6,264
edits
Changes
Jump to navigation
Jump to search
Line 122:
Line 122: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
* Then the instruction/data access permissions for the MPU regions are setup.
* Then the instruction/data access permissions for the MPU regions are setup.
* Lastly bitmask 0x0005707d is orred in the cp15 control register.
* Lastly bitmask 0x0005707d is orred in the cp15 control register.
== Boot9 main() ==
The following functions are called: LT_ffff2024(), LT_ffff1ff8(), pxi_init(), rsa_init(), initialize_rsakeyslots_pubk(), crypto_initialize(), and aesengine_reset().
Then AES keyslot 0x3F is setup: aesengine_setnormalkey(0x3f, 5, ptr) is called. ptr on retail(CFG_UNITINFO check) is 0xffffd6e0, 0xffffd700 for devunit. Then essentially, aesengine_setctr(5, ptr+0x10) is executed.
Then AES keyslot 0x3f is selected.
When calling the following functions, if any of them return zero, it will immediately jump to setting ptr to 0x10012000(otp), otherwise when all of them return non-zero ptr = sp+0x94. otp_decrypt(sp+4), otp_verify(sp+4), initialize_consoleunique_itcm(sp+4, 0x07ffb800).
Then the following is executed: initialize_aeskeys_wrap(ptr, 0x70);
Then sp+4 size 0x100 is cleared to zero.
...
NAND firm-boot code-block, is described below. Note that boot9 is basically hard-coded to use deviceid NAND, not SD.
{
timer_updatestoredstate() is called, then the AES keyslot for NAND-FIRM is selected(0x6).
Then LT_ffff56c8() is called, if that returns non-zero the statuscode variable is set to ~2 then it jumps to NAND_BOOTEND.
Then LT_ffff5774(0x201) is called, if that returns non-zero the statuscode variable is set to ~1 then it jumps to NAND_BOOTEND.
Then fsdriver_setup_mmc() is called. Then nand_findfirmpartition_loadfirm(0) is called, with the statuscode variable set to the retval.
Executes a loop which runs 8 times: write the output from get_errorcode_arrayentry_xfff005e8(loopindex) to u8 0x1fffe000+0x10+loopindex(copy the array of 32bit error-codes for all 8 NCSD partitions initialized by nand_findfirmpartition_loadfirm() to the array of 8bit entries at 0x1fffe000+0x10).
NAND_BOOTEND:
Then the statuscode variable is written to u8 0x1fffe000+0xc.
Then LT_ffff5690(0x201, 0x1fffe018, 0x1fffe01c) is called.
Then LT_ffff5644() is called.
Then timer_updatestoredstate() is called.
When statuscode==0 for success, it jumps to FIRMLOAD_END. Otherwise, it continues to the next code-block.
}
Wifi spi-flash firm-boot code-block, executed when no FIRM was loaded successfully so far.
{
timer_updatestoredstate() is called.
Then spi_wififlash_cmdgetstatusreg(sp+0x100) is executed. When bit0 of the output u8 at sp+0x100 is clear, it will continue this code-block, otherwise it will set the statuscode variable to ~1 then jump to SPIFLASH_BOOTEND.
Then fsdriver_setup_wififlash() is called.
Here read_firmhdr_validate_loadfirm(0, 2) is called, with the statuscode variable set to the retval.
SPIFLASH_BOOTEND:
Then the statuscode variable is written to u8 0x1fffe000+0xe.
Then timer_updatestoredstate() is called.
When statuscode==0 for success, it jumps to FIRMLOAD_END. Otherwise, it executes writenormalkey_keyslot3f(), then jumps to FIRMLOAD_FAILURE.
}
FIRMLOAD_END:
Here it calls firmhdr_getarm11_entrypoint() and firmhdr_getarm9_entrypoint(). Immediately after calling each function it checks if the retval is 0, if so it then jumps to FIRMLOAD_FAILURE.
After calling initialize_x07ffbd00_x07ffc100_rsakeyslotsprivk(), it jumps to FIRMLOAD_EXIT.
FIRMLOAD_FAILURE:
Here it clears 0x07ffb800 size 0x3c70 to zero, endaddr = 0x07fff470.
Then it continues to FIRMLOAD_EXIT.
FIRMLOAD_EXIT:
Here firmboot() is called, which should never return. The instruction after this bl is a call for panic().
== Boot Procedure ==
== Boot Procedure ==