frederic / chipicopwn

Bootloader exploit for Google Nest Hub (2nd Gen) (elaine)
MIT License

New firmware version does not crash #2

Closed iMartyn closed 1 year ago

iMartyn commented 1 year ago

Hi, I was trying to boot a Linux kernel (the one linked to in your blog was an Android kernel and it was causing me issues, so I started working out the boot.img stuff...) and I rebooted with my ethernet still connected. Not good: it went into an update before I realised, and now the pico doesn't crash U-Boot. Previously I was using the fw-2022_01 branch and, aside from all the problems of running an Android kernel with an Ubuntu userspace, it was working.

On the off chance that you have already begun the investigation, and here's hoping that it's just a different offset or similar, I have a device here (with debug breakout, because I wanted to get a mainline-ish kernel running) that I can confirm things on, unfortunately with this new firmware.

I'm not holding out that much hope, because from what I can tell it should crash but not boot if they didn't touch U-Boot, but the log implies the same version.

Here's the log. BL2 was built more recently, but with apparently the same U-Boot. It's still trying to load recovery.img but not crashing:

SM1:BL:511f6b:81ca2f;FEAT:A28821B2:202B3000;POC:D;USB:0;SM1:BL:511f6b:81ca2f;FEAT:A28821B2:202B3000;POC:D;USB:0;EMMC:0;READ:0;CHK:1F;READ:0;0.0;0.0;CHK:0;
bl2_stage_init 0x01
bl2_stage_init 0x81
hw id: 0x0000 - pwm id 0xff
bl2_stage_init 0xff
bl2_stage_init 0x02

L0:e41baa55
L1:00000703
L2:00008067
L3:15000000
S1:00100000
B2:202b3000
B1:a28821b2

BL2 Built : 16:19:59, May 05 2021. \ng12a gb9ea438 - user@host

Set cpu clk to 24M
Set clk81 to 24M
Use GP1_pll as DSU clk.
DSU clk: 1200 Mhz
CPU clk: 1200 MHz
Set clk81 to 166.6M
eMMC boot @ 1
sw8 s
sd/emmc cmd 8 arg 0x00000000 status 01df3000
OTP_ARB=00000001
DDR driver_vesion: LPDDR4_PHY_V_0_1_12 build time: May 14 2022 04:45:55
board id: 0
Load MISC SETTING from eMMC, src: 0x0b000000, des: 0xfffd0000, size: 0x00001000, part: 0
00000000
emmc switch 0 ok
check ab data
Load FIP HDR from eMMC, src: 0x0c900000, des: 0xfffd0000, size: 0x00004000, part: 0
fw parse done
Load ddrfw from eMMC, src: 0x0c944000, des: 0xfffd0000, size: 0x0000c000, part: 0
Load ddrfw from eMMC, src: 0x0c928000, des: 0xfffd0000, size: 0x00004000, part: 0
PIEI prepare done
Cfg max: 2, cur: 1. Board id: 255. Force loop cfg
DDR3 probe
ddr clk to 912MHz
Load ddrfw from eMMC, src: 0x0c91c000, des: 0xfffd0000, size: 0x0000c000, part: 0

dmc_version 0001
Check phy result
INFO : End of initialization
INFO : End of read enable training
INFO : End of fine write leveling
INFO : End of read dq deskew training
INFO : End of MPR read delay center optimization
INFO : End of Write leveling coarse delay
INFO : End of write delay center optimization
INFO : End of read delay center optimization
INFO : End of max read latency training
INFO : Training has run successfully!
1D training succeed
DDR cs0 size: 1024MB
DDR cs1 size: 1024MB
DMC_DDR_CTRL: 0020001bDDR size: 2048MB
cs0 DataBus test pass
cs1 DataBus test pass
cs0 AddrBus test pass
cs1 AddrBus test pass

100bdlr_step_size ps== 472
result report
boot times 0Enable ddr reg access
00000000
emmc switch 3 ok
BL2: rpmb counter: 0x00000000
00000000
emmc switch 0 ok
load A/B image
Load FIP HDR from eMMC, src: 0x0c900000, des: 0x01700000, size: 0x00004000, part: 0
Load BL3X from eMMC, src: 0x0c95c000, des: 0x0175c000, size: 0x00140000, part: 0
0.0;0.0;M3 CHK:0;cm4_sp_mode 0
E30HDR
MVN_1=0x00000000
MVN_2=0x00000000
[Image: g12a_v0.0.4129-f3af4946 Fri Apr 30 20:24:40 2021 -0700 user@host]
ring efuse init
2b 0c 05 00 01 2d 0c 00 00 01 30 36 32 52 43 50
secure task start!
high task start!
low task start!
mach_cpu_init

U-Boot 2019.01-gdeafea66ea-dirty (Dec 16 2021 - 02:43:54 )

DRAM:  2 GiB
board init
GPIOA_10: not found
GPIOH_5: not found
MMC:
sd: 0, emmc: 1
In:    serial@3000
Out:   serial@3000
Err:   serial@3000
board late init
emmc: resp timeout, cmd8, status=0x1df2800
emmc: resp timeout, cmd55, status=0x1df2800
emmc probe success
switch to partitions #0, OK
mmc1(part 0) is current device
lcd extern: aml_lcd_extern_probe ok
lcd: error: gpio 1 is not probed
lcd: error: gpio 1 is not probed
wipe_data=successful
wipe_cache=successful
fts: v13 loaded from 0x00000000
fts: v13 loaded from 0x00000000
lcd: error: gpio 1 is not probed
** File not found last_brightness **
Enabling Amp Boost
MUTE engaged
VOL_UP pressed
VOL_DN pressed
fts: v13 loaded from 0x00000000
vmin:32 b5 0 0!
get dvfs_id:0
detect VOL_UP pressed
VOL_DN pressed
resetting USB...
USB0:   <NULL>: not found
Register 3000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
** Unrecognized filesystem type **
resetting USB...
USB0:   <NULL>: not found
Register 3000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
** Unable to read file recovery.img **
resetting USB...
USB0:   <NULL>: not found
Register 3000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
** Unable to read file recovery.img **
resetting USB...
USB0:   <NULL>: not found
Register 3000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 2 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
** Unable to read file recovery.img **
resetting USB...
USB0:   <NULL>: not found

frederic commented 1 year ago

The update fixed the bug exploited by chipicopwn: your U-Boot build date (Dec. 2021) matches the expected fix release date. You might be able to downgrade the firmware; however, I've never attempted to do so.
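The check frederic applies here (read the U-Boot banner's build date off the serial log and compare it with the fix window) is easy to get wrong by eye in a 150-line boot log, so below is a small triage helper written for this page; it is not part of chipicopwn and not code from the repository. It pulls the BL2 and U-Boot build timestamps out of a captured log, counts how many times U-Boot got as far as trying to read recovery.img from USB (evidence that it rescanned the stick and kept running rather than crashing, which is exactly what the log above shows), and reports a verdict. The cutoff date of 1 Dec 2021 is an assumption taken from frederic's "Dec. 2021" remark, not a vendor-published fix date, and the embedded sample is an excerpt of the log posted in this issue.

```python
import re
from datetime import datetime

# Excerpt of the serial log posted in this issue (only the lines the checks need).
SAMPLE_LOG = """\
BL2 Built : 16:19:59, May 05 2021. \\ng12a gb9ea438 - user@host
U-Boot 2019.01-gdeafea66ea-dirty (Dec 16 2021 - 02:43:54 )
DRAM:  2 GiB
scanning usb for storage devices... 1 Storage Device(s) found
** Unrecognized filesystem type **
resetting USB...
scanning usb for storage devices... 1 Storage Device(s) found
** Unable to read file recovery.img **
resetting USB...
scanning usb for storage devices... 1 Storage Device(s) found
** Unable to read file recovery.img **
resetting USB...
"""

# Assumption: frederic's reply places the fix in U-Boot builds dated Dec. 2021, so a
# build on or after this date is treated as patched. This is not a vendor-confirmed cutoff.
FIX_CUTOFF = datetime(2021, 12, 1)

# "U-Boot 2019.01-gdeafea66ea-dirty (Dec 16 2021 - 02:43:54 )"
UBOOT_RE = re.compile(
    r"^U-Boot (\S+) \(([A-Z][a-z]{2} \d{2} \d{4}) - (\d\d:\d\d:\d\d) ?\)", re.M)
# "BL2 Built : 16:19:59, May 05 2021. ..."
BL2_RE = re.compile(
    r"^BL2 Built : (\d\d:\d\d:\d\d), ([A-Z][a-z]{2} \d{2} \d{4})\.", re.M)
# Each of these lines means U-Boot finished a USB storage scan and tried to load
# recovery.img, i.e. it survived the scan instead of crashing.
RECOVERY_RE = re.compile(
    r"^\*\* (Unable to read file recovery\.img|Unrecognized filesystem type) \*\*$", re.M)


def parse_uboot(log):
    """Return {'version': str, 'built': datetime} from the U-Boot banner, or None."""
    m = UBOOT_RE.search(log)
    if not m:
        return None
    version, date, time = m.groups()
    built = datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S")
    return {"version": version, "built": built}


def parse_bl2(log):
    """Return the BL2 build timestamp as a datetime, or None if the line is absent."""
    m = BL2_RE.search(log)
    if not m:
        return None
    time, date = m.groups()
    return datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S")


def recovery_attempts(log):
    """Count completed USB scans that ended in a recovery.img load attempt."""
    return len(RECOVERY_RE.findall(log))


def triage(log):
    """Summarise a serial log: firmware build dates, USB retry count and a verdict."""
    uboot = parse_uboot(log)
    bl2 = parse_bl2(log)
    attempts = recovery_attempts(log)
    if uboot is None:
        verdict = "unknown"          # no banner: capture the full boot log again
    elif uboot["built"] >= FIX_CUTOFF:
        verdict = "patched"          # build date inside the assumed fix window
    else:
        verdict = "pre-fix"          # older U-Boot; the chipicopwn target build
    return {
        "bl2_built": bl2,
        "uboot": uboot,
        "usb_retries": attempts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    print(f"BL2 built     : {result['bl2_built']}")
    print(f"U-Boot        : {result['uboot']}")
    print(f"USB retries   : {result['usb_retries']}")
    print(f"verdict       : {result['verdict']}")
```

Run it as `python3 triage.py capture.log` on a serial capture; with no argument it runs over the excerpt above and reports the Dec 16 2021 U-Boot build as patched, with three completed USB scans. A non-zero retry count on a build you believed vulnerable is a strong hint that the device is running the fixed U-Boot, whatever the BL2 date says, since in this issue BL2 was rebuilt separately from U-Boot.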