rellla changed the topic of #linux-sunxi to: Allwinner/sunxi /development discussion - did you try looking at our wiki? https://linux-sunxi.org - Don't ask to ask. Just ask and wait! - https://github.com/linux-sunxi/ - Logs at http://irclog.whitequark.org/linux-sunxi - *only registered users can talk*
<MoeIcenowy> bauen1: don't worry, the H5 one is severely broken, at least when secure boot is not used
gaston1980 has quit [Quit: Konversation terminated!]
ganbold has joined #linux-sunxi
ChriChri_ has joined #linux-sunxi
ChriChri has quit [Ping timeout: 272 seconds]
ChriChri_ is now known as ChriChri
lurchi_ has quit [Remote host closed the connection]
lurchi_ has joined #linux-sunxi
<smaeul> bauen1: correct. I never bothered to install Ruby (gentoo...) to generate a TOC0 image, so I never burnt the fuse.
<smaeul> Since I'm not using that board for anything anyway, who cares if it boots? So eh, screw it: https://github.com/smaeul/sunxi-blobs/commit/5d07b76bbc83
zoobab has quit [Remote host closed the connection]
zoobab has joined #linux-sunxi
lurchi_ is now known as lurchi__
zoobab has quit [Ping timeout: 240 seconds]
zoobab has joined #linux-sunxi
chewitt has quit [Quit: Zzz..]
zoobab has quit [Ping timeout: 256 seconds]
zoobab has joined #linux-sunxi
rex_victor has quit [Ping timeout: 272 seconds]
\\Mr_C\\ has quit [Quit: (Read error: Connection reset by beer)]
rex_victor has joined #linux-sunxi
[7] has quit [Ping timeout: 244 seconds]
TheSeven has joined #linux-sunxi
JohnDoe_71Rus has joined #linux-sunxi
lurchi_ has joined #linux-sunxi
lurchi__ has quit [Ping timeout: 260 seconds]
cnxsoft1 has joined #linux-sunxi
cnxsoft has quit [Read error: Connection reset by peer]
AneoX has quit [Ping timeout: 240 seconds]
anarsoul has quit [Remote host closed the connection]
anarsoul has joined #linux-sunxi
ddlstwrr has joined #linux-sunxi
j--r has quit [Ping timeout: 244 seconds]
j--r has joined #linux-sunxi
yann has joined #linux-sunxi
<bauen1> smaeul: thanks
<bauen1> MoeIcenowy: in what way ?
igraltist has quit [Remote host closed the connection]
igraltist has joined #linux-sunxi
<bauen1> smaeul: the sbrom you uploaded is just the nbrom but twice
cmeerw has joined #linux-sunxi
<bauen1> anyhow i'm tending towards buying a h6 device
yann has quit [Ping timeout: 265 seconds]
ric96 has quit [Ping timeout: 272 seconds]
ric96 has joined #linux-sunxi
Benjojo has quit [Ping timeout: 272 seconds]
Benjojo has joined #linux-sunxi
yann has joined #linux-sunxi
diego71 has quit [Ping timeout: 260 seconds]
<bauen1> so the h6 has a trusted watchdog, which is nice i guess, and according to the arm trusted firmware SRAM A2 is marked as secure, but still no trace of anything that would allow marking peripherals as secure
<bauen1> it also appears that all the R_.*, RTC and SRAM A2 are attached on the same bus, so it could be possible that their all marked as secure
<bauen1> that would actually be quite decent
<bauen1> however not being able to mark peripherals as secure also makes it less useful
<bauen1> guess i just have to buy a board to dump the firmware and figure out if there are any undocumented features
ddlstwrr has quit [Ping timeout: 245 seconds]
warpme_ has joined #linux-sunxi
ndufresne has quit [Quit: The Lounge - https://thelounge.chat]
florian has joined #linux-sunxi
AneoX has joined #linux-sunxi
ndufresne has joined #linux-sunxi
JohnDoe6 has joined #linux-sunxi
JohnDoe_71Rus has quit [Ping timeout: 240 seconds]
jbrown has joined #linux-sunxi
netlynx has joined #linux-sunxi
netlynx has quit [Changing host]
netlynx has joined #linux-sunxi
obbardc has quit [Remote host closed the connection]
ndufresne has quit [Quit: The Lounge - https://thelounge.chat]
ldevulder__ has joined #linux-sunxi
ldevulder_ has quit [Ping timeout: 246 seconds]
chewitt has joined #linux-sunxi
_whitelogger has joined #linux-sunxi
ndufresne has joined #linux-sunxi
<bauen1> it kind of looks like all trustzone implementation in allwinner SoCs are handi-capped in some way or another (backkdoor in h3, probably a lack of SPC / SMC on the h6)
lvrp16 has quit [Ping timeout: 260 seconds]
lvrp16 has joined #linux-sunxi
<smaeul> bauen1: oops, sorry. I dumped the BROM from FEL, but FEL is implemented in the NBROM only, so the SBROM switches the mux to NBROM before entering FEL
<smaeul> I will get the correct BROM and reupload
<smaeul> about the H6: there is MMIO address space reserved for the SPC/TZASC, but the BSP isn't clear if any device actually exists at those locations
<smaeul> it's possible they are completely hidden until the secure mode fuse is blown, or (as you suggest) they aren't there at all
<smaeul> bauen1: what about h3 do you consider a backdoor?
chewitt has quit [Quit: Zzz..]
Mangy_Dog has joined #linux-sunxi
lurchi_ is now known as lurchi__
AneoX has quit [Ping timeout: 240 seconds]
diego71 has joined #linux-sunxi
<smaeul> bauen1: I pushed the real H5 SBROM. I can do H6 too, though I'd like to add TOC0 support to binman before blowing more fuses
florian has quit [Quit: Leaving]
AneoX has joined #linux-sunxi
chewitt has joined #linux-sunxi
ddlstwrr has joined #linux-sunxi
steev has quit [Ping timeout: 272 seconds]
steev has joined #linux-sunxi
jbrown has quit [Ping timeout: 272 seconds]
<bauen1> smaeul: thanks, i'll take a look and reverse engineer it a bit
jbrown has joined #linux-sunxi
<bauen1> smaeul: i was thinking about the 'smc #0' call to enter secure mode from fel without any signature check
<bauen1> smaeul: where did you find the info that there is mmio space reserved on the h6 ?
<bauen1> if it does have a TZASC or SPC that would be awesome
<bauen1> and if the sbrom can switch to the nbrom at runtime it might also be possible to switch to sbrom without blowing any fuses (and maybe that could be applied to the h6)
<smaeul> I don't think you can toggle the BROM without the fuse. the switching code is func_000080ac => bit 31 0x1c000f0, 0 == SBROM, 1 == NBROM, the bit itself is NS
<smaeul> but without the fuse, the whole register is 0, and you still get the NBROM
<smaeul> H6 info would have come from the BSP code. I'd have to dig through it again
_whitelogger has joined #linux-sunxi
pmp-p has quit [Ping timeout: 258 seconds]
<smaeul> the secure monitor installed by the SBROM does zero checking before toggling the NS bit, and the monitor is installed unconditionally
<smaeul> so FEL access implies unsigned code execution at EL3
<bauen1> yeah so not exactly how it should be
<bauen1> did you observe this just with the h3 or also with the h5 ?
<smaeul> I am just looking at the H5 SBROM
<bauen1> yeah that's not so nice
ddlstwrr has quit [Remote host closed the connection]
<bauen1> the code that switches to secure mode is still there for sure (0x000081d8 - $+0x2) but now i can't really find the code that actually loads the secure monitor vector table (0x000081a4)
<bauen1> oh nevermind i found it
<bauen1> it also reads the ROTPK hash and NV1 values from SID and writes them to ~0x10000 before executing fel, but i'm not really sure what for
jstein has joined #linux-sunxi
iyzsong has quit [Quit: ZNC 1.7.5 - https://znc.in]
iyzsong has joined #linux-sunxi
ganbold has quit [Read error: Connection reset by peer]
JohnDoe6 has quit [Quit: KVIrc 5.0.0 Aria http://www.kvirc.net/]
<Ashleee> wow the H6 is a really hot chip eh?
<Ashleee> the problem with the cooling isn't with heatsink but with the chip itself
pmp-p has joined #linux-sunxi
pmp-p has quit [Client Quit]
jstein has quit [Quit: quit]
pmp-p has joined #linux-sunxi
jstein has joined #linux-sunxi
hexdump0815 has joined #linux-sunxi
<hexdump0815> Ashleee: what helped for me on one h6 box was to remove the heatsink and apply a bigger one with fresh and good thermal paste - this way i was able to run a h6 at 1.8ghz and full load with passive cooling
<hexdump0815> Ashleee: and on tv boxes i think they might run at slightly differerent voltages (due to binning maybe) depending on the box which lets them run slightly hotter or cooler
<Ashleee> fair point
<Ashleee> I am half tempted to say that the thermal pad is also not the best
<Ashleee> but the one I normally use has gone missing so I reused the original one
<Ashleee> right now the test looks like this
<Ashleee> hope it opens
<hexdump0815> Ashleee: my impression was that the thermal paste sometimes is not even thermal paste but just some kind of silocon glue :)
<Ashleee> this is the thermal glue-pad
<hexdump0815> Ashleee: neat :)
<Ashleee> even with this it is between 77 - 80C ...
<Ashleee> on full 1.8GHz
pmp-p has quit [Ping timeout: 272 seconds]
<hexdump0815> Ashleee: then i think the thermal pad is not good or not touching the soc well enough
<Ashleee> yeah
<Ashleee> I need to clean up my table and find the better one
pmp-p has joined #linux-sunxi
<bauen1> smaeul: did you use https://gist.github.com/jemk/2abcab1359c4bce793679c5854062331 to create the image that boots ?
hexdump0815 has quit [Ping timeout: 245 seconds]
pmp-p has quit [Ping timeout: 272 seconds]
pmp-p has joined #linux-sunxi
gaston1980 has joined #linux-sunxi
<smaeul> bauen1: I used https://github.com/ssvb/sunxi-tools/tree/toc0 rebased on top of master
<smaeul> ./egon2toc.rb sunxi-spl.bin sunxi-spl.toc0 0x10000 && cat sunxi-spl.toc0 u-boot.itb > u-boot-sunxi-with-spl.toc0
<smaeul> and flash as normal. you'll need to change CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x70 since SPL is now 48k instead of 32k
tuxillo has quit [Ping timeout: 256 seconds]
qschulz has quit [Remote host closed the connection]
qschulz has joined #linux-sunxi
<bauen1> hm, so the function that "parses" the asn.1 data structre gets passed the pointer to the data and the length, but it doesn't actually seem to _ever_ validate the length of asn.1 elements against the total length
tuxillo has joined #linux-sunxi
<bauen1> but it is probably limited to triggering read access to above where the asn.1 data is located
warpme_ has quit [Quit: Connection closed for inactivity]
netlynx has quit [Quit: Ex-Chat]
lurchi__ is now known as lurchi_
jbrown has quit [Ping timeout: 240 seconds]
cmeerw has quit [Ping timeout: 244 seconds]
yann has quit [Ping timeout: 272 seconds]