_addr 0x00000000
dcd 1
clear_dcd 0
plug 1
jump_mode 2
jump_addr 0x00000000
== end work item
main dcd length 1a0
sub dcd length 19c

loading binary file(../uboot/u-boot.imx) to 777ff400, skip=0, fsize=3ac00 type=aa

<<<240640, 240640 bytes>>>
HAB security state: development mode (0x88888888)
  • https://github.com/boundarydevices/imx_usb_loader
  • https://community.freescale.com/docs/DOC-1639
  • http://atose.org/?page_id=205
  • http://www.mobileread.com/forums/archive/index.php/t-162643.html
  • http://wiki.mobileread.com/wiki/Kindle_Touch_Hacking#Boot_over_USB_HID_serial_.2F_USB_downloader_mode
  • http://lists.infradead.org/pipermail/barebox/2013-May/014805.html
Clone this wiki locally