2018-02-26 13:06:10 +00:00
|
|
|
/*
|
2019-06-17 18:27:55 +00:00
|
|
|
* This file is part of the Trezor project, https://trezor.io/
|
2018-02-26 13:06:10 +00:00
|
|
|
*
|
|
|
|
* Copyright (c) SatoshiLabs
|
|
|
|
*
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
2017-04-01 17:58:58 +00:00
|
|
|
#include <string.h>
|
2017-04-12 16:31:23 +00:00
|
|
|
#include <sys/types.h>
|
2017-04-01 17:58:58 +00:00
|
|
|
|
2023-10-31 11:38:11 +00:00
|
|
|
#include "boot_args.h"
|
2017-03-21 00:41:49 +00:00
|
|
|
#include "common.h"
|
2018-07-26 13:28:34 +00:00
|
|
|
#include "display.h"
|
2023-06-28 08:51:30 +00:00
|
|
|
#include "display_utils.h"
|
2023-11-14 10:53:24 +00:00
|
|
|
#include "fault_handlers.h"
|
2019-03-29 15:26:02 +00:00
|
|
|
#include "flash.h"
|
2023-11-01 12:40:50 +00:00
|
|
|
#include "flash_otp.h"
|
2019-03-29 15:26:02 +00:00
|
|
|
#include "image.h"
|
2023-06-28 08:51:30 +00:00
|
|
|
#include "lowlevel.h"
|
2023-07-20 11:20:50 +00:00
|
|
|
#include "messages.pb.h"
|
2021-03-25 18:33:21 +00:00
|
|
|
#include "random_delays.h"
|
2017-10-26 21:51:39 +00:00
|
|
|
#include "secbool.h"
|
2023-07-20 11:20:50 +00:00
|
|
|
#include "secret.h"
|
2023-06-30 10:12:55 +00:00
|
|
|
|
2023-02-15 12:57:54 +00:00
|
|
|
#ifdef USE_DMA2D
|
2022-08-16 14:51:10 +00:00
|
|
|
#include "dma2d.h"
|
2022-04-25 09:46:09 +00:00
|
|
|
#endif
|
2023-03-27 15:52:59 +00:00
|
|
|
#ifdef USE_I2C
|
|
|
|
#include "i2c.h"
|
|
|
|
#endif
|
2023-09-26 09:44:43 +00:00
|
|
|
#ifdef USE_OPTIGA
|
|
|
|
#include "optiga_hal.h"
|
|
|
|
#endif
|
2023-02-15 12:57:54 +00:00
|
|
|
#ifdef USE_TOUCH
|
2023-06-23 14:50:13 +00:00
|
|
|
#include "touch.h"
|
2023-02-15 12:57:54 +00:00
|
|
|
#endif
|
|
|
|
#ifdef USE_BUTTON
|
2022-04-25 09:46:09 +00:00
|
|
|
#include "button.h"
|
2023-02-15 12:57:54 +00:00
|
|
|
#endif
|
2023-06-22 19:56:48 +00:00
|
|
|
#ifdef USE_CONSUMPTION_MASK
|
|
|
|
#include "consumption_mask.h"
|
|
|
|
#endif
|
2023-02-15 12:57:54 +00:00
|
|
|
#ifdef USE_RGB_LED
|
2022-05-31 07:31:32 +00:00
|
|
|
#include "rgb_led.h"
|
2022-04-25 09:46:09 +00:00
|
|
|
#endif
|
2023-12-15 22:50:33 +00:00
|
|
|
#ifdef USE_HASH_PROCESSOR
|
|
|
|
#include "hash_processor.h"
|
|
|
|
#endif
|
|
|
|
|
2023-06-01 12:21:51 +00:00
|
|
|
#include "model.h"
|
2017-03-28 11:04:54 +00:00
|
|
|
#include "usb.h"
|
2017-04-06 15:21:03 +00:00
|
|
|
#include "version.h"
|
2017-03-20 14:41:21 +00:00
|
|
|
|
2017-12-17 00:09:45 +00:00
|
|
|
#include "bootui.h"
|
2017-04-12 16:31:23 +00:00
|
|
|
#include "messages.h"
|
2022-05-05 11:47:19 +00:00
|
|
|
#include "rust_ui.h"
|
2023-04-14 15:18:03 +00:00
|
|
|
#include "unit_variant.h"
|
2017-04-01 17:58:58 +00:00
|
|
|
|
2023-06-30 10:12:55 +00:00
|
|
|
#ifdef TREZOR_EMULATOR
|
|
|
|
#include "emulator.h"
|
|
|
|
#else
|
|
|
|
#include "compiler_traits.h"
|
|
|
|
#include "mpu.h"
|
|
|
|
#include "platform.h"
|
|
|
|
#endif
|
|
|
|
|
2019-03-29 15:26:02 +00:00
|
|
|
#define USB_IFACE_NUM 0
|
2018-02-12 13:42:47 +00:00
|
|
|
|
2022-05-05 11:47:19 +00:00
|
|
|
typedef enum {
|
2023-06-30 20:57:04 +00:00
|
|
|
SHUTDOWN = 0,
|
|
|
|
CONTINUE_TO_FIRMWARE = 0xAABBCCDD,
|
|
|
|
RETURN_TO_MENU = 0x55667788,
|
2022-05-05 11:47:19 +00:00
|
|
|
} usb_result_t;
|
|
|
|
|
2023-09-25 13:35:09 +00:00
|
|
|
void failed_jump_to_firmware(void);
|
2023-06-28 08:51:30 +00:00
|
|
|
|
2024-03-03 21:19:12 +00:00
|
|
|
CONFIDENTIAL volatile secbool dont_optimize_out_true = sectrue;
|
|
|
|
CONFIDENTIAL volatile void (*firmware_jump_fn)(void) = failed_jump_to_firmware;
|
2023-09-25 13:35:09 +00:00
|
|
|
|
2020-02-12 20:47:05 +00:00
|
|
|
static void usb_init_all(secbool usb21_landing) {
|
|
|
|
usb_dev_info_t dev_info = {
|
2019-03-29 15:26:02 +00:00
|
|
|
.device_class = 0x00,
|
|
|
|
.device_subclass = 0x00,
|
|
|
|
.device_protocol = 0x00,
|
|
|
|
.vendor_id = 0x1209,
|
|
|
|
.product_id = 0x53C0,
|
|
|
|
.release_num = 0x0200,
|
2024-05-03 12:57:55 +00:00
|
|
|
.manufacturer = MODEL_USB_MANUFACTURER,
|
|
|
|
.product = MODEL_USB_PRODUCT,
|
2019-03-29 15:26:02 +00:00
|
|
|
.serial_number = "000000000000000000000000",
|
|
|
|
.interface = "TREZOR Interface",
|
|
|
|
.usb21_enabled = sectrue,
|
2020-02-12 20:47:05 +00:00
|
|
|
.usb21_landing = usb21_landing,
|
2019-03-29 15:26:02 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static uint8_t rx_buffer[USB_PACKET_SIZE];
|
|
|
|
|
|
|
|
static const usb_webusb_info_t webusb_info = {
|
|
|
|
.iface_num = USB_IFACE_NUM,
|
2023-03-23 14:42:21 +00:00
|
|
|
#ifdef TREZOR_EMULATOR
|
|
|
|
.emu_port = 21324,
|
|
|
|
#else
|
2024-05-29 08:22:54 +00:00
|
|
|
.ep_in = 0x01,
|
|
|
|
.ep_out = 0x01,
|
2023-03-23 14:42:21 +00:00
|
|
|
#endif
|
2019-03-29 15:26:02 +00:00
|
|
|
.subclass = 0,
|
|
|
|
.protocol = 0,
|
|
|
|
.max_packet_len = sizeof(rx_buffer),
|
|
|
|
.rx_buffer = rx_buffer,
|
|
|
|
.polling_interval = 1,
|
|
|
|
};
|
|
|
|
|
2024-05-31 11:25:47 +00:00
|
|
|
ensure(usb_init(&dev_info), NULL);
|
2019-03-29 15:26:02 +00:00
|
|
|
|
|
|
|
ensure(usb_webusb_add(&webusb_info), NULL);
|
|
|
|
|
2024-05-31 11:25:47 +00:00
|
|
|
ensure(usb_start(), NULL);
|
2017-04-05 17:33:50 +00:00
|
|
|
}
|
|
|
|
|
2022-05-05 11:47:19 +00:00
|
|
|
static usb_result_t bootloader_usb_loop(const vendor_header *const vhdr,
|
|
|
|
const image_header *const hdr) {
|
2020-02-12 20:47:05 +00:00
|
|
|
// if both are NULL, we don't have a firmware installed
|
|
|
|
// let's show a webusb landing page in this case
|
|
|
|
usb_init_all((vhdr == NULL && hdr == NULL) ? sectrue : secfalse);
|
2017-04-07 00:34:53 +00:00
|
|
|
|
2019-03-29 15:26:02 +00:00
|
|
|
uint8_t buf[USB_PACKET_SIZE];
|
2017-04-07 00:34:53 +00:00
|
|
|
|
2019-03-29 15:26:02 +00:00
|
|
|
for (;;) {
|
2023-03-23 14:42:21 +00:00
|
|
|
#ifdef TREZOR_EMULATOR
|
|
|
|
emulator_poll_events();
|
|
|
|
#endif
|
2019-03-29 15:26:02 +00:00
|
|
|
int r = usb_webusb_read_blocking(USB_IFACE_NUM, buf, USB_PACKET_SIZE,
|
|
|
|
USB_TIMEOUT);
|
|
|
|
if (r != USB_PACKET_SIZE) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
uint16_t msg_id;
|
|
|
|
uint32_t msg_size;
|
2022-05-05 11:47:19 +00:00
|
|
|
uint32_t response;
|
2019-03-29 15:26:02 +00:00
|
|
|
if (sectrue != msg_parse_header(buf, &msg_id, &msg_size)) {
|
|
|
|
// invalid header -> discard
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
switch (msg_id) {
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_Initialize:
|
2019-03-29 15:26:02 +00:00
|
|
|
process_msg_Initialize(USB_IFACE_NUM, msg_size, buf, vhdr, hdr);
|
|
|
|
break;
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_Ping:
|
2019-03-29 15:26:02 +00:00
|
|
|
process_msg_Ping(USB_IFACE_NUM, msg_size, buf);
|
|
|
|
break;
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_WipeDevice:
|
2022-05-05 11:47:19 +00:00
|
|
|
response = ui_screen_wipe_confirm();
|
2019-03-29 15:26:02 +00:00
|
|
|
if (INPUT_CANCEL == response) {
|
|
|
|
send_user_abort(USB_IFACE_NUM, "Wipe cancelled");
|
2022-05-05 11:47:19 +00:00
|
|
|
hal_delay(100);
|
|
|
|
usb_deinit();
|
2023-06-30 20:57:04 +00:00
|
|
|
return RETURN_TO_MENU;
|
2018-01-23 23:36:32 +00:00
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
ui_screen_wipe();
|
|
|
|
r = process_msg_WipeDevice(USB_IFACE_NUM, msg_size, buf);
|
|
|
|
if (r < 0) { // error
|
2022-05-05 11:47:19 +00:00
|
|
|
screen_wipe_fail();
|
2023-03-10 17:26:42 +00:00
|
|
|
hal_delay(100);
|
2019-03-29 15:26:02 +00:00
|
|
|
usb_deinit();
|
2022-05-05 11:47:19 +00:00
|
|
|
return SHUTDOWN;
|
|
|
|
} else { // success
|
|
|
|
screen_wipe_success();
|
2023-03-10 17:26:42 +00:00
|
|
|
hal_delay(100);
|
2019-03-29 15:26:02 +00:00
|
|
|
usb_deinit();
|
2022-05-05 11:47:19 +00:00
|
|
|
return SHUTDOWN;
|
2017-04-12 16:31:23 +00:00
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
break;
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_FirmwareErase:
|
2019-03-29 15:26:02 +00:00
|
|
|
process_msg_FirmwareErase(USB_IFACE_NUM, msg_size, buf);
|
|
|
|
break;
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_FirmwareUpload:
|
2019-03-29 15:26:02 +00:00
|
|
|
r = process_msg_FirmwareUpload(USB_IFACE_NUM, msg_size, buf);
|
2022-11-21 13:12:49 +00:00
|
|
|
if (r < 0 && r != UPLOAD_ERR_USER_ABORT) { // error, but not user abort
|
2023-08-24 17:16:09 +00:00
|
|
|
if (r == UPLOAD_ERR_BOOTLOADER_LOCKED) {
|
2024-06-10 14:57:59 +00:00
|
|
|
// This function does not return
|
|
|
|
show_install_restricted_screen();
|
2023-08-24 17:16:09 +00:00
|
|
|
} else {
|
|
|
|
ui_screen_fail();
|
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
usb_deinit();
|
2022-05-05 11:47:19 +00:00
|
|
|
return SHUTDOWN;
|
|
|
|
} else if (r == UPLOAD_ERR_USER_ABORT) {
|
|
|
|
hal_delay(100);
|
|
|
|
usb_deinit();
|
2023-06-30 20:57:04 +00:00
|
|
|
return RETURN_TO_MENU;
|
2019-03-29 15:26:02 +00:00
|
|
|
} else if (r == 0) { // last chunk received
|
|
|
|
ui_screen_install_progress_upload(1000);
|
|
|
|
ui_screen_done(4, sectrue);
|
|
|
|
ui_screen_done(3, secfalse);
|
|
|
|
hal_delay(1000);
|
|
|
|
ui_screen_done(2, secfalse);
|
|
|
|
hal_delay(1000);
|
|
|
|
ui_screen_done(1, secfalse);
|
|
|
|
hal_delay(1000);
|
|
|
|
usb_deinit();
|
2023-06-30 20:57:04 +00:00
|
|
|
return CONTINUE_TO_FIRMWARE;
|
2017-04-07 00:34:53 +00:00
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
break;
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_GetFeatures:
|
2019-03-29 15:26:02 +00:00
|
|
|
process_msg_GetFeatures(USB_IFACE_NUM, msg_size, buf, vhdr, hdr);
|
|
|
|
break;
|
2023-06-28 08:51:30 +00:00
|
|
|
#if defined USE_OPTIGA && !defined STM32U5
|
2023-07-20 11:20:50 +00:00
|
|
|
case MessageType_MessageType_UnlockBootloader:
|
|
|
|
response = ui_screen_unlock_bootloader_confirm();
|
|
|
|
if (INPUT_CANCEL == response) {
|
|
|
|
send_user_abort(USB_IFACE_NUM, "Bootloader unlock cancelled");
|
|
|
|
hal_delay(100);
|
|
|
|
usb_deinit();
|
2023-06-30 20:57:04 +00:00
|
|
|
return RETURN_TO_MENU;
|
2023-07-20 11:20:50 +00:00
|
|
|
}
|
2023-08-24 17:16:09 +00:00
|
|
|
process_msg_UnlockBootloader(USB_IFACE_NUM, msg_size, buf);
|
2023-07-20 11:20:50 +00:00
|
|
|
screen_unlock_bootloader_success();
|
|
|
|
hal_delay(100);
|
|
|
|
usb_deinit();
|
|
|
|
return SHUTDOWN;
|
|
|
|
break;
|
|
|
|
#endif
|
2019-03-29 15:26:02 +00:00
|
|
|
default:
|
|
|
|
process_msg_unknown(USB_IFACE_NUM, msg_size, buf);
|
|
|
|
break;
|
2017-04-07 00:34:53 +00:00
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
}
|
2017-04-06 13:53:47 +00:00
|
|
|
}
|
|
|
|
|
2021-05-05 15:24:30 +00:00
|
|
|
static secbool check_vendor_header_lock(const vendor_header *const vhdr) {
|
2019-03-29 15:26:02 +00:00
|
|
|
uint8_t lock[FLASH_OTP_BLOCK_SIZE];
|
2021-05-05 15:24:30 +00:00
|
|
|
ensure(flash_otp_read(FLASH_OTP_BLOCK_VENDOR_HEADER_LOCK, 0, lock,
|
2019-03-29 15:26:02 +00:00
|
|
|
FLASH_OTP_BLOCK_SIZE),
|
|
|
|
NULL);
|
|
|
|
if (0 ==
|
|
|
|
memcmp(lock,
|
|
|
|
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
|
|
|
|
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
|
|
|
|
FLASH_OTP_BLOCK_SIZE)) {
|
|
|
|
return sectrue;
|
|
|
|
}
|
|
|
|
uint8_t hash[32];
|
2021-05-05 15:24:30 +00:00
|
|
|
vendor_header_hash(vhdr, hash);
|
2019-03-29 15:26:02 +00:00
|
|
|
return sectrue * (0 == memcmp(lock, hash, 32));
|
2017-12-15 14:26:36 +00:00
|
|
|
}
|
|
|
|
|
2017-10-12 12:35:01 +00:00
|
|
|
// protection against bootloader downgrade
|
|
|
|
|
2023-06-28 08:51:30 +00:00
|
|
|
#if PRODUCTION && !defined STM32U5
|
2017-12-15 14:26:36 +00:00
|
|
|
|
2019-03-29 15:26:02 +00:00
|
|
|
static void check_bootloader_version(void) {
|
|
|
|
uint8_t bits[FLASH_OTP_BLOCK_SIZE];
|
|
|
|
for (int i = 0; i < FLASH_OTP_BLOCK_SIZE * 8; i++) {
|
|
|
|
if (i < VERSION_MONOTONIC) {
|
|
|
|
bits[i / 8] &= ~(1 << (7 - (i % 8)));
|
|
|
|
} else {
|
|
|
|
bits[i / 8] |= (1 << (7 - (i % 8)));
|
2017-10-12 12:35:01 +00:00
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
}
|
|
|
|
ensure(flash_otp_write(FLASH_OTP_BLOCK_BOOTLOADER_VERSION, 0, bits,
|
|
|
|
FLASH_OTP_BLOCK_SIZE),
|
|
|
|
NULL);
|
|
|
|
|
|
|
|
uint8_t bits2[FLASH_OTP_BLOCK_SIZE];
|
|
|
|
ensure(flash_otp_read(FLASH_OTP_BLOCK_BOOTLOADER_VERSION, 0, bits2,
|
|
|
|
FLASH_OTP_BLOCK_SIZE),
|
|
|
|
NULL);
|
|
|
|
|
|
|
|
ensure(sectrue * (0 == memcmp(bits, bits2, FLASH_OTP_BLOCK_SIZE)),
|
2023-04-03 12:32:08 +00:00
|
|
|
"Bootloader downgrade protection");
|
2017-10-12 12:35:01 +00:00
|
|
|
}
|
|
|
|
|
2017-12-15 14:26:36 +00:00
|
|
|
#endif
|
2017-12-13 22:08:15 +00:00
|
|
|
|
2024-06-10 14:57:59 +00:00
|
|
|
void failed_jump_to_firmware(void) { error_shutdown("(glitch)"); }
|
2023-09-25 13:35:09 +00:00
|
|
|
|
|
|
|
void real_jump_to_firmware(void) {
|
|
|
|
const image_header *hdr = NULL;
|
|
|
|
vendor_header vhdr = {0};
|
|
|
|
|
|
|
|
ensure(read_vendor_header((const uint8_t *)FIRMWARE_START, &vhdr),
|
|
|
|
"Firmware is corrupted");
|
|
|
|
|
|
|
|
ensure(check_vendor_header_keys(&vhdr), "Firmware is corrupted");
|
|
|
|
|
|
|
|
ensure(check_vendor_header_lock(&vhdr), "Unauthorized vendor keys");
|
|
|
|
|
|
|
|
hdr =
|
|
|
|
read_image_header((const uint8_t *)(size_t)(FIRMWARE_START + vhdr.hdrlen),
|
|
|
|
FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
|
|
|
|
|
|
|
|
ensure(hdr == (const image_header *)(size_t)(FIRMWARE_START + vhdr.hdrlen)
|
|
|
|
? sectrue
|
|
|
|
: secfalse,
|
|
|
|
"Firmware is corrupted");
|
|
|
|
|
|
|
|
ensure(check_image_model(hdr), "Wrong firmware model");
|
|
|
|
|
|
|
|
ensure(check_image_header_sig(hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub),
|
|
|
|
"Firmware is corrupted");
|
|
|
|
|
|
|
|
ensure(check_image_contents(hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
|
|
|
|
&FIRMWARE_AREA),
|
|
|
|
"Firmware is corrupted");
|
|
|
|
|
2024-04-04 14:33:39 +00:00
|
|
|
secret_prepare_fw(
|
2024-04-22 08:32:23 +00:00
|
|
|
((vhdr.vtrust & VTRUST_SECRET_MASK) == VTRUST_SECRET_ALLOW) * sectrue,
|
|
|
|
((vhdr.vtrust & VTRUST_NO_WARNING) == VTRUST_NO_WARNING) * sectrue);
|
2023-09-25 13:35:09 +00:00
|
|
|
|
2024-04-22 08:32:23 +00:00
|
|
|
// if all warnings are disabled in VTRUST flags then skip the procedure
|
|
|
|
if ((vhdr.vtrust & VTRUST_NO_WARNING) != VTRUST_NO_WARNING) {
|
2023-09-25 13:35:09 +00:00
|
|
|
ui_fadeout();
|
2024-05-15 09:26:27 +00:00
|
|
|
ui_screen_boot(&vhdr, hdr, 0);
|
2023-09-25 13:35:09 +00:00
|
|
|
ui_fadein();
|
|
|
|
|
2024-04-22 08:32:23 +00:00
|
|
|
// The delay is encoded in bitwise complement form.
|
|
|
|
int delay = (vhdr.vtrust & VTRUST_WAIT_MASK) ^ VTRUST_WAIT_MASK;
|
2023-09-25 13:35:09 +00:00
|
|
|
if (delay > 1) {
|
|
|
|
while (delay > 0) {
|
2024-05-15 09:26:27 +00:00
|
|
|
ui_screen_boot(&vhdr, hdr, delay);
|
2023-09-25 13:35:09 +00:00
|
|
|
hal_delay(1000);
|
|
|
|
delay--;
|
|
|
|
}
|
|
|
|
} else if (delay == 1) {
|
|
|
|
hal_delay(1000);
|
|
|
|
}
|
|
|
|
|
2024-04-22 08:32:23 +00:00
|
|
|
if ((vhdr.vtrust & VTRUST_NO_CLICK) == 0) {
|
2024-05-15 09:26:27 +00:00
|
|
|
ui_screen_boot(&vhdr, hdr, -1);
|
|
|
|
ui_click();
|
2023-09-25 13:35:09 +00:00
|
|
|
}
|
|
|
|
|
2024-04-10 12:56:34 +00:00
|
|
|
ui_screen_boot_stage_1(false);
|
2023-09-25 13:35:09 +00:00
|
|
|
}
|
|
|
|
|
2024-04-16 08:12:49 +00:00
|
|
|
display_finish_actions();
|
2023-09-25 13:35:09 +00:00
|
|
|
ensure_compatible_settings();
|
|
|
|
|
|
|
|
mpu_config_off();
|
|
|
|
jump_to(FIRMWARE_START + vhdr.hdrlen + IMAGE_HEADER_SIZE);
|
|
|
|
}
|
|
|
|
|
2023-06-28 08:51:30 +00:00
|
|
|
#ifdef STM32U5
|
|
|
|
__attribute__((noreturn)) void jump_to_fw_through_reset(void) {
|
2024-04-16 08:12:49 +00:00
|
|
|
display_finish_actions();
|
2023-06-28 08:51:30 +00:00
|
|
|
display_fade(display_backlight(-1), 0, 200);
|
|
|
|
|
|
|
|
__disable_irq();
|
|
|
|
delete_secrets();
|
|
|
|
NVIC_SystemReset();
|
|
|
|
for (;;)
|
|
|
|
;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2023-03-23 14:42:21 +00:00
|
|
|
#ifndef TREZOR_EMULATOR
|
2019-03-29 15:26:02 +00:00
|
|
|
int main(void) {
|
2023-03-23 14:42:21 +00:00
|
|
|
#else
|
|
|
|
int bootloader_main(void) {
|
|
|
|
#endif
|
2023-10-20 12:58:32 +00:00
|
|
|
secbool stay_in_bootloader = secfalse;
|
2022-04-11 11:27:48 +00:00
|
|
|
|
2021-03-25 18:33:21 +00:00
|
|
|
random_delays_init();
|
2023-06-28 08:51:30 +00:00
|
|
|
|
2023-12-17 22:51:10 +00:00
|
|
|
#if defined TREZOR_MODEL_T
|
|
|
|
set_core_clock(CLOCK_180_MHZ);
|
|
|
|
#endif
|
|
|
|
|
2023-12-15 22:50:33 +00:00
|
|
|
#ifdef USE_HASH_PROCESSOR
|
|
|
|
hash_processor_init();
|
|
|
|
#endif
|
|
|
|
|
2023-12-17 22:51:10 +00:00
|
|
|
#ifdef USE_I2C
|
|
|
|
i2c_init();
|
|
|
|
#endif
|
|
|
|
|
2024-03-04 14:46:58 +00:00
|
|
|
display_reinit();
|
2023-12-17 22:51:10 +00:00
|
|
|
|
2022-08-16 14:51:10 +00:00
|
|
|
#ifdef USE_DMA2D
|
|
|
|
dma2d_init();
|
|
|
|
#endif
|
|
|
|
|
2024-03-04 14:46:58 +00:00
|
|
|
unit_variant_init();
|
|
|
|
|
|
|
|
#ifdef USE_TOUCH
|
|
|
|
#ifdef TREZOR_MODEL_T3T1
|
|
|
|
// on T3T1, tester needs to run without touch, so making an exception
|
|
|
|
// until unit variant is written in OTP
|
|
|
|
if (unit_variant_present()) {
|
|
|
|
ensure(touch_init(), "Touch screen panel was not loaded properly.");
|
|
|
|
} else {
|
|
|
|
touch_init();
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
ensure(touch_init(), "Touch screen panel was not loaded properly.");
|
|
|
|
#endif
|
|
|
|
#endif
|
2022-10-14 10:43:37 +00:00
|
|
|
|
2024-04-10 12:56:34 +00:00
|
|
|
ui_screen_boot_stage_1(false);
|
2023-08-17 11:42:22 +00:00
|
|
|
|
2022-05-05 11:47:19 +00:00
|
|
|
mpu_config_bootloader();
|
|
|
|
|
2023-11-14 10:53:24 +00:00
|
|
|
fault_handlers_init();
|
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
#ifdef TREZOR_EMULATOR
|
|
|
|
// wait a bit so that the empty lock icon is visible
|
|
|
|
// (on a real device, we are waiting for touch init which takes longer)
|
|
|
|
hal_delay(400);
|
|
|
|
#endif
|
|
|
|
|
2022-05-05 11:47:19 +00:00
|
|
|
const image_header *hdr = NULL;
|
|
|
|
vendor_header vhdr;
|
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
// detect whether the device contains a valid firmware
|
|
|
|
volatile secbool vhdr_present = secfalse;
|
|
|
|
volatile secbool vhdr_keys_ok = secfalse;
|
|
|
|
volatile secbool vhdr_lock_ok = secfalse;
|
|
|
|
volatile secbool img_hdr_ok = secfalse;
|
|
|
|
volatile secbool model_ok = secfalse;
|
|
|
|
volatile secbool header_present = secfalse;
|
|
|
|
volatile secbool firmware_present = secfalse;
|
2023-09-25 13:35:09 +00:00
|
|
|
volatile secbool firmware_present_backup = secfalse;
|
2023-10-20 12:58:32 +00:00
|
|
|
volatile secbool auto_upgrade = secfalse;
|
2023-06-30 20:57:04 +00:00
|
|
|
|
|
|
|
vhdr_present = read_vendor_header((const uint8_t *)FIRMWARE_START, &vhdr);
|
|
|
|
|
|
|
|
if (sectrue == vhdr_present) {
|
|
|
|
vhdr_keys_ok = check_vendor_header_keys(&vhdr);
|
2022-05-05 11:47:19 +00:00
|
|
|
}
|
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
if (sectrue == vhdr_keys_ok) {
|
|
|
|
vhdr_lock_ok = check_vendor_header_lock(&vhdr);
|
2022-05-05 11:47:19 +00:00
|
|
|
}
|
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
if (sectrue == vhdr_lock_ok) {
|
2023-06-30 10:12:55 +00:00
|
|
|
hdr = read_image_header(
|
|
|
|
(const uint8_t *)(size_t)(FIRMWARE_START + vhdr.hdrlen),
|
|
|
|
FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
|
2023-06-30 20:57:04 +00:00
|
|
|
if (hdr == (const image_header *)(size_t)(FIRMWARE_START + vhdr.hdrlen)) {
|
|
|
|
img_hdr_ok = sectrue;
|
2022-05-05 11:47:19 +00:00
|
|
|
}
|
|
|
|
}
|
2023-06-30 20:57:04 +00:00
|
|
|
if (sectrue == img_hdr_ok) {
|
|
|
|
model_ok = check_image_model(hdr);
|
2022-05-05 11:47:19 +00:00
|
|
|
}
|
2023-06-30 20:57:04 +00:00
|
|
|
if (sectrue == model_ok) {
|
|
|
|
header_present =
|
2022-05-05 11:47:19 +00:00
|
|
|
check_image_header_sig(hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub);
|
|
|
|
}
|
2023-06-30 20:57:04 +00:00
|
|
|
|
|
|
|
if (sectrue == header_present) {
|
2023-06-30 10:12:55 +00:00
|
|
|
firmware_present = check_image_contents(
|
|
|
|
hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen, &FIRMWARE_AREA);
|
2023-09-25 13:35:09 +00:00
|
|
|
firmware_present_backup = firmware_present;
|
2022-05-05 11:47:19 +00:00
|
|
|
}
|
|
|
|
|
2023-09-26 09:44:43 +00:00
|
|
|
#ifdef USE_OPTIGA
|
|
|
|
optiga_hal_init();
|
|
|
|
#endif
|
|
|
|
|
2023-02-15 12:57:54 +00:00
|
|
|
#ifdef USE_BUTTON
|
2022-04-25 09:46:09 +00:00
|
|
|
button_init();
|
2023-02-15 12:57:54 +00:00
|
|
|
#endif
|
2023-06-22 19:56:48 +00:00
|
|
|
|
|
|
|
#ifdef USE_CONSUMPTION_MASK
|
|
|
|
consumption_mask_init();
|
|
|
|
#endif
|
|
|
|
|
2023-02-15 12:57:54 +00:00
|
|
|
#ifdef USE_RGB_LED
|
2022-05-31 07:31:32 +00:00
|
|
|
rgb_led_init();
|
2022-04-25 09:46:09 +00:00
|
|
|
#endif
|
2019-02-21 08:52:28 +00:00
|
|
|
|
2023-06-28 08:51:30 +00:00
|
|
|
#if PRODUCTION && !defined STM32U5
|
|
|
|
// for STM32U5, this check is moved to boardloader
|
2019-03-29 15:26:02 +00:00
|
|
|
check_bootloader_version();
|
2017-10-12 12:35:01 +00:00
|
|
|
#endif
|
|
|
|
|
2023-10-31 11:38:11 +00:00
|
|
|
switch (bootargs_get_command()) {
|
2023-10-20 12:58:32 +00:00
|
|
|
case BOOT_COMMAND_STOP_AND_WAIT:
|
|
|
|
// firmare requested to stay in bootloader
|
|
|
|
stay_in_bootloader = sectrue;
|
|
|
|
break;
|
|
|
|
case BOOT_COMMAND_INSTALL_UPGRADE:
|
|
|
|
if (firmware_present == sectrue) {
|
|
|
|
// continue without user interaction
|
|
|
|
auto_upgrade = sectrue;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
2022-05-27 10:36:29 +00:00
|
|
|
}
|
|
|
|
|
2023-09-25 13:35:09 +00:00
|
|
|
ensure(dont_optimize_out_true * (firmware_present == firmware_present_backup),
|
|
|
|
NULL);
|
|
|
|
|
2022-05-27 10:36:29 +00:00
|
|
|
// delay to detect touch or skip if we know we are staying in bootloader
|
|
|
|
// anyway
|
2019-03-29 15:26:02 +00:00
|
|
|
uint32_t touched = 0;
|
2023-02-15 12:57:54 +00:00
|
|
|
#ifdef USE_TOUCH
|
2023-03-29 14:42:18 +00:00
|
|
|
if (firmware_present == sectrue && stay_in_bootloader != sectrue) {
|
2024-06-03 18:01:49 +00:00
|
|
|
// Wait until the touch controller is ready
|
|
|
|
// (on hardware this may take a while)
|
|
|
|
while (touch_ready() != sectrue) {
|
|
|
|
hal_delay(1);
|
|
|
|
}
|
|
|
|
#ifdef TREZOR_EMULATOR
|
|
|
|
hal_delay(500);
|
|
|
|
#endif
|
|
|
|
// Give the touch controller time to report events
|
|
|
|
// if someone touches the screen
|
2023-12-17 22:51:10 +00:00
|
|
|
for (int i = 0; i < 10; i++) {
|
2024-06-03 18:01:49 +00:00
|
|
|
if (touch_activity() == sectrue) {
|
|
|
|
touched = 1;
|
2022-05-27 10:36:29 +00:00
|
|
|
break;
|
|
|
|
}
|
2024-06-03 18:01:49 +00:00
|
|
|
hal_delay(5);
|
2017-12-17 00:09:45 +00:00
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
}
|
2023-02-15 12:57:54 +00:00
|
|
|
#elif defined USE_BUTTON
|
2022-04-25 09:46:09 +00:00
|
|
|
button_read();
|
|
|
|
if (button_state_left() == 1) {
|
|
|
|
touched = 1;
|
|
|
|
}
|
|
|
|
#endif
|
2019-03-29 15:26:02 +00:00
|
|
|
|
2023-09-25 13:35:09 +00:00
|
|
|
ensure(dont_optimize_out_true * (firmware_present == firmware_present_backup),
|
|
|
|
NULL);
|
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
// start the bootloader ...
|
|
|
|
// ... if user touched the screen on start
|
|
|
|
// ... or we have stay_in_bootloader flag to force it
|
2023-10-20 12:58:32 +00:00
|
|
|
// ... or strict upgrade was confirmed in the firmware (auto_upgrade flag)
|
2023-06-30 20:57:04 +00:00
|
|
|
// ... or there is no valid firmware
|
2023-10-20 12:58:32 +00:00
|
|
|
if (touched || stay_in_bootloader == sectrue || firmware_present != sectrue ||
|
|
|
|
auto_upgrade == sectrue) {
|
2023-06-30 20:57:04 +00:00
|
|
|
screen_t screen;
|
2023-10-20 12:58:32 +00:00
|
|
|
ui_set_initial_setup(true);
|
2023-06-30 20:57:04 +00:00
|
|
|
if (header_present == sectrue) {
|
2023-10-20 12:58:32 +00:00
|
|
|
if (auto_upgrade == sectrue) {
|
|
|
|
screen = SCREEN_WAIT_FOR_HOST;
|
|
|
|
} else {
|
|
|
|
ui_set_initial_setup(false);
|
|
|
|
screen = SCREEN_INTRO;
|
|
|
|
}
|
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
} else {
|
|
|
|
screen = SCREEN_WELCOME;
|
2019-03-29 15:26:02 +00:00
|
|
|
|
2023-06-28 08:51:30 +00:00
|
|
|
#ifdef STM32U5
|
|
|
|
secret_bhk_regenerate();
|
|
|
|
#endif
|
2023-06-30 20:57:04 +00:00
|
|
|
// erase storage
|
|
|
|
ensure(flash_area_erase_bulk(STORAGE_AREAS, STORAGE_AREAS_COUNT, NULL),
|
|
|
|
NULL);
|
2019-03-29 15:26:02 +00:00
|
|
|
|
2023-06-30 20:57:04 +00:00
|
|
|
// keep the model screen up for a while
|
2023-08-17 11:42:22 +00:00
|
|
|
#ifndef USE_BACKLIGHT
|
2023-06-30 20:57:04 +00:00
|
|
|
hal_delay(1500);
|
2023-08-17 11:42:22 +00:00
|
|
|
#else
|
2023-06-30 20:57:04 +00:00
|
|
|
// backlight fading takes some time so the explicit delay here is
|
|
|
|
// shorter
|
|
|
|
hal_delay(1000);
|
2023-08-17 11:42:22 +00:00
|
|
|
#endif
|
2018-02-10 16:52:45 +00:00
|
|
|
}
|
2022-05-05 11:47:19 +00:00
|
|
|
|
|
|
|
while (true) {
|
2023-09-25 13:35:09 +00:00
|
|
|
volatile secbool continue_to_firmware = secfalse;
|
|
|
|
volatile secbool continue_to_firmware_backup = secfalse;
|
2022-05-05 11:47:19 +00:00
|
|
|
uint32_t ui_result = 0;
|
|
|
|
|
|
|
|
switch (screen) {
|
2023-06-30 20:57:04 +00:00
|
|
|
case SCREEN_WELCOME:
|
|
|
|
|
|
|
|
ui_screen_welcome();
|
|
|
|
|
|
|
|
// and start the usb loop
|
|
|
|
switch (bootloader_usb_loop(NULL, NULL)) {
|
|
|
|
case CONTINUE_TO_FIRMWARE:
|
|
|
|
continue_to_firmware = sectrue;
|
2023-09-25 13:35:09 +00:00
|
|
|
continue_to_firmware_backup = sectrue;
|
2023-06-30 20:57:04 +00:00
|
|
|
break;
|
|
|
|
case RETURN_TO_MENU:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
case SHUTDOWN:
|
|
|
|
return 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2022-05-05 11:47:19 +00:00
|
|
|
case SCREEN_INTRO:
|
2023-06-30 20:57:04 +00:00
|
|
|
ui_result = ui_screen_intro(&vhdr, hdr, firmware_present);
|
2022-05-05 11:47:19 +00:00
|
|
|
if (ui_result == 1) {
|
|
|
|
screen = SCREEN_MENU;
|
|
|
|
}
|
|
|
|
if (ui_result == 2) {
|
|
|
|
screen = SCREEN_WAIT_FOR_HOST;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case SCREEN_MENU:
|
2023-06-30 20:57:04 +00:00
|
|
|
ui_result = ui_screen_menu(firmware_present);
|
|
|
|
if (ui_result == 0xAABBCCDD) { // exit menu
|
2022-05-05 11:47:19 +00:00
|
|
|
screen = SCREEN_INTRO;
|
|
|
|
}
|
2023-06-30 20:57:04 +00:00
|
|
|
if (ui_result == 0x11223344) { // reboot
|
2023-06-28 08:51:30 +00:00
|
|
|
#ifndef STM32U5
|
2024-04-10 12:56:34 +00:00
|
|
|
ui_screen_boot_stage_1(true);
|
2023-06-28 08:51:30 +00:00
|
|
|
#endif
|
2023-06-30 20:57:04 +00:00
|
|
|
continue_to_firmware = firmware_present;
|
2023-09-25 13:35:09 +00:00
|
|
|
continue_to_firmware_backup = firmware_present_backup;
|
2022-05-05 11:47:19 +00:00
|
|
|
}
|
2023-06-30 20:57:04 +00:00
|
|
|
if (ui_result == 0x55667788) { // wipe
|
2022-05-05 11:47:19 +00:00
|
|
|
screen = SCREEN_WIPE_CONFIRM;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case SCREEN_WIPE_CONFIRM:
|
|
|
|
ui_result = screen_wipe_confirm();
|
|
|
|
if (ui_result == INPUT_CANCEL) {
|
|
|
|
// canceled
|
|
|
|
screen = SCREEN_MENU;
|
|
|
|
}
|
|
|
|
if (ui_result == INPUT_CONFIRM) {
|
|
|
|
ui_screen_wipe();
|
|
|
|
secbool r = bootloader_WipeDevice();
|
|
|
|
if (r != sectrue) { // error
|
|
|
|
screen_wipe_fail();
|
|
|
|
return 1;
|
|
|
|
} else { // success
|
|
|
|
screen_wipe_success();
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case SCREEN_WAIT_FOR_HOST:
|
2023-10-20 12:58:32 +00:00
|
|
|
screen_connect(auto_upgrade == sectrue);
|
2022-05-05 11:47:19 +00:00
|
|
|
switch (bootloader_usb_loop(&vhdr, hdr)) {
|
2023-06-30 20:57:04 +00:00
|
|
|
case CONTINUE_TO_FIRMWARE:
|
|
|
|
continue_to_firmware = sectrue;
|
2023-09-25 13:35:09 +00:00
|
|
|
continue_to_firmware_backup = sectrue;
|
2022-05-05 11:47:19 +00:00
|
|
|
break;
|
2023-06-30 20:57:04 +00:00
|
|
|
case RETURN_TO_MENU:
|
2022-05-05 11:47:19 +00:00
|
|
|
screen = SCREEN_INTRO;
|
|
|
|
break;
|
|
|
|
case SHUTDOWN:
|
|
|
|
return 1;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
2021-03-06 19:09:56 +00:00
|
|
|
|
2023-09-25 13:35:09 +00:00
|
|
|
if (continue_to_firmware != continue_to_firmware_backup) {
|
|
|
|
// erase storage if we saw flips randomly flip, most likely due to
|
|
|
|
// glitch
|
2023-06-28 08:51:30 +00:00
|
|
|
|
|
|
|
#ifdef STM32U5
|
|
|
|
secret_bhk_regenerate();
|
|
|
|
#endif
|
2023-09-25 13:35:09 +00:00
|
|
|
ensure(flash_area_erase_bulk(STORAGE_AREAS, STORAGE_AREAS_COUNT, NULL),
|
|
|
|
NULL);
|
|
|
|
}
|
|
|
|
ensure(dont_optimize_out_true *
|
|
|
|
(continue_to_firmware == continue_to_firmware_backup),
|
|
|
|
NULL);
|
2023-06-30 20:57:04 +00:00
|
|
|
if (sectrue == continue_to_firmware) {
|
2023-06-28 08:51:30 +00:00
|
|
|
#ifdef STM32U5
|
|
|
|
firmware_jump_fn = jump_to_fw_through_reset;
|
|
|
|
#else
|
2024-04-10 12:56:34 +00:00
|
|
|
ui_screen_boot_stage_1(true);
|
2023-09-25 13:35:09 +00:00
|
|
|
firmware_jump_fn = real_jump_to_firmware;
|
2023-06-28 08:51:30 +00:00
|
|
|
#endif
|
2022-05-05 11:47:19 +00:00
|
|
|
break;
|
|
|
|
}
|
2019-03-29 15:26:02 +00:00
|
|
|
}
|
|
|
|
}
|
2017-10-13 16:05:47 +00:00
|
|
|
|
2023-09-25 13:35:09 +00:00
|
|
|
ensure(dont_optimize_out_true * (firmware_present == firmware_present_backup),
|
|
|
|
NULL);
|
2023-06-28 08:51:30 +00:00
|
|
|
|
|
|
|
#ifdef STM32U5
|
|
|
|
if (sectrue == firmware_present &&
|
|
|
|
firmware_jump_fn != jump_to_fw_through_reset) {
|
|
|
|
firmware_jump_fn = real_jump_to_firmware;
|
|
|
|
}
|
|
|
|
#else
|
2023-09-25 13:35:09 +00:00
|
|
|
if (sectrue == firmware_present) {
|
|
|
|
firmware_jump_fn = real_jump_to_firmware;
|
2019-03-29 15:26:02 +00:00
|
|
|
}
|
2023-06-28 08:51:30 +00:00
|
|
|
#endif
|
2019-03-29 15:26:02 +00:00
|
|
|
|
2023-09-25 13:35:09 +00:00
|
|
|
firmware_jump_fn();
|
2017-03-20 14:41:21 +00:00
|
|
|
|
2019-03-29 15:26:02 +00:00
|
|
|
return 0;
|
2017-03-20 14:41:21 +00:00
|
|
|
}
|