Firmware m0801
Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces
The firmware programs the SoC which handles video encoding and flight control. Location of this chip:
- in WM230, H3 Eagle SoC is on WM230 Main Core Processor board
- in WM240, H3 Eagle SoC is on WM240 Core Board
- in WM245, H3 Eagle SoC is on WM245 Core Board
- in WM231, H6 E1E SoC is on WM231 Main Core Processor board
- in WM232, H6 E1E SoC is on WM232 Main Core Processor board
- in other products, the location is unknown
Note that within WM100, WM220, WM330 and WM620, the m0801 module identifier is used to store something different; there, it is m0901 instead. So the information on this page does not apply to these platforms.
The module contains the programming of a SoC which handles the image sensor and video encoding, but also flight control. Additionally, it uses TrustZone to (semi-)securely store cryptographic keys, and it is the component which controls the firmware update process of the drone.
TODO
The `IM*H` module within the FW update package is always encrypted with AES, using the platform-specific `UFIE` key.
The decrypted firmware is a JAR file which, when unzipped, reveals typical Android boot images (`normal.img`, `recovery.img`) and a bootloader (`bootarea.img`). It also contains new content for the system and vendor partitions, as sparse filesystem images (`*.new.dat`, `*.transfer.list`).
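The `*.new.dat` / `*.transfer.list` pair is the standard Android block-based OTA format, so the system and vendor images can be rebuilt from the decrypted package without any DJI tooling. The Python below is an added example, not code from this page or from the dji-firmware-tools project; it handles the full-OTA commands (`new`, `zero`, `erase`) and rejects incremental ones, and the sample transfer list and data are constructed here rather than taken from a real package.

```python
"""Rebuild a partition image from Android block-based OTA files
(*.new.dat + *.transfer.list), as found in the decrypted m0801 package."""
BLOCK_SIZE = 4096  # fixed block size of the transfer list format

def parse_rangeset(text):
    """'4,0,1,2,4' -> [(0, 1), (2, 4)]: a count, then begin,end pairs (end exclusive)."""
    nums = [int(x) for x in text.split(",")]
    count, pairs = nums[0], nums[1:]
    if count != len(pairs) or count % 2:
        raise ValueError("malformed rangeset: %r" % text)
    return list(zip(pairs[0::2], pairs[1::2]))

def parse_transfer_list(text):
    """Return (version, blocks_written, [(command, rangeset), ...])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    version, total = int(lines[0]), int(lines[1])
    header = 2 if version == 1 else 4  # v2+ adds stash-count and max-stash lines
    cmds = []
    for line in lines[header:]:
        cmd, _, arg = line.partition(" ")
        cmds.append((cmd, parse_rangeset(arg) if arg else []))
    return version, total, cmds

def rebuild_image(transfer_text, new_dat):
    """Apply the transfer list to new_dat and return the raw partition image."""
    _, total, cmds = parse_transfer_list(transfer_text)
    max_end = max((end for _, rs in cmds for _, end in rs), default=0)
    out = bytearray(max(total, max_end) * BLOCK_SIZE)
    pos = 0  # 'new' consumes new.dat sequentially, in rangeset order
    for cmd, rangeset in cmds:
        for begin, end in rangeset:
            lo, hi = begin * BLOCK_SIZE, end * BLOCK_SIZE
            if cmd == "new":
                chunk = new_dat[pos:pos + hi - lo]
                if len(chunk) != hi - lo:
                    raise ValueError("new.dat is truncated")
                out[lo:hi] = chunk
                pos += len(chunk)
            elif cmd in ("zero", "erase"):
                out[lo:hi] = bytes(hi - lo)
            else:  # move/stash/bsdiff only appear in incremental OTAs
                raise ValueError("unsupported command %r" % cmd)
    if pos != len(new_dat):
        raise ValueError("%d unused bytes in new.dat" % (len(new_dat) - pos))
    return bytes(out)

# Constructed sample: 3 data blocks land at block 0 and blocks 2-3, block 1 is zeroed.
SAMPLE_TRANSFER_LIST = "4\n3\n0\n0\nnew 4,0,1,2,4\nzero 2,1,2\n"
SAMPLE_NEW_DAT = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * BLOCK_SIZE
```

The resulting image can be mounted with a loop device or inspected with standard ext4 tools; a leftover-bytes or truncation error usually means the `.new.dat` and `.transfer.list` come from different package versions.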
The `bootarea.img` has the bootloader encrypted with the `TBIE` key. Like the whole firmware file, it has the `IM*H` format, though within the binary image that part is preceded by a little chunk of unencrypted data, usually the public part of the `PRAK` RSA key.
Boot partitions (`normal.img`, `recovery.img`) are encrypted with the `TBIE` key and have the `IM*H` format as well. They contain the Linux kernel and ramdisk RootFS for normal-side startup, but also the TrustZone OS image for trusted-side startup. They also include Linux Device Tree blobs, which are passed to the kernel to identify the available hardware. These DTB files can be converted back to DTS; analyzing them provides valuable insight into the custom silicon.
Encryption keys, as in all DJI products, are identified by a four-byte character code made up of English letters. Production keys have the letters in upper case. Most of the keys are derived within TrustZone, using CryptoCell algorithms, from several input character arrays, including: the master key, the public part of the `PRAK` RSA key, and a string containing a short description of the key. Not all of the information required to derive a key is included in the `TZOS` binary available within the boot partitions.
After the reset signal pulls to zero, control is given to the embedded bootrom. The bootrom is programmed by DJI. It contains code to read `IM*H` images and the encryption keys required to decrypt the bootloader. After the bootloader is decrypted into memory, the bootrom jumps to it.
The bootloader behaves in a similar manner to the Android bootloader, with added `IM*H` format and TrustZone support. Its source is based on the LittleKernel project and contains code to derive the key for the RPMB partition on the MMC, as well as code to derive keys for the boot images. The bootloader selects either `normal.img` or `recovery.img`, then decrypts the proper file and loads the `KERN` Linux kernel on the Normal side and the `TZOS` OP-TEE binary on the Trusted side. The device tree `DTBx` is selected based on the board version and provided to the kernel.
The Trusted side boots and awaits SMC commands.
Standard Linux kernel boot proceeds on the Normal side, loading kernel modules, mounting filesystems and starting services.
Below is a table of the memory map of the H3 Eagle SoC: RAM regions and memory-mapped peripheral areas. Addresses and sizes are hexadecimal; several entries are sub-areas of a larger region listed before them (for example the APB devices within `APB_BASE`).
Address (hex) | Size (hex) | Region name | Description |
---|---|---|---|
20000000 | 4000000 | AXI_MON_REGION | Advanced eXtensible Interface |
24000000 | 100000 | OPTEE_RAMCONSOLE | |
24100000 | bf00000 | ION_RSV_REGION_0 | |
30000000 | 4c000000 | ION_RSV_REGION_1 | |
7FF00000 | 100000 | OPTEE_RSV_REGION | |
F0000000 | 10000 | USB0_A | USB instance 0 MMIO area, supports USB OTG and has sub-area for that feature at offset 0xC000 |
F0100000 | 10000 | USB1_A | USB instance 1 MMIO area |
F0200000 | 10000 | USB2_A | USB instance 2 MMIO area |
F0400000 | 4000 | SDHCI0_BASE | |
F0404000 | 4000 | SDHCI1_BASE | |
F040C000 | 4000 | DMAC0 | |
F0410000 | 4000 | IPCM | |
F0418000 | 4000 | DMAC1 | |
F0450000 | 1000 | AXI_PM | Advanced eXtensible Interface PM |
F0480000 | 7000 | TZASC | TrustZone Address Space Controller, 7 areas of 0x1000 bytes each |
F0A00000 | 500000 | APB_BASE | Advanced Peripheral Bus region |
F0A00000 | 8000 | APB UART | Universal Asynchronous Receiver-Transmitter MMIO area, 8 devices of 0x1000 bytes each |
F0A08000 | 3000 | APB GPIO | General Purpose I/O MMIO area, 3 devices of 0x1000 bytes each |
F0A0B000 | 5000 | APB SPI | Serial Peripheral Interface MMIO area, 5 devices of 0x1000 bytes each |
F0A10000 | C000 | I2C | Inter-Integrated Circuit MMIO area, 12 devices of 0x1000 bytes each |
F0A1C000 | 1000 | I2S | Inter-IC Sound MMIO area |
F0A40000 | 1000 | AP_SC | |
F0A41000 | 160 | PINMUX | Pin-muxing configuration |
F0A43000 | 1000 | DW_WDT | DW Watchdog Timer |
F0A44000 | 1000 | RTC | Real-Time Clock MMIO area |
F0A45000 | 64 | TIMER0 | Timer MMIO area, 5 devices of 0x14 bytes each |
F0A49000 | 1000 | I2C12 | Inter-Integrated Circuit MMIO area |
F0A4D000 | 1000 | USB0_B | |
F0A4E000 | 1000 | USB1_B | |
F0A4F000 | 1000 | USB2_B | |
F0A50000 | 10000 | CLOCK_ACPU_SC | |
F0A70000 | 1000 | ABP1_BASE | |
F0A72000 | 1000 | SDHCI_CFG_ABP0_BASE | |
F0BB0000 | 10000 | CORESIGHT_BASE | CoreSight debug interface |
F0E00000 | 100000 | CC310_BASE | CryptoCell 310 MMIO area |
F0E01000 | 1000 | DX_CC44P | |
F0E09000 | 08 | ON_CHIP_TIMER | |
F6409000 | 1000 | OMC | OMC |
F8000000 | 40000 | DSP_CORE0_A | DSP core 0 area A |
F8200000 | 20000 | DSP_CORE0_B | DSP core 0 area B |
F8400000 | 10000 | DSP_CORE0_C | DSP core 0 area C |
F8800000 | 40000 | DSP_CORE1_A | DSP core 1 area A |
F8A00000 | 20000 | DSP_CORE1_B | DSP core 1 area B |
F8C00000 | 10000 | DSP_CORE1_C | DSP core 1 area C |
F9000000 | 40000 | DSP_CORE2_A | DSP core 2 area A |
F9200000 | 20000 | DSP_CORE2_B | DSP core 2 area B |
F9400000 | 10000 | DSP_CORE2_C | DSP core 2 area C |
F9800000 | 40000 | DSP_CORE3_A | DSP core 3 area A |
F9A00000 | 20000 | DSP_CORE3_B | DSP core 3 area B |
F9C00000 | 10000 | DSP_CORE3_C | DSP core 3 area C |
FA000000 | 40000 | DSP_CORE4_A | DSP core 4 area A |
FA200000 | 20000 | DSP_CORE4_B | DSP core 4 area B |
FA400000 | 10000 | DSP_CORE4_C | DSP core 4 area C |
FA800000 | 4000 | DSP_VISION_ACC | DSP VISION ACC |
FA804000 | 5000 | DSP_CORE_WDT | Watchdog Timer, 5 devices of 0x1000 bytes each, one for each DSP core |
FA900000 | 40000 | DSP_GIC | DSP Generic Interrupt Controller |
FAF00000 | 100000 | RCAM_DSPNOC_BASE | RCam DSP NOC |
FB000000 | 210000 | VISION_ACC | VISION ACC |
FC000000 | 10000 | IMGTEC_D5500_BASE | Imagination Technologies D5500 decoder |
FC400000 | 400 | IMGTEC_E5010_BASE | Imagination Technologies E5010 JPEG encoder |
FC800000 | 80000 | IMGTEC_E5500_BASE | Imagination Technologies E5500 encoder |
FD100000 | 100000 | CAM_APOST_BASE / CAM_ISPENH_BASE | ISP Enh |
FD200000 | 100000 | CAM_CINEMA_BASE | CINEMA system control region |
FD300000 | 100000 | CAM_ISP_CORE_BASE / RCAM_APICAL_BASE | RCam API CAL |
FD400000 | 1000 | RCAM_ISP_SC_BASE | RCam ISP SC |
FD401000 | 1000 | MIPI_CSI2_TX | Mobile Industry Processor Interface Camera Serial Interface 2 TX subsystem |
FD402000 | 400 | CAM_CINE_AES_BASE | CINEMA camera Auto Exposure System region |
FD403000 | 1000 | CAM_CRS | Camera Raw Settings area |
FD404000 | 2000 | CAM_CSI | Camera Sensor Interface area, 2 devices of 0x1000 bytes each |
FD406000 | 1000 | VIDEO_TX | Video Transmission device config area |
FD440000 | 200 | LCDC_A | LCD controller |
FD460000 | 20000 | DW_HDMI | HDMI device MMIO area |
FD604000 | 1000 | CAM2D | cam2d MMIO area |
FD608000 | 4000 | PRORES_ENC | Apple ProRes Encoder MMIO area |
FD60C000 | 1000 | VISION_V2D | Vision-based Adaptive Cruise Control V2D |
FD610000 | 4000 | CAM_GDC_BASE | Camera and Graphics Display Controller region |
FF000000 | 4000 | GIC_BASE | Generic Interrupt Controller region |
FF001000 | 1000 | GIC_B | Generic Interrupt Controller area D |
FF002000 | 2000 | GIC_C | Generic Interrupt Controller area C |
FFFC0000 | 30000 | SYS_RAM | System RAM |
FFFCFF80 | 80 | FC_PINMUX | FC Pin-muxing configuration |
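For anyone mapping DTS `reg` entries or disassembly back to this table, the Python below is an added example (not code from this page or the dji-firmware-tools project): it parses a subset of the rows above, resolves an address to the chain of regions covering it (sub-areas such as CryptoCell inside the APB region), and flags entries that overlap without being nested, which usually indicates a wrong size or base. Multi-word names from the table are joined with underscores.

```python
"""Resolve an H3 Eagle physical address to the regions covering it and flag
table entries that overlap without being nested. Rows are a subset copied from
the page's table; address and size are hexadecimal as on the page."""
from collections import namedtuple

Region = namedtuple("Region", "name start end size")

MEMORY_MAP_ROWS = """
20000000 4000000 AXI_MON_REGION
24100000 bf00000 ION_RSV_REGION_0
F0A00000 500000 APB_BASE
F0A00000 8000 APB_UART
F0A08000 3000 APB_GPIO
F0E00000 100000 CC310_BASE
F0E01000 1000 DX_CC44P
F0E09000 08 ON_CHIP_TIMER
FF000000 4000 GIC_BASE
FF001000 1000 GIC_B
FF002000 2000 GIC_C
FFFC0000 30000 SYS_RAM
FFFCFF80 80 FC_PINMUX
"""

def parse_rows(text):
    """Parse 'addr size name' lines (hex addr/size) into Region tuples."""
    regions = []
    for line in text.strip().splitlines():
        addr, size, name = line.split()
        start, length = int(addr, 16), int(size, 16)
        regions.append(Region(name, start, start + length, length))
    return regions

def contains(outer, inner):
    """True if inner lies fully inside outer (e.g. APB_UART within APB_BASE)."""
    return outer is not inner and outer.start <= inner.start and inner.end <= outer.end

def partial_overlaps(regions):
    """Pairs that share addresses but are not nested one inside the other."""
    bad = []
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if a.start < b.end and b.start < a.end and not (contains(a, b) or contains(b, a)):
                bad.append((a.name, b.name))
    return bad

def resolve(regions, addr):
    """Names of all regions covering addr, largest (outermost) first."""
    chain = sorted((r for r in regions if r.start <= addr < r.end), key=lambda r: -r.size)
    return [r.name for r in chain]

REGIONS = parse_rows(MEMORY_MAP_ROWS)
```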
The software is divided into a normal side and a trusted side. The normal side runs directly on the ARM CPU, while the trusted side is executed within the hardware-supported ARM TrustZone.
The firmware is based on Android, though it is a cut-down and heavily modified version. The embedded bootrom is designed to support `IM*H` images, and bootloader images are supplied in the form of such encrypted files. The bootloader is also supplied as an `IM*H` image, preceded by the public RSA key used to sign its header. Note that the bootrom is not loaded from eMMC; it resides in the internal ROM of the chip.
User space has the graphical interface part removed and works like a simple Linux distribution. There are several DJI-made native executables and libraries within the file system. Some of them run as services, performing the designed functions of the module. Some tools, like `dji_fw_verify` (used to verify and decrypt firmware updates), relay encryption-related operations to TrustZone.
The trusted side is based on OP-TEE OS, which is stored within the boot images (`normal.img`, `recovery.img`).
Encryption algorithms are hardware-accelerated using the CryptoCell 310 SDK library provided by Nordic Semiconductor.
The Normal side sends commands to the Trusted side using Secure Monitor Calls (SMC). Besides the generic SMC commands from OP-TEE, the DJI firmware also defines a few custom commands.
Trusted Applications running within TrustZone are in the standard TA format, but wrapped with an `IM*H` header and encrypted. The application loading function decrypts the TA file automatically before execution.
TODO
TODO
This page is created by drone enthusiasts for drone enthusiasts.
If you see a mistake, or you know more about specific subject, or you see an area for improvement for the wiki - create an issue in this project and attach your patch (or describe the change you propose).