Bootloader code is split into two stages. See [Memory Layout](memory.md) for more info about in which sectors the code is stored.
Bootloader is split into two stages. See [Memory Layout](memory.md) for info about in which sectors each stage is stored.
First stage checks the integrity and signatures of second stage and runs it if everything is OK.
First stage is stored in write-protected area, which means it is non-upgradable. Only second stage bootloader update is allowed.
However, if first stage bootloader finds a valid second stage bootloader on the SD card (in raw format, no filesystem), it will replace the internal second stage, allowing an upgrade of the second stage.
First stage is stored in write-protected area, which means only upgrade of the second stage bootloader is allowed.
##First Stage Bootloader
First stage checks the integrity and signatures of the second stage and runs it if everything is OK.
If first stage bootloader finds a valid second stage bootloader image on the SD card (in raw format, no filesystem),
it will replace the internal second stage, allowing a second stage update via SD card.
##Second Stage Bootloader
Second stage checks the integrity and signatures of the firmware and runs it if everything is OK.
If second stage bootloader detects a pressed finger on the display or there is no firmware loaded in the device,
it will start in a firmware update mode, allowing a firmware update via USB.
##Common notes
##Common notes
* Hash function used is SHA-256 and signature system is Ed25519 (allows combining signatures by multiple keys into one).
* Hash function used below is SHA-256 and signature system is Ed25519 (allows combining signatures by multiple keys into one).
There is a tool called [check_firmware](../tools/check_firmware) which parses and checks validity of the firmware including the both headers.
###Vendor Header
###Vendor Header
Total length of vendor header is 82 + 32 * (number of pubkeys) + (length of vendor string) + (length of vendor image) bytes rounded up to the closest multiply of 256 bytes.
Total length of vendor header is 82 + 32 * (number of pubkeys) + (length of vendor string) + (length of vendor image) bytes rounded up to the closest multiply of 256 bytes.
@ -52,19 +67,19 @@ Total length of vendor header is 82 + 32 * (number of pubkeys) + (length of vend
| offset | length | name | description |
| offset | length | name | description |
|-------:|-------:|------|-------------|
|-------:|-------:|------|-------------|
| 0x0000 | 4 | magic | firmware magic `TRZV` |
| 0x0000 | 4 | magic | firmware magic `TRZV` |
| 0x0004 | 4 | hlen | length of the vendor header |
| 0x0004 | 4 | hdrlen | length of the vendor header |