diff --git a/SConscript.firmware b/SConscript.firmware
index 9bcdcca8e..7b66b6fa6 100644
--- a/SConscript.firmware
+++ b/SConscript.firmware
@@ -255,6 +255,7 @@ SOURCE_STMHAL = [
]
SOURCE_FIRMWARE = [
+ 'embed/firmware/bl_check.c',
'embed/firmware/startup.s',
'embed/firmware/header.S',
'embed/firmware/main.c',
@@ -426,6 +427,14 @@ obj_program.extend(
' --rename-section .data=.vendorheader,alloc,load,readonly,contents'
' $SOURCE $TARGET', ))
+obj_program.extend(
+ env.Command(
+ target='embed/firmware/bootloader.o',
+ source='embed/firmware/bootloader.bin',
+ action='$OBJCOPY -I binary -O elf32-littlearm -B arm'
+ ' --rename-section .data=.bootloader'
+ ' $SOURCE $TARGET', ))
+
env.Depends(obj_program, qstr_generated)
program_elf = env.Command(
diff --git a/embed/bootloader/messages.c b/embed/bootloader/messages.c
index 269215fe0..70cf066a1 100644
--- a/embed/bootloader/messages.c
+++ b/embed/bootloader/messages.c
@@ -310,7 +310,7 @@ void process_msg_FirmwareErase(uint8_t iface_num, uint32_t msg_size, uint8_t *bu
MSG_RECV(FirmwareErase);
firmware_remaining = msg_recv.has_length ? msg_recv.length : 0;
- if ((firmware_remaining > 0) && ((firmware_remaining % 4) == 0) && (firmware_remaining <= (FIRMWARE_SECTORS_COUNT * IMAGE_CHUNK_SIZE))) {
+ if ((firmware_remaining > 0) && ((firmware_remaining % sizeof(uint32_t)) == 0) && (firmware_remaining <= (FIRMWARE_SECTORS_COUNT * IMAGE_CHUNK_SIZE))) {
// request new firmware
chunk_requested = (firmware_remaining > IMAGE_CHUNK_SIZE) ? IMAGE_CHUNK_SIZE : firmware_remaining;
MSG_SEND_INIT(FirmwareRequest);
diff --git a/embed/firmware/bl_check.c b/embed/firmware/bl_check.c
new file mode 100644
index 000000000..d33095512
--- /dev/null
+++ b/embed/firmware/bl_check.c
@@ -0,0 +1,84 @@
+/*
+ * This file is part of the TREZOR project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+#include
+#include "common.h"
+#include "flash.h"
+#include "blake2s.h"
+
+// symbols from bootloader.bin => bootloader.o
+extern const uint32_t _binary_embed_firmware_bootloader_bin_start;
+extern const uint32_t _binary_embed_firmware_bootloader_bin_size;
+
+/*
+static secbool known_bootloader(const uint8_t *hash, int len) {
+ if (len != 32) return secfalse;
+ // bootloader-2.0.1.bin (padded with 0x00)
+ if (0 == memcmp(hash, "\x91\x37\x46\xd0\x2d\xa7\xc4\xbe\x1d\xae\xef\xb0\x9b\x4e\x31\x88\xed\x38\x23\x5e\x0e\x31\xa7\x8c\x01\xde\x4e\xcc\xc2\xd6\x36\xb3", 32)) return sectrue;
+ // bootloader-2.0.1.bin (padded with 0xff)
+ if (0 == memcmp(hash, "\x2f\xdb\xde\x94\x0a\xd8\x91\x1c\xbd\x07\xb0\xba\x06\x2c\x90\x84\x02\xec\x95\x19\xde\x52\x8d\x4b\xe9\xb9\xed\x30\x71\x91\xb4\xd3", 32)) return sectrue;
+ // bootloader-2.0.2.bin (padded with 0x00)
+ if (0 == memcmp(hash, "\x2e\xf7\x47\xf8\x49\x87\x1e\xc8\xc6\x01\x35\xd6\x32\xe5\x5a\xd1\x56\x18\xf8\x64\x87\xb7\xaa\x7c\x62\x0e\xc3\x0d\x25\x69\x4e\x18", 32)) return sectrue;
+ // bootloader-2.0.2.bin (padded with 0xff)
+ if (0 == memcmp(hash, "\xcc\x6b\x35\xc3\x8f\x29\x5c\xbd\x7d\x31\x69\xaf\xae\xf1\x61\x01\xef\xbe\x9f\x3b\x0a\xfd\xc5\x91\x70\x9b\xf5\xa0\xd5\xa4\xc5\xe0", 32)) return sectrue;
+ return secfalse;
+}
+*/
+
+static secbool latest_bootloader(const uint8_t *hash, int len) {
+ if (len != 32) return secfalse;
+ // bootloader.bin (padded with 0x00)
+ if (0 == memcmp(hash, "\x2e\xf7\x47\xf8\x49\x87\x1e\xc8\xc6\x01\x35\xd6\x32\xe5\x5a\xd1\x56\x18\xf8\x64\x87\xb7\xaa\x7c\x62\x0e\xc3\x0d\x25\x69\x4e\x18", 32)) return sectrue;
+ // bootloader.bin (padded with 0xff)
+ if (0 == memcmp(hash, "\xcc\x6b\x35\xc3\x8f\x29\x5c\xbd\x7d\x31\x69\xaf\xae\xf1\x61\x01\xef\xbe\x9f\x3b\x0a\xfd\xc5\x91\x70\x9b\xf5\xa0\xd5\xa4\xc5\xe0", 32)) return sectrue;
+ return secfalse;
+}
+
+#define BACKLIGHT_NORMAL 150
+
+void check_and_replace_bootloader(void)
+{
+ // compute current bootloader hash
+ uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+ const uint32_t bl_len = 128 * 1024;
+ const void *bl_data = flash_get_address(FLASH_SECTOR_BOOTLOADER, 0, bl_len);
+ blake2s(bl_data, bl_len, hash, BLAKE2S_DIGEST_LENGTH);
+
+ // don't whitelist the valid bootloaders for now
+ // ensure(known_bootloader(hash, BLAKE2S_DIGEST_LENGTH), "Unknown bootloader detected");
+
+ // do we have the latest bootloader?
+ if (sectrue == latest_bootloader(hash, BLAKE2S_DIGEST_LENGTH)) {
+ return;
+ }
+
+ // replace bootloader with the latest one
+ const uint32_t *data = (const uint32_t *)&_binary_embed_firmware_bootloader_bin_start;
+ const uint32_t len = (const uint32_t)&_binary_embed_firmware_bootloader_bin_size;
+ ensure(flash_erase(FLASH_SECTOR_BOOTLOADER), NULL);
+ ensure(flash_unlock_write(), NULL);
+ for (int i = 0; i < len / sizeof(uint32_t); i++) {
+ ensure(flash_write_word(FLASH_SECTOR_BOOTLOADER, i * sizeof(uint32_t), data[i]), NULL);
+ }
+ for (int i = len / sizeof(uint32_t); i < 128 * 1024 / sizeof(uint32_t); i++) {
+ ensure(flash_write_word(FLASH_SECTOR_BOOTLOADER, i * sizeof(uint32_t), 0x00000000), NULL);
+ }
+ ensure(flash_lock_write(), NULL);
+}
diff --git a/embed/firmware/bl_check.h b/embed/firmware/bl_check.h
new file mode 100644
index 000000000..9a03de493
--- /dev/null
+++ b/embed/firmware/bl_check.h
@@ -0,0 +1,25 @@
+/*
+ * This file is part of the TREZOR project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#ifndef __BL_CHECK_H__
+#define __BL_CHECK_H__
+
+void check_and_replace_bootloader(void);
+
+#endif
diff --git a/embed/firmware/bootloader.bin b/embed/firmware/bootloader.bin
new file mode 100644
index 000000000..4f34cb118
Binary files /dev/null and b/embed/firmware/bootloader.bin differ
diff --git a/embed/firmware/bootloader_hashes.py b/embed/firmware/bootloader_hashes.py
new file mode 100755
index 000000000..b2db0e1a2
--- /dev/null
+++ b/embed/firmware/bootloader_hashes.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+import glob
+import pyblake2
+
+ALIGNED_SIZE = 128 * 1024
+
+files = glob.glob("bootloader*.bin")
+
+for fn in sorted(files):
+ data = open(fn, "rb").read()
+ if len(data) > ALIGNED_SIZE:
+ raise ValueError(fn, "too big")
+ data_00 = data + b"\x00" * (ALIGNED_SIZE - len(data))
+ data_ff = data + b"\xff" * (ALIGNED_SIZE - len(data))
+ h_00 = pyblake2.blake2s(data=data_00).digest()
+ h_ff = pyblake2.blake2s(data=data_ff).digest()
+ h_00 = "".join(["\\x%02x" % i for i in h_00])
+ h_ff = "".join(["\\x%02x" % i for i in h_ff])
+ print(" // %s (padded with 0x00)\n if (0 == memcmp(hash, \"%s\", 32)) return sectrue;" % (fn, h_00))
+ print(" // %s (padded with 0xff)\n if (0 == memcmp(hash, \"%s\", 32)) return sectrue;" % (fn, h_ff))
diff --git a/embed/firmware/main.c b/embed/firmware/main.c
index 5b203ccc6..5d517fcc0 100644
--- a/embed/firmware/main.c
+++ b/embed/firmware/main.c
@@ -40,6 +40,7 @@
#include "rng.h"
#include "sdcard.h"
#include "touch.h"
+#include "bl_check.h"
int main(void)
{
@@ -51,6 +52,7 @@ int main(void)
collect_hw_entropy();
#if TREZOR_MODEL == T
+ check_and_replace_bootloader();
// Enable MPU
mpu_config();
#endif
diff --git a/embed/firmware/memory_T.ld b/embed/firmware/memory_T.ld
index 21faf01e8..e253c8ea3 100644
--- a/embed/firmware/memory_T.ld
+++ b/embed/firmware/memory_T.ld
@@ -53,6 +53,8 @@ SECTIONS {
*(.text*);
. = ALIGN(4);
*(.rodata*);
+ . = ALIGN(4);
+ *(.bootloader*);
. = ALIGN(512);
} >FLASH AT>FLASH
diff --git a/embed/trezorhal/flash.c b/embed/trezorhal/flash.c
index 4df25c163..b270b7cc5 100644
--- a/embed/trezorhal/flash.c
+++ b/embed/trezorhal/flash.c
@@ -141,7 +141,7 @@ secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
if (address == 0) {
return secfalse;
}
- if (offset % 4 != 0) {
+ if (offset % sizeof(uint32_t)) { // we write only at 4-byte boundary
return secfalse;
}
if (data != (data & *((const uint32_t *)address))) {
@@ -149,7 +149,6 @@ secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
}
if (HAL_OK != HAL_FLASH_Program(FLASH_TYPEPROGRAM_WORD, address, data)) {
return secfalse;
-
}
if (data != *((const uint32_t *)address)) {
return secfalse;
diff --git a/embed/unix/flash.c b/embed/unix/flash.c
index a76e6f2e4..4e68a9953 100644
--- a/embed/unix/flash.c
+++ b/embed/unix/flash.c
@@ -158,7 +158,7 @@ secbool flash_write_byte(uint8_t sector, uint32_t offset, uint8_t data)
secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
{
- if (offset % 4) { // we write only at 4-byte boundary
+ if (offset % sizeof(uint32_t)) { // we write only at 4-byte boundary
return secfalse;
}
uint32_t *flash = (uint32_t *)flash_get_address(sector, offset, sizeof(data));