http://droid-developers.org/api.php?action=feedcontributions&user=Eiyee&feedformat=atom
MILEDROPEDIA - User contributions [en]
2024-03-28T17:29:02Z
User contributions
MediaWiki 1.23.2
http://droid-developers.org/wiki/File:Sec_swrv.gz
File:Sec swrv.gz
2012-03-08T21:59:23Z
<p>Eiyee: uploaded a new version of &quot;File:Sec swrv.gz&quot;</p>
<hr />
<div></div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-29T18:34:20Z
<p>Eiyee: first byte of SWRV assumed to be sbf version</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The [[Motorola sec driver]] reads 160 bit of eFuse data using the [[Secure Services]] call API_HAL_MOT_EFUSE_READ. The code names this data "SWRV" (meaning unknown). The format of this structure is mostly unknown. There are there some hints (documented below), but more data is needed to understand it in useful detail.<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc; margin-top: 1em; margin-bottom: 1em;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|-<br />
| 1c 08 00 2a 18 0a 00 2a e0 fd 01 40 c4 09 00 2a 00 00 00 00<br />
| RAZR (thanks to kholk on IRC)<br />
|-<br />
| 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 60 00 00<br />
| Milestone XT720<br />
|}<br />
<br />
The first byte is assumed to be the sbf revision based on values found on Defy (0x0f=bl4, 0x1f=bl5, 0x3f=bl6).<br />
<br />
You can contribute SWRV values by running [[File:sec_swrv.c]] (binary [[File:sec_swrv.gz]]). The code might work on any OMAP3xxx based Motorola device. Please add a small description and note if unlocked/dev phone/replacement.<br />
<br />
The driver code includes this check for engineering and production bits in drivers/misc/sec/sec_core.c:<br />
<syntaxhighlight lang="c" line><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</syntaxhighlight><br />
<br />
It also contains an enum with potential hints. The enum values are API parameters for [[Secure Services]]<br />
call API_HAL_MOT_EFUSE - and contrary to the code comment the start value does not seem to be random at all.<br />
It is unknown if there is a mapping of parameters to bits in SWRV. <br />
<br />
Calling API_HAL_MOT_EFUSE with [http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 SEC_CUST_CODE]<br />
resulted in bit 15 being set (0 -> 1).<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<syntaxhighlight lang="c" line><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</syntaxhighlight><br />
<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/Motorola_sec_driver
Motorola sec driver
2012-02-27T03:28:17Z
<p>Eiyee: very basic info</p>
<hr />
<div>The kernel source released by Motorola includes a driver module (drivers/misc/sec)<br />
that provides an interface to some [[Secure Services]] via a Linux ioctl. It allows<br />
access to API_HAL_MOT_EFUSE and API_HAL_MOT_EFUSE_READ.<br />
<br />
Code using the ioctl to query SWRV can be found here: [[File:Sec_swrv.c]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-27T03:19:09Z
<p>Eiyee: more swrv and a little cleanup</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The [[Motorola sec driver]] reads 160 bit of eFuse data using the [[Secure Services]] call API_HAL_MOT_EFUSE_READ. The code names this data "SWRV" (meaning unknown). The format of this structure is mostly unknown. There are there some hints (documented below), but more data is needed to understand it in useful detail.<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc; margin-top: 1em; margin-bottom: 1em;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|-<br />
| 1c 08 00 2a 18 0a 00 2a e0 fd 01 40 c4 09 00 2a 00 00 00 00<br />
| RAZR (thanks to kholk on IRC)<br />
|-<br />
| 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 60 00 00<br />
| Milestone XT720<br />
|}<br />
<br />
You can contribute SWRV values by running [[File:sec_swrv.c]] (binary [[File:sec_swrv.gz]]). The code might work on any OMAP3xxx based Motorola device. Please add a small description and note if unlocked/dev phone/replacement.<br />
<br />
The driver code includes this check for engineering and production bits in drivers/misc/sec/sec_core.c:<br />
<syntaxhighlight lang="c" line><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</syntaxhighlight><br />
<br />
It also contains an enum with potential hints. The enum values are API parameters for [[Secure Services]]<br />
call API_HAL_MOT_EFUSE - and contrary to the code comment the start value does not seem to be random at all.<br />
It is unknown if there is a mapping of parameters to bits in SWRV. <br />
<br />
Calling API_HAL_MOT_EFUSE with [http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 SEC_CUST_CODE]<br />
resulted in bit 15 being set (0 -> 1).<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<syntaxhighlight lang="c" line><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</syntaxhighlight><br />
<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/File:Pboot-defy-2.6.32.ko.gz
File:Pboot-defy-2.6.32.ko.gz
2012-02-27T01:28:47Z
<p>Eiyee: Module to trigger peripheral USB boot on Defy</p>
<hr />
<div>Module to trigger peripheral USB boot on Defy</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-24T02:01:28Z
<p>Eiyee: fix file name</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" driver module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ.<br />
<br />
You can contribute SWRV values by running [[File:sec_swrv.c]] (binary [[File:sec_swrv.gz]]).<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|-<br />
| 1c 08 00 2a 18 0a 00 2a e0 fd 01 40 c4 09 00 2a 00 00 00 00<br />
| RAZR (thanks to kholk on IRC)<br />
|}<br />
<br />
The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy. The driver code includes this check for engineering and production bits (in 5th 32-bit word) in drivers/misc/sec/sec_core.c:<br />
<pre><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</pre><br />
<br />
The driver also has an enum with potential hints to eFuse values in drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/File:Sec_swrv.gz
File:Sec swrv.gz
2012-02-24T02:00:15Z
<p>Eiyee: </p>
<hr />
<div></div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-24T01:26:44Z
<p>Eiyee: add SWRV for RAZR from kholk</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" driver module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ.<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|-<br />
| 1c 08 00 2a 18 0a 00 2a e0 fd 01 40 c4 09 00 2a 00 00 00 00<br />
| RAZR (thanks to kholk on IRC)<br />
|}<br />
<br />
You can contribute SWRV values by running [[File:sec_swrv.c]] (binary [[File:sec_swrv]]).<br />
<br />
The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy. The driver code includes this check for engineering and production bits (in 5th 32-bit word) in drivers/misc/sec/sec_core.c:<br />
<pre><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</pre><br />
<br />
The driver also has an enum with potential hints to eFuse values in drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-24T01:24:52Z
<p>Eiyee: </p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" driver module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ.<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|}<br />
<br />
You can contribute SWRV values by running [[File:sec_swrv.c]] (binary [[File:sec_swrv]]).<br />
<br />
The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy. The driver code includes this check for engineering and production bits (in 5th 32-bit word) in drivers/misc/sec/sec_core.c:<br />
<pre><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</pre><br />
<br />
The driver also has an enum with potential hints to eFuse values in drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/File:Sec_swrv.c
File:Sec swrv.c
2012-02-24T01:21:29Z
<p>Eiyee: </p>
<hr />
<div></div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-24T01:19:45Z
<p>Eiyee: link to SWRV dumper</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" driver module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ.<br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|}<br />
<br />
You can contribute SWRV values by running [[File:sec_swrv.c]] (binary [[File:sec_swrv]]).<br />
<br />
The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy.<br />
<br />
The driver code includes this check for engineering and production bits (in 5th 32-bit word) in drivers/misc/sec/sec_core.c:<br />
<pre><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</pre><br />
<br />
The driver also has an enum with potential hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-24T00:06:02Z
<p>Eiyee: </p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" driver module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ.<br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|}<br />
<br />
You can load the sec.ko module and contribute other values from dmesg. The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy.<br />
<br />
The driver code includes this check for engineering and production bits (in 5th 32-bit word) in drivers/misc/sec/sec_core.c:<br />
<pre><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</pre><br />
<br />
The driver also has an enum with potential hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-24T00:01:17Z
<p>Eiyee: </p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== FCC information ==<br />
FCC ID: IHDP56LC1<br />
<br />
FCC ID: IHDP56LC2<br />
<br />
FCC ID: IHDP56LC3<br />
<br />
FCC ID: IHDP56LC4 <br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
<br />
== CPU-ID/PKEY ==<br />
<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
== Socinfo ==<br />
<br />
cat /proc/socinfo<br />
<pre><br />
SoC : OMAP3630 ES1.1<br />
IDCODE : 1b89102f<br />
Pr. ID : 00000000 00000000 000004cc cafeb891<br />
Die ID : 06027009 0160757a ffd80000 366c0001<br />
</pre><br />
<br />
== Secure Services data ==<br />
<br />
dmesg output from sec.ko on Defy+ (http://forum.xda-developers.com/showthread.php?p=21402316#post21402316).<br />
<br />
<pre><br />
SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
SecGetModelId = 02 00 00 00<br />
SecGetProcID = 09 70 02 06 7a 75 60 01 00 00 d8 ff 01 00 6c 36<br />
SecProcessorType = 44<br />
</pre><br />
<br />
The first byte of [http://www.droid-developers.org/wiki/EFuse#SWRV_values SWRV] seems to be different <br />
depending on model (Defy 0x0f, Defy+ 0x3f).<br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts:<br />
<pre><br />
CPU0<br />
11: 1556066 INTC prcm<br />
12: 32697 INTC DMA<br />
21: 19225 INTC SGX ISR<br />
24: 0 INTC omap-iommu.0, Omap 3 Camera ISP<br />
25: 37531 INTC OMAP DSS<br />
26: 7 INTC DspBridge mailbox<br />
28: 0 INTC DspBridge iommu fault<br />
35: 18694 INTC sim<br />
37: 64884 INTC gp timer<br />
56: 27740 INTC i2c_omap<br />
57: 12138 INTC i2c_omap<br />
58: 396 INTC omap_hdq<br />
61: 33 INTC i2c_omap<br />
72: 294 INTC serial idle<br />
73: 0 INTC serial idle<br />
74: 0 INTC serial idle<br />
77: 11425 INTC ehci_hcd:usb1<br />
78: 291 INTC usbtll<br />
83: 2002 INTC mmc0<br />
86: 38332 INTC mmc1<br />
88: 0 INTC syspanic<br />
92: 23630 INTC musb_hdrc<br />
93: 23848 INTC musb_hdrc<br />
94: 2741 INTC TIWLAN_SDIO<br />
160: 4364 GPIO cpcap-irq<br />
170: 0 GPIO bu52014hfv<br />
176: 330 GPIO isl29030_als_ir<br />
182: 34 GPIO kxtf9_irq<br />
197: 1 GPIO gpio_kp<br />
199: 0 GPIO gpio_kp<br />
225: 13305 GPIO tiwlan0<br />
252: 0 GPIO lm3530_led<br />
259: 1180 GPIO qtouch_ts_int<br />
271: 0 GPIO bu52014hfv<br />
301: 0 GPIO Remote Wakeup<br />
323: 0 GPIO mmc0<br />
337: 0 GPIO gpio_keys<br />
Err: 0<br />
</pre><br />
<br />
== Iomem ==<br />
<br />
cat /proc/iomem<br />
<pre><br />
48060000-4806003f : i2c_omap.3<br />
48060000-4806003f : i2c_omap<br />
48062000-48062fff : ehci-omap.0<br />
48064000-480643ff : ehci-omap.0<br />
48064800-48064bff : ehci-omap.0<br />
4806a000-4806a3ff : omap-uart.1<br />
4806a000-4806a3ff : omap-uart<br />
4806c000-4806c3ff : omap-uart.2<br />
4806c000-4806c3ff : omap-uart<br />
48070000-4807003f : i2c_omap.1<br />
48070000-4807003f : i2c_omap<br />
48072000-4807203f : i2c_omap.2<br />
48072000-4807203f : i2c_omap<br />
48098000-480980ff : omap2_mcspi.1<br />
48098000-480980ff : omap2_mcspi.1<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809c000-4809c1ff : mmci-omap-hs.0<br />
4809c000-4809c1ff : mmci-omap-hs<br />
480ab000-480acfff : musb_hdrc<br />
480ad000-480ad1ff : TIWLAN_SDIO.2<br />
480b2000-480b201c : omap_hdq.0<br />
480b4000-480b41ff : mmci-omap-hs.1<br />
480b4000-480b41ff : mmci-omap-hs<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480bc000-480bc06f : omap3isp<br />
480bc000-480bc06f : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd800-480bd96f : omap3isp<br />
480bd800-480bd96f : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
48314000-4831404f : omap_wdt<br />
48314000-4831404f : omap_wdt<br />
49020000-490203ff : omap-uart.3<br />
49020000-490203ff : omap-uart<br />
70000000-70ffffff : vrfb<br />
71000000-71ffffff : vrfb<br />
72000000-72ffffff : vrfb<br />
73000000-73ffffff : vrfb<br />
74000000-74ffffff : vrfb<br />
75000000-75ffffff : vrfb<br />
76000000-76ffffff : vrfb<br />
77000000-77ffffff : vrfb<br />
78000000-78ffffff : vrfb<br />
79000000-79ffffff : vrfb<br />
7a000000-7affffff : vrfb<br />
7b000000-7bffffff : vrfb<br />
7c000000-7cffffff : vrfb<br />
7d000000-7dffffff : vrfb<br />
7e000000-7effffff : vrfb<br />
7f000000-7fffffff : vrfb<br />
80c00000-9fdfffff : System RAM<br />
80c35000-81152fff : Kernel text<br />
8117a000-813d5b0f : Kernel data<br />
8e000000-8e01ffff : ram_console.0<br />
e0000000-e0ffffff : vrfb<br />
e1000000-e1ffffff : vrfb<br />
e2000000-e2ffffff : vrfb<br />
e3000000-e3ffffff : vrfb<br />
e4000000-e4ffffff : vrfb<br />
e5000000-e5ffffff : vrfb<br />
e6000000-e6ffffff : vrfb<br />
e7000000-e7ffffff : vrfb<br />
</pre><br />
<br />
[[Category:Phones]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-23T23:49:49Z
<p>Eiyee: mention engineering check in sec_core.c</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ. It contains an enum with hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
The driver code includes this check for engineering and production bits (in 5th 32-bit word):<br />
<pre><br />
iterator = data + 4;<br />
<br />
/*HAB_ENG : 13, HAB_PROD : 14 */<br />
/*Engineering only if engineering blown and production not */<br />
if (((*iterator) & (0x3 << 13)) == (0x1 << 13))<br />
ret_val = SEC_ENGINEERING;<br />
</pre><br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|}<br />
<br />
You can load the sec.ko module and contribute other values from dmesg. The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy.<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-23T23:40:20Z
<p>Eiyee: mention how to contribute SWRV values</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
'''TODO'''<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
<br />
== SWRV values ==<br />
<br />
The kernel source released by Motorola includes a "sec" module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ. It contains an enum with hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|}<br />
<br />
You can load the sec.ko module and contribute other values from dmesg. The module source is in drivers/misc/sec/ in the Motorola kernel source (build with CONFIG_SEC_DRIVER=m), there is also a binary [http://dl.dropbox.com/u/31689596/sec.ko sec.ko] for Defy.<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-23T23:27:22Z
<p>Eiyee: one more SWRV for defy</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
== SWRV values ==<br />
The kernel source released by Motorola includes a "sec" module that reads 160 bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ. It contains an enum with hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="1" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SWRV<br />
! Description<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ([http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source])<br />
|-<br />
| 1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom ([http://forum.xda-developers.com/showpost.php?p=21405389&postcount=181 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) ([http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source])<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE ([http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source])<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy Chinese unlocked/eng? ([http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2])<br />
|}<br />
<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-23T23:17:42Z
<p>Eiyee: more SRWV</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
== SWRV values ==<br />
The kernel source released by Motorola includes a "sec" module that reads 128-bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ. It contains an enum with hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SRWV<br />
! Description<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) [http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source]<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00<br />
| Defy+ after blowing SEC_CUST_CODE [http://forum.xda-developers.com/showpost.php?p=21410214&postcount=219 source]<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy unknown [http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source]<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy unknown Chinese unlocked/eng(?) [http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2]<br />
|}<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-23T23:14:14Z
<p>Eiyee: start list of SWRV data</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
== eFuse table ==<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
== SWRV values ==<br />
The kernel source released by Motorola includes a "sec" module that reads 128-bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ. It contains an enum with hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
These values have been observed:<br />
<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! SRWV<br />
! Description<br />
|-<br />
| 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy+ 2.3.6 134-132 SBF (v6) [http://forum.xda-developers.com/showpost.php?p=21402316&postcount=167 source]<br />
|-<br />
| 0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
| Defy unknown [http://forum.xda-developers.com/showpost.php?p=21492705&postcount=412 source]<br />
|-<br />
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00<br />
| Defy unknown Chinese unlocked/eng(?) [http://forum.xda-developers.com/showpost.php?p=21434360&postcount=335 source], [http://forum.xda-developers.com/showpost.php?p=21436570&postcount=337 source2]<br />
|}<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/EFuse
EFuse
2012-02-23T22:59:24Z
<p>Eiyee: mention sec driver, SWRV, SEC_SV_COMPONENT_T</p>
<hr />
<div>== Overview ==<br />
The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses<br />
(eFuse). This is one-time only programmable memory that is organized into N x 32-bit words -<br />
(unknown value) words are reserved by Texas Instruments and for future use. <br />
The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure<br />
external memory encryption.<br />
<br />
The kernel source released by Motorola includes a "sec" module that reads 128-bit of eFuse data (referred to as "SWRV") using [[Secure Services]] call API_HAL_MOT_EFUSE_READ. It contains an enum with hints to eFuse values:<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
typedef enum {<br />
/*Starting with random non zero value for component type */<br />
SEC_AP_PA_PPA = 0x00000065,<br />
SEC_BP_PPA,<br />
SEC_BP_PA,<br />
SEC_ML_PBRDL,<br />
SEC_MBM,<br />
SEC_RRDL_BRDL,<br />
SEC_BPL,<br />
SEC_AP_OS,<br />
SEC_BP_OS,<br />
SEC_BS_DIS,<br />
SEC_ENG,<br />
SEC_PROD,<br />
SEC_CUST_CODE,<br />
SEC_PKC,<br />
SEC_MODEL_ID,<br />
SEC_MAX<br />
} SEC_SV_COMPONENT_T;<br />
</pre><br />
<br />
== eFuse table ==<br />
<br />
{|<br />
! Index<br />
! Name<br />
! Description<br />
|-<br />
| <br />
| PRODUCTION_ID<br />
| not available yet<br />
|-<br />
|<br />
| SECURITY_ID<br />
| not available yet<br />
|}<br />
<br />
== EFUSE Power Domain ==<br />
<br />
EFUSE Power Domain Clock Controls<br />
<br />
'''EFUSE Power Domain Clock-Gating Control'''<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
!Clock Name <br />
!Reset<br />
!Clock-Gating Control<br />
!Gating Description<br />
|-<br />
|EFUSE_ALWON_FCLK<br />
|Running<br />
|None<br />
|Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released<br />
|}<br />
<br />
== Reading ==<br />
<br />
For reading eFuse you need:<br />
# call 0x28 Secure Service - invalidate dcache<br />
# call 0x2a Secure Service - aux write<br />
# call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ<br />
<br />
PPA handler of EFUSE READ interrupt call<br />
<syntaxhighlight lang="ida" line><br />
ROM:86FFF06C<br />
ROM:86FFF06C ; =============== S U B R O U T I N E =======================================<br />
ROM:86FFF06C<br />
ROM:86FFF06C<br />
ROM:86FFF06C ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()<br />
ROM:86FFF06C PPA_API_HAL_MOT_EFUSE_READ ; DATA XREF: PPA_SMC_handler_SL+44�o<br />
ROM:86FFF06C ; ROM:off_86FFF5B8�o<br />
ROM:86FFF06C 000 MOV R2, R0 ; arg_3<br />
ROM:86FFF06E 000 PUSH {R4,LR} ; Push registers<br />
ROM:86FFF070 008 MOVS R1, #1 ; arg_2<br />
ROM:86FFF072 008 MOVS R0, #0x64 ; arg_1<br />
ROM:86FFF074 008 BLX PPA_interrupt_call ; Branch with Link and Exchange (immediate address)<br />
ROM:86FFF074<br />
ROM:86FFF078 008 LDR R1, =0xAF8023D4 ; Load from Memory<br />
ROM:86FFF07A 008 LDR R2, [R1] ; Load from Memory<br />
ROM:86FFF07C 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF07E 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF082 008 STR R2, [R0] ; Store to Memory<br />
ROM:86FFF084 008 LDR R2, [R1,#4] ; Load from Memory<br />
ROM:86FFF086 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF088 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF08C 008 STR R2, [R0,#4] ; Store to Memory<br />
ROM:86FFF08E 008 LDR R2, [R1,#8] ; Load from Memory<br />
ROM:86FFF090 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF092 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF096 008 STR R2, [R0,#8] ; Store to Memory<br />
ROM:86FFF098 008 LDR R2, [R1,#0xC] ; Load from Memory<br />
ROM:86FFF09A 008 UXTH R3, R2 ; Unsigned extend halfword to word<br />
ROM:86FFF09C 008 ORR.W R2, R3, R2,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0A0 008 STR R2, [R0,#0xC] ; Store to Memory<br />
ROM:86FFF0A2 008 LDR R1, [R1,#0x10] ; Load from Memory<br />
ROM:86FFF0A4 008 UXTH R2, R1 ; Unsigned extend halfword to word<br />
ROM:86FFF0A6 008 ORR.W R1, R2, R1,LSR#16 ; Rd = Op1 | Op2<br />
ROM:86FFF0AA 008 STR R1, [R0,#0x10] ; Store to Memory<br />
ROM:86FFF0AC 008 MOVS R0, #0 ; Rd = Op2<br />
ROM:86FFF0AE 008 POP {R4,PC} ; Pop registers<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; End of function PPA_API_HAL_MOT_EFUSE_READ<br />
ROM:86FFF0AE<br />
ROM:86FFF0AE ; ---------------------------------------------------------------------------<br />
ROM:86FFF0B0 dword_86FFF0B0 DCD 0xAF8023D4 ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r<br />
ROM:86FFF0B4<br />
</syntaxhighlight><br />
<br />
== Code Listings ==<br />
<br />
=== Fuse blowing functions ===<br />
<br />
'''Listing 1.''' Fuse blowing BS_DIS ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048AC ; =============== S U B R O U T I N E =======================================<br />
ROM:870048AC<br />
ROM:870048AC<br />
ROM:870048AC ; int __cdecl fuse_blow_BS_DIS()<br />
ROM:870048AC fuse_blow_BS_DIS<br />
ROM:870048AC 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048AE 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048B0 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048B2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048B4 008 FF F7 70 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048B8 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048BA 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048BC 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048BC ; End of function fuse_blow_BS_DIS<br />
ROM:870048BC<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse blowing CUSTOM ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048E2 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048E2<br />
ROM:870048E2<br />
ROM:870048E2 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)<br />
ROM:870048E2 fuse_blow_CUSTOM<br />
ROM:870048E2 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048E4 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048E6 010 0D 46 MOV R5, R1 ; Rd = Op2<br />
ROM:870048E8 010 10 26 MOVS R6, #0x10 ; Rd = Op2<br />
ROM:870048EA 010 A9 B2 UXTH R1, R5 ; Unsigned extend halfword to word<br />
ROM:870048EC 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048EE 010 FF F7 53 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:870048F2 010 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:870048F4 010 30 46 MOV R0, R6 ; Rd = Op2<br />
ROM:870048F6 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048F6 ; End of function fuse_blow_CUSTOM<br />
ROM:870048F6<br />
</syntaxhighlight><br />
<br />
'''Listing 3.''' Fuse blowing PRODUCTION ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048F8<br />
ROM:870048F8 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048F8<br />
ROM:870048F8<br />
ROM:870048F8 ; int __cdecl fuse_blow_PRODUCTION()<br />
ROM:870048F8 fuse_blow_PRODUCTION<br />
ROM:870048F8 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048FA 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048FC 008 01 21 MOVS R1, #1 ; value<br />
ROM:870048FE 008 70 20 MOVS R0, #SEC_PROD ; fuse_entry_number<br />
ROM:87004900 008 FF F7 4A FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004904 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004906 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:87004908 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:87004908 ; End of function fuse_blow_PRODUCTION<br />
ROM:87004908<br />
</syntaxhighlight><br />
<br />
'''Listing 4.''' Fuse blowing ENGINEERING ( from mbmloader )<br />
<syntaxhighlight lang="ida" line><br />
ROM:8700490A<br />
ROM:8700490A ; =============== S U B R O U T I N E =======================================<br />
ROM:8700490A<br />
ROM:8700490A<br />
ROM:8700490A ; int __cdecl fuse_blow_ENGINEERING()<br />
ROM:8700490A fuse_blow_ENGINEERING ; CODE XREF: main+20<br />
ROM:8700490A 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:8700490C 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:8700490E 008 01 21 MOVS R1, #1 ; value<br />
ROM:87004910 008 6F 20 MOVS R0, #SEC_ENG ; fuse_entry_number<br />
ROM:87004912 008 FF F7 41 FF BL fuse_blow_byte ; Branch with Link<br />
ROM:87004916 008 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:87004918 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:8700491A 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:8700491A ; End of function fuse_blow_ENGINEERING<br />
</syntaxhighlight><br />
<br />
=== Fuse reading functions ===<br />
<br />
'''Listing 2.''' Fuse reading byte (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A<br />
ROM:8F31DB0A ; int __cdecl moto_efuse_read(__int32 fuse_entry)<br />
ROM:8F31DB0A moto_efuse_read ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p<br />
ROM:8F31DB0A ; fuse_read_SEC_BS_DIS+6�p ...<br />
ROM:8F31DB0A 000 PUSH {R4-R6,LR} ; Push registers<br />
ROM:8F31DB0C 010 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DB0E 010 LDR R5, =0xDEADBEEF ; Load from Memory<br />
ROM:8F31DB10 010 SUB.W R0, R4, #0x65 ; switch 16 cases<br />
ROM:8F31DB14 010 CMP R0, #0x10 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DB16 010 BCS return_ ; do nothing<br />
ROM:8F31DB16<br />
ROM:8F31DB18<br />
ROM:8F31DB18 fuse_table ; switch jump<br />
ROM:8F31DB18 010 TBB.W [PC,R0]<br />
ROM:8F31DB18<br />
ROM:8F31DB18 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB1C 010 fuse_choice DCB 8 ; jump table for switch statement<br />
ROM:8F31DB1D 010 DCB 0x52<br />
ROM:8F31DB1E 010 DCB 0x52<br />
ROM:8F31DB1F 010 DCB 0x11<br />
ROM:8F31DB20 010 DCB 0x1A<br />
ROM:8F31DB21 010 DCB 0x22<br />
ROM:8F31DB22 010 DCB 0x52<br />
ROM:8F31DB23 010 DCB 0x2A<br />
ROM:8F31DB24 010 DCB 0x52<br />
ROM:8F31DB25 010 DCB 0x32<br />
ROM:8F31DB26 010 DCB 0x37<br />
ROM:8F31DB27 010 DCB 0x3D<br />
ROM:8F31DB28 010 DCB 0x43<br />
ROM:8F31DB29 010 DCB 0x52<br />
ROM:8F31DB2A 010 DCB 0x4D<br />
ROM:8F31DB2B 010 DCB 0x51<br />
ROM:8F31DB2C ; ---------------------------------------------------------------------------<br />
ROM:8F31DB2C<br />
ROM:8F31DB2C is_SEC_APP_PA_PPA ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB2C 010 MOVS R0, #3 ; jumptable 8F31DB18 case 101<br />
ROM:8F31DB2E 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB2E<br />
ROM:8F31DB32 010 ASRS R6, R0, #8 ; Arithmetic Shift Right<br />
ROM:8F31DB34 010 MOV R0, R6 ; count<br />
ROM:8F31DB36 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB36<br />
ROM:8F31DB3A 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB3C 010 B return ; Branch<br />
ROM:8F31DB3C<br />
ROM:8F31DB3E ; ---------------------------------------------------------------------------<br />
ROM:8F31DB3E<br />
ROM:8F31DB3E is_SEC_ML_PBRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB3E 010 MOVS R0, #3 ; jumptable 8F31DB18 case 104<br />
ROM:8F31DB40 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB40<br />
ROM:8F31DB44 010 UXTB R6, R0 ; Unsigned extend byte to word<br />
ROM:8F31DB46 010 MOV R0, R6 ; count<br />
ROM:8F31DB48 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB48<br />
ROM:8F31DB4C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB4E 010 B return ; Branch<br />
ROM:8F31DB4E<br />
ROM:8F31DB50 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB50<br />
ROM:8F31DB50 is_SEC_MBM ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB50 010 MOVS R0, #2 ; jumptable 8F31DB18 case 105<br />
ROM:8F31DB52 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB52<br />
ROM:8F31DB56 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB58 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB58<br />
ROM:8F31DB5C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB5E 010 B return ; Branch<br />
ROM:8F31DB5E<br />
ROM:8F31DB60 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB60<br />
ROM:8F31DB60 is_SEC_RRDL_BRDL ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB60 010 MOVS R0, #1 ; jumptable 8F31DB18 case 106<br />
ROM:8F31DB62 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB62<br />
ROM:8F31DB66 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB68 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB68<br />
ROM:8F31DB6C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB6E 010 B return ; Branch<br />
ROM:8F31DB6E<br />
ROM:8F31DB70 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB70<br />
ROM:8F31DB70 is_SEC_AP_OS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB70 010 MOVS R0, #0 ; jumptable 8F31DB18 case 108<br />
ROM:8F31DB72 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB72<br />
ROM:8F31DB76 010 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DB78 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DB78<br />
ROM:8F31DB7C 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DB7E 010 B return ; Branch<br />
ROM:8F31DB7E<br />
ROM:8F31DB80 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB80<br />
ROM:8F31DB80 is_SEC_BS_DIS ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB80 010 MOVS R0, #4 ; jumptable 8F31DB18 case 110<br />
ROM:8F31DB82 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB82<br />
ROM:8F31DB86 010 ASRS R5, R0, #0xF ; Arithmetic Shift Right<br />
ROM:8F31DB88 010 B return ; Branch<br />
ROM:8F31DB88<br />
ROM:8F31DB8A ; ---------------------------------------------------------------------------<br />
ROM:8F31DB8A<br />
ROM:8F31DB8A is_SEC_ENG ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB8A 010 MOVS R0, #4 ; jumptable 8F31DB18 case 111<br />
ROM:8F31DB8C 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB8C<br />
ROM:8F31DB90 010 UBFX.W R5, R0, #0xD, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DB94 010 B return ; Branch<br />
ROM:8F31DB94<br />
ROM:8F31DB96 ; ---------------------------------------------------------------------------<br />
ROM:8F31DB96<br />
ROM:8F31DB96 is_SEC_PROD ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DB96 010 MOVS R0, #4 ; jumptable 8F31DB18 case 112<br />
ROM:8F31DB98 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DB98<br />
ROM:8F31DB9C 010 UBFX.W R5, R0, #0xE, #1 ; Unsigned Bit Field Extract<br />
ROM:8F31DBA0 010 B return ; Branch<br />
ROM:8F31DBA0<br />
ROM:8F31DBA2 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBA2<br />
ROM:8F31DBA2 is_SEC_CUST_CODE ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBA2 010 MOVS R0, #4 ; jumptable 8F31DB18 case 113<br />
ROM:8F31DBA4 010 BL efuse_read ; Branch with Link<br />
ROM:8F31DBA4<br />
ROM:8F31DBA8 010 UBFX.W R6, R0, #8, #5 ; Unsigned Bit Field Extract<br />
ROM:8F31DBAC 010 MOV R0, R6 ; count<br />
ROM:8F31DBAE 010 BL standard_efuse_count ; Branch with Link<br />
ROM:8F31DBAE<br />
ROM:8F31DBB2 010 MOV R5, R0 ; Rd = Op2<br />
ROM:8F31DBB4 010 B return ; Branch<br />
ROM:8F31DBB4<br />
ROM:8F31DBB6 ; ---------------------------------------------------------------------------<br />
ROM:8F31DBB6<br />
ROM:8F31DBB6 is_SEC_MODEL_ID ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBB6 010 LDR R0, =OMAP3430_MSV_ADRESS ; jumptable 8F31DB18 case 115<br />
ROM:8F31DBB8 010 LDR R0, [R0] ; Load from Memory<br />
ROM:8F31DBBA 010 UXTH R5, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DBBC 010 B return ; Branch<br />
ROM:8F31DBBC<br />
ROM:8F31DBBE ; ---------------------------------------------------------------------------<br />
ROM:8F31DBBE<br />
ROM:8F31DBBE return__ ; CODE XREF: moto_efuse_read:fuse_table�j<br />
ROM:8F31DBBE 010 NOP ; jumptable 8F31DB18 case 116<br />
ROM:8F31DBBE<br />
ROM:8F31DBC0<br />
ROM:8F31DBC0 return_ ; CODE XREF: moto_efuse_read+C�j<br />
ROM:8F31DBC0 ; moto_efuse_read:fuse_table�j<br />
ROM:8F31DBC0 010 NOP ; do nothing<br />
ROM:8F31DBC0<br />
ROM:8F31DBC2<br />
ROM:8F31DBC2 return ; CODE XREF: moto_efuse_read+32�j<br />
ROM:8F31DBC2 ; moto_efuse_read+44�j ...<br />
ROM:8F31DBC2 010 NOP ; No Operation<br />
ROM:8F31DBC4 010 MOV R0, R5 ; Rd = Op2<br />
ROM:8F31DBC6 010 POP {R4-R6,PC} ; Pop registers<br />
ROM:8F31DBC6<br />
ROM:8F31DBC6 ; End of function moto_efuse_read<br />
ROM:8F31DBC6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading word (from mbm)<br />
<syntaxhighlight lang="ida" line><br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; =============== S U B R O U T I N E =======================================<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C ; __int16 __fastcall fuse_read_word(int fuse_entry)<br />
ROM:8F31DA9C fuse_read_word ; CODE XREF: fuse_read+24�p<br />
ROM:8F31DA9C ; fuse_read+36�p ...<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C var_30 = -0x30<br />
ROM:8F31DA9C var_28 = -0x28<br />
ROM:8F31DA9C<br />
ROM:8F31DA9C 000 F0 B5 PUSH {R4-R7,LR} ; Push registers<br />
ROM:8F31DA9E 014 87 B0 SUB SP, SP, #0x1C ; Rd = Op1 - Op2<br />
ROM:8F31DAA0 030 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:8F31DAA2 030 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:8F31DAA4 030 4F F6 FF 77 MOVW R7, #0xFFFF ; Rd = Op2<br />
ROM:8F31DAA8 030 00 BF NOP ; No Operation<br />
ROM:8F31DAAA 030 04 E0 B loop_count ; Branch<br />
ROM:8F31DAAC ; ---------------------------------------------------------------------------<br />
ROM:8F31DAAC<br />
ROM:8F31DAAC loop_body ; CODE XREF: fuse_read_word+1C�j<br />
ROM:8F31DAAC 030 00 20 MOVS R0, #0 ; Rd = Op2<br />
ROM:8F31DAAE 030 02 A9 ADD R1, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAB0 030 41 F8 25 00 STR.W R0, [R1,R5,LSL#2] ; Store to Memory<br />
ROM:8F31DAB4 030 6D 1C ADDS R5, R5, #1 ; Rd = Op1 + Op2<br />
ROM:8F31DAB6<br />
ROM:8F31DAB6 loop_count ; CODE XREF: fuse_read_word+E�j<br />
ROM:8F31DAB6 030 04 2D CMP R5, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DAB8 030 F8 DD BLE loop_body ; Branch<br />
ROM:8F31DABA 030 00 BF NOP ; No Operation<br />
ROM:8F31DABC 030 04 2C CMP R4, #4 ; Set cond. codes on Op1 - Op2<br />
ROM:8F31DABE 030 08 D8 BHI is_higher ; Branch<br />
ROM:8F31DAC0 030 02 AB ADD R3, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAC2 030 00 93 STR R3, [SP,#0x30+var_30] ; Store to Memory<br />
ROM:8F31DAC4 030 01 23 MOVS R3, #1 ; Rd = Op2<br />
ROM:8F31DAC6 030 07 22 MOVS R2, #7 ; Rd = Op2<br />
ROM:8F31DAC8 030 00 21 MOVS R1, #0 ; SEC_ENTRY<br />
ROM:8F31DACA 030 36 20 MOVS R0, #0x36 ; param<br />
ROM:8F31DACC 030 04 F0 F2 FD BL security_handler ; API_HAL_MOT_EFUSE_READ<br />
ROM:8F31DAD0 030 06 46 MOV R6, R0 ; Rd = Op2<br />
ROM:8F31DAD2<br />
ROM:8F31DAD2 is_higher ; CODE XREF: fuse_read_word+22�j<br />
ROM:8F31DAD2 030 1E B9 CBNZ R6, return ; Compare and Branch on Non-Zero<br />
ROM:8F31DAD4 030 02 A8 ADD R0, SP, #0x30+var_28 ; Rd = Op1 + Op2<br />
ROM:8F31DAD6 030 50 F8 24 00 LDR.W R0, [R0,R4,LSL#2] ; Load from Memory<br />
ROM:8F31DADA 030 87 B2 UXTH R7, R0 ; Unsigned extend halfword to word<br />
ROM:8F31DADC<br />
ROM:8F31DADC return ; CODE XREF: fuse_read_word:is_higher�j<br />
ROM:8F31DADC 030 38 46 MOV R0, R7 ; Rd = Op2<br />
ROM:8F31DADE 030 07 B0 ADD SP, SP, #0x1C ; Rd = Op1 + Op2<br />
ROM:8F31DAE0 014 F0 BD POP {R4-R7,PC} ; Pop registers<br />
ROM:8F31DAE0 ; End of function fuse_read_word<br />
ROM:8F31DAE0<br />
ROM:8F31DAE0 ; ---------------------------------------------------------------------------<br />
ROM:8F31DAE2 00 20 DCW 0x2000<br />
ROM:8F31DAE4 70 47 DCW 0x4770<br />
ROM:8F31DAE6<br />
</syntaxhighlight><br />
<br />
'''Listing 2.''' Fuse reading BS_DIS (from mbmloader)<br />
<syntaxhighlight lang="ida" line><br />
ROM:870048BE<br />
ROM:870048BE ; =============== S U B R O U T I N E =======================================<br />
ROM:870048BE<br />
ROM:870048BE<br />
ROM:870048BE ; int __cdecl fuse_read_BS_DIS()<br />
ROM:870048BE fuse_read_BS_DIS ; CODE XREF: check_BS_DIS+4<br />
ROM:870048BE 000 10 B5 PUSH {R4,LR} ; Push registers<br />
ROM:870048C0 008 10 24 MOVS R4, #0x10 ; Rd = Op2<br />
ROM:870048C2 008 6E 20 MOVS R0, #SEC_BS_DIS ; fuse_entry_number<br />
ROM:870048C4 008 FF F7 09 FF BL fuse_read_byte ; Branch with Link<br />
ROM:870048C8 008 00 B9 CBNZ R0, return ; Compare and Branch on Non-Zero<br />
ROM:870048CA 008 00 24 MOVS R4, #0 ; Rd = Op2<br />
ROM:870048CC<br />
ROM:870048CC return ; CODE XREF: fuse_read_BS_DIS+A<br />
ROM:870048CC 008 20 46 MOV R0, R4 ; Rd = Op2<br />
ROM:870048CE 008 10 BD POP {R4,PC} ; Pop registers<br />
ROM:870048CE ; End of function fuse_read_BS_DIS<br />
ROM:870048CE<br />
ROM:870048D0<br />
ROM:870048D0 ; =============== S U B R O U T I N E =======================================<br />
ROM:870048D0<br />
ROM:870048D0<br />
ROM:870048D0 ; int __cdecl fuse_read_SECVER(int entry_number)<br />
ROM:870048D0 fuse_read_SECVER ; CODE XREF: check_secure_version+14<br />
ROM:870048D0 000 70 B5 PUSH {R4-R6,LR} ; Push registers<br />
ROM:870048D2 010 04 46 MOV R4, R0 ; Rd = Op2<br />
ROM:870048D4 010 00 25 MOVS R5, #0 ; Rd = Op2<br />
ROM:870048D6 010 20 46 MOV R0, R4 ; fuse_entry_number<br />
ROM:870048D8 010 FF F7 FF FE BL fuse_read_byte ; Branch with Link<br />
ROM:870048DC 010 05 46 MOV R5, R0 ; Rd = Op2<br />
ROM:870048DE 010 28 46 MOV R0, R5 ; Rd = Op2<br />
ROM:870048E0 010 70 BD POP {R4-R6,PC} ; Pop registers<br />
ROM:870048E0 ; End of function fuse_read_SECVER<br />
ROM:870048E0<br />
ROM:870048E2<br />
</syntaxhighlight><br />
<br />
[[Category:Security]]</div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T22:36:41Z
<p>Eiyee: defy sec.ko data</p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== FCC information ==<br />
FCC ID: IHDP56LC1<br />
<br />
FCC ID: IHDP56LC2<br />
<br />
FCC ID: IHDP56LC3<br />
<br />
FCC ID: IHDP56LC4 <br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
<br />
== CPU-ID/PKEY ==<br />
<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
== Socinfo ==<br />
<br />
cat /proc/socinfo<br />
<pre><br />
SoC : OMAP3630 ES1.1<br />
IDCODE : 1b89102f<br />
Pr. ID : 00000000 00000000 000004cc cafeb891<br />
Die ID : 06027009 0160757a ffd80000 366c0001<br />
</pre><br />
<br />
== Secure Services data ==<br />
<br />
dmesg output from driver sec.ko (http://dl.dropbox.com/u/31689596/sec.ko, drivers/misc/sec/ in kernel source). SRWV is the data returned by [[Secure Services]] call API_HAL_MOT_EFUSE_READ.<br />
<br />
<pre><br />
SecGetSWRV = 3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00<br />
SecGetModelId = 02 00 00 00<br />
SecGetProcID = 09 70 02 06 7a 75 60 01 00 00 d8 ff 01 00 6c 36<br />
SecProcessorType = 44<br />
</pre><br />
<br />
See [http://forum.xda-developers.com/showthread.php?p=21402316#post21402316 this thread] for more information.<br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts:<br />
<pre><br />
CPU0<br />
11: 1556066 INTC prcm<br />
12: 32697 INTC DMA<br />
21: 19225 INTC SGX ISR<br />
24: 0 INTC omap-iommu.0, Omap 3 Camera ISP<br />
25: 37531 INTC OMAP DSS<br />
26: 7 INTC DspBridge mailbox<br />
28: 0 INTC DspBridge iommu fault<br />
35: 18694 INTC sim<br />
37: 64884 INTC gp timer<br />
56: 27740 INTC i2c_omap<br />
57: 12138 INTC i2c_omap<br />
58: 396 INTC omap_hdq<br />
61: 33 INTC i2c_omap<br />
72: 294 INTC serial idle<br />
73: 0 INTC serial idle<br />
74: 0 INTC serial idle<br />
77: 11425 INTC ehci_hcd:usb1<br />
78: 291 INTC usbtll<br />
83: 2002 INTC mmc0<br />
86: 38332 INTC mmc1<br />
88: 0 INTC syspanic<br />
92: 23630 INTC musb_hdrc<br />
93: 23848 INTC musb_hdrc<br />
94: 2741 INTC TIWLAN_SDIO<br />
160: 4364 GPIO cpcap-irq<br />
170: 0 GPIO bu52014hfv<br />
176: 330 GPIO isl29030_als_ir<br />
182: 34 GPIO kxtf9_irq<br />
197: 1 GPIO gpio_kp<br />
199: 0 GPIO gpio_kp<br />
225: 13305 GPIO tiwlan0<br />
252: 0 GPIO lm3530_led<br />
259: 1180 GPIO qtouch_ts_int<br />
271: 0 GPIO bu52014hfv<br />
301: 0 GPIO Remote Wakeup<br />
323: 0 GPIO mmc0<br />
337: 0 GPIO gpio_keys<br />
Err: 0<br />
</pre><br />
<br />
== Iomem ==<br />
<br />
cat /proc/iomem<br />
<pre><br />
48060000-4806003f : i2c_omap.3<br />
48060000-4806003f : i2c_omap<br />
48062000-48062fff : ehci-omap.0<br />
48064000-480643ff : ehci-omap.0<br />
48064800-48064bff : ehci-omap.0<br />
4806a000-4806a3ff : omap-uart.1<br />
4806a000-4806a3ff : omap-uart<br />
4806c000-4806c3ff : omap-uart.2<br />
4806c000-4806c3ff : omap-uart<br />
48070000-4807003f : i2c_omap.1<br />
48070000-4807003f : i2c_omap<br />
48072000-4807203f : i2c_omap.2<br />
48072000-4807203f : i2c_omap<br />
48098000-480980ff : omap2_mcspi.1<br />
48098000-480980ff : omap2_mcspi.1<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809c000-4809c1ff : mmci-omap-hs.0<br />
4809c000-4809c1ff : mmci-omap-hs<br />
480ab000-480acfff : musb_hdrc<br />
480ad000-480ad1ff : TIWLAN_SDIO.2<br />
480b2000-480b201c : omap_hdq.0<br />
480b4000-480b41ff : mmci-omap-hs.1<br />
480b4000-480b41ff : mmci-omap-hs<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480bc000-480bc06f : omap3isp<br />
480bc000-480bc06f : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd800-480bd96f : omap3isp<br />
480bd800-480bd96f : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
48314000-4831404f : omap_wdt<br />
48314000-4831404f : omap_wdt<br />
49020000-490203ff : omap-uart.3<br />
49020000-490203ff : omap-uart<br />
70000000-70ffffff : vrfb<br />
71000000-71ffffff : vrfb<br />
72000000-72ffffff : vrfb<br />
73000000-73ffffff : vrfb<br />
74000000-74ffffff : vrfb<br />
75000000-75ffffff : vrfb<br />
76000000-76ffffff : vrfb<br />
77000000-77ffffff : vrfb<br />
78000000-78ffffff : vrfb<br />
79000000-79ffffff : vrfb<br />
7a000000-7affffff : vrfb<br />
7b000000-7bffffff : vrfb<br />
7c000000-7cffffff : vrfb<br />
7d000000-7dffffff : vrfb<br />
7e000000-7effffff : vrfb<br />
7f000000-7fffffff : vrfb<br />
80c00000-9fdfffff : System RAM<br />
80c35000-81152fff : Kernel text<br />
8117a000-813d5b0f : Kernel data<br />
8e000000-8e01ffff : ram_console.0<br />
e0000000-e0ffffff : vrfb<br />
e1000000-e1ffffff : vrfb<br />
e2000000-e2ffffff : vrfb<br />
e3000000-e3ffffff : vrfb<br />
e4000000-e4ffffff : vrfb<br />
e5000000-e5ffffff : vrfb<br />
e6000000-e6ffffff : vrfb<br />
e7000000-e7ffffff : vrfb<br />
</pre><br />
<br />
[[Category:Phones]]</div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T22:05:47Z
<p>Eiyee: defy socinfo</p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== FCC information ==<br />
FCC ID: IHDP56LC1<br />
<br />
FCC ID: IHDP56LC2<br />
<br />
FCC ID: IHDP56LC3<br />
<br />
FCC ID: IHDP56LC4 <br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
== CPU-ID/PKEY ==<br />
<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
== Socinfo ==<br />
<br />
cat /proc/socinfo<br />
<pre><br />
SoC : OMAP3630 ES1.1<br />
IDCODE : 1b89102f<br />
Pr. ID : 00000000 00000000 000004cc cafeb891<br />
Die ID : 06027009 0160757a ffd80000 366c0001<br />
</pre><br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts:<br />
<pre><br />
CPU0<br />
11: 1556066 INTC prcm<br />
12: 32697 INTC DMA<br />
21: 19225 INTC SGX ISR<br />
24: 0 INTC omap-iommu.0, Omap 3 Camera ISP<br />
25: 37531 INTC OMAP DSS<br />
26: 7 INTC DspBridge mailbox<br />
28: 0 INTC DspBridge iommu fault<br />
35: 18694 INTC sim<br />
37: 64884 INTC gp timer<br />
56: 27740 INTC i2c_omap<br />
57: 12138 INTC i2c_omap<br />
58: 396 INTC omap_hdq<br />
61: 33 INTC i2c_omap<br />
72: 294 INTC serial idle<br />
73: 0 INTC serial idle<br />
74: 0 INTC serial idle<br />
77: 11425 INTC ehci_hcd:usb1<br />
78: 291 INTC usbtll<br />
83: 2002 INTC mmc0<br />
86: 38332 INTC mmc1<br />
88: 0 INTC syspanic<br />
92: 23630 INTC musb_hdrc<br />
93: 23848 INTC musb_hdrc<br />
94: 2741 INTC TIWLAN_SDIO<br />
160: 4364 GPIO cpcap-irq<br />
170: 0 GPIO bu52014hfv<br />
176: 330 GPIO isl29030_als_ir<br />
182: 34 GPIO kxtf9_irq<br />
197: 1 GPIO gpio_kp<br />
199: 0 GPIO gpio_kp<br />
225: 13305 GPIO tiwlan0<br />
252: 0 GPIO lm3530_led<br />
259: 1180 GPIO qtouch_ts_int<br />
271: 0 GPIO bu52014hfv<br />
301: 0 GPIO Remote Wakeup<br />
323: 0 GPIO mmc0<br />
337: 0 GPIO gpio_keys<br />
Err: 0<br />
</pre><br />
<br />
== Iomem ==<br />
<br />
cat /proc/iomem<br />
<pre><br />
48060000-4806003f : i2c_omap.3<br />
48060000-4806003f : i2c_omap<br />
48062000-48062fff : ehci-omap.0<br />
48064000-480643ff : ehci-omap.0<br />
48064800-48064bff : ehci-omap.0<br />
4806a000-4806a3ff : omap-uart.1<br />
4806a000-4806a3ff : omap-uart<br />
4806c000-4806c3ff : omap-uart.2<br />
4806c000-4806c3ff : omap-uart<br />
48070000-4807003f : i2c_omap.1<br />
48070000-4807003f : i2c_omap<br />
48072000-4807203f : i2c_omap.2<br />
48072000-4807203f : i2c_omap<br />
48098000-480980ff : omap2_mcspi.1<br />
48098000-480980ff : omap2_mcspi.1<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809c000-4809c1ff : mmci-omap-hs.0<br />
4809c000-4809c1ff : mmci-omap-hs<br />
480ab000-480acfff : musb_hdrc<br />
480ad000-480ad1ff : TIWLAN_SDIO.2<br />
480b2000-480b201c : omap_hdq.0<br />
480b4000-480b41ff : mmci-omap-hs.1<br />
480b4000-480b41ff : mmci-omap-hs<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480bc000-480bc06f : omap3isp<br />
480bc000-480bc06f : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd800-480bd96f : omap3isp<br />
480bd800-480bd96f : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
48314000-4831404f : omap_wdt<br />
48314000-4831404f : omap_wdt<br />
49020000-490203ff : omap-uart.3<br />
49020000-490203ff : omap-uart<br />
70000000-70ffffff : vrfb<br />
71000000-71ffffff : vrfb<br />
72000000-72ffffff : vrfb<br />
73000000-73ffffff : vrfb<br />
74000000-74ffffff : vrfb<br />
75000000-75ffffff : vrfb<br />
76000000-76ffffff : vrfb<br />
77000000-77ffffff : vrfb<br />
78000000-78ffffff : vrfb<br />
79000000-79ffffff : vrfb<br />
7a000000-7affffff : vrfb<br />
7b000000-7bffffff : vrfb<br />
7c000000-7cffffff : vrfb<br />
7d000000-7dffffff : vrfb<br />
7e000000-7effffff : vrfb<br />
7f000000-7fffffff : vrfb<br />
80c00000-9fdfffff : System RAM<br />
80c35000-81152fff : Kernel text<br />
8117a000-813d5b0f : Kernel data<br />
8e000000-8e01ffff : ram_console.0<br />
e0000000-e0ffffff : vrfb<br />
e1000000-e1ffffff : vrfb<br />
e2000000-e2ffffff : vrfb<br />
e3000000-e3ffffff : vrfb<br />
e4000000-e4ffffff : vrfb<br />
e5000000-e5ffffff : vrfb<br />
e6000000-e6ffffff : vrfb<br />
e7000000-e7ffffff : vrfb<br />
</pre><br />
<br />
[[Category:Phones]]</div>
Eiyee
http://droid-developers.org/wiki/Main_Page
Main Page
2012-02-23T21:32:23Z
<p>Eiyee: add defy link</p>
<hr />
<div>__NOTOC__<br />
<br />
==== About this site ====<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals.<br />
These phones are:<br />
<br />
<br />
# '''Motorola Milestone''' (our primary target)<br />
# Motorola Milestone 2<br />
# Motorola Droid<br />
# Motorola Droid X<br />
# Motorola Droid 2<br />
# Motorola MOTOROI/Milestone XT720<br />
# Motorola Sholes Tablet XT701<br />
# Motorola Titanium XT800<br />
# Motorola Ruth (ME511) aka. Flipout<br />
# Motorola Charm (MB502)<br />
# Motorola DEXT (MB200) aka. Cliq<br />
# Motorola Defy (MB525)<br />
# Motorola Defy+ (MB526)<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:community.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://www.damogran.de/milestone-modding/ <span title="Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.">IRC log #1</span>] | [http://bacon.ojnk.org/milestone-modding.log <span title="Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.">IRC log #2</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #3</span>] | [http://mmlogs.doshaska.net/ <span title="Backup log. Started 23.09.2011.">IRC log #5</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/ Our projects on Bitbucket]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:hardware.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about devices internals - PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Milestone 2 | Milestone 2]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] | [[Motorola Charm | Charm]] | [[Motorola Atrix | Atrix]] | [[Motorola DEXT | DEXT]] | [[Motorola Defy | Defy]]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[CyanogenMod]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small><br />
|}<br />
<br />
|}<br />
<br />
==== Information for volunteers ====<br />
<br />
If you are a developer and have some code-project for the Droid family of smartphones(e.g. Milestone) - enjoy us on [http://gitorious.org/+droid-developers Gitorious]<br />
<br />
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].<br />
<br />
If you're technical type - see our [[roadmap|Roadmap]] and progress in our [[projects|Projects]].<br />
<br />
See the [[content|content index here]].<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research how-to unlock boot process for the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[modes|recovery image]] hasn't yet been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] due to our current impossibility of controlling [[Booting chain|the boot process]]. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. It seems the bootloader (mbm in particular (neither lbl nor mbmloader access the CDT). See [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here].) uses the [[CDT|cdt partition table]] to check if the recovery has been signed correctly. If not, the recovery won't start at all and the [[modes|bootloader mode]] shows instead of it.<br />
<br />
* '''[[2ndboot]]'''<br />
* '''[[Vulnerability hunting]]'''<br />
* '''[[Bruteforce]]'''<br />
* '''[[open_recovery | Open Recovery]]'''<br />
* '''[[2ndinit]]'''<br />
<br />
|}<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:baseband.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our researches of Baseband and RF part of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
We have running RTXC OS on [[Wrigley 3G]] modem, which consist from ARM core and [[TMS320C55x+]] DSP core<br />
Our main problem, that Motorola using non-standard RIL, which partially implemented on AP side.<br />
Also, our second problem, that [[TMS320C55x+]] is closed platform, and no datasheets for it available.<br />
It very different from original [[TMS320C55x]] architecture and have other opcodes.<br />
We only have '''asm55p''' utility from TI, which can produce binary from TMS320 assembler.<br />
So, it is very important task - make full reverse of it. [[File:asm55p.idb.bz2]] [[File:dis55.idb.bz2]] [[File:dis55.c.gz]]<br />
<br />
* '''[[Baseband Processor Boot ROM]]'''<br />
* '''[[BP firmware]]'''<br />
* '''[[Texas Instruments Wrigley 3G]]'''<br />
* '''[[GSM/CDMA-chain]]'''<br />
<br />
|}<br />
<br />
|<br />
|}<br />
<br />
== '''[[2ndboot]]''' ==<br />
<br />
This attack right now is by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack here]].<br />
<br />
== '''[[Vulnerability hunting]]''' ==<br />
<br />
As far as we know now this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker([mbm]) has written a [http://pastebin.ca/raw/1833228|user mode memory dumper] and dumped Droid public ROM. As we found - all roms for omap3430 are identical. Same situation for the omap3630. See here: [[Booting chain|Boot chain]]<br />
<br />
== '''[[Bruteforce]]''' ==<br />
<br />
This is distributed computation of the 1024 bit RSA secret key, which can be used for signing our bootloaders and kernel images. <br />
<br />
== '''[[open_recovery | Open Recovery]]''' ==<br />
<br />
Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.<br />
<br />
== '''[[2ndinit]]''' ==<br />
<br />
This thing basically inject code to /init to "restart itself" allowing you to use custom init binary and init.rc scripts without side effects.</div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T21:30:43Z
<p>Eiyee: defy fcc ids</p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== FCC information ==<br />
FCC ID: IHDP56LC1<br />
<br />
FCC ID: IHDP56LC2<br />
<br />
FCC ID: IHDP56LC3<br />
<br />
FCC ID: IHDP56LC4 <br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
== CPU ==<br />
<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
[[Category:Phones]]<br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts:<br />
<pre><br />
CPU0<br />
11: 1556066 INTC prcm<br />
12: 32697 INTC DMA<br />
21: 19225 INTC SGX ISR<br />
24: 0 INTC omap-iommu.0, Omap 3 Camera ISP<br />
25: 37531 INTC OMAP DSS<br />
26: 7 INTC DspBridge mailbox<br />
28: 0 INTC DspBridge iommu fault<br />
35: 18694 INTC sim<br />
37: 64884 INTC gp timer<br />
56: 27740 INTC i2c_omap<br />
57: 12138 INTC i2c_omap<br />
58: 396 INTC omap_hdq<br />
61: 33 INTC i2c_omap<br />
72: 294 INTC serial idle<br />
73: 0 INTC serial idle<br />
74: 0 INTC serial idle<br />
77: 11425 INTC ehci_hcd:usb1<br />
78: 291 INTC usbtll<br />
83: 2002 INTC mmc0<br />
86: 38332 INTC mmc1<br />
88: 0 INTC syspanic<br />
92: 23630 INTC musb_hdrc<br />
93: 23848 INTC musb_hdrc<br />
94: 2741 INTC TIWLAN_SDIO<br />
160: 4364 GPIO cpcap-irq<br />
170: 0 GPIO bu52014hfv<br />
176: 330 GPIO isl29030_als_ir<br />
182: 34 GPIO kxtf9_irq<br />
197: 1 GPIO gpio_kp<br />
199: 0 GPIO gpio_kp<br />
225: 13305 GPIO tiwlan0<br />
252: 0 GPIO lm3530_led<br />
259: 1180 GPIO qtouch_ts_int<br />
271: 0 GPIO bu52014hfv<br />
301: 0 GPIO Remote Wakeup<br />
323: 0 GPIO mmc0<br />
337: 0 GPIO gpio_keys<br />
Err: 0<br />
</pre><br />
<br />
== Iomem ==<br />
<br />
cat /proc/iomem<br />
<pre><br />
48060000-4806003f : i2c_omap.3<br />
48060000-4806003f : i2c_omap<br />
48062000-48062fff : ehci-omap.0<br />
48064000-480643ff : ehci-omap.0<br />
48064800-48064bff : ehci-omap.0<br />
4806a000-4806a3ff : omap-uart.1<br />
4806a000-4806a3ff : omap-uart<br />
4806c000-4806c3ff : omap-uart.2<br />
4806c000-4806c3ff : omap-uart<br />
48070000-4807003f : i2c_omap.1<br />
48070000-4807003f : i2c_omap<br />
48072000-4807203f : i2c_omap.2<br />
48072000-4807203f : i2c_omap<br />
48098000-480980ff : omap2_mcspi.1<br />
48098000-480980ff : omap2_mcspi.1<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809c000-4809c1ff : mmci-omap-hs.0<br />
4809c000-4809c1ff : mmci-omap-hs<br />
480ab000-480acfff : musb_hdrc<br />
480ad000-480ad1ff : TIWLAN_SDIO.2<br />
480b2000-480b201c : omap_hdq.0<br />
480b4000-480b41ff : mmci-omap-hs.1<br />
480b4000-480b41ff : mmci-omap-hs<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480bc000-480bc06f : omap3isp<br />
480bc000-480bc06f : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd800-480bd96f : omap3isp<br />
480bd800-480bd96f : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
48314000-4831404f : omap_wdt<br />
48314000-4831404f : omap_wdt<br />
49020000-490203ff : omap-uart.3<br />
49020000-490203ff : omap-uart<br />
70000000-70ffffff : vrfb<br />
71000000-71ffffff : vrfb<br />
72000000-72ffffff : vrfb<br />
73000000-73ffffff : vrfb<br />
74000000-74ffffff : vrfb<br />
75000000-75ffffff : vrfb<br />
76000000-76ffffff : vrfb<br />
77000000-77ffffff : vrfb<br />
78000000-78ffffff : vrfb<br />
79000000-79ffffff : vrfb<br />
7a000000-7affffff : vrfb<br />
7b000000-7bffffff : vrfb<br />
7c000000-7cffffff : vrfb<br />
7d000000-7dffffff : vrfb<br />
7e000000-7effffff : vrfb<br />
7f000000-7fffffff : vrfb<br />
80c00000-9fdfffff : System RAM<br />
80c35000-81152fff : Kernel text<br />
8117a000-813d5b0f : Kernel data<br />
8e000000-8e01ffff : ram_console.0<br />
e0000000-e0ffffff : vrfb<br />
e1000000-e1ffffff : vrfb<br />
e2000000-e2ffffff : vrfb<br />
e3000000-e3ffffff : vrfb<br />
e4000000-e4ffffff : vrfb<br />
e5000000-e5ffffff : vrfb<br />
e6000000-e6ffffff : vrfb<br />
e7000000-e7ffffff : vrfb<br />
</pre></div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T21:20:26Z
<p>Eiyee: defy iomem</p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
== CPU ==<br />
<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
[[Category:Phones]]<br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts:<br />
<pre><br />
CPU0<br />
11: 1556066 INTC prcm<br />
12: 32697 INTC DMA<br />
21: 19225 INTC SGX ISR<br />
24: 0 INTC omap-iommu.0, Omap 3 Camera ISP<br />
25: 37531 INTC OMAP DSS<br />
26: 7 INTC DspBridge mailbox<br />
28: 0 INTC DspBridge iommu fault<br />
35: 18694 INTC sim<br />
37: 64884 INTC gp timer<br />
56: 27740 INTC i2c_omap<br />
57: 12138 INTC i2c_omap<br />
58: 396 INTC omap_hdq<br />
61: 33 INTC i2c_omap<br />
72: 294 INTC serial idle<br />
73: 0 INTC serial idle<br />
74: 0 INTC serial idle<br />
77: 11425 INTC ehci_hcd:usb1<br />
78: 291 INTC usbtll<br />
83: 2002 INTC mmc0<br />
86: 38332 INTC mmc1<br />
88: 0 INTC syspanic<br />
92: 23630 INTC musb_hdrc<br />
93: 23848 INTC musb_hdrc<br />
94: 2741 INTC TIWLAN_SDIO<br />
160: 4364 GPIO cpcap-irq<br />
170: 0 GPIO bu52014hfv<br />
176: 330 GPIO isl29030_als_ir<br />
182: 34 GPIO kxtf9_irq<br />
197: 1 GPIO gpio_kp<br />
199: 0 GPIO gpio_kp<br />
225: 13305 GPIO tiwlan0<br />
252: 0 GPIO lm3530_led<br />
259: 1180 GPIO qtouch_ts_int<br />
271: 0 GPIO bu52014hfv<br />
301: 0 GPIO Remote Wakeup<br />
323: 0 GPIO mmc0<br />
337: 0 GPIO gpio_keys<br />
Err: 0<br />
</pre><br />
<br />
== Iomem ==<br />
<br />
cat /proc/iomem<br />
<pre><br />
48060000-4806003f : i2c_omap.3<br />
48060000-4806003f : i2c_omap<br />
48062000-48062fff : ehci-omap.0<br />
48064000-480643ff : ehci-omap.0<br />
48064800-48064bff : ehci-omap.0<br />
4806a000-4806a3ff : omap-uart.1<br />
4806a000-4806a3ff : omap-uart<br />
4806c000-4806c3ff : omap-uart.2<br />
4806c000-4806c3ff : omap-uart<br />
48070000-4807003f : i2c_omap.1<br />
48070000-4807003f : i2c_omap<br />
48072000-4807203f : i2c_omap.2<br />
48072000-4807203f : i2c_omap<br />
48098000-480980ff : omap2_mcspi.1<br />
48098000-480980ff : omap2_mcspi.1<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809a000-4809a0ff : omap2_mcspi.2<br />
4809c000-4809c1ff : mmci-omap-hs.0<br />
4809c000-4809c1ff : mmci-omap-hs<br />
480ab000-480acfff : musb_hdrc<br />
480ad000-480ad1ff : TIWLAN_SDIO.2<br />
480b2000-480b201c : omap_hdq.0<br />
480b4000-480b41ff : mmci-omap-hs.1<br />
480b4000-480b41ff : mmci-omap-hs<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480b8000-480b80ff : omap2_mcspi.3<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480ba000-480ba0ff : omap2_mcspi.4<br />
480bc000-480bc06f : omap3isp<br />
480bc000-480bc06f : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc100-480bc177 : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc400-480bc5ef : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bc600-480bc6a7 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bca00-480bca47 : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bcc00-480bcc5f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bce00-480bce9f : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd000-480bd0ab : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd200-480bd2fb : omap3isp<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd400-480bd4ff : omap-iommu.0<br />
480bd800-480bd96f : omap3isp<br />
480bd800-480bd96f : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
480bd970-480bd977 : omap3isp<br />
48314000-4831404f : omap_wdt<br />
48314000-4831404f : omap_wdt<br />
49020000-490203ff : omap-uart.3<br />
49020000-490203ff : omap-uart<br />
70000000-70ffffff : vrfb<br />
71000000-71ffffff : vrfb<br />
72000000-72ffffff : vrfb<br />
73000000-73ffffff : vrfb<br />
74000000-74ffffff : vrfb<br />
75000000-75ffffff : vrfb<br />
76000000-76ffffff : vrfb<br />
77000000-77ffffff : vrfb<br />
78000000-78ffffff : vrfb<br />
79000000-79ffffff : vrfb<br />
7a000000-7affffff : vrfb<br />
7b000000-7bffffff : vrfb<br />
7c000000-7cffffff : vrfb<br />
7d000000-7dffffff : vrfb<br />
7e000000-7effffff : vrfb<br />
7f000000-7fffffff : vrfb<br />
80c00000-9fdfffff : System RAM<br />
80c35000-81152fff : Kernel text<br />
8117a000-813d5b0f : Kernel data<br />
8e000000-8e01ffff : ram_console.0<br />
e0000000-e0ffffff : vrfb<br />
e1000000-e1ffffff : vrfb<br />
e2000000-e2ffffff : vrfb<br />
e3000000-e3ffffff : vrfb<br />
e4000000-e4ffffff : vrfb<br />
e5000000-e5ffffff : vrfb<br />
e6000000-e6ffffff : vrfb<br />
e7000000-e7ffffff : vrfb<br />
</pre></div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T21:19:12Z
<p>Eiyee: defy interrupts</p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
== CPU ==<br />
<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
[[Category:Phones]]<br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts:<br />
<pre><br />
CPU0<br />
11: 1556066 INTC prcm<br />
12: 32697 INTC DMA<br />
21: 19225 INTC SGX ISR<br />
24: 0 INTC omap-iommu.0, Omap 3 Camera ISP<br />
25: 37531 INTC OMAP DSS<br />
26: 7 INTC DspBridge mailbox<br />
28: 0 INTC DspBridge iommu fault<br />
35: 18694 INTC sim<br />
37: 64884 INTC gp timer<br />
56: 27740 INTC i2c_omap<br />
57: 12138 INTC i2c_omap<br />
58: 396 INTC omap_hdq<br />
61: 33 INTC i2c_omap<br />
72: 294 INTC serial idle<br />
73: 0 INTC serial idle<br />
74: 0 INTC serial idle<br />
77: 11425 INTC ehci_hcd:usb1<br />
78: 291 INTC usbtll<br />
83: 2002 INTC mmc0<br />
86: 38332 INTC mmc1<br />
88: 0 INTC syspanic<br />
92: 23630 INTC musb_hdrc<br />
93: 23848 INTC musb_hdrc<br />
94: 2741 INTC TIWLAN_SDIO<br />
160: 4364 GPIO cpcap-irq<br />
170: 0 GPIO bu52014hfv<br />
176: 330 GPIO isl29030_als_ir<br />
182: 34 GPIO kxtf9_irq<br />
197: 1 GPIO gpio_kp<br />
199: 0 GPIO gpio_kp<br />
225: 13305 GPIO tiwlan0<br />
252: 0 GPIO lm3530_led<br />
259: 1180 GPIO qtouch_ts_int<br />
271: 0 GPIO bu52014hfv<br />
301: 0 GPIO Remote Wakeup<br />
323: 0 GPIO mmc0<br />
337: 0 GPIO gpio_keys<br />
Err: 0<br />
</pre></div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T21:16:52Z
<p>Eiyee: more defy info</p>
<hr />
<div>The Motorola Defy (MB525) and Defy+ (MB526) have the same parts except for the battery.<br />
<br />
== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
== CPU ==<br />
<pre><br />
omapinfo v.1.0.0<br />
STATE : 205 <br />
PKEY0 : c57aa19e <br />
PKEY1 : 31fe2d32 <br />
PKEY2 : 2e48bc96 <br />
PKEY3 : 15fcea7b <br />
PKEY4 : 876578f3 <br />
CPU-ID: 1b89102f <br />
</pre><br />
<br />
[[Category:Phones]]</div>
Eiyee
http://droid-developers.org/wiki/Motorola_Defy
Motorola Defy
2012-02-23T21:11:25Z
<p>Eiyee: basic defy info</p>
<hr />
<div>== Parts list ==<br />
<br />
From (http://http://forum.xda-developers.com/showthread.php?t=1461090), thanks to sam_24.<br />
<br />
* Ti omap3630-variant 0x36300800 ARMv7 Processor rev 2 (v7l)<br />
* PowerVR SGX 530 OpenGL<br />
<br />
=== Memory ===<br />
* SEM02G 1.82 GiB mmc1:0001 (iNAND e.MMC)<br />
* Micro SD slot mmc0:1234 , SDHC compatible<br />
<br />
=== Interfaces ===<br />
* TPS65950 power-management, audio coder/decoder, USB (OTG) high-speed transceiver,USB charger,LED drivers, ADC + RTC<br />
* LM3554 1.2A Dual LED Drivers and I2C-Compatible Interface<br />
<br />
=== Sensors ===<br />
* Bayer modul. ("red") MT9P012 - 5Mp, 1/3.2-inch Micron CMOS Image Sensor<br />
* Bayer modul. ("green") = ?<br />
* SOC modul ("green") OV5642 - cmos Image sensor<br />
<br />
* KXTF9 - Tri-axis Digital Accelerometer<br />
* AKM8973 - 3-axis electronic compass<br />
* LIS331DLH - digital motion sensor<br />
<br />
[[Category:Phones]]</div>
Eiyee
http://droid-developers.org/wiki/Main_Page
Main Page
2012-02-23T20:58:22Z
<p>Eiyee: add defy/defy+ models, similar to milestone2</p>
<hr />
<div>__NOTOC__<br />
<br />
==== About this site ====<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals.<br />
These phones are:<br />
<br />
<br />
# '''Motorola Milestone''' (our primary target)<br />
# Motorola Milestone 2<br />
# Motorola Droid<br />
# Motorola Droid X<br />
# Motorola Droid 2<br />
# Motorola MOTOROI/Milestone XT720<br />
# Motorola Sholes Tablet XT701<br />
# Motorola Titanium XT800<br />
# Motorola Ruth (ME511) aka. Flipout<br />
# Motorola Charm (MB502)<br />
# Motorola DEXT (MB200) aka. Cliq<br />
# Motorola Defy (MB525)<br />
# Motorola Defy+ (MB526)<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:community.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://www.damogran.de/milestone-modding/ <span title="Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.">IRC log #1</span>] | [http://bacon.ojnk.org/milestone-modding.log <span title="Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.">IRC log #2</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #3</span>] | [http://mmlogs.doshaska.net/ <span title="Backup log. Started 23.09.2011.">IRC log #5</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/ Our projects on Bitbucket]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:hardware.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about devices internals - PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Milestone 2 | Milestone 2]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] | [[Motorola Charm | Charm]] | [[Motorola Atrix | Atrix]] | [[Motorola DEXT | DEXT]]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[CyanogenMod]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small><br />
|}<br />
<br />
|}<br />
<br />
==== Information for volunteers ====<br />
<br />
If you are a developer and have some code-project for the Droid family of smartphones(e.g. Milestone) - enjoy us on [http://gitorious.org/+droid-developers Gitorious]<br />
<br />
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].<br />
<br />
If you're technical type - see our [[roadmap|Roadmap]] and progress in our [[projects|Projects]].<br />
<br />
See the [[content|content index here]].<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research how-to unlock boot process for the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[modes|recovery image]] hasn't yet been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] due to our current impossibility of controlling [[Booting chain|the boot process]]. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. It seems the bootloader (mbm in particular (neither lbl nor mbmloader access the CDT). See [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here].) uses the [[CDT|cdt partition table]] to check if the recovery has been signed correctly. If not, the recovery won't start at all and the [[modes|bootloader mode]] shows instead of it.<br />
<br />
* '''[[2ndboot]]'''<br />
* '''[[Vulnerability hunting]]'''<br />
* '''[[Bruteforce]]'''<br />
* '''[[open_recovery | Open Recovery]]'''<br />
* '''[[2ndinit]]'''<br />
<br />
|}<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:baseband.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our researches of Baseband and RF part of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
We have running RTXC OS on [[Wrigley 3G]] modem, which consist from ARM core and [[TMS320C55x+]] DSP core<br />
Our main problem, that Motorola using non-standard RIL, which partially implemented on AP side.<br />
Also, our second problem, that [[TMS320C55x+]] is closed platform, and no datasheets for it available.<br />
It very different from original [[TMS320C55x]] architecture and have other opcodes.<br />
We only have '''asm55p''' utility from TI, which can produce binary from TMS320 assembler.<br />
So, it is very important task - make full reverse of it. [[File:asm55p.idb.bz2]] [[File:dis55.idb.bz2]] [[File:dis55.c.gz]]<br />
<br />
* '''[[Baseband Processor Boot ROM]]'''<br />
* '''[[BP firmware]]'''<br />
* '''[[Texas Instruments Wrigley 3G]]'''<br />
* '''[[GSM/CDMA-chain]]'''<br />
<br />
|}<br />
<br />
|<br />
|}<br />
<br />
== '''[[2ndboot]]''' ==<br />
<br />
This attack right now is by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack here]].<br />
<br />
== '''[[Vulnerability hunting]]''' ==<br />
<br />
As far as we know now this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker([mbm]) has written a [http://pastebin.ca/raw/1833228|user mode memory dumper] and dumped Droid public ROM. As we found - all roms for omap3430 are identical. Same situation for the omap3630. See here: [[Booting chain|Boot chain]]<br />
<br />
== '''[[Bruteforce]]''' ==<br />
<br />
This is distributed computation of the 1024 bit RSA secret key, which can be used for signing our bootloaders and kernel images. <br />
<br />
== '''[[open_recovery | Open Recovery]]''' ==<br />
<br />
Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.<br />
<br />
== '''[[2ndinit]]''' ==<br />
<br />
This thing basically inject code to /init to "restart itself" allowing you to use custom init binary and init.rc scripts without side effects.</div>
Eiyee
http://droid-developers.org/wiki/Mbm
Mbm
2012-02-23T18:24:43Z
<p>Eiyee: mbm usb command syntax</p>
<hr />
<div>mbm (also known as RAMLD or ramloader).<br />
= Versions of mbm =<br />
<br />
== Milestone (A853) ==<br />
<br />
* 90.72 - [[File:mbm-90.72.raw.gz]]<br />
* 90.73 - phones from LA (Latin America) and DACH (Germany, Austria, Switzerland) [[File:mbm-90.73.raw.gz]]<br />
* 90.74 - Canadian Phones [[File:mbm-90.74.raw.gz]]<br />
* 90.76 - unknown<br />
* 90.78 - newly released phones [[File:mbm-90.78.raw.gz]]<br />
* 90.80 - developer phones [[File:mbm-90.80.raw.gz]]<br />
<br />
== Milestone XT701 ==<br />
== Milestone XT720 ==<br />
<br />
* 80.89 - current phones [[File:mbm-80.89.tar.gz]]<br />
<br />
== Droid ==<br />
== Droid X ==<br />
<br />
* 26.01 - [http://and-developers.com/sbf#droid_x_mb810 SBF download]<br />
* 27.01 - Preinstalled on the phons [http://and-developers.com/sbf#droid_x_mb810 SBF download]<br />
<br />
== Droid 2 ==<br />
<br />
= Booting errors =<br />
<br />
{|<br />
! Error code<br />
! What does this error mean<br />
|-<br />
| E000<br />
| wrong security type<br />
|-<br />
| B655 EDDC EB<br />
| security version error<br />
|-<br />
| DBE7 11E1 83<br />
| ramloader: wrong address<br />
|-<br />
| D000<br />
| ramloader: security checking error<br />
|-<br />
| FEBE<br />
| ramloader: integrity checking error<br />
|-<br />
| CAA5 6CCF<br />
| error: none pds pages<br />
|-<br />
| C0FF CABE E1<br />
| ramloader: loading error<br />
|-<br />
| C0FF 1CCC E1<br />
|<br />
|-<br />
| C0FF 1CCC 8B<br />
| error: wrong jump address (null)<br />
|-<br />
| DAA5 19ED 83<br />
| error: wrong jump address<br />
|-<br />
| C0FF CABE 8B<br />
| error: wrong jump address<br />
|-<br />
| CAA5 6CCF<br />
|<br />
|-<br />
| 1337 AB6B 83<br />
|<br />
|-<br />
| 1337 510B 83<br />
| invalid address<br />
|- <br />
| C0FF BBD6<br />
|<br />
|-<br />
| C0FF 32DF D5<br />
|<br />
|-<br />
| C0FF CABE D5<br />
|<br />
|-<br />
| C0FF A430 83<br />
|<br />
|-<br />
| C0FF 11E1 83<br />
|<br />
|-<br />
| 1337 11E1 83<br />
|<br />
|-<br />
| DEA1<br />
|<br />
|-<br />
| DEA1 8D<br />
| security checking error<br />
|-<br />
| C089<br />
| security checking error<br />
|-<br />
| C0FF CABE<br />
| error when executing BIN command<br />
|-<br />
| DAA5 1D23 83<br />
| wrong ramloader<br />
|-<br />
| C0FF 200B<br />
| usb error<br />
|-<br />
| C0FF 2190<br />
| usb error<br />
|-<br />
| C0FF 1AB4<br />
| usb error<br />
|-<br />
| C0FF 1FFF<br />
| usb error<br />
|-<br />
| C0FF 101F<br />
| usb error<br />
|-<br />
| C0FF 21FF<br />
| usb error<br />
|-<br />
| C0FF 3001<br />
| usb error<br />
|-<br />
| B655 XXXX<br />
| fastboot errors<br />
|}<br />
<br />
<br />
= Interfacing over pc =<br />
<br />
it can talk with pc over usb.<br />
It have this commands:<br />
<syntaxhighlight lang="asm" line highlight="2"><br />
cmd_ADDR EQU 1<br />
cmd_BIN EQU 2<br />
cmd_START EQU 3<br />
cmd_HSYNC EQU 4<br />
cmd_POWER_DOWN EQU 5<br />
cmd_RQHW EQU 7<br />
cmd_RQRC EQU 8<br />
cmd_RQUID EQU 0xA<br />
cmd_RQVN EQU 0xB<br />
cmd_JUMP EQU 0xC<br />
cmd_RESTART EQU 0xE<br />
cmd_RQSW EQU 0x12<br />
cmd_READ EQU 0x15<br />
cmd_RQINFO EQU 0x17<br />
cmd_FL_RESTART EQU 0x18<br />
</syntaxhighlight><br />
<br />
USB command syntax is 0x02, commandbuf, 0x03. command buf contains command string and each argument (if any) seperated by 0x1e, for example: <br />
<br />
<syntaxhighlight lang="c" line><br />
"\x02JUMP\x03" // no arguments<br />
"\x02RQUID\xe10000\x03" // one argument<br />
</syntaxhighlight><br />
<br />
And this is a section inside mbm which parse this commands:<br />
<syntaxhighlight lang="c" line><br />
struct command {<br />
int code;<br />
char* str;<br />
};<br />
<br />
struct command* cmdlist;<br />
<br />
// arg_count can be argument, only if count of arguments == 1<br />
// e.g. for ADDR and BIN commands<br />
signed int cmd_handler(int cmd, int arg_count, char** arg_array)<br />
{<br />
uint8_t i = 0;<br />
uint8_t cmd_code;<br />
int sec_type;<br />
signed int result;<br />
char* buf;<br />
<br />
cmd_code = 26; <br />
sec_type = security_check_type();<br />
while ( !standard_strcmp(cmdlist[i].str, cmd) ) {<br />
i++<br />
if ( i >= 0xF )<br />
goto parse_CMD;<br />
}<br />
cmd_code = cmdlist[i].code;<br />
parse_CMD:<br />
result = cmd_security_check(cmd_code, arg_count, cmd);<br />
if ( result != 35 ) {<br />
if ( cmd_code < 0x19 ) {<br />
switch ( cmd_code ) {<br />
case 1:<br />
if ( *(uint8_t)0x8F32D150 == 1 ) {<br />
result = cmd_handler_ADDR(arg_count);<br />
} else {<br />
buf[0] = 119;<br />
result = usb_send("ERR", buf);<br />
}<br />
return result;<br />
case 2:<br />
return cmd_handler_BIN(arg_count, arg_array);<br />
case 5:<br />
cmd_handler_POWEROFF();<br />
return result;<br />
case 14:<br />
cmd_handler_RESET();<br />
return result;<br />
case 21:<br />
return cmd_handler_READ(arg_count);<br />
case 7:<br />
if ( *(uint8_t)0x8F32D18C == 240 || *(uint8_t)0x8F32D3A9 != 1 || sec_type != 49153 && sec_type != 43806 ) {<br />
result = cmd_handler_RQHW();<br />
} else {<br />
*(uint8_t)0x8F32D3A9 = 0;<br />
buf[0] = *(uint8_t)0x8F32D18C;<br />
result = usb_send("ERR", buf);<br />
}<br />
return result;<br />
case 10:<br />
return cmd_handler_RQUID(arg_count);<br />
case 11:<br />
return cmd_handler_RQVN();<br />
case 8:<br />
return cmd_handler_RQRC(arg_count);<br />
case 23:<br />
return cmd_handler_RQINFO();<br />
case 18:<br />
return cmd_handler_RQSW();<br />
case 12:<br />
return cmd_handler_JUMP(arg_count);<br />
case 24:<br />
cmd_handler_FL_RE(arg_count);<br />
return result;<br />
case 0:<br />
case 3:<br />
case 4:<br />
case 6:<br />
case 9:<br />
case 13:<br />
case 15:<br />
case 16:<br />
case 17:<br />
case 19:<br />
case 20:<br />
case 22:<br />
break;<br />
}<br />
}<br />
buf[0] = 133;<br />
result = usb_send("ERR", buf);<br />
}<br />
return result;<br />
}<br />
</syntaxhighlight><br />
<br />
[[Category:Booting Chain]]</div>
Eiyee
http://droid-developers.org/wiki/Mbmloader
Mbmloader
2012-02-23T18:15:55Z
<p>Eiyee: link to peripheral boot info page</p>
<hr />
<div>= What is mbmloader =<br />
<br />
Strictly speaking, mbmloader (There's a (c) 2006 Motorola notice in it, since it reuses code from the older versions of mbmloader used in previous Motorola phones. This works to our advantage because some of those earlier versions have been reverse engineered in the past by yakk in his MotoMagX hack.) is one of the first components in the [[Booting chain|boot chain]]. It verifies and then loads the mbm component. It checks mbmbackup for newer versions of mbm, so that mbm cannot be downgraded (this can be easily bypassed once running as root, since both mbm and mbmbackup could be downgraded at the same time).<br />
<br />
More generally speaking, we sometimes say "mbmloader" to refer to the whole bootstrap system, which is composed by:<br />
* [[CH|CH table]]<br />
* [[Cryptography|Certificates and Public Keys]]<br />
* [[PPA|Primary Protected Application]]<br />
* [[ISW|Initial Software image]]<br />
<br />
The mtd-hack module by '''janneg''' allows us to dump mtd00 which includes all of these, and we usually call this the "mbmloader dump" or "mbmloader CG".<br />
<br />
= mbmloader protections =<br />
<br />
Mbmloader has public certificates in it (see the [[ISW|ISW section]]). These certificates parsed on [[Cryptography]] page. We also know that both the Milestone and the Droid run in HS mode, which requires this format.<br />
<br />
According to the CSST's use of openssl, the openssl "commands" used to generate the certificates may somehow be intercepted. Moreover, analyzing the csstcli(command line tool) and it's parameters may identify what and how the certificates are signing upon.<br />
<br />
= Loading mbmloader from SD card =<br />
<br />
mbmloader can be loaded from SD card after software reset. It may be useful to check new version of mbmloader without reflashing phone.<br />
Details: [[How to load mbmloader from SD card]]<br />
<br />
= How mbmloader verify mbm? =<br />
<br />
== Introduction ==<br />
<br />
yakk has contributed his effort to map many high level functions name for the mbmloader image. This allows easier inspection of how the verification of mbm is performed. Perhaps he has already reviewed the related portion of codes for potential vulnerability, trying to document the findings that allows continuation could be a possible way to figure out a way.<br />
<br />
== Work flow ==<br />
<br />
mbm is read into address 0x8f310000.<br />
<br />
Search for the end of signature mark(the data length suggests a sha1sum):<br />
<pre><br />
6B D3 98 E2 D6 F0 F8 CF FC D4 96 72 5E B3 A8 B3 6B F9 B1 16<br />
</pre><br />
<br />
<br />
= Milestone mbmloader =<br />
<br />
now we only known only two versions of mbmloader for milestone:<br />
* one [[File:mbmloader-0.5A.raw.gz]]<br />
* two [[File:mbmloader-1.raw.gz]]<br />
<br />
Both versions have same code (and even version number - 05.0A!), but some data and keys differ.<br />
<br />
== Background ==<br />
<br />
Accredited by yakk, idb of mbmloader with high level function names are available. Further exploration is in the progress to map more information from kernel source and technical reference manual.<br />
<br />
== Kernel source ==<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<syntaxhighlight lang="c" line><br />
#define REGISTER_ADDRESS_DIE_ID 0x4830A218<br />
#define REGISTER_ADDRESS_MSV 0x480023B4<br />
</syntaxhighlight><br />
<br />
Searching b4 23 00 48 in mbmloader give:<br />
<syntaxhighlight lang="asm" line><br />
ROM:87004954 EF BE AD DE dword_87004954 DCD 0xDEADBEEF ; DATA XREF: get_fuse+4<br />
ROM:87004954 ; sub_87004798+A<br />
ROM:87004958 B4 23 00 48 MSV DCD 0x480023B4 ; DATA XREF: get_fuse:loc_87004786<br />
ROM:8700495C 18 A2 30 48 DIE_ID DCD 0x4830A218 ; DATA XREF: sub_87004832+18<br />
</syntaxhighlight><br />
<br />
arch/arm/plat-omap/include/mach/omap34xx.h:<br />
<syntaxhighlight lang="c" line><br />
#define L4_34XX_BASE 0x48000000<br />
#define L4_WK_34XX_BASE 0x48300000<br />
#define L4_PER_34XX_BASE 0x49000000<br />
#define L4_EMU_34XX_BASE 0x54000000<br />
#define L3_34XX_BASE 0x68000000<br />
#define OMAP3430_32KSYNCT_BASE 0x48320000<br />
#define OMAP3430_CM_BASE 0x48004800<br />
#define OMAP3430_PRM_BASE 0x48306800<br />
#define OMAP343X_SMS_BASE 0x6C000000<br />
#define OMAP343X_SDRC_BASE 0x6D000000<br />
#define OMAP34XX_GPMC_BASE 0x6E000000<br />
#define OMAP343X_SCM_BASE 0x48002000<br />
#define OMAP34XX_IC_BASE 0x48200000<br />
#define OMAP34XX_IVA_INTC_BASE 0x40000000<br />
#define OMAP34XX_SR1_BASE 0x480C9000<br />
#define OMAP34XX_SR2_BASE 0x480CB000<br />
#define OMAP34XX_DSP_BASE 0x58000000<br />
</syntaxhighlight><br />
<br />
== Technical Reference Manual ==<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Abbreviation<br />
! Meaning<br />
! Reference<br />
|-<br />
| MSV <br />
| Model Specific Value <br />
| spruf98 p. 981, 6.6.4.47(System Control Module, Registers, GENERAL registers description), Table 6-496. CONTROL_MSV_0 <br />
|}<br />
<br />
4.14.1 CM Module Registers, Table 4-90. CM Instance Summary (spruf98 p.440)<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Module Name<br />
! Base Address (hex)<br />
! Size<br />
|-<br />
| IVA2_CM <br />
| 0x4800 4000 <br />
| 8192 bytes<br />
|-<br />
| OCP_System_Registers_CM <br />
| 0x4800 4800 <br />
| 8192 bytes<br />
|-<br />
| MPU_CM <br />
| 0x4800 4900 <br />
| 8192 bytes<br />
|-<br />
| CORE_CM <br />
| 0x4800 4A00 <br />
| 8192 bytes<br />
|-<br />
| SGX_CM <br />
| 0x4800 4B00 <br />
| 8192 bytes<br />
|-<br />
| WKUP_CM <br />
| 0x4800 4C00 <br />
| 8192 bytes<br />
|-<br />
| Clock_Control_Registers_CM <br />
| 0x4800 4D00 <br />
| 8192 bytes<br />
|-<br />
| DSS_CM <br />
| 0x4800 4E00 <br />
| 8192 bytes<br />
|-<br />
| CAM_CM <br />
| 0x4800 4F00 <br />
| 8192 bytes<br />
|-<br />
| PER_CM <br />
| 0x4800 5000 <br />
| 8192 bytes<br />
|-<br />
| EMU_CM <br />
| 0x4800 5100 <br />
| 8192 bytes<br />
|-<br />
| Global_Registers_CM <br />
| 0x4800 5200 <br />
| 8192 bytes<br />
|-<br />
| NEON_CM <br />
| 0x4800 5300 <br />
| 8192 bytes<br />
|-<br />
| USBHOST_CM <br />
| 0x4800 5400 <br />
| 8192 bytes<br />
|}<br />
<br />
6.6 System Control Module Registers Table 6-80. Instance Summary<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Name<br />
! Address<br />
! Instance length<br />
|-<br />
| INTERFACE<br />
| 0x4800 2000<br />
| 36 bytes<br />
|-<br />
| PADCONFS<br />
| 0x4800 2030<br />
| 564 bytes<br />
|-<br />
| GENERAL<br />
| 0x4800 2270<br />
| 767 bytes<br />
|-<br />
| MEM_WKUP<br />
| 0x4800 2600<br />
| 1K byte<br />
|-<br />
| PADCONFS_WKUP<br />
| 0x4800 2A00<br />
| 80 bytes<br />
|-<br />
| GENERAL_WKUP<br />
| 0x4800 2A60<br />
| 31 bytes<br />
|} <br />
<br />
<br />
18.8 McSPI Registers, Table 18-22. Instance Summary<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Module Name<br />
! Base Address<br />
! Size<br />
|-<br />
|MCSPI1<br />
|0x4809 8000<br />
|4Kbytes<br />
|-<br />
|MCSPI2<br />
|0x4809 A000<br />
|4Kbytes<br />
|-<br />
|MCSPI3<br />
|0x480B 8000<br />
|4Kbytes<br />
|-<br />
|MCSPI4<br />
|0x480B A000<br />
|4Kbytes<br />
|}<br />
<br />
== Address extracted from mbmloader ==<br />
<br />
Prefixed by 0x4800:<br />
<pre><br />
0x48002000 Control Revision<br />
0x48002180 CONTROL_PADCONF_UART1_CTS - Configuration register for pads uart1_cts(clear to send), uart1_rx. ((spruf98 p. 870, 6.6.3.85 CONTROL_PADCONF_UART1_CTS))<br />
0x480021C8 CONTROL_PADCONF_MCSPI1_CLK - Configuration register for pads mcspi1_clk, mcspi1_simo<br />
0x480022F0 Control status - SYS_BOOT and DEVICETYPE<br />
0x480023B4 MSV - Model Specific Value, 4 bytes<br />
0x48004000 Clock manager, Module region A, 8KB ((spruf98 p.203, Table 2-3. L4-Core Memory Space Mapping))<br />
0x48004904 CM_CLKEN_PLL_MPU, This register allows controlling the DPLL1 modes. ((spruf98 p.454))<br />
0x48004A00 Table 4-143. CM_FCLKEN1_CORE, Controls the module functional clock activity.<br />
0x48004A10 Table 4-147. CM_ICLKEN1_CORE, Controls the modules interface clock activity.<br />
0x48004A20 Table 4-153. CM_IDLEST1_CORE, CORE modules access availability monitoring. This register is read only and automatically updated.<br />
0x48004B40 Table 4-177. CM_CLKSEL_SGX, SGX clock selection.<br />
0x48004C00 4.14.1.7.1 CM_FCLKEN_WKUP, Table 4-185. CM_FCLKEN_WKUP, Controls the modules functional clock activity.<br />
0x48004D00 Table 4-195. CM_CLKEN_PLL, This register allows controlling the DPLL3 and DPLL4 modes.<br />
0x48004E40 Table 4-227. CM_CLKSEL_DSS, Modules clock selection.<br />
0x48005000 Table 4-251. CM_FCLKEN_PER, Controls the modules functional clock activity. RW, WDTIMER can be enabled/disabled here.<br />
0x48005140 Table 4-267. CM_CLKSEL1_EMU, Modules clock selection.<br />
</pre><br />
<br />
Prefixed by 0x4830:<br />
<pre><br />
0x48306000 Table 4-297. PRM Instance Summary, IVA2_PRM<br />
0x48306D40 Table 4-387. PRM_CLKSEL, This register controls the selection of the system clock frequency. This register is reset on power-up only. RW<br />
0x48307000 Table 4-297. PRM Instance Summary, PER_PRM<br />
0x48307250 Table 4-456. PRM_RSTCTRL, Global software and DPLL3 reset control. This register is auto-cleared. Only write 1 is possible. A read returns 0 only. Perhaps it be used to issue a software reset? ((4.5.9.2 Global Warm Reset Sequence))<br />
0x48307270 Table 4-466. PRM_CLKSRC_CTRL, This register provides control over the device source clock.<br />
0x4830A218 DIE ID, 16 bytes<br />
</pre><br />
<br />
Other 32-bit dword:<br />
<pre><br />
0x18000000<br />
0x1F000000<br />
0x20000000<br />
0x208D0024<br />
0x28000000<br />
0x3FCFF000<br />
0x40000000<br />
0x40208800 SRAM <br />
0x4020C800 SRAM<br />
0x43FFFE01<br />
0x4806A000 UART1 DLL_REG, 16.6 UART/IrDA/CIR Registers<br />
0x48098000 18.8 McSPI Registers, McSPI1(Multichannel Serial Port Interface)<br />
0x48314000 WDTIMER2, Table 15-66. WDT2 Register Summary<br />
0x48318000 GPTIMER1, 15.3 General-Purpose (GP) Timer Registers<br />
0x49020000 UART3 (infrared), 2.3.2.3 L4-Peripheral Memory Space Mapping, Table 2-5. L4-Peripheral Memory Space Mapping<br />
0x5004800C <br />
0x5005C008<br />
0x5A827999 SHA1 c1<br />
0x6E000000 Table 10-27. Instance Summary, GPMC.<br />
0x6E00007C 10.1.7.2.17 GPMC_NAND_COMMAND_i, This register is not a true register, just an address location.<br />
0x6E000084 10.1.7.2.19 GPMC_NAND_DATA_i, This register is not a true register, just an address location.<br />
0x6E0000A8 10.1.7.2.16 GPMC_CONFIG7_i, i = 1<br />
0x6E0001F4 10.1.7.2.24 GPMC_ECC_CONFIG, ECC configuration, RW, able to control hardware ECC.<br />
0x6E0001F8 10.1.7.2.25 GPMC_ECC_CONTROL, ECC control, RW, able to control hardware ECC.<br />
0x6ED9EBA1 SHA1 c2<br />
0x76543210<br />
0x78020000<br />
0x7FFFFED3<br />
0x80000000 <br />
0x80080000<br />
0x81000000<br />
0x81001000<br />
0x81001080<br />
0x81001484<br />
0x81001888<br />
0x81001908<br />
0x8100192C<br />
0x81001D2C<br />
0x8100212C<br />
0x810021AC<br />
0x8100222C<br />
0x8100322C<br />
0x8100422C<br />
0x8100522C<br />
0x8100562C<br />
0x8100762C<br />
0x81007A14<br />
0x81007A54<br />
0x81007C54<br />
0x81007C64<br />
0x81007CE4<br />
0x81007DE4<br />
0x81007DF4<br />
0x81007E04<br />
0x8100AE40<br />
0x85030004<br />
0x860527A0<br />
0x87000998<br />
0x87009792<br />
0x87009A08<br />
0x87009BDC<br />
0x87009E52<br />
0x87009E5C<br />
0x87009FA6<br />
0x8700AA96<br />
0x8700B614<br />
0x8700B634<br />
0x8700B664<br />
0x8700B684<br />
0x87014D4C<br />
0x89ABCDEF<br />
0x8F1BBCDC SHA1 c3<br />
0x8F310000 mbm load address<br />
0x8F311000 mbm offset 0x1000<br />
0x8FFFFFFF<br />
0x90000000<br />
0xB17219E9 special value in mbm<br />
0xCA62C1D6 SHA1 c4<br />
0xDEADBEEF dummy value mark dead beef<br />
0xF0E1D2C3<br />
0xFC000000<br />
0xFEDCBA98<br />
0xFF000000<br />
0xFFF800FF<br />
0xFFFDD000<br />
0xFFFFDFE1<br />
0xFFFFF7FF<br />
0xFFFFFC01<br />
0xFFFFFFFD<br />
0xFFFFFFFF<br />
</pre><br />
<br />
== Mbmloader replacement Attack ==<br />
<br />
By having probed the hardware, with this simple code:<br />
<pre><br />
#include <mach/cpu.h><br />
main () <br />
{<br />
printk(KERN_INFO "omap type: %d\n", omap_type());<br />
}<br />
</pre><br />
we know the OMAP processor works in High Security mode upon booting (as opposed to General Purpose mode). We know the Droid is working in HS mode too. <br />
In HS mode the [[mbmloader|mbmloader]]'s cryptographic signature can be checked before booting, and since the signatures are being checked in later stages of the boot process, we guess both mbmloader and mbm are probably signed and verified too. Static code analysis seem to confirm the signatures are in place.<br />
Mbmloader itself apparently checks for mbm's signature before passing control to it. The idea of this attack is simply to replace mbmloader with another version that does not check for mbm's signature. We would then be free to replace mbm with a patched version that allowed us to run modified kernels and boot images.<br />
<br />
=== Hypothesis ===<br />
<br />
We can find some mbmloader that is signed with the same key as the Milestone's but that does not enforce the signature chain on mbm. We are also able to write to the NAND area where mbmloader is stored, so as to replace it.<br />
<br />
=== How can we write to the NAND area where mbmloader is stored ===<br />
<br />
Janneg's test has sadly demonstrated that we're currently unable to write meaningful data on those sectors of the NAND Flash. The Hardware ECC mechanism should be used somehow.<br />
<br />
=== How to know in advance whether a given mbmloader can work on the Milestone ===<br />
<br />
When janneg's phone was unfortunately bricked, it ended up with a corrupted mbmloader and trying to boot from USB (expecting a signed image in some unknown format). In this mode, the phone's boot ROM sends the ASIC ID to the USB host. In janneg's case, the ASIC ID was:<br />
<pre><br />
05010501 34300757 13020100 12150136 <br />
66e176b7 00efa289 0d53bd71 93627710<br />
b01bbe14 15011d3f b662794d 8c70fb57<br />
b4cb492e 27f66f15 2e4f1509 01f7488f<br />
28a027e5 b3<br />
</pre><br />
<br />
This has been decomposed into the following information by user [mbm], based on table 1-8 in the 1.4.4.1 section of the [http://bunnitude.com/misc/files/omap/pdf/sprufd6.pdf sprufd6.pdf TRM document]:<br />
<pre><br />
ASIC ID Item Size [bytes] Description<br />
Items 1 Number of subblocks<br />
ID sub block 7 Device identification information<br />
Secure mode subblock 4 Secure identification data<br />
Public ID subblock 23 Public identification data generated by secure ROM<br />
Root key hash subblock 23 Root key hash generated by a secure ROM service<br />
Checksum Subblock 11 4 bytes: CRC of public ROM. 4 bytes: CRC of secure ROM<br />
<br />
ITEMS: 05<br />
ID[01] 05 [01][34 30 07 57]<br />
SECURE[13] 02 [01][00]<br />
PUBLIC[12] 15 [01][36 66 e1 76 b7 00 ef a2 89 0d 53 bd 71 93 62 77 10 b0 1b be]<br />
ROOT[14] 15 [01][1d 3f b6 62 79 4d 8c 70 fb 57 b4 cb 49 2e 27 f6 6f 15 2e 4f]<br />
CRCS[15] 09 [01][f7 48 8f 28][a0 27 e5 b3]<br />
</pre><br />
<br />
It is possible to get the device into USB peripheral boot mode by changing "software booting configuration" (see [[How to load mbmloader from SD card]]).<br />
<br />
It seems user kokone has been able to guess how the key verification process works. Using [[Cryptography|his tool for exporting mbmloader keys into .PEM format]], he realized that the SHA1 verification hash of the "Public Key in LBL Format including the 0x14 bytes status info in front" results in value '''1d3fb662794d8c70fb57b4cb492e27f66f152e4f''', which is precisely the same value as the ROOT[14] field decoded from the ASIC ID. It is verified that kokone calculated the sha1 hash based on this formula:<br />
<br />
''' root_pk_hash = sha1_hash(20_bytes_key_info + modulus) '''<br />
<br />
Modulus's length is specified in the key info. For instance, a 1024-bits modulus would require only 1024-bits to be hashed due to the least significant byte order of modulus.<br />
<br />
The content can be extracted by mbmloader using this command:<br />
<pre><br />
dd if=mtd_00_mbmloader.img skip=1076 bs=1 count=276 of=pk.bin<br />
sha1sum pk.bin<br />
1d3fb662794d8c70fb57b4cb492e27f66f152e4f *pk.bin <br />
</pre><br />
A sample file can be downloaded -> <br />
<br />
It has also been found that droid001's returns this same value (reversed order is normal due to different presentation method of sha1sum and pkhash) in its '''CONTROL_RPUB_KEY_H[4:0]''' field.<br />
<br />
Running droid001's pkhash in Latam Milestone phones shows that those phones have the same hardware key as the European Milestone.<br />
<br />
Sadly, the Droid hash stored in hardware is different from the Milestone's: it is '''75ed7020641333dd7bc3aecb9857683c2422efe1'''(see [http://pastebin.com/raw.php?i=e9XbzQXp].). Thus, we won't be able to use Droid's mbmloader on the Milestone. It's strange that the root pk hash is different from the value calculated by hand according to the method above.((http://milestone.denhaas.info/date/10-03-2010/ 17:42:38 nothize))<br />
<br />
XVilka's developer phone, mbmloader version 90.80 (which has a CertPK that matches the CSST 2.6's multiroot key; see [http://pastebin.ca/1831383].), does NOT run in HS mode. It does have a hash key stored in hardware (different from the one in the normal Milestone, see [http://pastebin.ca/1831344].), but it is not used in GP mode.<br />
<br />
So, all in all, we do not have any mbmloader suitable for installation on the Milestone that will break Motorola's chain of trust. If you know of any other mbmloader version, let us know.<br />
<br />
== Problems ==<br />
=== mbm's entry point ===<br />
<br />
The Droid's mbm might have a different entry point than the one in the Milestone's mbm. Thus the Droid's mbmloader would not be able to pass control to the Milestone's mbm. The obvious workaround would be to replace mbm too. '''There might be other offsets to take care of, besides mbm's entry point.'''<br />
<br />
=== mbm's hardware initialization process ===<br />
<br />
The Droid's hardware might be a bit different from the Milestone's. This is supported by an [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2016 official Motorola reply to a direct question by vekexasia]. If that's the case, the Droid's mbm would fail to initialize the Milestone's hardware, thereby bricking the phone. The workaround would be to use the Milestone's mbm, but patching it so that the Droid's mbmloader is able to use it (e.g., moving mbm code around, inserting jumps, etc.). There would be no problem with patching Milestone's mbm in this case, since the Droid's mbmloader would not check on mbm's signature (but this is an ad-hoc hypothesis, because we don't know it for sure!).<br />
<br />
=== cdt format ===<br />
<br />
The CDT table's format seems to differ between the Droid and the Milestone, so if we were to use the Droid mbmloader this should be handled somehow.<br />
<br />
=== Risk ===<br />
<br />
In the event of a mistake in the process, or if our hypothesis is wrong, the device would be bricked beyond repair (at least with the resources we have, namely [[ROM_Flashing|RSD Lite]]). The person trying this attack should be aware of this risk, and would probably be willing to try it on a device which could be sent to Motorola for repair without much hassle or cost (e.g., a Milestone that has some obvious warranty-covered issue such as a defective keyboard, etc). A German Motorola service agent is said to have quoted 89 euros for repairing firmware tampering.<br />
<br />
== Attack process ==<br />
<br />
[http://bit.ly/cqNt3i Here's a donation link] that some people have set up to buy a Milestone for testing this attack.<br />
<br />
Note: this test procedure is under review, so please ask before following it!<br />
<br />
# If possible, record the whole process with a video camera), so it can later be analyzed. You should also log in to the IRC channel for assistance during this attack.<br />
# Get [http://www.megaupload.com/?d=15EGPJ0U the 6mb droid dump] and gunzip the file((Since the CH header differs between the Droid and the Milestone, the Droid CH table may not work with a Milestone. The risk is low, though, because the difference is small. Although we cannot be sure about it, it is [mbm]'s opinion that it could work. In case you want to keep the Milestone CH table, you can use this other [http://www.megaupload.com/?d=V7BIRKOF patched Droid dump] instead, but keep in mind that the Release Notes for CSST v2.4 suggest the CH header can be signed too (and if it is, this patched Droid dump could brick your phone permanently). Nonetheless, as far as we know the CH table doesn't seem to be signed in the Milestone nor in the Droid, so this patched Droid dump should probably work fine. Finally, a whole dump of a Droid NAND flash can be used too; just remember that it should contain at least CH+MBMLOADER+MBM+MBMBACKUP+CDT.).<br />
# Obtain and transfer a modified, write-enabled mtd-hack-based harakiri.ko module to the phone ([http://www.megaupload.com/?d=1H1XODOM untested source code by [mbm] here that compiles with warnings](it's a quick and dirty version; it takes mtd->erase and points it at new erase function which is just a cut and paste of the old one with the panic commented out), [http://www.megaupload.com/?d=2ZG207FO precompiled binary here with those warnings solved]).<br />
# Set USB Debugging in the Milestone's Settings/Applications/Development configuration menu.<br />
# Boot the Milestone in [[recovery_mode|Recovery mode with ADBrecovery]], so it's running on RAM.<br />
# Follow this procedure to change mbmloader:<br />
## su to root<br />
## Execute a command to write the Droid image into the h_harakiri mtd. The correct command is yet to be determined((There are two known teardowns of the Droid, and none of the Milestone. There's the [http://www.phonewreck.com/2009/11/12/motorola-droid-teardown-analysis/ phoneWreck teardown] and the [http://www.isuppli.com/News/Pages/iSuppli-Does-Droid-Teardown-Finds-$18775-Bill-of-Materials-and-Manufacturing-Cost.aspx iSuppli cost analysis]. The 512 MB total NAND flash is split in 256 MB PoP and 256 MB standalone. The PoP chip is a Toshiba YBC0A111100L8, although there is no information about this chip ID on the web; iSupply but doesn't mention any chip ID. The standalone chip seen in the phoneWreck teardown is [http://www.data-io.com/device/details.asp?Prog=PS300FC&DevTech=ALL&PAdapt=ALL&PBase=ALL&PkgType=ALL&SemiMfgr=Motorola&offset=150&DID=60430&SUP_ID=60548&PMODEL=PS300FC&HW_ID=57462 Toshiba TY9000A000GLLF], and the one seen in the iSuppli pictures is a [http://www.dataio.com/device/details.asp?Prog=FLX500&DidList=63337&DID=63337&SUP_ID=55023&PMODEL=FLX500&HW_ID=57462 Numonyx (SGS-Thomson, STMicroelectronics) NANDA9R4N4CZBA5]. As seen on the Linux syslog, the Droid's memory detection message is "NAND device: Manufacturer ID 0x20, Chip ID: 0xbc (ST Micro NAND 512MiB 1,8V 16-bit)". In contrast, the Milestone's memory detection message is "NAND device: Manufacturer ID: 0x98, Chip ID: 0xbc (Toshiba NAND 512MiB 1,8V 16-bit)".)).<br />
<br />
* Note 1: do NOT use dd at this point, because it seems to corrupt the hardware-ECC-corrected part of the NAND flash((see the patches introduced to the OMAPZoom project on 2010-01-07 [http://git.omapzoom.org/?p=repo/x-loader.git;a=summary here]. They may point the way to fix this problem, although those sources seem to apply to a [http://www.datasheetsite.com/extpdf.php?q=http%3A%2F%2Fwww.samsung.com%2FProducts%2FSemiconductor%2FNANDFlash%2FSLC_LargeBlock%2F1Gbit%2FK9F1G08U0A%2Fds_k9f1g08x0a_rev10.pdf Samsung K9F1G08R0A] chip. User kokone proposes that "The ROM loader reads mbmloader using low level access to the Flash ... Perhaps the hardware ECC is not yet enabled and the used software ECC not compatible with hardware ECC?". But user sgx says "I can confirm that hardware ecc is required to properly flash an omap initial bootloader".)). User janneg created a Milestone dump, flashed it using dd but saw md5 difference with his previous dump; he then tried flash_image and the phone rebooted automatically due to panic in old mtd-hack. The reboot went fine (even though there were bit errors) and the system ran fine, even booting Android. ([http://pastebin.ca/1815149 Here]'s the corrupted code diff, so we can inspect whether that was ECC or not).<br />
<br />
* Note 2: do NOT use "flash_image h_harakiri droid.flash" at this point, because it may not be writing to the correct NAND flash location (or otherwise does in a way that is not bootable). User janneg tried this command after his abovementioned test; he also added mtd-hack with panic workaround, flashed the Milestone dump again using flash_image and md5 hash of boot area was correct again. But then he rebooted and the phone was bricked. We still do not know what went wrong with this test. His phone was left with the boot ROM receiving USB commands((see the abovementioned sprufd6.pdf TRM. User playya has put together [[http://pastebin.com/MX72CpRW some untested code]] for talking to the boot ROM in this state.)).<br />
<br />
* Note 3: An alternative method has been proposed by Skrilax_CZ based on how other Motorola phones have their mbmloader updated: by creating [http://rapidshare.com/files/357531828/Milestone-bootloader-flash-test-9072.rar an SBF file] containing mbm (CG30), mbmloader (CG31), bploader (CG32) and a modded ramdld. The ramdld can be modded because the address table inside the ramdld located between addresses 0x0F8 and 0x260 (offsets of the smg) is not signed. But applying this SBF file blindly is likely to brick your phone, because:<br />
- we do not know whether the Milestone mbm is able to write to the hardware-based ECC protection of the first sectors of the NAND flash.<br />
- the included mbmloader version is 90.72 which is the oldest Milestone version. If you have a later mbm version, the mbmloader will refuse to boot in order to prevent the mbm downgrade; thus, the phone would be bricked.<br />
- the included bploader is set at 128KB long. This has been extracted from a live phone. The length is guessed (there are only 0xff after this part, and the Sholes Table bploader is also 128KB long).<br />
# Execute "sync" as root.<br />
# Execute "dmesg" and see the latest info, to check if there were any errors during the flashing.<br />
# Dump the flash contents in the SD card. For example, try something like "dd if=/dev/mtd11 of=/sdcard/afterflash.img" if mtd11 is h_harakiri<br />
# Take the battery out.<br />
# Put the battery back.<br />
# Connect the Milestone via USB to a Linux host.<br />
# Press the D-Pad UP key, and hold it. Press the Power button for a while, then let go of both keys.<br />
# Report what happens at this point.<br />
# Does it turn the screen on? (check it out in a dark room).<br />
# run "lsusb -vd 22b8:41db" on the Linux host (you may need to wait a bit before you get any results with this).<br />
# If mbm shows up on the display and says "OK to program", then we're in. We just need to prepare a custom SBF with the correct baseband, etc., and then load it with RSD Lite under Windows XP (MUST be XP for meaningful results).<br />
<br />
[[Category:Booting Chain]]</div>
Eiyee
http://droid-developers.org/wiki/How_to_load_mbmloader_from_SD_card
How to load mbmloader from SD card
2012-02-23T18:10:57Z
<p>Eiyee: </p>
<hr />
<div>== Introduction ==<br />
<br />
After software reset, OMAP BootROM checks scratchpad memory at address 0x48002910 where can be address of "software booting configuration".<br />
<br />
<blockquote>The software booting configuration is a simple structure at the address stored<br />
at the first location of available scratchpad memory: 0x48002910. There are two sections in this structure:<br />
* The first section provides devices for the booting device list.<br />
* The second section provides clock settings, which are applied before booting.<br />
<pre><br />
Devices to be put on the device list<br />
0x00: Void, no device<br />
0x01: XIP memory<br />
0x02: NAND<br />
0x03: OneNAND<br />
0x04: DOC<br />
0x05: MMC/SD2<br />
0x06: MMC/SD1<br />
0x07: XIP memory with wait monitoring<br />
0x08 to 0x0F: Reserved<br />
0x10: UART<br />
0x11: HS USB<br />
</pre><br />
</blockquote><br />
<br />
== Implementation ==<br />
<br />
We will use boot device "0x06: MMC/SD1" to load mbmloader and device "0x11: HS USB" to check if boot from SD was failed.<br />
<br />
=== Prepare file to load ===<br />
# You need to have original mbmloader from Milestone's NAND (first 128K) in file. <br />
# Then replace string X-LOADER to MLO inside second 512 bytes block.<br />
# Rename file to MLO<br />
# Reduce file up to end of mbmloader code.<br />
# Copy this file to the root directory of SD card. Partition should be "active" and formatted as FAT16/32. I think default formatting of SD card by Milestone is Ok.<br />
<br />
=== Prepare code to software reset the Milestone ===<br />
<br />
We need to create right structure inside scratch memory and to do software reset.<br />
I've selected address 0x480029B0 to store booting configuration.<br />
<br />
I've used 2ndboot module from yakk to inject my code, because I'm not ready to develop full kernel module yet.<br />
<br />
Example of my code:<br />
<syntaxhighlight lang="c" line><br />
#define SCRATCH_MEM 0x48002910<br />
#define GLOBAL_REG_PRM 0x48307200<br />
<br />
scratch_mem = ioremap(SCRATCH_MEM, 240);<br />
global_reg_prm = ioremap(GLOBAL_REG_PRM, 256);<br />
<br />
// Disable IRQ<br />
local_irq_disable();<br />
local_fiq_disable();<br />
<br />
// Store address of booting configuration structure<br />
__raw_writel(SCRATCH_MEM+0xA0, scratch_mem + 0);<br />
<br />
// Header of booting config<br />
__raw_writel(0xCF00AA01, scratch_mem + 0xA0);<br />
// Size of booting config<br />
__raw_writel(0xC, scratch_mem + 0xA4);<br />
// First booting device is 0x06<br />
__raw_writel(0x00060000, scratch_mem + 0xA8);<br />
// Second is 0x06, third is 0x11<br />
__raw_writel(0x00060011, scratch_mem + 0xAC);<br />
// Fourth is 0x11<br />
__raw_writel(0x00000011, scratch_mem + 0xB0);<br />
<br />
// software reset<br />
__raw_writel(0x04, global_reg_prm + 0x50);<br />
<br />
</syntaxhighlight><br />
Here is archive with compiled module and Motorola's mbmloader: [[File:Boot_from_sd.gz]]<br />
<br />
=== Put all of them together ===<br />
# Copy module 2ndboot_mmc_usb.ko to root of SD card where MLO copied<br />
# Run command: insmode /sdcard/2ndboot_mmc_usb.ko<br />
<br />
Your phone should black screen and reboot successfuly, if your MLO file is Ok. <br />
If you remove MLO file from SD card and load module again, your phone should be in infinite loop of tries to boot from SD card (unsuccessful) and from USB, so your computer should see tries of USB enumerations every 3-4 seconds. You may "fix" your phone from that state by battery removing only (or maybe you can try to upload some mbmloader through USB, but it should be signed by Motorola).<br />
<br />
== Booting from USB ==<br />
<br />
There is some python code ([[File:omapusbboot.raw]]) to talk to the device in USB peripheral boot mode. So far no success actually uploading and booting from an image this way. The USB interface knows the following commands (from OMAP3630 TRM vS, 26.4.5 Peripheral Booting):<br />
<br />
{| border="1"<br />
! Command<br />
! Description<br />
|-<br />
|0xf0030002<br />
|Continue peripheral booting<br />
|-<br />
|0xf003NN06<br />
|Change booting device to NN (e.g. 0x11:HSUSB)<br />
|-<br />
|0xffffffff<br />
|Skip current booting device and move to next<br />
|-<br />
|<u32_imagesize><image><br />
|Boot memory image<br />
|}<br />
<br />
== Why all of this ? ==<br />
<br />
We can try to load changed mbmloader and see which effect it has, without flash the phone. For example: you can try to change CHSETTINGS because it's not signed.<br />
Also we can try to break RSA checks in some way.<br />
<br />
== Follow-up of the process ==<br />
<br />
Although no 3rd party tester has been able to repeat the scene from booting from MLO on Milestone, it is confirmed that(by another user Nothize other than the original writer SergeyZH) (on Windows) the control panel -> system -> hardware -> device manager can be used to monitor the USB enumeration after the phone has entered the software boot device list state.<br />
<br />
A standalone module has been written based on the code above to try a boot list of three 0x11(HS USB) and one 0x11 respectively and the response of the USB enumerations comply with these two sets.<br />
<br />
The setting for MLO and USB booting should refer to the ROM code memory and peripheral booting guide.</div>
Eiyee
http://droid-developers.org/wiki/File:Omapusbboot.raw
File:Omapusbboot.raw
2012-02-23T18:09:49Z
<p>Eiyee: </p>
<hr />
<div></div>
Eiyee
http://droid-developers.org/wiki/How_to_load_mbmloader_from_SD_card
How to load mbmloader from SD card
2012-02-23T18:06:02Z
<p>Eiyee: add some info about talking to device in usb peripheral boot mode</p>
<hr />
<div>== Introduction ==<br />
<br />
After software reset, OMAP BootROM checks scratchpad memory at address 0x48002910 where can be address of "software booting configuration".<br />
<br />
<blockquote>The software booting configuration is a simple structure at the address stored<br />
at the first location of available scratchpad memory: 0x48002910. There are two sections in this structure:<br />
* The first section provides devices for the booting device list.<br />
* The second section provides clock settings, which are applied before booting.<br />
<pre><br />
Devices to be put on the device list<br />
0x00: Void, no device<br />
0x01: XIP memory<br />
0x02: NAND<br />
0x03: OneNAND<br />
0x04: DOC<br />
0x05: MMC/SD2<br />
0x06: MMC/SD1<br />
0x07: XIP memory with wait monitoring<br />
0x08 to 0x0F: Reserved<br />
0x10: UART<br />
0x11: HS USB<br />
</pre><br />
</blockquote><br />
<br />
== Implementation ==<br />
<br />
We will use boot device "0x06: MMC/SD1" to load mbmloader and device "0x11: HS USB" to check if boot from SD was failed.<br />
<br />
=== Prepare file to load ===<br />
# You need to have original mbmloader from Milestone's NAND (first 128K) in file. <br />
# Then replace string X-LOADER to MLO inside second 512 bytes block.<br />
# Rename file to MLO<br />
# Reduce file up to end of mbmloader code.<br />
# Copy this file to the root directory of SD card. Partition should be "active" and formatted as FAT16/32. I think default formatting of SD card by Milestone is Ok.<br />
<br />
=== Prepare code to software reset the Milestone ===<br />
<br />
We need to create right structure inside scratch memory and to do software reset.<br />
I've selected address 0x480029B0 to store booting configuration.<br />
<br />
I've used 2ndboot module from yakk to inject my code, because I'm not ready to develop full kernel module yet.<br />
<br />
Example of my code:<br />
<syntaxhighlight lang="c" line><br />
#define SCRATCH_MEM 0x48002910<br />
#define GLOBAL_REG_PRM 0x48307200<br />
<br />
scratch_mem = ioremap(SCRATCH_MEM, 240);<br />
global_reg_prm = ioremap(GLOBAL_REG_PRM, 256);<br />
<br />
// Disable IRQ<br />
local_irq_disable();<br />
local_fiq_disable();<br />
<br />
// Store address of booting configuration structure<br />
__raw_writel(SCRATCH_MEM+0xA0, scratch_mem + 0);<br />
<br />
// Header of booting config<br />
__raw_writel(0xCF00AA01, scratch_mem + 0xA0);<br />
// Size of booting config<br />
__raw_writel(0xC, scratch_mem + 0xA4);<br />
// First booting device is 0x06<br />
__raw_writel(0x00060000, scratch_mem + 0xA8);<br />
// Second is 0x06, third is 0x11<br />
__raw_writel(0x00060011, scratch_mem + 0xAC);<br />
// Fourth is 0x11<br />
__raw_writel(0x00000011, scratch_mem + 0xB0);<br />
<br />
// software reset<br />
__raw_writel(0x04, global_reg_prm + 0x50);<br />
<br />
</syntaxhighlight><br />
Here is archive with compiled module and Motorola's mbmloader: [[File:Boot_from_sd.gz]]<br />
<br />
=== Put all of them together ===<br />
# Copy module 2ndboot_mmc_usb.ko to root of SD card where MLO copied<br />
# Run command: insmode /sdcard/2ndboot_mmc_usb.ko<br />
<br />
Your phone should black screen and reboot successfuly, if your MLO file is Ok. <br />
If you remove MLO file from SD card and load module again, your phone should be in infinite loop of tries to boot from SD card (unsuccessful) and from USB, so your computer should see tries of USB enumerations every 3-4 seconds. You may "fix" your phone from that state by battery removing only (or maybe you can try to upload some mbmloader through USB, but it should be signed by Motorola).<br />
<br />
== Booting from USB ==<br />
<br />
There is some code ([[File:omapusbboot]]) to talk to the device in USB peripheral boot mode. So far no success actually uploading and booting from an image this way. The USB interface knows the following commands (from OMAP3630 TRM vS, 26.4.5 Peripheral Booting):<br />
<br />
{| border="1"<br />
! Command<br />
! Description<br />
|-<br />
|0xf0030002<br />
|Continue peripheral booting<br />
|-<br />
|0xf003NN06<br />
|Change booting device to NN (e.g. 0x11:HSUSB)<br />
|-<br />
|0xffffffff<br />
|Skip current booting device and move to next<br />
|-<br />
|<u32_imagesize><image><br />
|Boot memory image<br />
|}<br />
<br />
== Why all of this ? ==<br />
<br />
We can try to load changed mbmloader and see which effect it has, without flash the phone. For example: you can try to change CHSETTINGS because it's not signed.<br />
Also we can try to break RSA checks in some way.<br />
<br />
== Follow-up of the process ==<br />
<br />
Although no 3rd party tester has been able to repeat the scene from booting from MLO on Milestone, it is confirmed that(by another user Nothize other than the original writer SergeyZH) (on Windows) the control panel -> system -> hardware -> device manager can be used to monitor the USB enumeration after the phone has entered the software boot device list state.<br />
<br />
A standalone module has been written based on the code above to try a boot list of three 0x11(HS USB) and one 0x11 respectively and the response of the USB enumerations comply with these two sets.<br />
<br />
The setting for MLO and USB booting should refer to the ROM code memory and peripheral booting guide.</div>
Eiyee
http://droid-developers.org/wiki/Main_Page
Main Page
2012-02-23T00:41:48Z
<p>Eiyee: remove broken irc log #4</p>
<hr />
<div>__NOTOC__<br />
<br />
==== About this site ====<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals.<br />
These phones are:<br />
<br />
<br />
# '''Motorola Milestone''' (our primary target)<br />
# Motorola Milestone 2<br />
# Motorola Droid<br />
# Motorola Droid X<br />
# Motorola Droid 2<br />
# Motorola MOTOROI/Milestone XT720<br />
# Motorola Sholes Tablet XT701<br />
# Motorola Titanium XT800<br />
# Motorola Ruth (ME511) aka. Flipout<br />
# Motorola Charm (MB502)<br />
# Motorola DEXT (MB200) aka. Cliq<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:community.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://www.damogran.de/milestone-modding/ <span title="Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.">IRC log #1</span>] | [http://bacon.ojnk.org/milestone-modding.log <span title="Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.">IRC log #2</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #3</span>] | [http://mmlogs.doshaska.net/ <span title="Backup log. Started 23.09.2011.">IRC log #5</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/ Our projects on Bitbucket]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:hardware.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about devices internals - PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Milestone 2 | Milestone 2]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] | [[Motorola Charm | Charm]] | [[Motorola Atrix | Atrix]] | [[Motorola DEXT | DEXT]]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[CyanogenMod]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small><br />
|}<br />
<br />
|}<br />
<br />
==== Information for volunteers ====<br />
<br />
If you are a developer and have some code-project for the Droid family of smartphones(e.g. Milestone) - enjoy us on [http://gitorious.org/+droid-developers Gitorious]<br />
<br />
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].<br />
<br />
If you're technical type - see our [[roadmap|Roadmap]] and progress in our [[projects|Projects]].<br />
<br />
See the [[content|content index here]].<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research how-to unlock boot process for the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[modes|recovery image]] hasn't yet been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] due to our current impossibility of controlling [[Booting chain|the boot process]]. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. It seems the bootloader (mbm in particular (neither lbl nor mbmloader access the CDT). See [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here].) uses the [[CDT|cdt partition table]] to check if the recovery has been signed correctly. If not, the recovery won't start at all and the [[modes|bootloader mode]] shows instead of it.<br />
<br />
* '''[[2ndboot]]'''<br />
* '''[[Vulnerability hunting]]'''<br />
* '''[[Bruteforce]]'''<br />
* '''[[open_recovery | Open Recovery]]'''<br />
* '''[[2ndinit]]'''<br />
<br />
|}<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:baseband.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our researches of Baseband and RF part of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
We have running RTXC OS on [[Wrigley 3G]] modem, which consist from ARM core and [[TMS320C55x+]] DSP core<br />
Our main problem, that Motorola using non-standard RIL, which partially implemented on AP side.<br />
Also, our second problem, that [[TMS320C55x+]] is closed platform, and no datasheets for it available.<br />
It very different from original [[TMS320C55x]] architecture and have other opcodes.<br />
We only have '''asm55p''' utility from TI, which can produce binary from TMS320 assembler.<br />
So, it is very important task - make full reverse of it. [[File:asm55p.idb.bz2]] [[File:dis55.idb.bz2]] [[File:dis55.c.gz]]<br />
<br />
* '''[[Baseband Processor Boot ROM]]'''<br />
* '''[[BP firmware]]'''<br />
* '''[[Texas Instruments Wrigley 3G]]'''<br />
* '''[[GSM/CDMA-chain]]'''<br />
<br />
|}<br />
<br />
|<br />
|}<br />
<br />
== '''[[2ndboot]]''' ==<br />
<br />
This attack right now is by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack here]].<br />
<br />
== '''[[Vulnerability hunting]]''' ==<br />
<br />
As far as we know now this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker([mbm]) has written a [http://pastebin.ca/raw/1833228|user mode memory dumper] and dumped Droid public ROM. As we found - all roms for omap3430 are identical. Same situation for the omap3630. See here: [[Booting chain|Boot chain]]<br />
<br />
== '''[[Bruteforce]]''' ==<br />
<br />
This is distributed computation of the 1024 bit RSA secret key, which can be used for signing our bootloaders and kernel images. <br />
<br />
== '''[[open_recovery | Open Recovery]]''' ==<br />
<br />
Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.<br />
<br />
== '''[[2ndinit]]''' ==<br />
<br />
This thing basically inject code to /init to "restart itself" allowing you to use custom init binary and init.rc scripts without side effects.</div>
Eiyee